I'm using an OpenBSD 3.7 box to try to connect to our Cisco concentrator at
work. Here is what I was sent by our network admin:

10.0.0.0/0.0.0.255
192.168.240.0/0.0.15.255
172.22.0.0/0.0.0.255
10.10.0.0/0.0.255.255
10.20.0.0/0.0.255.255

as networks I would need to tunnel to. Here is my isakmpd.conf file with the
proper edits:

[General]
Listen-On= xx.xxx.xxx.xx

[Phase 1]
yy.yyy.yyy.yy= concentrator

[Phase 2]
Connections= VPN-home-240, VPN-home-10_0, VPN-home-172, VPN-home-10_10, VPN-home-10_20

[concentrator]
Phase= 1
Transport= udp
Address= yy.yyy.yyy.yy
Configuration= Default-main-mode
Authentication= my_shared_secret

[VPN-home-240]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work_240

[VPN-home-10_0]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_0

[VPN-home-172]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-172

[VPN-home-10_10]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_10

[VPN-home-10_20]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_20


################################
#### Network Defs ##############
################################

[home-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 0.0.255.255

[work_240]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.240.0
Netmask= 0.0.15.255

[work-10_0]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 0.0.0.255

[work-172]
ID-type= IPV4_ADDR_SUBNET
Network= 172.22.0.0
Netmask= 0.0.0.255

[work-10_10]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.0.0
Netmask= 0.0.255.255

[work-10_20]
ID-type= IPV4_ADDR_SUBNET
Network= 10.20.0.0
Netmask= 0.0.255.255

################################
#####Mode Defs #################
################################

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

where x's represent my ip address and y's represent the concentrator. Here is
my isakmpd.policy file:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

and the output of isakmpd -d

bash-3.00# isakmpd -d
191943.477359 Default ipsec_validate_id_information: dubious ID information accepted
191951.404865 Default ipsec_validate_id_information: dubious ID information accepted
192010.536856 Default transport_send_messages: giving up on message 0x3c069780, exchange VPN-home-240
192010.537309 Default transport_send_messages: giving up on message 0x3c069900, exchange VPN-home-10_0
192010.537697 Default transport_send_messages: giving up on message 0x3c069a80, exchange VPN-home-172
192010.538067 Default transport_send_messages: giving up on message 0x3c069c00, exchange VPN-home-10_10
192010.538467 Default transport_send_messages: giving up on message 0x3c069d80, exchange VPN-home-10_20

relevant sections of my pf.conf file:

pass in proto esp from any to any
pass out proto esp from any to any keep state
pass in on enc0 from any to any
pass out on enc0 from any to any
pass in on $ext_if proto udp from any to any port 500
pass out on $ext_if proto udp from ($ext_if) to any port 500

which I know is way relaxed, but just wanting to rule out any pf related
issues. Ultimately I'm trying to reach 192.168.250.111 which is a VoIP server.
I don't get any replies when I try to ping it, nor do I see anything on the
enc0 interface. Let me know if you have any thoughts or if you need more
information. I've really been banging my head against the wall trying to
figure this one out.

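One thing worth ruling out before looking further at the concentrator side: the admin's list is in Cisco wildcard-mask notation (0.0.0.255 means "the low 8 bits are host bits"), and the posted isakmpd.conf copies those values straight into Netmask=, including Netmask= 0.0.255.255 for [home-net]. isakmpd.conf(5) takes an ordinary netmask for IPV4_ADDR_SUBNET identities (255.255.255.0 for a /24), so the quick-mode ID payloads built from this file describe different subnets than the admin intended. The five "giving up on message ... exchange VPN-home-*" lines are the quick-mode exchanges timing out after their retransmits, i.e. the concentrator never answered those proposals, which is consistent with (though not proof of) an ID mismatch. The two "dubious ID information accepted" lines are, as the message says, accepted, not failures.

The following is an added example, not code from the original post and not part of isakmpd: it converts the admin's list into the netmask form, rejects non-contiguous wildcards and misaligned network addresses, emits the [Phase 2] connection and network sections, and flags remote networks that overlap the local ID. The ADMIN_LIST and HOME_NET strings are constructed from the post; the generated section names (VPN-home-10_0_0_0, work-10_0_0_0, and so on) are an assumed naming scheme, not the poster's.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or isakmpd): turn a list of
Cisco "network/wildcard" entries into the netmask form that isakmpd.conf(5)
expects for IPV4_ADDR_SUBNET identities, and flag overlaps with the local ID."""
import ipaddress
from typing import List

# Constructed from the post: the admin's list, in Cisco wildcard-mask form.
ADMIN_LIST = """
10.0.0.0/0.0.0.255
192.168.240.0/0.0.15.255
172.22.0.0/0.0.0.255
10.10.0.0/0.0.255.255
10.20.0.0/0.0.255.255
"""

# The poster's [home-net] as written (Network= 192.168.0.0, Netmask= 0.0.255.255),
# which is a wildcard mask as well.
HOME_NET = "192.168.0.0/0.0.255.255"


def is_valid_wildcard(wildcard: str) -> bool:
    """A wildcard mask must be a contiguous run of low 1 bits (0.0.0.255,
    0.0.15.255); 0.0.255.0 has no netmask equivalent and no subnet ID."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def wildcard_to_netmask(wildcard: str) -> str:
    """Return the dotted netmask equivalent of a Cisco wildcard (inverse) mask."""
    if not is_valid_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


def parse_wildcard_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse 'network/wildcard' into an IPv4Network.  strict=True rejects host
    bits in the network part, which catches typos in the admin's list."""
    net, wildcard = entry.strip().split("/")
    return ipaddress.IPv4Network(f"{net}/{wildcard_to_netmask(wildcard)}", strict=True)


def section_name(net: ipaddress.IPv4Network) -> str:
    """Assumed naming scheme: network address with dots replaced by underscores."""
    return str(net.network_address).replace(".", "_")


def isakmpd_phase2_config(admin_list: str, home: str, peer: str = "concentrator") -> str:
    """Emit [Phase 2], one connection per remote network, and the network
    definitions with Netmask= in the form isakmpd.conf(5) expects."""
    remotes = [parse_wildcard_entry(e) for e in admin_list.split()]
    home_net = parse_wildcard_entry(home)
    names = [section_name(n) for n in remotes]

    out = ["[Phase 2]",
           "Connections= " + ", ".join(f"VPN-home-{n}" for n in names), ""]
    for n in names:
        out += [f"[VPN-home-{n}]", "Phase= 2", f"ISAKMP-peer= {peer}",
                "Configuration= Default-quick-mode", "Local-ID= home-net",
                f"Remote-ID= work-{n}", ""]
    out += ["[home-net]", "ID-type= IPV4_ADDR_SUBNET",
            f"Network= {home_net.network_address}", f"Netmask= {home_net.netmask}", ""]
    for n, net in zip(names, remotes):
        out += [f"[work-{n}]", "ID-type= IPV4_ADDR_SUBNET",
                f"Network= {net.network_address}", f"Netmask= {net.netmask}", ""]
    return "\n".join(out)


def overlapping_remotes(admin_list: str, home: str) -> List[str]:
    """Remote networks that overlap the local ID.  A local ID that already
    covers the remote prefix makes the selector pair ambiguous and is usually
    a sign the local ID is wider than the real home LAN."""
    home_net = parse_wildcard_entry(home)
    return [str(n) for n in (parse_wildcard_entry(e) for e in admin_list.split())
            if n.overlaps(home_net)]


if __name__ == "__main__":
    print(isakmpd_phase2_config(ADMIN_LIST, HOME_NET))
    for net in overlapping_remotes(ADMIN_LIST, HOME_NET):
        print(f"# warning: remote {net} overlaps local ID {parse_wildcard_entry(HOME_NET)}")
```

Run against the values in the post, the overlap check reports 192.168.240.0/20: the local ID 192.168.0.0 with a real /16 mask covers 192.168.240.0 through 192.168.255.255, which includes the target 192.168.250.111. If the home LAN is actually a single /24, the [home-net] Netmask should say so, and it should not contain the work subnet.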