On Sun, May 15, 2011 at 05:49:47AM +0200, Pawel Wieleba wrote:
> On Tue, May 10, 2011 at 03:08:43PM +0200, Pawel Wieleba wrote:
> > >Number:         6601
> > >Category:       pending
> > >Synopsis:       [isakmpd] IPSEC SA is established with different keys
> > > key_authkey and key_encrypt on both peers. The problem repeats every few
> > > days.

Hello,

I've run some more tests regarding problem report 6601, which I
submitted. PR 6601 describes the problem of different authkeys as
well as enckeys on both peers for the same IPSEC SA. The problem
repeats regularly and its frequency depends on the default lifetimes.
More information was gathered in my previous posts.

I've created testing environments as described in my previous post:
Date: Tue, 10 May 2011 15:08:43 +0200
From: Pawel Wieleba <[email protected]>
To: [email protected]
Subject: [isakmpd] IPSEC SA is established with different keys key_authkey
                and key_encrypt on both peers -- VPN does not work.

The testing environments were run using the following OpenBSD
configurations.

1) The problem occurs when running:
        - OpenBSD 4.6 and OpenBSD 4.8 peer
        - OpenBSD 4.9 and OpenBSD 4.9 peer
        - OpenBSD 4.8 and OpenBSD 4.9 peer
        - OpenBSD 4.8 and OpenBSD 4.8 peer

2) The problem _does not_ occur (3 days without a problem) when
running:
        - OpenBSD 4.6 and OpenBSD 4.6 peer
        - OpenBSD 4.7 and OpenBSD 4.7 peer

The above tests were done using the ISAKMP SA and IPSEC SA
configuration mentioned in my previous post, which I quote here:
  main auth hmac-sha1 enc aes group modp1024
  quick auth hmac-sha1 enc aes group modp1024
  psk "<shared_key>"

Moreover, I've tested a few more algorithms for phase 1 and 2.
The following algorithms were tested with both peers running OpenBSD
4.9, and the described problem existed in all cases:
 - main  auth hmac-sha1 enc aes group modp1024
   quick auth hmac-sha1 enc aes group modp1024
   psk "<shared_key>"
 - main  auth hmac-sha1 enc 3des group modp1024
   quick auth hmac-sha1 enc 3des group modp1024
   psk "<shared_key>"
 - main  auth hmac-md5 enc 3des group modp1024
   quick auth hmac-md5 enc 3des group modp1024
   psk "<shared_key>"
 - main  auth hmac-sha2-256 enc aes group modp1024
   quick auth hmac-sha2-256 enc aes group modp1024
   psk "<shared_key>"


It is a very important regression compared to OpenBSD 4.6.
With the default lifetimes set to 120 sec, the problem repeats every 1
to 5 hours.

I think that it would be useful to append this information to the
original PR, so if someone in charge can do this, please update PR
6601:
http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6601

Best regards,
Paweł Wieleba
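The mismatch described in this report (the same IPSEC SA installed with different authentication and encryption keys on each peer) is easiest to catch by dumping the SAs on both peers and diffing the key material per SPI. The script below is an added example, not code from the original post or from OpenBSD; it parses two SA dumps and reports any SPI whose keys differ. The dump layout it expects (a `sa: spi 0x...` header followed by indented `key_auth:` and `key_encrypt:` lines) is an assumption modelled on the verbose output of `ipsecctl -sa -v`, and the two embedded dumps are constructed sample data, so check the regexes against the real output of your own peers before relying on it.

```python
"""Compare IPsec SA key material dumped on two isakmpd peers.

For every SA present in both dumps (matched by SPI), check that the
authentication key and the encryption key agree.  A mismatch means the
SA was installed with different keys on each side, which is exactly the
failure mode described in PR 6601: the SA exists on both peers, but
traffic through it fails integrity checking or decrypts to garbage.
"""
import re
from typing import Dict, List, Optional, Tuple

# ASSUMED dump layout (modelled on `ipsecctl -sa -v`): each SA starts
# with "sa: spi 0x<hex> ..." and its keys follow on indented
# "key_auth: <hex>" / "key_encrypt: <hex>" lines.  Verify against real
# output before use; adjust these two patterns if your output differs.
SA_RE = re.compile(r'^\s*sa:\s+spi\s+(0x[0-9a-fA-F]+)')
KEY_RE = re.compile(r'^\s*(key_auth|key_encrypt):\s*([0-9a-fA-F]+)')

KEY_NAMES = ('key_auth', 'key_encrypt')


def parse_sa_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {spi: {'key_auth': hex, 'key_encrypt': hex}} from one dump."""
    sas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            current = m.group(1).lower()
            sas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sas[current][m.group(1)] = m.group(2).lower()
    return sas


def compare_peers(dump_a: str, dump_b: str
                  ) -> Tuple[Dict[str, List[str]], List[str], List[str]]:
    """Compare per-SPI keys between two peers.

    Returns (mismatched, only_in_a, only_in_b) where mismatched maps an
    SPI present on both peers to the list of key names that differ.
    SPIs present on only one peer are reported separately, since a
    one-sided SA is a different problem from a key mismatch.
    """
    a = parse_sa_dump(dump_a)
    b = parse_sa_dump(dump_b)
    mismatched: Dict[str, List[str]] = {}
    for spi in sorted(set(a) & set(b)):
        bad = [k for k in KEY_NAMES if a[spi].get(k) != b[spi].get(k)]
        if bad:
            mismatched[spi] = bad
    return mismatched, sorted(set(a) - set(b)), sorted(set(b) - set(a))


# Constructed sample dumps (not real output): two SAs, hmac-sha1 keys
# of 20 bytes and aes-128 keys of 16 bytes, with obviously fake values.
PEER_A_DUMP = """\
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x1a2b3c4d auth hmac-sha1 enc aes
    sa: spi 0x1a2b3c4d auth hmac-sha1 enc aes
        state mature
    key_auth: 0102030405060708090a0b0c0d0e0f1011121314
    key_encrypt: 00112233445566778899aabbccddeeff
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x5e6f7a8b auth hmac-sha1 enc aes
    sa: spi 0x5e6f7a8b auth hmac-sha1 enc aes
        state mature
    key_auth: 14131211100f0e0d0c0b0a090807060504030201
    key_encrypt: ffeeddccbbaa99887766554433221100
"""

# Same SAs on the other peer, but the second SA carries a different
# encryption key: the PR 6601 symptom.
PEER_B_DUMP = PEER_A_DUMP.replace(
    'key_encrypt: ffeeddccbbaa99887766554433221100',
    'key_encrypt: deadbeefdeadbeefdeadbeefdeadbeef')


if __name__ == '__main__':
    mismatched, only_a, only_b = compare_peers(PEER_A_DUMP, PEER_B_DUMP)
    for spi, keys in mismatched.items():
        print(f'MISMATCH spi {spi}: {", ".join(keys)} differ between peers')
    for spi in only_a:
        print(f'spi {spi} present only on peer A')
    for spi in only_b:
        print(f'spi {spi} present only on peer B')
    if not (mismatched or only_a or only_b):
        print('all SAs agree')
```

Run it from cron on one host with the two dumps fetched over ssh (or paste them in by hand) and you get a positive signal at the moment the bad rekey happens, instead of waiting for the tunnel to stop passing traffic; the SPI it names is the one to correlate with isakmpd's debug log on both sides.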
