On Sun, Apr 15, 2007 at 08:32:00PM +0200, Markus Wernig wrote:
> Hello!
>
> Renaud Allard wrote:
> > Markus Wernig wrote:
> >> Renaud Allard wrote:
> >>
> >>> Did you verify that isakmpd is running?
> >> Yes. It runs as follows:
> >>
> >> 11967 ?? Is 0:00.05 isakmpd: monitor [priv] (isakmpd)
> >> 18753 ?? I 0:01.40 isakmpd -S -K -f /var/run/isakmpd.fifo
> >>
> >>
> > -S is used for redundant setups. Did you try without that flag?
>
> In fact, this resolves the problem! Thanks a lot.
>
> Yet, it brings me to the next problem that I didn't set the -S flag, but
> /etc/rc does so automatically because of sasyncd, which will be used on
> those boxes in a further step. (The far goal being two firewall clusters
> encrypting traffic between the networks behind them, and encrypting
> traffic between the two members respectively.)
Currently the order in which isakmpd, ipsecctl and sasyncd need to be
invoked in order for everything to work is pretty rigid.

# isakmpd -KS
# ipsecctl -f /etc/ipsec.conf
# sasyncd

First start isakmpd with -KS. This brings up isakmpd in passive mode: isakmpd
won't initiate any IKE traffic until an sasyncd process sets isakmpd to
"active" mode through the fifo. You can do this by hand by issuing "M active"
into the fifo with echo. Don't forget to load your rules before you issue
this command.

If you are not going to use sasyncd, don't use -S.

-- 
Mathieu Sauve-Frankel
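The manual "M active" step above, written as a small POSIX sh function with the checks an rc script should make before touching the control fifo. This is an added example, not code from the thread or from OpenBSD: the fifo path default, the 5-second give-up, and the script's acceptance of "passive" (the counterpart mode isakmpd(8) documents for the same fifo command) are assumptions of the example.

```shell
#!/bin/sh
# Switch isakmpd between passive and active mode through its control fifo.
# Usage: isakmpd_set_mode active|passive [fifo]
# Returns 0 on success, 1 on a bad mode or a missing/non-fifo path.
isakmpd_set_mode() {
    mode=$1
    fifo=${2:-/var/run/isakmpd.fifo}   # assumed default, matches the ps line above

    case $mode in
        active|passive) ;;
        *) echo "isakmpd_set_mode: mode must be active or passive" >&2; return 1 ;;
    esac

    # isakmpd creates the fifo itself; if the path is not a named pipe the
    # daemon is not running (or not with -f pointing here), so do not write.
    if [ ! -p "$fifo" ]; then
        echo "isakmpd_set_mode: $fifo is not a fifo; is isakmpd running?" >&2
        return 1
    fi

    # Writing to a fifo with no reader blocks forever, which would hang a
    # boot sequence; write in the background and abandon it after 5 seconds.
    ( printf 'M %s\n' "$mode" > "$fifo" ) &
    writer=$!
    ( sleep 5; kill "$writer" 2>/dev/null ) &
    watchdog=$!
    rc=0
    wait "$writer" || rc=$?
    kill "$watchdog" 2>/dev/null
    return "$rc"
}

# Ordering from the thread: start isakmpd -KS, load rules, then go active.
# The function is only invoked here when called with arguments, e.g.:
#   isakmpd -KS && ipsecctl -f /etc/ipsec.conf && sh this.sh active
if [ $# -gt 0 ]; then
    isakmpd_set_mode "$@"
fi
```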

