OSEC

From: Ewen McNeill (ewennaos.co.nz)
Date: Sun Apr 01 2001 - 23:21:52 CDT


In message <000701c0bb1f$dccfcc80$6a01a8c0jason>, "Jason Haag" writes:
>Are the patches re: "isakmpd broken in 2.8" (-tech list) in 2.8-stable yet?
>[.....]
>As soon as the isakmpd flows are established, I lose ssh to the remote
>gateway and can't get it back in until I kill the isakmpd and do "ipsecadm
>flush" on both ends. I can't ping any hosts in the remote (private) network,
>either.

The answer would appear to be "no" then. From the flows you show,
isakmpd is establishing asymmetric requirements (three encryption
required incoming flows, one encryption done outgoing flow), which is
what the isakmpd in OpenBSD 2.8-release did.

The reason you lose connectivity (_all_ connectivity apart from IKE as
far as I can tell) between the two gateway boxes is that one end will
only accept encrypted traffic, and the other end is sending unencrypted
traffic because there is nothing to tell it to encrypt the traffic (let
alone how to encrypt it, and with what key). This happens at both ends,
so the result is a dead loss all around.

However, with the flows up, you should be able to access from one
internal network to the other internal network. (Neither of the gateways
will be able to send to the other internal network, or vice versa, due to
the aforementioned flow asymmetry.)

If you can't, then look at the esp stats (netstat -p esp); if they show
a lot of weird corrupted packets, you're probably trying to use AES,
which was also broken in 2.8-release. (There's a kernel patch on the
website if you want to build a new kernel and get AES going; or use some
other encryption algorithm like Blowfish or 3DES -- I'm using blowfish.)
(And yes, the examples in 2.8-release use AES -- I can only assume this
was wishful thinking, as I couldn't make them work with the 2.8-release
code.)

The isakmpd in -current is MUCH better than the isakmpd in 2.8-release,
and at least as of a month or so ago, you could compile the isakmpd in
-current (from CVS) against the 2.8-release kernel/headers and it
would work pretty well.

With a kernel with the AES patch, and an isakmpd compiled from the
-current source, you should be able to get most of your ipsec stuff
going. However, there will still be some minor issues, most noticeably
that if one end of the tunnel goes down, then when it comes back up
again, the tunnel will not establish again properly. (Well, it will, but
the end that didn't go down continues to use the old SAs, sending
traffic that the end that did go down cannot decrypt, so basically it's
broken.)

The -current kernel (at least as of 3 weeks or so ago) fixed the
re-establishing problem as well. But if you build a kernel from
-current you'll need to build a few kernel-related things as well,
particularly libkvm, and the tools that use libkvm (ps, vmstat, top, etc).

I posted a message to openbsd-tech about 3 weeks ago detailing what I
had to rebuild from -current to get a reliable working system; it should
be in the archives. After doing that it's been very reliable, and I'm
very pleased with it. I've since helped a few other people do this
setup on their OpenBSD boxes, and they seem to have been very successful
too.

Ewen