I am converting over to ipsec.conf from isakmpd.conf|policy. I have a default vpn configuration to allow people from their home pc to access. Under isakmpd.conf it works perfectly well. I can use any number of settings, including the desired aes-256 for both phase 1 and phase 2.
My isakmpd.conf sections:

[Phase 1]
Default= ISAKMP-peer-default
61.62.63.64= ISAKMP-peer-default
Passive-Connections= IPsec-default

[ISAKMP-peer-default]
Phase= 1
Transport= udp
Local-address= 61.62.63.64
Configuration= AES-main-mode
Authentication= redacted

[IPsec-default]
Phase= 2
ISAKMP-peer= ISAKMP-peer-default
Configuration= Default-quick-mode
Local-ID= Net-corp

[Net-corp]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.10.0
Netmask= 255.255.255.0

[AES-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

I put the following into my ipsec.conf:

ike dynamic from any to 10.10.10.0/24 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk redacted

I've tried changing the settings to hmac-sha2-256 and aes-256, and I've tried changing the client settings to everything from auto through 128, 192 & 256. Nothing seems to work. The debug when I try to connect does show phase 1 done, but later says it's been told to delete the session. See below. It does not seem to matter what settings I change in the VPN client config, I cannot get it to maintain this connection. What is the difference between the ipsec.conf and isakmpd.conf tunnels? What is telling isakmpd to delete this SA?
040442.728781 Exch 10 exchange_finalize: phase 1 done: initiator id 192.168.1.9, responder id fw.example.com, src: 61.62.63.64 dst: 43.100.100.77
040442.728808 Timr 10 timer_add_event: event sa_soft_expire(0x8b057000) added last, expiration in 74131s
040442.728819 SA 80 sa_reference: SA 0x8b057000 now has 5 references
040442.728838 Timr 10 timer_add_event: event sa_hard_expire(0x8b057000) added last, expiration in 86400s
040442.728849 SA 80 sa_reference: SA 0x8b057000 now has 6 references
040442.728861 SA 80 sa_release: SA 0x8b057000 had 6 references
040442.770769 Trpt 70 transport_setup: added 0x87a3c0c0 to transport list
040442.770808 Trpt 70 transport_setup: added 0x87a3c1c0 to transport list
040442.770821 Trpt 50 virtual_clone: old 0x89f49e40 new 0x87a3c2c0 (main is 0x87a3c0c0)
040442.770832 Trpt 70 transport_setup: virtual transport 0x87a3c2c0
040442.770846 Mesg 90 message_alloc: allocated 0x86887100
040442.770858 Mesg 70 message_recv: message 0x86887100
040442.770871 Mesg 70 ICOOKIE: 864ee9d5f19da22f
040442.770885 Mesg 70 RCOOKIE: db55da1a362c3ba3
040442.770896 Mesg 70 NEXT_PAYLOAD: HASH
040442.770909 Mesg 70 VERSION: 16
040442.770920 Mesg 70 EXCH_TYPE: INFO
040442.770931 Mesg 70 FLAGS: [ ENC ]
040442.770943 Mesg 70 MESSAGE_ID: f09ac655
040442.770954 Mesg 70 LENGTH: 92
040442.770978 Mesg 70 message_recv: 864ee9d5 f19da22f db55da1a 362c3ba3 08100501 f09ac655 0000005c 2cf32098
040442.771002 Mesg 70 message_recv: df99aee4 72eb2103 30579627 a79aac92 3029017f 53433540 0af8aaea 2e464200
040442.771024 Mesg 70 message_recv: fa2d9ad3 1b156485 b4bcf4f2 4befc80a 68c3a13d 07a57a34 cbbfe575
040442.771036 SA 80 sa_reference: SA 0x8b057000 now has 6 references
040442.771053 Cryp 60 hash_get: requested algorithm 1
040442.771063 Cryp 80 ipsec_get_keystate: final phase 1 IV:
040442.771079 Cryp 80 e1859bae f2a4943b 98d51085 c2d0d538
040442.771089 Cryp 80 ipsec_get_keystate: message ID:
040442.771100 Cryp 80 f09ac655
040442.771117 Cryp 50 crypto_init_iv: initialized IV:
040442.771134 Cryp 50 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771144 Cryp 80 ipsec_get_keystate: phase 2 IV:
040442.771161 Cryp 80 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771171 Cryp 70 crypto_decrypt: before decryption:
040442.771194 Cryp 70 2cf32098 df99aee4 72eb2103 30579627 a79aac92 3029017f 53433540 0af8aaea
040442.771217 Cryp 70 2e464200 fa2d9ad3 1b156485 b4bcf4f2 4befc80a 68c3a13d 07a57a34 cbbfe575
040442.771231 Cryp 70 crypto_decrypt: after decryption:
040442.771255 Cryp 70 0c000018 9d93aa16 924a5147 05435224 1f50245c 6bb1cfe2 0000001c 00000001
040442.771279 Cryp 70 01100001 864ee9d5 f19da22f db55da1a 362c3ba3 00000000 00000000 00000000
040442.771291 Mesg 50 message_parse_payloads: offset 28 payload HASH
040442.771303 Mesg 50 message_parse_payloads: offset 52 payload DELETE
040442.771316 Mesg 60 message_validate_payloads: payload HASH at 0x8688779c of message 0x86887100
040442.771326 Mesg 70 DATA:
040442.771337 Cryp 60 hash_get: requested algorithm 1
040442.771347 Misc 90 message_validate_hash: SKEYID_a:
040442.771365 Misc 90 540cb39d 7776c123 4049eda1 7ad1f6d3 01c84a40
040442.771375 Cryp 60 hash_get: requested algorithm 1
040442.771387 Misc 90 message_validate_hash: message_id:
040442.771399 Misc 90 f09ac655
040442.771409 Misc 90 message_validate_hash: payloads after HASH(1):
040442.771432 Misc 90 0000001c 00000001 01100001 864ee9d5 f19da22f db55da1a 362c3ba3
040442.771452 Mesg 60 message_validate_payloads: payload DELETE at 0x868877b4 of message 0x86887100
040442.771463 Mesg 70 DOI: IPSEC
040442.771474 Mesg 70 PROTO: ISAKMP
040442.771485 Mesg 70 SPI_SZ: 16
040442.771496 Mesg 70 NSPIS: 1
040442.771506 Mesg 70 SPI:
040442.771549 Timr 10 timer_add_event: event exchange_free_aux(0x8b057700) added before sa_soft_expire(0x887e7800), expiration in 120s
040442.771564 Exch 10 exchange_setup_p2: 0x8b057700 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
040442.771575 Exch 10 exchange_setup_p2: icookie 864ee9d5f19da22f rcookie db55da1a362c3ba3
040442.771586 Exch 10 exchange_setup_p2: msgid f09ac655 sa_list
040442.771600 SA 90 sa_find: return SA 0x8b057000
040442.771612 Exch 90 exchange_validate: checking for required INFO
040442.771623 Misc 30 ipsec_responder: phase 2 exchange 5 step 0
040442.771636 SA 90 sa_find: return SA 0x8b057000
040442.771658 SA 30 ipsec_delete_spi_list: DELETE made us delete SA 0x8b057000 (6 references) for proto 1 (initiator id: 192.168.1.9, responder id: fw.example.com)
040442.771670 Timr 10 timer_remove_event: removing event sa_hard_expire(0x8b057000)
040442.771682 Timr 10 timer_remove_event: removing event sa_soft_expire(0x8b057000)
040442.771693 SA 70 sa_remove: SA 0x8b057000 removed from SA list
040442.771704 SA 80 sa_release: SA 0x8b057000 had 4 references
040442.771715 Cryp 50 crypto_update_iv: updated IV:
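As an added example (not part of the original post), a small Python triage script that walks isakmpd debug output like the log above and shows where the SA teardown originates: it records phase-1 completion, counts inbound informational (INFO) exchanges and DELETE payloads, and times the `ipsec_delete_spi_list` deletion relative to phase 1. It assumes the `HHMMSS.ffffff class level message` line format seen in the post; the sample lines are excerpted from the log above.

```python
import re

# Assumed isakmpd debug line format: HHMMSS.ffffff <class> <level> <message>
LINE_RE = re.compile(r"^(\d{6}\.\d{6})\s+(\w+)\s+(\d+)\s+(.*)$")
PHASE1_RE = re.compile(r"phase 1 done: initiator id (\S+), responder id (\S+), src: (\S+) dst: (\S+)")
DELETE_RE = re.compile(r"DELETE made us delete SA (0x[0-9a-f]+) \((\d+) references\) for proto (\d+)")

def to_micros(ts):
    """Convert an HHMMSS.ffffff timestamp to microseconds since midnight."""
    hhmmss, frac = ts.split(".")
    h, m, s = int(hhmmss[0:2]), int(hhmmss[2:4]), int(hhmmss[4:6])
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac)

def summarize(log_text):
    """Return phase-1 completions, inbound INFO exchanges, DELETE payloads seen,
    and each SA deletion with its delay (microseconds) after the last phase 1."""
    report = {"phase1": [], "info_exchanges": 0, "delete_payloads": 0, "sa_deleted": []}
    last_p1 = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a debug line
        ts, _cls, _level, msg = m.groups()
        if p := PHASE1_RE.search(msg):
            last_p1 = to_micros(ts)
            report["phase1"].append({"initiator": p[1], "responder": p[2], "src": p[3], "dst": p[4]})
        elif msg == "EXCH_TYPE: INFO":
            report["info_exchanges"] += 1  # informational exchange received from the peer
        elif msg.startswith("message_parse_payloads") and msg.endswith("payload DELETE"):
            report["delete_payloads"] += 1  # the peer's message carried a DELETE payload
        elif d := DELETE_RE.search(msg):
            delay = None if last_p1 is None else to_micros(ts) - last_p1
            report["sa_deleted"].append({"sa": d[1], "refs": int(d[2]), "proto": int(d[3]), "us_after_phase1": delay})
    return report

# Constructed sample: lines excerpted from the debug log in the post above.
SAMPLE_LOG = """\
040442.728781 Exch 10 exchange_finalize: phase 1 done: initiator id 192.168.1.9, responder id fw.example.com, src: 61.62.63.64 dst: 43.100.100.77
040442.770920 Mesg 70 EXCH_TYPE: INFO
040442.771291 Mesg 50 message_parse_payloads: offset 28 payload HASH
040442.771303 Mesg 50 message_parse_payloads: offset 52 payload DELETE
040442.771474 Mesg 70 PROTO: ISAKMP
040442.771658 SA 30 ipsec_delete_spi_list: DELETE made us delete SA 0x8b057000 (6 references) for proto 1 (initiator id: 192.168.1.9, responder id: fw.example.com)
"""

if __name__ == "__main__":
    for event in summarize(SAMPLE_LOG)["sa_deleted"]:
        print(f"SA {event['sa']} (proto {event['proto']}) deleted after an inbound DELETE payload, "
              f"{event['us_after_phase1']} us after phase 1 completed")
```

On the excerpt this reports that the phase-1 SA was removed about 43 ms after phase 1 finished, in response to a DELETE payload that arrived in an encrypted informational exchange from the peer rather than from a local lifetime expiry.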