Hello @misc,

after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via 6.1 to 6.2 (amd64) I noticed some trouble with my VPN connections.

Scenario:

- a CARPed OpenBSD VPN gateway with sasyncd (master and backup)
- a bunch of customer VPN client gateways (several brands -> Sophos, Fortigate, Cisco, ...).
- ISAKMPD/ipsec (no iked yet)
- no syntax errors in ipsec.conf files (checked)
- with release 6.0 no problems at all.
- with 6.2 sometimes several of the connections drop nearly at the same time and I have to restart them manually.

Configuration:

ipsec.conf includes - configuration is pretty simple - one include-file for every connection:

# --------------------------
LOCAL_PEER = "IP_of_my_gateway"
LOCAL_NET = "my_network/mask bits"
REMOTE_NET_XY = "foreign_network_YX/mask bits"
REMOTE_PEER_XY = "IP_of_remote_gateway"

ike esp from $LOCAL_NET to $REMOTE_NET_XY \
    peer $REMOTE_PEER_XY \
    main auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp1536 lifetime 1200 \
    srcid $LOCAL_PEER psk "SomethingTotalSecretAsPSKsCanBe"


Single VPNs are started by "ipsecctl -f /etc/ipsec/ipsec.include.xy"
and deleted by "ipsecctl -d -f /etc/ipsec/ipsec.include.xy"

(Deleting connections is a special matter and doesn't work well, but that is not the point here)

The problem so far: prior to the connection drops I see isakmpd error messages:

isakmpd[35939]: dropped message from "REMOTE_PEER_XY" port 500 due to notification type NO_PROPOSAL_CHOSEN
isakmpd[35939]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
isakmpd[35939]: message_negotiate_sa: no compatible proposal found

My question: why (and where) do I expect 3DES_CBC encryption?


And sometimes also other additional error messages appear in the Log.
Example:
...
ipsec_get_id: section to-10.10.244.0/25 has no "ID-type" tag
Mar 16 08:06:11 redacc01-a isakmpd[35939]: connection_init: could not record connection "from-172.16.0.0/16-to-10.10.244.0/25"
...


I'm clueless...

There is no information in the upgrade guides (6.0 to 6.1 and 6.1 to 6.2) concerning isakmpd/ipsec changes...


Sysctl lists:

net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate


Any hints?

Best regards
Andre Ruppert
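When chasing proposal mismatches like the ones quoted above, it helps to pull the peer, the rejected attribute and the "got/expected" pair out of the isakmpd log rather than reading it by eye. The following is an added example (not part of the original post or of OpenBSD); the log lines it parses are constructed to mirror the quoted messages, with placeholder peer addresses, and it also copes with two messages fused onto one syslog line as in the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the ones quoted in the post
# (peer addresses and connection names are placeholders, not real data).
SAMPLE_LOG = """\
Mar 16 08:05:58 vpngw isakmpd[35939]: dropped message from 192.0.2.10 port 500 due to notification type NO_PROPOSAL_CHOSEN
Mar 16 08:05:58 vpngw isakmpd[35939]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Mar 16 08:05:59 vpngw isakmpd[35939]: message_negotiate_sa: no compatible proposal found
Mar 16 08:06:11 vpngw isakmpd[35939]: ipsec_get_id: section to-10.10.244.0/25 has no "ID-type" tag
Mar 16 08:06:11 vpngw isakmpd[35939]: connection_init: could not record connection "from-172.16.0.0/16-to-10.10.244.0/25"
Mar 16 08:07:00 vpngw isakmpd[35939]: dropped message from 198.51.100.7 port 500 due to notification type NO_PROPOSAL_CHOSEN isakmpd[35939]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
"""

# A syslog line may carry two isakmpd messages when the newline between them
# was lost (as in the quoted excerpt); split on the "isakmpd[pid]:" tag.
MSG_SPLIT = re.compile(r"isakmpd\[\d+\]:\s*")
DROPPED = re.compile(r"dropped message from (\S+) port (\d+) due to notification type (\w+)")
UNACCEPTABLE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
NO_RECORD = re.compile(r'connection_init: could not record connection "([^"]+)"')

def parse_isakmpd_log(text):
    """Return a list of event dicts for the messages relevant to a proposal mismatch."""
    events = []
    last_peer = None
    for line in text.splitlines():
        messages = MSG_SPLIT.split(line)[1:]   # drop the syslog prefix, keep each message
        for msg in messages:
            if m := DROPPED.search(msg):
                last_peer = m.group(1)
                events.append({"kind": "dropped", "peer": last_peer, "notify": m.group(3)})
            elif m := UNACCEPTABLE.search(msg):
                # attribute_unacceptable names no peer; attribute it to the preceding drop
                events.append({"kind": "mismatch", "peer": last_peer, "attribute": m.group(1),
                               "got": m.group(2), "expected": m.group(3)})
            elif m := NO_RECORD.search(msg):
                events.append({"kind": "unrecorded", "connection": m.group(1)})
    return events

def mismatches_by_peer(events):
    """Map peer -> [(attribute, got, expected)] so each failing peer's proposal gap is visible."""
    out = defaultdict(list)
    for e in events:
        if e["kind"] == "mismatch":
            out[e["peer"]].append((e["attribute"], e["got"], e["expected"]))
    return dict(out)
```

Feed it the real /var/log/daemon excerpt and compare each peer's "expected" value against the transforms in that peer's ipsec.conf include to see which side is proposing 3DES.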

