Please cc me on replies. Can't seem to get this to work. I was following the directions from http://stuffresearch.tor.hu/?p=64 Both OpenBSD 4.9 machines are behind NAT, but set as DMZ(crappy linksys routers) PF is default hasn't been changed.
I SCPed the local.pubs into the /etc/isakmpd/pubkeys/ipv4/ipaddress Site A: local_ip="1.2.3.4" local_network="192.168.1.0" remote_ip="5.6.7.8" remote_network="10.10.2.0/24" ike passive esp from $local_network to $remote_network peer $remote_ip ike passive esp from $local_ip to $remote_network peer $remote_ip ike passive esp from $local_ip to $remote_ip Site B: local_ip="5.6.7.8" local_network="10.10.2.0/24" remote_ip="1.2.3.4" remote_network="192.168.1.0/24" ike esp from $local_network to $remote_network peer $remote_ip srcid 5.6.7.8 dstid 1.2.3.4 ike esp from $local_ip to $remote_network peer $remote_ip srcid 5.6.7.8 dstid 1.2.3.4 ike esp from $local_ip to $remote_ip srcid 5.6.7.8 dstid 1.2.3.4 Site A: # isakmpd -KdD A=20 & [1] 3084 # 163327.982146 Default log_debug_cmd: log level changed from 0 to 20 for class 0 [priv] 163327.982627 Default log_debug_cmd: log level changed from 0 to 20 for class 1 [priv] 163327.982632 Default log_debug_cmd: log level changed from 0 to 20 for class 2 [priv] 163327.982639 Default log_debug_cmd: log level changed from 0 to 20 for class 3 [priv] 163327.982645 Default log_debug_cmd: log level changed from 0 to 20 for class 4 [priv] 163327.982651 Default log_debug_cmd: log level changed from 0 to 20 for class 5 [priv] 163327.982657 Default log_debug_cmd: log level changed from 0 to 20 for class 6 [priv] 163327.982663 Default log_debug_cmd: log level changed from 0 to 20 for class 7 [priv] 163327.982669 Default log_debug_cmd: log level changed from 0 to 20 for class 8 [priv] 163327.982675 Default log_debug_cmd: log level changed from 0 to 20 for class 9 [priv] 163327.982681 Default log_debug_cmd: log level changed from 0 to 20 for class 10 [priv] 163327.982687 Default isakmpd: starting [priv] 163328.066400 Misc 10 monitor_init: privileges dropped for child process 163328.136903 Misc 20 udp_make: transport 0x8096f200 socket 8 ip 127.0.0.1 port 500 163328.138081 Misc 20 udp_encap_make: transport 0x8096f440 socket 9 ip 127.0.0.1 port 4500 163328.139017 Misc 20 udp_make: transport 0x8096f3c0 socket 10 ip ::1 port 500 163328.139914 Misc 20 udp_encap_make: transport 0x8096f380 socket 11 ip ::1 port 4500 163328.140764 Misc 20 udp_make: transport 0x8096f100 socket 12 ip fe80:3::1 port 500 163328.141634 Misc 20 udp_encap_make: transport 0x8096f800 socket 13 ip fe80:3::1 port 4500 163328.142544 Misc 20 udp_make: transport 0x8096f7c0 socket 14 ip 192.168.1.200 port 500 163328.143391 Misc 20 udp_encap_make: transport 0x8096f580 socket 15 ip 192.168.1.200 port 4500 163328.144297 Misc 20 udp_make: transport 0x8096f8c0 socket 16 ip fe80:1::20c:29ff:fe03:c119 port 500 163328.145217 Misc 20 udp_encap_make: transport 0x8096f900 socket 17 ip fe80:1::20c:29ff:fe03:c119 port 4500 163328.146154 Misc 20 udp_make: transport 0x8096fa00 socket 18 ip 0.0.0.0 port 500 163328.146984 Misc 20 udp_encap_make: transport 0x8096f080 socket 19 ip 0.0.0.0 port 4500 163328.147902 Misc 20 udp_make: transport 0x8096f9c0 socket 20 ip :: port 500 163328.148795 Misc 20 udp_encap_make: transport 0x8096fb40 socket 21 ip :: port 4500 # ipsecctl -f /etc/ipsec.conf 163333.119487 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s # 163333.120293 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0) 163333.120606 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s 163333.120805 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0) 163333.121106 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s 163338.127294 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0) 163350.391022 Timr 10 timer_add_event: event exchange_free_aux(0x85e34800) added last, expiration in 120s 163350.391778 Exch 10 exchange_setup_p1: 0x85e34800 peer-5.6.7.8 phase1-peer-5.6.7.8 policy responder phase 1 doi 1 exchange 2 step 0 163350.392135 Exch 10 exchange_setup_p1: icookie 3bf0675c2a37c56e rcookie e7e8262cb1189387 163350.392450 Exch 10 exchange_setup_p1: msgid 00000000 163350.392736 Exch 10 check_vendor_openbsd: OpenBSD (OpenBSD-4.0) 163350.393058 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163350.393356 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163350.393678 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163350.393982 Exch 10 dpd_check_vendor_payload: DPD capable peer detected 163350.394272 Negt 20 ike_phase_1_validate_prop: success 163350.394753 Misc 20 ipsec_decode_transform: transform 0 chosen 163350.395501 Timr 10 timer_add_event: event message_send_expire(0x85e33680) added before exchange_free_aux(0x85e34800), expiration in 7s 163350.511194 Mesg 20 message_free: freeing 0x85e33680 163350.511491 Timr 10 timer_remove_event: removing event message_send_expire(0x85e33680) 163350.511783 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it 163350.512150 Mesg 20 message_free: freeing 0x85e33300 163350.528294 Timr 10 timer_add_event: event message_send_expire(0x85e33600) added before exchange_free_aux(0x85e34800), expiration in 7s 163350.647400 Mesg 20 message_free: freeing 0x85e33600 163350.647700 Timr 10 timer_remove_event: removing event message_send_expire(0x85e33600) 163350.650347 Mesg 20 message_free: freeing 0x85e33500 163350.650935 Misc 10 rsa_sig_encode_hash: no certificate to send for id ipv4/192.168.1.200 163350.687161 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange 163350.688599 Exch 10 exchange_finalize: 0x85e34800 peer-5.6.7.8 phase1-peer-5.6.7.8 policy responder phase 1 doi 1 exchange 2 step 6 163350.688945 Exch 10 exchange_finalize: icookie 3bf0675c2a37c56e rcookie e7e8262cb1189387 163350.689263 Exch 10 exchange_finalize: msgid 00000000 163350.689676 Exch 10 exchange_finalize: phase 1 done: initiator id 5.6.7.8, responder id 192.168.1.200, src: 192.168.1.200 dst: 5.6.7.8 163350.690011 Timr 10 timer_add_event: event sa_soft_expire(0x85e34500) added last, expiration in 3250s 163350.690344 Timr 10 timer_add_event: event sa_hard_expire(0x85e34500) added last, expiration in 3600s Site B: # isakmpd -KdD A=20 & [1] 8000 # 163339.716208 Default log_debug_cmd: log level changed from 0 to 20 for class 0 [priv] 163339.716214 Default log_debug_cmd: log level changed from 0 to 20 for class 1 [priv] 163339.716220 Default log_debug_cmd: log level changed from 0 to 20 for class 2 [priv] 163339.716226 Default log_debug_cmd: log level changed from 0 to 20 for class 3 [priv] 163339.716232 Default log_debug_cmd: log level changed from 0 to 20 for class 4 [priv] 163339.716238 Default log_debug_cmd: log level changed from 0 to 20 for class 5 [priv] 163339.716244 Default log_debug_cmd: log level changed from 0 to 20 for class 6 [priv] 163339.716250 Default log_debug_cmd: log level changed from 0 to 20 for class 7 [priv] 163339.716256 Default log_debug_cmd: log level changed from 0 to 20 for class 8 [priv] 163339.716262 Default log_debug_cmd: log level changed from 0 to 20 for class 9 [priv] 163339.716268 Default log_debug_cmd: log level changed from 0 to 20 for class 10 [priv] 163339.716274 Default isakmpd: starting [priv] 163339.721586 Misc 10 monitor_init: privileges dropped for child process 163339.786856 Misc 20 udp_make: transport 0x8270f600 socket 8 ip 127.0.0.1 port 500 163339.787848 Misc 20 udp_encap_make: transport 0x8270f100 socket 9 ip 127.0.0.1 port 4500 163339.788727 Misc 20 udp_make: transport 0x8270f000 socket 10 ip ::1 port 500 163339.789578 Misc 20 udp_encap_make: transport 0x8270f440 socket 11 ip ::1 port 4500 163339.790447 Misc 20 udp_make: transport 0x8270f780 socket 12 ip fe80:3::1 port 500 163339.791318 Misc 20 udp_encap_make: transport 0x8270f340 socket 13 ip fe80:3::1 port 4500 163339.792190 Misc 20 udp_make: transport 0x8270f8c0 socket 14 ip 10.10.2.200 port 500 163339.793013 Misc 20 udp_encap_make: transport 0x8270f080 socket 15 ip 10.10.2.200 port 4500 163339.793913 Misc 20 udp_make: transport 0x8270f240 socket 16 ip fe80:1::20c:29ff:feeb:3115 port 500 163339.794815 Misc 20 udp_encap_make: transport 0x8270f740 socket 17 ip fe80:1::20c:29ff:feeb:3115 port 4500 163339.795699 Misc 20 udp_make: transport 0x8270f900 socket 18 ip 0.0.0.0 port 500 163339.796518 Misc 20 udp_encap_make: transport 0x8270f980 socket 19 ip 0.0.0.0 port 4500 163339.797425 Misc 20 udp_make: transport 0x8270fac0 socket 20 ip :: port 500 163339.798296 Misc 20 udp_encap_make: transport 0x8270f800 socket 21 ip :: port 4500 # ipsecctl -f /etc/ipsec.conf 163344.637548 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s # 163344.640457 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0) 163344.640797 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s 163344.641471 Timr 10 timer_remove_event: removing event ui_conn_reinit(0x0) 163344.642214 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s # 163349.644674 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0) 163349.645090 Timr 10 timer_add_event: event connection_checker(0x81981900) added last, expiration in 0s 163349.645433 Timr 10 timer_add_event: event connection_checker(0x819814f0) added last, expiration in 0s 163349.645895 Timr 10 timer_add_event: event connection_checker(0x81981740) added last, expiration in 0s 163349.646289 Timr 10 timer_handle_expirations: event connection_checker(0x81981900) 163349.646688 Timr 10 timer_add_event: event connection_checker(0x81981900) added last, expiration in 60s 163349.647019 Timr 10 timer_add_event: event exchange_free_aux(0x80c7e900) added last, expiration in 120s 163349.647397 Exch 10 exchange_establish_p1: 0x80c7e900 peer-1.2.3.4 phase1-peer-1.2.3.4 policy initiator phase 1 doi 1 exchange 2 step 0 163349.647782 Exch 10 exchange_establish_p1: icookie 3bf0675c2a37c56e rcookie 0000000000000000 163349.648097 Exch 10 exchange_establish_p1: msgid 00000000 163349.648644 Timr 10 timer_handle_expirations: event connection_checker(0x819814f0) 163349.648945 Timr 10 timer_add_event: event connection_checker(0x819814f0) added before exchange_free_aux(0x80c7e900), expiration in 60s 163349.649267 Timr 10 timer_handle_expirations: event connection_checker(0x81981740) 163349.649582 Timr 10 timer_add_event: event connection_checker(0x81981740) added before exchange_free_aux(0x80c7e900), expiration in 60s 163349.650214 Timr 10 timer_add_event: event message_send_expire(0x80c83000) added before connection_checker(0x81981900), expiration in 7s 163349.780186 Mesg 20 message_free: freeing 0x80c83000 163349.780873 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83000) 163349.781198 Exch 10 check_vendor_openbsd: OpenBSD (OpenBSD-4.0) 163349.781559 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163349.781910 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163349.782232 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163349.782555 Exch 10 dpd_check_vendor_payload: DPD capable peer detected 163349.782928 Negt 20 ike_phase_1_validate_prop: success 163349.783360 Misc 20 ipsec_decode_transform: transform 0 chosen 163349.799858 Timr 10 timer_add_event: event message_send_expire(0x80c83a00) added before connection_checker(0x81981900), expiration in 7s 163349.892658 Mesg 20 message_free: freeing 0x80c83a00 163349.893230 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83a00) 163349.893730 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it 163349.908940 Mesg 20 message_free: freeing 0x80c83900 163349.909642 Misc 10 rsa_sig_encode_hash: no certificate to send for id ipv4/5.6.7.8 163349.940068 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange 163349.940399 Timr 10 timer_add_event: event message_send_expire(0x80c83880) added before connection_checker(0x81981900), expiration in 7s 163350.057676 Mesg 20 message_free: freeing 0x80c83880 163350.058382 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83880) 163350.058716 Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4 163350.059087 Mesg 20 message_free: freeing 0x80c83000 163449.655169 Timr 10 timer_handle_expirations: event connection_checker(0x81981900) 163449.655590 Timr 10 timer_add_event: event connection_checker(0x81981900) added last, expiration in 60s 163449.655947 Timr 10 timer_handle_expirations: event connection_checker(0x819814f0) 163449.656319 Timr 10 timer_add_event: event connection_checker(0x819814f0) added last, expiration in 60s 163449.656662 Timr 10 timer_handle_expirations: event connection_checker(0x81981740) 163449.657001 Timr 10 timer_add_event: event connection_checker(0x81981740) added last, expiration in 60s 163549.655730 Timr 10 timer_handle_expirations: event exchange_free_aux(0x80c7e900) 163549.656126 Mesg 20 message_free: freeing 0x80c83e00 163549.656446 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8270f9c0 (from-10.10.2.0/24-to-192.168.1.0/24) & fail = 1 163549.656835 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8270f7c0 (from-5.6.7.8-to-192.168.1.0/24) & fail = 1 163549.657203 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8ad436c0 (from-5.6.7.8-to-1.2.3.4) & fail = 1 163549.657593 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8ad43000 (from-10.10.2.0/24-to-192.168.1.0/24) & fail = 1 163549.657962 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8ad43300 (from-5.6.7.8-to-192.168.1.0/24) & fail = 1 163549.658319 Exch 20 exchange_establish_finalize: finalizing exchange 0x80c7e900 with arg 0x8ad435c0 (from-5.6.7.8-to-1.2.3.4) & fail = 1 163549.658694 Timr 10 timer_handle_expirations: event connection_checker(0x81981900) 163549.659055 Timr 10 timer_add_event: event connection_checker(0x81981900) added last, expiration in 60s 163549.659415 Timr 10 timer_add_event: event exchange_free_aux(0x80c7e900) added last, expiration in 120s 163549.659862 Exch 10 exchange_establish_p1: 0x80c7e900 peer-1.2.3.4 phase1-peer-1.2.3.4 policy initiator phase 1 doi 1 exchange 2 step 0 163549.660228 Exch 10 exchange_establish_p1: icookie 156ffad03da4c6af rcookie 0000000000000000 163549.660579 Exch 10 exchange_establish_p1: msgid 00000000 163549.661406 Timr 10 timer_add_event: event message_send_expire(0x80c83580) added before connection_checker(0x81981900), expiration in 7s 163549.661775 Timr 10 timer_handle_expirations: event connection_checker(0x819814f0) 163549.662107 Timr 10 timer_add_event: event connection_checker(0x819814f0) added before exchange_free_aux(0x80c7e900), expiration in 60s 163549.662450 Timr 10 timer_handle_expirations: event connection_checker(0x81981740) 163549.662841 Timr 10 timer_add_event: event connection_checker(0x81981740) added before exchange_free_aux(0x80c7e900), expiration in 60s 163549.805667 Mesg 20 message_free: freeing 0x80c83580 163549.806394 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83580) 163549.806775 Exch 10 check_vendor_openbsd: OpenBSD (OpenBSD-4.0) 163549.807136 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163549.807462 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163549.807836 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected 163549.808158 Exch 10 dpd_check_vendor_payload: DPD capable peer detected 163549.808622 Negt 20 ike_phase_1_validate_prop: success 163549.808934 Misc 20 ipsec_decode_transform: transform 0 chosen 163549.824757 Timr 10 timer_add_event: event message_send_expire(0x80c83c80) added before connection_checker(0x81981900), expiration in 7s 163549.918014 Mesg 20 message_free: freeing 0x80c83c80 163549.918344 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83c80) 163549.918676 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it 163549.934340 Mesg 20 message_free: freeing 0x80c83a80 163549.934802 Misc 10 rsa_sig_encode_hash: no certificate to send for id ipv4/5.6.7.8 163549.964204 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange 163549.964443 Timr 10 timer_add_event: event message_send_expire(0x80c83f00) added before connection_checker(0x81981900), expiration in 7s 163550.070935 Mesg 20 message_free: freeing 0x80c83f00 163550.071657 Timr 10 timer_remove_event: removing event message_send_expire(0x80c83f00) 163550.071978 Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4 163550.072365 Mesg 20 message_free: freeing 0x80c83a00
