On Fri, Feb 18, 2022 at 15:06 Stuart Henderson wrote...

> On Fri, Feb 18, 2022 at 11:43 AM I wrote:
>> ike passive esp transport proto udp from $public_ip to any \
>>         main auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
>>         quick auth "hmac-sha2-256" enc "aes-256" group "modp2048" \
>>         psk "THIS_IS_MY_IPSEC_PASSPHRASE"
>>
>> ike passive esp transport proto udp from $public_ip to any \
>>         main auth "hmac-md5" enc "3des" group "modp1024" \
>>         quick auth "hmac-md5" enc "3des" group "modp1024" \
>>         psk "THIS_IS_MY_IPSEC_PASSPHRASE"

> With isakmpd and ipsec.conf you can't have two proposals for the default
> ("to any") peer with different PFS groups, you will have to choose one
> or the other. As-is the second will overwrite the first config block.
> (Use ipsecctl -v to see the commands sent by ipsecctl to isakmpd;
> it generates what are basically isakmpd.conf style config blocks and
> sends them over the control socket).

It still fails even with one block, but this is good to know. Thanks.

> You will save yourself a lot of trouble if you can move the newer machines
> to IKEv2 .. (It would not be possible to run both isakmpd and iked on a
> single OpenBSD machine though). Or alternatively wireguard or openvpn
> (which _can_ coexist with IKEv1) though IKEv2 generally has a simpler
> client config.

I'm not opposed to this and I've tried, but even now it still gives me
proposal errors from both iOS and MacOS:

Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_add_error: NO_PROPOSAL_CHOSEN
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: send IKE_SA_INIT res 0 peer 100.64.10.10:57904 local 203.0.113.1:500, 36 bytes
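The NO_PROPOSAL_CHOSEN above means none of the peer's IKE proposals (#4 and #5) matched the responder's policy transform by transform. The following is an added diagnostic script, not code from this thread or from OpenBSD: it groups iked's ikev2_log_proposal lines by SPI and proposal number and reports which transforms a given local policy rejects. The LOCAL_POLICY table is a hypothetical iked policy chosen to illustrate a partial mismatch, and the transform names it lists (AES_CBC-256, HMAC_SHA2_256, MODP_2048, ...) are assumed to follow iked's logging spelling.

```python
import re
from collections import defaultdict

# Constructed sample: the ikev2_log_proposal lines from the message above.
SAMPLE_LOG = """\
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 ENCR=AES_CBC-128
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #4 DH=MODP_1024
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 ENCR=3DES
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 PRF=HMAC_SHA1
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 INTEGR=HMAC_SHA1_96
Feb 18 15:51:04 server iked[86219]: spi=0xdc6e75a2891b8e65: ikev2_log_proposal: IKE #5 DH=MODP_1024
"""

LINE_RE = re.compile(
    r"spi=(?P<spi>0x[0-9a-f]+): ikev2_log_proposal: "
    r"(?P<proto>\w+) #(?P<num>\d+) (?P<type>ENCR|PRF|INTEGR|DH|ESN)=(?P<val>\S+)"
)

# Hypothetical local responder policy (assumption, not the poster's iked.conf):
# legacy AES-128/SHA1 transforms are still accepted, but PFS below MODP_2048 is not.
LOCAL_POLICY = {
    "ENCR": {"AES_CBC-128", "AES_CBC-256"},
    "PRF": {"HMAC_SHA1", "HMAC_SHA2_256"},
    "INTEGR": {"HMAC_SHA1_96", "HMAC_SHA2_256_128"},
    "DH": {"MODP_2048"},
}

def parse_proposals(log_text):
    """Group ikev2_log_proposal lines into {(spi, proto, num): {type: value}}."""
    proposals = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proposals[(m["spi"], m["proto"], int(m["num"]))][m["type"]] = m["val"]
    return dict(proposals)

def explain_no_proposal(log_text, policy=LOCAL_POLICY):
    """Per peer proposal, list the transforms the local policy rejects.
    An empty list means that proposal would have been chosen."""
    return {
        key: [f"{t}={v}" for t, v in tf.items() if t in policy and v not in policy[t]]
        for key, tf in parse_proposals(log_text).items()
    }

if __name__ == "__main__":
    for (spi, proto, num), rejected in explain_no_proposal(SAMPLE_LOG).items():
        print(f"{spi} {proto} #{num}:", ", ".join(rejected) or "acceptable")
```

With this policy both peer proposals fail only on the group (and #5 also on 3DES), which is the same PFS-group mismatch the thread discusses for the IKEv1 config; the fix is to align the group on one side or the other rather than to weaken the responder.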