Hi, I tried now for 2 days to say isakmpd that I want to have SHA2-256 in Phase1 and AES-256 in Phase2, I read several documents, posts, and .c files - but I'm lost and ready to take some shame not beeing able to accomplish such simple tasks. The system in use is a Soekris 4801 with the VPN1411, OS is base36.tgz+etc36.tgz + custom Kernel (the config was mostly stolen from flashdist and a little bit customized)
Any hints are welcome! regards Philipp --- isakmpd.conf --- Renegotiate-on-HUP= yes Check-interval= 5 DPD-check-interval= 15 Exchange-max-time= 60 #Logverbose= yes #Loglevel= 0=0,1=0,2=0,3=0,4=0,5=0,6=80,7=80,8=80,9=80,10=0 Loglevel= A=90 # Still searching for a reasonable loglevel stanza... # 0 Misc # 1 Transport # 2 Message # 3 Crypto # 4 Timer # 5 Sysdep # 6 SA # 7 Exchange # 8 Negotiation # 9 Policy # 10 FIFO user interface # A All # Certificates stored in PEM format [X509-certificates] CA-directory= /etc/isakmpd/ca/ Cert-directory= /etc/isakmpd/certs/ Private-key= /etc/isakmpd/private/sovereignity.dominion.ch_key.pem # Basics [Phase 1] 212.25.4.5= immunity_p1_ipv4 #2001::1= immunity_p1_ipv6 [Phase 2] Connections= immunity_p2_ipv4 # Phase 1 [immunity_p1_ipv4] Phase= 1 ID= local-ID Remote-ID= remote-ID Configuration= Default-main-mode Address= 212.25.4.5 [local-ID] ID-type= FQDN Name= sovereignity.dominion.ch [remote-ID] ID-type= FQDN Name= immunity.dominion.ch [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= AES256-SHA256-RSA_SIG-EC2N_185-LIFE_10M [AES256-SHA256-RSA_SIG-EC2N_185-LIFE_10M] ENCRYPTION_ALGORITHM= AES_CBC # I'm not get a workiing SHA2-256 here... HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= RSA_SIG GROUP_DESCRIPTION= EC2N_185 KEY_LENGTH= 256,256:256 Life= LIFE_10M # Phase 2 [immunity_p2_ipv4] Phase= 2 ISAKMP-peer= immunity_p1_ipv4 Configuration= Default-quick-mode Local-ID= Host-local Remote-ID= Host-remote [Host-local] ID-type= IPV4_ADDR_SUBNET Network= 212.25.4.24 Netmask= 255.255.255.248 [Host-remote] ID-type= IPV4_ADDR_SUBNET Network= 0.0.0.0 Netmask= 0.0.0.0 [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-SHA2-512-PFS-GRP14-SUITE [QM-ESP-AES-SHA2-512-PFS-GRP14-SUITE] Protocols= QM-ESP-AES-SHA2-512-PFS-GRP14 [QM-ESP-AES-SHA2-512-PFS-GRP14] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-AES-SHA2-512-PFS-GRP14-XF [QM-ESP-AES-SHA2-512-PFS-GRP14-SUITE] Protocols= QM-ESP-AES-SHA2-512-PFS-GRP14 [QM-ESP-AES-SHA2-512-PFS-GRP14] PROTOCOL_ID= IPSEC_ESP Transforms= QM-ESP-AES-SHA2-512-PFS-GRP14-XF [QM-ESP-AES-SHA2-512-PFS-GRP14-XF] TRANSFORM_ID= AES # I tried the KEY_LENGTH also in the upper sections, but it didn't help... KEY_LENGTH= 256,256:256 ENCAPSULATION_MODE= TUNNEL GROUP_DESCRIPTION= HMAC_SHA2-512 Life= LIFE_1h [QM-ESP-AES-SHA2-512-PFS-GRP14-SUITE-XF] KEY_LENGTH= 256,256:256 # Lifetimes [LIFE_1h] LIFE_TYPE= SECONDS LIFE_DURATION= 3600,3300:3900 [LIFE_10M] LIFE_TYPE= KILOBYTES LIFE_DURATION= 10000,7500:12500
