On Fri, Jul 8, 2011 at 4:09 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2011-07-08, Tony Sarendal <t...@polarcap.org> wrote:
> >> > If you're running isakmpd from 4.8 or 4.9 with IKE you want to pull
> >> > up src/sbin/isakmpd/dh.c to r1.14 otherwise you will certainly
> >> > see problems from time to time.
> >>
> >
> > Is this a cosmetic thing or does it affect connectivity ?
>
> dh.c r1.14 affects stability. Between 4.7 and 4.8 isakmpd switched
> from internal to openssl DH; an openssl function wasn't padding with
> leading 0's where it was expected that they would, so there was junk
> at the end of the key, causing key mismatches.
>
Sounds like a candidate for our issues that we are seeing on both 4.8 and 4.9.
We see it quite easily as we run gre tunnels with bgp inside them using ipsec
to encrypt gre.

We are seeing the connectivity issue anything from a few times a day to a
few times a week.
And the time I caught it while it was going on things started working
immediately after some bi-directional ike traffic.

Regards Tony
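
The padding problem described in the quoted text above, as an added example that is not part of the thread and is not isakmpd's or OpenSSL's code. It assumes a toy 32-bit modulus and constructed private values; the helpers `encode_minimal`, `export_unpadded` and `export_padded` are hypothetical and stand in for the OpenSSL function the message leaves unnamed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy parameters, constructed for illustration; not a real DH group. */
#define P 4294967291u  /* 2^32 - 5 */
#define G 2u
#define GROUP_LEN 4    /* modulus length in bytes */

static uint32_t modexp(uint32_t base, uint32_t e) {
    uint64_t r = 1, x = base % P;
    for (; e; e >>= 1, x = x * x % P)
        if (e & 1) r = r * x % P;
    return (uint32_t)r;
}

/* Hypothetical stand-in for a bignum-to-bytes call: big-endian, minimal
   length, leading zero bytes dropped. Returns the byte count written. */
static size_t encode_minimal(uint32_t v, uint8_t *out) {
    size_t n = 0;
    for (int s = 24; s >= 0; s -= 8)
        if (n || (uint8_t)(v >> s)) out[n++] = (uint8_t)(v >> s);
    return n;
}

/* Buggy pattern: assumes the encoder always fills GROUP_LEN bytes, so any
   bytes it did not write keep whatever the buffer held before (stale). */
static void export_unpadded(uint32_t secret, uint8_t *key, uint8_t stale) {
    memset(key, stale, GROUP_LEN); /* constructed stand-in for old memory */
    encode_minimal(secret, key);
}

/* Fixed pattern: left-pad with zeros to the full group length. */
static void export_padded(uint32_t secret, uint8_t *key) {
    uint8_t tmp[GROUP_LEN];
    size_t n = encode_minimal(secret, tmp);
    memset(key, 0, GROUP_LEN - n);
    memcpy(key + GROUP_LEN - n, tmp, n);
}

int main(void) {
    uint32_t a = 6, b = 8; /* constructed private values: secret = 2^48 mod P */
    uint32_t sa = modexp(modexp(G, b), a), sb = modexp(modexp(G, a), b);
    uint8_t ka[GROUP_LEN], kb[GROUP_LEN];
    export_unpadded(sa, ka, 0xAA); export_unpadded(sb, kb, 0x55);
    printf("same secret: %d, unpadded keys match: %d\n", sa == sb, !memcmp(ka, kb, GROUP_LEN));
    export_padded(sa, ka); export_padded(sb, kb);
    printf("padded keys match: %d\n", !memcmp(ka, kb, GROUP_LEN));
    return 0;
}
```

Both peers compute the same number, yet the unpadded export differs whenever the secret's top byte is zero, which for a uniformly distributed secret is roughly 1 exchange in 256.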
