Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2016-01-03 Thread Stuart Henderson
On 2016-01-03, Julian Hsiao wrote:
> On 2016-01-02 13:18:15 +, Stuart Henderson said:
>
>> See isakmpd.policy(5). It's an utter pain but it's necessary in order to
>> secure things with isakmpd.
>
> Right, I eventually figured that out by having isakmpd dump out the
>

Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2016-01-02 Thread Stuart Henderson
On 2015-12-31, Julian Hsiao wrote:
> Hi,
>
> I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and
> obsd2 (192.168.0.2).
>
> ipsec.conf on obsd1:
>
> ike passive esp transport \
> from 192.168.0.1 to any \
> main auth hmac-sha2-256 enc aes-128 group

Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2016-01-02 Thread Julian Hsiao
On 2016-01-02 13:18:15 +, Stuart Henderson said:
> See isakmpd.policy(5). It's an utter pain but it's necessary in order to
> secure things with isakmpd.

Right, I eventually figured that out by having isakmpd dump out the
isakmpd.conf(5) equivalent config. Turns out "ike passive [...]" is

Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2015-12-31 Thread Julian Hsiao
I restart isakmpd on both hosts whenever I change ipsec.conf, and check that
ipsecctl -s sa is empty afterwards. To be sure, I just tried rebooting both
hosts--surely the SAD doesn't persist across reboot--and I got the same results.

On 2015-12-31 07:34:25 +, Philipp Buehler said:
> Am

IPsec IKEv1 accepts non-matching phase 2 parameters

2015-12-30 Thread Julian Hsiao
Hi,

I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and
obsd2 (192.168.0.2).

ipsec.conf on obsd1:

ike passive esp transport \
from 192.168.0.1 to any \
main auth hmac-sha2-256 enc aes-128 group modp8192 \
quick auth hmac-sha2-256 enc aes-128 group modp8192 \
psk

Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2015-12-30 Thread Philipp Buehler
On 31.12.2015 06:56 Julian Hsiao wrote:
> How do I configure isakmpd such that phase 2 parameters must also match on
> both ends in order to establish security associations?

Just a guess, but do:

echo r > /var/run/isakmpd.fifo

and look into the /var/run/isakmpd.report

My bet is, that you had a