Hello.
I am trying to establish an ipsec connection in transport mode between two
hosts located in the same LAN, using PSK for authentication and ikev1 for
automatic keying. So far, my attempts have resulted in failure.
Host A ( 192.168.1.11 ) runs OpenBSD 6.1 and uses the following
configurations:
/etc/ipsec.conf
    ike passive esp transport from 192.168.1.11 to 192.168.1.12 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group modp1024 \
        psk "test"
/etc/rc.conf.local
    isakmpd_flags=-K -T
    ipsec=YES
Host B ( 192.168.1.12 ) runs Knoppix 7.7.1, Strongswan 5.5.0, and uses the
following configurations:
/etc/ipsec.conf
    [...]
    conn test
        left=192.168.1.12
        right=192.168.1.11
        authby=secret
        auto=start
        type=transport
        ike=aes-sha1-modp1024
        esp=aes-sha1-modp1024
        compress=no
/etc/ipsec.secrets
    192.168.1.12 192.168.1.11 : PSK "test"
This shows up in /var/log/messages on Host A when establishing ipsec between
both hosts is attempted:
    May 10 16:57:39 server isakmpd[37746]: isakmpd: starting
    May 10 16:57:58 server isakmpd[4052]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
    May 10 16:57:58 server isakmpd[4052]: message_negotiate_sa: no compatible proposal found
    May 10 16:57:58 server isakmpd[4052]: dropped message from 192.168.1.12 port 500 due to notification type NO_PROPOSAL_CHOSEN
Notice that isakmpd is expecting 3DES, when I configured the connection to
use aes at both ends. More worrisome: when I configure Host B to use
3DES for phase 1, isakmpd complains because it was offered PSK, but RSA_SIG
was expected! This leads me to believe that isakmpd is ignoring the
configuration parameters.
Any help is appreciated.
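As an added example, not part of the original post or of either project's code: the Python script below parses the two configurations quoted above (embedded here as constructed copies), maps the OpenBSD ipsec.conf(5) algorithm names and the strongSwan proposal strings onto one vocabulary, and reports any proposal, mode, endpoint or authentication mismatch between the two sides. It also takes an isakmpd `attribute_unacceptable` log line and checks whether the algorithm the running daemon says it expected is even present in the local ipsec.conf; when it is not, the daemon is negotiating with a policy other than the one in that file. The algorithm-name tables cover only the names used on this page plus a few common ones and are an assumption; the parsers handle a single `ike` rule and the first proposal of a strongSwan list.

```python
import re

# Constructed copies of the two configurations quoted in the post.
OPENBSD_IPSEC_CONF = """\
ike passive esp transport from 192.168.1.11 to 192.168.1.12 \\
    main auth hmac-sha1 enc aes group modp1024 \\
    quick auth hmac-sha1 enc aes group modp1024 \\
    psk "test"
"""

STRONGSWAN_IPSEC_CONF = """\
conn test
    left=192.168.1.12
    right=192.168.1.11
    authby=secret
    auto=start
    type=transport
    ike=aes-sha1-modp1024
    esp=aes-sha1-modp1024
    compress=no
"""

# The first error line from the post, with the word-wrap artefact repaired.
SAMPLE_LOG = ("May 10 16:57:58 server isakmpd[4052]: attribute_unacceptable: "
              "ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC")

# Assumed mapping of each side's spelling onto a shared vocabulary. OpenBSD's
# bare "aes" and strongSwan's bare "aes" both mean AES with a 128-bit key.
OPENBSD_ALG = {"hmac-sha1": "sha1", "hmac-sha2-256": "sha256", "hmac-md5": "md5",
               "aes": "aes128", "aes-128": "aes128", "aes-256": "aes256", "3des": "3des"}
STRONGSWAN_ALG = {"sha1": "sha1", "sha256": "sha256", "md5": "md5",
                  "aes": "aes128", "aes128": "aes128", "aes256": "aes256", "3des": "3des"}

LOG_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")


def parse_openbsd_ike(text):
    """Return the first 'ike' rule as a dict (mode, proto, encap, from, to, main, quick, psk)."""
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "ike":
            continue
        rule = {"main": {}, "quick": {}}
        phase, i = None, 1
        while i < len(tokens):
            t = tokens[i]
            if t in ("passive", "active", "dynamic"):
                rule["mode"] = t
            elif t in ("esp", "ah"):
                rule["proto"] = t
            elif t in ("transport", "tunnel"):
                rule["encap"] = t
            elif t in ("from", "to", "peer"):
                rule[t] = tokens[i + 1]
                i += 1
            elif t in ("main", "quick"):
                phase = t
            elif t in ("auth", "enc", "group") and phase:
                rule[phase][t] = tokens[i + 1]
                i += 1
            elif t == "psk":  # PSKs containing whitespace are not handled
                rule["psk"] = tokens[i + 1].strip('"')
                i += 1
            i += 1
        return rule
    raise ValueError("no ike rule found")


def parse_strongswan_conn(text, name):
    """Return the key=value settings of 'conn <name>' from a strongSwan ipsec.conf."""
    settings, in_conn = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] in ("conn", "ca", "config"):
            in_conn = stripped == f"conn {name}"
            continue
        if in_conn and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    if not settings:
        raise ValueError(f"conn {name} not found")
    return settings


def split_proposal(spec):
    """'aes-sha1-modp1024' -> {'enc': 'aes128', 'auth': 'sha1', 'group': 'modp1024'}."""
    parts = spec.split(",")[0].split("-")  # only the first proposal is considered
    return {"enc": STRONGSWAN_ALG.get(parts[0], parts[0]),
            "auth": STRONGSWAN_ALG.get(parts[1], parts[1]) if len(parts) > 1 else None,
            "group": parts[2] if len(parts) > 2 else None}


def compare_configs(bsd_text, sw_text, conn):
    """List every disagreement between the two written configurations; [] means they agree."""
    bsd, sw = parse_openbsd_ike(bsd_text), parse_strongswan_conn(sw_text, conn)
    problems = []
    if (sw.get("left"), sw.get("right")) != (bsd.get("to"), bsd.get("from")):
        problems.append("endpoints: strongSwan left/right must mirror OpenBSD to/from")
    if sw.get("type", "tunnel") != bsd.get("encap", "tunnel"):  # both default to tunnel
        problems.append(f"mode: {sw.get('type', 'tunnel')} vs {bsd.get('encap', 'tunnel')}")
    if sw.get("authby") == "secret" and "psk" not in bsd:
        problems.append("auth: strongSwan uses a PSK but the OpenBSD rule has no psk")
    for sw_key, phase in (("ike", "main"), ("esp", "quick")):  # phase 1, then phase 2
        want = split_proposal(sw[sw_key])
        have = {k: OPENBSD_ALG.get(v, v) for k, v in bsd[phase].items()}
        for attr in ("enc", "auth", "group"):
            if want.get(attr) != have.get(attr):
                problems.append(f"{phase}: {attr} {have.get(attr)} (OpenBSD) vs {want.get(attr)} (strongSwan)")
    return problems


def expected_in_local_config(log_line, bsd_text):
    """For an isakmpd attribute_unacceptable line, return (attribute, got, expected, bool)
    where the bool says whether the *expected* cipher family is the phase 1 'enc' in the file."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    attr, got, expected = m.groups()
    family = expected.lower().split("_")[0]                      # '3DES_CBC' -> '3des'
    local = parse_openbsd_ike(bsd_text)["main"].get("enc", "").split("-")[0]  # 'aes-256' -> 'aes'
    return attr, got, expected, family == local


if __name__ == "__main__":
    print("config mismatches:", compare_configs(OPENBSD_IPSEC_CONF, STRONGSWAN_IPSEC_CONF, "test"))
    print("log line vs local file:", expected_in_local_config(SAMPLE_LOG, OPENBSD_IPSEC_CONF))
```

Run against the two configurations from the post, the comparison returns an empty list, while the log check reports that 3DES is not the phase 1 cipher written in the local file, which separates "the two files disagree" from "the daemon is not using the file" before any packet capture is needed.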