Thanks Stuart for the answer; the new flags don't change the log output.
While with tcpdump I can see that the other endpoint is sending correct IPsec parameters:

12:49:08.025601 *.fastwebnet.it.isakmp > *.it.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: db2bb04573305edb->0000000000000000 msgid: 00000000 len: 200
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
        payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 28800
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute AUTHENTICATION_METHOD = PRE_SHARED
            attribute HASH_ALGORITHM = SHA2_256
            attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports DPD v1.0)
        payload: VENDOR len: 20 (DF) (ttl 52, id 41086, len 228)

ipsec -vnf /etc/ipsec.conf
C add [phase1-peer-*]:Transforms=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:ENCRYPTION_ALGORITHM=3DES_CBC force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:Life=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_TYPE=SECONDS force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_DURATION=28800 force
......
Giacomo

> On 5 May 2021, at 14:33, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2021-05-04, Giacomo Marconi <g.marc...@comune.arezzo.it> wrote:
>> Hi all
>>
>> I have some OpenBSD boxes as VPN endpoint to a Palo Alto PA-820.
>>
>> In my last VPN config (using 6.8) I see in the logs that isakmpd is
>> expecting RSA_SIG as authentication method, while in ipsec.conf I set the
>> psk value.
>
> This usually means that the packets seen from the other side didn't
> match your configuration (possibly a wrong IP or something) and
> instead were matched by the implicit default phase 1 configuration
> (which is 3DES-SHA-RSA_SIG)
>
> If that doesn't give any clues, bump up logging in isakmpd. This
> set of debug levels (worked out by studying source code) enables
> most logs that are possible to do without being so noisy that
> they're useless.
>
> isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"
>
> Sometimes looking at captured packets is useful too. For phase 1
> negotiation then just watching the network interface is usually
> good
>
> tcpdump -vvs1500 -i $interface port 500 or 4500
>
> (For problems with phase 2 nego you often need to enable isakmpd's
> cleartext IKE packet capture via the isakmpd.fifo control socket
> but you aren't that far).
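As an added worked example (editor's code, not from the thread, isakmpd or OpenBSD), here is the cross-check Stuart's diagnosis calls for, done offline: parse the peer's phase-1 proposal out of the tcpdump line and the locally configured phase-1 transform out of the `ipsec -vnf` output, then report whether the peer's source address has a phase1-peer section at all (no section means isakmpd falls back to the implicit default, which is where RSA_SIG comes from) and, if it does, which attributes differ. Both sample inputs are constructed from the outputs quoted above, with the redacted hostnames replaced by placeholder addresses 203.0.113.10 and 198.51.100.1 as `tcpdump -n` would print them; the implicit-default table is Stuart's 3DES-SHA-RSA_SIG, with MODP_1024 as the group being my assumption.

```python
"""Cross-check an IKEv1 phase-1 proposal seen on the wire (tcpdump -vv output)
against the phase-1 transform that ipsec.conf configures (ipsec -vnf output).
Editor's example; the sample inputs are constructed, not live captures."""
import re

# Constructed: the tcpdump line from the thread with placeholder addresses
# standing in for the redacted hostnames, as `tcpdump -n` prints them.
TCPDUMP_LINE = (
    "12:49:08.025601 203.0.113.10.isakmp > 198.51.100.1.isakmp: [udp sum ok] "
    "isakmp v1.0 exchange ID_PROT cookie: db2bb04573305edb->0000000000000000 "
    "msgid: 00000000 len: 200 payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY "
    "payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 "
    "payload: TRANSFORM len: 32 transform: 1 ID: ISAKMP "
    "attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 "
    "attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute AUTHENTICATION_METHOD = PRE_SHARED "
    "attribute HASH_ALGORITHM = SHA2_256 attribute GROUP_DESCRIPTION = MODP_1024 "
    "payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0)"
)

# Constructed: the `ipsec -vnf /etc/ipsec.conf` lines from the thread, same placeholder peer.
IPSEC_VNF = """\
C add [phase1-peer-203.0.113.10]:Transforms=phase1-transform-peer-203.0.113.10-PRE_SHARED-SHA2_256-3DES-MODP_1024 force
C set [phase1-transform-peer-203.0.113.10-PRE_SHARED-SHA2_256-3DES-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-203.0.113.10-PRE_SHARED-SHA2_256-3DES-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-203.0.113.10-PRE_SHARED-SHA2_256-3DES-MODP_1024]:ENCRYPTION_ALGORITHM=3DES_CBC force
C set [phase1-transform-peer-203.0.113.10-PRE_SHARED-SHA2_256-3DES-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
"""

# The four attributes that decide whether a phase-1 transform matches.
PHASE1_ATTRS = ("AUTHENTICATION_METHOD", "HASH_ALGORITHM",
                "ENCRYPTION_ALGORITHM", "GROUP_DESCRIPTION")

# isakmpd's fallback when no configured phase 1 matches the peer: 3DES-SHA-RSA_SIG
# per the thread (tcpdump prints SHA1 as "SHA"); MODP_1024 is an assumption.
IMPLICIT_DEFAULT = {"AUTHENTICATION_METHOD": "RSA_SIG", "HASH_ALGORITHM": "SHA",
                    "ENCRYPTION_ALGORITHM": "3DES_CBC", "GROUP_DESCRIPTION": "MODP_1024"}


def parse_capture(line):
    """Return (source address, [attribute dict per TRANSFORM payload]) from one tcpdump line."""
    m = re.match(r"\S+ (\S+)\.isakmp > (\S+)\.isakmp:", line)
    if not m:
        raise ValueError("not an isakmp line")
    transforms = []
    for chunk in re.split(r"payload: TRANSFORM ", line)[1:]:
        body = chunk.split("payload: ", 1)[0]          # stop at the next payload (VENDOR etc.)
        transforms.append(dict(re.findall(r"attribute (\w+) = (\w+)", body)))
    return m.group(1), transforms


def parse_ipsec_vnf(text):
    """Return {peer address: [attribute dicts of that peer's phase-1 transforms]}."""
    sections = {}
    for sect, key, val in re.findall(r"^C (?:set|add) \[([^\]]+)\]:(\w+)=(\S+) force$", text, re.M):
        sections.setdefault(sect, {})[key] = val
    peers = {}
    for sect, attrs in sections.items():
        if sect.startswith("phase1-peer-") and "Transforms" in attrs:
            peers[sect[len("phase1-peer-"):]] = [sections.get(t, {}) for t in attrs["Transforms"].split(",")]
    return peers


def compare(offered, configured):
    """Attributes on which an offered transform and a configured one differ: {attr: (offered, configured)}."""
    return {a: (offered.get(a), configured.get(a)) for a in PHASE1_ATTRS
            if offered.get(a) != configured.get(a)}


def diagnose(capture_line, vnf_text):
    """Return (peer, result). result is None when the peer has no phase1-peer section
    (isakmpd will use IMPLICIT_DEFAULT), else one mismatch dict per offered transform,
    taken against the closest configured transform; {} means an exact match."""
    src, offered = parse_capture(capture_line)
    peers = parse_ipsec_vnf(vnf_text)
    if src not in peers:
        return src, None
    return src, [min((compare(off, cfg) for cfg in peers[src]), key=len) for off in offered]


if __name__ == "__main__":
    peer, result = diagnose(TCPDUMP_LINE, IPSEC_VNF)
    if result is None:
        print(f"{peer}: no phase1-peer section, isakmpd falls back to {IMPLICIT_DEFAULT}")
    else:
        for i, diff in enumerate(result, 1):
            print(f"{peer} transform {i}: {'matches' if not diff else 'differs: ' + str(diff)}")
```

Run with the peer address swapped for one that has no `phase1-peer-` section and it reports the fallback; run with the configured hash changed to SHA and it names `HASH_ALGORITHM` as the mismatch, which is the shape of the log Giacomo sees (the peer offers PRE_SHARED, the selected configuration wants RSA_SIG). On a real box the inputs are `tcpdump -n` output and `ipsec -vnf /etc/ipsec.conf`, and the address in the section name must be the one tcpdump shows as the source.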