On Fri, 10 Mar 2006, Paolo Supino wrote:

Hi

I need to set up an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never set up a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems?

TIA
Paolo

Paolo,

As others have said, we need more details. I have set up isakmpd and IPSEC in tunnel mode with Cisco PIXes, as well as Cisco 3000 series VPN concentrators (which are really from Altiga Networks). Getting the tunnel established between these devices is never a problem, especially if you define out every section in isakmpd.conf and only offer a single encryption/hash algorithm in your proposals. The biggest problem I have had is rekeying. I have had a lot of issues with tunnels getting out of sync, where my side keeps using XXX SA/SPI, while the other side moves on to another one, or the reverse of that.

Cisco devices I have seen default their lifetimes to 86400 seconds for IKE and 28800 seconds for IPSEC. This is of course different from isakmpd, so you will want to keep that in mind.

I would highly recommend you read all the info listed here.

https://www.icsalabs.com/icsa/main.php?pid=fggfgd

ICSA does interoperability testing between various IPSEC implementations and they cover several Cisco products. As well, in their paper:

"IPSEC VPN Advanced Troubleshooting" - they state that an excellent tool for debugging interoperability problems in the field is OpenBSD's isakmpd.

A lot of information on the specific Cisco device you want to talk to may be available at http://www.cisco.com/univercd

I am also curious as to the successes and failures other people have had with Cisco devices and rekeying, especially Cisco 3005 and Cisco 3030 concentrators.

                                -Matt-
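The two points Matt makes above (one proposal per phase, lifetimes matched to the Cisco defaults of 86400 s for IKE and 28800 s for IPSEC) look like this in an isakmpd.conf fragment; this is an added example, not configuration from either poster. It assumes the [Phase 1] peer section and the [Phase 2] connection section already exist and use the Default-main-mode and Default-quick-mode configurations shown here, and that 3DES/SHA with pre-shared keys and DH group 2 (MODP_1024) is what the Cisco side is configured for.

```ini
# --- Phase 1 (IKE): exactly one transform offered, lifetime 86400 s ---
[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[3DES-SHA]
ENCRYPTION_ALGORITHM=	3DES_CBC
HASH_ALGORITHM=		SHA
AUTHENTICATION_METHOD=	PRE_SHARED
GROUP_DESCRIPTION=	MODP_1024
Life=			LIFE_86400_SECS

# Cisco IKE default from the post above; a single value means
# "offer this and accept only this", so both ends rekey together.
[LIFE_86400_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		86400

# --- Phase 2 (IPsec): exactly one ESP suite offered, lifetime 28800 s ---
[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-SUITE

[QM-ESP-3DES-SHA-SUITE]
Protocols=		QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA]
PROTOCOL_ID=		IPSEC_ESP
Transforms=		QM-ESP-3DES-SHA-XF

# No GROUP_DESCRIPTION here: adding one turns on PFS, which only
# negotiates if the Cisco side has PFS enabled for this peer too.
[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID=		3DES
ENCAPSULATION_MODE=	TUNNEL
AUTHENTICATION_ALGORITHM=	HMAC_SHA
Life=			LIFE_28800_SECS

# Cisco IPsec SA default from the post above.
[LIFE_28800_SECS]
LIFE_TYPE=		SECONDS
LIFE_DURATION=		28800
```

If the tunnels still drift out of sync on rekey, `isakmpd -d -DA=90` on the OpenBSD side prints which SA/SPI each exchange selects, which is what makes it useful as the debugging tool the ICSA paper refers to.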
