On Wednesday, June 18, 2014 15:27 CEST, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2014-06-18, Sebastian Reitenbach <sebas...@l00-bugdead-prods.de> wrote:
> > The only difference I see, but I'm unsure if this is OK or not, is that
> > the OpenBSD box sends ENCAPSULATION_MODE = TUNNEL, and the
> > Cisco box sends ENCAPSULATION_MODE = UDP_ENCAP_TUNNEL.
> > I'm not sure if that is expected, since the Cisco is behind a NAT
> > gateway.
>
> Try
> http://packetmischief.ca/files/openbsd/patches/isakmpd-nat-t-encap-mode.diff
>
> For the configuration where I had problems with nat-t interop with cisco, I had
> to just get it working so I replaced the isakmpd box with an asa5505.
>
yay, applied the patch, restarted isakmpd, loaded the ipsec configuration, and voila, flows and SAs got established. So the patch, even if it looks a bit hackish, was able to "fix" the problem.

many thanks,
Sebastian

cheers,
Sebastian