Hi, I'm on OpenBSD 6.
I have a simple ipsec config as follows:

    ike esp from 172.16.1.0/24 to 10.10.10.0/24 \
        local 192.168.1.1 \
        peer 192.168.50.1 \
        main auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800 \
        quick auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800 \
        srcid 192.168.1.1 dstid 192.168.50.1 \
        psk "1337" \
        tag XYZ

Tcpdump shows my neighbor sending me multiple encryption options:

    payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
            attribute ENCRYPTION_ALGORITHM = 3DES_CBC
            attribute GROUP_DESCRIPTION = MODP_1024
            attribute HASH_ALGORITHM = SHA
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 00007080
            attribute AUTHENTICATION_METHOD = PRE_SHARED
    payload: TRANSFORM len: 40
        transform: 1 ID: ISAKMP
            attribute ENCRYPTION_ALGORITHM = AES_CBC
            attribute KEY_LENGTH = 128
            attribute GROUP_DESCRIPTION = MODP_1024
            attribute HASH_ALGORITHM = SHA
            attribute LIFE_TYPE = SECONDS
            attribute LIFE_DURATION = 00007080
            attribute AUTHENTICATION_METHOD = PRE_SHARED

However, OpenBSD seems to be unable to pick the right one? As per my logs:

    isakmpd[5246]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
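
Added example (not part of the original post and not isakmpd's code): a Python check that parses the two TRANSFORM payloads from the capture above and compares each one, attribute by attribute, with the phase 1 ("main") parameters of the posted config. The name mapping (hmac-sha1 to SHA, aes-128 to AES_CBC with KEY_LENGTH 128, modp1024 to MODP_1024, psk to PRE_SHARED) and reading LIFE_DURATION as hexadecimal are assumptions.

```python
import re

# Constructed sample: the two TRANSFORM payloads quoted in the post.
CAPTURE = """\
payload: TRANSFORM len: 36
  transform: 0 ID: ISAKMP
    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute HASH_ALGORITHM = SHA
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 00007080
    attribute AUTHENTICATION_METHOD = PRE_SHARED
payload: TRANSFORM len: 40
  transform: 1 ID: ISAKMP
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute KEY_LENGTH = 128
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute HASH_ALGORITHM = SHA
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 00007080
    attribute AUTHENTICATION_METHOD = PRE_SHARED
"""

# Assumption: the "main" line of the posted config, in the names tcpdump prints.
POLICY = {"ENCRYPTION_ALGORITHM": "AES_CBC", "KEY_LENGTH": "128",
          "HASH_ALGORITHM": "SHA", "GROUP_DESCRIPTION": "MODP_1024",
          "AUTHENTICATION_METHOD": "PRE_SHARED", "LIFE_DURATION": 28800}

def parse_transforms(text):
    """Return {transform number: {attribute: value}} from tcpdump-style text."""
    transforms, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*transform:\s*(\d+)", line)
        attr = re.match(r"\s*attribute\s+(\w+)\s*=\s*(\S+)", line)
        if head:
            current = transforms.setdefault(int(head.group(1)), {})
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return transforms

def mismatches(offered, policy=POLICY):
    """List (attribute, got, expected) for each policy attribute the offer fails."""
    got = dict(offered)
    if "LIFE_DURATION" in got:
        got["LIFE_DURATION"] = int(got["LIFE_DURATION"], 16)  # assumed hex: 0x7080
    return [(k, got.get(k), v) for k, v in policy.items() if got.get(k) != v]

for num, attrs in parse_transforms(CAPTURE).items():
    print("transform", num, mismatches(attrs) or "matches the posted main policy")
```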