I'm trying to set up an IPSEC vpn between two fresh OpenBSD -current
firewalls, using a combination of "Zero to IPSEC" and this message from
Reyk Floeter (http://marc.info/?l=openbsd-misc&m=114200467101649&w=2).
One side has a static IP, the other is ADSL.
I've copied the keys from each machine to the other, and isakmpd is
started with the -K flag on each.
Here's a brief network layout:
Static Side
External IP: 168.103.246.149
Internal Lan 10.1.1.0/24
Dynamic Side
External IP dynamic, but dns resolvable using homebrew script
Internal Lan 172.16.1.0/24
On the ADSL side I have the following in my ipsec.conf file:
flow from 172.16.1.0/24 to 168.103.246.149 type bypass
ike dynamic esp from 172.16.1.0/24 to 10.1.1.0/24 peer 168.103.246.149 \
srcid home.homeinstead.com \
dstid 168.103.246.149
ike dynamic esp from 172.16.1.0/24 to 10.1.1.0/24 peer 168.103.246.149
ike dynamic esp from 172.16.1.0/24 to 168.103.246.149
On the static side I have:
ike passive esp from 172.16.1.0/24 to 168.103.246.149 dstid \
home.homeinstead.openvistas.net
It appears that the ADSL side is trying to start the tunnel, but I'm
getting this in the static side's logs:
2008-03-23 12:37:18.290800500 daemon.notice: Mar 23 12:37:18
isakmpd[21074]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got
AES_CBC, expected 3DES_CBC
2008-03-23 12:37:18.291792500 daemon.notice: Mar 23 12:37:18
isakmpd[21074]: message_negotiate_sa: no compatible proposal found
2008-03-23 12:37:18.291803500 daemon.notice: Mar 23 12:37:18
isakmpd[21074]: dropped message from 70.57.209.37 port 500 due to
notification type NO_PROPOSAL_CHOSEN
Google doesn't provide much help for this error, so any help would be
greatly appreciated.
Thanks,
Jeff Ross
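The log above shows the two ends disagreeing on the phase 1 cipher (AES_CBC offered, 3DES_CBC expected). An added example, not the poster's configuration, of writing the ike rules for both ends with the transforms stated explicitly and the from/to, peer and srcid/dstid fields mirrored, so the negotiation does not depend on each build's default proposal; it assumes home.homeinstead.com is the ID the ADSL side presents and that the tunnel is 172.16.1.0/24 <-> 10.1.1.0/24 as in the first ike rule of the post:

```conf
# ADSL (initiating) side: /etc/ipsec.conf
# Phase 1 (main) and phase 2 (quick) transforms are written out so both
# peers propose and accept the same algorithms.
ike dynamic esp from 172.16.1.0/24 to 10.1.1.0/24 peer 168.103.246.149 \
    main  auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid home.homeinstead.com dstid 168.103.246.149

# Static (responding) side: /etc/ipsec.conf
# from/to and srcid/dstid are the mirror image of the ADSL rule; "peer any"
# because the ADSL address changes, and the identical transform lists mean
# the responder accepts exactly what the initiator proposes.
ike passive esp from 10.1.1.0/24 to 172.16.1.0/24 peer any \
    main  auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    srcid 168.103.246.149 dstid home.homeinstead.com
```

Check each file with `ipsecctl -n -f /etc/ipsec.conf` before loading it, and compare `ipsecctl -s all` on both ends to confirm the flows and SAs that were actually installed.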