> Dear list,
>
> I have a firewall and an ipsec.conf with 42 ike esp connections:
>
> ike esp from 192.168.100.0/24 to 192.168.129.0/24 peer my.firewall \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group modp1024 \
>         psk "mekmitasdigoat" tag "yet.another.connection"
>
> isakmpd is started with "-K -T". I am talking to lots of
> Watchguard Fireboxes by the way. All connections are established and
> traffic flows over enc0, all seems good. However, when I try to reload
> ipsec.conf due to a rule change, either isakmpd dies with nothing in
> the logs whatsoever and/or my /var/log/daemon is filling up with
> messages like these:
>
> Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
> Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> I would like to be using something other than shared keys but the
> Watchguard boxes only support fancy things like that through a
> "Watchguard System Manager" which I'd like to avoid. So for the moment
> I am stuck with preshared keys.
>
> If I do "ipsecctl -F" and do a kill and restart of isakmpd the
> connections seem to be established successfully again. Am I missing
> something obvious in reloading/adding connections to ipsec.conf? Is a
> simple ipsecctl -f /etc/ipsec.conf sufficient when adding a rule or do
> I need to give isakmpd a SIGHUP?
>
> Thanks in advance,
>
> --
> Michiel van der Kraats
> Backup Service / BackupStore

I'm sure wiser minds than me may prove me wrong, but I have a similar situation with some Cisco and Linksys devices <-> OpenBSD. I think the Watchguard devices are quite happily waiting for their key lifetime to expire before re-negotiating with your isakmpd.
By reloading isakmpd you are forcing expiry and re-negotiation.
Do you lose all SAs when you change rules, or just to devices affected by your rule change? I've had better luck with other devices by using ike passive, but that's probably unrelated.

Cheers
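To answer the "which peers are affected" question from the log rather than by guessing, here is an added helper (not from either poster) that pairs each isakmpd "dropped message" line in /var/log/daemon with the attribute_unacceptable reason logged just before it, so a reload can be checked peer by peer. The sample log is constructed from the messages quoted above plus one made-up second peer.

```shell
#!/bin/sh
# Added example: summarise isakmpd negotiation failures per peer.
# Reads syslog-style lines on stdin and prints one line per dropped
# message: "<peer> <notification> <reason-or->".

isakmpd_failures() {
  awk '
    # attribute_unacceptable lines carry the mismatch but not the peer;
    # remember the reason until the matching "dropped message" line.
    /isakmpd\[[0-9]+\]: attribute_unacceptable:/ {
      sub(/.*attribute_unacceptable: /, ""); reason = $0; next
    }
    /isakmpd\[[0-9]+\]: dropped message from / {
      peer = $0; sub(/.*dropped message from /, "", peer); sub(/ port .*/, "", peer)
      notif = $0; sub(/.*notification type /, "", notif)
      print peer, notif, (reason == "" ? "-" : reason)
      reason = ""
    }'
}

# Constructed sample: the three lines from the thread, then a second
# (hypothetical) peer that was dropped without a preceding reason line.
SAMPLE_LOG='Feb 25 14:00:41 evo-access isakmpd[27974]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Feb 25 14:00:41 evo-access isakmpd[27974]: message_negotiate_sa: no compatible proposal found
Feb 25 14:00:41 evo-access isakmpd[27974]: dropped message from some.ipsec.peer port 500 due to notification type NO_PROPOSAL_CHOSEN
Feb 25 14:00:43 evo-access isakmpd[27974]: dropped message from other.peer.example port 500 due to notification type NO_PROPOSAL_CHOSEN'

# Runs the constructed sample through the parser.
sample_failures() {
  printf '%s\n' "$SAMPLE_LOG" | isakmpd_failures
}

# On a live box: isakmpd_failures < /var/log/daemon | sort | uniq -c
sample_failures
```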