Hello,

Thanks for all the responses. The hints like pinging not from the gateway but from the 
network, debug mode and so on were checked by me before I sent the email to 
this list. It should also be mentioned that the tunnel which makes trouble is not the 
only one on the gateway. Other tunnels work without problems.

But now I have figured out what I have to change to bring up the tunnels after 
loading the config with ipsecctl.

I have to disable sasyncd, which, if enabled, causes isakmpd to be started with the 
parameter -S. If isakmpd starts without this parameter the tunnels come up and 
work smoothly.

So the question: is this a known behaviour, that isakmpd switches to passive if 
sasyncd is enabled? Or is this a bug?


Thanks.

Erwin

On 02.10.2012 at 11:01, Janne Johansson <[email protected]> wrote:

> 2012/10/1 Erwin Schliske <[email protected]>:
>> Hello,
>> 
>> I've set up an OpenBSD box as VPN gateway. The tunnel I have to establish is
>> with a Cisco ASA 5505, which is not under my administration.
>> 
>> Here is the ipsec.conf
>> 
>> ike esp from { 172.30.77.0/24, 10.70.0.0/24, 10.83.0.0/24, 10.77.4.0/24 } \
>> to { 172.16.70.0/24, 172.16.71.0/24, 172.16.72.0/24 } \
>> peer a.b.102.219 \
>> local c.d.3.254 \
>> main auth hmac-sha1 enc 3des group modp1024 \
>> quick auth hmac-sha1 enc 3des group none \
>> psk password
>> 
>> If I try to ping a host on the Cisco side from the OpenBSD side the tunnel doesn't
>> come up. If I look with tcpdump on the external interface or in the tcpdump
>> logging of isakmpd, OpenBSD doesn't try to establish the tunnel. If I ping from
>> the Cisco side a host on the OpenBSD side the tunnel comes up. In the logging of
>> isakmpd I see these log lines
> 
> "from the X side", does that mean you try to ping from the OpenBSD,
> OR, from one of the networks listed in the from-line?
> One of the common mistakes is to test from the ipsec-gw itself and not
> accounting for the fact that the ipsec.conf lines mostly are
> "to talk from net A to net B, host X will do ipsec to peer Y". In such
> a case, testing from host X will not go through the tunnel, since the
> rule is "from net A".
> Most of the time the host X has a leg on net A and can "ping -I
> my-ip-at-NetA dest-on-net-B" but not always.
> 
> Then again, since active esp is the default for ipsec.conf when you
> write "ike esp ...", it should start trying to set the tunnel up as
> soon as you load the rules, and not wait until packets want to
> traverse it.
> 
> -- 
> To our sweethearts and wives.  May they never meet. -- 19th century toast
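An added example, not code from this thread: a small sh script that reads a gateway's rc.conf.local and process list and reports whether isakmpd is running passive (-S) and whether sasyncd is enabled, the combination Erwin describes above. The file contents and process lines are constructed samples, and the check assumes -S appears as its own argument on the isakmpd command line.

```shell
#!/bin/sh
# Constructed sample of /etc/rc.conf.local on the gateway (not from the thread).
RC_CONF_SAMPLE='isakmpd_flags="-K"
sasyncd_flags=""
pf=YES'

# Constructed sample of a `ps -axo command` listing from the same box.
PS_SAMPLE='/sbin/isakmpd -S -K
/usr/sbin/sasyncd
/usr/sbin/sshd'

# sasyncd_enabled RCCONF: true when sasyncd_flags is set to anything but NO
# (an empty string still enables the daemon; an absent line keeps the
# /etc/rc.conf default of NO).
sasyncd_enabled() {
    line=$(printf '%s\n' "$1" | grep '^sasyncd_flags=' | tail -n 1)
    [ -n "$line" ] || return 1
    value=$(printf '%s' "${line#sasyncd_flags=}" | tr -d '"')
    [ "$value" != "NO" ]
}

# isakmpd_passive PSLIST: true when the running isakmpd carries -S, i.e. it
# answers IKE exchanges but does not initiate them until told to become active.
isakmpd_passive() {
    printf '%s\n' "$1" | grep -E '(^|/)isakmpd( |$)' | grep -qE ' -S( |$)'
}

# diagnose RCCONF PSLIST: one-word verdict for the operator.
diagnose() {
    if isakmpd_passive "$2"; then
        if sasyncd_enabled "$1"; then
            echo "passive-with-sasyncd"    # -S came with sasyncd; initiation waits on it
        else
            echo "passive-without-sasyncd" # -S without sasyncd: nothing will activate it
        fi
    else
        echo "active"                      # isakmpd will initiate the tunnels itself
    fi
}

diagnose "$RC_CONF_SAMPLE" "$PS_SAMPLE"
```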
