Hi Stuart,

That's not how DPD works; it should just pull down the SA when it can't contact the other side. This would happen at both sides: the dynamic side would see the SA is down, then try to reconnect when it gets another packet that should traverse the VPN.

The static side (i.e. OpenBSD) should be configured passive without listing the peer address, something like this:

Okay, this was the main thing I was wrong about .... :/

ike passive esp \
        from 192.168.64.0/21 to any \
        main auth hmac-sha1 enc aes group grp2 \
        quick auth hmac-sha1 enc aes group grp2 \
        tag ipsec-$id


"to any" didn't work with the DrayTek Vigor 2700, but this did work:

# my-address, hishost.ath.cx, myID/hisID, 192.168.XX.0/24 and the psk are placeholders
ike passive esp from 192.168.0.0/16 to 192.168.XX.0/24 local my-address peer hishost.ath.cx \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc aes \
        srcid myID dstid hisID \
        psk 12345

Sometimes it works without the "peer hishost.ath.cx", sometimes not:

--snip--
Jul  5 16:31:15 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jul  5 16:31:20 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:20 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type PAYLOAD_MALFORMED
Jul  5 16:31:23 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
--snap--

Is this a bug in the Vigor's IPsec stack?



("to any" is magic). If you use PSK rather than public-key, specify
it here (same psk for all dynamic endpoints).

The DynDNS name of the DrayTek does not have a correct reverse lookup.

You don't need DynDNS for this (though it may be useful for other things).



Yours,

Georg Buschbeck
Information Technology

THOMAS DAILY GmbH
Adlerstraße 19
79098 Freiburg
Germany
T  + 49 761 3 85 59 170
F  + 49 761 3 85 59 550
E  [EMAIL PROTECTED]
www.thomas-daily.de

Geschäftsführer/Managing Directors:
Wendy Thomas, Susanne Larbig
Handelsregister Freiburg i.Br., HRB 3947
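The isakmpd log excerpt above raises the question whether the malformed payloads come from one peer and whether the non-zero reserved byte is always the same. The following triage script is an added example, not part of the original mail or of OpenBSD; it groups isakmpd "dropped message" lines by peer and notification type and attributes each "reserved field non-zero" warning to the PAYLOAD_MALFORMED drop that follows it. The input is constructed: the first four lines mirror the quoted log, the remaining lines are made up, with an RFC 5737 documentation address standing in for a second peer.

```python
"""Triage isakmpd(8) syslog output: which peers are being dropped, for which
ISAKMP notification types, and whether PAYLOAD_MALFORMED drops carry a
consistent non-zero reserved byte (the 0x6f seen in the thread).

Added example; not from the original mail. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: lines 1-4 mirror the quoted log, the rest are invented.
SAMPLE_LOG = """\
Jul  5 16:31:15 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jul  5 16:31:20 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:20 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type PAYLOAD_MALFORMED
Jul  5 16:31:23 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:23 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type PAYLOAD_MALFORMED
Jul  5 16:32:01 openbsd isakmpd[11169]: dropped message from 198.51.100.7 port 500 due to notification type INVALID_COOKIE
"""

# Syslog prefix as written by isakmpd; the year is not logged, so timestamps
# are only comparable within one day (strptime fills in 1900).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ isakmpd\[\d+\]: (?P<msg>.*)$")
DROP_RE = re.compile(
    r"dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)")
RESERVED_RE = re.compile(
    r"message_parse_payloads: reserved field non-zero: (?P<value>[0-9a-fA-F]+)")


def parse_log(text):
    """Return drop and reserved-field events in log order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        d = DROP_RE.search(msg)
        if d:
            events.append({"ts": ts, "kind": "drop", "peer": d.group("peer"),
                           "port": int(d.group("port")), "notify": d.group("notify")})
            continue
        r = RESERVED_RE.search(msg)
        if r:
            events.append({"ts": ts, "kind": "reserved", "value": r.group("value").lower()})
    return events


def summarize(text, window=2):
    """Count drops per peer and notification type, and attribute each
    'reserved field non-zero' warning to the PAYLOAD_MALFORMED drop that
    follows it within `window` seconds. In the quoted log the warning
    immediately precedes the drop with the same timestamp, so a small window
    is enough; warnings with no drop in range are counted as unmatched."""
    per_peer = defaultdict(Counter)
    reserved_values = defaultdict(set)
    pending, unmatched = [], 0
    for ev in parse_log(text):
        if ev["kind"] == "reserved":
            pending.append(ev)
        elif ev["notify"] == "PAYLOAD_MALFORMED":
            per_peer[ev["peer"]][ev["notify"]] += 1
            for w in pending:
                if (ev["ts"] - w["ts"]).total_seconds() <= window:
                    reserved_values[ev["peer"]].add(w["value"])
                else:
                    unmatched += 1
            pending = []
        else:
            per_peer[ev["peer"]][ev["notify"]] += 1
    unmatched += len(pending)
    return {
        "per_peer": {p: dict(c) for p, c in per_peer.items()},
        "reserved_values": {p: sorted(v) for p, v in reserved_values.items()},
        "unmatched_warnings": unmatched,
    }


def consistent_malformed(summary, peer, minimum=2):
    """True when a peer produced at least `minimum` PAYLOAD_MALFORMED drops and
    every matched reserved byte had the same value. A repeated identical byte
    from one peer points at a systematic encoding quirk in that peer's IKE
    implementation rather than transient corruption; it does not by itself
    prove a bug, so confirm it against more than one capture."""
    drops = summary["per_peer"].get(peer, {}).get("PAYLOAD_MALFORMED", 0)
    values = summary["reserved_values"].get(peer, [])
    return drops >= minimum and len(values) == 1


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer, counts in sorted(result["per_peer"].items()):
        print(peer, counts, "reserved:", result["reserved_values"].get(peer, []))
        print("  consistent malformed payloads:", consistent_malformed(result, peer))
```

Run it against `/var/log/daemon` (or wherever isakmpd logs on the box) instead of the constructed sample to see whether the PAYLOAD_MALFORMED drops are confined to the DrayTek's address and always carry the same reserved byte; if they are, the next step is a packet capture of UDP/500 on the OpenBSD side to see which ISAKMP payload has the non-zero reserved field.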
