Hi,
I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and
obsd2 (192.168.0.2).
ipsec.conf on obsd1:
ike passive esp transport \
        from 192.168.0.1 to any \
        main auth hmac-sha2-256 enc aes-128 group modp8192 \
        quick auth hmac-sha2-256 enc aes-128 group modp8192 \
        psk puffy
ipsec.conf on obsd2:
ike active esp transport \
        from 192.168.0.2 to 192.168.0.1 \
        main auth hmac-sha2-256 enc aes-128 group modp8192 \
        quick auth hmac-md5 enc blowfish group modp768 \
        psk puffy
If the phase 1 parameters don't match, then negotiation fails, which is
what I expect. However, isakmpd seems to accept the phase 2 parameters
from the initiating end (obsd2) unconditionally. With the above
config, ipsecctl -s sa prints:
esp transport from 192.168.0.1 to 192.168.0.2 spi 0x32345f6f auth hmac-md5 enc blowfish
esp transport from 192.168.0.2 to 192.168.0.1 spi 0x6cf20561 auth hmac-md5 enc blowfish
How do I configure isakmpd such that phase 2 parameters must also match
on both ends in order to establish security associations?
Thanks.
Julian Hsiao
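An added example, not part of the post above and not OpenBSD's own tooling: a small sh/awk check that compares the SAs isakmpd actually installed, as printed by "ipsecctl -s sa", against the phase 2 transforms the responder's ipsec.conf asked for. The expected auth/enc values are taken from obsd1's "quick" line; the sample output is constructed from the two SA lines quoted in the post. It lets you spot on the responder that a peer's weaker proposal was accepted, independently of whatever isakmpd negotiated.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSD): verify that
# the SAs "ipsecctl -s sa" reports use the transforms configured in
# obsd1's ipsec.conf "quick" line. Anything else is flagged as a mismatch.

# Transforms expected from obsd1's quick line (assumed policy of interest).
EXPECTED_AUTH="hmac-sha2-256"
EXPECTED_ENC="aes-128"

# Constructed sample: the two SAs reported in the post, one line per SA,
# exactly as "ipsecctl -s sa" prints them before mail wrapping.
SAMPLE_SA_OUTPUT='esp transport from 192.168.0.1 to 192.168.0.2 spi 0x32345f6f auth hmac-md5 enc blowfish
esp transport from 192.168.0.2 to 192.168.0.1 spi 0x6cf20561 auth hmac-md5 enc blowfish'

# count_mismatched_sas TEXT
# Reads esp SA lines from TEXT and prints the number of SAs whose auth or
# enc transform differs from the expected values. Always returns 0 so it
# can be used safely under "set -e"; inspect the printed count instead.
count_mismatched_sas() {
    printf '%s\n' "$1" | awk -v want_auth="$EXPECTED_AUTH" -v want_enc="$EXPECTED_ENC" '
        /^esp / {
            auth = ""; enc = ""
            # Walk the "key value" pairs; only "auth" and "enc" matter here.
            for (i = 1; i < NF; i++) {
                if ($i == "auth") auth = $(i + 1)
                if ($i == "enc")  enc  = $(i + 1)
            }
            if (auth != want_auth || enc != want_enc) bad++
        }
        END { print bad + 0 }'
}

# report_sas TEXT
# Human-readable per-SA status: OK or MISMATCH, endpoints, transforms.
report_sas() {
    printf '%s\n' "$1" | awk -v want_auth="$EXPECTED_AUTH" -v want_enc="$EXPECTED_ENC" '
        /^esp / {
            auth = ""; enc = ""
            for (i = 1; i < NF; i++) {
                if ($i == "auth") auth = $(i + 1)
                if ($i == "enc")  enc  = $(i + 1)
            }
            # Fields: $4 = source address, $6 = destination address.
            status = (auth == want_auth && enc == want_enc) ? "OK      " : "MISMATCH"
            printf "%s  %s -> %s  auth=%s enc=%s\n", status, $4, $6, auth, enc
        }'
}

# Stand-alone run over the constructed sample.
report_sas "$SAMPLE_SA_OUTPUT"
echo "mismatched SAs: $(count_mismatched_sas "$SAMPLE_SA_OUTPUT")"
```

On a live responder, replace the sample with the real output, e.g. `count_mismatched_sas "$(ipsecctl -s sa)"`; a non-zero count means at least one SA was established with transforms other than the ones in the local quick line. The check only looks at `esp` SAs, which is what the post's configuration produces; extend the awk pattern if `ah` SAs are in use.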