Massimo Lusetti wrote:
I got a VPN network which works quite well, I mean it works very well
thanks to OpenBSD and its implementation, but I got one end point of
the 6 running which is causing me trouble.

The configuration is done with ipsec.conf and is identical to the others,
which work well.
Here is some example config:
ike esp from $MY_NET to $OTHER_NET peer $VPN_PEER main auth hmac-md5 enc aes

Are both end points trying to negotiate? Try using the "passive" keyword on one endpoint: "ike passive esp ..."

isakmpd is started with no .conf and .policy, just with -K, and uses IPv4
private/public keys as identifiers on public static IPs.

This all on a
OpenBSD 3.9-current (GENERIC-RD) #0: Tue Mar 28 12:41:04 EST 2006

From the troubling VPN gateway and, respectively, from the central VPN
gateway I (apparently randomly) got:
unspec transport from x.y.w.z to z.w.y.x spi 0xa0a35d6a

and the tunnel with the flows along falls.

What does "unspec transport" actually mean?
What could cause the above message?

I have experienced the same issue. I don't know the details of what exactly is happening, however, it seems to be a synchronization problem. Here's what I have done to get rid of the "unspec transport" and setup the proper flows and SAs:

Execute on the "passive" box first, then the other:
# ipsecctl -F
# echo R > /var/run/isakmpd.fifo
# ipsecctl -f /etc/ipsec.conf

Note: if you have other flows and SAs setup that you want to preserve, ipsecctl -F may be hazardous.

Also, make sure all IP addresses in ipsec.conf are reachable; check netstat -rnfinet.

-pachl
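The three-command reset above, wrapped as a small script that adds the two safeguards a practitioner would want before flushing: it refuses to flush if ipsec.conf does not parse (ipsecctl -n), and it checks that every "peer" address in the config has a route (route -n get, the per-address form of the netstat -rnf inet check). This is an added example, not code from the thread or from the OpenBSD project; it assumes the standard paths /etc/ipsec.conf and /var/run/isakmpd.fifo, OpenBSD's ipsecctl(8), route(8) and isakmpd(8), and must be run as root, on the passive endpoint first and then on the active one. The sample config inside the test is constructed.

```shell
#!/bin/sh
# Added example: guarded "flush, reinitialize isakmpd, reload" for OpenBSD.
# Assumes standard paths (override with CONF=/FIFO= in the environment).
CONF=${CONF:-/etc/ipsec.conf}
FIFO=${FIFO:-/var/run/isakmpd.fifo}

# Print every distinct address/hostname that follows the "peer" keyword in
# an ipsec.conf-style text read from stdin. Macros ($VPN_PEER) are expanded
# when the same file defines them as NAME = value (quotes are stripped).
peers_from_conf() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {           # macro definition line
            n = index($0, "="); name = $1; sub(/[ \t]*=.*/, "", name)
            val = substr($0, n + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
            macro[name] = val; next
        }
        {
            for (i = 1; i < NF; i++) if ($i == "peer") {
                p = $(i + 1)
                if (substr(p, 1, 1) == "$") p = macro[substr(p, 2)]
                if (p != "" && !seen[p]++) print p
            }
        }'
}

# Same idea as "check netstat -rnf inet", but per peer: route -n get exits
# non-zero when the kernel has no route to the destination.
check_peers_reachable() {
    rc=0
    for p in $(peers_from_conf < "$CONF"); do
        if route -n get "$p" >/dev/null 2>&1; then
            echo "ok: route to peer $p"
        else
            echo "NO ROUTE to peer $p (fix routing before reloading)" >&2
            rc=1
        fi
    done
    return $rc
}

# The reset sequence from the thread, with a parse check first: a config that
# fails to parse after "ipsecctl -F" would leave the box with no flows at all.
reset_tunnels() {
    ipsecctl -n -f "$CONF" || { echo "$CONF does not parse, not flushing" >&2; return 1; }
    ipsecctl -s all > "/tmp/ipsec-before.$$"   # keep the old flows/SAs for comparison
    ipsecctl -F                                  # flush ALL flows and SAs (hazardous, see note above)
    echo R > "$FIFO"                             # reinitialize isakmpd via its control FIFO
    ipsecctl -f "$CONF"                          # reload the rules; isakmpd negotiates fresh SAs
    ipsecctl -s all                              # show what came back
}

case "${1:-}" in
    check) check_peers_reachable ;;
    reset) check_peers_reachable && reset_tunnels ;;
    *)     echo "usage: $0 check | reset   (run 'reset' on the passive peer first)" >&2 ;;
esac
```

Run "check" on both ends before touching anything; only if every peer has a route is "reset" worth doing, and then in the order the thread gives (passive box first).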
