Hello @misc,

after a nightly release upgrade of our VPN gateway(s) from 6.0 via 6.1 to 6.2 (amd64) I noticed some trouble with my VPN connections.

Scenario:
- a CARPed OpenBSD VPN gateway with sasyncd (master and backup)
- a bunch of customer VPN client gateways (several brands -> Sophos, Fortigate, Cisco, ...)
- ISAKMPD/ipsec (no iked yet)
- no syntax errors in ipsec.conf files (checked)
- with release 6.0 no problems at all
- with 6.2 sometimes several of the connections drop nearly at the same time and I have to restart them manually.
Configuration:
ipsec.conf includes - the configuration is pretty simple - one include file for every connection:

# --------------------------
LOCAL_PEER = "IP_of_my_gateway"
LOCAL_NET = "my_network/mask bits"
REMOTE_NET_XY = "foreign_network_YX/mask bits"
REMOTE_PEER_XY = "IP_of_remote_gateway"

ike esp from $LOCAL_NET to $REMOTE_NET_XY \
        peer $REMOTE_PEER_XY \
        main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
        quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 1200 \
        srcid $LOCAL_PEER psk "SomethingTotalSecretAsPSKsCanBe"

Single VPNs are started by "ipsecctl -f /etc/ipsec/ipsec.include.xy" and deleted by "ipsecctl -d -f /etc/ipsec/ipsec.include.xy" (deleting connections is a special matter and doesn't work well, but that is not the point here).
The problem so far: prior to the connection drops I see isakmpd error messages:

isakmpd[35939]: dropped message from "REMOTE_PEER_XY" port 500 due to notification type NO_PROPOSAL_CHOSEN
isakmpd[35939]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
isakmpd[35939]: message_negotiate_sa: no compatible proposal found

My question: why (and where) do I expect 3DES_CBC encryption?

And sometimes also other additional error messages appear in the log. Example:

... ipsec_get_id: section to-10.10.244.0/25 has no "ID-type" tag
Mar 16 08:06:11 redacc01-a isakmpd[35939]: connection_init: could not record connection "from-172.16.0.0/16-to-10.10.244.0/25"
...

I'm clueless... There is no information in the upgrade guides (6.0 to 6.1 and 6.1 to 6.2) concerning isakmpd/ipsec changes...
Sysctl lists:

net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Any hints?

Best regards
Andre Ruppert
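Added example (editor's note, not part of Andre's post): a small triage script that walks isakmpd syslog output, ties each "attribute_unacceptable" line to the NO_PROPOSAL_CHOSEN notification that follows it from a given peer, and lists the "expected" transform values that none of the include files declare. In the attribute_unacceptable message the "got" value is what the peer offered and the "expected" value comes from the locally configured transform isakmpd compared it against, so an "expected 3DES_CBC" on a box whose includes only say "enc aes-256" is exactly the entry worth hunting for; the script assumes that "enc aes-256" shows up as ENCRYPTION_ALGORITHM value AES_CBC (the key length is carried in a separate attribute). The sample lines are constructed from the messages quoted above; the peer addresses 203.0.113.10 and 198.51.100.7 and the second negotiation at 08:07 are placeholders, not data from the original report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: modelled on the messages quoted in the post (hostname and
# pid taken from there); the peer addresses and the second negotiation at 08:07
# are placeholders added for this example, not real log data.
SAMPLE_LOG = [
    'Mar 16 08:05:58 redacc01-a isakmpd[35939]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC',
    'Mar 16 08:05:58 redacc01-a isakmpd[35939]: message_negotiate_sa: no compatible proposal found',
    'Mar 16 08:05:58 redacc01-a isakmpd[35939]: dropped message from 203.0.113.10 port 500 due to notification type NO_PROPOSAL_CHOSEN',
    'Mar 16 08:06:11 redacc01-a isakmpd[35939]: ipsec_get_id: section to-10.10.244.0/25 has no "ID-type" tag',
    'Mar 16 08:06:11 redacc01-a isakmpd[35939]: connection_init: could not record connection "from-172.16.0.0/16-to-10.10.244.0/25"',
    'Mar 16 08:07:02 redacc01-a isakmpd[35939]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC',
    'Mar 16 08:07:02 redacc01-a isakmpd[35939]: dropped message from 198.51.100.7 port 500 due to notification type NO_PROPOSAL_CHOSEN',
]

# syslog prefix as written by OpenBSD syslogd: "Mon DD HH:MM:SS host isakmpd[pid]: msg"
SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'isakmpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ATTR_RE = re.compile(r'^attribute_unacceptable: (?P<attr>\w+): got (?P<got>\S+), expected (?P<expected>\S+)$')
DROPPED_RE = re.compile(r'^dropped message from (?P<peer>\S+) port \d+ due to notification type (?P<notify>\S+)$')
NOID_RE = re.compile(r'^ipsec_get_id: section (?P<section>\S+) has no "ID-type" tag$')
CONN_RE = re.compile(r'^connection_init: could not record connection "(?P<conn>[^"]+)"$')


def parse_line(line):
    """Classify one syslog line; returns None for anything that is not isakmpd."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # syslog has no year; strptime yields 1900, which is fine for time deltas
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "pid": m["pid"],
          "kind": "other", "msg": m["msg"]}
    msg = m["msg"]
    if (a := ATTR_RE.match(msg)):
        ev.update(kind="mismatch", attr=a["attr"], got=a["got"], expected=a["expected"])
    elif (d := DROPPED_RE.match(msg)):
        ev.update(kind="dropped", peer=d["peer"], notify=d["notify"])
    elif (n := NOID_RE.match(msg)):
        ev.update(kind="no_id", section=n["section"])
    elif (c := CONN_RE.match(msg)):
        ev.update(kind="conn_fail", conn=c["conn"])
    return ev


def triage(lines, window=timedelta(seconds=5)):
    """Group attribute mismatches under the peer whose NO_PROPOSAL_CHOSEN follows
    within `window`; also collect include sections isakmpd refused to load."""
    peers, pending, config = {}, [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "mismatch":
            pending.append(ev)          # attribute lines carry no peer; wait for the notification
        elif ev["kind"] == "dropped" and ev["notify"] == "NO_PROPOSAL_CHOSEN":
            recent = [p for p in pending if ev["ts"] - p["ts"] <= window]
            pending = [p for p in pending if ev["ts"] - p["ts"] > window]
            peers.setdefault(ev["peer"], []).extend(
                (p["attr"], p["got"], p["expected"]) for p in recent)
        elif ev["kind"] in ("no_id", "conn_fail"):
            config.append(ev.get("section") or ev.get("conn"))
    return {"peers": peers,
            "unattributed": [(p["attr"], p["got"], p["expected"]) for p in pending],
            "config": config}


def undeclared_local_transforms(report, declared):
    """(peer, attribute, expected) for every 'expected' value that is not among
    the values the include files declare for that attribute."""
    out = []
    for peer, mismatches in report["peers"].items():
        for attr, _got, expected in mismatches:
            if expected not in declared.get(attr, set()):
                out.append((peer, attr, expected))
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for peer, mm in rep["peers"].items():
        print(peer, "NO_PROPOSAL_CHOSEN", mm)
    print("include sections that failed to load:", rep["config"])
    # assumption: "enc aes-256" in the includes appears as AES_CBC here
    print("local transforms not declared in any include:",
          undeclared_local_transforms(rep, {"ENCRYPTION_ALGORITHM": {"AES_CBC"}}))
```

Feed it the real log with something like `grep isakmpd /var/log/daemon` piped through `triage(sys.stdin)`; a peer that shows up with an "expected" value no include declares is the one whose negotiation is being matched against a transform section that did not come from these files.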