The following reply was made to PR system/6601; it has been noted by GNATS.

From: Stuart Henderson <[email protected]>
To: [email protected]
Cc:  
Subject: system/6601
Date: Fri, 20 May 2011 10:55:45 +0100

 Forwarding to gnats as requested by submitter.
 
 ----- Forwarded message from Pawel Wieleba <[email protected]> -----
 
 From: Pawel Wieleba <[email protected]>
 Date: Fri, 20 May 2011 11:42:45 +0200
 To: [email protected], [email protected]
 User-Agent: Mutt/1.5.20 (2009-06-14)
 Subject: Re: [isakmpd] IPSEC SA is established with different keys
        key_authkey and key_encrypt on both peers -- VPN does not work.
 
 On Sun, May 15, 2011 at 05:49:47AM +0200, Pawel Wieleba wrote:
 > On Tue, May 10, 2011 at 03:08:43PM +0200, Pawel Wieleba wrote:
 > > >Number:         6601
 > > >Category:       pending
 > > >Synopsis:       [isakmpd] IPSEC SA is established with different keys
 > > key_authkey and key_encrypt on both peers. The problem repeats every few
 > > days.
 
 Hello,
 
 I've performed some more tests regarding the problem report 6601 I've
 submitted.  PR 6601 describes the problem with different authkeys as
 well as enckeys on both peers for the same IPSEC SA. The problem
 repeats regularly and its frequency depends on the default lifetimes.
 More information was gathered in my previous posts.
 
 I've created testing environments as described in my previous post:
 Date: Tue, 10 May 2011 15:08:43 +0200
 From: Pawel Wieleba <[email protected]>
 To: [email protected]
 Subject: [isakmpd] IPSEC SA is established with different keys key_authkey
                and key_encrypt on both peers -- VPN does not work.
 
 The testing environments were run using the following OpenBSD
 configurations.
 
 1) The problem occurs when running:
        - OpenBSD 4.6 and OpenBSD 4.8 peer
        - OpenBSD 4.9 and OpenBSD 4.9 peer
        - OpenBSD 4.8 and OpenBSD 4.9 peer
        - OpenBSD 4.8 and OpenBSD 4.8 peer
 
 2) The problem _does not_ occur (3 days without a problem) when
 running:
        - OpenBSD 4.6 and OpenBSD 4.6 peer
        - OpenBSD 4.7 and OpenBSD 4.7 peer
 
 The above tests were done using the ISAKMP SA and IPSEC SA
 configuration, which was mentioned in my previous post, and I quote it
 here:
   main auth hmac-sha1 enc aes group modp1024
   quick auth hmac-sha1 enc aes group
   psk "<shared_key>"
 
 Moreover I've tested a few more algorithms used for phase 1 and 2.
 The following algorithms were tested for both OpenBSD 4.9 peers, and
 the described problem existed in all cases:
  - main  auth hmac-sha1 enc aes group modp1024
    quick auth hmac-sha1 enc aes group modp1024
    psk "<shared_key>"
  - main  auth hmac-sha1 enc 3des group modp1024
    quick auth hmac-sha1 enc 3des group modp1024
    psk "<shared_key>"
  - main  auth hmac-md5 enc 3des group modp1024
    quick auth hmac-md5 enc 3des group modp1024
    psk "<shared_key>"
  - main  auth hmac-sha2-256 enc aes group modp1024
    quick auth hmac-sha2-256 enc aes group modp1024
    psk "<shared_key>"
 
 
 It is a very important regression compared to OpenBSD 4.6.
 With default lifetimes set to 120sec, the problem repeats every 1 to 5
 hours.
 
 I think that it would be useful to append this information to the
 original PR, so if someone in charge can do this, please update PR
 6601:
 http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6601
 
 Best regards,
 Pawel Wieleba
 
 
 ----- End forwarded message -----
