Jason Dixon wrote:
On Jan 4, 2006, at 9:32 AM, Håkan Olsson wrote:
On 4 jan 2006, at 05.57, Jason Dixon wrote:
After some gentle persuading by Adrian Close, I dropped ipsecadm and
went back to automatic key exchange with isakmpd. A quick
configuration based on the east/west and all is good. Same PF
configuration, no changes there except for the addition of ISAKMP
traffic. Don't know what the problem was, although I'm sure it was
user related.
Your manual setup only included one SA (SPI 0x100a), and you always
need at least two, as an SA is unidirectional.
I tried that too before moving over to ISAKMP. It was still behaving
the same, but it was probably user error.
Thanks,
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Here is the most simple manual keying setup I could make:
I can create a manually keyed host to host vpn with two lines in
/etc/ipsec.conf
On the other host, just make sure to swap the IPs, SPI numbers and the
auth and enc keys. The key values are for testing only.
flow esp from 192.168.71.129 to 192.168.71.128
esp from 192.168.71.129 to 192.168.71.128 spi 0x1000:0x1001 \
    authkey 0x0000000000000000000000000000000000000000000000000000000000000000:0x0000000000000000000000000000000000000000000000000000000000000001 \
    enckey 0x0000000000000000000000000000000000000000:0x0000000000000000000000000000000000000001
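The mirrored pair of configs for both hosts, as an added example that is not part of the thread or of OpenBSD's own tooling. It generates random keys from /dev/urandom instead of the all-zero test values above, names the algorithms explicitly rather than relying on the defaults of the day (auth hmac-sha2-256 with a 32-byte key and enc aes-128 with a 16-byte key, both assumptions), checks the key lengths before printing, and shows the in/out swap for the second host. The 10.0.0.x addresses in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build the mirrored ipsec.conf(5) pair
# for a manually keyed host-to-host SA on two OpenBSD hosts.
# Assumptions (not from the original post): the algorithms are named
# explicitly as auth hmac-sha2-256 (32-byte key) and enc aes-128 (16-byte
# key) instead of relying on ipsecctl's defaults, and keys come from
# /dev/urandom rather than the all-zero test values in the post.

# gen_key NBYTES: print NBYTES of random key material as a 0x-prefixed hex string.
gen_key() {
    printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# hex_bytes KEY: number of bytes encoded by a 0x-prefixed hex key.
hex_bytes() {
    hk=${1#0x}
    echo $(( ${#hk} / 2 ))
}

# sa_conf LOCAL REMOTE SPI_OUT SPI_IN AUTH_OUT AUTH_IN ENC_OUT ENC_IN
# Print one host's two ipsec.conf rules.  In "spi a:b", "authkey a:b" and
# "enckey a:b" the first value belongs to the outbound SA (LOCAL -> REMOTE)
# and the second to the inbound SA; an SA is unidirectional, so both are
# always required, which is why a single-SPI setup never passes traffic.
sa_conf() {
    lcl=$1 rmt=$2 spi_out=$3 spi_in=$4
    auth_out=$5 auth_in=$6 enc_out=$7 enc_in=$8
    for k in "$auth_out" "$auth_in"; do
        [ "$(hex_bytes "$k")" -eq 32 ] || { echo "authkey must be 32 bytes for hmac-sha2-256" >&2; return 1; }
    done
    for k in "$enc_out" "$enc_in"; do
        [ "$(hex_bytes "$k")" -eq 16 ] || { echo "enckey must be 16 bytes for aes-128" >&2; return 1; }
    done
    # Backslash line continuation works as in pf.conf.
    printf 'flow esp from %s to %s\n' "$lcl" "$rmt"
    printf 'esp from %s to %s spi %s:%s \\\n' "$lcl" "$rmt" "$spi_out" "$spi_in"
    printf '    auth hmac-sha2-256 enc aes-128 \\\n'
    printf '    authkey %s:%s \\\n' "$auth_out" "$auth_in"
    printf '    enckey %s:%s\n' "$enc_out" "$enc_in"
}

# peer_conf A B SPI_AB SPI_BA: generate fresh keys once and print the
# config for host A followed by the config for host B.  Host B gets the
# same keys and SPIs with the addresses and the in/out order swapped,
# which is exactly the "swap the IPs, SPI numbers and keys" step.
peer_conf() {
    a=$1 b=$2 spi_ab=$3 spi_ba=$4
    auth_ab=$(gen_key 32) auth_ba=$(gen_key 32)
    enc_ab=$(gen_key 16) enc_ba=$(gen_key 16)
    echo "# /etc/ipsec.conf on $a"
    sa_conf "$a" "$b" "$spi_ab" "$spi_ba" "$auth_ab" "$auth_ba" "$enc_ab" "$enc_ba"
    echo "# /etc/ipsec.conf on $b"
    sa_conf "$b" "$a" "$spi_ba" "$spi_ab" "$auth_ba" "$auth_ab" "$enc_ba" "$enc_ab"
}

# Run directly with the two addresses and two SPIs, e.g.
#   sh gen-manual-sa.sh 192.168.71.129 192.168.71.128 0x1000 0x1001
if [ "$#" -eq 4 ]; then
    peer_conf "$@"
fi
```

Load both outputs with `ipsecctl -f /etc/ipsec.conf` on the respective host and compare `ipsecctl -sa` on each: every SPI should show up once as an outgoing and once as an incoming SA, with the same key material on both ends.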