IKED fails to establish VPN on last 2 amd64 snapshots

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

IKED fails to establish VPN on last 2 amd64 snapshots

Theodore Wynnychenko-2
Hello

I am sorry, but I don't have access to any specific output right at this
moment.

However, there appears to be something odd happening with iked.

Last week I noticed that ssl connections, when attempted through an iked vpn
tunnel, appeared to hang, when those same connections made directly (not via
iked VPN) worked as expected.  I tried mss clamping in pf, but that did not
really seem to do anything.

In hoping for a solution, I upgrade with the 12/1 snapshot for amd64 2 days
ago.

After that upgrade, an openbsd<->openbsd iked VPN was NOT able to be
created.

I had made no changes to pf.conf or iked.conf from the working (over at
least the last 1-2 years) iked VPN to the non-working iked VPN after the
snapshot on 12/1/18.

So, I tried making changes to pf.conf - essentially liberalizing the rules,
even "skipping" filtering on enc0.  But, this made no difference.

Today, I updated again to last night's amd64 snapshot on both ends of the
iked VPN.  No change, the OpenBSD<->OpenBSD iked VPN does not get
established.

But, if I downgrade iked/ikectl (TZ=UTC cvs up -D '2017/03/23 05:29:48' -P
sbin/iked usr.sbin/ikectl - etc... I have been doing this to maintain
function between openbsd iked and apple ios ikev2 - I know there would be no
support for this, I am only mentioning as part of my observations) then
apple ios devices CAN establish an ikev2 connection to the openbsd machine.
At the same time, even though both ends of the openbsd<->openbsd VPN are
running the same exact downgraded versions of iked, they are NOT able to
establish a VPN (but they were able to do so before the 12/1 snapshot).

To recap, after the snapshot of 12/1 on amd64, with no changes to iked.conf
or pf.conf, an ikev2 VPN is no longer created between two openbsd systems.
This is also true for last night's snapshot.

I don't know if this is in anyway related to the ssl over iked difficulties.


I will be happy to provide any information/output that may be helpful, I
just don't know exactly what that information would be.

Thanks
Ted