On 2009-11-04, Dag Richards <dagricha...@speakeasy.net> wrote:
> Running 4.3 GENERIC#698 i386
>
> I have a VPN with a vendor using what I think he said was a Sonic Wall 
> FW.  We are able to get Phase 1 associations up and happy. But Phase 2 
> never seems to start, at least not from my side.
>
> If he sends traffic from his side then his device makes a phase 2 
> proposal, and I accept and traffic flows.  I can do nothing to kick this 
> off from my end.
>
> I have an ipsec.conf file for this vendor
>
> ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 
> 10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } local 10.120.10.50 peer 
> xxx.xxx.xx.xx.x0x main auth hmac-sha1 enc 3des-cbc group modp1024 quick 
> auth hmac-sha1 enc 3des-cbc group none psk "SEKRET"
>
> He sends me a ping, I get a flow
>
> ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
> flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x 
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
> flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x 
> srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require
>
>
> In the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
> But since I have a phase 1 up, I guess this won't have any effect?
>
> I guess I am not really even sure what to be showing anyone; usually 
> once phase 1 is established everything has just worked.

Turn on pcap (see the isakmpd manual) and read the capture file
with tcpdump; this often gives clues more easily than looking at
isakmpd's logs.
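One quick check that goes with the symptom above (flows present, traffic only passes after the peer initiates): compare the output of `ipsecctl -s flow` with `ipsecctl -s sa`. A flow entry is only the policy loaded from ipsec.conf; the `esp tunnel ... spi ...` lines from `-s sa` are the Phase 2 SAs that isakmpd actually negotiated. Flows with no matching SA mean Phase 2 never completed from this side. The script below is an added example, not from the thread or from OpenBSD; it parses constructed sample listings (the peer address 192.0.2.10 stands in for the redacted one) so it runs offline. On a real box you would feed it `ipsecctl -s flow` and `ipsecctl -s sa` output instead.

```shell
#!/bin/sh
# Added example: classify the Phase 2 state for one peer from
# "ipsecctl -s flow" and "ipsecctl -s sa" text. Sample data is constructed.

# Constructed flow listing, same shape as the thread's "ipsecctl -s flow" output.
FLOWS_SAMPLE='flow esp in from 10.0.11.43 to 172.18.101.22 peer 192.0.2.10 srcid 10.120.10.50/32 dstid 192.0.2.10/32 type use
flow esp out from 172.18.101.22 to 10.0.11.43 peer 192.0.2.10 srcid 10.120.10.50/32 dstid 192.0.2.10/32 type require'

# Constructed "ipsecctl -s sa" listings: none negotiated, and both directions up.
SAS_EMPTY=''
SAS_SAMPLE='esp tunnel from 10.120.10.50 to 192.0.2.10 spi 0x0a1b2c3d auth hmac-sha1 enc 3des-cbc
esp tunnel from 192.0.2.10 to 10.120.10.50 spi 0x4e5f6071 auth hmac-sha1 enc 3des-cbc'

# count_flows PEER DIR LISTING: number of "flow esp DIR ... peer PEER" lines.
count_flows() {
    peer="$1"; dir="$2"; listing="$3"
    printf '%s\n' "$listing" | grep -c "^flow esp $dir from .* peer $peer " || true
}

# count_sas PEER LISTING: number of ESP SAs with PEER as either endpoint.
count_sas() {
    peer="$1"; listing="$2"
    printf '%s\n' "$listing" | grep -Ec "^esp .* (from|to) $peer( |$)" || true
}

# phase2_status PEER FLOWS SAS -> no-flows | flows-without-sa | ok
phase2_status() {
    peer="$1"; flows="$2"; sas="$3"
    in_flows=$(count_flows "$peer" in "$flows")
    out_flows=$(count_flows "$peer" out "$flows")
    sas_up=$(count_sas "$peer" "$sas")
    if [ "$in_flows" -eq 0 ] && [ "$out_flows" -eq 0 ]; then
        echo "no-flows"            # ipsec.conf policy for this peer is not loaded
    elif [ "$sas_up" -eq 0 ]; then
        echo "flows-without-sa"    # policy loaded, Phase 2 never completed
    else
        echo "ok"                  # policy and negotiated SAs both present
    fi
}

# Demonstration on the constructed data: the thread's situation before the
# peer pings, then after his Phase 2 proposal has been accepted.
phase2_status 192.0.2.10 "$FLOWS_SAMPLE" "$SAS_EMPTY"
phase2_status 192.0.2.10 "$FLOWS_SAMPLE" "$SAS_SAMPLE"
```

The `type require` on the outbound flow is what blocks cleartext; a `flows-without-sa` result with traffic offered from this side is the moment to look at isakmpd's packet capture, since it tells you whether a Quick Mode exchange was even attempted.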
