On 04/18/17 at 14:08, Bob Jones wrote:
> Hi,
>
> I have the below in my ipsec.conf :
> ike esp from 198.51.100.0/24 to 10.20.30.0/24 \
> local 198.51.100.15 \
> peer 203.0.113.114 \
> main auth hmac-sha2-512 enc aes-256-gcm group modp8192 lifetime 14400
> \
^^^^^^^^^^^
This is not supported. Look at ipsec.conf(5):
aes-256-gcm     288 bits    [phase 2 only, IKE only]
in main, you can only use aes-256. To use aes-256-gcm, you need an
additional line like
quick auth hmac-sha2-512 enc aes-256-gcm group modp8192 lifetime 14400
hth,
Marc
> srcid 198.51.100.15 dstid 203.0.113.114 \
> psk "MY_SECRET" \
> tag MY_TAG
>
> Running "doas ipsecctl -nf /etc/ipsec.conf" (to validate the config)
> yields no errors.
>
> But running "doas ipsecctl -f /etc/ipsec.conf" (to load the config) yields:
>
> ipsecctl: illegal transform aes-256-gcm
> ipsecctl: failed to add ike rule 0
>
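The thread shows that "ipsecctl -n" only checks the grammar: it accepts aes-256-gcm in the phase 1 (main) transform, and the rule is rejected only when isakmpd is asked to load it. The script below is an added example, not part of the thread and not an OpenBSD tool: a small pre-flight lint that joins backslash-continued rules, isolates the phase 1 segment of each ike rule (after "main"/"aggressive", before "quick") and flags an AES-GCM cipher there, since ipsec.conf(5) marks the aes-*-gcm transforms as phase 2 only. The function names, the two constructed sample configs (the rule as posted, and a rewrite following the reply above: aes-256 in main, aes-256-gcm moved to a quick line) and the temp-file handling are all assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight lint for ipsec.conf(5) rules, flagging an AES-GCM
# cipher in the phase 1 (main/aggressive) transform. Not an OpenBSD tool;
# the final check is still "ipsecctl -f" on the real host.

# check_ike_phase1_gcm FILE
# Prints one finding per offending rule; returns 1 if any were found, else 0.
check_ike_phase1_gcm() {
    awk '
    # Join physical lines that end in a backslash into one logical rule,
    # remembering the physical line where the rule started.
    /\\[ \t]*$/ {
        if (buf == "") start = NR
        sub(/\\[ \t]*$/, "")
        buf = buf $0 " "
        next
    }
    {
        if (buf == "") start = NR
        rule = buf $0
        buf = ""
        sub(/#.*/, "", rule)                    # drop trailing comments
        if (rule !~ /(^|[ \t])ike[ \t]/) next   # only ike rules carry transforms
        # Phase 1 segment: from main/aggressive up to the quick keyword, if any.
        if (match(rule, /(^|[ \t])(main|aggressive)[ \t]/)) {
            mode = substr(rule, RSTART, RLENGTH)
            gsub(/[ \t]/, "", mode)
            seg = substr(rule, RSTART)
            if (match(seg, /[ \t]quick[ \t]/)) seg = substr(seg, 1, RSTART)
            if (match(seg, /enc[ \t]+aes-(128|192|256)-gcm/)) {
                bits = substr(seg, RSTART + RLENGTH - 7, 3)
                printf("%s: line %d: enc aes-%s-gcm is phase 2 only; use \"enc aes-%s\" in %s and put the GCM transform on a quick line\n",
                       FILENAME, start, bits, bits, mode)
                bad++
            }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the rule as posted in the thread (AES-GCM in main).
write_bad_sample() {
    cat > "$1" <<'EOF'
ike esp from 198.51.100.0/24 to 10.20.30.0/24 \
    local 198.51.100.15 peer 203.0.113.114 \
    main auth hmac-sha2-512 enc aes-256-gcm group modp8192 lifetime 14400 \
    srcid 198.51.100.15 dstid 203.0.113.114 psk "MY_SECRET" tag MY_TAG
EOF
}

# Constructed sample: aes-256 in main, aes-256-gcm moved to a quick transform.
write_good_sample() {
    cat > "$1" <<'EOF'
# phase 1 uses plain AES, phase 2 carries the AEAD cipher
ike esp from 198.51.100.0/24 to 10.20.30.0/24 \
    local 198.51.100.15 peer 203.0.113.114 \
    main auth hmac-sha2-512 enc aes-256 group modp8192 lifetime 14400 \
    quick auth hmac-sha2-512 enc aes-256-gcm group modp8192 lifetime 14400 \
    srcid 198.51.100.15 dstid 203.0.113.114 psk "MY_SECRET" tag MY_TAG
EOF
}

# Stand-alone demonstration on both samples.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
write_bad_sample "$tmp"
if check_ike_phase1_gcm "$tmp"; then echo "posted rule: no findings (unexpected)"; else echo "posted rule: flagged"; fi
write_good_sample "$tmp"
if check_ike_phase1_gcm "$tmp"; then echo "rewritten rule: clean"; else echo "rewritten rule: flagged (unexpected)"; fi
```

Run it against a copy of /etc/ipsec.conf before "ipsecctl -f"; a non-zero exit means at least one ike rule carries aes-*-gcm in its phase 1 transform. It deliberately checks nothing else, so a clean run is not a substitute for loading the file.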