On 2020-06-12, Tobias Heider <tobias.hei...@stusta.de> wrote:
> Probably related to the following change documented in
> https://www.openbsd.org/faq/upgrade67.html:
>
> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8)
> or
> isakmpd(8) was changed from "use" to "require". This means unencrypted traffic
> matching the flows will no longer be accepted. Flows of type "use" can still
> be
> set up manually in ipsec.conf(5).
>
> The problem is that the incoming packet on 10.200.200.3 matches the installed
> IPsec flow which only accepts encrypted packets.
>
>
Just leaving this for the list archive, if anyone needs it this
is how you can reverse that change:
Index: pfkey.c
===================================================================
RCS file: /cvs/src/sbin/iked/pfkey.c,v
retrieving revision 1.65
diff -u -p -r1.65 pfkey.c
--- pfkey.c 13 May 2020 18:28:51 -0000 1.65
+++ pfkey.c 16 Jun 2020 22:47:54 -0000
@@ -280,7 +280,9 @@ pfkey_flow(int sd, uint8_t satype, uint8
sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
sa_flowtype.sadb_protocol_direction = flow->flow_dir;
- sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_REQUIRE;
+ sa_flowtype.sadb_protocol_proto =
+ (flow->flow_dir == IPSP_DIRECTION_IN ?
+ SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE);
bzero(&sa_protocol, sizeof(sa_protocol));
sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
