On 2009-11-04, Dag Richards <dagricha...@speakeasy.net> wrote:
> Running 4.3 GENERIC#698 i386
>
> I have a VPN with a vendor using a, I think he said it was a Sonic Wall,
> FW. We are able to get Phase 1 associations up and happy. But Phase 2
> never seems to start, at least not from my side.
>
> If he sends traffic from his side then his device makes a phase 2
> proposal, and I accept and traffic flows. I can do nothing to kick this
> off from my end.
>
> I have an ipsec.conf phile for this vendor
>
> ike active esp from { 172.18.101.22 } to { 10.0.3.222 10.0.6.222 \
>     10.0.11.43 10.0.11.188 10.0.11.222 10.0.11.36 } \
>     local 10.120.10.50 peer xxx.xxx.xx.xx.x0x \
>     main auth hmac-sha1 enc 3des-cbc group modp1024 \
>     quick auth hmac-sha1 enc 3des-cbc group none \
>     psk "SEKRET"
>
> He sends me a ping, I get a flow
>
> ipsecctl -s flow | grep xxx.xxx.xx.xx.x0x
> flow esp in from 10.0.11.43 to 172.18.101.22 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type use
> flow esp out from 172.18.101.22 to 10.0.11.43 peer xxx.xxx.xx.xx.x0x srcid 10.120.10.50/32 dstid xxx.xxx.xx.xx.x0x/32 type require
>
> In the past I have been able to: echo "M active" > /var/run/isakmpd.fifo
> But since I have a phase 1 up, I guess this won't have any effect?
>
> I guess I am not really even sure what to be showing anyone, usually
> once phase 1 is established everything has just worked.
turn on pcap (see the isakmpd manual) and read the capture file with tcpdump, this often gives clues more easily than looking at isakmpd's logs.
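A quick way to see exactly which of the configured pairs still lack a phase 2 flow, rather than eyeballing `ipsecctl -s flow` output, is to compare the `to { ... }` list from ipsec.conf against the flow table. The script below is an added example, not part of the thread; the flow lines and the peer address 192.0.2.1 are constructed to mirror the post (only the 10.0.11.43 pair that the peer initiated is present).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the ipsec.conf line in the post: one local
# host talking to several remote hosts behind the vendor's peer.
LOCAL = "172.18.101.22"
REMOTES = ["10.0.3.222", "10.0.6.222", "10.0.11.43",
           "10.0.11.188", "10.0.11.222", "10.0.11.36"]

# Constructed `ipsecctl -s flow` output (peer address is a placeholder):
# only the pair the remote side kicked off with a ping has flows.
FLOW_OUTPUT = """\
flow esp in from 10.0.11.43 to 172.18.101.22 peer 192.0.2.1 srcid 10.120.10.50/32 dstid 192.0.2.1/32 type use
flow esp out from 172.18.101.22 to 10.0.11.43 peer 192.0.2.1 srcid 10.120.10.50/32 dstid 192.0.2.1/32 type require
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_flows(text: str) -> Set[Tuple[str, str, str]]:
    """Return a set of (direction, src, dst) from `ipsecctl -s flow` output."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.add((m.group(1), m.group(2), m.group(3)))
    return flows


def missing_flows(local: str, remotes: List[str], flow_text: str) -> Dict[str, List[str]]:
    """For each remote, list the directions ('in'/'out') with no flow installed.

    An empty list means the pair has its phase 2 flows; both directions missing
    means no phase 2 SA at all, which is what the poster sees until the peer
    initiates.  One direction missing points at a mismatched or half-torn-down SA.
    """
    flows = parse_flows(flow_text)
    result: Dict[str, List[str]] = {}
    for remote in remotes:
        gaps = []
        if ("in", remote, local) not in flows:
            gaps.append("in")
        if ("out", local, remote) not in flows:
            gaps.append("out")
        result[remote] = gaps
    return result


if __name__ == "__main__":
    for remote, gaps in missing_flows(LOCAL, REMOTES, FLOW_OUTPUT).items():
        print(remote, "ok" if not gaps else "missing " + "/".join(gaps))
```

On a live box, feed it `ipsecctl -s flow` output captured once before and once after sending traffic from each side, and the diff shows which pairs only ever come up when the peer initiates.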