Fri, 16 Mar 2018 13:25:49 +0100 Janne Johansson <icepic...@gmail.com>:
> 2018-03-16 12:26 GMT+01:00 Andre Ruppert <a...@in-telegence.net>:
>
> > Hello @misc,
> >
> > after a nightly release upgrade of our VPN-Gateway(s) from 6.0 via
> > 6.1 to 6.2 (amd64) I noticed some trouble with my VPN connections.
> >
>
> Almost always when you get "expected 3DES" it means "the confs are not
> matching so obsd chose some default thing which includes 3DES
> which is not what the other side is running".
>
> Things like mixing up "from NetA to NetB" and the other side not
> having the exact opposite is a decent way to get that exact error.
>
> I don't know what part changed so that it is no longer matching for
> you, but something makes the negotiations not think
> the remote proposal is what it expects, so it goes into some default
> mode from which it will never make a connection.
>

I agree with you in principle, but the question is: why drop these
connections (with untouched configurations) sporadically with 6.2 and
_not_ with 6.0?

Some of these connections drop several times in 24h.
No problems at all with 6.0.

And it's always the same behavior: first drops the esp tunnel and the
esp flows remain active. And it's not possible to stop them with
'ipsecctl -d -f .... '

Is it only possible to stop zombie-type flows with fifo commands?

Best regards
Andre