modp1024 in isakmpd
Hello,
I've just noticed there is a slight difference between iked and isakmpd.
isakmpd does not allow modp1024 when I use this in my ipsec.conf:
ike dynamic esp transport proto udp from egress to l2tpd.endpoint port l2tp \
main auth "hmac-sha" enc "3des" group "modp1024" \
quick auth "hmac-sha" enc "3des" group none \
psk j3ym8RWVICaoUhrfy5OdbYVkz4aZ5l
When I try to do ipsec -vf ipsec.conf, isakmpd rewards me with a
message as follows:
Aug 18 22:25:45 lifty isakmpd[38350]: attribute_unacceptable: \
GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
With the tweak below I'm able to initiate transport to l2tpd.endpoint.
What's interesting is that iked is happy with the selection hmac-sha-3des-modp1024.
What I'd like to check here is whether we should make the behavior of isakmpd the same as iked's
in this respect.
IPsec is not my department.
thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index 14bc6c45770..6248128e2e0 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1296,7 +1296,7 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
case IKE_ATTR_GROUP_DESCRIPTION:
return (dv < IKE_GROUP_DESC_MODP_768 ||
dv > IKE_GROUP_DESC_MODP_1536) &&
- (dv < IKE_GROUP_DESC_MODP_2048 ||
+ (dv < IKE_GROUP_DESC_MODP_1024 ||
dv > IKE_GROUP_DESC_ECP_521) &&
(dv < IKE_GROUP_DESC_ECP_192 ||
dv > IKE_GROUP_DESC_BP_512);
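Review bot: lowering the start of the second range from IKE_GROUP_DESC_MODP_2048 to IKE_GROUP_DESC_MODP_1024 cannot be what makes MODP_1024 acceptable here, and it widens the check more than intended. The first range on the line above already spans IKE_GROUP_DESC_MODP_768 through IKE_GROUP_DESC_MODP_1536, and with the IANA group numbering (MODP_768 = 1, MODP_1024 = 2, MODP_1536 = 5, MODP_2048 = 14) MODP_1024 falls inside it, so the first clause was already false and the function already returned "compatible" for that value before the patch. What the change does alter is that every descriptor value strictly between MODP_1536 and MODP_2048 now passes this test too, which is a behaviour change unrelated to the goal and needs a justification in the commit message. The quoted "attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048" names a specific expected value, which points at the comparison against the configured transform rather than at this range test; I'd look there first and leave these ranges as they are.

For reference, an added example that is not part of sashan's mail: the same ipsec.conf rule with only the phase-1 group changed to the value the quoted log line says isakmpd expected. Hostnames and the PSK are the ones from the mail; nothing else is assumed. Whichever way the behaviour question is settled, this is also the safer choice, since 1024-bit MODP groups are no longer recommended for IKE.

```conf
ike dynamic esp transport proto udp from egress to l2tpd.endpoint port l2tp \
    main auth "hmac-sha" enc "3des" group "modp2048" \
    quick auth "hmac-sha" enc "3des" group none \
    psk j3ym8RWVICaoUhrfy5OdbYVkz4aZ5l
```

Load it with the same -vf invocation quoted above; the attribute_unacceptable line for GROUP_DESCRIPTION should no longer appear. Whether the peer at l2tpd.endpoint offers modp2048 is a separate question the mail does not answer.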