Hi,

comments below

On 19.04.2017 at 23:23, Remi Locherer wrote:

> > here is the ipsec.conf on the openbsd machine
> >
> > ike from {10.10.10.0/24} to 10.10.15.0/24 \
>
> You need to add "peer AA.BB.CC.DD" here.

Why? It's a passive setup; the active side can have the peer part, or did this change lately?

> If you control both ends of the VPN I recommend you choose stronger
> ciphers. Check the defaults of OpenBSD or the recommendation of ENISA:
> https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

I'm starting with a simple setup; using a stronger cipher will be the next step after I've confirmed my setup works.

> How do you start isakmpd? This should configure your system to start
> isakmpd and load the ipsec rules during boot:
>
> # rcctl enable isakmpd
> # rcctl set isakmpd flags -vK
> # rcctl enable ipsec

I just use the -K flag.

> > and here is the pf.conf
>
> Add the log keyword to your pf rules. Without that it's hard to debug.
> Also check man ipsec.conf for a full example.

If there is no traffic, it seems kinda useless trying to log it at that point. I tried tailing the daemon log, but it wasn't too helpful either.


--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this e-mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
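For readers following this thread, here is an added example (editor's illustration, not from either mail) of the minimal configuration pair Remi is describing: the OpenBSD side as the passive responder, the other gateway as the active initiator, both naming their peer, plus pf rules that carry the log keyword so the IKE and ESP packets can be watched on pflog0. The gateway addresses 192.0.2.1 and 192.0.2.2 and the pre-shared key are placeholders; the inner networks are the ones from the thread, and the transforms follow the stronger-cipher advice rather than the defaults.

```conf
# /etc/ipsec.conf on the OpenBSD gateway (public address 192.0.2.2, assumed).
# "passive" makes isakmpd wait for the other side to initiate; "peer" still
# names the remote gateway so incoming proposals are matched to this flow.
ike passive esp from 10.10.10.0/24 to 10.10.15.0/24 peer 192.0.2.1 \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "replace-with-a-long-random-secret"

# /etc/ipsec.conf on the remote gateway (public address 192.0.2.1, assumed):
# the mirror image, marked "active" so it initiates the exchange.
ike active esp from 10.10.15.0/24 to 10.10.10.0/24 peer 192.0.2.2 \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "replace-with-a-long-random-secret"

# /etc/pf.conf fragment on the OpenBSD gateway. Every rule that touches
# IKE (udp 500/4500), ESP or the decrypted traffic on enc0 logs, so a
# packet that is dropped or never arrives shows up on pflog0.
pass in  log on egress proto udp from 192.0.2.1 to (egress) port { isakmp, ipsec-nat-t }
pass out log on egress proto udp from (egress) to 192.0.2.1 port { isakmp, ipsec-nat-t }
pass in  log on egress proto esp from 192.0.2.1 to (egress)
pass out log on egress proto esp from (egress) to 192.0.2.1
pass     log on enc0 from 10.10.15.0/24 to 10.10.10.0/24 keep state (if-bound)
pass     log on enc0 from 10.10.10.0/24 to 10.10.15.0/24 keep state (if-bound)
```

Checking it: `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, `ipsecctl -sa` shows which flows and SAs the kernel actually holds after isakmpd has started, and `tcpdump -n -e -ttt -i pflog0` shows the logged packets together with the rule that matched. The log rules on egress are worth having even when enc0 sees nothing: they answer the prior question of whether the initiator's IKE packets reach the responder at all. When the daemon log is too quiet, `isakmpd -d -K -DA=90` runs isakmpd in the foreground with all debug classes turned up.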
