tech-security archive
Re: IPSEC not routing back packets on NetBSD 6.0_BETA2
imil%home.imil.net@localhost (iMil) writes:
>>> hmac_sha256 became incompatible.
>>
>> Fixed, and now works as expected. Thanks for the tip.
>FWIW, NetBSD 6.0 racoon.conf manpage still says:
> authentication_algorithm algorithms;
> des, 3des, des_iv64, des_iv32, hmac_md5, hmac_sha1,
> hmac_sha256, hmac_sha384, hmac_sha512, non_auth (used
> with ESP authentication and AH)
>Where did you get that information? Is it a well-known fact?
I got hit by it too.
The change is a bit older:
http://mail-index.netbsd.org/source-changes/2011/02/25/msg019329.html
but you only saw it if you built a kernel with FAST_IPSEC. Since netbsd-6
went to use FAST_IPSEC instead of the old KAME code, it is now also
standards compliant but will not interoperate with netbsd-5 or older
if you use hmac_sha256.
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
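
The interoperability failure described above, as an added example that is not part of the original message or of NetBSD's code. The message does not state the cause; the example assumes it is the ICV truncation length (RFC 4868 specifies 128 bits for HMAC-SHA-256, older KAME-derived code used 96 bits). The packet layout is simplified (no encryption or padding), and the key, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

KAME_ICV_LEN = 12     # assumption: 96-bit truncation in older KAME-derived stacks
RFC4868_ICV_LEN = 16  # HMAC-SHA-256-128 as specified in RFC 4868

def esp_protect(key, spi, seq, payload, icv_len):
    """Build SPI | sequence | payload | truncated HMAC-SHA-256 ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return body + icv

def esp_verify(key, packet, icv_len):
    """Treat the last icv_len bytes as the ICV and verify it in constant time."""
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(icv, expected)

def interop_matrix(key, payload):
    """Return {(sender, receiver): accepted} for every pairing of the two ICV lengths."""
    peers = (("kame-96", KAME_ICV_LEN), ("rfc4868-128", RFC4868_ICV_LEN))
    result = {}
    for sender, s_len in peers:
        packet = esp_protect(key, 0x1000, 1, payload, s_len)
        for receiver, r_len in peers:
            result[(sender, receiver)] = esp_verify(key, packet, r_len)
    return result

# Constructed sample inputs: both peers share the same key and algorithm name.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYLOAD = b"constructed test payload for ICV check"

if __name__ == "__main__":
    for pair, ok in interop_matrix(SAMPLE_KEY, SAMPLE_PAYLOAD).items():
        print(pair, "accepted" if ok else "dropped (ICV mismatch)")
```

With the same key and the same `hmac_sha256` setting on both ends, mixed pairings fail because the receiver splits the packet at the wrong offset, so the mismatch shows up as silently dropped traffic rather than a negotiation error.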