Hi. We have upgraded one cluster of firewalls that had OpenBSD 3.8 (with more to come) and we have problems with some of the IPsec tunnels.

I found this information that seems very interesting: http://www.openbsd.org/faq/upgrade47.html#hmac-sha2

"IPsec HMAC-SHA2 incompatibility: Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility with the HMAC-SHA-256/384/512 hash algorithms with previous versions of OpenBSD and other IPsec implementations sharing the bugs. In particular the default authentication algorithm HMAC-SHA-256 is affected. Upgrade both sides together, or switch to another authentication algorithm during the transition."

All tunnels in our isakmpd.conf are working perfectly, but the ones that are specified in the "new" way in ipsec.conf do not work. They are all in the simplest form, like this example:

ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 psk mekmitasdigoat

The man page of ipsec.conf says that hmac-sha1, aes, and modp1024 are used as "mode auth algorithm enc algorithm group group" if omitted.

Is it so that the default hmac-sha1 (160 bits) is affected by this bug, or is it only hmac-sha2 that is affected? The documentation says that "In particular the default authentication algorithm HMAC-SHA-256 is affected".

I could just try to change the config on both ends and add "auth hmac-md5", but I don't want to "trial and error" in this case.

Best regards
Johan Ryberg
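As an added illustration (not part of the original post, and not the poster's configuration), this is the same ipsec.conf rule with the phase 1 and phase 2 transforms written out explicitly instead of relying on the ipsec.conf(5) defaults the post quotes (hmac-sha1, aes, modp1024). Spelling them out makes the negotiated algorithms visible on both peers and turns "which algorithm is actually in use" into something you can read off the file rather than guess. The addresses and pre-shared key are the sample values from the post; the main/quick keywords are ipsec.conf(5) syntax.

```conf
# /etc/ipsec.conf -- tunnel from the post, with the defaults made explicit.
# Phase 1 (main) and phase 2 (quick) both use the documented defaults:
# auth hmac-sha1, enc aes, group modp1024.
ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk mekmitasdigoat

# Alternative for a mixed-version transition, as the FAQ text suggests:
# pick a non-SHA2 authentication algorithm and apply it on BOTH peers.
# (Commented out; only one of the two rules should be active.)
# ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 \
#     main auth hmac-md5 enc aes group modp1024 \
#     quick auth hmac-md5 enc aes group modp1024 \
#     psk mekmitasdigoat
```

Before reloading, `ipsecctl -n -f /etc/ipsec.conf` parses the file without applying it, and once isakmpd has negotiated, `ipsecctl -sa` lists the established SAs with the authentication and encryption transforms that were actually agreed, which is the quickest way to confirm that both ends ended up on the algorithm you intended.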

