On Mon, Sep 24, 2012 at 06:57:26PM +0000, Christoph Leser wrote:

> Thanks for clarification.
>
> I disabled NAT-T with isakmpd -K -T.
>
> A few of my VPNs came to life with this setting, but were unstable (rapid
> renegotiation).
>
> Still only about one third of my VPNs (that worked with OpenBSD 4.6) work
> with OpenBSD 5.2.
>
> Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN',
> 'PAYLOAD MALFORMED' or 'INVALID ID'.
>
> For some of those I see messages in /var/log/messages like:
>
> Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr
> ENCRYPTION_ALGORITHM does not exist in
> phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
>
> (for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and
> which, according to tcpdump, tries to negotiate exactly MD5 and AES-128).
>
> No idea what this means.
Are you running an ipsecctl from about a week ago? For two days or so
there was a bug in it. This bug was fixed by this commit:

http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ipsecctl/ike.c.diff?r1=1.76;r2=1.77;only_with_tag=MAIN

	-Otto

> Regards
>
> > -----Original message-----
> > From: Stuart Henderson [mailto:s...@spacehopper.org]
> > Sent: Monday, 24 September 2012 16:41
> > To: Christoph Leser
> > Cc: misc@openbsd.org
> > Subject: Re: Router project on OpenBSD questions
> >
> > On 2012/09/24 13:24, Christoph Leser wrote:
> > > It seems that the patch from Stuart Henderson, proposed on Aug. 4 2012
> > > on tech@ has not made it into -current yet.
> >
> > I only forwarded it, the patch is from hshoexer. Also it is only a partial
> > diff, not suitable to be committed, the encap mode value needs to be
> > controllable per-peer so it needs a config option, changes to ipsecctl, etc.
> >
> > This problem certainly would have affected older OpenBSD versions though,
> > if they negotiated NAT-T they would have used the value from the RFC not
> > the one from the internet-draft that cisco use.
> >
> > Have you tried just disabling nat-t completely, see the options list in
> > isakmpd(8), to see what happens?
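For readers following the thread, here is an added configuration example (not posted by any participant) of what the two pieces under discussion look like: an ipsec.conf phase 1 using a pre-shared key with HMAC-MD5 and AES-128, which is the combination isakmpd reports under the transform name phase1-transform-peer-<peer>-PRE_SHARED-MD5-AES128 in the log line above, and the isakmpd flags used in the thread to disable NAT-T. The networks, peer address and key are placeholders.

```conf
# /etc/ipsec.conf (added example; networks, peer and key are placeholders)
# Phase 1 (main mode) with PSK, HMAC-MD5 and AES-128. isakmpd names the
# resulting section phase1-transform-peer-203.0.113.1-PRE_SHARED-MD5-AES128,
# which is the name to look for when attribute_unacceptable is logged.
ike esp from 192.0.2.0/24 to 198.51.100.0/24 peer 203.0.113.1 \
	main auth hmac-md5 enc aes-128 \
	psk "replace-with-a-real-shared-secret"

# /etc/rc.conf.local (added example)
# -K: do not use isakmpd's own KeyNote policy checking, the usual flag when
#     ipsecctl(8) loads the rules from ipsec.conf.
# -T: disable NAT-Traversal entirely, as tried in the thread.
isakmpd_flags="-K -T"
```

If isakmpd logs that an attribute "does not exist in" a transform section whose name matches the peer you configured, compare the configuration ipsecctl actually generated from ipsec.conf (the ipsecctl(8) manual describes the -n and -v options for inspecting rules without loading them) against the peer's proposal seen in tcpdump, and check that the ipsecctl binary is newer than the ike.c 1.77 fix linked above.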