On Wed, Dec 06 2017, Bernd <[email protected]> wrote:
> Hi @misc,
>
> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
> OpenBSD 6.2 amd64 (dmesg below).
>
> My /etc/ipsec.conf looks like this:
>
> ike esp from any to any peer x.y.z.0/27 \
>     main auth hmac-sha2-256 enc aes-256 group modp2048 \
>     psk "myverygoodsecretPSK"
>
> (As can be seen, I want the settings to be applied to a /27 network,
> from where the tunnel initiation is sent out of. I also tried to use
> a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
> from there – it also failed.)
>
> isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
> as its flag(s) in /etc/rc.conf.local
>
> However, it seems to ignore the settings made in ipsec.conf (without
> complaining about them, though):
>
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
> compatible proposal found
> Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
> port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> For example, ENCRYPTION_ALGORITHM is clearly not what was set in
> /etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
> and HASH_ALGORITHM.
>
> As a result, the IPSec tunnel can not be established. What did
> I overlook here?
Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
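The diagnosis in the reply can be checked mechanically from the two things the original post contains: the ike rule and the attribute_unacceptable lines. In isakmpd's wording, "got" is the value the peer proposed and "expected" is the value the local daemon is enforcing, so a daemon that has loaded ipsec.conf must print the file's transforms under "expected". The script below is an added example, not code from the thread or from OpenBSD: it parses the rule, parses the log, and reports whether the local policy isakmpd is enforcing matches what ipsec.conf declares. The ipsec.conf and log text are embedded as constructed input taken from the post (the log lines are rejoined onto one line each), and the keyword-to-identifier tables (aes-256 to AES_CBC, hmac-sha2-256 to SHA2_256, modp2048 to MODP_2048, psk to PRE_SHARED, and so on) are an assumption covering only the values that appear in the thread.

```python
"""Triage isakmpd attribute_unacceptable lines against the ike rule in ipsec.conf."""
import re
from collections import defaultdict

# Constructed input: the ike rule quoted in the original post.
IPSEC_CONF = '''ike esp from any to any peer x.y.z.0/27 \\
    main auth hmac-sha2-256 enc aes-256 group modp2048 \\
    psk "myverygoodsecretPSK"
'''

# Constructed input: a subset of the post's log lines, rejoined onto one line each.
ISAKMPD_LOG = """\
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1 port 500 due to notification type NO_PROPOSAL_CHOSEN
"""

# Assumed mapping from ipsec.conf(5) phase-1 keywords to the identifiers isakmpd
# prints in attribute_unacceptable messages; only values seen in the thread are covered.
ENC = {"3des": "3DES_CBC", "aes": "AES_CBC", "aes-128": "AES_CBC",
       "aes-192": "AES_CBC", "aes-256": "AES_CBC"}
AUTH = {"hmac-md5": "MD5", "hmac-sha1": "SHA", "hmac-sha2-256": "SHA2_256"}
GROUP = {"modp768": "MODP_768", "modp1024": "MODP_1024",
         "modp1536": "MODP_1536", "modp2048": "MODP_2048"}

LOG_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")


def parse_ike_rule(conf):
    """Return {isakmpd attribute: identifier} for the phase-1 parameters of the
    first 'ike' rule, after joining backslash-continued lines."""
    text = conf.replace("\\\n", " ")
    rule = next(l for l in text.splitlines() if l.lstrip().startswith("ike "))
    words = rule.split()
    policy = {}
    for key, table, attr in (("enc", ENC, "ENCRYPTION_ALGORITHM"),
                             ("auth", AUTH, "HASH_ALGORITHM"),
                             ("group", GROUP, "GROUP_DESCRIPTION")):
        if key in words:
            policy[attr] = table[words[words.index(key) + 1]]
    if "psk" in words:
        policy["AUTHENTICATION_METHOD"] = "PRE_SHARED"
    elif "rsa" in words:
        policy["AUTHENTICATION_METHOD"] = "RSA_SIG"
    return policy


def parse_isakmpd_log(log):
    """Return (attribute, got, expected) tuples from attribute_unacceptable lines;
    other isakmpd lines are ignored."""
    return [m.groups() for m in (LOG_RE.search(l) for l in log.splitlines()) if m]


def diagnose(policy, events):
    """Compare the transforms ipsec.conf declares with the ones isakmpd reports as
    'expected' (its own policy). A declared value missing from 'expected' means the
    running daemon is not enforcing that file. Also record whether the peer already
    offered the declared values, which it did in the thread."""
    expected, got = defaultdict(set), defaultdict(set)
    for attr, g, e in events:
        got[attr].add(g)
        expected[attr].add(e)
    mismatched = {a: sorted(expected[a]) for a, v in policy.items()
                  if a in expected and v not in expected[a]}
    return {
        "config_in_effect": None if not events else not mismatched,
        "local_expects": mismatched,  # attribute -> values isakmpd actually enforces
        "peer_offers_config_values": all(v in got[a] for a, v in policy.items()),
    }


if __name__ == "__main__":
    policy = parse_ike_rule(IPSEC_CONF)
    print("ipsec.conf declares:", policy)
    print("report:", diagnose(policy, parse_isakmpd_log(ISAKMPD_LOG)))
```

On the thread's input the report comes back with config_in_effect False and every declared value present in the peer's proposals, which is exactly the picture jca describes: the remote side is offering what the local ipsec.conf asks for, and the local isakmpd is comparing against something else. The check only explains the log; the file still has to be loaded, which on OpenBSD is done with ipsecctl -f /etc/ipsec.conf, or at boot by setting ipsec=YES in /etc/rc.conf.local.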

