On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
On Wed, Dec 06 2017, Bernd <be...@kroenchenstadt.de> wrote:
Hi @misc,

I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).

My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
 main auth hmac-sha2-256 enc aes-256 group modp2048 \
 psk "myverygoodsecretPSK"

(As can be seen, I want the settings to be applied to a /27 network,
from which the tunnel initiation is sent. I also tried to use
a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPsec
from there – it also failed.)

isakmpd is being started as described in ipsec.conf(5) et al.: "-K" set
as its flag(s) in /etc/rc.conf.local

However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):

Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no compatible proposal found
Dec  1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1 port 500 due to notification type NO_PROPOSAL_CHOSEN

For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
and HASH_ALGORITHM.

As a result, the IPsec tunnel cannot be established. What did
I overlook here?

Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.

Hi,

ipsec=YES is set in rc.conf.local:

# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES               # IPsec

# sysctl -a | grep ipsec
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Best

Bernd
