Two part question:

1. Anyone had any success getting iked and carp working on OpenBSD 5.1
(amd64)?   We can get it working with isakmpd.  The issue seems to be
that iked wants to send out packets as the physical interface IP instead
of the carp IP.  iked documentation alludes to the fact that it should work.

2. I can't get isakmpd to use groups above modp1024 when using aes-256
or aes in main.  Is there a catch I'm not aware of?

Works:
gwA = "1.1.1.1"
gwB = "2.2.2.2"
ike active esp from 192.168.1.1 to 172.16.1.1 \
        local $gwA peer $gwB \
        main auth hmac-sha1 enc aes-256 group modp1024 \
        quick auth hmac-sha1 enc aes-256 \
        psk "foobar"

Does not work:
gwA = "1.1.1.1"
gwB = "2.2.2.2"
ike active esp from 192.168.1.1 to 172.16.1.1 \
        local $gwA peer $gwB \
        main auth hmac-sha1 enc aes-256 group modp2048 \
        quick auth hmac-sha1 enc aes-256 \
        psk "foobar"

The error message isakmpd spits out on one side says
MALFORMED_PAYLOAD and the other NO_PROPOSAL_CHOSEN.   I can provide more
details if needed.  Just odd it works with only a change to the group field.

thanks
Jim
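Added example (not part of the original post, and not OpenBSD's own code): a small Python checker that reads ipsec.conf-style "ike" rules like the two above, joins the backslash-continued lines, expands the $gwA/$gwB macros, and reports the main-mode DH group of each rule, flagging anything weaker than an assumed modp2048 policy threshold. The threshold, the function names and the embedded sample (a constructed copy of the two rule sets from the post) are all assumptions; it only inspects the text and does not talk to isakmpd.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two rule sets from the post, one with modp1024
# and one with modp2048, exactly as they would appear in ipsec.conf.
SAMPLE_CONF = """\
gwA = "1.1.1.1"
gwB = "2.2.2.2"
ike active esp from 192.168.1.1 to 172.16.1.1 \\
        local $gwA peer $gwB \\
        main auth hmac-sha1 enc aes-256 group modp1024 \\
        quick auth hmac-sha1 enc aes-256 \\
        psk "foobar"
ike active esp from 192.168.1.1 to 172.16.1.1 \\
        local $gwA peer $gwB \\
        main auth hmac-sha1 enc aes-256 group modp2048 \\
        quick auth hmac-sha1 enc aes-256 \\
        psk "foobar"
"""

# Assumed local policy: flag any MODP group smaller than this many bits.
MIN_MODP_BITS = 2048


def join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines into single logical lines."""
    logical: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(" ".join(buf.split()))
        buf = ""
    if buf.strip():
        logical.append(" ".join(buf.split()))
    return logical


def parse_macros(lines: List[str]) -> Dict[str, str]:
    """Collect name = "value" macro definitions."""
    macros: Dict[str, str] = {}
    for line in lines:
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line: str, macros: Dict[str, str]) -> str:
    """Replace $name references with their macro values."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def _pairs(section: str) -> Dict[str, str]:
    """Turn 'auth X enc Y group Z' into a dict of keyword -> value."""
    tokens = section.split()
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}


def parse_ike_rule(line: str) -> Optional[dict]:
    """Extract peer, main-mode and quick-mode parameters from one ike rule."""
    if not line.startswith("ike "):
        return None
    peer = re.search(r"\blocal (\S+) peer (\S+)", line)
    main = re.search(r"\bmain\b(.*?)(?=\bquick\b|\bpsk\b|$)", line)
    quick = re.search(r"\bquick\b(.*?)(?=\bpsk\b|$)", line)
    return {
        "local": peer.group(1) if peer else None,
        "peer": peer.group(2) if peer else None,
        "main": _pairs(main.group(1)) if main else {},
        "quick": _pairs(quick.group(1)) if quick else {},
    }


def dh_bits(group: Optional[str]) -> Optional[int]:
    """Return the modulus size in bits for a modpNNNN group name."""
    m = re.fullmatch(r"modp(\d+)", group or "")
    return int(m.group(1)) if m else None


def lint(conf: str) -> List[dict]:
    """Report the main-mode group of every ike rule and whether it is weak."""
    lines = join_continuations(conf)
    macros = parse_macros(lines)
    findings = []
    for line in lines:
        rule = parse_ike_rule(expand(line, macros))
        if rule is None:
            continue
        group = rule["main"].get("group")
        bits = dh_bits(group)
        findings.append({
            "peer": rule["peer"],
            "main_group": group,
            "bits": bits,
            "weak": bits is None or bits < MIN_MODP_BITS,
        })
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        status = "WEAK" if f["weak"] else "ok"
        print(f"peer {f['peer']}: main group {f['main_group']} -> {status}")
```

Running it over the sample prints one WEAK line for the modp1024 rule and an ok line for the modp2048 rule; pointing it at a real file just means reading that file into lint().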
