4 port router card
I bought a Realtek based 4 port pci 10/110 card off of ebay. I was hoping I would be able to use this card to set-up for individual networks. When I boot the card in openbsd it only comes up with one (ral0) interface. Is it possible this is just a 'switching' card and I can't route traffic across the ports? It has a realtek RTL8305SC controller chip on it - which according to what I've read has 5 MACs - Maybe I'm not understanding what this card is supposed to do correctly. Shouldn't OpenBSD provide four ral interfaces when you boot with this card? Is there something I need to change to get openbsd to recognize the additional ports? I've read that there may be problems with 'older' computers. I have this in a PIII - perhaps that would qualify as 'older'?

Thanks!
Re: maxcluster errors
mail-lists wrote:

I've looked over this mailing list and noticed some questions about maxclusters. I'm running a wireless ap and for some reason the wireless link seems to die on me intermittently. Looking at /var/log/messages I notice errors referring to maxclusters. I then increased my maxclusters to 65000 and haven't had it going out yet (I'm running very aggressive ping tests from a host connected to a local WIRED network). However, when I do a netstat -m I notice mbuf clusters goes up and up and never comes back down. Is this what's supposed to happen? What happens when it maxes out again - I imagine I lose my wireless link? I'm running openbsd 4.0.

Sorry about the lack of detail in this post - unfortunately (much to my embarrassment) this is running in production and I need to babysit this thing. Any suggestions would be appreciated. Thanks!

Sorry - I should have mentioned I'm using the ral driver on my wireless interface.
acx on soekris with openbsd 4.0
Sorry, I've asked this before and didn't get a response.. am I asking this incorrectly - or in the wrong place?

Hello all, I'm trying to get a mini pci card working on OpenBSD 4.0. I ripped this card out of a dlink router that we weren't using. From what I understand it's supposed to use the acx driver. When I try to do an 'ifconfig acx0 up' it gives me 'Device not configured'. I'm assuming that this is because OpenBSD didn't detect the card. I scoured the dmesg output but didn't find anything that looks like a wireless card. I'm not overly familiar with the way openbsd handles hardware so is there a way to 'force' openbsd to find the card? I've already installed the firmware as specified in the man-page, but I don't know where to go from here.. I have a feeling I'm SOL with this card. Thanks!

I've appended the dmesg output in case there's something I'm missing:

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 268005376 (261724K)
avail mem = 236724224 (231176K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c8:01:a0
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c8:01:a1
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:00:24:c8:01:a2
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 1946MB, 3985632 sectors
wd0(pciide0:0:0): using PIO mode 4
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
isa0 at gscpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
gscsio0 at isa0 port 0x15c/2: SC1100 SIO rev 1:
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask fbe5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
syncing disks... done
OpenBSD wierdness
Hi everyone, I'm at my wits' end here with this and I don't know who to ask.. For about a week now my OpenBSD router has been acting up in the strangest ways. Routes disappear, ethernet speeds crawl to a halt and other weirdness.. I'm about to wipe this box clean and start from scratch but I would really like to try and figure out what's going on first.. I don't know if it helps if I describe some of the symptoms.. I'll try and draw a diagram first if I may...

    ISP1         ISP2
     |            |
    dc1 -------- dc2
           |
        obsd3.9
       |       |
     sis0     dc0 -- DMZ
       |
   10.110.38/24

Interface dc0 is bridged with interfaces dc1 & dc2.

Firstly, and perhaps most alarming: when I run the iperf utility between the router and a system on the network I get about 3Mb/s throughput. When I run it between a system on the DMZ and the router - the same thing. I tried disabling pf and get the same results. Running iperf between the boxes on the LAN I get proper results - of course. My only ideas are 1) failing NIC 2) NIC drivers?? 3) routing issues?

The second symptom is that periodically my vpn will drop throughout the day - corresponding with this (I think) whenever I run a continual ping to somewhere (anywhere) on the internet it will work fine any number of times but then it'll stop - sit there and hang for 10 seconds perhaps and then start back up. IF it is a failing NIC - could one bad NIC make the others act up (interrupts?)

I'm not sure I made myself very clear on this - I'm having a very hard time tracking this down. Any ideas or suggestions on investigating this would be appreciated. Any beautifully simple solutions even more so :) I REALLY want to figure out what's going on instead of simply wiping the box clean. Think of all the knowledge value :|

Thanks a lot...
Steve Glaus
Re: Openbsd 3.9 + trunk
Spruell, Darren-Perot wrote:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Tim Pushor wrote:
Steve Glaus wrote:

Ok, I gotcha, trunk just looked like a ready-made solution for what I was trying to do... Could you tell me WHY it's not able to be used for that and what it is for? I've gone the pf route before too but it seems to add a lot of complexity to my ruleset.

trunk(4) is mainly used to provide redundancy or performance enhancement on the same network. I was using it to provide switch redundancy by putting one cable in one switch, one in the other, and the switches connected together. If I lose a switch, it keeps chugging along.

Alright. Just so I understand.. COULD it be used to do what I'm trying to do? When you trunk two network interfaces together, are they addressless? Do the devices on the switch address the IP of the pseudo trunk interface?

Trunk(4) provides link redundancy. Say you had a NIC on a box cabled into a switch. That switch port dies, your box falls off the network. Introduce trunk, now you have two NICs in your box, cabled to two switch ports. One port dies (or one NIC); you have a redundant link to the switch and your box stays online. Read the manual and you'll find it has other uses as well (e.g. throughput aggregation traditionally) but what you described is really not what it would be. Your word was "routing", which is certainly not what it does (higher in the stack than trunk(4).)

DS

Ok. I think I understand. The trunk interface really has no idea how to route anything. It just sees packets (like any other interface?). But couldn't one then use routed to route packets coming in over the trunk interface to anywhere else? I'm probably just revealing my ignorance here. I'm really just harping on this to further my understanding. Feel free to ignore or respond as you wish. I've given up on the idea of using trunk for this particular application and am gonna go back to pf.

Thanks for all the help
Re: Openbsd 3.9 + trunk
Tim Pushor wrote:
Steve Glaus wrote:

Ok, I gotcha, trunk just looked like a ready-made solution for what I was trying to do... Could you tell me WHY it's not able to be used for that and what it is for? I've gone the pf route before too but it seems to add a lot of complexity to my ruleset.

trunk(4) is mainly used to provide redundancy or performance enhancement on the same network. I was using it to provide switch redundancy by putting one cable in one switch, one in the other, and the switches connected together. If I lose a switch, it keeps chugging along.

Alright. Just so I understand.. COULD it be used to do what I'm trying to do? When you trunk two network interfaces together, are they addressless? Do the devices on the switch address the IP of the pseudo trunk interface?
Re: Openbsd 3.9 + trunk
that's not what trunk(4) is for. You should read the PF FAQ about using multiple internet connections.

Ok, I gotcha, trunk just looked like a ready-made solution for what I was trying to do... Could you tell me WHY it's not able to be used for that and what it is for? I've gone the pf route before too but it seems to add a lot of complexity to my ruleset.
Openbsd 3.9 + trunk
Hello all, I am trying to do load-balancing/failover with the trunk pseudo interface. I'm not quite sure how to set this up. The following is my setup:

sis0 : internal network - 10.110.38.1
dc0  : dmz
dc1  : isp1: 24.38.97.22
dc2  : isp2: 77.2.2.3

So if I attempt to do an

ifconfig trunk0 trunkproto roundrobin trunkport dc1 trunkport dc2 10.110.38.1 netmask 255.255.255.0

how do I then use the trunk interface? I guess I'm just confused as to how the routing works.
Re: IPSec Tunnel - OpenBSD to NetScreen
Sean Hafeez wrote:

Can someone help me. I am quite stuck. I have spend hours trying various combinations in order to get an 3.9 box bring up a tunnel to a NetScreen 25. Below is all the information. I have full control over both boxes and I am willing to try anything at this point.

isakmpd.conf

# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On=1.1.1.1

[Phase 1]
2.2.2.2=peer-machineB

# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections=VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase=1
Address=2.2.2.2
Configuration=Default-main-mode
Authentication=bbb111aaaccceee

# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=2
ISAKMP-peer=peer-machineB
Configuration=Default-quick-mode
Local-ID=machineA-internal-network
Remote-ID=machineB-internal-network

# ID sections (as used in [VPN-A-B])
[machineA-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.22.0
Netmask=255.255.255.0

[machineB-internal-network]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0

# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-SUITE,QM-ESP-AES-SHA-PFS-SUITE

isakmpd -d -DA=50

You may want to do a -DA=90 here for a little more info. Just a thought? Have you tried with ipsecctl? What are the default phase1 and phase2 lifetimes set to on the Netscreen? I'm really not sure how suite negotiations work but I know that you can't have a suite using pfs with one that doesn't. I would try getting rid of all the suites but one in your quick mode and matching up to that on the netscreen side.

I feel your pain. I spent a week trying to get openbsd 3.9 connected to a sonicwall vpn.
Re: OPENBSD isakmpd VPN Problems
Håkan Olsson wrote:
On 10 aug 2006, at 16.26, Tech Support wrote:

Question: Can I have an isakmpd.conf file, set only the config options I want, run isakmpd WITHOUT the -K and still use ipsecctl?

Yes.

Another item - IS PFS disabled or enabled by default when one uses ipsecctl? Can this be set?

pfs is enabled by default.

PFS is off on the vendors side, does this matter? I will search how to disable on my end

Definitely. A suite proposal with PFS can never match a proposal without it.

/H

Alright! Thanks for all the help from this list - it's very appreciated. I have gotten this working reliably for the most part. I decided to go back and try to use the 'old' way of doing things. Namely using isakmpd.conf. I couldn't quite figure out how to override the default suite proposal using ipsecctl. I'm mostly asking questions now for my own curiosity so feel free everyone to ignore these ramblings.

- Is PFS something that's negotiated only during phase 2? Could this be why it was passing phase one but not passing phase two?
- when I specify a quick mode suite in isakmpd.conf does ipsecctl USE that suite? Can I do something like this in isakmpd.conf and then use ipsecctl to add the flows?

[General]
listen on = x.x.x.x
[Phase 1]
x.x.x.x = Remote
[Phase 2]
Connections = VPN1
[Remote]
Configuration = Default-main-mode
[VPN1]
Configuration = Default-quick-mode
[Default-main-mode]
Transforms=(whatever)
[Default-quick-mode]
Suites=(whatever)

Does isakmpd -K simply use a default policy of allowing everything?

Again, thank you everyone for their help!
Re: OPENBSD isakmpd VPN Problems
Matthew Closson wrote:
On Thu, 10 Aug 2006, Steve Glaus wrote:
Daniel Ouellet wrote:
Steve Glaus wrote:

Hello all, I'm finally desperate enough to post this to a list... I have been trying for two days to set up a basic VPN between my OpenBSD box at home and my OpenBSD box at work. The box at home is running 3.7 and the box here at work is running 3.9.

May be worth to have 3.9 both place. Here is something that might help: http://www.securityfocus.com/infocus/1859

Also may be good to read: http://www.undeadly.org/cgi?action=article&sid=2006062116 and this specially: http://www.undeadly.org/cgi?action=article&sid=20060606210130

man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf

So many changes happened in the last few months and many things have been replaced that I think trying to setup a VPN using what we may call the old way is a waste of time. I have seen many articles and examples in the last few months explaining all the great changes to this that I would say trying to use 3.7 for this is wrong. But I may be wrong for sure. It's just based on what was posted in the lately really. I am not 100% sure, but I think even some of the best changes are in current that make the setup very simple now based on articles on undeadly.org about the subject. Just a thought. Hope this help you some.

Hello again, Thanks for your help earlier. I haven't really had time to look at this problem in the last few weeks. I've started trying to use ipsecctl on my 3.9 box to connect to the actual service we will be using this for and I've made SOME progress so thank you for steering me in the right direction.

Now, whenever I try to connect to one of our cheesy little VPN routers (DLINK DFL-300's) using ipsecctl it works perfectly. The tunnel comes up, everything looks beautiful. But I can't stop there I'm afraid (though GOD I wish I could). I'm trying to connect to a sonicwall 4060 VPN that our software vendor uses. When I try to do this using the same setup (with the appropriate changes made) I get NO_PROPOSAL_CHOSEN messages. One glaring difference that I can see is that when I connect to the DLINK I use a passive connection and isakmpd sits and listens for incoming connections. Could this be a lifetime issue? Tech support at the other end said this is possible. How do you set the lifetime using ipsecctl (I've read that this is only possible with -current)? Another item - IS PFS disabled or enabled by default when one uses ipsecctl? Can this be set?

Looking at my logs I'm pretty sure that it's making it through phase1. Our vendors phase1 and phase2 use identical encryption/authorization so I don't quite understand why I would be getting NO_PROPOSALS for only phase2. The lifetimes for both phases are also identical on the vendors end. This is the relevant configuration info:

ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XX"

The debug output can be found here: http://ww2.bartowpc.com:8080/isakmpd_out

I really don't know where to go from here. I've invested hours & hours into this and we've (foolishly?) committed to this direction. Thanks for any help anyone can give.

Ask the SonicWall4060 admin how he/she is defining their network objects. You have specified 172.28.128.0/21. On SonicOS enhanced you can define address objects as "Single Host", "Network", or "Address Range". I think they want to use Network, and specify the netmask rather than address range, that could be an issue. Also SonicOS also uses 28800/28800 SA lifetimes as opposed to 86400/28800. Good luck! I've connected to a 4060 multiple times before but not using the new ipsecctl syntax, I used the old isakmpd.conf syntax.

Later,
-Matt-

Alright, an update: I've managed to connect to the sonicwall. Once. And everything worked perfectly until I took the tunnel down, made some changes and tried to reconnect again and lo and behold no joy. To get it working in the FIRST place I had to set the connection type to "passive" in ipsec.conf. I ran isakmpd, ran ipsecctl and the tunnels came right up. Now, when I bring it up again I get INVALID_COOKIE errors. I might be WAY off base here but I think that this is because they're trying to re-establish the same connection (I had them set 'keep alive' to yes on their end) and I'm just sitting here listening passively, not re-initializing a new connection? I don't know if that makes sense or not (I might just be revealing my ignorance). The one time it DID work was the first time I tried connecting to this specific endpoint. When I try to connect without using passive I get the same old NO_PROPOSAL_FOUND errors.

Thanks for all the help so far everyone.
Re: OPENBSD isakmpd VPN Problems
Daniel Ouellet wrote:
Steve Glaus wrote:

Hello all, I'm finally desperate enough to post this to a list... I have been trying for two days to set up a basic VPN between my OpenBSD box at home and my OpenBSD box at work. The box at home is running 3.7 and the box here at work is running 3.9.

May be worth to have 3.9 both place. Here is something that might help: http://www.securityfocus.com/infocus/1859

Also may be good to read: http://www.undeadly.org/cgi?action=article&sid=2006062116 and this specially: http://www.undeadly.org/cgi?action=article&sid=20060606210130

man 8 ipsecctl
man 8 isakmpd
man 5 isakmpd.conf

So many changes happened in the last few months and many things have been replaced that I think trying to setup a VPN using what we may call the old way is a waste of time. I have seen many articles and examples in the last few months explaining all the great changes to this that I would say trying to use 3.7 for this is wrong. But I may be wrong for sure. It's just based on what was posted in the lately really. I am not 100% sure, but I think even some of the best changes are in current that make the setup very simple now based on articles on undeadly.org about the subject. Just a thought. Hope this help you some.

Hello again, Thanks for your help earlier. I haven't really had time to look at this problem in the last few weeks. I've started trying to use ipsecctl on my 3.9 box to connect to the actual service we will be using this for and I've made SOME progress so thank you for steering me in the right direction.

Now, whenever I try to connect to one of our cheesy little VPN routers (DLINK DFL-300's) using ipsecctl it works perfectly. The tunnel comes up, everything looks beautiful. But I can't stop there I'm afraid (though GOD I wish I could). I'm trying to connect to a sonicwall 4060 VPN that our software vendor uses. When I try to do this using the same setup (with the appropriate changes made) I get NO_PROPOSAL_CHOSEN messages. One glaring difference that I can see is that when I connect to the DLINK I use a passive connection and isakmpd sits and listens for incoming connections. Could this be a lifetime issue? Tech support at the other end said this is possible. How do you set the lifetime using ipsecctl (I've read that this is only possible with -current)? Another item - IS PFS disabled or enabled by default when one uses ipsecctl? Can this be set?

Looking at my logs I'm pretty sure that it's making it through phase1. Our vendors phase1 and phase2 use identical encryption/authorization so I don't quite understand why I would be getting NO_PROPOSALS for only phase2. The lifetimes for both phases are also identical on the vendors end. This is the relevant configuration info:

ike esp from 10.110.38.0/24 to 172.28.128.0/21 peer 204.244.106.134 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XX"

The debug output can be found here: http://ww2.bartowpc.com:8080/isakmpd_out

I really don't know where to go from here. I've invested hours & hours into this and we've (foolishly?) committed to this direction. Thanks for any help anyone can give.
OPENBSD isakmpd VPN Problems
Hello all, I'm finally desperate enough to post this to a list... I have been trying for two days to set up a basic VPN between my OpenBSD box at home and my OpenBSD box at work. The box at home is running 3.7 and the box here at work is running 3.9. I know this is going to look like a lot of information but I don't really know what else to do:

HOME GATEWAY

This is isakmpd.conf on the home end:

[General]
Listen-on=

[Phase 1]
= work

[work]
Phase = 1
Transport = udp
Address =
Local-address=
Configuration = Default-main-mode
Authentication =sharedsecret

[Phase 2]
Connections = VPN-home-work

[VPN-home-work]
Phase = 2
ISAKMP-peer=work
Configuration = Default-quick-mode
Local-ID = internal-net
Remote-ID = remote-net

[internal-net]
ID-type=IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[remote-net]
ID-type=IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

This is isakmpd.policy (for a pre-shared key the licensee must carry the passphrase: prefix, and the KeyNote conditions must be joined with &&, as on the work end):

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

WORK GATEWAY

This is isakmpd.conf on the work end:

[General]
Listen-on =

[Phase 1]
= steveHome

[Phase 2]
Connections = VPN-Peachnet-steveHome

[steveHome]
Phase = 1
Transport = udp
Address =
Local-address =
Configuration = Default-main-mode
Authentication = sharedsecret

[VPN-Peachnet-steveHome]
Phase = 2
ISAKMP-peer = steveHome
Configuration = Default-quick-mode
Local-ID = local-internal-network
Remote-ID = steveHome-net

[local-internal-network]
ID-type = IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[steveHome-net]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

This is isakmpd.policy on the work end:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

END CONFIG FILES

Now as far as I know the config files are OK (I've tried them every which way). Now here is what I do. I start up the work end of the VPN (isakmpd -d -DA=90 >& outfile) and then start up the home end the same way.

The outfile on the home end is here: http://bartowpc.com/home_outfile
The outfile on the work end is here: http://bartowpc.com/work_outfile (I marked the file about halfway down at around the point where I start my home isakmpd)

I can provide the TCPDUMPS too if necessary. I know this is a lot of info to pore over but I'm at my wits' end. The VPN between my home and work isn't even the ultimate goal here but I'm trying to take it one step at a time.

Thanks a ton for any help!!
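Added example, not from the thread and not OpenBSD's own tooling: a small Python cross-check over two isakmpd.conf fragments modelled on the home/work pair above. It applies the point made earlier in the thread that a quick-mode suite with PFS can never match a peer that negotiates without PFS, and checks that the two sides' Local-ID/Remote-ID networks mirror each other, which is where NO_PROPOSAL_CHOSEN and phase 2 failures on this list tend to come from. The fragments, the trimmed-down sections and the suite lists are constructed for the example; the `Network/Netmask` values are the ones posted above.

```python
import configparser
import ipaddress

# Constructed isakmpd.conf fragments: only the sections the checks below need.
HOME_CONF = """
[Phase 2]
Connections = VPN-home-work
[VPN-home-work]
Configuration = Default-quick-mode
Local-ID = internal-net
Remote-ID = remote-net
[internal-net]
Network = 192.168.2.0
Netmask = 255.255.255.0
[remote-net]
Network = 10.113.10.0
Netmask = 255.255.255.0
[Default-quick-mode]
Suites = QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE
"""

WORK_CONF = """
[Phase 2]
Connections = VPN-Peachnet-steveHome
[VPN-Peachnet-steveHome]
Configuration = Default-quick-mode
Local-ID = local-internal-network
Remote-ID = steveHome-net
[local-internal-network]
Network = 10.113.10.0
Netmask = 255.255.255.0
[steveHome-net]
Network = 192.168.2.0
Netmask = 255.255.255.0
[Default-quick-mode]
Suites = QM-ESP-3DES-SHA-SUITE
"""


def load(text):
    """isakmpd.conf is INI-like; keep option names case-sensitive as isakmpd does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def id_network(cp, section):
    """Network/Netmask of an ID section; raises ValueError on typos such as 172.28.128/0."""
    sec = cp[section]
    return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}")


def connections(cp):
    return [c.strip() for c in cp["Phase 2"]["Connections"].split(",")]


def offered_suites(cp, conn):
    quick_mode = cp[cp[conn]["Configuration"]]
    return [s.strip() for s in quick_mode["Suites"].split(",")]


def usable_suites(cp, conn, peer_pfs):
    """Suites the peer can actually pick: a PFS suite never matches a non-PFS peer, and vice versa."""
    return [s for s in offered_suites(cp, conn) if ("-PFS-" in s) == peer_pfs]


def check_pair(local, lconn, remote, rconn):
    """Mismatches that surface as NO_PROPOSAL_CHOSEN or a failed phase 2 ID match."""
    problems = []
    lsec, rsec = local[lconn], remote[rconn]
    if id_network(local, lsec["Local-ID"]) != id_network(remote, rsec["Remote-ID"]):
        problems.append("local Local-ID does not mirror remote Remote-ID")
    if id_network(local, lsec["Remote-ID"]) != id_network(remote, rsec["Local-ID"]):
        problems.append("local Remote-ID does not mirror remote Local-ID")
    if not set(offered_suites(local, lconn)) & set(offered_suites(remote, rconn)):
        problems.append("no quick-mode suite in common")
    return problems


if __name__ == "__main__":
    home, work = load(HOME_CONF), load(WORK_CONF)
    conn_h, conn_w = connections(home)[0], connections(work)[0]
    print("suites a peer with PFS off can pick:", usable_suites(home, conn_h, peer_pfs=False))
    print("pair problems:", check_pair(home, conn_h, work, conn_w) or "none")
```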