From: Alexandr Nedvedicky
Subject: Re: modp1024 in isakmpd
To: YASUOKA Masahiko
Cc: tech@openbsd.org
Date: Thu, 22 Aug 2024 14:45:55 +0200

Hello,

On Thu, Aug 22, 2024 at 07:39:59PM +0900, YASUOKA Masahiko wrote:
> Hi,
>
> On Mon, 19 Aug 2024 15:32:52 +0200
> Alexandr Nedvedicky wrote:
> > Hello,
> >
> > I've just noticed there is a slight difference between iked and isakmpd.
> > isakmpd does not allow modp1024 when I use this in my ipsec.conf:
> >
> > ike dynamic esp transport proto udp from egress to l2tpd.endpoint port l2tp \
> >     main auth "hmac-sha" enc "3des" group "modp1024" \
> >     quick auth "hmac-sha" enc "3des" group none \
> >     psk j3ym8RWVICaoUhrfy5OdbYVkz4aZ5l
> >
> > when I try to do ipsec -vf ipsec.conf the isakmpd rewards me with
> > a message as follows:
> >
> > Aug 18 22:25:45 lifty isakmpd[38350]: attribute_unacceptable: \
> >     GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
>
> I can't repeat the problem. I suppose the log message shows that the peer
> sent an SA with modp1024, but isakmpd configured modp2048 for Phase-1. So, I
> think it does not match what you report.

I agree it might be the case. I'm just learning IPsec here and got bitten by it.

thanks and regards
sashan
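The log line quoted in the thread is the only evidence either side has, and the point Yasuoka makes is that "got" is the group in the peer's Phase-1 proposal while "expected" is what the local isakmpd was configured for. The following is an added example, not code from the thread or from OpenBSD, that reads isakmpd log lines of that shape and reports which side proposed a Diffie-Hellman group below a chosen minimum (the threshold of 2048 bits, the sample lines other than the first, and the interpretation of got/expected as peer/local are assumptions taken from this thread, not from isakmpd's source):

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The first line is the one quoted in the thread;
# the second is an assumed variant with the groups reversed, and the third
# is unrelated noise to make sure the parser ignores it.
SAMPLE_LOG = """\
Aug 18 22:25:45 lifty isakmpd[38350]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Aug 18 22:26:01 lifty isakmpd[38350]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Aug 18 22:26:30 lifty sshd[1234]: Accepted publickey for sashan from 192.0.2.10 port 50000
"""

# Matches the attribute_unacceptable message for GROUP_DESCRIPTION only.
LOG_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: attribute_unacceptable: "
    r"GROUP_DESCRIPTION: got (?P<got>\w+), expected (?P<expected>\w+)"
)

# MODP group names carry their modulus size in bits; other group families
# (e.g. ECP) are left unclassified by this example.
MODP_RE = re.compile(r"^MODP_(\d+)$")

# Assumption for this example: anything below 2048-bit MODP is flagged.
MIN_MODP_BITS = 2048


@dataclass
class GroupMismatch:
    pid: int
    peer_group: str        # "got": the group in the peer's proposal
    local_group: str       # "expected": the group isakmpd is configured for
    weak_sides: List[str]  # subset of ["peer", "local"] below MIN_MODP_BITS


def modp_bits(name: str) -> Optional[int]:
    """Return the modulus size of a MODP_<n> group name, or None if not MODP."""
    m = MODP_RE.match(name)
    return int(m.group(1)) if m else None


def parse_line(line: str) -> Optional[GroupMismatch]:
    """Parse one isakmpd log line; None if it is not a group mismatch."""
    m = LOG_RE.search(line.rstrip("\n"))
    if not m:
        return None
    got, expected = m.group("got"), m.group("expected")
    weak = []
    for side, name in (("peer", got), ("local", expected)):
        bits = modp_bits(name)
        if bits is not None and bits < MIN_MODP_BITS:
            weak.append(side)
    return GroupMismatch(int(m.group("pid")), got, expected, weak)


def scan(log: str) -> List[GroupMismatch]:
    """Return every GROUP_DESCRIPTION mismatch found in a block of log text."""
    return [r for r in (parse_line(l) for l in log.splitlines()) if r]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"isakmpd[{r.pid}]: peer proposed {r.peer_group}, "
              f"local config expects {r.local_group}; weak side(s): "
              f"{', '.join(r.weak_sides) or 'none'}")
```

Run against the thread's own line this reports the peer as the side offering MODP_1024, which is the reading Yasuoka gives; the reversed sample shows the case where it is the local ipsec.conf that still carries the weak group and needs changing.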