Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site)connection to Cisco device

2015-07-13 Thread Stuart Henderson
On 2015-07-10, Motty Cruz motty.c...@gmail.com wrote:
 Hello,

 I have a gateway machine running OpenBSD 5.5 that won't initiate a connection 
 to the peer. The only way to establish the VPN tunnel is if the peer pings an IP in my 
 subnet.

isakmpd usually tries to bring up the connection as soon as it's configured,
but perhaps this negotiation is failing, maybe due to a firewall rule somewhere
on/near the cisco side?

Last time I setup a VPN with a cisco device, it only brought up the tunnel
from their side on-demand, so if the initiation from isakmpd side fails,
it might rely on network traffic from the peer's side to bring it up.



Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site)connection to Cisco device

2015-07-11 Thread Motty Cruz
Thank you for your suggestion,

I already have connections to peers using isakmpd; I am afraid to bring 
those connections down to switch over to ipsec.conf.

On 07/11/2015 05:02 PM, carlos albino garcia grijalba wrote:
 Use ipsec.conf; the new configuration is simple. I have connections 
 from Cisco peers and the only problem was using
 wrong credentials.

  Date: Fri, 10 Jul 2015 12:59:56 -0700
  From: motty.c...@gmail.com
  To: misc@openbsd.org; motty.c...@gmail.com
  Subject: OpenBSD 5.5 won't initiate VPN (Ipsec 
 site-to-site)connection to Cisco device
 
  Hello,
 
  I have a gateway machine running OpenBSD 5.5 that won't initiate a connection
  to the peer. The only way to establish the VPN tunnel is if the peer pings an IP in my
  subnet.
  in pf.conf
  IpsecClients={ 173.16.2.20/32, 139.19.10.51/32 }
  IpsecHosts={ 192.16.38.24/27 }
 
  # IPSec VPN tunnel
  pass in on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
  pass in on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts
 
 
  isakmpd.conf
  phase 1
  139.19.10.51= ISAKMP-peer-CORP1
  phase 2
  connections = IPsec-CORP1-DataCenter1
 
  #Phase 1 peers
  ## CORP1
  [ISAKMP-peer-CORP1]
  Phase= 1
  Transport= udp
  Address= 139.19.10.51
  Configuration= Default-main-mode3
  Authentication= psecret
 
  # phase 2
  [IPsec-CORP1-DataCenter1]
  Phase= 2
  ISAKMP-peer= ISAKMP-peer-CORP1
  Configuration= Default-quick-mode3
  Local-ID= Net-datacenter1
  Remote-ID= Net-corp1
 
  [IPsec-CORP1-DataCenter2]
  Phase= 2
  ISAKMP-peer= ISAKMP-peer-CORP1
  Configuration= Default-quick-mode3
  Local-ID= Net-datacenter2
  Remote-ID= Net-corp2
 
  any ideas?
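As an added example (written for this page, not taken from any of the posters or from the OpenBSD project), here is what the isakmpd.conf above would look like in ipsec.conf(5) form, which is what carlos suggests and which ipsecctl(8) loads into isakmpd. Only the peer address 139.19.10.51 and the 192.16.38.24/27 range come from the thread; the remote subnets, the second datacenter subnet, the pre-shared key and the cipher/group choices are assumptions, because the [Net-corp1]/[Net-datacenter1] sections and the Cisco-side proposal are not shown. Those proposals must match the Cisco crypto policy and transform set exactly, or phase 1 fails silently from the Cisco side's point of view, which is one way to end up with a tunnel that only comes up when the Cisco initiates. Note also that 192.16.38.24/27 has host bits set; the /27 network it falls in is 192.16.38.0/27.

```conf
# /etc/ipsec.conf -- assumed equivalent of the isakmpd.conf in the thread
# (example configuration, not the poster's file).
# Values marked ASSUMED are made up for this example and must be replaced.
local_gw="192.16.38.24"        # this gateway's outside address (inside the pf $IpsecHosts range)
peer_corp1="139.19.10.51"      # Cisco peer, from [ISAKMP-peer-CORP1]
dc1_net="192.16.38.0/27"       # ASSUMED: Net-datacenter1 (the /27 containing 192.16.38.24)
dc2_net="10.10.2.0/24"         # ASSUMED: Net-datacenter2
corp1_net="10.20.1.0/24"       # ASSUMED: Net-corp1
corp2_net="10.20.2.0/24"       # ASSUMED: Net-corp2

# "ike active" makes isakmpd initiate phase 1 as soon as the rule is loaded
# (active is the default; "passive" would only ever answer the Cisco side).
# The main (phase 1) and quick (phase 2) proposals below are ASSUMED and must
# match the Cisco "crypto isakmp policy" and "crypto ipsec transform-set".
ike active esp from $dc1_net to $corp1_net \
    local $local_gw peer $peer_corp1 \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 \
    psk "REPLACE-WITH-THE-SHARED-SECRET"

# Second phase 2 SA to the same peer, as in [IPsec-CORP1-DataCenter2].
ike active esp from $dc2_net to $corp2_net \
    local $local_gw peer $peer_corp1 \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 \
    psk "REPLACE-WITH-THE-SHARED-SECRET"
```

Syntax-check with `ipsecctl -nf /etc/ipsec.conf`, load with `ipsecctl -f /etc/ipsec.conf`, and confirm the flows and SAs with `ipsecctl -sa`. To see whether the initiation Stuart mentions is actually leaving the box and getting an answer, watch the outside interface with `tcpdump -ni $OUTSIDE udp port 500 or udp port 4500 or ip proto 50` while running `isakmpd -K -d -D A=90` in the foreground; no reply to the outgoing UDP 500 packets points at a filter between the two gateways, while a reply followed by an immediate teardown usually means mismatched proposals or a wrong pre-shared key. If either side is behind NAT, the pf rules in the thread also need to pass UDP port 4500 (NAT-T), which they currently do not.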