Hi, I am getting some strange problems with IPSEC tunnels. There are 5 sites connected using IPSEC tunnels, which used to work perfectly, but since upgrading to 4.8 (from 4.4), tunnels started failing, seemingly at random intervals. To investigate I set up two machines in the lab and they exhibit the same behavior: after a seemingly random amount of time, when there is a renegotiation of an SA because its lifetime has expired, traffic stops flowing (I have a ping running). 'ipsecctl -sa' and 'netstat -rn' show everything as normal. When that SA lifetime expires and a new SA is negotiated, it comes back again.
I recompiled the kernel with 'option ENCDEBUG' and set net.inet.ip.encdebug=1, and when it fails I get:

esp_input_cb(): authentication failed for packet in SA xxx.xxx.xxx.97/6e68c6ae

The machines are installed with stock OpenBSD 4.8, nothing special about the configuration. ipsec.conf is very simple, just one line:

ike esp from {192.168.1.9/24 172.16.1.0/24} to {192.168.31.0/24 192.168.32.254} local xxx.xxx.xxx.97 peer xxx.xxx.xxx.99

Public keys copied across, isakmpd started with flags "-K -v".

Does anyone have any ideas about this?

Thank you

Jakob Alvermark
jakob.alverm...@bsdlabs.com
BSDLabs AB
Solna, Sweden
556759-7652
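When chasing intermittent ESP authentication failures around SA rekeys, it helps to correlate the ENCDEBUG messages with the SAD from 'ipsecctl -sa': if the failing SPI is still the current inbound SA, the two peers are disagreeing about the keys for a live SA; if the SPI is no longer in the SAD, the peer is still sending on an SA this side has already replaced. The script below is an added example (not part of the original post) that parses both sources and reports, per failing SPI, how many failures occurred, over what time window, and whether the SPI is present in the SAD. The syslog prefix, the addresses and the exact 'ipsecctl -sa' line layout are assumptions; the sample lines are constructed.

```python
import re

# Constructed sample of ENCDEBUG output as it would reach /var/log/messages.
# The syslog prefix ("Nov 12 10:01:03 gw1 /bsd:") and the addresses are
# assumptions; the message body matches the kernel text quoted in the post.
SAMPLE_LOG = """\
Nov 12 10:01:03 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 203.0.113.97/6e68c6ae
Nov 12 10:01:04 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 203.0.113.97/6e68c6ae
Nov 12 10:01:05 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 203.0.113.97/6e68c6ae
Nov 12 10:01:06 gw1 isakmpd[1234]: some unrelated line that must be ignored
Nov 12 10:30:07 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 203.0.113.97/0a1b2c3d
"""

# Constructed sample of the SAD section of 'ipsecctl -sa' output. The line
# layout is assumed from the command's usual form; SPIs and addresses are made up.
SAMPLE_SAD = """\
SAD:
esp tunnel from 203.0.113.99 to 203.0.113.97 spi 0x6e68c6ae auth hmac-sha2-256 enc aes
esp tunnel from 203.0.113.97 to 203.0.113.99 spi 0x5d4c3b2a auth hmac-sha2-256 enc aes
"""

# Matches one ENCDEBUG authentication-failure line and captures the
# timestamp, the SA destination address and the SPI (hex, no 0x prefix).
ESP_AUTH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+/bsd:\s+"
    r"esp_input_cb\(\): authentication failed for packet in SA "
    r"(?P<dst>[0-9.]+)/(?P<spi>[0-9a-fA-F]+)\s*$"
)

# Matches one SAD entry: "esp tunnel from SRC to DST spi 0xSPI ...".
SAD_ENTRY = re.compile(
    r"^esp\s+\S+\s+from\s+(?P<src>[0-9.]+)\s+to\s+(?P<dst>[0-9.]+)"
    r"\s+spi\s+0x(?P<spi>[0-9a-fA-F]+)"
)


def parse_auth_failures(log_text):
    """Return a list of (timestamp, dst, spi) for every ESP auth failure."""
    failures = []
    for line in log_text.splitlines():
        m = ESP_AUTH_FAIL.match(line)
        if m:
            failures.append((m.group("ts"), m.group("dst"), m.group("spi").lower()))
    return failures


def parse_sad(sad_text):
    """Map each SPI in the SAD (lower-case hex, no 0x) to its (src, dst) pair."""
    sad = {}
    for line in sad_text.splitlines():
        m = SAD_ENTRY.match(line)
        if m:
            sad[m.group("spi").lower()] = (m.group("src"), m.group("dst"))
    return sad


def summarize(log_text, sad_text):
    """Per failing SPI: failure count, first/last timestamp, and whether the
    SPI is still present in the SAD (a live SA) or already gone (stale)."""
    sad = parse_sad(sad_text)
    summary = {}
    for ts, dst, spi in parse_auth_failures(log_text):
        entry = summary.setdefault(
            spi, {"dst": dst, "count": 0, "first": ts, "last": ts, "in_sad": spi in sad}
        )
        entry["count"] += 1
        entry["last"] = ts  # log lines are in chronological order
    return summary


if __name__ == "__main__":
    for spi, info in summarize(SAMPLE_LOG, SAMPLE_SAD).items():
        state = "current SA in SAD" if info["in_sad"] else "SPI not in SAD (stale SA?)"
        print(f"SPI {spi} to {info['dst']}: {info['count']} failure(s) "
              f"{info['first']} .. {info['last']} ({state})")
```

On a real gateway, feed it the relevant part of /var/log/messages and the output of 'ipsecctl -sa' captured at the moment the ping stops; comparing the SAD snapshots from both peers for the failing SPI shows whether they still agree on which SA is current.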