Hi,

I'm on OpenBSD 6.

I have a simple ipsec config as follows:

ike esp from 172.16.1.0/24 to 10.10.10.0/24 \
        local 192.168.1.1 \
        peer 192.168.50.1 \
        main auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800 \
        quick auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800\
        srcid 192.168.1.1 dstid 192.168.50.1 \
        psk "1337" \
        tag XYZ


Tcpdump shows my neighbor sending me multiple encryption options:
                payload: TRANSFORM len: 36
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute HASH_ALGORITHM = SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                payload: TRANSFORM len: 40
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = AES_CBC
                        attribute KEY_LENGTH = 128
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute HASH_ALGORITHM = SHA
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
                        attribute AUTHENTICATION_METHOD = PRE_SHARED


However, OpenBSD seems to be unable to pick the right one? As per my logs:


isakmpd[5246]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC

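An offline check, added here and not part of the original post, that compares each transform in the capture above with the phase 1 ("main") parameters from the config. The attribute mapping in `LOCAL` and the reading of LIFE_DURATION as hexadecimal are assumptions.

```python
import re

# Transform attributes copied from the tcpdump output in the post.
CAPTURE = """
transform: 0 ID: ISAKMP
    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute HASH_ALGORITHM = SHA
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 00007080
    attribute AUTHENTICATION_METHOD = PRE_SHARED
transform: 1 ID: ISAKMP
    attribute ENCRYPTION_ALGORITHM = AES_CBC
    attribute KEY_LENGTH = 128
    attribute GROUP_DESCRIPTION = MODP_1024
    attribute HASH_ALGORITHM = SHA
    attribute LIFE_TYPE = SECONDS
    attribute LIFE_DURATION = 00007080
    attribute AUTHENTICATION_METHOD = PRE_SHARED
"""
# Assumed mapping of the config's "main auth hmac-sha1 enc aes-128 group
# modp1024 lifetime 28800" plus psk onto the attribute names tcpdump prints.
LOCAL = {"ENCRYPTION_ALGORITHM": "AES_CBC", "KEY_LENGTH": "128",
         "GROUP_DESCRIPTION": "MODP_1024", "HASH_ALGORITHM": "SHA",
         "AUTHENTICATION_METHOD": "PRE_SHARED", "LIFE_DURATION": 28800}

def parse_transforms(text):
    """Return {transform_number: {attribute: value}} from tcpdump-style text."""
    transforms, current = {}, None
    for line in text.splitlines():
        t = re.match(r"\s*transform: (\d+) ID: ISAKMP", line)
        a = re.match(r"\s*attribute (\w+) = (\S+)", line)
        if t:
            current = transforms.setdefault(int(t.group(1)), {})
        elif a and current is not None:
            name, value = a.groups()
            # Assumption: LIFE_DURATION is hex without a prefix (0x7080 = 28800).
            current[name] = int(value, 16) if name == "LIFE_DURATION" else value
    return transforms

def mismatches(offer, local=LOCAL):
    """List (attribute, offered, expected) for each attribute that differs."""
    return [(k, offer.get(k), v) for k, v in local.items() if offer.get(k) != v]

def report(text):
    return {n: mismatches(t) for n, t in parse_transforms(text).items()}

if __name__ == "__main__":
    for n, diff in report(CAPTURE).items():
        print(f"transform {n}:", diff if diff else "matches local policy")
```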