Hello

I recently updated to the 11-9 amd64 snapshot.
I had started following current, and, in general, seem to be doing fine.

But, after this last update, an IPSEC tunnel that I have been using
for months/years all of a sudden is not coming up with a system reboot.

I have not changed the ipsec.conf files in a really long time.  So, I
did not include them, but can if necessary.  The important point (I
think) is that I am using some FQDNs with dynamic IPs.

What I have noticed is that the "dynamic" side of the tunnel seems to
be trying to connect, but the "passive" side refuses to accept the
connection.

On the passive side, I get this:
...
Nov 10 10:21:46 xxx isakmpd[12622]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 10 10:21:46 xxx isakmpd[12622]: message_negotiate_sa: no
compatible proposal found
Nov 10 10:21:46 xxx isakmpd[12622]: dropped message from a.b.c.d port
500 due to notification type NO_PROPOSAL_CHOSEN
...
So, I understand this is because isakmpd is "falling back" to a
default 3DES setting, and the AES proposal from the dynamic side of
the tunnel is being rejected.

This led me to the dmesg on the passive host:
...
starting early daemons: syslogd pflogd ntpd isakmpd.
no IP address found for ipsec1.FQDN.com /etc/ipsec.conf: 40: could not
parse host specification
no IP address found for ipsec1.FQDN.com /etc/ipsec.conf: 41: could not
parse host specification
no IP address found for ipsec2.FQDN.com /etc/ipsec.conf: 42: could not
parse host specification
no IP address found for ipsec2.FQDN.com /etc/ipsec.conf: 43: could not
parse host specification
ipsecctl: Syntax error in config file: ipsec rules not loaded
...

So, I reload the ipsec.conf file manually - "ipsecctl -f
/etc/ipsec.conf" - and the tunnel goes up.

Now, on the dynamic host, there is no issue loading ipsec at boot -
dmesg for the dynamic host:
...
starting early daemons: syslogd pflogd ntpd isakmpd.
starting RPC daemons:.
...

As I said, no changes to ipsec.conf, and it was working last week
before the current snapshot.
I don't see anything in 'following current' about changes to ipsec
configuration.

Also, both ends of the tunnel point to the same resolver (openDNS)
during the boot up process.  If it was an issue with the resolver, I
would have expected a problem on both ends of the tunnel.

The confusing thing to me is why a line like: "ike passive esp from
$local_ip to $remote_gw srcid $local_id dstid $remote_id"
is failing during boot with "could not parse host specification."

But, a line like: "ike dynamic esp from $local_ip to $remote_gw srcid
$local_id dstid $remote_id"
works without an issue.

So, am I missing something, or is this a bug?  And, if so, what should I do?

Thanks
Ted W.
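A boot-time workaround for the failure described above (an added example, not part of the post or of OpenBSD's own scripts): a POSIX sh script for /etc/rc.local that pulls the hostnames out of an ipsec.conf, waits until they resolve, and only then runs `ipsecctl -f`. The `host` utility, the paths and the retry budget are assumptions.

```shell
# Added example, not the author's code: list the hostnames an ipsec.conf's ike
# rules use (expanding simple name = "value" macros), wait until they resolve,
# then load the rules. `host`, the paths and the retry budget are assumptions.
# Print each "from"/"to" host of the ike rules that is a name, one per line.
hosts_from_conf() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {        # macro definition
            n = index($0, "=")
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            v = substr($0, n + 1);    gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            macro[k] = v; next
        }
        $1 == "ike" {
            for (i = 2; i < NF; i++)
                if ($i == "from" || $i == "to") {
                    h = $(i + 1)
                    if (substr(h, 1, 1) == "$") h = macro[substr(h, 2)]
                    # skip empty, "any" and IPv4/IPv6 literals: only names need DNS
                    if (h != "" && h != "any" && h !~ /^[0-9.]+(\/[0-9]+)?$/ && h !~ /:/)
                        print h
                }
        }' "$1" | sort -u
}
# Return 0 once every host resolves, 1 after $2 attempts spaced $3 seconds apart.
wait_resolvable() {
    _left=$2
    while [ "$_left" -gt 0 ]; do
        _missing=0
        for h in $(hosts_from_conf "$1"); do
            host "$h" >/dev/null 2>&1 || _missing=1
        done
        [ "$_missing" -eq 0 ] && return 0
        _left=$((_left - 1)); sleep "$3"
    done
    return 1
}

sample_conf() {   # constructed sample in the shape of the post's rules, not the author's file
    cat <<'EOF'
local_ip = "192.0.2.10"
remote_gw = "ipsec2.example.net"
ike passive esp from $local_ip to $remote_gw srcid $local_id dstid $remote_id
ike dynamic esp from 192.0.2.10 to vpn.example.net
EOF
}

if [ "${1:-}" = "load" ]; then   # rc.local-style use: sh this.sh load
    wait_resolvable /etc/ipsec.conf 12 5 && ipsecctl -f /etc/ipsec.conf
fi
```

Macros that refer to other macros are not expanded; if the names never resolve, the rules are simply not loaded and the script returns 1, so log that case from rc.local.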
