On Mon, Jun 07 2010 at 10:18, rh...@hushmail.com wrote:
> Actually, thinking about this again, I see from "netstat -an" that
> isakmpd listens on all ports by default. Therefore needing to
> specify in isakmpd.conf should be unnecessary, no ?

My bad, normally the "local" directive in ipsec.conf should be ok.
Binding on a specific address was necessary for my case because I had
more than 255 local addresses (*lots* of vlan...).

> The precise errors I am seeing at present are :
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from 10.0.0.2 port 500 due to notification
> type INVALID_ID_INFORMATION
>
> I have reduced configs to minimal levels:
>
> ike esp from 10.0.0.2 to 10.0.0.1 local 10.0.0.1 peer 10.0.0.2 \
> psk *******
>
> ike esp from 10.0.0.1 to 10.0.0.2 local 10.0.0.2 peer 10.0.0.1 \
> psk *******
>
>
> I can ping 10.0.0.2/10.0.0.1 from each other.

Here is the configuration I used between 2 peers :

ike esp tunnel \
    from 10.10.10.6 to 10.10.10.5 \
    main auth hmac-sha1 enc aes group grp5 \
    quick auth hmac-sha1 enc aes group grp5 \
    psk OpenBSD

As stated, just adding the "local" keyword should suffice.

Claer
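As an added illustration (not Claer's own configuration nor the original poster's), here is how the "local"/"peer" keywords from the thread combine with Claer's explicit main/quick proposals for the two 10.0.0.1 / 10.0.0.2 hosts discussed above. Both sides are shown so the mirroring is visible; the PSK value is a placeholder to be replaced on both gateways, and the tunnel mode and proposals are assumed to match Claer's example rather than anything the original poster confirmed.

```conf
# /etc/ipsec.conf on gateway A (10.0.0.1)
# "local" pins the address isakmpd uses for this SA; "peer" is the remote IKE endpoint.
# Proposals are spelled out on both sides so a mismatch cannot silently fall back
# to a different auth method (the rsa_sig_decode_hash error in the thread shows what
# happens when the peers do not agree on psk).
ike esp tunnel \
    from 10.0.0.1 to 10.0.0.2 \
    local 10.0.0.1 peer 10.0.0.2 \
    main auth hmac-sha1 enc aes group grp5 \
    quick auth hmac-sha1 enc aes group grp5 \
    psk CHANGE-ME-shared-secret    # placeholder, identical on both gateways

# /etc/ipsec.conf on gateway B (10.0.0.2): the mirror image, addresses swapped.
ike esp tunnel \
    from 10.0.0.2 to 10.0.0.1 \
    local 10.0.0.2 peer 10.0.0.1 \
    main auth hmac-sha1 enc aes group grp5 \
    quick auth hmac-sha1 enc aes group grp5 \
    psk CHANGE-ME-shared-secret    # placeholder, identical on both gateways
```

Before loading it, "ipsecctl -n -f /etc/ipsec.conf" parses the file without installing any flows, which catches keyword-order mistakes (for instance "local" placed before "to") on each gateway; after loading, "ipsecctl -sa" shows whether the phase 1 and phase 2 SAs actually came up.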