Re: Problems with second ipsec(ctl) tunnel

2007-04-24 Thread Steven Surdock
Stuart Henderson wrote: > On 2007/04/24 15:49, Steven Surdock wrote: >> Steven Surdock wrote: ... > > Are auth/encryption the same for both tunnels? I believe that may be > necessary for main mode. > > You can check that ipsec.conf is being parsed how you expect with > 'ipsecctl -nvf /etc/ipsec.con

Re: Problems with second ipsec(ctl) tunnel

2007-04-24 Thread Stuart Henderson
On 2007/04/24 15:49, Steven Surdock wrote: > Steven Surdock wrote: > > Greetings, I recently converted from isakmpd.conf to ipsec.conf and I > > seem to be having a problem bringing up a second tunnel to a PIX. It > > _appears_ that the OBSD side is trying to use the default hmac > > (sha2_256) even

Re: Problems with second ipsec(ctl) tunnel

2007-04-24 Thread Steven Surdock
Steven Surdock wrote: > Greetings, I recently converted from isakmpd.conf to ipsec.conf and I > seem to be having a problem bringing up a second tunnel to a PIX. It > _appears_ that the OBSD side is trying to use the default hmac > (sha2_256) even though it is configured to use md5 for the second >

Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy
Steven Surdock wrote: Prabhu Gurumurthy wrote: Steven Surdock wrote: Prabhu Gurumurthy wrote: Steven Surdock wrote: ... Yes, thanks but that was a typo.. sorry for the confusion, still the tunnel does not come up. What does your ACL "VPN_ACL" look like? How about the output from a "debug

Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Steven Surdock
Prabhu Gurumurthy wrote: > Steven Surdock wrote: >> Prabhu Gurumurthy wrote: >>> Steven Surdock wrote: >> ... > > Yes, thanks but that was a typo.. sorry for the confusion, still the > tunnel does not come up. > What does your ACL "VPN_ACL" look like? How about the output from a "debug crypto isa

Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy
Steven Surdock wrote: Prabhu Gurumurthy wrote: Steven Surdock wrote: ... I too have the same problem. I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it works flawlessly with another OpenBSD system as the peer. I tried to enable OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)) I defined "

Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Steven Surdock
Prabhu Gurumurthy wrote: > Steven Surdock wrote: ... > > I too have the same problem. > I have a Lan 2 Lan tunnel with pfsync, carp, sasync and it > works flawlessly with > another OpenBSD system as the peer. > > I tried to enable OpenBSD to PIX tunnel (PIX 501, OS: 6.3(5)) > > I defined "quick aut

Re: Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Prabhu Gurumurthy
Steven Surdock wrote: Greetings, I recently converted from isakmpd.conf to ipsec.conf and I seem to be having a problem bringing up a second tunnel to a PIX. It _appears_ that the OBSD side is trying to use the default hmac (sha2_256) even though it is configured to use md5 for the second tunnel.

Problems with second ipsec(ctl) tunnel

2007-04-23 Thread Steven Surdock
Greetings, I recently converted from isakmpd.conf to ipsec.conf and I seem to be having a problem bringing up a second tunnel to a PIX. It _appears_ that the OBSD side is trying to use the default hmac (sha2_256) even though it is configured to use md5 for the second tunnel. Oddly, the first tunnel