On 2012-06-01, Sarah Caswell <[email protected]> wrote:
> Hi all,
>
> I am currently using vpnc to connect to a client site (which has a Cisco ASA
> firewall/vpn endpoint)
> This setup works, but every time I use vpnc from my server it breaks other
> networking, especially the openvpn tunnels I maintain to other sites.
>
> I'd prefer to use the built-in IPsec software in OpenBSD to establish the
> tunnel instead (and terminate it locally on a tun or tap interface)
>
> All my attempts so far have failed and I must admit I'm an IPsec newbie, at
> least with the OpenBSD tools.
>
> My vpnc.conf file is very simple:
>
> -------
> IPSec gateway ww.xx.yy.zz
> IPSec ID somevpn
> IPSec secret somesecretString
> IKE Authmode psk
> -------
>
> Is there an equivalent config for ipsecctl (and/or isakmpd) that is known to
> work with remote ASA firewalls?
>
> Any help or suggestions would be greatly appreciated.
>
> Thanks in advance.
>
> :-)
>
> Sarah
Presumably some default settings are different between vpnc and isakmpd. Typical possibilities are the authentication and encryption parameters and one which people often forget, lifetime values. Usually you would get these settings from the people operating the other side (or tell them what you are using and have them adjust theirs). If they are not forthcoming then tcpdump can help (on the physical interface and also on isakmpd packet capture files, see the isakmpd manual about -L).

Note that lifetimes are set in /etc/isakmpd/isakmpd.conf even if you use ipsec.conf; here's an example of a file I'm using:

    [General]
    Default-phase-1-lifetime=86400,60:86400
    Default-phase-2-lifetime=86400,60:86400

The biggest problem I had running IPsec to an ASA with isakmpd was when the ASA was behind NAT; Cisco didn't bother to follow the RFC document they helped write and still use encapsulation-type values from the internet-draft... But if NAT is not involved then that's not your problem.
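As an added example, not part of the original thread, here is how the advice above maps onto the two files on the OpenBSD side: an ipsec.conf rule that spells out every phase 1 and phase 2 parameter instead of relying on isakmpd defaults (so each value can be compared against what the ASA administrator reports), plus the isakmpd.conf lifetime section that ipsec.conf cannot set. The addresses and subnet are RFC 5737 documentation placeholders, and the algorithm, group and lifetime choices are assumptions: they must be replaced with whatever the ASA side is actually configured for.

```conf
# /etc/ipsec.conf  (added example; all values are placeholders)
#
# Explicit "main" (phase 1) and "quick" (phase 2) proposals. If either
# side's auth/enc/group choice differs, IKE negotiation fails, so each of
# these should be confirmed with the operator of the ASA.
local_gw   = "192.0.2.10"       # this host's public address (placeholder)
remote_gw  = "203.0.113.1"      # the ASA (placeholder)
remote_net = "10.20.30.0/24"    # network behind the ASA (placeholder)

ike esp from $local_gw to $remote_net peer $remote_gw \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 \
    psk "somesecretString"
# Add "group modpNNNN" to the quick proposal only if the ASA side has
# PFS enabled; a PFS mismatch is another common reason phase 2 fails.

# /etc/isakmpd/isakmpd.conf  (added example; values are placeholders)
#
# Lifetimes are not expressed in ipsec.conf, so they live here. The format
# is "seconds,min:max"; the first number is what isakmpd proposes, the
# range is what it will accept from the peer. Use the peer's values.
[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=28800,60:28800
```

To load this, isakmpd is started with -K (policy checking disabled, as ipsecctl expects) and the rules are then installed with ipsecctl -f /etc/ipsec.conf; ipsecctl -sa shows the negotiated flows and SAs once phase 2 has completed.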

