#4
Old 6th August 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

OpenBSD does not use MAJOR.minor release numbering. Instead, the number just increases by 0.1 every six months. 5.0 was half a year after 4.9, as 3.0 was half a year after 2.9.

Which specific release you are running may sometimes be important, even when it is a legacy system such as yours. There have been regular changes to IPSec capabilities over time. And sometimes incompatibilities occur, such as when there were two hash algorithm bug fixes at OpenBSD 4.7 for HMAC-SHA2.

----

There are few IPSec users here. I'm one, but I do not use isakmpd.conf; instead, I use ipsecctl(8) and ipsec.conf(5).
Quote:
Does OpenBSD accept in phase 2 a remote subnet which is not configured as a reachable subnet through the VPN?
I'm not sure I understand the question. Is it possible that this OpenBSD Journal article describes what you're looking for?

If not, and if you don't get any useful responses, you might consider posting your question to the misc@ mailing list.
If you decide to post to misc@, I'm sure you will be asked to post your specific release, the specifics of the configuration problem you are trying to solve, as well as both your isakmpd.conf and any captured Phase 2 negotiation logs -- these last two may be safely posted after redacting private information, such as publicly facing IP addresses.
------

Edited to add:

The capabilities described in the Journal article were added to -current in January of 2009, and were included in 4.5-release in April of that year:
Quote:
Add support in isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer

Last edited by jggimi; 6th August 2012 at 09:39 PM. Reason: addendum