> it is more productive to make the .conf simpler, and
> not more complex. more complex usually ends up in

Great advice.

> the 'Address' line within an <ISAKMP-peer> is to be
> interpreted as optional, so these seem to be two

If I'm not mistaken, it's *optional* for Passive-connections= IPsec-clients,CONN-VPNPrueba2 but not

> > [Phase 2]
> > Connections= IPsec-clients,CONN-VPNPrueba2
...
> > I can see the tunnels via: "netstat -rn | grep
> > encap" but the only way to begin the real communication is starting it by
> > one
> > of the sides. If I try to begin with the other side it doesn't work until I
> > do a ping (or some kind of communication) from the other side.

Try using the "Passive-connections= ..." on one of the VPN-peers only.

> to blame the .confs. if i haven't been of much use so far, please

I think you've been very helpful here.

> switch the more predictable/stable/static peer to using
> 'Passive-connections=' for the CONN-VPNPrueba.

I would give this a shot as it is not going to hurt to try :)

Mark T. Uemura
OpenBSD Support Japan Inc.
www.openbsd-support.com