Hi, I have
lan1 -- gw1 --- internet --- gw2 -- lan2

The setup has been working for years. Now I upgraded one side to 4.9, while the other - so far - is still at 4.6 (I know... :( ). After that, no connection gets established anymore:

1.2.3.4: OpenBSD 4.6
4.3.2.1: OpenBSD 4.9

13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 767f6d9ce0fa3890->0000000000000000 msgid: 00000000 len: 184 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 36 transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute KEY_LENGTH = 128 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 42430, len 212)
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 767f6d9ce0fa3890->7779887f9d620aeb msgid: 00000000 len: 184 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 36 transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute KEY_LENGTH = 128 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 42377, len 212)
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228 payload: KEY_EXCH len: 132 payload: NONCE len: 20 payload: NAT-D len: 24 payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228 payload: KEY_EXCH len: 132 payload: NONCE len: 20 payload: NAT-D len: 24 payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 43438, len 1320)
13:16:01.501279 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 54363, len 1320)
13:16:12.516937 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 19766, len 1320)
13:16:25.537550 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 36623, len 1320)

As you can see, there is no SHA2 problem present (see 47.html). Switching the phase 2 hash to ripemd didn't help. Any ideas about what to do?

The reason for not yet upgrading everything is that road warriors (NCP) are stopped dead in much the same way as shown above when running against 4.9 (but not if they work against lower versions of OpenBSD, including 4.8). If I could verify that they'll work, I'd upgrade rather sooner than later.

Kind regards,
--Toni++
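The trace in the post shows IKEv1 main mode completing the SA and key-exchange round trips and then the 4.6 side resending the first encrypted message five times without an answer from 4.9. As an added example (not part of Toni's post, and not isakmpd code), here is a small Python parser for tcpdump's isakmp output that groups packets by initiator cookie, checks that the responder's SA reply repeats one of the offered transforms, and reports where each exchange stalls. The sample input is the trace quoted above, one packet per line; the function names, the report fields and the retransmission threshold are my own choices.

```python
import re
from collections import OrderedDict

# Constructed sample: the tcpdump isakmp lines quoted in the post above,
# one packet per line (addresses, cookies and payloads as shown there).
SAMPLE_TRACE = """\
13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 767f6d9ce0fa3890->0000000000000000 msgid: 00000000 len: 184 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 36 transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute KEY_LENGTH = 128 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 42430, len 212)
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 767f6d9ce0fa3890->7779887f9d620aeb msgid: 00000000 len: 184 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1 payload: TRANSFORM len: 36 transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = RSA_SIG attribute GROUP_DESCRIPTION = MODP_1024 attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 3600 attribute KEY_LENGTH = 128 payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03) payload: VENDOR len: 20 (supports NAT-T, RFC 3947) payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 42377, len 212)
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228 payload: KEY_EXCH len: 132 payload: NONCE len: 20 payload: NAT-D len: 24 payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 228 payload: KEY_EXCH len: 132 payload: NONCE len: 20 payload: NAT-D len: 24 payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 43438, len 1320)
13:16:01.501279 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 54363, len 1320)
13:16:12.516937 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 19766, len 1320)
13:16:25.537550 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 36623, len 1320)
"""

# Header of one tcpdump isakmp line (the "encrypted" flag is optional).
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: .*?"
    r"isakmp v(?P<ver>[\d.]+) exchange (?P<exch>\S+) (?P<enc>encrypted )?"
    r"cookie: (?P<icookie>[0-9a-f]+)->(?P<rcookie>[0-9a-f]+) "
    r"msgid: (?P<msgid>[0-9a-f]+) len: (?P<len>\d+)"
)
PAYLOAD_RE = re.compile(r"payload: (\S+) len: \d+")
ATTR_RE = re.compile(r"attribute (\S+) = (\S+)")
NO_RCOOKIE = "0" * 16  # responder cookie is all zeros until the responder answers


def parse_trace(text):
    """Turn tcpdump isakmp lines into dicts; lines that do not match are skipped."""
    msgs = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["encrypted"] = d.pop("enc") is not None
        d["len"] = int(d["len"])
        d["payloads"] = PAYLOAD_RE.findall(line)
        # One attribute dict per TRANSFORM payload (a proposal may carry several).
        d["transforms"] = [dict(ATTR_RE.findall(part))
                           for part in line.split("payload: TRANSFORM")[1:]]
        msgs.append(d)
    return msgs


def analyse(msgs, min_retransmits=2):
    """Group packets by initiator cookie and report how far each exchange got.

    Per initiator cookie: packet count, whether the responder's SA reply repeats
    one of the offered transforms (None when no SA pair was seen), and a stall
    description when one side keeps resending the same stage with no answer.
    """
    by_cookie = OrderedDict()
    for m in msgs:
        by_cookie.setdefault(m["icookie"], []).append(m)

    report = {}
    for icookie, seq in by_cookie.items():
        info = {"messages": len(seq), "sa_agreed": None, "stall": None}

        offers = [m for m in seq if "SA" in m["payloads"] and m["rcookie"] == NO_RCOOKIE]
        replies = [m for m in seq if "SA" in m["payloads"] and m["rcookie"] != NO_RCOOKIE]
        if offers and replies and replies[0]["transforms"]:
            info["sa_agreed"] = replies[0]["transforms"][0] in offers[0]["transforms"]

        # A trailing run of packets from one side means that side is retransmitting.
        last = seq[-1]
        run = 0
        for m in reversed(seq):
            if m["src"] != last["src"]:
                break
            run += 1
        if run >= min_retransmits:
            if last["encrypted"]:
                stage = "encrypted %s message (identity/auth round, payloads not visible)" % last["exch"]
            else:
                stage = "%s message carrying %s" % (last["exch"], "+".join(last["payloads"]))
            info["stall"] = "%s sent %d times by %s with no reply from %s" % (
                stage, run, last["src"], last["dst"])
        report[icookie] = info
    return report


def report_for(text=SAMPLE_TRACE):
    """Convenience wrapper: parse and analyse a trace in one call."""
    return analyse(parse_trace(text))


if __name__ == "__main__":
    for cookie, info in report_for().items():
        print(cookie, info)
```

Run against the trace above, the first cookie pair reports the SA reply as an exact repeat of the offer (so phase 1 proposal selection is not where it fails), and the second pair reports the encrypted ID_PROT message sent five times by 1.2.3.4 with no reply from 4.3.2.1. Because that third round trip is encrypted, tcpdump cannot show which payload the 4.9 side objected to; the reason would have to come from isakmpd's own log on the receiving side.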