On 6/15/20 8:04 PM, Daniel Ouellet wrote:
>> Probably related to the following change documented in
>> https://www.openbsd.org/faq/upgrade67.html:
>>
>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8) or
>> isakmpd(8) was changed from "use" to "require". This means unencrypted traffic
>> matching the flows will no longer be accepted. Flows of type "use" can still be
>> set up manually in ipsec.conf(5).
>
> I have what appears to be a similar problem. I used iked from 5.6 all the
> way to 6.6 with no problem, well, some, but I worked it out. All in the archive.
>
> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
> changed, same configuration, just a sysupgrade and that's it.
>
> I read this and I can understand the words, but maybe I am thick, but I
> don't understand what to do with it.
>
> I see the require type modifier in the ipsec.conf man page, not in the
> iked.conf man page.
>
> Do you mean whatever rules we had in iked.conf need to be in
> ipsec.conf now?
>
> I am really sorry if I don't follow the meaning or what you tried to
> say, but how can this be fixed, or changed?
>
> My guess is that it is simple and I don't think about it properly, but I
> am hitting a road block trying to figure it out.
>
> I am a bit at a loss and any clue stick would be greatly appreciated.
>
> Thanks
>
> Daniel

Just for the record, I just took a copy of iked version 6.6 and used
that instead of 6.7 and all is good. I saved the 6.7 version.

gateway# ls -al /sbin/iked*
-r-xr-xr-x 1 root bin 436584 Jun 15 20:42 /sbin/iked
-r-xr-xr-x 1 root bin 448744 May 7 12:52 /sbin/iked.original

So it's definitely nothing else that is stopping it from working. Just a
new requirement for iked to use this new way, and so far I am coming up
short as to how to get this done right.