Subject: Re: PGPNet and isakmpd problem
To: Matt Hempel <matt@epana.com>
From: Hakan Olsson <ho@crt.se>
List: tech-net
Date: 10/06/2001 14:24:59
On Thu, 4 Oct 2001, Matt Hempel wrote:
...
> [Default-quick-mode]
>
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE
>
> # Suites
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols= QM-ESP-3DES-SHA-PFS
>
> # Quick mode protocols
>
> [QM-ESP-3DES-SHA-PFS-XF]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF

The above section should have been named just 'QM-ESP-3DES-SHA-PFS', i.e.
you should skip the trailing '-XF'.

It is a bit dangerous, although perfectly legitimate, to re-use the names
of the autogenerated configuration. The problem, of course, is that typos
are hard to spot and you'll probably end up with a configuration that
isakmpd will accept since the default values are still there, but your
negotiations may fail since you depend on a critical changed value
somewhere. In this case, you most likely fell through to a TUNNEL mode
transform using the "predefined" QM-ESP-3DES-SHA-PFS name.

Actually, in your case you should be able to get by with just the
following (using one of the predef'd values for transport mode IPsec):

  [Default-quick-mode]
  DOI=           IPSEC
  EXCHANGE_TYPE= QUICK_MODE
  Suites=        QM-ESP-TRP-3DES-SHA-PFS-SUITE

and skip the rest, i.e. suites, protocols and xform definitions. Note that
the '-TRP' above means transport mode.

Additionally, you may want to tweak

  [General]
  Default-phase-2-lifetime=       1200,60:86400

to match your 'LIFE_PHASE2'...

For more info, read isakmpd.conf(5).

//Håkan

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
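A small checker for exactly the class of slip described in the reply, as an added example that is not part of the original mail or of isakmpd itself: it parses the INI-like layout of isakmpd.conf with Python's configparser and reports every name listed under Suites, Protocols or Transforms that no section in the file defines, plus sections that can never be reached from the entry section. The `builtin` set is an assumption on the caller's side: isakmpd's autogenerated default names (such as the predefined suite the reply recommends) are not in the file, so the names you deliberately rely on are listed there and everything else that is undefined is flagged. The sample configurations are constructed from the fragments quoted in the mail.

```python
"""Cross-reference check for an isakmpd.conf-style file (added example)."""
import configparser

# Keys whose comma-separated values name other sections (the three that
# appear in the configuration quoted above; isakmpd.conf has more).
REFERENCE_KEYS = ("Suites", "Protocols", "Transforms")

# Constructed sample reproducing the mistake discussed in the mail: the suite
# points at 'QM-ESP-3DES-SHA-PFS', but the protocol section carries '-XF'.
# Lines must start in column 0: configparser treats indented lines as
# continuations of the previous value.
BROKEN_CONF = """
[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-PFS-SUITE

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=      QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA-PFS-XF]
PROTOCOL_ID=    IPSEC_ESP
Transforms=     QM-ESP-3DES-SHA-PFS-XF
"""

# The same file with the section renamed as the reply suggests.
FIXED_CONF = BROKEN_CONF.replace("[QM-ESP-3DES-SHA-PFS-XF]",
                                 "[QM-ESP-3DES-SHA-PFS]")

# The minimal transport-mode configuration from the reply; it relies entirely
# on a name isakmpd predefines, so nothing below Default-quick-mode is in file.
MINIMAL_CONF = """
[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-TRP-3DES-SHA-PFS-SUITE
"""


def parse_conf(text):
    """Parse the INI-like isakmpd.conf layout, keeping key case and leaving
    ':' alone so values like '1200,60:86400' survive intact."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def references(cp, section):
    """Yield (key, name) for every section name one section points at."""
    for key in REFERENCE_KEYS:
        if cp.has_option(section, key):
            for name in cp.get(section, key).split(","):
                name = name.strip()
                if name:
                    yield key, name


def dangling_references(text, builtin=frozenset()):
    """Return (section, key, name) for each referenced name that is neither a
    section in the file nor in the caller-supplied set of predefined names.
    isakmpd would silently resolve such a name to its built-in default, which
    is how a typo turns into an unexpected TUNNEL-mode negotiation."""
    cp = parse_conf(text)
    return [(section, key, name)
            for section in cp.sections()
            for key, name in references(cp, section)
            if not cp.has_section(name) and name not in builtin]


def unreachable_sections(text, roots):
    """Sections that no chain of references starting at `roots` ever visits.
    A section left over after a rename (like the stray '-XF' one) shows up here."""
    cp = parse_conf(text)
    seen, todo = set(), [r for r in roots if cp.has_section(r)]
    while todo:
        section = todo.pop()
        if section in seen:
            continue
        seen.add(section)
        todo.extend(name for _, name in references(cp, section)
                    if cp.has_section(name))
    return sorted(set(cp.sections()) - seen)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                        ("minimal", MINIMAL_CONF)):
        print(label, "dangling:", dangling_references(conf))
        print(label, "unreachable:",
              unreachable_sections(conf, {"Default-quick-mode"}))
```

Run against the broken file it names the suite's Protocols entry as the one undefined reference and lists the '-XF' section as unreachable; against the fixed file the only remaining complaint is the transform name, which disappears once that name is passed in `builtin`. The minimal file is reported the same way, which is the point of the caveat: the checker only knows the file, so a clean run means every undefined name was one you chose to rely on.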