I used to configure VPNs using isakmpd.conf, for two dozen VPNs, each with
a hand-crafted set of parameters (encryption, HMAC, key length etc.).

Now I tried to move this setup to ipsec.conf by spelling out the
complete line for every VPN like this:

ike active esp tunnel from a.b.c.d to e.f.g.h peer u.v.w.x main auth
hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group
modp1024 psk xyz


When I start isakmpd and configure these VPNs with ipsecctl -f
/etc/ipsec.conf, all VPNs come up properly.


But: after a while, some VPNs stop working. tcpdump of isakmpd.pcap
shows that the remote end tries to establish phase-1 with the same
parameters that were used when my side (OpenBSD) established phase-1,
but is rejected with 'NO PROPOSAL CHOSEN'.

After setting the isakmpd debug level, daemon.log reveals:

Jan 12 14:00:09 q-dsl isakmpd[31387]: exchange_setup_p1: 0x8a499400
peer-u.v.w.x Default-phase-1-configuration policy responder phase 1 doi
1 exchange 2 step 0


This seems to indicate that for the incoming ID_PROT exchange the
Default-phase-1-configuration is used, and the info from ipsec.conf is
ignored.

I found other instances in the logfile where the remote end
re-established phase-1 successfully by initiating an ID_PROT
exchange. In these cases the debug message looks like:

Jan 12 14:00:05 q-dsl isakmpd[31387]: exchange_setup_p1: 0x841b2700
peer-u.v.w.x phase1-peer-u.v.w.x policy responder phase 1 doi 1 exchange
2 step 0


I'm with you if you think the above text is rather confused, I apologize
for that, I tried my very best :-)

But you could do me a favour if you answered the following questions:

1. Is it OK that the remote end initiates a phase-1 ID_PROT exchange for
a VPN which I have defined as 'active' in my ipsec.conf?

2. If the answer is yes, am I right to expect that isakmpd uses the
parameters I have specified for this VPN in ipsec.conf, finding the line
with peer u.v.w.x = <sender's IP>?



Thank you for your patience.



Regards

Christoph
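The following script is an added example and not part of Christoph's mail or of isakmpd itself. It shows one way to sift a daemon.log full of isakmpd debug output for exactly the symptom described above: incoming (responder-side) phase-1 exchanges that were set up with Default-phase-1-configuration instead of the peer-specific phase1-peer-<ip> section that ipsecctl generates. The field order in the regular expression (exchange pointer, exchange name, phase-1 configuration section, then "policy <role> phase 1 doi ... exchange ... step ...") is assumed from the two lines quoted in the mail; the first two sample lines are those quoted lines rejoined onto single lines, the third is a constructed initiator line added for contrast.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample. Lines 1 and 2 are the two debug lines quoted in the
# mail (rejoined onto single lines); line 3 is a made-up initiator line so
# the example has a non-responder case to distinguish.
SAMPLE_LOG = """\
Jan 12 14:00:05 q-dsl isakmpd[31387]: exchange_setup_p1: 0x841b2700 peer-u.v.w.x phase1-peer-u.v.w.x policy responder phase 1 doi 1 exchange 2 step 0
Jan 12 14:00:09 q-dsl isakmpd[31387]: exchange_setup_p1: 0x8a499400 peer-u.v.w.x Default-phase-1-configuration policy responder phase 1 doi 1 exchange 2 step 0
Jan 12 14:00:11 q-dsl isakmpd[31387]: exchange_setup_p1: 0x8a4a0000 peer-u.v.w.x phase1-peer-u.v.w.x policy initiator phase 1 doi 1 exchange 2 step 0
"""

# Assumed layout of the exchange_setup_p1 line, read off the quoted output:
#   exchange_setup_p1: <ptr> <exchange name> <phase-1 config section>
#   policy <initiator|responder> phase 1 doi <n> exchange <n> step <n>
P1_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ isakmpd\[\d+\]: exchange_setup_p1: "
    r"(?P<xchg>0x[0-9a-f]+) (?P<name>\S+) (?P<config>\S+) policy "
    r"(?P<role>initiator|responder) phase 1 doi (?P<doi>\d+) "
    r"exchange (?P<exchange>\d+) step (?P<step>\d+)$"
)

# The fallback section name seen in the mail when ipsec.conf was ignored.
DEFAULT_P1 = "Default-phase-1-configuration"


class Phase1Setup(NamedTuple):
    timestamp: str
    peer: str       # exchange name, e.g. "peer-u.v.w.x"
    config: str     # phase-1 configuration section isakmpd applied
    role: str       # "initiator" or "responder"
    exchange: int   # ISAKMP exchange type; 2 is ID_PROT (main mode)


def parse_phase1_setups(log_text: str) -> List[Phase1Setup]:
    """Extract every exchange_setup_p1 debug line; ignore everything else."""
    setups = []
    for line in log_text.splitlines():
        m = P1_RE.match(line)
        if not m:
            continue
        setups.append(Phase1Setup(m["ts"], m["name"], m["config"],
                                  m["role"], int(m["exchange"])))
    return setups


def default_fallbacks(setups: List[Phase1Setup]) -> Dict[str, List[str]]:
    """Per peer, the timestamps at which isakmpd answered an incoming
    phase-1 with the default section rather than a peer-specific one.
    A non-empty result for a peer that also has a phase1-peer-<ip>
    section is the mismatch described in the mail."""
    out: Dict[str, List[str]] = defaultdict(list)
    for s in setups:
        if s.role == "responder" and s.config == DEFAULT_P1:
            out[s.peer].append(s.timestamp)
    return dict(out)


def peers_with_specific_config(setups: List[Phase1Setup]) -> List[str]:
    """Peers for which a non-default phase-1 section was seen at least once."""
    return sorted({s.peer for s in setups if s.config != DEFAULT_P1})


if __name__ == "__main__":
    parsed = parse_phase1_setups(SAMPLE_LOG)
    known = set(peers_with_specific_config(parsed))
    for peer, stamps in default_fallbacks(parsed).items():
        flag = "HAS peer-specific section" if peer in known else "no peer-specific section"
        print(f"{peer}: default phase-1 config used as responder at {stamps} ({flag})")
```

Run it against a real daemon.log by replacing SAMPLE_LOG with the file contents (for example `parse_phase1_setups(open("/var/log/daemon").read())`); a peer that appears in both lists is one where the responder path and the initiator path disagree about which phase-1 parameters to offer, which is what produces the NO PROPOSAL CHOSEN seen in the packet capture.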
