On 2013-09-26, Daniel Polak <dan...@sys.nl> wrote:
> On a computer running OpenBSD 5.3 I am migrating from an
> isakmpd.conf based configuration to an ipsec.conf based configuration.
>
> The tunnel comes up and works correctly when using isakmpd.conf but I
> can't get the tunnel to come up when I use ipsec.conf.
> As far as I can see ipsec.conf contains the same settings as the
> settings that are in isakmpd.conf.
>
> The error message when using ipsec.conf is: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC.
> This means the proposal from the peer does not match the configuration
> added by ipsecctl and isakmpd is trying to use its default settings.
>
> I've double-checked the settings in ipsec.conf and especially the IP
> addresses. I have also looked at the packets and the isakmpd debug
> output but all I can see is the peer offering a proposal that matches
> what is in ipsec.conf.
>
> I'd like to see how isakmpd interprets the settings in ipsec.conf and
> isakmpd.conf and would like to compare those interpretations.
>
> ipsecctl -nvf /etc/ipsec.conf shows the settings from ipsec.conf as they
> would be used by isakmpd but I don't see how to do the same with isakmpd.conf.
>
> How can I get the settings from isakmpd.conf and ipsec.conf in the same
> format so I can compare them?
isakmpd does not interpret settings in ipsec.conf *at all*; ipsecctl
converts them into control commands which generate isakmpd.conf sections.

to compare, you'll need to adjust the format manually; ipsecctl -nvf
outputs a bunch of lines like this:

C set [sectionname]:variable1=setting1
C set [sectionname]:variable2=setting2
C set [sectionname]:variable3=setting3

which equate to isakmpd.conf entries like this:

[sectionname]
variable1=setting1
variable2=setting2
variable3=setting3
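
Added example (not part of the original thread, and not code from ipsecctl or isakmpd): a small sh/awk filter that does the manual regrouping described in the reply, turning "C set [section]:tag=value" lines into isakmpd.conf-style sections that can be compared with a hand-written isakmpd.conf. The function names, the sample lines and the stripping of a trailing " force" token are assumptions of this example.

```sh
#!/bin/sh
# Regroup "C set [section]:tag=value" lines (the form ipsecctl -nvf
# prints, per the reply above) into isakmpd.conf-style sections.
# Real use would be:  ipsecctl -nvf /etc/ipsec.conf | ctl_to_conf

ctl_to_conf() {
    awk '
    /^C set \[/ {
        line = substr($0, 7)                 # drop the leading "C set "
        close_br = index(line, "]:")         # end of the section name
        if (close_br == 0) next              # not section:tag=value, skip
        section = substr(line, 2, close_br - 2)
        entry = substr(line, close_br + 2)   # "tag=value"
        # Assumption: a trailing " force" word is a control-command
        # modifier and not part of the value, so it is dropped.
        sub(/ force$/, "", entry)
        if (!(section in seen)) {            # remember first-seen order
            seen[section] = 1
            order[++n] = section
        }
        body[section] = body[section] entry "\n"
    }
    END {
        for (i = 1; i <= n; i++)
            printf "[%s]\n%s\n", order[i], body[order[i]]
    }'
}

# Constructed sample input (illustrative section names, documentation
# address); the lines are deliberately interleaved to show the grouping.
sample_ctl() {
    cat <<'EOF'
C set [example-peer]:Phase=1 force
C set [example-transform]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [example-peer]:Address=192.0.2.1 force
C set [example-transform]:HASH_ALGORITHM=SHA force
EOF
}

sample_ctl | ctl_to_conf
```

Lines that do not start with "C set [" are ignored, so any other control commands in the output still need to be checked by hand.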