Hi @misc,
I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).
My /etc/ipsec.conf looks like this:
ike esp from any to any peer x.y.z.0/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use
a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
from there – it also failed.)
isakmpd is being started as described in ipsec.conf(5) et al: ``-K''
set
as its flag(s) in /etc/rc.conf.local
However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from
x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN
For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to
GROUP_DESCRIPTION
and HASH_ALGORITHM.
As a result, the IPSec tunnel can not be established. What did
I overlook here?