From: "Ralf Hornik Mailings"
To: freebsd-questions@freebsd.org
Date: Thu, 17 Jul 2008 16:00:27 +0200
Subject: Using OpenBSD's isakmpd in FreeBSD
Message-ID: <20080717160027.13371z3sdsm60z9c@www.ralf-hornik.de>

Dear List,

I want to switch my routers from OpenBSD to FreeBSD and use the port of isakmpd for my VPN tunnels.
But when I want to use my config from OpenBSD, isakmpd doesn't seem to configure AES in the phase I proposal. The corresponding config entry is:

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP5-RSA_SIG

Starting isakmpd shows:

ike_phase_1_initiator_send_SA: section [AES-SHA-GRP5-RSA_SIG] has unsupported attribute(s)

When I use 3DES instead, isakmpd starts without errors. But I MUST use AES in phase I because all remote peers use it; I cannot change them all.

Has anybody an idea why isakmpd won't use AES in phase I but in phase II?

Thank you and best regards
Ralf

--
everything stays different...