On 19.03.2017 15:36, Jurjen Oskam wrote:
> So, to validate that I'm indeed hitting this bug (and also as a workaround)
> I tried to set up the OpenBSD side to not use SHA2. I haven't been able to
> get this running yet: isakmpd always seems to offer HMAC_SHA2_256.
It's not offering that, but accepting "better" Phase 2 transforms. If isakmpd
would start the negotiation, it'd propose HMAC_SHA.
To keep out unwanted proposals, you need an isakmpd.policy. (hint: no -K)
In my eyes this is 'bad behaviour' and tends to lead to situations where,
e.g., a remote end "upgrades" (and locks down) the transforms, and thus
rekeyings started by isakmpd start to fail.
HTH,
--
pb
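An isakmpd.policy along the lines pb describes, added here as an example and not part of the thread. It restricts accepted Phase 2 SAs to ESP with AES and HMAC-SHA, so a peer proposal carrying HMAC-SHA2-256 is refused. The attribute names and values (app_domain, esp_present, esp_enc_alg, esp_auth_alg) are those documented in isakmpd.policy(5); the passphrase and the specific algorithm choice are assumptions for illustration and should be adapted to the local isakmpd.conf.

```keynote
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";
```

Install it as /etc/isakmpd/isakmpd.policy and start isakmpd without -K, since -K disables KeyNote policy checking and the file is then ignored. Because the policy is evaluated against the negotiated SA regardless of which side initiated, the transforms configured in isakmpd.conf must satisfy it too, otherwise isakmpd's own negotiations are rejected as well.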