Thanks Stuart for the answer.
The new flags don't change the log output, while with tcpdump I can see that the other endpoint is sending correct IPsec parameters:
12:49:08.025601 *.fastwebnet.it.isakmp > *.it.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: db2bb04573305edb->0000000000000000 msgid: 00000000 len: 200
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 32
                transform: 1 ID: ISAKMP
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 28800
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute HASH_ALGORITHM = SHA2_256
                    attribute GROUP_DESCRIPTION = MODP_1024
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports DPD v1.0)
    payload: VENDOR len: 20 (DF) (ttl 52, id 41086, len 228)
ipsec -vnf /etc/ipsec.conf
C add [phase1-peer-*]:Transforms=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:ENCRYPTION_ALGORITHM=3DES_CBC force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:Life=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_TYPE=SECONDS force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_DURATION=28800 force
......
Giacomo
> On 5 May 2021, at 14:33, Stuart Henderson <[email protected]> wrote:
>
> On 2021-05-04, Giacomo Marconi <[email protected]> wrote:
>> Hi all
>>
>> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>>
>> In my last VPN config (using 6.8) I see in the logs that isakmpd is
>> expecting RSA_SIG as authentication method, while in ipsec.conf I set the
>> psk value.
>
> This usually means that the packets seen from the other side didn't
> match your configuration (possibly a wrong IP or something) and
> instead were matched by the implicit default phase 1 configuration
> (which is 3DES-SHA-RSA_SIG)
>
> If that doesn't give any clues, bump up logging in isakmpd. This
> set of debug levels (worked out by studying source code) enables
> most logs that are possible to do without being so noisy that
> they're useless.
>
> isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"
>
> Sometimes looking at captured packets is useful too. For phase 1
> negotiation then just watching the network interface is usually
> good
>
> tcpdump -vvs1500 -i $interface port 500 or 4500
>
> (For problems with phase 2 nego you often need to enable isakmpd's
> cleartext IKE packet capture via the isakmpd.fifo control socket
> but you aren't that far).
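Stuart's diagnosis hinges on whether the peer's phase-1 proposal actually lines up with the transform isakmpd has configured for that peer, or whether it only ever reaches the implicit default (3DES-SHA-RSA_SIG). The script below is an added example, not code from this thread or from OpenBSD: it parses the tcpdump SA payload and the `C set` config dump posted above, compares the two attribute by attribute, and also reports whether the proposal would satisfy the three default-transform attributes Stuart names. The sample inputs are copied from the post (the peer address is masked as `*` there, so the section name `phase1-peer-*` is used as posted); all function names, the `IMPLICIT_DEFAULT` table and the report format are this example's own.

```python
"""Check an IKEv1 phase-1 proposal captured with tcpdump against the phase-1
transform isakmpd has configured for that peer.

Added example for this thread (not code from the thread or from OpenBSD).
Sample inputs are copied from the tcpdump and config-dump output in the post;
the peer address is masked as '*' there, so 'phase1-peer-*' is used as-is.
"""
import re

# Copied from the tcpdump output in the post (SA payload only).
TCPDUMP_PHASE1 = """\
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
  payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
    payload: TRANSFORM len: 32
      transform: 1 ID: ISAKMP
        attribute LIFE_TYPE = SECONDS
        attribute LIFE_DURATION = 28800
        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
        attribute AUTHENTICATION_METHOD = PRE_SHARED
        attribute HASH_ALGORITHM = SHA2_256
        attribute GROUP_DESCRIPTION = MODP_1024
"""

# Copied from the `ipsec -vnf` dump in the post (phase-1 lines only).
CONFIG_DUMP = """\
C add [phase1-peer-*]:Transforms=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:ENCRYPTION_ALGORITHM=3DES_CBC force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024]:Life=phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_TYPE=SECONDS force
C set [phase1-transform-peer-*-PRE_SHARED-SHA2_256-3DES-MODP_1024-life]:LIFE_DURATION=28800 force
"""

# Phase-1 SA attributes negotiated in main mode, in tcpdump/isakmpd spelling.
ATTRS = ("ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "AUTHENTICATION_METHOD",
         "GROUP_DESCRIPTION", "LIFE_TYPE", "LIFE_DURATION")

# isakmpd's implicit default phase 1 as Stuart describes it (3DES-SHA-RSA_SIG).
# Only these three attributes are taken from his message; nothing else assumed.
IMPLICIT_DEFAULT = {"ENCRYPTION_ALGORITHM": "3DES_CBC",
                    "HASH_ALGORITHM": "SHA",
                    "AUTHENTICATION_METHOD": "RSA_SIG"}

_ATTR_RE = re.compile(r"attribute\s+(\w+)\s*=\s*(\S+)")
_XFORM_RE = re.compile(r"\btransform:\s*\d+")          # lower-case: not the TRANSFORM payload line
_CONF_RE = re.compile(r"^\s*C\s+(?:set|add)\s+\[([^\]]+)\]:([^=]+)=(\S+)")


def parse_tcpdump_transforms(text):
    """Return one {attribute: value} dict per ISAKMP transform in the dump."""
    transforms = []
    for line in text.splitlines():
        if _XFORM_RE.search(line):
            transforms.append({})
        m = _ATTR_RE.search(line)
        if m and transforms:
            transforms[-1][m.group(1)] = m.group(2)
    return transforms


def parse_config_dump(text):
    """Return {section: {key: value}} from 'C set/add [section]:key=value' lines."""
    conf = {}
    for line in text.splitlines():
        m = _CONF_RE.match(line)
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return conf


def configured_phase1(conf, peer_section):
    """Flatten each transform listed for the peer, pulling in its Life section."""
    result = {}
    for name in conf[peer_section]["Transforms"].split(","):
        t = dict(conf.get(name, {}))
        t.update(conf.get(t.pop("Life", None), {}))   # LIFE_* live in a sub-section
        result[name] = t
    return result


def diff_attrs(proposed, configured, attrs=ATTRS):
    """Return {attr: (peer_value, local_value)} for attributes that differ.
    An attribute absent on both sides counts as matching."""
    return {a: (proposed.get(a), configured.get(a))
            for a in attrs if proposed.get(a) != configured.get(a)}


def check(tcpdump_text, config_text, peer_section="phase1-peer-*"):
    """Return (names of configured transforms the peer's proposal matches,
    whether the proposal would also satisfy isakmpd's implicit default)."""
    proposals = parse_tcpdump_transforms(tcpdump_text)
    local = configured_phase1(parse_config_dump(config_text), peer_section)
    matching = [name for p in proposals for name, t in local.items()
                if not diff_attrs(p, t)]
    default_match = any(not diff_attrs(p, IMPLICIT_DEFAULT, IMPLICIT_DEFAULT)
                        for p in proposals)
    return matching, default_match


if __name__ == "__main__":
    proposal = parse_tcpdump_transforms(TCPDUMP_PHASE1)[0]
    local = configured_phase1(parse_config_dump(CONFIG_DUMP), "phase1-peer-*")
    for name, t in local.items():
        d = diff_attrs(proposal, t)
        print(f"{name}: {'MATCH' if not d else 'MISMATCH ' + str(d)}")
    print("proposal satisfies implicit default (3DES-SHA-RSA_SIG):",
          check(TCPDUMP_PHASE1, CONFIG_DUMP)[1])
```

On the posted data every attribute matches the configured transform and the proposal does not satisfy the default's RSA_SIG, which is consistent with Stuart's point that an "expected RSA_SIG" log line means the packet was not being matched to this peer section at all (wrong peer address, for instance) rather than a transform mismatch; to use the script on a live case, paste in the real `tcpdump -vvs1500 ... port 500 or 4500` output and the unmasked peer section name.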