On 2015-12-31, Julian Hsiao <[email protected]> wrote:
> Hi,
>
> I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and
> obsd2 (192.168.0.2).
>
> ipsec.conf on obsd1:
>
> ike passive esp transport \
>     from 192.168.0.1 to any \
>     main auth hmac-sha2-256 enc aes-128 group modp8192 \
>     quick auth hmac-sha2-256 enc aes-128 group modp8192 \
>     psk puffy
>
> ipsec.conf on obsd2:
>
> ike active esp transport \
>     from 192.168.0.2 to 192.168.0.1 \
>     main auth hmac-sha2-256 enc aes-128 group modp8192 \
>     quick auth hmac-md5 enc blowfish group modp768 \
>     psk puffy
>
> If the phase 1 parameters don't match, then negotiation fails, which is
> what I expect. However, isakmpd seems to accept the phase 2 parameters
> from the initiating end (obsd2) unconditionally. With the above
> config, ipsecctl -s sa prints:
>
> esp transport from 192.168.0.1 to 192.168.0.2 spi 0x32345f6f auth hmac-md5 enc blowfish
> esp transport from 192.168.0.2 to 192.168.0.1 spi 0x6cf20561 auth hmac-md5 enc blowfish
>
> How do I configure isakmpd such that phase 2 parameters must also match
> on both ends in order to establish security associations?
See isakmpd.policy(5). It's an utter pain but it's necessary in order to secure things with isakmpd. The other "fun" thing a client can do if it's not restricted by keynote policy is to set "their" side of the tunnel to something which diverts the wrong traffic - 0.0.0.0/0 is an obvious example but rather unsubtle.
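To make the pointer to isakmpd.policy(5) concrete, here is a KeyNote assertion for obsd1 that only approves phase 2 SAs matching the parameters in the original ipsec.conf (hmac-sha2-256, aes-128, PFS with modp8192, transport mode) and only for the single host pair obsd1 <-> obsd2, so a peer can neither downgrade the ciphers nor claim 0.0.0.0/0 as "its" side. This is an added example, not text from the thread or from the OpenBSD project. It assumes the file lives at /etc/isakmpd/isakmpd.policy, that the attribute names (app_domain, esp_present, esp_encapsulation, esp_enc_alg, esp_key_length, esp_auth_alg, pfs, esp_group_desc, local_filter, remote_filter) and their string values are as I recall them from isakmpd.policy(5), that IKE group modp8192 is exposed as esp_group_desc "18" and aes-128 as esp_key_length "128", and that the pre-shared key is "puffy" as in the question.

```keynote
KeyNote-Version: 2
Comment: Added example policy for obsd1 (assumed attribute names/values per isakmpd.policy(5)); approve ESP only with the exact phase 2 parameters and selectors we expect, authenticated by PSK "puffy"
Authorizer: "POLICY"
Licensees: "passphrase:puffy"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_encapsulation == "transport" &&
            esp_enc_alg == "aes" &&
            esp_key_length == "128" &&
            esp_auth_alg == "hmac-sha2-256" &&
            pfs == "yes" &&
            esp_group_desc == "18" &&
            local_filter == "192.168.0.1" &&
            remote_filter == "192.168.0.2" -> "true";
```

Two things to check before expecting this to have any effect. First, isakmpd only consults the policy file when it is started without -K; the common ipsecctl-based setup runs it with isakmpd_flags="-K", which disables KeyNote checking entirely, and that alone would explain accepting any phase 2 proposal. Second, the Licensees line must match the credential actually used in phase 1 (here the passphrase; with certificate authentication it would name the key instead), otherwise nothing is authorized and no SA is ever installed. With the policy in place, a peer proposing hmac-md5/blowfish/modp768 as obsd2 does above should be refused, and ipsecctl -s sa should stay empty until obsd2's quick line is brought in line with obsd1's. For tunnel mode covering a network rather than a single host, the man page describes range attributes for the filters (remote_filter_addr_upper/lower, to my recollection) that would replace the equality tests on local_filter and remote_filter.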

