Please forget about my last response. I didn't read the original message properly.

The original post states clearly that the VPN tunnel works when it is initiated from the remote side, but does not get initiated from the obsd side when needed (by a ping packet, for instance). This somehow suggests that obsd initiates tunnels on demand (when a packet for a remote network arrives). I do not believe that this is how obsd works, but perhaps those who know can tell us for sure.

As for why obsd does not try to initiate the tunnel actively, as suggested by the isakmpd.pcap: what did the debug output in messages show for this?

Best Regards / Mit freundlichen Grüßen
Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: [email protected]

________________________________________
From: Christoph Leser
Sent: Tuesday, 2 October 2012 14:50
To: Janne Johansson; Erwin Schliske
Cc: [email protected]
Subject: Re: OpenBSD does not initiate ipsec connection

Do a ping -I as Janne advised and take a tcpdump on the enc0 device and on your external interface (both with the "ip host a.b.102.219" parameter). You should see the ICMP packet on enc0 and some ESP packet at the same time on the external interface. If one or both are missing, you may have a problem with your pf.conf. If you see both, I would believe your tunnel is ok and the remote side is filtering your ICMP or does not route your packet properly into the (remote) internal net.

Christoph Leser
S&P Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: [email protected]

________________________________________
From: [email protected] [[email protected]] on behalf of Janne Johansson [[email protected]]
Sent: Tuesday, 2 October 2012 11:01
To: Erwin Schliske
Cc: [email protected]
Subject: Re: OpenBSD does not initiate ipsec connection

2012/10/1 Erwin Schliske <[email protected]>:
> Hello,
>
> I've set up an OpenBSD box as vpn gateway. The tunnel I have to establish is
> with a Cisco ASA 5505, which is not under my administration.
>
> Here is the ipsec.conf
>
> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } to {
> 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
>         peer a.b.102.219 \
>         local c.d.3.254 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group none \
>         psk password
>
> If I try to ping one host on the cisco side from the OpenBSD side the tunnel doesn't
> come up. If I look with tcpdump on the external interface or in the tcpdump
> logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping from
> the Cisco side a host on the OpenBSD side the tunnel comes up. In the logging of
> isakmpd I see these loglines

"from the X side", does that mean you try to ping from the openbsd, OR from one of the networks listed in the from-line?

One of the common mistakes is to test from the ipsec-gw itself and not account for the fact that the ipsec.conf lines mostly are "to talk from net A to net B, host X will do ipsec to peer Y". In such a case, testing from host X will not go through the tunnel, since the rule is "from net A". Most of the time the host X has a leg on net A and can "ping -I my-ip-at-NetA dest-on-net-B", but not always.

Then again, since active esp is the default for ipsec.conf when you write "ike esp ...", it should start trying to set the tunnel up as soon as you load the rules, and not wait until packets want to traverse it.

--
To our sweethearts and wives. May they never meet.
-- 19th century toast
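The check Janne and Christoph describe above (ping with -I from an address inside one of the "from" networks, while watching enc0 and the external interface) can be scripted so that the three outcomes Christoph lists come out as a single verdict. The script below is an added example and is not part of the thread. It takes the peer a.b.102.219, the local address c.d.3.254 and the enc0 device from the posts; the external interface name em0, the inside source address 172.30.77.1 and the target host 172.16.70.10 are assumptions, and the embedded tcpdump output is constructed so the classifier can be exercised off the gateway:

```shell
#!/bin/sh
# Added example, not from the mailing-list posts. Automates the
# "ping -I, then tcpdump on enc0 and on the external interface" check.
PEER="a.b.102.219"      # remote IKE peer (from the thread)
LOCAL="c.d.3.254"       # our external address (from the thread)
EXT_IF="em0"            # external interface (assumption)
SRC="172.30.77.1"       # our leg inside one of the "from" networks (assumption)
DST="172.16.70.10"      # a host inside one of the "to" networks (assumption)

# classify ENC_TXT EXT_TXT
#   ENC_TXT: decoded tcpdump output from enc0, filtered on host $DST
#   EXT_TXT: decoded tcpdump output from $EXT_IF, filtered on host $PEER
# Prints exactly one verdict keyword on stdout.
classify() {
    enc_req=$(grep -Fc 'icmp: echo request' "$1" || true)
    enc_rep=$(grep -Fc 'icmp: echo reply' "$1" || true)
    esp_out=$(grep -Fc " esp $LOCAL > $PEER" "$2" || true)
    esp_in=$(grep -Fc " esp $PEER > $LOCAL" "$2" || true)
    if [ "$enc_req" -eq 0 ]; then
        echo no-flow        # ping never entered the tunnel
    elif [ "$esp_out" -eq 0 ]; then
        echo no-esp         # matched a flow, but nothing encrypted left the box
    elif [ "$esp_in" -eq 0 ] || [ "$enc_rep" -eq 0 ]; then
        echo remote-side    # our side works; no answer came back
    else
        echo tunnel-ok
    fi
}

# explain VERDICT: the next thing to look at, following Christoph's reasoning.
explain() {
    case "$1" in
    no-flow)     echo "no ICMP on enc0: packet did not match an IPsec flow; check pf.conf, the -I source address and 'ipsecctl -s flow'" ;;
    no-esp)      echo "ICMP on enc0 but no ESP to $PEER on $EXT_IF: check pf.conf for outbound esp and 'ipsecctl -s sa'" ;;
    remote-side) echo "ICMP and outbound ESP seen, no reply: local tunnel looks ok; the remote side filters or misroutes" ;;
    tunnel-ok)   echo "echo request and reply both traversed the tunnel" ;;
    *)           echo "unknown verdict: $1" ;;
    esac
}

# capture_live: run as root on the OpenBSD gateway. Captures both interfaces
# while pinging from the inside address, then classifies the result.
capture_live() {
    enc="$(mktemp)"; ext="$(mktemp)"
    tcpdump -l -n -i enc0 host "$DST" > "$enc" 2>/dev/null &
    enc_pid=$!
    tcpdump -l -n -i "$EXT_IF" host "$PEER" > "$ext" 2>/dev/null &
    ext_pid=$!
    sleep 1
    ping -I "$SRC" -c 3 "$DST" > /dev/null 2>&1 || true
    sleep 2
    kill "$enc_pid" "$ext_pid" 2>/dev/null || true
    wait "$enc_pid" "$ext_pid" 2>/dev/null || true
    v="$(classify "$enc" "$ext")"
    echo "$v: $(explain "$v")"
    rm -f "$enc" "$ext"
}

# Constructed sample captures (not real output; the line format only
# approximates OpenBSD tcpdump) so the classifier can be run anywhere.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/enc0_noreply.txt" <<EOF
12:00:01.000001 (authentic,confidential): SPI 0x00001000: 172.30.77.1 > 172.16.70.10: icmp: echo request
12:00:02.000001 (authentic,confidential): SPI 0x00001000: 172.30.77.1 > 172.16.70.10: icmp: echo request
EOF
cat > "$SAMPLE_DIR/ext_noreply.txt" <<EOF
12:00:01.000002 esp c.d.3.254 > a.b.102.219 spi 0x00002000 seq 1 len 132
12:00:02.000002 esp c.d.3.254 > a.b.102.219 spi 0x00002000 seq 2 len 132
EOF
cat > "$SAMPLE_DIR/enc0_ok.txt" <<EOF
12:00:01.000001 (authentic,confidential): SPI 0x00001000: 172.30.77.1 > 172.16.70.10: icmp: echo request
12:00:01.010001 (authentic,confidential): SPI 0x00003000: 172.16.70.10 > 172.30.77.1: icmp: echo reply
EOF
cat > "$SAMPLE_DIR/ext_ok.txt" <<EOF
12:00:01.000002 esp c.d.3.254 > a.b.102.219 spi 0x00002000 seq 1 len 132
12:00:01.009002 esp a.b.102.219 > c.d.3.254 spi 0x00004000 seq 1 len 132
EOF
: > "$SAMPLE_DIR/empty.txt"

# Run the classifier over the constructed samples; use capture_live on a gateway.
if [ "${1:-}" = "live" ]; then
    capture_live
else
    for pair in "enc0_noreply ext_noreply" "enc0_ok ext_ok" "empty ext_ok" "enc0_ok empty"; do
        set -- $pair
        v="$(classify "$SAMPLE_DIR/$1.txt" "$SAMPLE_DIR/$2.txt")"
        echo "$1/$2 -> $v: $(explain "$v")"
    done
fi
```

The no-flow verdict is the case Janne warns about: pinging from the gateway's own external address never matches a "from net A" flow, so nothing reaches enc0 regardless of whether the peer is reachable. The verdicts only separate the local failure modes; a remote-side result still has to be taken to the ASA administrator.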

