On Sun, Oct 28, 2012 at 12:31:32AM +0200, Erwin Schliske wrote:

> Hello,
> 
> Thanks for all responses. The hints like pinging not from the gateway but from 
> the network, debug mode and so on were checked by me before I sent the email 
> to this list. Also worth mentioning is that the tunnel which makes trouble is not 
> the only one on the gateway. Other tunnels work without problems.
> 
> But now I have figured out what I have to change to bring up the tunnels 
> after loading the config with ipsecctl.
> 
> I have to disable sasyncd, which, if enabled, causes isakmpd to be started with 
> the -S parameter. If isakmpd starts without this parameter the tunnels come up and 
> work smoothly.
> 
> So the question: is this a known behaviour, that isakmpd switches to passive 
> if sasyncd is enabled? Or is this a bug?

I have seen this before. In my experience, in the end the -S parameter
works, but it might take a while before isakmpd realises it is running
on the master. I have never figured out why it takes so long some of the
time.

        -Otto

> 
> 
> Thanks.
> 
> Erwin
> 
> On 02.10.2012 at 11:01, Janne Johansson <icepic...@gmail.com> wrote:
> 
> > 2012/10/1 Erwin Schliske <erwin.schli...@sevenval.com>:
> >> Hello,
> >> 
> >> I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish 
> >> is with a Cisco ASA 5505, which is not under my administration.
> >> 
> >> Here is the ipsec.conf
> >> 
> >> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
> >> to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
> >> peer a.b.102.219 \
> >> local c.d.3.254 \
> >> main auth hmac-sha1 enc 3des group modp1024 \
> >> quick auth hmac-sha1 enc 3des group none \
> >> psk password
> >> 
> >> If I try to ping one host on the Cisco side from the OpenBSD side the tunnel 
> >> doesn't come up. If I look with tcpdump on the external interface or in the tcpdump
> >> logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping 
> >> from the Cisco side a host on the OpenBSD side the tunnel comes up. In the logging 
> >> of isakmpd I see these log lines
> > 
> > "from the X side", does that mean you try to ping from the openbsd,
> > OR, from one of the networks listed in the from-line?
> > One of the common mistakes is to test from the ipsec-gw itself and not
> > accounting for the fact that the ipsec.conf lines mostly are
> > "to talk from net A to net B, host X will do ipsec to peer Y". In such
> > a case, testing from host X will not go through the tunnel, since the
> > rule is "from net A".
> > Most of the time the host X has a leg on net A and can "ping -I
> > my-ip-at-NetA dest-on-net-B" but not always.
> > 
> > Then again, since active esp is the default for ipsec.conf when you
> > write "ike esp ...", it should start trying to set the tunnel up as
> > soon as you load the rules, and not wait until packets want to
> > traverse it.
> > 
> > -- 
> > To our sweethearts and wives.  May they never meet. -- 19th century toast
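Janne's point about testing from the gateway itself rather than from a network in the from-line can be checked mechanically. The following is an added example (my own code, not from the thread); it parses the from/to networks of the ike rule quoted above (embedded here as a constructed sample with the same placeholder peer/local addresses) and picks a local address that the flow will actually match for a `ping -I` test. The interface addresses passed in are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the flow rule quoted earlier in the thread.
IPSEC_CONF = """\
ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \\
to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \\
peer a.b.102.219 \\
local c.d.3.254 \\
main auth hmac-sha1 enc 3des group modp1024 \\
quick auth hmac-sha1 enc 3des group none \\
psk password
"""

# Only the from/to fields are parsed; peer/local stay untouched placeholders.
RULE_RE = re.compile(r"^\s*ike\s+.*?\bfrom\s+(\{[^}]*\}|\S+)\s+to\s+(\{[^}]*\}|\S+)")


def _nets(field):
    """Turn '{ a/24, b/24 }' or a bare 'a/24' into ip_network objects."""
    field = field.strip().strip("{}")
    return [ipaddress.ip_network(p.strip()) for p in field.split(",") if p.strip()]


def parse_flows(conf):
    """Return a list of (from_nets, to_nets) for each ike rule in conf.
    Backslash-newline continuations are joined before matching."""
    text = conf.replace("\\\n", " ")
    flows = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            flows.append((_nets(m.group(1)), _nets(m.group(2))))
    return flows


def ping_source_for(flows, local_addrs, dest):
    """Pick a local address inside a from-net of a rule whose to-nets cover dest.
    That is the address to give 'ping -I' so the packet matches the flow.
    Returns None if the gateway only has addresses outside the from-nets
    (e.g. only its external IP), which is the common testing mistake."""
    d = ipaddress.ip_address(dest)
    for from_nets, to_nets in flows:
        if not any(d in n for n in to_nets):
            continue
        for a in map(ipaddress.ip_address, local_addrs):
            if any(a in n for n in from_nets):
                return str(a)
    return None
```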
