Hi,
I'm on OpenBSD 6.
I have a simple ipsec config as follows:
ike esp from 172.16.1.0/24 to 10.10.10.0/24 \
local 192.168.1.1 \
peer 192.168.50.1 \
main auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800 \
quick auth hmac-sha1 enc aes-128 group modp1024 lifetime 28800 \
srcid 192.168.1.1 dstid 192.168.50.1 \
psk "1337" \
tag XYZ
Tcpdump shows my neighbor sending me multiple encryption options:
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute GROUP_DESCRIPTION = MODP_1024
attribute HASH_ALGORITHM = SHA
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00007080
attribute AUTHENTICATION_METHOD = PRE_SHARED
payload: TRANSFORM len: 40
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute GROUP_DESCRIPTION = MODP_1024
attribute HASH_ALGORITHM = SHA
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 00007080
attribute AUTHENTICATION_METHOD = PRE_SHARED
However, OpenBSD seems to be unable to pick the right one? As per my logs:
isakmpd[5246]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
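An added example, not part of the post above, that models how a responder walks a peer's phase 1 proposals in order against its own policy: each transform that fails gets a rejection line in the shape of the isakmpd attribute_unacceptable message, and the first transform that matches every policy attribute is the one selected. The input is constructed from the tcpdump excerpt quoted in the post (lifetime attributes left out), and the policy is derived from the "main" line of the ipsec.conf shown; the function names are the example's own.

```python
import re
# Constructed from the tcpdump isakmp output quoted in the post; the
# lifetime attributes are omitted because they are not part of the match.
TCPDUMP_OUTPUT = """\
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute GROUP_DESCRIPTION = MODP_1024
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute KEY_LENGTH = 128
attribute GROUP_DESCRIPTION = MODP_1024
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
"""

# Local phase 1 policy from "main auth hmac-sha1 enc aes-128 group modp1024" + psk.
LOCAL_POLICY = {
    "ENCRYPTION_ALGORITHM": "AES_CBC",
    "KEY_LENGTH": "128",
    "GROUP_DESCRIPTION": "MODP_1024",
    "HASH_ALGORITHM": "SHA",
    "AUTHENTICATION_METHOD": "PRE_SHARED",
}

def parse_transforms(text):
    """Return [(transform_number, {attribute: value}), ...] in proposal order."""
    transforms = []
    for line in text.splitlines():
        m = re.match(r"\s*transform: (\d+) ID:", line)
        if m:
            transforms.append((int(m.group(1)), {}))
        m = re.match(r"\s*attribute (\w+) = (\S+)", line)
        if m and transforms:
            transforms[-1][1][m.group(1)] = m.group(2)
    return transforms

def select_transform(text, policy=LOCAL_POLICY):
    """Walk the peer's proposals like a responder; return (number of the first
    acceptable transform or None, list of rejection lines for the others)."""
    log = []
    for number, attrs in parse_transforms(text):
        bad = [n for n, want in policy.items() if attrs.get(n) != want]
        if not bad:
            return number, log
        log.append(f"attribute_unacceptable: {bad[0]}: got "
                   f"{attrs.get(bad[0])}, expected {policy[bad[0]]}")
    return None, log
```

Run against the quoted excerpt, transform 0 produces exactly the rejection line from the post and transform 1 is selected, so a single mismatch line for one transform does not by itself show which transform, if any, the responder finally accepted; the lines that follow it in the log do.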