Thanks for clarification.

I disabled NAT-T with isakmpd -K -T. A few of my VPNs came to life with this setting, but were unstable (rapid renegotiation). Still only about one third of my VPNs (that worked with OpenBSD 4.6) work with OpenBSD 5.2.

Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', or 'PAYLOAD MALFORMED' or 'INVALID ID'. For some of those I see messages in /var/log/messages like:

Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128

(for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128). No idea what this means.

Regards

> -----Original Message-----
> From: Stuart Henderson [mailto:s...@spacehopper.org]
> Sent: Monday, 24 September 2012 16:41
> To: Christoph Leser
> Cc: misc@openbsd.org
> Subject: Re: Router project on OpenBSD questions
>
> On 2012/09/24 13:24, Christoph Leser wrote:
> > It seems that the patch from Stuart Henderson, proposed on Aug.4 2012
> > on tech@ has not made it into -current yet.
>
> I only forwarded it, the patch is from hshoexer. Also it is only a partial
> diff, not suitable to be committed, the encap mode value needs to be
> controllable per-peer so it needs a config option, changes to ipsecctl, etc.
>
> This problem certainly would have affected older OpenBSD versions though,
> if they negotiated NAT-T they would have used the value from the RFC not
> the one from the internet-draft that cisco use.
>
> Have you tried just disabling nat-t completely, see the options list in
> isakmpd(8), to see what happens?
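As an added example (not part of this thread and not OpenBSD's own code), the following parser pulls the phase 1 failure details out of isakmpd syslog lines like the one quoted above: it decodes the peer, authentication method, hash and cipher from the ipsecctl-generated transform name, tallies rejection notifications per peer and port (4500 indicating NAT-T encapsulation), and lists peers that are being rejected repeatedly, which is what a renegotiation loop looks like in the log. Only the first sample line is from the message; the others are constructed in the same general shape, and the regexes, function names and RFC 5737 addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the isakmpd log line quoted in the message above;
# the rest are made-up lines in the same general shape (peers are RFC 5737 test addresses).
SAMPLE_LOG = """\
Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
Sep 24 20:00:10 q-dsl isakmpd[3828]: dropped message from 192.0.2.10 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 24 20:00:12 q-dsl isakmpd[3828]: dropped message from 192.0.2.11 port 500 due to notification type PAYLOAD_MALFORMED
Sep 24 20:00:15 q-dsl isakmpd[3828]: dropped message from 192.0.2.10 port 4500 due to notification type NO_PROPOSAL_CHOSEN
Sep 24 20:00:20 q-dsl isakmpd[3828]: attribute_unacceptable: attr HASH_ALGORITHM does not exist in phase1-transform-peer-192.0.2.12-PRE_SHARED-SHA-3DES
"""

# Assumed patterns for the two message shapes in the sample above.
UNACCEPTABLE = re.compile(
    r"attribute_unacceptable: attr (?P<attr>\S+) does not exist in "
    r"phase1-transform-peer-(?P<transform>\S+)$")
NOTIFY = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<type>[A-Z_]+)$")


def split_transform(transform):
    """Split '<peer>-<auth>-<hash>-<enc>' from the right so a peer name that
    itself contains '-' stays intact (addresses never do, hostnames might)."""
    peer, auth, hash_, enc = transform.rsplit("-", 3)
    return {"peer": peer, "auth": auth, "hash": hash_, "enc": enc}


def parse_isakmpd_log(text):
    """Return unacceptable-attribute details and a per-peer notification tally."""
    unacceptable, notifications = [], Counter()
    for line in text.splitlines():
        m = UNACCEPTABLE.search(line)
        if m:
            info = split_transform(m.group("transform"))
            info["attr"] = m.group("attr")
            unacceptable.append(info)
            continue
        m = NOTIFY.search(line)
        if m:
            # Key includes whether the peer was already talking NAT-T on port 4500.
            natt = m.group("port") == "4500"
            notifications[(m.group("peer"), m.group("type"), natt)] += 1
    return {"unacceptable": unacceptable, "notifications": notifications}


def failing_peers(text):
    """Peers rejected more than once: candidates for a renegotiation loop."""
    per_peer = Counter()
    for (peer, _type, _natt), n in parse_isakmpd_log(text)["notifications"].items():
        per_peer[peer] += n
    return sorted(p for p, n in per_peer.items() if n > 1)
```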
I disabled NAT-T with isakmpd -K -T. A few of my VPNs came to life with this setting, but were instable ( rapid renegotiation ). Still only about one third of my vpns (that worked with OpenBSD 4.6 ) work with OpenBSD 5.2. Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', or 'PAYLOAD MALFORMED' or 'INVALID ID' For some of those I see messages in /var/log/messages like : Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128 ( for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128 ). No idea what this means. Regards > -----Ursprüngliche Nachricht----- > Von: Stuart Henderson [mailto:s...@spacehopper.org] > Gesendet: Montag, 24. September 2012 16:41 > An: Christoph Leser > Cc: misc@openbsd.org > Betreff: Re: Router project on OpenBSD questions > > On 2012/09/24 13:24, Christoph Leser wrote: > > It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 > > on tech@ has not made it into –current yet. > > I only forwarded it, the patch is from hshoexer. Also it is only a partial > diff, > not suitable to be committed, the encap mode value needs to be > controllable per-peer so it needs a config option, changes to ipsecctl, etc. > > This problem certainly would have affected older OpenBSD versions though, > if they negotiated NAT-T they would have used the value from the RFC not > the one from the internet-draft that cisco use. > > Have you tried just disabling nat-t completely, see the options list in > isakmpd(8), to see what happens?