Discussion:
Openiked not able to set up tunnel with CISCO router
Tibor Várkonyi
2017-05-10 13:13:47 UTC
OpenBSD 6.1 installed from image and runs fine.

I tried to set up an "active" connection towards a CISCO router (Cisco IOS
Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5,
RELEASE SOFTWARE (fc1)).
Passive mode runs great when the router initiates the connection, but the
CISCO router does not accept the IPSEC_SA proposal.
This is because the CISCO router enforces RFC5996/3.3.1 so that all
proposals must start from 1.
Openiked, however, sends the IPSEC_SA as proposal 2 (as proposals are handled
somewhat globally in openiked).
As they are sent in two different messages, the IPSEC_SA proposal should be
proposal 2, and not proposal 1.
I also see that Openiked sends only one proposal per message, so I tried
out the attached patch.
With the patch applied, Openiked with an active configuration was able to
negotiate the tunnel and worked.

Thank you!
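To illustrate the numbering rule the message refers to, here is an added example (not the attached patch and not OpenIKED or Cisco code): a small parser for the Proposal substructures of an IKEv2 SA payload body plus a check of the RFC 5996 section 3.3.1 rule that proposals are numbered 1, 2, 3, ... in order, which is exactly what a strict responder uses to reject a lone proposal numbered 2. The ESP proposals, SPIs and helper function names are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Added helper (hypothetical, not OpenIKED code): parse the Proposal substructures
# of an IKEv2 SA payload body and check RFC 5996 3.3.1 proposal numbering.
# "SA body" means the payload with its 4-byte generic payload header stripped.
PROTO = {1: "IKE", 2: "AH", 3: "ESP"}

@dataclass
class Proposal:
    num: int
    proto: int
    spi: bytes
    n_transforms: int

def parse_proposals(sa_body: bytes) -> list:
    props, off = [], 0
    while True:
        if len(sa_body) - off < 8:
            raise ValueError("truncated proposal header")
        more, _r, plen, num, proto, spi_len, n_tr = struct.unpack_from("!BBHBBBB", sa_body, off)
        if plen < 8 + spi_len or off + plen > len(sa_body):
            raise ValueError("bad proposal length")
        props.append(Proposal(num, proto, sa_body[off + 8: off + 8 + spi_len], n_tr))
        off += plen
        if more == 0:              # 0 = last proposal, 2 = more proposals follow
            break
        if more != 2:
            raise ValueError(f"bad 'last substruc' value {more}")
    if off != len(sa_body):
        raise ValueError("trailing bytes after last proposal")
    return props

def check_numbering(props) -> list:
    """Problems a strict responder would reject: the i-th proposal must be numbered i."""
    return [f"{PROTO.get(p.proto, p.proto)} proposal at position {i} is numbered {p.num}, expected {i}"
            for i, p in enumerate(props, start=1) if p.num != i]

def build_proposal(num, proto, spi, transforms, last=True) -> bytes:
    """Constructed encoder: transforms is a list of (transform type, transform id) pairs."""
    tr = b"".join(struct.pack("!BBHBBH", 0 if i == len(transforms) - 1 else 3, 0, 8, t, 0, tid)
                  for i, (t, tid) in enumerate(transforms))
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(tr),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + tr

# ESP proposal: ENCR_3DES (1,3), AUTH_HMAC_SHA1_96 (3,2), no ESN (5,0); constructed 4-byte SPI.
ESP_TRANSFORMS = [(1, 3), (3, 2), (5, 0)]
BAD_SA = build_proposal(2, 3, b"\x00\x00\x00\x01", ESP_TRANSFORMS)   # numbered 2, as in the thread
GOOD_SA = build_proposal(1, 3, b"\x00\x00\x00\x01", ESP_TRANSFORMS)  # numbered 1, what the router expects
```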