troubleshooting shrew vpn client with ipsec.conf

2011-12-15 Thread nuffnough
I am converting over to ipsec.conf from isakmpd.conf|policy.

I have a default vpn configuration to allow people from their home pc
to access.   Under isakmpd.conf it works perfectly well.  I can use
any number of settings,  including the desired aes-256 for both phase
1 and phase 2.

My isakmpd.conf sections:

[Phase 1]
Default=ISAKMP-peer-default
61.62.63.64=  ISAKMP-peer-default

Passive-Connections=IPsec-default

[ISAKMP-peer-default]
Phase=  1
Transport=  udp
Local-address=  61.62.63.64
Configuration=  AES-main-mode
Authentication= redacted

[IPsec-default]
Phase=  2
ISAKMP-peer=ISAKMP-peer-default
Configuration=  Default-quick-mode
Local-ID=   Net-corp

[Net-corp]
ID-type=IPV4_ADDR_SUBNET
Network=10.10.10.0
Netmask=255.255.255.0

[AES-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= AES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE


I put the following into my ipsec.conf:

ike dynamic from any to 10.10.10.0/24 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk redacted



I've tried changing the settings to hmac-sha2-256 and aes-256, and I've
tried changing the client settings to everything from auto through
128, 192 and 256.  Nothing seems to work.


The debug when I try to connect does show phase 1 done,  but later
says it's been told to delete the session.  See below.

It does not seem to matter what settings I change in the vpn client
config,  I cannot get it to maintain this connection.

What is the difference between the ipsec.conf and isakmpd.conf tunnels?

What is telling isakmpd to delete this SA?



040442.728781 Exch 10 exchange_finalize: phase 1 done: initiator id
192.168.1.9, responder id fw.example.com, src: 61.62.63.64 dst:
43.100.100.77
040442.728808 Timr 10 timer_add_event: event
sa_soft_expire(0x8b057000) added last, expiration in 74131s
040442.728819 SA   80 sa_reference: SA 0x8b057000 now has 5 references
040442.728838 Timr 10 timer_add_event: event
sa_hard_expire(0x8b057000) added last, expiration in 86400s
040442.728849 SA   80 sa_reference: SA 0x8b057000 now has 6 references
040442.728861 SA   80 sa_release: SA 0x8b057000 had 6 references
040442.770769 Trpt 70 transport_setup: added 0x87a3c0c0 to transport list
040442.770808 Trpt 70 transport_setup: added 0x87a3c1c0 to transport list
040442.770821 Trpt 50 virtual_clone: old 0x89f49e40 new 0x87a3c2c0
(main is 0x87a3c0c0)
040442.770832 Trpt 70 transport_setup: virtual transport 0x87a3c2c0
040442.770846 Mesg 90 message_alloc: allocated 0x86887100
040442.770858 Mesg 70 message_recv: message 0x86887100
040442.770871 Mesg 70 ICOOKIE: 864ee9d5f19da22f
040442.770885 Mesg 70 RCOOKIE: db55da1a362c3ba3
040442.770896 Mesg 70 NEXT_PAYLOAD: HASH
040442.770909 Mesg 70 VERSION: 16
040442.770920 Mesg 70 EXCH_TYPE: INFO
040442.770931 Mesg 70 FLAGS: [ ENC ]
040442.770943 Mesg 70 MESSAGE_ID: f09ac655
040442.770954 Mesg 70 LENGTH: 92
040442.770978 Mesg 70 message_recv: 864ee9d5 f19da22f db55da1a
362c3ba3 08100501 f09ac655 005c 2cf32098
040442.771002 Mesg 70 message_recv: df99aee4 72eb2103 30579627
a79aac92 3029017f 53433540 0af8aaea 2e464200
040442.771024 Mesg 70 message_recv: fa2d9ad3 1b156485 b4bcf4f2
4befc80a 68c3a13d 07a57a34 cbbfe575
040442.771036 SA   80 sa_reference: SA 0x8b057000 now has 6 references
040442.771053 Cryp 60 hash_get: requested algorithm 1
040442.771063 Cryp 80 ipsec_get_keystate: final phase 1 IV:
040442.771079 Cryp 80 e1859bae f2a4943b 98d51085 c2d0d538
040442.771089 Cryp 80 ipsec_get_keystate: message ID:
040442.771100 Cryp 80 f09ac655
040442.771117 Cryp 50 crypto_init_iv: initialized IV:
040442.771134 Cryp 50 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771144 Cryp 80 ipsec_get_keystate: phase 2 IV:
040442.771161 Cryp 80 1019151c c500b0c4 eedeef0b 890f3dfd
040442.771171 Cryp 70 crypto_decrypt: before decryption:
040442.771194 Cryp 70 2cf32098 df99aee4 72eb2103 30579627 a79aac92
3029017f 53433540 0af8aaea
040442.771217 Cryp 70 2e464200 fa2d9ad3 1b156485 b4bcf4f2 4befc80a
68c3a13d 07a57a34 cbbfe575
040442.771231 Cryp 70 crypto_decrypt: after decryption:
040442.771255 Cryp 70 0c18 9d93aa16 924a5147 05435224 1f50245c
6bb1cfe2 001c 0001
040442.771279 Cryp 70 0111 864ee9d5 f19da22f db55da1a 362c3ba3
040442.771291 Mesg 50 message_parse_payloads: offset 28 payload HASH
040442.771303 Mesg 50 message_parse_payloads: offset 52 payload DELETE
040442.771316 Mesg 60 message_validate_payloads: payload HASH at
0x8688779c of message 0x86887100
040442.771326 Mesg 70 DATA:
040442.771337 Cryp 60 hash_get: requested algorithm 1
040442.771347 Misc 90 message_validate_hash: SKEYID_a:
040442.771365 Misc 90 540cb39d 7776c123 4049eda1 

Re: troubleshooting shrew vpn client with ipsec.conf

2011-12-15 Thread Stuart Henderson
On 2011-12-15, nuffnough nuffno...@gmail.com wrote:

> ike dynamic from any to 10.10.10.0/24 \

try: ike passive esp from 10.10.10.0/24 to any
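For comparison, the rule from the question beside the passive form Stuart suggests, with the original's transforms carried over (an added illustration, not configuration from either poster; the quick-mode group, mirroring the PFS suite in the old isakmpd.conf, and the placeholder PSK are assumptions):

```conf
# Rule from the question: "dynamic" is an initiating mode, and the
# addresses are written remote-first, which is not what a gateway that
# sits and waits for road-warrior clients needs.
#
# ike dynamic from any to 10.10.10.0/24 \
#     main auth hmac-sha1 enc aes group modp1024 \
#     quick auth hmac-sha1 enc aes \
#     psk redacted

# Responder-style rule in the form Stuart suggests: "passive" makes
# isakmpd wait for the peer to initiate, "esp" names the encapsulation,
# and the flow is written from the gateway's side (local network first,
# remote peer "any" second, since client addresses are not known ahead).
ike passive esp from 10.10.10.0/24 to any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk "REPLACE-WITH-REAL-PSK"

# To get the aes-256 / hmac-sha2-256 transforms the poster wanted,
# substitute "enc aes-256" and "auth hmac-sha2-256" in both phases;
# the client must offer the same proposal.
```

Parse the result without loading it, as Stuart's follow-up suggests, with ipsecctl -nvf /etc/ipsec.conf, which prints the expanded rule so the direction and transforms can be checked before reloading.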



Re: troubleshooting shrew vpn client with ipsec.conf

2011-12-15 Thread Stuart Henderson
ps. ipsecctl -nvf /etc/ipsec.conf