A charity that I support has been having trouble with its internet provider (Rogers). The problem I have is that Rogers is the only supplier that is available that will give a fixed IP address.
I want the fixed IP address so I don't have to drive there to fix problems. It occurred to me that if I could get a VPN set up automatically when their OpenBSD firewall boots, I could then use the VPN to reach back into their computer. Having never set up a VPN using OpenBSD, I started by reading, and I was left very confused. I came up with:

On my firewall I have /etc/ipsec.conf

    ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
    ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa

On their firewall:

    ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
    ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa

I also opened up the firewall to allow packets in from both networks without restrictions, something I will have to clean up later.

On both systems I have

    isakmpd_flags=-K -v -D A=10

Because of some of the readings, I also put on both systems into /etc/hostname.enc0

    up

When I try to start isakmpd on the remote system I get only a message about privilege dropping.
On my local system I get:

    Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
    Jan 2 16:23:55 gateway isakmpd[71980]: timer_remove_event: removing event ui_conn_reinit(0x0)
    Jan 2 16:23:55 gateway isakmpd[71980]: timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
    gateway:/etc # Jan 2 16:24:00 gateway isakmpd[71980]: timer_handle_expirations: event ui_conn_reinit(0x0)
    Jan 2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section to-192.168.254/24 network 192.168.254
    Jan 2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-ste0-to-192.168.254/24"
    Jan 2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section from-192.102.11/24 network 192.102.11
    Jan 2 16:24:00 gateway isakmpd[71980]: connection_init: could not record passive connection "from-192.102.11/24-to-192.168.254/24"

Any hint as to what I am doing wrong?

