Re: VPN packets not passing remote gateway [RESOLVED... sorta]
On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:

> On 4 jan 2006, at 05.57, Jason Dixon wrote:
>
>> After some gentle persuading by Adrian Close, I dropped ipsecadm and went back to automatic key exchange with isakmpd. A quick configuration based on the east/west and all is good. Same PF configuration, no changes there except for the addition of ISAKMP traffic. Don't know what the problem was, although I'm sure it was user related.
>
> Your manual setup only included one SA (SPI 0x100a), and you always need at least two, as an SA is unidirectional.

I tried that too before moving over to ISAKMP. It was still behaving the same, but it was probably user error.

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: VPN packets not passing remote gateway [RESOLVED... sorta]
Jason Dixon wrote:

> On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:
>
>> On 4 jan 2006, at 05.57, Jason Dixon wrote:
>>
>>> After some gentle persuading by Adrian Close, I dropped ipsecadm and went back to automatic key exchange with isakmpd. A quick configuration based on the east/west and all is good. Same PF configuration, no changes there except for the addition of ISAKMP traffic. Don't know what the problem was, although I'm sure it was user related.
>>
>> Your manual setup only included one SA (SPI 0x100a), and you always need at least two, as an SA is unidirectional.
>
> I tried that too before moving over to ISAKMP. It was still behaving the same, but it was probably user error.
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net

Here is the most simple manual keying setup I could make: I can create a manually keyed host-to-host VPN with two lines in /etc/ipsec.conf. On the other host, just make sure to swap the IPs, SPI numbers and the auth and enc keys. The key values are for testing only.

    flow esp from 192.168.71.129 to 192.168.71.128
    esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 authkey 0x:0x0001 enckey 0x:0x0001
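Added example, not from the thread: a small sh script that builds the two-line manual-keying ipsec.conf(5) fragment for both ends from one set of parameters, so the SPI and key swap on the second host (and the "one SA per direction" rule Håkan pointed out) is done mechanically rather than by hand. It assumes auth hmac-sha1 (20-byte key) and enc aes (16-byte key) as the algorithms; the function names check_key, genkey, host_conf and pair_conf are hypothetical.

```shell
#!/bin/sh
# Build the manual-keying ipsec.conf(5) fragment for BOTH hosts of a
# host-to-host ESP tunnel from one parameter set. Assumed algorithms
# (not from the thread): auth hmac-sha1 (20-byte key), enc aes (16-byte key).

# check_key KEY BYTES: KEY must be 0x-prefixed hex of exactly BYTES bytes.
check_key() {
  hex=${1#0x}
  [ "$hex" != "$1" ] || return 1                   # missing 0x prefix
  [ "${#hex}" -eq $(($2 * 2)) ] || return 1        # wrong length for the algorithm
  case $hex in *[!0-9a-fA-F]*) return 1 ;; esac    # non-hex characters
}

# genkey BYTES: print a fresh random key as 0x-prefixed hex. Use this for
# real deployments instead of short test values like 0x0001.
genkey() {
  printf '0x%s' "$(od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# host_conf LOCAL REMOTE SPI_OUT SPI_IN AKEY_OUT AKEY_IN EKEY_OUT EKEY_IN
# Prints the two lines for LOCAL. The esp line carries a pair of SPIs and
# keys (outbound:inbound) because an SA is unidirectional: one per direction.
host_conf() {
  check_key "$5" 20 && check_key "$6" 20 || { echo "bad authkey" >&2; return 1; }
  check_key "$7" 16 && check_key "$8" 16 || { echo "bad enckey" >&2; return 1; }
  printf 'flow esp from %s to %s\n' "$1" "$2"
  printf 'esp from %s to %s spi %s:%s auth hmac-sha1 enc aes authkey %s:%s enckey %s:%s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# pair_conf A B SPI_AB SPI_BA AKEY_AB AKEY_BA EKEY_AB EKEY_BA
# Emits host A's fragment, then host B's, which is the same data with every
# local/remote pair swapped. Put each part into that host's /etc/ipsec.conf.
pair_conf() {
  echo "# --- host $1 ---"
  host_conf "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" || return 1
  echo "# --- host $2 ---"
  host_conf "$2" "$1" "$4" "$3" "$6" "$5" "$8" "$7" || return 1
}
```

Example call: `pair_conf 192.168.71.129 192.168.71.128 0x1000 0x1001 $(genkey 20) $(genkey 20) $(genkey 16) $(genkey 16)`.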
Re: VPN packets not passing remote gateway [RESOLVED... sorta]
After some gentle persuading by Adrian Close, I dropped ipsecadm and went back to automatic key exchange with isakmpd. A quick configuration based on the east/west and all is good. Same PF configuration, no changes there except for the addition of ISAKMP traffic. Don't know what the problem was, although I'm sure it was user related.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net