On 2011-07-08, Tony Sarendal <t...@polarcap.org> wrote:
> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> > see problems from time to time.
>
> Is this a cosmetic thing or does it affect connectivity?

dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched from internal to openssl DH; an openssl function wasn't padding with leading 0's where it was expected that they would, so there was junk at the end of the key, causing key mismatches.
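
The failure mode described in the reply above, as an added example that is not isakmpd or OpenSSL code: a minimal-length big-endian encoder written into a fixed-size key buffer leaves stale bytes at the end whenever the shared value has a leading zero byte. The 4-byte group length, the function names and the 0xAA stale contents are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GROUP_LEN 4   /* constructed toy group length in bytes (not a real DH group) */

/* Minimal-length big-endian encoding: leading zero bytes are dropped. */
size_t encode_minimal(uint32_t v, uint8_t *out)
{
    size_t n = 0;
    for (int shift = 24; shift >= 0; shift -= 8) {
        uint8_t b = (uint8_t)(v >> shift);
        if (n > 0 || b != 0)
            out[n++] = b;
    }
    return n;         /* may be shorter than GROUP_LEN */
}

/* Fixed-length form: left-pad with zeros up to the group length. */
void encode_padded(uint32_t v, uint8_t key[GROUP_LEN])
{
    uint8_t tmp[GROUP_LEN];
    size_t n = encode_minimal(v, tmp);
    memset(key, 0, GROUP_LEN - n);
    memcpy(key + (GROUP_LEN - n), tmp, n);
}

/* Local side encodes with or without padding; the peer always pads. */
int local_matches_peer(uint32_t shared, int padded)
{
    uint8_t local[GROUP_LEN], peer[GROUP_LEN];
    memset(local, 0xAA, sizeof local);  /* constructed stale buffer contents */
    if (padded)
        encode_padded(shared, local);
    else
        encode_minimal(shared, local);  /* short value leaves junk at the end */
    encode_padded(shared, peer);
    return memcmp(local, peer, GROUP_LEN) == 0;
}

int main(void)
{
    printf("full-length, unpadded: %d\n", local_matches_peer(0x12345678u, 0));
    printf("leading zero, unpadded: %d\n", local_matches_peer(0x00123456u, 0));
    printf("leading zero, padded:   %d\n", local_matches_peer(0x00123456u, 1));
    return 0;
}
```

For uniformly distributed shared values, roughly one in 256 has a zero top byte, which fits problems that appear only from time to time.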