I recently had a problem that looked similar.
I would try to bring up the tunnels configured in ipsec.conf.
No Phase 2
A dump on the external iface revealed that we were sending Phase 1
initiation. Their end was configured for a different encryption scheme
than ours (even though we had agreed on one). Since they were
showing up with a valid PSK we accepted the values they proposed,
whereas they rejected our proposals.
tcpdump -nvs1400 port 500
Christoph Leser wrote:
Are you sure that obsd does not try to initiate the connection at least once?
I have noticed the following problem with cisco:
Some Cisco models delete the security association after an inactivity timeout,
they call it "Cisco IPSec Security Association Idle Timers".
When this happens, OpenBSD drops the information for this tunnel and is unable
to recreate it. Cisco keeps the information and can reestablish the connection
when someone pings or otherwise addresses the remote end.
I had a short conversation about this with Hans-Jörg Höxer, but cannot say
whether this behaviour is desired or considered a bug.
I would try to delete the tunnel completely and configure it again while running
tcpdump on the external interface (or enable isakmpd packet capture, see the
-L switch of isakmpd).
This will at least answer the question whether OpenBSD attempts to establish
the connection when the tunnel is defined for the first time.
Regards
Christoph
-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
On behalf of Chris Bullock
Sent: Tuesday, 17 November 2009 15:45
To: misc@openbsd.org
Subject: isakmpd will not initiate connection to Cisco ASA
We have many tunnels and for some reason I just set up a
tunnel with a Cisco ASA and we cannot initiate the
connection from the OpenBSD side. If the Cisco side pings a
device on the OpenBSD side the tunnel comes up. On the Cisco
side they have bidirectional enabled, and they are not seeing
the OpenBSD try to initiate the tunnel. Any help would be
appreciated, Regards, Chris Bullock
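Both the tcpdump check in the first reply and Christoph's suggestion come down to the same two questions: does OpenBSD ever send the first Phase 1 packet, and does a Phase 2 (quick mode) exchange ever follow? The script below is an added example, not from anyone in this thread; it assumes the OpenBSD external address is 192.0.2.1, the peer is 198.51.100.1, and capture lines shaped like `src.500 > dst.500: isakmp v1.0 exchange ID_PROT` (the embedded samples are constructed in that shape; real `tcpdump -n port 500` output is fed in the same way).

```shell
#!/bin/sh
# Added example: classify an ISAKMP (udp/500) capture by who sent the first
# Phase 1 packet and whether a Phase 2 (QUICK_MODE) exchange ever followed.
# Assumptions: local address 192.0.2.1, peer 198.51.100.1, and lines shaped
# like "<time> src.500 > dst.500: isakmp v1.0 exchange <TYPE>".

# isakmp_summary LOCAL_ADDR < capture  ->  "<first initiator> <phase1 pkts> <phase2 pkts>"
isakmp_summary() {
    awk -v local="$1" '
    /isakmp/ {
        src = $2; sub(/\.[0-9]+$/, "", src)          # strip the .500 port from the source
        dir = (src == local) ? "local" : "peer"
        if ($0 ~ /exchange (ID_PROT|AGGRESSIVE)/) { p1++; if (first == "") first = dir }
        else if ($0 ~ /exchange QUICK_MODE/)      { p2++ }
    }
    END { printf "%s %d %d\n", (first == "" ? "none" : first), p1 + 0, p2 + 0 }'
}

# isakmp_verdict LOCAL_ADDR < capture  ->  one word naming the symptom
isakmp_verdict() {
    set -- $(isakmp_summary "$1")
    case "$1:$3" in
        none:*)  echo silent ;;          # nothing on udp/500 at all
        peer:*)  echo peer-initiated ;;  # Chris's symptom: only the Cisco starts Phase 1
        local:0) echo phase1-only ;;     # first reply's symptom: our Phase 1 goes out, no Phase 2
        *)       echo phase2-seen ;;
    esac
}

# Constructed sample captures (not real traffic).
SAMPLE_MISMATCH='15:45:01.000001 192.0.2.1.500 > 198.51.100.1.500: isakmp v1.0 exchange ID_PROT
15:45:01.000002 198.51.100.1.500 > 192.0.2.1.500: isakmp v1.0 exchange INFO
15:45:11.000001 192.0.2.1.500 > 198.51.100.1.500: isakmp v1.0 exchange ID_PROT
15:45:11.000002 198.51.100.1.500 > 192.0.2.1.500: isakmp v1.0 exchange INFO'
SAMPLE_PEER_ONLY='15:46:01.000001 198.51.100.1.500 > 192.0.2.1.500: isakmp v1.0 exchange ID_PROT
15:46:01.000002 192.0.2.1.500 > 198.51.100.1.500: isakmp v1.0 exchange ID_PROT
15:46:02.000001 198.51.100.1.500 > 192.0.2.1.500: isakmp v1.0 exchange QUICK_MODE
15:46:02.000002 192.0.2.1.500 > 198.51.100.1.500: isakmp v1.0 exchange QUICK_MODE'

printf '%s\n' "$SAMPLE_MISMATCH"  | isakmp_verdict 192.0.2.1   # phase1-only
printf '%s\n' "$SAMPLE_PEER_ONLY" | isakmp_verdict 192.0.2.1   # peer-initiated
```

A "phase1-only" result is the cue to compare the Phase 1 proposals on both ends; "peer-initiated" means the local side never sent the first packet and the tunnel definition itself is the place to look.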