On 2017-10-02, Charles Amstutz <charl...@infinitesys.com> wrote:
> Hello Sterling,
>
> Thanks for the response. I changed it to
>
> ike passive esp transport \
> proto udp from $public_ip to any port 1701 \
> main auth "hmac-sha1" enc "aes-256" group modp1024 \
> quick auth "hmac-sha1" enc "aes-256" \
> PSK "PSK-GOES-HERE"
>
> and still no luck. I found out that Android 8 will connect (using aes). I
> am dumping pflog0 and seeing no blocks. However, that doesn't mean it still
> isn't a potential pf problem I guess. However, if iOS and Android 8 would
> connect, I would think that would rule out a pf problem?
>
> Is there a way to turn on additional debugging? I'm using isakmpd -K in
> rc.conf.local, so not using isakmpd.policy/.conf (from my understanding).
> Everything in /var/log/messages is just from npppd. Unless I'm reading it
> wrong, there doesn't appear to be any errors.
I have "isakmpd_flags=-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"
in rc.conf.local as a general-purpose debugging config, then if there's a
particular area I look at isakmpd source to see if I need to bump one of them
up a little. These end up in /var/log/daemon (or start it by hand to run in
the foreground using -d).

>> 1) Can you have more than one ike line in ipsec.conf? from my
>> presumption of looking at sites on the internet, you can, however, I am not
>> sure.

You can, *but* only one "default peer" ("to any" line) will take effect.

>> https://www.authbsd.com/blog/?p=20 makes it seem like you can, unless
>> it is just two examples

That site makes it look like you can use the two, but it won't work like that.
One config will override the other.
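As an added check for the point above (example code, not from the thread or from OpenBSD): a small script that joins the backslash-continued lines of an ipsec.conf and flags a file that declares more than one `ike ... to any` rule, since only one default peer takes effect. The sample config is constructed here; the addresses are documentation-range placeholders.

```python
"""Flag ipsec.conf files with more than one default peer ('ike ... to any').
Added example for the thread above; the sample config below is constructed."""
import re

SAMPLE_IPSEC_CONF = """\
# constructed sample: two default-peer rules plus one explicit peer
ike passive esp transport \\
    proto udp from 192.0.2.10 to any port 1701 \\
    main auth "hmac-sha1" enc "aes-256" group modp1024 \\
    quick auth "hmac-sha1" enc "aes-256" \\
    PSK "PSK-GOES-HERE"
ike passive esp from 192.0.2.10 to any psk "other-placeholder"
ike esp from 192.0.2.10 to 198.51.100.7 psk "gw-placeholder"
"""


def logical_lines(text):
    """Join backslash-newline continuations into one rule per line,
    drop '#' comments and blank lines, and normalise whitespace.
    (Naive: a '#' inside a quoted PSK would also be cut.)"""
    joined = re.sub(r"\\\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(" ".join(line.split()))
    return out


def peer_of(rule):
    """Return the 'to' endpoint of an ike rule, or None for non-ike rules."""
    if not rule.startswith("ike "):
        return None
    m = re.search(r"\bto\s+(\S+)", rule)
    return m.group(1) if m else None


def default_peer_rules(text):
    """All ike rules whose peer is 'any', i.e. default-peer rules."""
    return [r for r in logical_lines(text) if peer_of(r) == "any"]


def check_default_peers(text):
    """Return (count, warning): more than one 'to any' ike rule is flagged,
    because isakmpd will only honour one default peer."""
    rules = default_peer_rules(text)
    if len(rules) > 1:
        return len(rules), "multiple default peers; only one 'to any' ike rule takes effect"
    return len(rules), None


if __name__ == "__main__":
    print(check_default_peers(SAMPLE_IPSEC_CONF))
```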