On Thu, Aug 09, 2007 at 02:22:31AM +0200, James Lepthien wrote:
> Hi,
>
> I have set up a VPN from my OpenBSD box (4.1-current) to our company
> WatchGuard X700. My problem is that the re-keying isn't always working
> and my tunnel does not come up if I send traffic to the destination
> network. I must manually restart the isakmpd and then start the tunnel
> by using ipsecctl -f /etc/ipsec.conf. I see some strange errors in my
> /var/log/messages even when the tunnel is up. What do these errors mean?:
>
> Aug 9 01:52:40 voldemort isakmpd[20491]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
> ...
>
> My ipsec.conf looks like this:
>
> ike esp from $ext_IP to $peer_GW
> ike esp from $ext_IP to $peer_LAN peer $peer_GW
> ike esp from $int_LAN to $peer_LAN \
>         peer $peer_GW \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group none \
>         psk "XXXX"
This enables 3des/sha1/modp1024 only for the third rule. The first and
second rules will both use the default values (aes/sha1/modp1024 for
phase 1 and aes/sha2-256 for phase 2). Try this:

ike esp from $ext_IP to $peer_GW \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk "XXXX"

ike esp from $ext_IP to $peer_LAN peer $peer_GW \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk "XXXX"

ike esp from $int_LAN to $peer_LAN peer $peer_GW \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk "XXXX"
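As an added illustration of the reply's point (not code from either poster), this Python checker parses ipsec.conf 'ike' rules, fills in the defaults the reply quotes for any rule that omits its main/quick proposals, and lists the attributes a peer would reject, which is what the attribute_unacceptable log line above reports. The default values, the peer's expected proposals and the embedded sample config are assumptions taken from this thread.

```python
import re
import shlex

# Defaults as quoted in the reply above (assumed to match the isakmpd in use).
DEFAULT_MAIN = {"auth": "hmac-sha1", "enc": "aes", "group": "modp1024"}
DEFAULT_QUICK = {"auth": "hmac-sha2-256", "enc": "aes", "group": "none"}

# Constructed copy of the poster's three rules: only the third sets proposals.
SAMPLE_CONF = """\
ike esp from $ext_IP to $peer_GW
ike esp from $ext_IP to $peer_LAN peer $peer_GW
ike esp from $int_LAN to $peer_LAN \\
    peer $peer_GW \\
    main auth hmac-sha1 enc 3des group modp1024 \\
    quick auth hmac-sha1 enc 3des group none \\
    psk "XXXX"
"""

def parse_ike_rules(text):
    """Return one dict per 'ike' rule with its effective main/quick proposals."""
    # Join backslash-continued lines, then drop comments.
    text = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("ike "):
            continue
        rule = {"line": line, "main": dict(DEFAULT_MAIN), "quick": dict(DEFAULT_QUICK)}
        tokens = shlex.split(line)
        phase = None
        i = 0
        while i < len(tokens):
            if tokens[i] in ("main", "quick"):
                phase = tokens[i]  # following auth/enc/group belong to this phase
            elif tokens[i] in ("auth", "enc", "group") and phase and i + 1 < len(tokens):
                rule[phase][tokens[i]] = tokens[i + 1]
                i += 1
            i += 1
        rules.append(rule)
    return rules

def find_mismatches(text, peer_main, peer_quick):
    """List (rule, phase, attr, got, expected) for each attribute the peer would reject."""
    problems = []
    for rule in parse_ike_rules(text):
        for phase, expected in (("main", peer_main), ("quick", peer_quick)):
            for attr, want in expected.items():
                if rule[phase][attr] != want:
                    problems.append((rule["line"], phase, attr, rule[phase][attr], want))
    return problems
```

Running find_mismatches on the poster's config with a peer that requires 3des/hmac-sha1 in both phases flags only the first two rules; the reply's corrected config produces no findings.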

