Hi, I'm running 4.1 and today when I was updating ipsec.conf to add a new VPN two problems hit me. Loading the new ipsec.conf with ipsecctl, it loaded all of the VPNs in passive mode - passive. I didn't want passive tunnels, I want them to be active. After setting "ike active esp" they're still loaded passive. Like this:

Nov 22 22:20:35 obsd41i386 isakmpd[23153]: connection_reinit: reinitializing connection list
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [Phase 2]:Connections->IPsec-192.168.5.129-192.168.0.22,IPsec-192.168.5.129-192.168.0.27
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [IPsec-192.168.5.129-192.168.0.22]:Flags
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [IPsec-192.168.5.129-192.168.0.22]:Local-ID->lid-192.168.5.129
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [IPsec-192.168.5.129-192.168.0.22]:Remote-ID->rid-192.168.0.22
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [lid-192.168.5.129]:ID-type->IPV4_ADDR
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [lid-192.168.5.129]:Address->192.168.5.129
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [lid-192.168.5.129]:Protocol
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [rid-192.168.0.22]:ID-type->IPV4_ADDR
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [rid-192.168.0.22]:Address->192.168.0.22
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [rid-192.168.0.22]:Protocol
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: connection_record_passive: passive connection "IPsec-192.168.5.129-192.168.0.22" added
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [IPsec-192.168.5.129-192.168.0.27]:Flags
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [IPsec-192.168.5.129-192.168.0.27]:Local-ID->lid-192.168.5.129
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [IPsec-192.168.5.129-192.168.0.27]:Remote-ID->rid-192.168.0.27
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [lid-192.168.5.129]:ID-type->IPV4_ADDR
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [lid-192.168.5.129]:Address->192.168.5.129
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [lid-192.168.5.129]:Protocol
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [rid-192.168.0.27]:ID-type->IPV4_ADDR
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: [rid-192.168.0.27]:Address->192.168.0.27
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [rid-192.168.0.27]:Protocol
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: connection_record_passive: passive connection "IPsec-192.168.5.129-192.168.0.27" added
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [Phase 2]:Passive-Connections
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [General]:check-interval
Nov 22 22:20:35 obsd41i386 isakmpd[23153]: conf_get_str: configuration value not found [General]:check-interval

From earlier I'm used to isakmpd.conf pulling up the VPNs faster than my terminal can display -D 0=99. Even trying to send traffic to the remote end didn't force tunnel negotiation. My head hurts after bashing my head against the wall. If someone could hit me with a cluestick of where to find my typo I would be a grateful man.

What really made me feel like a clueless batter was that I found out in the process of googling that ipsec.conf alone does not provide aes with 256 keylength. I was left heavy chested as this could mean that I needed to walk into the dark corners of isakmpd.conf again. So if I've found the right clues, is this like the right way to do it?

[AES-SHA]
KEY_LENGTH=256,128:256

Do I need to do this per SUITE in MAIN and QUICK that I want to use, thus overriding the defaults?

-- 
Runo Fxrrisdahl - Basefarm AS
http://www.basefarm.no/