isakmpd ignoring contents of /etc/ipsec.conf

Wed, 06 Dec 2017 06:58:20 -0800 

Hi @misc,
I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla OpenBSD 6.2 amd64 (dmesg below). 

My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
 main auth hmac-sha2-256 enc aes-256 group modp2048 \
 psk "myverygoodsecretPSK"


(As can be seen, I want the settings to be applied to a /27 network, 
from where the tunnel initiation is sent out of. I also tried to use a 
fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from 
there – it also failed.)



isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set 
as its flag(s) in /etc/rc.conf.local



However, it seems to ignore the settings made in ipsec.conf (without 
complaining about them, though):



Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: 
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no 
compatible proposal found
Dec  1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1 
port 500 due to notification type NO_PROPOSAL_CHOSEN



For example, ENCRYPTION_ALGORITHM is clearly not what was set in 
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION 
and HASH_ALGORITHM.



As a result, the IPSec tunnel can not be established. What did I 
overlook here?


Thanks in advance for any hints.

Best

Bernd























					Reply via email to