Bryan wrote:
> On Tue, May 25, 2010 at 14:06, j...@fixedpointgroup.com
> <j...@fixedpointgroup.com> wrote:
>> over the past several years i have encountered a variety of problems with
>> isakmpd that range from difficult to translate error messages to tunnels
>> dropping without explanation.
>> <snipped...>
> Greetings,
> Did you try different hardware?
> Did you troubleshoot the issue and raise a question on m...@?
> Are you using 4.7 or even -current?
> What is on the distant end? Is it OpenBSD -> OpenBSD, or is it
> something else on the other end?
> What network adapters are being used in both boxes?
> Are you using wireless to connect through to the distant end? Shaky
> wireless could cause connection issues.
> I mean, have you asked any questions, or asked for help?
> Maybe if you took the time to explain what is wrong, you might get an answer.
> Make sure you have a dmesg, and can reproduce the error in 4.7
> (-current or latest cvs pull is even better), and any and all error
> messages, and any verbose logfile output you can receive, your
> ipsec.conf, and pf.conf if you use that...
> Only you can help you...
> seriously...
Have you ever used isakmpd? I ask this because I get the impression that
you have not used it much if you missed the point of my message. It
totally sucks - I've been using it since 2003 and very little has
changed except the ipsecctl interface making it quicker to set up
tunnels. A number of people in the OpenBSD community have discussed the
possibility of a total rewrite with me over the past several years
because they too believe it is old and flaky.
isakmpd is brittle as hell, and endpoints being snapshots that are a few
months apart is enough to cause serious interoperation problems. Someone
may or may not have developed an improved version of isakmpd that runs
on OpenBSD; I will not name names, and that is because isakmpd is not
commercial grade software. There is a lot of neat and challenging crypto
code in isakmpd but, imo, further improvements are tolerated turd polishing.
I'm looking for an alternative so I don't have to resort to excessive
debugging and answering a series of 10 questions to figure out wtf is
going on. I am not saying that your list of questions is the wrong way
to debug this, it's totally correct, only that you're a fucking idiot
for not getting the point of my original message. It is amazing that you
have the patience to follow the ridiculously long trail to troubleshoot
and fix isakmpd but don't see that walking this trail is due to the code
being old and brittle.
Based on the lack of replies I speculate not many people use an SSH VPN...
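Bryan's checklist (a dmesg, a reproducible error, every error message and verbose log line, ipsec.conf, and pf.conf) is a gathering procedure, so here is an added example of doing it in one pass. This script is not from the thread or from OpenBSD; it assumes the standard /etc/ipsec.conf and /etc/pf.conf locations and the ipsecctl and pfctl tools, and on a host where a tool or file is missing it records that in the report instead of aborting. The default output path is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): collect the diagnostics Bryan lists
# into one report file so a question to the list carries everything at once.
# Assumes OpenBSD paths /etc/ipsec.conf and /etc/pf.conf; tools that are
# missing on the running host are noted in the report rather than aborting.

# Run a command, appending its output (or a note) under a labelled header.
section() {
    label=$1; shift
    printf '\n==== %s ====\n' "$label"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '(exit status %s)\n' "$?"
    else
        printf '(%s not available on this host)\n' "$1"
    fi
}

# Append a config file verbatim, or note that it cannot be read.
file_section() {
    printf '\n==== %s ====\n' "$1"
    if [ -r "$1" ]; then
        cat "$1"
    else
        printf '(%s not readable)\n' "$1"
    fi
}

# Write the full report to the path given as $1 (assumed default in /tmp)
# and print that path so a caller can attach the file.
collect_ipsec_diag() {
    out=${1:-/tmp/ipsec-diag.txt}
    {
        printf 'IPsec diagnostics collected %s on %s\n' \
            "$(date)" "$(uname -a 2>/dev/null || echo unknown)"
        section "dmesg" dmesg
        file_section /etc/ipsec.conf
        # ipsecctl -n parses the config without loading it, so a syntax
        # error in ipsec.conf shows up here before anything is changed.
        section "ipsec.conf parse check" ipsecctl -n -f /etc/ipsec.conf
        # -sa dumps the current flows and SAs, i.e. what actually got set up.
        section "flows and SAs" ipsecctl -sa
        file_section /etc/pf.conf
        section "pf rules" pfctl -sr
        # For the verbose daemon output Bryan asks for, stop the running
        # isakmpd and start it in the foreground with debugging enabled,
        # e.g. "isakmpd -d -DA=90"; that is deliberately not done here
        # because it would replace the daemon that is serving the tunnel.
    } > "$out"
    echo "$out"
}
```

Run it as root on both endpoints before asking for help, and attach the two reports together with the exact release or snapshot date each side runs; a few months of drift between snapshots is one of the things the thread itself points at.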