On Thu, Aug 09, 2007 at 02:22:31AM +0200, James Lepthien wrote:
quoted text
> Hi,
>
> I have set  up a vpn from my OpenBSD Box (4.1-current) to our company 
> WatchGuard X700. My problem is that the re-keying
> isn't always working and my tunnel does not come up if I send traffic to 
> the destination network. I must manually
> restart the isakmpd and then start the tunnel by using ipsecctl -f 
> /etc/ipsec.conf. I see some strange errors in my /var/log/messages
> even when the tunnel is up. What do these errors mean?:
>
> Aug  9 01:52:40 voldemort isakmpd[20491]: attribute_unacceptable: 
> ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC
>
...
quoted text
>
> My ipsec.conf looks like this:
>
> ike esp from $ext_IP to $peer_GW
> ike esp from $ext_IP to $peer_LAN peer $peer_GW
> ike esp from $int_LAN to $peer_LAN \
>   peer $peer_GW \
>   main auth hmac-sha1 enc 3des group modp1024 \
>   quick auth hmac-sha1 enc 3des group none \
>   psk "XXXX"

this enables 3des/sha1/modp1024 only for the third rule.  The first and
second rule will both use the default values (aes/sha1/modp1024 for phase
1 and aes/sha2-256 for phase 2).

try this:

ike esp from $ext_IP to $peer_GW \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk "XXXX"
ike esp from $ext_IP to $peer_LAN peer $peer_GW \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk "XXXX"
ike esp from $int_LAN to $peer_LAN peer $peer_GW \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group none \
  psk "XXXX"