Thank you for this hint. I indeed have ike.c r=1.76. I will refresh my system tonight, give it a try and report my result.

Best Regards
Christoph

> -----Original Message-----
> From: Otto Moerbeek [mailto:o...@drijf.net]
> Sent: Monday, 24 September 2012 22:03
> To: Christoph Leser
> Cc: Stuart Henderson; misc@openbsd.org
> Subject: Re: Router project on OpenBSD questions
>
> On Mon, Sep 24, 2012 at 06:57:26PM +0000, Christoph Leser wrote:
>
> > Thanks for clarification.
> >
> > I disabled NAT-T with isakmpd -K -T.
> >
> > A few of my VPNs came to life with this setting, but were unstable (rapid renegotiation).
> >
> > Still only about one third of my VPNs (that worked with OpenBSD 4.6) work with OpenBSD 5.2.
> >
> > Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', or 'PAYLOAD MALFORMED' or 'INVALID ID'.
> >
> > For some of those I see messages in /var/log/messages like:
> >
> > Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr
> > ENCRYPTION_ALGORITHM does not exist in
> > phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
> >
> > (for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128).
> >
> > No idea what this means.
>
> Are you running an ipsecctl from about a week ago?
>
> For two days or so there was a bug in it. This bug was fixed by this commit:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ipsecctl/ike.c.diff?r1=1.76;r2=1.77;only_with_tag=MAIN
>
> -Otto
>
> > Regards
> >
> > > -----Original Message-----
> > > From: Stuart Henderson [mailto:s...@spacehopper.org]
> > > Sent: Monday, 24 September 2012 16:41
> > > To: Christoph Leser
> > > Cc: misc@openbsd.org
> > > Subject: Re: Router project on OpenBSD questions
> > >
> > > On 2012/09/24 13:24, Christoph Leser wrote:
> > > > It seems that the patch from Stuart Henderson, proposed on Aug. 4
> > > > 2012 on tech@ has not made it into -current yet.
> > >
> > > I only forwarded it, the patch is from hshoexer. Also it is only a
> > > partial diff, not suitable to be committed, the encap mode value
> > > needs to be controllable per-peer so it needs a config option, changes to
> > > ipsecctl, etc.
> > >
> > > This problem certainly would have affected older OpenBSD versions
> > > though, if they negotiated NAT-T they would have used the value from
> > > the RFC not the one from the internet-draft that Cisco use.
> > >
> > > Have you tried just disabling nat-t completely, see the options list
> > > in isakmpd(8), to see what happens?
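As an added example (not from the thread or from the OpenBSD project), a small Python triage script that groups the isakmpd rejections discussed above by peer: it parses the attribute_unacceptable line quoted in the thread (which a real log writes on one line; the mail client wrapped it) and pulls the peer, auth method, hash and cipher out of the transform name. The "dropped message ... due to notification type" format is assumed, and the log lines and peer addresses are constructed.

```python
import re
from collections import defaultdict

# The attribute_unacceptable line quoted in the thread; the transform name
# encodes peer address, authentication method, hash and cipher.
ATTR_RE = re.compile(
    r"isakmpd\[\d+\]: attribute_unacceptable: attr (?P<attr>\w+) does not exist in "
    r"phase1-transform-peer-(?P<peer>[\d.]+)-(?P<auth>\w+)-(?P<hash>\w+)-(?P<enc>\w+)"
)
# Assumed format for isakmpd's notification drops (not shown in the thread).
NOTIFY_RE = re.compile(
    r"isakmpd\[\d+\]: dropped message from (?P<peer>[\d.]+) port \d+ "
    r"due to notification type (?P<notify>\w+)"
)


def triage(lines):
    """Per peer: which notify types were seen, which phase-1 attributes isakmpd
    claimed were missing, and the transform(s) it checked them against."""
    report = defaultdict(lambda: {"notifies": set(), "missing_attrs": set(), "transforms": set()})
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            entry = report[m["peer"]]
            entry["missing_attrs"].add(m["attr"])
            entry["transforms"].add(f'{m["auth"]}-{m["hash"]}-{m["enc"]}')
            continue
        m = NOTIFY_RE.search(line)
        if m:
            report[m["peer"]]["notifies"].add(m["notify"])
    return dict(report)


# Constructed sample log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-192.0.2.10-PRE_SHARED-MD5-AES128
Sep 24 20:00:09 q-dsl isakmpd[3828]: dropped message from 192.0.2.10 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 24 20:00:31 q-dsl isakmpd[3828]: dropped message from 198.51.100.7 port 500 due to notification type PAYLOAD_MALFORMED
Sep 24 20:01:02 q-dsl isakmpd[3828]: attribute_unacceptable: attr HASH_ALGORITHM does not exist in phase1-transform-peer-192.0.2.10-PRE_SHARED-MD5-AES128
Sep 24 20:01:40 q-dsl ntpd[881]: clock is now synced
"""

if __name__ == "__main__":
    for peer, info in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(peer, sorted(info["notifies"]), sorted(info["missing_attrs"]), sorted(info["transforms"]))
```

A peer whose transform name already carries the cipher (AES128) but whose ENCRYPTION_ALGORITHM attribute is reported missing is the symptom the thread ties to the ipsecctl ike.c bug, so it is worth listing such peers separately before touching the peer configuration.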