I have an OpenBSD 3.9 box and I've been asked to configure it to terminate a VPN using AES-256 encryption with SHA authentication, DH Group 5 (rather than the default group 2) and a lifetime of one day. I configured my isakmpd.conf file like this:
[Phase 1]
Default= ISAKMP-peer-default
10.1.2.138= ISAKMP-peer-xx

[Phase 2]
Connections= IPsec-xx1-rl1-2, IPsec-xx1-rl1-3

[ISAKMP-peer-xx]
Phase= 1
Transport= udp
Address= 10.1.2.138
Local-address= 192.168.166.174
Configuration= XX-main-mode
Authentication= mekmitasdigoat

[IPsec-xx1-rl1-2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-bp
Configuration= Default-quick-mode
Local-ID= Net-rl1-2
Remote-ID= Host-xx1

[IPsec-xx1-rl1-3]
Phase= 2
ISAKMP-peer= ISAKMP-peer-bp
Configuration= Default-quick-mode
Local-ID= Net-rl1-3
Remote-ID= Host-xx1

[Net-syd-rl1-2]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.16.96
Netmask= 255.255.255.240

[Net-syd-rl1-3]
ID-type= IPV4_ADDR_SUBNET
Network= 10.33.66.0
Netmask= 255.255.255.0

[Host-bp1]
ID-type= IPV4_ADDR
Address= 10.180.1.201

[XX-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP5

What ended up happening was that my end was initiating the tunnel using AES-128 and a lifetime of 1 hour (the default configuration, as indicated in the man page). I defined my own Transform and placed it at the bottom of my isakmpd.conf as follows:

[XX-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= XX-AES-SHA

[XX-AES-SHA]
ENCRYPTION_ALGORITHM= AES_CBC
KEY_LENGTH= 256,128:256
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1536
Life= XX-phase-1-lifetime

[XX-phase-1-lifetime]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,1800:86400

My understanding from reading the man page is that this is the syntax I need to use. It also means that we should be attempting to send a 256-bit key length with a lifetime of 1 day (86400 seconds) whenever we're initiating the tunnel. Also, MODP_1536 should be correct for DH Group 5. Please let me know if I am wrong here. What actually happened was that my box stopped trying to initiate the tunnel. With the old configuration I was getting a packet exchange every couple of minutes.
After I made this change all my other VPNs came up as usual, but there was no traffic at all relating to this tunnel. Is my syntax incorrect? Is there something I am missing about the structure of isakmpd.conf regarding the placement or reference of these new sections for the lifetime and XX-AES-SHA? If not, can you show me what I am doing wrong, so that I can do it right? TIA! nuffnough
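A small consistency check for an isakmpd.conf of this shape, added here as an example; it is not part of the post above and not isakmpd's own tooling. It parses the ini-style layout with Python's configparser, flags references (Connections, ISAKMP-peer, Configuration, Local-ID, Remote-ID, Transforms, Life and the [Phase 1] peer map) that point to sections the file does not define, treats Default-main-mode and Default-quick-mode as isakmpd's built-in defaults, and checks that KEY_LENGTH and LIFE_DURATION follow the value,min:max form. The sample configuration is constructed for the example.

```python
import configparser
import re

# Keys whose values name other sections (comma-separated lists allowed);
# every value in [Phase 1] is a section name too.
REF_KEYS = {"Connections", "ISAKMP-peer", "Configuration",
            "Local-ID", "Remote-ID", "Transforms", "Life"}
RANGE_KEYS = {"KEY_LENGTH", "LIFE_DURATION"}  # "value[,min:max]" syntax
RANGE_RE = re.compile(r"^\d+(,\d+:\d+)?$")
BUILTIN = {"Default-main-mode", "Default-quick-mode"}  # isakmpd built-ins

def check_isakmpd_conf(text):
    """Return sorted problem strings for an isakmpd.conf text ([] = clean)."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep section and key names case-sensitive
    cp.read_string(text)
    problems = []
    for sec in cp.sections():
        for key, val in cp.items(sec):
            if key in REF_KEYS or sec == "Phase 1":
                for name in (v.strip() for v in val.split(",")):
                    if name not in BUILTIN and not cp.has_section(name):
                        problems.append(f"[{sec}] {key}= {name}: no such section")
            elif key in RANGE_KEYS and not RANGE_RE.match(val.replace(" ", "")):
                problems.append(f"[{sec}] {key}= {val}: not value[,min:max]")
    return sorted(problems)

# Constructed sample in the shape of the posted file: the transform chain is
# complete, but Local-ID names a section that is spelled differently below.
SAMPLE = """\
[Phase 1]
10.1.2.138= ISAKMP-peer-xx
[ISAKMP-peer-xx]
Configuration= XX-main-mode
[IPsec-xx1]
ISAKMP-peer= ISAKMP-peer-xx
Configuration= Default-quick-mode
Local-ID= Net-rl1-2
[Net-syd-rl1-2]
Network= 172.16.16.96
[XX-main-mode]
Transforms= XX-AES-SHA
[XX-AES-SHA]
KEY_LENGTH= 256,128:256
GROUP_DESCRIPTION= MODP_1536
Life= XX-phase-1-lifetime
[XX-phase-1-lifetime]
LIFE_DURATION= 86400,1800:86400
"""
```

Running check_isakmpd_conf(SAMPLE) reports the one dangling Local-ID reference; a clean file returns an empty list.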

