I have seen this same behaviour with a configured Cisco ASA endpoint.
The Cisco end needs to ping our network to initiate the connection, and
from watching the IPSEC negotiations from the isakmpd capture files, the
Cisco end rejects our proposal, but we accept their proposal. As Dag
says, both ends are supposedly configured for the same encryption
scheme, although the Cisco rejects our proposal.
Cam
Dag Richards wrote:
I recently had a problem that looked similar.
I would try to bring up the tunnels configured in ipsec.conf.
No Phase 2
A dump on the external iface revealed that we were sending Phase 1
initiation. Their end was configured for a different encryption
scheme than ours (even though we had agreed on one). Since they
were showing up with a valid PSK we accepted the values they proposed,
whereas they rejected our proposals.
tcpdump -nvs1400 port 500
Christoph Leser wrote:
Are you sure that obsd does not try to initiate the connection at
least once?
I have noticed the following problem with cisco:
Some Cisco models delete the security association after an inactivity
timeout; they call it "Cisco IPSec Security Association Idle Timers".
When this happens, OpenBSD drops the information for this tunnel and
is unable to recreate it. Cisco keeps the information and can reestablish
the connection when someone pings or otherwise addresses the remote end.
I had a short conversation about this with Hans-Jörg Höxer, but cannot say
whether this behaviour is desired or considered a bug.
I would try to delete the tunnel completely and configure it again while
running tcpdump on the external interface (or enable isakmpd packet capture,
see the -L switch of isakmpd).
This will at least answer the question whether OpenBSD attempts to
establish the connection when the tunnel is defined for the first time.
Regards
Christoph
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Chris Bullock
Sent: Tuesday, 17 November 2009 15:45
To: misc@openbsd.org
Subject: isakmpd will not initiate connection to Cisco ASA
We have many tunnels and for some reason I just set up a
tunnel with a Cisco ASA and we cannot initiate the
connection from the OpenBSD side. If the Cisco side pings a
device on the OpenBSD side the tunnel comes up. On the Cisco
side they have bidirectional enabled, and they are not seeing
the OpenBSD try to initiate the tunnel. Any help would be
appreciated.
Regards,
Chris Bullock
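The check Christoph and Dag describe (capture port 500 on the external interface and see who sends the first Phase 1 packet) can be read off a tcpdump log mechanically. The following POSIX sh script is an added example written for this thread, not something any of the posters ran: it assumes the external interface is called em0, and the capture lines it parses are constructed to approximate tcpdump's isakmp summary format (source port, a `>` arrow, then `isakmp: phase 1 I ident` for an initiator's identity-protection packet and `phase 1 R ident` for the responder's reply). The addresses 192.0.2.10 (OpenBSD side) and 203.0.113.2 (Cisco side) are documentation addresses chosen for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Real capture on the OpenBSD gateway (external interface em0 is an assumption):
#   tcpdump -n -i em0 -s 1400 port 500 | tee ike.log
# Then:  ike_initiator <our external IP> < ike.log

# CONSTRUCTED sample capture, approximating tcpdump's isakmp output.
# Here the Cisco (203.0.113.2) opens Phase 1; OpenBSD (192.0.2.10) only responds.
SAMPLE='12:00:01.000000 IP 203.0.113.2.500 > 192.0.2.10.500: isakmp: phase 1 I ident
12:00:01.050000 IP 192.0.2.10.500 > 203.0.113.2.500: isakmp: phase 1 R ident
12:00:01.100000 IP 203.0.113.2.500 > 192.0.2.10.500: isakmp: phase 1 I ident
12:00:01.150000 IP 192.0.2.10.500 > 203.0.113.2.500: isakmp: phase 1 R ident'

# ike_initiator LOCALIP  (capture on stdin)
# Prints "local"  if LOCALIP sent the first Phase 1 initiator packet,
#        "remote" if the other peer did,
#        "none"   if no Phase 1 initiator packet appears at all
#                 (i.e. nobody tried to bring the tunnel up while capturing).
ike_initiator() {
    local_ip=$1
    awk -v me="$local_ip" '
        /isakmp: phase 1 I / {
            # $3 looks like 203.0.113.2.500: strip the trailing ".500" port
            n = split($3, part, ".")
            ip = part[1] "." part[2] "." part[3] "." part[4]
            print ((ip == me) ? "local" : "remote")
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# ike_phase1_counts  (capture on stdin)
# Prints one line per source address: "<ip> I=<initiator pkts> R=<responder pkts>",
# which shows at a glance whether our side ever sends an initiator packet.
ike_phase1_counts() {
    awk '
        /isakmp: phase 1 [IR] / {
            n = split($3, part, ".")
            ip = part[1] "." part[2] "." part[3] "." part[4]
            role = $(NF - 1)           # the I or R just before "ident"
            if (role == "I") i[ip]++; else r[ip]++
            seen[ip] = 1
        }
        END { for (ip in seen) printf "%s I=%d R=%d\n", ip, i[ip] + 0, r[ip] + 0 }' | sort
}

printf '%s\n' "$SAMPLE" | ike_initiator 192.0.2.10    # prints "remote"
printf '%s\n' "$SAMPLE" | ike_phase1_counts
```

If `ike_initiator` keeps answering "remote" after you delete and re-add the tunnel in ipsec.conf, OpenBSD never sent a Phase 1 initiation, which is the question Christoph wants settled before looking at proposal mismatches. A result of "local" with the Cisco answering but no Phase 2 following points instead at the proposal rejection Dag and Cam saw.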