Markus Wernig wrote:
> Hello all
>
> I am trying a - what I think is - simple ipsec setup. The point is to
> ipsec-encrypt all traffic between a pair of firewalls (gateA and gateB,
> both OBSD 4.0), in order to send pfsync traffic over the encrypted link.
> Although having read through ipsec, ipsec.conf, isakmpd and friends'
> manpages, I get stuck on the same point. Obviously I'm missing some
> important point.
>
> gateA:/etc/ipsec.conf:
> ike esp from 10.111.1.1 to 10.111.1.2
>
> gateB:/etc/ipsec.conf:
> ike esp from 10.111.1.2 to 10.111.1.1
>
> private and public key created by rc on initial boot in
> /etc/isakmpd/private on both machines.
> copied
> gateA's /etc/isakmpd/private/local.pub to
> gateB:/etc/isakmpd/pubkeys/ipv4/10.111.1.1
> and
> gateB's /etc/isakmpd/private/local.pub to
> gateA:/etc/isakmpd/pubkeys/ipv4/10.111.1.2
>
> /etc/rc.conf.local
> ipsec=YES
> isakmpd_flags="-K -f /var/run/isakmpd.fifo"
>
>
> I thought that with this, automatic keying would set up a tunnel between
> 10.111.1.1 and 10.111.1.2 on system start. But nothing of the like
> happens, not even a single IKE packet is exchanged between the two
> hosts. Consequently, when pinging from 10.111.1.1 to 10.111.1.2 or vice
> versa, the packets go over the wire in the clear.
>
> I'm sorry, but I just can't see what I'm missing. Would anybody have a
> pointer for a lost soul?
>
> thx /markus
It seems you just forgot to load your rules. Just add "ipsecctl -f /etc/ipsec.conf" in the rc.local of both your firewalls and everything should just work fine.
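A small check script to go with that answer, added here as an example and not part of the original thread: after `ipsecctl -f /etc/ipsec.conf` has been run, the kernel flow table should contain an outbound and an inbound ESP flow for the gateA/gateB pair, and the script confirms that by scanning the text output of `ipsecctl -s flow`. The sample flow lines embedded below are constructed (the layout is assumed from what ipsecctl prints, not captured from a real host) and are used only when `ipsecctl` is not on the machine running the script, so the check can be exercised off-box.

```shell
#!/bin/sh
# Added example: confirm that the flows an ipsec.conf rule should have
# installed are really present. If the flows are missing, traffic between
# the two gateways still goes over the wire in the clear, which is exactly
# the symptom described in the question.

# Constructed sample of `ipsecctl -s flow` output on gateA after
# `ipsecctl -f /etc/ipsec.conf` (format assumed, not a real capture).
SAMPLE_FLOWS='flow esp in from 10.111.1.2 to 10.111.1.1 peer 10.111.1.2 srcid 10.111.1.1/32 dstid 10.111.1.2/32 type use
flow esp out from 10.111.1.1 to 10.111.1.2 peer 10.111.1.2 srcid 10.111.1.1/32 dstid 10.111.1.2/32 type require'

# get_flows: print the live flow table when ipsecctl is available,
# otherwise fall back to the constructed sample above.
get_flows() {
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -s flow
    else
        printf '%s\n' "$SAMPLE_FLOWS"
    fi
}

# has_flow FLOWS DIR SRC DST: exit 0 if an ESP flow in direction DIR
# (in/out) from SRC to DST appears in FLOWS, 1 otherwise. Fixed-string
# match; the trailing space keeps 10.111.1.1 from matching 10.111.1.10.
has_flow() {
    printf '%s\n' "$1" | grep -Fq "flow esp $2 from $3 to $4 "
}

# tunnel_ok FLOWS LOCAL PEER: exit 0 only if both directions are present,
# i.e. outbound LOCAL->PEER and inbound PEER->LOCAL.
tunnel_ok() {
    has_flow "$1" out "$2" "$3" && has_flow "$1" in "$3" "$2"
}

# report LOCAL PEER: human-readable verdict for the operator.
report() {
    flows=$(get_flows)
    if tunnel_ok "$flows" "$1" "$2"; then
        echo "ok: ESP flows present for $1 <-> $2"
        return 0
    fi
    echo "MISSING: no ESP flows for $1 <-> $2; run 'ipsecctl -f /etc/ipsec.conf'"
    return 1
}

# Addresses from the question: gateA is 10.111.1.1, gateB is 10.111.1.2.
report 10.111.1.1 10.111.1.2
```

Once the flows are in place, `ipsecctl -s sa` shows whether isakmpd has actually negotiated the SAs; flows without SAs mean the rules were loaded but IKE has not completed, and the `-f /var/run/isakmpd.fifo` setting from the question is what lets ipsecctl hand the ike rules to isakmpd in the first place.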

