On 2007/08/13 21:00, Steve B wrote:
quoted text
> If I am interpreting the logs correctly then I have partial success using
> 
> ike dynamic esp tunnel from any to 192.168.1.0/24 \
> main  auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha2-256 enc 3des \
> psk abc123
> 
> I am confident that the first two lines are correct. The dynamic variable
> should be correct if the incoming IP address is different for every user.
> Line two should be OK since it appears I have a successful Phase 1. I've
> SSH'd into the endpoint and run tcpdump against my external interface and
> enc0. I have also used "ipssectl -m". So far I have not picked up any new
> clues to help resolve the remainder of the problem.

turn on packet tracing;

# echo "p on" > /var/run/isakmpd.fifo

try and make a connection, then turn tracing back off:

# echo "p off" > /var/run/isakmpd.fifo

see isakmpd(8) for more FIFO commands.
Then you can look at the capture file with tcpdump:

# tcpdump -r /var/run/isakmpd.pcap -vvn

this should give some clues about how the peer is configured.
You may well find it's using SHA1 not SHA2, but go through the
pcap/tcpdump thing anyway, it's the easiest way to debug the
peer connection.

In the tcpdump you posted I think you didn't increase snaplen
(e.g. -s 2000) to see the actual exchange (otherwise you would
have seen more details for phase 1). Not necessary for the -r
used here since isakmpd writes the pcap file with larger packet
sizes.