Thanks for the reply, Stuart, but:
- It's a test network, with an offline switch
- only the two routers are on the switch, with the good VLAN connected
by one LACP trunk (for each device)
- isakmp negotiation is from the expected hosts
- the certificates are default certificates, generated by OpenBSD

What's wrong? I think it's another problem, but the configuration is
trivial. Two months ago I tested it under two KVM hosts and I
didn't have this problem. Now with servers I have this problem, and many
guys have this problem but nobody has an answer.

Does anyone know how I can switch to AES instead of 3DES?
Thanks in advance

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr




On Friday 01 March 2013 at 17:42 +0000, Stuart Henderson wrote:

> On 2013-03-01, Loïc Blot <loic.b...@unix-experience.fr> wrote:
> > Hello Misc!
> > I have a strange problem, and Google doesn't help me.
> > I want to make an IPSec+GRE tunnel with OSPF. For now, OSPF over GRE is
> > working perfectly (ipv4+ipv6).
> > I have a problem with IPSec, and I can't find how to resolve it.
> >
> > It's a fresh OpenBSD 5.2 image.
> >
> > The error is the following:
> > attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected
> > 3DES_CBC 
> >
> > My ipsec.conf is very simple for now:
> >
> > on host A
> >
> > ike esp transport from 10.0.0.1 to 10.0.0.2
> >
> > and on host B
> >
> > ike esp transport from 10.0.0.2 to 10.0.0.1
> >
> > Any idea?
> 
> 
> The default settings in isakmpd are for 3DES_CBC so this indicates
> that the packets did not match the configuration added by ipsecctl and
> instead matched the default in isakmpd.
> 
> Are the packets coming from the expected IP addresses? Check with
> tcpdump if in doubt.
