On Thu, May 26, 2011 at 08:13:19AM +0200, Pawel Wieleba wrote:
>
> I've already compiled isakmpd sources from OpenBSD_4_7 CVS branch on
> OpenBSD 4.8 system and this problem does not exist (2 days without a
> problem).
>
> I can confirm that isakmpd sources from OpenBSD_4_7 CVS branch works
> fine on OpenBSD 4.8 -- two OpenBSD 4.8 peers with isakmpd from
> OpenBSD_4_7 CVS branch.
> The only change after that date was Diffie-Hellman implementation, and
> it is probably problem in this area:
> date: 2010/06/29 19:50:16; author: reyk; state: Exp;

Hello,

For all of you waiting for the official patch commit in CVS which fixes
the Diffie-Hellman algorithm problem.

I attach the patch for OpenBSD 4.8, which fixes the described problem of
different authkeys and enckeys on two peers for the same SA.

The below patch includes the DH algorithm from the OpenBSD 4.7 and all
relevant patches, which were committed to OpenBSD 4.9 and CVS HEAD, which
were available on 2011.06.01. The patch does not include new AES
algorithms introduced in OpenBSD 4.9 as other changes to OpenBSD 4.8
would have been required.

To build and install the isakmpd with the attached patch run the
following:

openbsd48# cd /usr/src/sbin
openbsd48# patch --directory=isakmpd --strip=1 < isakmpd-4.8+patch4.7+4.9+HEAD20110601.diff
openbsd48# cd isakmpd
openbsd48# make obj
openbsd48# make
openbsd48# make install

I also attach the binary (ready-to-run for OpenBSD 4.8):

# md5 isakmpd-4.8-patched
MD5 (isakmpd-4.8-patched) = ffe92cbc1a43e9a50dc5d37be77cc504
# pkill isakmpd
# cp isakmpd-4.8-patched /sbin/isakmpd

Regards,
Pawel Wieleba

[demime 1.01d removed an attachment of type text/x-diff]
[demime 1.01d removed an attachment of type application/octet-stream]
