Hey,

Based on my experience you could try three things:
 - Provide us with the Cisco configuration on that side.
 - Use packet-tracer from the Cisco device; it's really helpful in these situations.
 - Verify every little bit of configuration on both sides so that they are exactly the same.

Alexander Salmin


On 2015-04-07 16:28:00, jean-yves boisiaud wrote:
> hello,
> 
> I'm using IPSec with OpenBSD.
> 
> I cannot connect with some Cisco appliances, a Cisco ASA and a Cisco 2951.
> 
> For these two Cisco gateways, I can see the same messages in the log:
> 
> Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: phase 1 done: initiator id
> X, responder id Y, src: X dst: Y
> Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: Peer Y made us delete live
> SA peer-Y-local-X for proto 1, initiator id: X, responder id: Y
> 
> As the remote IT engineers wanted me to enable DPD, I changed the ipsec
> configuration from active to dynamic, but nothing changes.
> 
> Is there something wrong in my configuration?
> 
> ike dynamic esp from 192.168.36.0/24 to 10.0.0.0/8 \
>   local X peer Y \
>   main auth hmac-md5 enc 3des group grp2 lifetime 28800 \
>   quick auth hmac-sha1 enc 3des group grp2 lifetime 28800 \
>   srcid "X" dstid "Y" \
>   psk "z"
> 
> -- 
> Jean-Yves Boisiaud - Alcor Consulting
> 24, rue de la Glycine
> 49250 Saint Remy la Varenne
> mobile : +33 6 63 71 73 46  fixe : +33 9 72 41 19 35
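
One way to carry out the "verify both sides" step above, as an added example that is not part of the original thread: parse the quoted `ike` rule into its phase 1 (main), phase 2 (quick) and selector settings, then diff them against values transcribed from the peer. The function names and every value in `PEER_SAMPLE` are assumptions constructed for illustration; nothing in the thread shows the Cisco side.

```python
# The ike rule from the original post (X, Y and z are the poster's placeholders).
IKE_RULE = r'''ike dynamic esp from 192.168.36.0/24 to 10.0.0.0/8 \
  local X peer Y \
  main auth hmac-md5 enc 3des group grp2 lifetime 28800 \
  quick auth hmac-sha1 enc 3des group grp2 lifetime 28800 \
  srcid "X" dstid "Y" \
  psk "z"'''

# Constructed peer-side values, written from the OpenBSD side's point of view,
# as an admin might transcribe them from the remote gateway. Not from the thread.
PEER_SAMPLE = {
    "from": "192.168.36.0/24", "to": "10.0.0.0/8",
    "main": {"auth": "hmac-md5", "enc": "3des", "group": "grp2", "lifetime": "28800"},
    "quick": {"auth": "hmac-md5", "enc": "3des", "group": "grp2", "lifetime": "3600"},
}

FIELDS = ("auth", "enc", "group", "lifetime")

def parse_ike_rule(text):
    """Extract selectors and the main/quick transform settings from one ike rule."""
    words = iter(text.replace("\\\n", " ").split())  # undo line continuations
    rule, section = {"main": {}, "quick": {}}, None
    for word in words:
        if word in ("main", "quick"):
            section = word                       # following fields belong here
        elif section and word in FIELDS:
            rule[section][word] = next(words, None)
        elif word in ("from", "to"):
            rule[word] = next(words, None)
        else:
            section = None                       # any other keyword ends the section
    return rule

def diff_rules(local, peer):
    """Return (setting, local value, peer value) for every setting that differs."""
    pairs = [(k, local.get(k), peer.get(k)) for k in ("from", "to")]
    for phase in ("main", "quick"):
        pairs += [(f"{phase} {f}", local[phase].get(f), peer[phase].get(f))
                  for f in FIELDS]
    return [p for p in pairs if p[1] != p[2]]

if __name__ == "__main__":
    for setting, ours, theirs in diff_rules(parse_ike_rule(IKE_RULE), PEER_SAMPLE):
        print(f"MISMATCH {setting}: local={ours} peer={theirs}")
```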
