Toni Mueller wrote:
Darn, I should write better messages. So here goes an important
addendum:

On Wed, 17.03.2010 at 17:55:34 +0100, Toni Mueller <openbsd-m...@oeko.net> 
wrote:
I've installed the latest snapshot, with kernel bsd.mp#488, on a
machine that has several IPSEC connections to handle, some fixed
(branch offices), some for road warriors. The setup per se has run well
for several years, but after this upgrade, traffic to the branch
offices stopped. I checked on one of the branch office's firewalls, which
runs a slightly older version of OpenBSD, that the encrypted packets
arrive on the WAN interface. So I conclude that the gateway, running
the snapshot, pushes the packets out ok (I can observe these packets on
the gateway's enc0 interface, too, so confidence is high). In the
branch office's gateway, using 'netstat -rnf encap', I see all the
entries that there used to be, but I see _NO_ packets on its enc0
interface.

This was binary-upgrading an existing machine from 4.6-stable to
-current, including 'sysmerge', and it is i386 (again).

Traffic from and to road warriors is unaffected by the problem, only
traffic to networks (with a netmask < 32 - I can only test /16 so far).

If you want me to test something, that can probably be arranged.



Could the following be your issue?

2010/01/10 - IPsec/HMAC-SHA2 incompatible change

Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility with the HMAC-SHA-256/384/512 hash algorithms with previous versions of OpenBSD and other IPsec implementations sharing the bugs. In particular the default authentication algorithm HMAC-SHA-256 is affected. Upgrade both sides together, or switch to another authentication algorithm during the transition. The per-packet overhead has increased; if you are clamping the MSS to exact values (i.e. without slack), this will need to be recalculated.
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
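An added example, not code from either poster or from OpenBSD: it shows how an authentication mismatch of the kind the release note describes surfaces in practice. Two peers sharing a key and the same packet bytes only agree if they compute the integrity check value the same way; here the difference is modelled as an ICV truncation length (96 vs 128 bits, both of which real IPsec stacks have used for HMAC-SHA-256). That choice is an assumption for illustration, not a statement of what the two OpenBSD bugs were. The base HMAC is validated against the public RFC 4231 test vector so the check itself can be trusted.

```python
import hashlib
import hmac

# RFC 4231 test case 1: a public HMAC-SHA-256 vector used to validate the base MAC.
RFC4231_KEY = b"\x0b" * 20
RFC4231_DATA = b"Hi There"
RFC4231_MAC = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"
)

# Constructed sample: a shared SA key and the authenticated bytes of one ESP packet.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PACKET = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x07" + b"constructed payload bytes"


def esp_icv(key: bytes, authenticated_bytes: bytes, icv_len: int) -> bytes:
    """Integrity check value as an IPsec peer would compute it:
    HMAC-SHA-256 over the authenticated bytes, truncated to icv_len bytes.
    96-bit (12 byte) and 128-bit (16 byte) truncations both exist in the wild."""
    if icv_len not in (12, 16):
        raise ValueError("HMAC-SHA-256 ICV must be 96 or 128 bits")
    return hmac.new(key, authenticated_bytes, hashlib.sha256).digest()[:icv_len]


def peer_accepts(key: bytes, authenticated_bytes: bytes,
                 received_icv: bytes, expected_len: int) -> bool:
    """Receiver side: recompute with the locally configured truncation and
    compare in constant time. A length mismatch fails like any bad ICV does,
    which is why the symptom is silently dropped packets, not an error."""
    expected = esp_icv(key, authenticated_bytes, expected_len)
    return hmac.compare_digest(expected, received_icv)


def interop_check(key: bytes, authenticated_bytes: bytes,
                  sender_len: int, receiver_len: int) -> bool:
    """Simulate one packet from a sender using sender_len to a receiver
    using receiver_len; True only if the receiver would accept it."""
    icv = esp_icv(key, authenticated_bytes, sender_len)
    return peer_accepts(key, authenticated_bytes, icv, receiver_len)


def icv_overhead_delta(old_len: int, new_len: int) -> int:
    """Extra bytes per packet when the ICV grows; an MSS clamp set with no
    slack must shrink by this amount, as the release note warns."""
    return new_len - old_len


if __name__ == "__main__":
    assert esp_icv(RFC4231_KEY, RFC4231_DATA, 16) == RFC4231_MAC[:16]
    print("same truncation on both sides:",
          interop_check(SAMPLE_KEY, SAMPLE_PACKET, 16, 16))
    print("old peer (96-bit) -> upgraded peer (128-bit):",
          interop_check(SAMPLE_KEY, SAMPLE_PACKET, 12, 16))
    print("per-packet overhead increase:", icv_overhead_delta(12, 16), "bytes")
```

Run against a road-warrior SA and a branch-office SA with the same helper and the asymmetry in the thread is reproducible in miniature: peers upgraded together keep agreeing, an upgraded gateway talking to an older one stops, and the only visible effect is that enc0 on the receiving side never sees the decrypted packet.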
