Hi Daniel,

On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
> > Probably related to the following change documented in
> > https://www.openbsd.org/faq/upgrade67.html:
> >
> > iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
> > iked(8) or isakmpd(8) was changed from "use" to "require". This means
> > unencrypted traffic matching the flows will no longer be accepted.
> > Flows of type "use" can still be set up manually in ipsec.conf(5).
>
> I have what appears to be a similar problem. I used iked from 5.6 all the
> way to 6.6 no problem, well some, but I worked it out. All in archive.
>
> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
> changed, same configuration, just a sysupgrade and that's it.
>
> I read this and I can understand the words, but maybe I am thick, but I
> don't understand what to do with it.

The default behavior of IPsec flows was changed to not accept unencrypted
packets matching a registered flow. You can list your flows with
'ipsecctl -sf'.

> I see the require type modifier in ipsec.conf man page, not into
> iked.conf man page.
>
> Do you mean whatever rules we had in iked.conf needs to be in
> ipsec.conf now?

No, that won't work.

> I am really sorry if I don't follow the meaning or what you tried to
> say, but how can this be fixed, or changed?

To help you I will need to know a bit more about your setup. In particular
the architecture of your network, your iked.conf and the output of
'ipsecctl -sa' would be helpful. A more detailed description of what exactly
does not work would also help.

> My guess is that it is simple and I don't think about it properly, but I
> am hitting a road block trying to figure it out.
>
> I am a bit at a loss and any clue stick would be greatly appreciated.
>
> Thanks
>
> Daniel

- Tobias
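
The "use" to "require" change discussed in this thread, as an added example that is not part of the original e-mails and is not OpenBSD code: it parses `ipsecctl -sf` output and reports what happens to an unencrypted inbound packet under each flow type. The flow lines are a constructed sample, and the line layout (`flow esp in from ... to ... type ...`) is an assumption about the output format.

```python
import ipaddress
import re

# Constructed sample of `ipsecctl -sf` output (private/documentation addresses).
SAMPLE_FLOWS = """\
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 192.0.2.2 srcid FQDN/b.example dstid FQDN/a.example type require
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2 srcid FQDN/a.example dstid FQDN/b.example type require
flow esp in from 10.0.3.0/24 to 10.0.1.0/24 peer 192.0.2.3 type use
"""

# Assumed layout: direction, source and destination networks, trailing type.
FLOW_RE = re.compile(
    r"^flow\s+\S+\s+(?P<dir>in|out)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r".*?\btype\s+(?P<type>\S+)\s*$"
)

def parse_flows(text):
    """Return the flows found in `ipsecctl -sf` output as dicts."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        try:
            src = ipaddress.ip_network(m["src"], strict=False)
            dst = ipaddress.ip_network(m["dst"], strict=False)
        except ValueError:
            continue  # skip selectors this sketch does not understand
        flows.append({"dir": m["dir"], "src": src, "dst": dst, "type": m["type"]})
    return flows

def cleartext_verdict(flows, src, dst):
    """Fate of an unencrypted inbound packet src -> dst against the flows."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["dir"] == "in" and s in f["src"] and d in f["dst"]:
            if f["type"] == "require":
                return "dropped"   # 6.7 default: cleartext matching the flow is refused
            if f["type"] == "use":
                return "accepted"  # pre-6.7 default: cleartext still let through
            return "other flow type"  # not covered by this example
    return "no matching flow"

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src in ("10.0.2.5", "10.0.3.5", "10.0.9.5"):
        print(src, "->", cleartext_verdict(flows, src, "10.0.1.9"))
```

To check a real gateway, save the output of `ipsecctl -sf` to a file and pass its contents to `parse_flows` in place of the sample.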