misc@, after working on this for a while, I've decided that I'm definitely doing something wrong. I'm trying to set up a very basic IPSec tunnel between two hosts, but am not getting anywhere.

hostA is 192.168.1.5, hostB is 192.168.1.6 -- they are connected via a crossover cable. I can ping, use nc, connect via SSH just fine. They are both brand new OpenBSD 4.0 installs, patches applied, running GENERIC kernel.

hostA /etc/ipsec.conf
---------------------
ike passive esp from 192.168.1.5 to 192.168.1.6

hostB /etc/ipsec.conf
---------------------
ike esp from 192.168.1.6 to 192.168.1.5

hostA's local.pub is on hostB @ /etc/isakmpd/pubkeys/ipv4/192.168.1.5
hostB's local.pub is on hostA @ /etc/isakmpd/pubkeys/ipv4/192.168.1.6

Output of '/sbin/isakmpd -SKvd' gives no output on either host. pf is disabled on both hosts.

hostA 'ipsecctl -vf /etc/ipsec.conf' output
-------------------------------------------
C set [Phase 1]:192.168.1.6=peer-192.168.1.6 force
C set [peer-192.168.1.6]:Phase=1 force
C set [peer-192.168.1.6]:Address=192.168.1.6 force
C set [peer-192.168.1.6]:Configuration=mm-192.168.1.6 force
C set [mm-192.168.1.6]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.1.6]:Transforms=AES-SHA-RSA_SIG force
C set [IPsec-192.168.1.5-192.168.1.6]:Phase=2 force
C set [IPsec-192.168.1.5-192.168.1.6]:ISAKMP-peer=peer-192.168.1.6 force
C set [IPsec-192.168.1.5-192.168.1.6]:Configuration=qm-192.168.1.5-192.168.1.6 force
C set [IPsec-192.168.1.5-192.168.1.6]:Local-ID=lid-192.168.1.5 force
C set [IPsec-192.168.1.5-192.168.1.6]:Remote-ID=rid-192.168.1.6 force
C set [qm-192.168.1.5-192.168.1.6]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-192.168.1.5-192.168.1.6]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-192.168.1.5]:ID-type=IPV4_ADDR force
C set [lid-192.168.1.5]:Address=192.168.1.5 force
C set [rid-192.168.1.6]:ID-type=IPV4_ADDR force
C set [rid-192.168.1.6]:Address=192.168.1.6 force
C add [Phase 2]:Passive-Connections=IPsec-192.168.1.5-192.168.1.6

hostA 'ipsecctl -vf /etc/ipsec.conf' output
-------------------------------------------
C set [Phase 1]:192.168.1.5=peer-192.168.1.5 force
C set [peer-192.168.1.5]:Phase=1 force
C set [peer-192.168.1.5]:Address=192.168.1.5 force
C set [peer-192.168.1.5]:Configuration=mm-192.168.1.5 force
C set [mm-192.168.1.5]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.1.5]:Transforms=AES-SHA-RSA_SIG force
C set [IPsec-192.168.1.6-192.168.1.5]:Phase=2 force
C set [IPsec-192.168.1.6-192.168.1.5]:ISAKMP-peer=peer-192.168.1.5 force
C set [IPsec-192.168.1.6-192.168.1.5]:Configuration=qm-192.168.1.6-192.168.1.5 force
C set [IPsec-192.168.1.6-192.168.1.5]:Local-ID=lid-192.168.1.6 force
C set [IPsec-192.168.1.6-192.168.1.5]:Remote-ID=rid-192.168.1.5 force
C set [qm-192.168.1.6-192.168.1.5]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-192.168.1.6-192.168.1.5]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-192.168.1.6]:ID-type=IPV4_ADDR force
C set [lid-192.168.1.6]:Address=192.168.1.6 force
C set [rid-192.168.1.5]:ID-type=IPV4_ADDR force
C set [rid-192.168.1.5]:Address=192.168.1.5 force
C add [Phase 2]:Connections=IPsec-192.168.1.6-192.168.1.5

And so I get nothing, not even the slightest output from /sbin/isakmpd, even when I turn the debugging way up via '-D A=50'. It's almost like neither host is even attempting to send out a connection attempt. Just to be extra sure I've also tried just about every permutation of IKE modes -- both active, both dynamic, taking turns as passive -- to no avail.

I'm pretty sure there is some glaringly obvious step or configuration that I've missed. From what I've gathered, this should have been really easy to do... I just think I'm to that point where even if there was something really wrong staring back at me I wouldn't see it because I've been looking at the same stuff for too long now.

Please help.

ryanc

--
Ryan Corder <[EMAIL PROTECTED]>
Systems Engineer, NovaSys Health LLC.
501-219-4444 ext. 646
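As an added example (not part of the original post, and not one of OpenBSD's own tools), the script below parses the `C set` / `C add` lines that `ipsecctl -vf` prints on each host and cross-checks the two generated configs: the flow endpoints must be mirror images, the phase 2 suite must match, and the two peers must not both be passive (a passive peer only waits, so two passive peers never start an exchange). The embedded sample lines are a subset of the output quoted in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant subset of the ipsecctl -vf lines from the post.
HOSTA_OUT = """\
C set [IPsec-192.168.1.5-192.168.1.6]:Configuration=qm-192.168.1.5-192.168.1.6 force
C set [IPsec-192.168.1.5-192.168.1.6]:Local-ID=lid-192.168.1.5 force
C set [IPsec-192.168.1.5-192.168.1.6]:Remote-ID=rid-192.168.1.6 force
C set [qm-192.168.1.5-192.168.1.6]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-192.168.1.5]:Address=192.168.1.5 force
C set [rid-192.168.1.6]:Address=192.168.1.6 force
C add [Phase 2]:Passive-Connections=IPsec-192.168.1.5-192.168.1.6
"""
HOSTB_OUT = """\
C set [IPsec-192.168.1.6-192.168.1.5]:Configuration=qm-192.168.1.6-192.168.1.5 force
C set [IPsec-192.168.1.6-192.168.1.5]:Local-ID=lid-192.168.1.6 force
C set [IPsec-192.168.1.6-192.168.1.5]:Remote-ID=rid-192.168.1.5 force
C set [qm-192.168.1.6-192.168.1.5]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-192.168.1.6]:Address=192.168.1.6 force
C set [rid-192.168.1.5]:Address=192.168.1.5 force
C add [Phase 2]:Connections=IPsec-192.168.1.6-192.168.1.5
"""
# "C set|add [section]:key=value [force]"
LINE = re.compile(r"^C (?:set|add) \[([^\]]+)\]:([^=]+)=(\S+)")

def parse(text):
    """Turn ipsecctl -vf output into {section: {key: value}}."""
    cfg = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            sect, key, val = m.groups()
            cfg[sect][key] = val
    return cfg

def flow(cfg):
    """(local addr, remote addr, phase 2 suite, passive?) of the one connection."""
    p2 = cfg["Phase 2"]
    passive = "Passive-Connections" in p2
    sect = cfg[p2["Passive-Connections" if passive else "Connections"]]
    return (cfg[sect["Local-ID"]]["Address"], cfg[sect["Remote-ID"]]["Address"],
            cfg[sect["Configuration"]]["Suites"], passive)

def check_peers(a, b):
    """List mismatches between the two peers' generated configs (empty == consistent)."""
    la, ra, sa, pa = flow(parse(a))
    lb, rb, sb, pb = flow(parse(b))
    problems = []
    if (la, ra) != (rb, lb):
        problems.append("flow endpoints are not mirror images")
    if sa != sb:
        problems.append("phase 2 suites differ: %s vs %s" % (sa, sb))
    if pa and pb:
        problems.append("both peers passive: neither will initiate")
    return problems
```

Running `check_peers(HOSTA_OUT, HOSTB_OUT)` on the post's two outputs returns an empty list, i.e. the generated configs themselves are consistent.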