I've got a number of VPN clients using X.509 certs to access a
central site configured by ipsec.conf like this.
ike passive esp \
from {$SOMENET, 192.168.40.0/21} to any \
main auth hmac-sha1 enc aes group grp2 \
quick auth hmac-sha1 enc aes group grp2 \
tag ipsec-$id
Now someone would like to add a device which (like some other devices
connecting to this machine) is not on a fixed address so it needs to
use the "to any" rule. Though it supports AES in phase 2, only DES or
3DES are permitted in phase 1 (which of course is already set to AES
on other devices).
Does anyone know of a way, either using ipsec.conf or isakmpd.conf,
to permit use of _either_ AES _or_ 3DES in phase 1? Or do I need to go
to all the other endpoints and reconfigure them to a common algorithm
(i.e. 3DES)?
(It's not especially useful information, but the central site is running
May 2 2008 code and the clients are mixed cheap CPE routers, DrayTek/ZyXEL
etc., hence the problem. :)
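One way to express "either AES or 3DES" on the passive side in isakmpd.conf, as an added example that is not part of the original post or from its author: a phase-1 configuration whose Transforms list names two transform sections, so the responder accepts whichever one the initiator proposes. The section names (Default-main-mode, AES-SHA-GRP2-RSA, 3DES-SHA-GRP2-RSA) are my own; the keywords are those of isakmpd.conf(5), and the fragment assumes the peer section and the phase-2/flow definitions exist elsewhere in the same file.

```ini
# Added example (not from the original post): phase-1 proposal list for a
# passive isakmpd responder that accepts either AES or 3DES in main mode.
# Section names are my own; keyword values follow isakmpd.conf(5).
# Assumes the [Phase 1] peer section points at Default-main-mode via
# Configuration= and that phase 2 and flows are defined elsewhere.

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
# Order is preference; an initiator's proposal only has to match one entry.
Transforms=AES-SHA-GRP2-RSA,3DES-SHA-GRP2-RSA

# Preferred: AES-CBC with SHA-1, DH group 2 (MODP 1024), X.509/RSA auth,
# i.e. the same as "main auth hmac-sha1 enc aes group grp2" in the ike rule.
[AES-SHA-GRP2-RSA]
ENCRYPTION_ALGORITHM=AES_CBC
KEY_LENGTH=128,128:256
HASH_ALGORITHM=SHA
AUTHENTICATION_METHOD=RSA_SIG
GROUP_DESCRIPTION=MODP_1024

# Fallback for the CPE that can only do 3DES in phase 1. Because the
# responder is passive, listing it here lets any peer negotiate 3DES,
# not just that one device; keep it only while that device is in service.
[3DES-SHA-GRP2-RSA]
ENCRYPTION_ALGORITHM=3DES_CBC
HASH_ALGORITHM=SHA
AUTHENTICATION_METHOD=RSA_SIG
GROUP_DESCRIPTION=MODP_1024
```

After reloading, `isakmpd -v` or the isakmpd log shows which transform each peer settled on, which is the quickest way to confirm the existing AES clients still negotiate AES rather than the fallback.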