Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
On 2015-07-10, Motty Cruz motty.c...@gmail.com wrote:
> Hello, I have a gateway machine OpenBSD 5.5 that won't initiate a connection to the peer. The only way to establish the VPN tunnel is if the peer pings an IP in my subnet.

isakmpd usually tries to bring up the connection as soon as it's configured, but perhaps this negotiation is failing, maybe due to a firewall rule somewhere on/near the cisco side? Last time I set up a VPN with a cisco device, it only brought up the tunnel from their side on demand, so if the initiation from the isakmpd side fails, it might rely on network traffic from the peer's side to bring it up.
Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
Thank you for your suggestion. I already have connections to peers using isakmpd; I am afraid to bring those connections down to switch over to ipsec.

On 07/11/2015 05:02 PM, carlos albino garcia grijalba wrote:
> use ipsec.conf, the new configuration is simple. I have connections from cisco peers and the only problem was using wrong credentials
>
> > Date: Fri, 10 Jul 2015 12:59:56 -0700
> > From: motty.c...@gmail.com
> > To: misc@openbsd.org; motty.c...@gmail.com
> > Subject: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site) connection to Cisco device
> >
> > Hello, I have a gateway machine OpenBSD 5.5 that won't initiate a connection to the peer. The only way to establish the VPN tunnel is if the peer pings an IP in my subnet.
> >
> > in pf.conf
> >
> >   IpsecClients={ 173.16.2.20/32, 139.19.10.51/32 }
> >   IpsecHosts={ 192.16.38.24/27 }
> >
> >   # IPSec VPN tunnel
> >   pass in on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
> >   pass in on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts
> >
> > isakmpd.conf
> >
> >   [Phase 1]
> >   139.19.10.51=   ISAKMP-peer-CORP1
> >
> >   [Phase 2]
> >   Connections=    IPsec-CORP1-DataCenter1
> >
> >   #Phase 1 peers
> >   ## CORP1
> >   [ISAKMP-peer-CORP1]
> >   Phase=          1
> >   Transport=      udp
> >   Address=        139.19.10.51
> >   Configuration=  Default-main-mode3
> >   Authentication= psecret
> >
> >   # phase 2
> >   [IPsec-CORP1-DataCenter1]
> >   Phase=          2
> >   ISAKMP-peer=    ISAKMP-peer-CORP1
> >   Configuration=  Default-quick-mode3
> >   Local-ID=       Net-datacenter1
> >   Remote-ID=      Net-corp1
> >
> >   [IPsec-CORP1-DataCenter2]
> >   Phase=          2
> >   ISAKMP-peer=    ISAKMP-peer-CORP1
> >   Configuration=  Default-quick-mode3
> >   Local-ID=       Net-datacenter2
> >   Remote-ID=      Net-corp2
> >
> > any ideas?
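As an added example (my own code, not from the thread and not part of OpenBSD's isakmpd), here is a small Python cross-reference checker for isakmpd.conf. It flags the two configuration slips that most quietly leave a tunnel waiting for the peer to open it: a tag that names a section the file never defines (a Configuration=, Local-ID= or Remote-ID= value, or a peer/connection tag in [Phase 1]/[Phase 2]), and a Phase 2 section that is never listed under [Phase 2] Connections= (isakmpd only initiates connections named there; Passive-connections= entries are only accepted from the peer). The embedded sample configuration is constructed, using RFC 5737 documentation addresses and made-up tags, and the list of sections treated as compiled-in defaults (Default-main-mode and friends) is an assumption of this checker.

```python
"""Cross-reference checker for isakmpd.conf (added example; not from the thread
or from OpenBSD's isakmpd). The file is INI-like: [Section] headers, "Key= Value"
lines and '#' comment lines. Tags in [Phase 1]/[Phase 2] and the values of
ISAKMP-peer=, Configuration=, Local-ID= and Remote-ID= must name other sections."""
import re
from typing import Dict, List

# Keys whose value must name another section.
REFERENCE_KEYS = {"ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID"}
# Sections assumed to come from isakmpd's compiled-in defaults (assumption of
# this checker); a file may still override them explicitly.
BUILTIN_SECTIONS = {"Default-main-mode", "Default-aggressive-mode", "Default-quick-mode"}


def parse_isakmpd_conf(text: str) -> Dict[str, Dict[str, str]]:
    # Returns {section name: {key: value}} in file order; stray lines are an error.
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def split_list(value: str) -> List[str]:
    # Comma-separated tag lists, as used by Connections= and Passive-connections=.
    return [tag.strip() for tag in value.split(",") if tag.strip()]


def find_config_problems(sections: Dict[str, Dict[str, str]]) -> List[str]:
    # Dangling references and Phase 2 sections that nothing ever starts.
    problems: List[str] = []

    def defined(tag: str) -> bool:
        return tag in sections or tag in BUILTIN_SECTIONS

    # [Phase 1]: "<address>= <peer tag>" (or "Default= <peer tag>").
    for address, value in sections.get("Phase 1", {}).items():
        for tag in split_list(value):
            if not defined(tag):
                problems.append(f"[Phase 1] {address}= {tag}: no section [{tag}] defined")

    # [Phase 2]: Connections= are initiated by isakmpd itself,
    # Passive-connections= are only accepted when the peer proposes them.
    listed = set()
    for key in ("Connections", "Passive-connections"):
        for tag in split_list(sections.get("Phase 2", {}).get(key, "")):
            listed.add(tag)
            if not defined(tag):
                problems.append(f"[Phase 2] {key}= {tag}: no section [{tag}] defined")

    for name, values in sections.items():
        for key, value in values.items():
            if key in REFERENCE_KEYS and not defined(value):
                problems.append(f"[{name}] {key}= {value}: no section [{value}] defined")
        if values.get("Phase") == "2" and name not in listed:
            problems.append(f"[{name}] is a Phase 2 section but is not listed under "
                            f"[Phase 2] Connections= or Passive-connections=, "
                            f"so isakmpd will never initiate it")
    return problems


# Constructed sample in the shape of the thread's configuration: documentation
# addresses and made-up tags, not the poster's file. Site2 carries three defects.
SAMPLE_CONF = """\
[Phase 1]
198.51.100.7=   ISAKMP-peer-EXAMPLE
[Phase 2]
Connections=    IPsec-EXAMPLE-Site1
[ISAKMP-peer-EXAMPLE]
Phase=          1
Transport=      udp
Address=        198.51.100.7
Configuration=  Default-main-mode
Authentication= PSK-PLACEHOLDER
[IPsec-EXAMPLE-Site1]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-EXAMPLE
Configuration=  Default-quick-mode
Local-ID=       Net-site1
Remote-ID=      Net-example
# Site2: undefined Configuration, undefined Local-ID, not listed under Connections=
[IPsec-EXAMPLE-Site2]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-EXAMPLE
Configuration=  Quick-mode-custom
Local-ID=       Net-site2
Remote-ID=      Net-example
[Net-site1]
ID-type=        IPV4_ADDR_SUBNET
Network=        192.0.2.0
Netmask=        255.255.255.224
[Net-example]
ID-type=        IPV4_ADDR_SUBNET
Network=        203.0.113.0
Netmask=        255.255.255.0
"""

if __name__ == "__main__":
    for problem in find_config_problems(parse_isakmpd_conf(SAMPLE_CONF)):
        print(problem)
```

To run it against a live gateway, read /etc/isakmpd/isakmpd.conf into parse_isakmpd_conf() instead of SAMPLE_CONF. A separate thing worth checking on the pf side: the pf.conf fragment quoted in the thread only carries pass in rules, so if that ruleset starts from a block all policy, isakmpd's own outgoing IKE (udp port 500, plus udp 4500 when NAT-T is involved) and ESP also need matching pass out rules to the peer; without them only the peer can open the tunnel, which would fit the reported symptom.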