I tested against -current with Kevin's isakmpd.conf and discovered that there is indeed a bug -- isakmpd would try to set a 256-bit key for CAST-128 (whereas the kernel, correctly, allows up to 128-bit keys). This has just been corrected in -current, and I expect Jason will fold it in -STABLE in the next couple of days. For testing purposes, try using another algorithm (3DES or Blowfish). -Angelos