On Sun, Oct 28, 2012 at 12:31:32AM +0200, Erwin Schliske wrote:
> Hello,
>
> Thanks for all responses. The hints like pinging not from the gateway but from
> the network, debug mode and so on were checked by me before I sent the email
> to this list. It is also worth mentioning that the tunnel which makes trouble
> is not the only one on the gateway. Other tunnels work without problems.
>
> But now I have figured out what I have to change to bring up the tunnels
> after loading the config with ipsecctl.
>
> I have to disable sasyncd, which if enabled causes isakmpd to be started with
> the parameter S. If isakmpd starts without this parameter the tunnels come up
> and work smoothly.
>
> So the question: is this a known behaviour, that isakmpd switches to passive
> if sasyncd is enabled? Or is this a bug?

I have seen this before. In my experience, in the end the -S parameter works,
but it might take a while before isakmpd realises it is running on the master.
I have never figured out why it takes long some of the time.

	-Otto

>
> Thanks.
>
> Erwin
>
> On 02.10.2012 at 11:01, Janne Johansson <icepic...@gmail.com> wrote:
>
> > 2012/10/1 Erwin Schliske <erwin.schli...@sevenval.com>:
> >> Hello,
> >>
> >> I've set up an OpenBSD box as VPN gateway. The tunnel I have to establish
> >> is with a Cisco ASA 5505, which is not under my administration.
> >>
> >> Here is the ipsec.conf:
> >>
> >> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
> >>         to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
> >>         peer a.b.102.219 \
> >>         local c.d.3.254 \
> >>         main auth hmac-sha1 enc 3des group modp1024 \
> >>         quick auth hmac-sha1 enc 3des group none \
> >>         psk password
> >>
> >> If I try to ping a host on the Cisco side from the OpenBSD side the tunnel
> >> doesn't come up. If I look with tcpdump on the external interface or in the
> >> tcpdump logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If
> >> I ping a host on the OpenBSD side from the Cisco side the tunnel comes up.
> >> In the isakmpd log I see these log lines
> >
> > "from the X side", does that mean you try to ping from the OpenBSD box,
> > OR from one of the networks listed in the from-line?
> > One of the common mistakes is to test from the ipsec-gw itself and not
> > accounting for the fact that the ipsec.conf lines mostly are
> > "to talk from net A to net B, host X will do ipsec to peer Y". In such
> > a case, testing from host X will not go through the tunnel, since the
> > rule is "from net A".
> > Most of the time the host X has a leg on net A and can "ping -I
> > my-ip-at-NetA dest-on-net-B", but not always.
> >
> > Then again, since active esp is the default for ipsec.conf when you
> > write "ike esp ...", it should start trying to set the tunnel up as
> > soon as you load the rules, and not wait until packets want to
> > traverse it.
> >
> > --
> > To our sweethearts and wives. May they never meet. -- 19th century toast
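As an added example, not part of this thread and not OpenBSD's own code: a small sh script that applies Janne's hint to Erwin's rule. A test ping is only carried by the "ike esp from {...} to {...}" flow when its source address is inside one of the from-networks and its destination inside one of the to-networks, so a ping sourced from the gateway's external address never matches and never triggers the SA. The from/to networks below are the ones from Erwin's ipsec.conf; the gateway address 198.51.100.254 and the test hosts are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether SRC->DST would be
# carried by the quoted ipsec.conf flow and prints the ping to run from the
# gateway, binding the source with -I as in Janne's hint.

# Networks taken from Erwin's "ike esp from {...} to {...}" rule.
FROM_NETS="172.30.77.0/24 10.70.0.0/24 10.83.0.0/24 10.77.4.0/24"
TO_NETS="172.16.70.0/24 172.16.71.0/24 172.16.72.0/24"

# ip2int ADDR: print a dotted-quad IPv4 address as a 32-bit integer.
ip2int() {
	IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
	echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_net ADDR NET/PLEN: succeed if ADDR lies inside the network.
in_net() {
	net=${2%/*}
	plen=${2#*/}
	if [ "$plen" -eq 0 ]; then
		return 0
	fi
	mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
	if [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]; then
		return 0
	fi
	return 1
}

# in_any ADDR "NET NET ...": succeed if ADDR lies inside any listed network.
in_any() {
	for n in $2; do
		if in_net "$1" "$n"; then
			return 0
		fi
	done
	return 1
}

# flow_matches SRC DST: succeed if SRC->DST is covered by the from/to lists,
# i.e. the packet would hit the flow and be able to trigger or use the SA.
flow_matches() {
	if in_any "$1" "$FROM_NETS" && in_any "$2" "$TO_NETS"; then
		return 0
	fi
	return 1
}

# test_ping SRC DST: print the ping command to run from the gateway, or say
# why that source/destination pair will never traverse the tunnel.
test_ping() {
	if flow_matches "$1" "$2"; then
		echo "ping -I $1 $2"
	else
		echo "no flow: $1 -> $2 is outside the rule's from/to networks"
	fi
}

# Constructed addresses: the gateway's hypothetical external address (not in
# the from list) versus one of its legs on 172.30.77.0/24.
test_ping 198.51.100.254 172.16.70.5
test_ping 172.30.77.254 172.16.70.5
```

Run it on the gateway after `ipsecctl -f /etc/ipsec.conf` and use the printed `ping -I` form; `ipsecctl -sa` then shows whether the flow exists and whether an SA has been negotiated for it.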