On 2013/03/01 20:16, Loïc BLOT wrote:
> Thanks for the reply Stuart, but:
> - It's a test network, with an offline switch
> - only the two routers are on the switch, with the good VLAN connected
> by one LACP trunk (for each device)
> - isakmp negotiation is from the expected hosts
> - the certificates are default certificates, generated by OpenBSD
>
> What's wrong? I think it's another problem, but the configuration is
> trivial. Two months before I tested it on two KVM hosts and I
> didn't have this problem. Now with servers I have this problem, and many
> guys have this problem but nobody has an answer.
>
> Does someone know how I can switch to AES instead of 3DES?
> Thanks in advance
Your ipsec.conf lines are already set up for AES. To see the isakmpd config sections used, try this:

echo 'ike esp transport from 10.0.0.1 to 10.0.0.2' | ipsecctl -nvf -

The fact that the log shows it expecting 3DES means that the connection attempt isn't matching any of the configuration sections which ipsecctl added to isakmpd, so isakmpd falls back to its built-in default (3DES-SHA-RSA_SIG) and fails because the other side *is* using AES. Mismatching IP addresses is usually the most common reason on multihomed hosts, but there are other possibilities.

Sometimes it helps to tcpdump -vvs1500 -nienc0, sometimes it helps to use "isakmpd -L" to generate a decrypted /var/run/isakmpd.pcap file and examine that with tcpdump -r .. but whatever the cause, the 3DES thing means it is not using your configuration section.
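As an added example (not code from this thread or from OpenBSD), a small sh script that applies the "mismatching IP addresses on multihomed hosts" check from the reply above: it lists the ike rules in a constructed ipsec.conf whose "from" address is not one of the host's own addresses, which is one way to end up with no matching section and the 3DES-SHA-RSA_SIG fallback. The address list and the config text are constructed samples; on a real host they would come from ifconfig and /etc/ipsec.conf.

```shell
#!/bin/sh
# Added example, not code from the thread: report "ike" rules in an
# ipsec.conf whose "from" address is not an address of this host.  Such a
# rule never matches an incoming negotiation, so isakmpd uses its built-in
# default (3DES-SHA-RSA_SIG) instead of the AES transforms ipsecctl loaded.

# Constructed sample of /etc/ipsec.conf: the second rule uses a "from"
# address that this host does not own (e.g. copied from another box).
SAMPLE_CONF='ike esp transport from 10.0.0.1 to 10.0.0.2
ike esp tunnel from 192.0.2.10 to 198.51.100.20
flow esp from 10.0.0.1 to 10.0.0.2'

# Constructed address list; on a real host fill it from ifconfig, e.g.
#   LOCAL_ADDRS=$(ifconfig | awk '/inet /{print $2}')
LOCAL_ADDRS='10.0.0.1 127.0.0.1'

# is_local ADDR: succeed if ADDR is one of LOCAL_ADDRS.
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# check_ike_rules CONF: warn on stderr about each ike rule whose "from"
# address is not local and print the number of such rules on stdout.
check_ike_rules() {
    bad=0
    while read -r kw rest; do
        [ "$kw" = "ike" ] || continue
        from=$(printf '%s\n' "$rest" | sed -n 's/.*from \([^ ]*\).*/\1/p')
        if ! is_local "$from"; then
            echo "ike rule will not match, $from is not local: $kw $rest" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    echo "$bad"
}

check_ike_rules "$SAMPLE_CONF"
```

A non-zero count means at least one rule can never be selected by isakmpd, so the negotiation will hit the built-in default rather than the AES transform you configured.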