2012/10/1 Erwin Schliske <erwin.schli...@sevenval.com>:
> Hello,
>
> I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
> with a Cisco ASA 5505, which is not under my administration.
>
> Here is the ipsec.conf
>
> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
> 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
>  peer a.b.102.219 \
>  local c.d.3.254 \
>  main auth hmac-sha1 enc 3des group modp1024 \
>  quick auth hmac-sha1 enc 3des group none \
>  psk password
>
> If I try to ping one host on the Cisco side from the OpenBSD side the tunnel doesn't
> come up. If I look with tcpdump on the external interface or in the tcpdump
> logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping from
> the Cisco side a host on the OpenBSD side the tunnel comes up. In the logging of
> isakmpd I see these log lines

"from the X side", does that mean you try to ping from the OpenBSD box,
or from one of the networks listed in the from-line?
One of the common mistakes is to test from the ipsec-gw itself and not
account for the fact that the ipsec.conf lines mostly mean
"to talk from net A to net B, host X will do ipsec to peer Y". In such
a case, testing from host X will not go through the tunnel, since the
rule is "from net A".
Most of the time the host X has a leg on net A and can "ping -I
my-ip-at-NetA dest-on-net-B", but not always.

Then again, since active esp is the default for ipsec.conf when you
write "ike esp ...", it should start trying to set the tunnel up as
soon as you load the rules, and not wait until packets want to
traverse it.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast
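An added example (not code from the thread) that models the point made above: it expands the quoted ipsec.conf "from { ... } to { ... }" clause into the per-pair flows ipsecctl loads and checks which source addresses match. The public peer/local addresses are elided in the post, so the TEST-NET placeholders 203.0.113.219 and 192.0.2.254 stand in for a.b.102.219 and c.d.3.254.

```python
"""Check whether a packet matches an ipsec.conf(5) flow (added example)."""
import ipaddress
import re

# Constructed stand-in for the ipsec.conf quoted in the thread; the private
# nets are the post's own, the peer/local addresses are TEST-NET placeholders.
IPSEC_CONF = """\
ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \\
 peer 203.0.113.219 \\
 local 192.0.2.254 \\
 main auth hmac-sha1 enc 3des group modp1024 \\
 quick auth hmac-sha1 enc 3des group none \\
 psk password
"""

GATEWAY_LOCAL = "192.0.2.254"  # placeholder for the gateway's own c.d.3.254


def parse_flows(conf):
    """Expand 'from { A, B } to { C, D }' into the (src, dst) pairs that
    ipsecctl(8) would install: one flow per source/destination combination."""
    text = conf.replace("\\\n", " ")  # join ipsec.conf line continuations
    m = re.search(r"from\s*\{([^}]*)\}\s*to\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no 'from { ... } to { ... }' clause found")
    srcs = [ipaddress.ip_network(n.strip()) for n in m.group(1).split(",")]
    dsts = [ipaddress.ip_network(n.strip()) for n in m.group(2).split(",")]
    return [(s, d) for s in srcs for d in dsts]


def matching_flow(flows, src, dst):
    """Return 'out' if src -> dst matches a flow in the outbound direction,
    'in' if it matches the reverse (Cisco side initiating), else None.
    A None result means the packet is never handed to IPsec at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s, d in flows:
        if src in s and dst in d:
            return "out"
        if src in d and dst in s:
            return "in"
    return None


if __name__ == "__main__":
    flows = parse_flows(IPSEC_CONF)
    print(len(flows), "flows loaded")  # 4 from-nets x 3 to-nets = 12
    # Plain ping from the gateway itself: source is its own address, no flow.
    print(matching_flow(flows, GATEWAY_LOCAL, "172.16.70.10"))   # None
    # ping -I 172.30.77.1 172.16.70.10: the source now sits on a 'from' net.
    print(matching_flow(flows, "172.30.77.1", "172.16.70.10"))   # out
    # A host behind the Cisco pinging an OpenBSD-side host: reverse direction.
    print(matching_flow(flows, "172.16.71.5", "10.70.0.9"))      # in
```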