Hi Stuart, you are right, and I was tired :p, I hadn't seen that the source was wrong in tcpdump. In fact, the negotiation uses the WAN src IP instead of the LAN src IP. I forced the src with local A.B.C.D and then it works! Thanks for your advice, I need to clean my eyes ^^ Have a nice day -- Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Networks
http://www.unix-experience.fr

On Friday 01 March 2013 at 19:34 +0000, Stuart Henderson wrote:
> On 2013/03/01 20:16, Loïc BLOT wrote:
> > Thanks for the reply Stuart, but:
> > - It's a test network, with an offline switch
> > - only the two routers are on the switch, with the good VLAN connected
> > by one LACP trunk (for each device)
> > - isakmp negotiation is from the expected hosts
> > - the certificates are default certificates, generated by OpenBSD
> >
> > What's wrong? I think it's another problem, but the configuration is
> > trivial. Two months before I tested it under two KVM hosts and I
> > didn't have this problem. Now with servers I have this problem, and many
> > guys have this problem but nobody has an answer.
> >
> > Does someone know how I can switch to AES instead of 3DES?
> > Thanks in advance
>
> Your ipsec.conf lines are already set up for AES; to see the isakmpd
> config sections used, try this:
>
> echo 'ike esp transport from 10.0.0.1 to 10.0.0.2' | ipsecctl -nvf -
>
> The fact that the log shows it expecting 3DES means that the connection
> attempt isn't matching any of the configuration sections which ipsecctl
> added to isakmpd, so isakmpd falls back to its built-in default
> (3DES-SHA-RSA_SIG) and fails because the other side *is* using AES.
>
> Mismatching IP addresses is usually the most common reason on
> multihomed hosts but there are other possibilities. Sometimes it
> helps to tcpdump -vvs1500 -nienc0, sometimes it helps to use
> "isakmpd -L" to generate a decrypted /var/run/isakmpd.pcap file
> and examine that with tcpdump -r.. but whatever the cause,
> the 3DES thing means it is not using your configuration section.
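The fix the thread arrives at, written out as an ipsec.conf(5) fragment for a multihomed OpenBSD router. This is an added illustration, not configuration from either poster: the LAN/WAN addresses, the hostname comments and the main/quick algorithm choices are assumptions, and the verification commands in the comments are the ones Stuart gives above.

```conf
# /etc/ipsec.conf on router A (constructed example).
# Assumed addresses: LAN 10.0.0.1 on the VLAN trunk, WAN 203.0.113.1.
# Peer router B is 10.0.0.2 on the same VLAN.

# Broken form: no "local", so on a multihomed host isakmpd may source the
# ISAKMP exchange from the WAN address. The incoming negotiation then
# matches none of the sections ipsecctl loaded, isakmpd falls back to its
# built-in default (3DES-SHA-RSA_SIG), and the peer, which offers AES,
# rejects it.
#
# ike esp transport from 10.0.0.1 to 10.0.0.2 \
#     main auth hmac-sha1 enc aes group modp1024 \
#     quick auth hmac-sha1 enc aes

# Fixed form: pin the local endpoint address so isakmpd negotiates from
# the LAN side and the section matches the peer's proposal.
ike esp transport from 10.0.0.1 to 10.0.0.2 local 10.0.0.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes

# Checks (run as root; neither flag set here is made up, both are in the
# thread above):
#   ipsecctl -nvf /etc/ipsec.conf      # print the isakmpd sections, no load
#   tcpdump -vvs1500 -nienc0           # confirm the ISAKMP src is 10.0.0.1
# If tcpdump still shows 203.0.113.1 as the source, the section is not the
# one being used and isakmpd will keep proposing 3DES.
```

Load it with `ipsecctl -f /etc/ipsec.conf` once the `-n` dry run shows the expected section, and apply the mirror-image `local 10.0.0.2` on router B so both sides pin their LAN address.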