I'm running several OpenBSD VPN gateways using 3.6, and I'm trying to add a 3.7 box into the mix. I've been using rc.vpn and manual keying. But when I tried to fire up the new VPN, the networks never could connect, and the gateway machines lost contact with each other (no ping, no ssh, etc.) until I did an ipsecadm flush.
A little playing around with setting things up manually shows:

openbsd-3.7:~# ipsecadm flush
openbsd-3.7:~# ipsecadm new esp -enc aes -auth sha1 -spi 1030 -dst 5.0.1.1 -src 5.1.1.1 -keyfile /etc/vpn/enc.key -authkeyfile /etc/vpn/auth.key
openbsd-3.7:~#ipsecadm show
sadb_dump: satype esp vers 2 len 21 seq 0 pid 0
        errno 150: Unknown error: 150
        sa: spi 0x00001030 auth hmac-sha1 enc aes
                state larval replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1118526715 first 0
        address_src: 5.1.1.1
        address_dst: 5.0.1.1
        key_auth: bits 160: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        key_encrypt: bits 128: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On the 3.6 boxes, no error message, and a few other differences (satype has changed):

openbsd-3.6:~# ipsecadm flush
openbsd-3.6:~# ipsecadm new esp -enc aes -auth sha1 -spi 1040 -dst 5.3.1.1 -src 5.4.1.1 -keyfile /etc/vpn/enc.key -authkeyfile /etc/vpn/auth.key
openbsd-3.6:~# ipsecadm show
sadb_dump: satype unspec vers 2 len 21 seq 1 pid 1044
        sa: spi 0x00001040 auth hmac-sha1 enc aes
                state larval replay 0 flags 0
        lifetime_cur: alloc 0 bytes 0 add 1118528077 first 0
        address_src: 5.4.1.1
        address_dst: 5.3.1.1
        key_auth: bits 160: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        key_encrypt: bits 128: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I've tried this on three different 3.7 boxes (obviously some information above has been changed) and gotten exactly the same error message on two of them; the third gave an identical message but with errno 160.

Can anyone tell me what's going on?

--
[EMAIL PROTECTED]