On 2007/08/13 21:00, Steve B wrote:
> If I am interpreting the logs correctly then I have partial success using
>
>   ike dynamic esp tunnel from any to 192.168.1.0/24 \
>       main auth hmac-sha1 enc 3des group modp1024 \
>       quick auth hmac-sha2-256 enc 3des \
>       psk abc123
>
> I am confident that the first two lines are correct. The dynamic variable
> should be correct if the incoming IP address is different for every user.
> Line two should be OK since it appears I have a successful Phase 1. I've
> SSH'd into the endpoint and run tcpdump against my external interface and
> enc0. I have also used "ipsecctl -m". So far I have not picked up any new
> clues to help resolve the remainder of the problem.
Turn on packet tracing:

  # echo "p on" > /var/run/isakmpd.fifo

try and make a connection, then turn tracing back off:

  # echo "p off" > /var/run/isakmpd.fifo

See isakmpd(8) for more FIFO commands. Then you can look at the capture file with tcpdump:

  # tcpdump -r /var/run/isakmpd.pcap -vvn

This should give some clues about how the peer is configured. You may well find it's using SHA1 not SHA2, but go through the pcap/tcpdump thing anyway; it's the easiest way to debug the peer connection.

In the tcpdump you posted I think you didn't increase snaplen (e.g. -s 2000) to see the actual exchange (otherwise you would have seen more details for phase 1). That's not necessary for the -r used here, since isakmpd writes the pcap file with larger packet sizes.