Dear list,

I have a firewall and an ipsec.conf with 42 ike esp connections:

ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk "mekmitasdigoat" tag "yet.another.connection"

isakmpd is started with the "-K -T". I am talking to lots of
Watchguard Fireboxes by the way. All connections are established and
traffic flows over enc0, all seems good. However, when I try to reload
ipsec.conf due to a rule change, either isakmpd dies with nothing in
the logs whatsoever and/or my /var/log/daemon is filling up with
messages like these:

Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN

I would like to be using something other than shared keys but the
Watchguard boxes only support fancy things like that through a
"Watchguard System Manager" which I'd like to avoid. So for the moment
I am stuck with preshared keys.

If I do "ipsecctl -F" and do a kill and restart of isakmpd the
connections seem to be established successfully again. Am I missing
something obvious in reloading/adding connections to ipsec.conf ? Is a
simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule or do
I need to give isakmpd a SIGHUP?

Thanks in advance,

-- 
Michiel van der Kraats
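
Added example, not part of the post above and not OpenBSD or isakmpd code: a small Python triage script for the /var/log/daemon lines the post quotes. isakmpd writes the rejected attribute first ("got" is what the peer proposed, "expected" is what the local policy requires), then "no compatible proposal found", and only the final "dropped message" line names the peer, so the script holds mismatches per isakmpd pid until that line arrives and then reports, per peer, how many exchanges were rejected and why. The sample log is constructed from the three lines in the post plus a repeat and a second, hypothetical peer ("other.ipsec.peer") with an encryption-algorithm mismatch, to show that the grouping is not specific to the PSK case. A "got PRE_SHARED, expected RSA_SIG" finding for a peer that has a psk line in ipsec.conf means the running isakmpd policy for that peer no longer carries the pre-shared key, which is exactly the symptom to check after a reload.

```python
"""Triage isakmpd NO_PROPOSAL_CHOSEN drops in /var/log/daemon (added example)."""
import re
from collections import defaultdict

# Constructed sample log: the three lines from the post, one repeat, and a
# hypothetical second peer with a different (encryption) mismatch.
SAMPLE_LOG = """\
Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
Feb 25 14:00:52 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 25 14:00:52 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:00:52 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
Feb 25 14:01:03 evo-access isakmpd[27974]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got DES_CBC, expected 3DES_CBC
Feb 25 14:01:03 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:01:03 evo-access isakmpd[27974]: dropped message from other.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
"""

# syslog prefix: timestamp, host, "isakmpd[pid]: ", then the daemon's message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
UNACCEPT_RE = re.compile(
    r'^attribute_unacceptable: (?P<attr>\w+): got (?P<got>[^,]+), expected (?P<exp>\S+)$')
DROPPED_RE = re.compile(
    r'^dropped message from (?P<peer>\S+) port (?P<port>\d+) due to notification type (?P<notify>\w+)$')


def parse_events(log_text):
    """One event per NO_PROPOSAL_CHOSEN drop, with the mismatches that preceded it.

    Mismatch lines do not name the peer, so they are queued per pid and
    attached to the next 'dropped message' line from that pid. The
    'message_negotiate_sa' line carries nothing extra and is skipped.
    """
    pending = defaultdict(list)  # pid -> [(attribute, peer offered, local expects), ...]
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        u = UNACCEPT_RE.match(msg)
        if u:
            pending[pid].append((u.group('attr'), u.group('got'), u.group('exp')))
            continue
        d = DROPPED_RE.match(msg)
        if d and d.group('notify') == 'NO_PROPOSAL_CHOSEN':
            events.append({'ts': m.group('ts'), 'pid': pid, 'peer': d.group('peer'),
                           'mismatches': pending.pop(pid, [])})
    return events


def summarize(events):
    """Per peer: how many exchanges were rejected and the distinct mismatches seen."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev['peer'], {'rejected': 0, 'mismatches': set()})
        s['rejected'] += 1
        s['mismatches'].update(ev['mismatches'])
    return summary


def diagnose(summary):
    """Turn the summary into one finding per (peer, mismatch), PSK case called out."""
    findings = []
    for peer, s in sorted(summary.items()):
        for attr, got, expected in sorted(s['mismatches']):
            if (attr, got, expected) == ('AUTHENTICATION_METHOD', 'PRE_SHARED', 'RSA_SIG'):
                # the peer is doing PSK but the local running policy for it has
                # no psk, so isakmpd falls back to expecting RSA signatures
                findings.append(f"{peer}: local policy wants RSA_SIG but peer offers PRE_SHARED; "
                                f"the psk for this peer is not in isakmpd's running policy "
                                f"({s['rejected']} exchanges rejected)")
            else:
                findings.append(f"{peer}: {attr} mismatch, peer offers {got}, local policy wants "
                                f"{expected} ({s['rejected']} exchanges rejected)")
    return findings


if __name__ == '__main__':
    for finding in diagnose(summarize(parse_events(SAMPLE_LOG))):
        print(finding)
```

Run it against a real file with `parse_events(open('/var/log/daemon').read())`; the per-peer counts make it obvious whether every PSK peer broke at once (a policy-reload problem on the local side) or only one did (a peer-side change).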
