On 2021-05-04, Giacomo Marconi <g.marc...@comune.arezzo.it> wrote:
> Hi all
>
> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>
> In my last VPN config (using 6.8) I see in the logs that isakmpd is 
> expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk 
> value.

This usually means that the packets seen from the other side didn't
match your configuration (possibly a wrong IP or something) and
instead were matched by the implicit default phase 1 configuration
(which is 3DES-SHA-RSA_SIG).

If that doesn't give any clues, bump up logging in isakmpd. This
set of debug levels (worked out by studying source code) enables
most logs that are possible to do without being so noisy that
they're useless.

isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"

Sometimes looking at captured packets is useful too. For phase 1
negotiation, just watching the network interface is usually
good.

tcpdump -vvs1500 -i $interface port 500 or 4500

(For problems with phase 2 negotiation you often need to enable isakmpd's
cleartext IKE packet capture via the isakmpd.fifo control socket,
but you aren't that far.)


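Added example, not part of the thread or of isakmpd: a small decoder for the IKEv1 (ISAKMP, RFC 2408/2409) main-mode SA payload, which is the part of the port 500/4500 traffic captured above that says which authentication method each side actually offers. The packets it reads are constructed inline; the peer's transform (PSK with AES-128/SHA1/modp1024) is an assumed configuration, and the "local" transform mirrors the 3DES-SHA-RSA_SIG default policy named above with the DH group left out because the thread does not state it. Feeding the UDP payload of a real capture to parse_phase1_proposals() works the same way.

```python
import struct

# IKEv1/ISAKMP constants (RFC 2408, RFC 2409) used by the decoder below.
PAYLOAD_SA, PAYLOAD_TRANSFORM, EXCHANGE_MAIN_MODE, ISAKMP_HDR_LEN = 1, 3, 2, 28
# Phase 1 attribute types (RFC 2409 appendix A) and the value names this thread cares about.
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14
ENC = {5: "3des", 7: "aes"}
HASH = {1: "md5", 2: "sha1"}
AUTH = {1: "psk", 3: "rsa_sig"}
GROUP = {2: "modp1024", 14: "modp2048"}

# Constructed sample transforms (not from a real capture):
#   PEER_PSK_TRANSFORM: assumed peer settings, PSK with AES-128/SHA1/modp1024
#   ISAKMPD_DEFAULT_TRANSFORM: the 3DES-SHA-RSA_SIG default policy named in the thread
#   (DH group omitted because the thread does not state it)
PEER_PSK_TRANSFORM = [(ATTR_ENC, 7), (ATTR_KEYLEN, 128), (ATTR_HASH, 2), (ATTR_AUTH, 1), (ATTR_GROUP, 2)]
ISAKMPD_DEFAULT_TRANSFORM = [(ATTR_ENC, 5), (ATTR_HASH, 2), (ATTR_AUTH, 3)]


def build_main_mode_sa(transform_specs, icookie=b"\x11" * 8):
    """Build a constructed IKEv1 main-mode first message: header + SA + one proposal + N transforms."""
    transforms = b""
    for i, spec in enumerate(transform_specs):
        body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in spec)  # basic (TV) attributes
        nxt = PAYLOAD_TRANSFORM if i + 1 < len(transform_specs) else 0
        transforms += struct.pack("!BBHBBH", nxt, 0, 8 + len(body), i + 1, 1, 0) + body  # Transform-Id 1 = KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, len(transform_specs)) + transforms
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # DOI 1 = IPsec, SIT_IDENTITY_ONLY
    hdr = icookie + b"\x00" * 8 + struct.pack("!BBBBII", PAYLOAD_SA, 0x10, EXCHANGE_MAIN_MODE, 0, 0,
                                               ISAKMP_HDR_LEN + len(sa))
    return hdr + sa


def strip_non_esp_marker(udp_payload):
    """IKE on UDP/4500 is prefixed with a 4-byte zero Non-ESP Marker (RFC 3948); drop it if present."""
    if len(udp_payload) >= ISAKMP_HDR_LEN + 4 and udp_payload[:4] == b"\x00" * 4:
        (inner_len,) = struct.unpack_from("!I", udp_payload, 4 + 24)  # header length field behind the marker
        if inner_len == len(udp_payload) - 4:
            return udp_payload[4:]
    return udp_payload


def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3): TV when the AF bit is set, TLV otherwise."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            attrs[af_type & 0x7FFF] = val
        else:
            attrs[af_type & 0x7FFF] = int.from_bytes(data[off:off + val], "big")
            off += val
    return attrs


def parse_phase1_proposals(udp_payload):
    """Walk header -> SA -> proposal(s) -> transform(s); return one dict per transform offered."""
    pkt = strip_non_esp_marker(udp_payload)
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_payload, _ver, _exch, _flags, _msgid, length = struct.unpack_from("!BBBBII", pkt, 16)
    if length != len(pkt) or next_payload != PAYLOAD_SA:
        raise ValueError("not a complete ISAKMP message starting with an SA payload")
    off = ISAKMP_HDR_LEN
    _np, _res, sa_len = struct.unpack_from("!BBH", pkt, off)
    sa_end, poff = off + sa_len, off + 12  # skip SA generic header, DOI and Situation
    out = []
    while poff + 8 <= sa_end:
        _np, _res, plen, prop_no, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", pkt, poff)
        toff = poff + 8 + spi_size
        for _ in range(ntrans):
            _np, _res, tlen, tr_no, _tid, _res2 = struct.unpack_from("!BBHBBH", pkt, toff)
            a = parse_attributes(pkt[toff + 8:toff + tlen])
            out.append({"proposal": prop_no, "transform": tr_no,
                        "enc": ENC.get(a.get(ATTR_ENC), a.get(ATTR_ENC)), "keylen": a.get(ATTR_KEYLEN),
                        "hash": HASH.get(a.get(ATTR_HASH), a.get(ATTR_HASH)),
                        "auth": AUTH.get(a.get(ATTR_AUTH), a.get(ATTR_AUTH)),
                        "group": GROUP.get(a.get(ATTR_GROUP), a.get(ATTR_GROUP))})
            toff += tlen
        poff += plen
    return out


def phase1_summary(udp_payload):
    """One readable line per transform, e.g. 'prop1/tr1 aes-128 sha1 psk modp1024'."""
    lines = []
    for t in parse_phase1_proposals(udp_payload):
        enc = f'{t["enc"]}-{t["keylen"]}' if t["keylen"] else str(t["enc"])
        lines.append(f'prop{t["proposal"]}/tr{t["transform"]} {enc} {t["hash"]} {t["auth"]} {t["group"] or "-"}')
    return lines


def auth_mismatch(udp_payload, configured_auth):
    """Authentication methods seen on the wire that differ from the one ipsec.conf configures."""
    return sorted({t["auth"] for t in parse_phase1_proposals(udp_payload)} - {configured_auth}, key=str)


if __name__ == "__main__":
    peer = build_main_mode_sa([PEER_PSK_TRANSFORM])
    local = build_main_mode_sa([ISAKMPD_DEFAULT_TRANSFORM], icookie=b"\x22" * 8)
    for line in phase1_summary(peer):
        print("peer  offers:", line)
    for line in phase1_summary(local):
        print("local offers:", line)
    # A non-empty list here is the symptom from the thread: RSA_SIG on the wire although ipsec.conf says psk.
    print("local auth not matching psk:", auth_mismatch(local, "psk"))
```

Compare the two summaries: the peer offers psk, the local side answers with the default policy's rsa_sig, so the proposals can never agree and the isakmpd log complains about the authentication method. The same check run on a real capture tells you which side's proposal to fix.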