Hi,

I am converting a bunch of VPNs from my isakmpd.[conf|policy] files to
ipsec.conf, mostly because it seems they're deprecated, but partly
because I saw an old thread that spoke of functionality I want to
explore.

I figured I should work through them one by one. I got my own VPN
from one site to another working fine, after I figured out that
ipsec.conf doesn't handle a space in the psk.

The next one is a site-to-site VPN from a client. They are using (I
think) a Juniper device to terminate with the following settings:

Client side:
IP Address: 10.10.10.66
Peer: 10.100.1.66
Phase1 DH Group 1
Encryption: AES-256
Authentication: SHA1
Lifetime: 28800 seconds
Phase2 DH Group 2
Encryption: AES-256
Authentication: SHA1
Lifetime: 3600 seconds
Preshared Key: Changed
PFS: enabled

So..... I put into my ipsec.conf:

ike esp from 172.18.18.0/24 to 172.20.20.0/24 \
        local 10.100.1.66 peer 10.10.10.66 \
        #main auth hmac-md5 enc aes-256 group modp768 \
        #main auth hmac-sha1 enc aes-256 group modp768 \
        main auth hmac-sha1 enc aes group modp768 \
        quick auth hmac-sha1 enc aes-256 group modp768 \
        srcid ca...@fw0.example.com \
        psk Changed
Then I start up isakmpd and dump debug to a file and I get weird messages.

# cat ipsec.log | grep unac
044235.728559 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
044255.325011 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
044315.878550 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
044315.878641 Default attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA

As soon as I switch back to my beloved isakmpd.conf (was its syntax
really so complicated?) it comes back up instantly.

Why is ipsec expecting 3DES_CBC? There is no reference to 3des in my config...
Why is it expecting MODP_1024? Or RSA_SIG?
Where is it getting MD5 from?

Changing the hash to md5 doesn't seem to make any difference.  :(

And finally... Does ipsec.conf still parse the policy file to secure
the connections?

Is there a better way?  Or am I wrong in thinking this was a good thing to do?


TIA


nuffi
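An added example (not part of the post or of OpenBSD's own tools) that parses isakmpd's attribute_unacceptable debug lines into a got/expected table and maps each value back to the ipsec.conf(5) main-mode keyword that produces it, so the proposal the peer sent can be compared with what the local side actually loaded. The sample log and the keyword mapping are constructed for this example.

```python
import re

# Constructed sample, modelled on the lines quoted in the post, plus one
# unrelated line to show that other messages are ignored.
SAMPLE_LOG = """\
044235.728559 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
044255.325011 Default attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
044315.878550 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
044315.878641 Default attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
044316.000000 Default exchange_establish: some other message
"""

# Lines wrapped by a mail client must be re-joined before matching.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d+) \S+ attribute_unacceptable: "
    r"(?P<attr>[A-Z_]+): got (?P<got>[A-Z0-9_]+), expected (?P<exp>[A-Z0-9_]+)$"
)

# ISAKMP attribute value -> ipsec.conf(5) 'main' keyword producing it. Assumed
# mapping written for this example; it covers only the values in the post.
KEYWORDS = {
    "ENCRYPTION_ALGORITHM": {"3DES_CBC": "enc 3des", "AES_CBC": "enc aes"},
    "HASH_ALGORITHM": {"MD5": "auth hmac-md5", "SHA": "auth hmac-sha1"},
    "GROUP_DESCRIPTION": {"MODP_768": "group modp768", "MODP_1024": "group modp1024"},
    "AUTHENTICATION_METHOD": {"PRE_SHARED": "psk <key>", "RSA_SIG": "no psk (RSA signatures)"},
}
ORDER = ("AUTHENTICATION_METHOD", "HASH_ALGORITHM", "ENCRYPTION_ALGORITHM", "GROUP_DESCRIPTION")

def parse_mismatches(log_text):
    """Return {attr: (got, expected)}. 'got' is the value in the SA payload
    received from the peer; 'expected' is the value in isakmpd's own loaded
    configuration, i.e. what ipsecctl actually fed it from ipsec.conf."""
    table = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group("attr")] = (m.group("got"), m.group("exp"))
    return table

def proposal(table, side):
    """Reassemble one side's phase 1 proposal as ipsec.conf keywords
    (side 0 = peer's 'got' values, side 1 = local 'expected' values)."""
    return " ".join(KEYWORDS.get(a, {}).get(table[a][side], "?") for a in ORDER if a in table)

if __name__ == "__main__":
    t = parse_mismatches(SAMPLE_LOG)
    for attr, (got, exp) in t.items():
        print(f"{attr:22} peer sent {got:<11} local config has {exp}")
    print("peer proposal  :", proposal(t, 0))
    print("local proposal :", proposal(t, 1))
```

Run it against the real debug file (after unwrapping the lines) to see, side by side, the proposal the peer sent and the one isakmpd is holding for this peer.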