On Sun, Sep 27 2015 at 42:13, Alexandre Westfahl wrote:
> Hi,

Hello,

> I have trouble configuring ipsec with my Soekris 6501 (OBSD 5.7) with a
> carrier router (Juniper).
> SA seems to work well, I see packets going out on em0 and also see them on
> enc0. However, the other side said nothing comes in, but they also see the SA
> working and can see traffic going out.
>
> There may be an explanation for this situation:
>
> - I have another IPSEC tunnel on the same public IP (both on em0/enc0)
> - the carrier IPs seem to be on the same network so OBSD may be lost with it
>
> *network*
> dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)-->Internet<--(GGG.HHH.III.150)--> .... server (GGG.HHH.III.149)

If you don't want to show your real address, at least use real numbers.
> *ipsec.conf:*
> //working ipsec tunnel
> ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to 192.168.1.0/24 \
>         local AAA.BBB.CCC.192 \
>         main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
>         quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
>         srcid "gtfwpo192" dstid "pojimusho169" \
>         psk secret
>
> //carrier ipsec (not working)
> ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
>         local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
>         main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
>         quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
>         srcid "AAA.BBB.CCC.192" dstid "GGG.HHH.III.150" \
>         psk secret2

src and dst ids are not needed.

> I tried to enable or disable PF and use super permissive rules but nothing
> changes.
>
> Do you have some ideas on what it could be?

When debugging ipsec, it is really easy to turn on unencrypted ike packet capture and then analyse the packets with tcpdump. See isakmpd -L or 'p=on' on the fifo file. By default the capture file is located in /var/run/isakmpd.pcap

I usually type

    tcpdump -nevvs 1550 -r /var/run/isakmpd.pcap | less

to check what's wrong.

With ScreenOS software (not JunOS like you, but they should be similar) the "encryption domain" is usually set to 0/0 and the OS manages routes to determine what to send to the tunnel. This will not work with your configuration, and the network/sys admin on the other side needs to make some adjustments.

Do you have the configuration of the other side?

Good luck with troubleshooting.

Claer
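The reply above points at the usual cause of "SA up on both sides, no traffic": the peer's quick-mode IDs (its "encryption domain", 0/0 on a route-based Juniper) do not mirror the flow in ipsec.conf. The small checker below is an added example, not code from the thread or from OpenBSD; it assumes isakmpd wants the peer's local/remote IDs to equal the configured dst/src exactly, prefix length included, and uses RFC 5737 documentation addresses as constructed stand-ins for the masked ones.

```python
import ipaddress
import re

FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")

def parse_flow(line):
    """Extract the (src, dst) selectors from an ipsec.conf 'ike ... from A to B' line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("no 'from A to B' flow in: %r" % line)
    # A bare host without a prefix length is a /32 host selector.
    return tuple(ipaddress.ip_network(x, strict=False) for x in m.groups())

def phase2_ids_match(local_flow, peer_ids):
    """Check whether the peer's quick-mode IDs mirror our configured flow.

    local_flow: (src, dst) networks taken from our ipsec.conf.
    peer_ids:   (peer_local, peer_remote) as the peer proposes them.
    Assumption: isakmpd does not narrow selectors, so the peer's local side
    must equal our dst and its remote side must equal our src.
    Returns (True, "") on a match, or (False, reason) otherwise.
    """
    src, dst = local_flow
    peer_local, peer_remote = peer_ids
    problems = []
    if peer_remote != src:
        problems.append("peer remote id %s != our src %s" % (peer_remote, src))
    if peer_local != dst:
        problems.append("peer local id %s != our dst %s" % (peer_local, dst))
    return (not problems, "; ".join(problems))

# Constructed values standing in for DDD.EEE.FFF.0/28 and GGG.HHH.III.149/32.
OUR_FLOW = parse_flow("ike esp from 192.0.2.0/28 to 203.0.113.149/32")
# A route-based peer left at the default 0/0 encryption domain on both sides.
PEER_DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"))
# The same peer after its admin sets proxy IDs that mirror our flow.
PEER_FIXED = (ipaddress.ip_network("203.0.113.149/32"), ipaddress.ip_network("192.0.2.0/28"))

if __name__ == "__main__":
    for name, ids in (("default 0/0", PEER_DEFAULT), ("mirrored", PEER_FIXED)):
        ok, why = phase2_ids_match(OUR_FLOW, ids)
        print("%-11s %s %s" % (name, "OK" if ok else "MISMATCH", why))
```

Compare the IDs in the decrypted quick-mode exchange from /var/run/isakmpd.pcap against the output to see which side has to change.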