modp1024 in isakmpd
Hi,
On Mon, 19 Aug 2024 15:32:52 +0200
Alexandr Nedvedicky <sashan@fastmail.net> wrote:
> Hello,
>
> I've just noticed there is a slight difference between iked and isakmpd.
> isakmpd does not allow modp1024 when I use this in my ipsec.conf:
>
> ike dynamic esp transport proto udp from egress to l2tpd.endpoint port l2tp \
> main auth "hmac-sha" enc "3des" group "modp1024" \
> quick auth "hmac-sha" enc "3des" group none \
> psk j3ym8RWVICaoUhrfy5OdbYVkz4aZ5l
>
> when I try to do ipsec -vf ipsec.conf the isakmpd rewards me with
> message as follows:
>
> Aug 18 22:25:45 lifty isakmpd[38350]: attribute_unacceptable: \
> GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
I can't reproduce the problem. I suppose the log message shows that the peer sent an SA with modp1024, but isakmpd is configured with modp2048 for Phase 1.
So I think it does not match what you report.
> with the tweak below I'm able to initiate transport to l2tpd.endpoint
>
> What's interesting, iked is happy with the selection hmac-sha-3des-modp1024.
>
> What I'd like to check here if we should make behavior of isakmpd same as iked
> in this respect.
>
> IPsec is not my department.
>
> thanks and
> regards
> sashan
>
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
> index 14bc6c45770..6248128e2e0 100644
> --- a/sbin/isakmpd/ipsec.c
> +++ b/sbin/isakmpd/ipsec.c
> @@ -1296,7 +1296,7 @@ ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len,
> case IKE_ATTR_GROUP_DESCRIPTION:
> return (dv < IKE_GROUP_DESC_MODP_768 ||
> dv > IKE_GROUP_DESC_MODP_1536) &&
> - (dv < IKE_GROUP_DESC_MODP_2048 ||
> + (dv < IKE_GROUP_DESC_MODP_1024 ||
> dv > IKE_GROUP_DESC_ECP_521) &&
> (dv < IKE_GROUP_DESC_ECP_192 ||
> dv > IKE_GROUP_DESC_BP_512);
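Review bot: Lowering the second range's bound to `dv < IKE_GROUP_DESC_MODP_1024` does not change whether MODP_1024 is accepted, because the first range `dv < IKE_GROUP_DESC_MODP_768 || dv > IKE_GROUP_DESC_MODP_1536` already covers group 2 (MODP_1024 sits between MODP_768 = 1 and MODP_1536 = 5 in ipsec_num.cst). What it does change is that the second range now also admits groups 6 through 13 (the EC2N_163..EC2N_571 entries between MODP_1536 and MODP_2048), so the logged rejection cannot come from this condition and the tweak should be dropped rather than applied.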
>
>
It's hard to check these conditions, but the original seems correct.
In ipsec_num.cst:

# IKE group description.
IKE_GROUP_DESC
MODP_768 1
MODP_1024 2
EC2N_155 3
EC2N_185 4
MODP_1536 5
EC2N_163sect 6
EC2N_163K 7
EC2N_283sect 8
EC2N_283K 9
EC2N_409sect 10
EC2N_409K 11
EC2N_571sect 12
EC2N_571K 13
MODP_2048 14
MODP_3072 15
MODP_4096 16
MODP_6144 17
See dh.c also: isakmpd supports EC2N_{155,185} but it doesn't support
the other EC2Ns. So we want to skip (MODP_1536 < dv &&) dv < MODP_2048.
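The range check discussed in this thread, as an added example that is not isakmpd's own code: a stand-alone C re-implementation of the IKE_ATTR_GROUP_DESCRIPTION branch of ipsec_is_attribute_incompatible() in its original and tweaked forms, evaluated over every group number so the two acceptance sets can be compared. Group numbers 1 through 17 come from the ipsec_num.cst listing above; MODP_8192 and the ECP/BP values are not on this page and are assumed here from the IANA IKEv1 Group Description registry. Running it shows that MODP_1024 (2) is already accepted through the first range, and that the tweak's only effect is to additionally accept groups 6 through 13.

```c
/*
 * Added example, not code from sbin/isakmpd. Re-implements the
 * IKE_ATTR_GROUP_DESCRIPTION case of ipsec_is_attribute_incompatible()
 * before and after the proposed tweak, so both acceptance sets can be
 * enumerated.
 *
 * Values 1..17 are those quoted from ipsec_num.cst in the thread.
 * MODP_8192 and the ECP/BP numbers are NOT on the page; they are an
 * assumption taken from the IANA IKEv1 "Group Description" registry.
 */
#include <stdio.h>
#include <stdint.h>

enum ike_group_desc {
	IKE_GROUP_DESC_MODP_768     = 1,
	IKE_GROUP_DESC_MODP_1024    = 2,
	IKE_GROUP_DESC_EC2N_155     = 3,
	IKE_GROUP_DESC_EC2N_185     = 4,
	IKE_GROUP_DESC_MODP_1536    = 5,
	IKE_GROUP_DESC_EC2N_163sect = 6,
	IKE_GROUP_DESC_EC2N_163K    = 7,
	IKE_GROUP_DESC_EC2N_283sect = 8,
	IKE_GROUP_DESC_EC2N_283K    = 9,
	IKE_GROUP_DESC_EC2N_409sect = 10,
	IKE_GROUP_DESC_EC2N_409K    = 11,
	IKE_GROUP_DESC_EC2N_571sect = 12,
	IKE_GROUP_DESC_EC2N_571K    = 13,
	IKE_GROUP_DESC_MODP_2048    = 14,
	IKE_GROUP_DESC_MODP_3072    = 15,
	IKE_GROUP_DESC_MODP_4096    = 16,
	IKE_GROUP_DESC_MODP_6144    = 17,
	/* assumed from the IANA registry, not from the quoted listing */
	IKE_GROUP_DESC_MODP_8192    = 18,
	IKE_GROUP_DESC_ECP_256      = 19,
	IKE_GROUP_DESC_ECP_384      = 20,
	IKE_GROUP_DESC_ECP_521      = 21,
	IKE_GROUP_DESC_ECP_192      = 25,
	IKE_GROUP_DESC_ECP_224      = 26,
	IKE_GROUP_DESC_BP_224       = 27,
	IKE_GROUP_DESC_BP_256       = 28,
	IKE_GROUP_DESC_BP_384       = 29,
	IKE_GROUP_DESC_BP_512       = 30
};

/* Original condition: nonzero means the group is NOT acceptable. */
int
group_desc_incompatible_orig(uint16_t dv)
{
	return (dv < IKE_GROUP_DESC_MODP_768 ||
	    dv > IKE_GROUP_DESC_MODP_1536) &&
	    (dv < IKE_GROUP_DESC_MODP_2048 ||
	    dv > IKE_GROUP_DESC_ECP_521) &&
	    (dv < IKE_GROUP_DESC_ECP_192 ||
	    dv > IKE_GROUP_DESC_BP_512);
}

/* Same condition with the second range's lower bound moved to MODP_1024. */
int
group_desc_incompatible_patched(uint16_t dv)
{
	return (dv < IKE_GROUP_DESC_MODP_768 ||
	    dv > IKE_GROUP_DESC_MODP_1536) &&
	    (dv < IKE_GROUP_DESC_MODP_1024 ||
	    dv > IKE_GROUP_DESC_ECP_521) &&
	    (dv < IKE_GROUP_DESC_ECP_192 ||
	    dv > IKE_GROUP_DESC_BP_512);
}

/*
 * Store in `out` every group number in [0, max] that the patched check
 * accepts but the original rejects; returns how many were found.
 */
int
groups_newly_accepted(uint16_t max, uint16_t *out, int outlen)
{
	int n = 0;
	for (uint16_t dv = 0; dv <= max && n < outlen; dv++)
		if (group_desc_incompatible_orig(dv) &&
		    !group_desc_incompatible_patched(dv))
			out[n++] = dv;
	return n;
}

int
main(void)
{
	uint16_t extra[64];
	int n = groups_newly_accepted(40, extra, 64);

	printf("MODP_1024 (2) incompatible? original=%d patched=%d\n",
	    group_desc_incompatible_orig(IKE_GROUP_DESC_MODP_1024),
	    group_desc_incompatible_patched(IKE_GROUP_DESC_MODP_1024));
	printf("groups the tweak newly accepts:");
	for (int i = 0; i < n; i++)
		printf(" %u", (unsigned)extra[i]);
	printf("\n");
	return 0;
}
```

Both versions return 0 (compatible) for group 2, which is why the quoted log line cannot be produced by this function; the list printed by groups_newly_accepted() is exactly the EC2N groups 6 through 13 that dh.c does not implement.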