Re: ipsec: failure after upgrade [SOLVED]

2011-09-28 Thread Toni Mueller
Hi,

I solved the site-site part of it. It turned out to be a typo somewhere.

  :(

But the mobile issue is still open.



Kind regards,
--Toni++



ipsec: failure after upgrade

2011-09-28 Thread Toni Mueller
Hi,

I have

  lan1 -- gw1 --- internet --- gw2 -- lan2


The setup has been working for years. Now I upgraded one side to 4.9,
while the other - so far - is still at 4.6 (I know... :( ).

After that, no connection gets established anymore:


1.2.3.4: OpenBSD 4.6
4.3.2.1: OpenBSD 4.9


13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 767f6d9ce0fa3890-> msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T, 
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, 
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 42430, len 212)
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 767f6d9ce0fa3890->7779887f9d620aeb msgid:  len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 
xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T, 
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, 
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 42377, len 212)
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292 
(ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292 
(ttl 63, id 43438, len 1320)
13:16:01.501279 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292 
(ttl 63, id 54363, len 1320)
13:16:12.516937 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292 
(ttl 63, id 19766, len 1320)
13:16:25.537550 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 
exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292 
(ttl 63, id 36623, len 1320)



As you can see, there is no SHA2 problem present (see 47.html).

Switching the phase2 hash to ripemd didn't help.


Any ideas about what to do?


The reason for not yet upgrading everything is that road warriors (NCP)
are stopped dead in much the same way as shown above, when running
against 4.9 (but not if they work against lower versions of OpenBSD,
including 4.8). If I could verify that they'll work, I'd upgrade rather
sooner than later.



Kind regards,
--Toni++
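To see at a glance where a main mode negotiation like the one above breaks down, here is an added Python example (not part of the thread, and not ike(8) or isakmpd code) that groups tcpdump -v isakmp lines into packets, assigns each to its IKEv1 main mode message pair, and reports which peer went silent; the sample input is constructed, condensed from the capture in the post, and assumes the tcpdump output layout shown there.

```python
import re
# Constructed sample in tcpdump -v isakmp format, condensed from the capture in the
# post above (same peers and cookies; the SA step and NAT-D payloads are omitted).
SAMPLE = """\
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 228
payload: KEY_EXCH len: 132
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 228
payload: KEY_EXCH len: 132
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7->915168361b6b77c1 msgid:  len: 1292
"""
HDR = re.compile(r"^\S+ (\S+)\.isakmp > (\S+)\.isakmp: .*?exchange (\w+)( encrypted)?")

def parse(text):  # group tcpdump lines into packets; cookie/payload lines continue the header
    pkts, cur = [], []
    for line in text.splitlines() + [""]:
        if cur and (not line or re.match(r"\d\d:\d\d:\d\d\.", line)):
            pkts.append(" ".join(cur)); cur = []
        if line: cur.append(line.strip())
    out = []
    for p in pkts:
        m, c = HDR.match(p), re.search(r"cookie: ([0-9a-f]+)->", p)
        if m and c:
            src, dst, exch, enc = m.groups()
            out.append({"src": src, "dst": dst, "exchange": exch, "icookie": c.group(1),
                        "encrypted": bool(enc), "payloads": re.findall(r"payload: ([\w-]+)", p)})
    return out

def step(pkt):  # which IKEv1 main mode message pair the packet belongs to
    if pkt["encrypted"]: return "ID/AUTH (msgs 5-6, encrypted)"
    if "KEY_EXCH" in pkt["payloads"]: return "KE/NONCE (msgs 3-4)"
    return "SA proposal (msgs 1-2)" if "SA" in pkt["payloads"] else "other"

def diagnose(pkts):
    """Per phase 1 negotiation (initiator cookie): (stalled step, silent peer, repeats)."""
    byc = {}
    for p in (q for q in pkts if q["exchange"] == "ID_PROT"):
        byc.setdefault(p["icookie"], []).append(p)
    result = {}
    for ic, seq in byc.items():
        last = seq[-1]                   # last packet, then the length of the trailing run from its sender
        n = next((i for i, p in enumerate(reversed(seq)) if p["src"] != last["src"]), len(seq))
        if n >= 2:                       # sender repeating itself: its peer stopped answering
            result[ic] = (step(last), last["dst"], n)
    return result
```

On the capture in the post this reports that the 4.9 side answered the SA and KE/NONCE messages but not the encrypted message 5, i.e. the proposal and DH exchange were accepted and the negotiation died at the identity/signature step, which is where an ID, certificate or peer-address mismatch in the configuration shows up.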