Openiked not able to set up tunnel with CISCO router

Tibor Várkonyi
OpenBSD 6.1 installed from image and runs fine.

I tried to set up an "active" connection towards a CISCO router (Cisco IOS
Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5).
Passive mode runs great when the router initiates the connection, but the
CISCO router does not accept the IPSEC_SA proposal.
This is because the CISCO router enforces RFC5996/3.3.1, so that all
proposals must start from 1.
Openiked however sends the IPSEC_SA as proposal 2 (as proposals are handled
somewhat globally in openiked.)
As they are sent in two different messages, the IPSEC_SA proposal should be
proposal 2, and not proposal 1.
I also see that Openiked sends only one proposal per message, so I tried
out the attached patch.
With the patch applied, Openiked with an active configuration was able to
negotiate the tunnel and worked.

Thank you!

Attachment: cisco.diff (1K)
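The numbering rule the router enforces (RFC 5996 §3.3.1, unchanged in its successor RFC 7296: the first proposal in an SA payload is numbered 1, each following one is either one greater, meaning OR, or the same number, meaning ANDed protocols) can be checked on the wire before an interop test. The script below is an added example, not code from the post or from OpenIKED; the byte encoder, the sample SPI and the transform choices are constructed for illustration.

```python
import struct

def build_proposal(num, proto, spi, transforms, last=True):
    """Constructed IKEv2 Proposal substructure (RFC 7296 3.3.1) with attribute-free transforms."""
    body = b""
    for i, (ttype, tid) in enumerate(transforms):
        tlast = 0 if i == len(transforms) - 1 else 3   # 3 = more transforms follow
        body += struct.pack("!BBHBBH", tlast, 0, 8, ttype, 0, tid)
    hdr = struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(spi) + len(body),
                      num, proto, len(spi), len(transforms))
    return hdr + spi + body

def parse_sa_payload(body):
    """Walk the proposals in an SA payload body; returns [(num, proto, spi, [(type, id), ...])]."""
    proposals, off = [], 0
    while off < len(body):
        last, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        if plen < 8 + spi_size or off + plen > len(body):
            raise ValueError("truncated proposal")
        spi = body[off + 8:off + 8 + spi_size]
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", body, toff)
            if tlen < 8 or toff + tlen > off + plen:
                raise ValueError("truncated transform")
            transforms.append((ttype, tid))
            toff += tlen
        proposals.append((num, proto, spi, transforms))
        off += plen
        if last == 0:          # 0 = this was the last proposal
            break
    return proposals

def check_numbering(proposals):
    """None if numbering follows RFC 7296 3.3.1, else the reason a strict peer would reject."""
    if not proposals:
        return "SA payload carries no proposal"
    if proposals[0][0] != 1:
        return "first proposal is numbered %d, must be 1" % proposals[0][0]
    for (prev, *_), (cur, *_) in zip(proposals, proposals[1:]):
        if cur not in (prev, prev + 1):   # same number = ANDed protocols, otherwise +1
            return "proposal %d follows proposal %d" % (cur, prev)
    return None

# Constructed samples: ESP, SPI 0x00001001, 3DES / HMAC-SHA1-96 / no ESN (transform IDs from RFC 7296)
ESP_TRANSFORMS = [(1, 3), (3, 2), (5, 0)]
AS_SENT = build_proposal(2, 3, b"\x00\x00\x10\x01", ESP_TRANSFORMS)  # numbered 2, as in the report
FIXED = build_proposal(1, 3, b"\x00\x00\x10\x01", ESP_TRANSFORMS)    # numbered 1, as the RFC requires

if __name__ == "__main__":
    for label, payload in (("as sent", AS_SENT), ("fixed", FIXED)):
        print(label, check_numbering(parse_sa_payload(payload)) or "ok")
```

Feed `parse_sa_payload` the SA payload body (the bytes after the 4-byte generic payload header) from a capture of the CREATE_CHILD_SA or IKE_AUTH exchange to see what the peer is being offered.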