OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

mottycruz
Hello,

I have a gateway machine running OpenBSD 5.5 that won't initiate the connection
to the peer. The only way to establish the VPN tunnel is if the peer pings an IP
in my subnet.
in pf.conf:
IpsecClients="{ 173.16.2.20/32, 139.19.10.51/32 }"
IpsecHosts="{ 192.16.38.24/27 }"

# IPsec VPN tunnel: IKE (UDP 500) and ESP from the peers to our hosts
pass  in  on $OUTSIDE inet proto udp from $IpsecClients to $IpsecHosts port 500
pass  in  on $OUTSIDE inet proto esp from $IpsecClients to $IpsecHosts


isakmpd.conf:
[Phase 1]
139.19.10.51=           ISAKMP-peer-CORP1

[Phase 2]
Connections=            IPsec-CORP1-DataCenter1

#Phase 1 peers
## CORP1
[ISAKMP-peer-CORP1]
Phase=                  1
Transport=              udp
Address=                139.19.10.51
Configuration=          Default-main-mode3
Authentication=         psecret

# phase 2
[IPsec-CORP1-DataCenter1]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-CORP1
Configuration=          Default-quick-mode3
Local-ID=               Net-datacenter1
Remote-ID=              Net-corp1

[IPsec-CORP1-DataCenter2]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-CORP1
Configuration=          Default-quick-mode3
Local-ID=               Net-datacenter2
Remote-ID=              Net-corp2

any ideas?

Re: OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

mottycruz
Thank you for your suggestion.

I already have connections to peers using isakmpd; I'm afraid to bring
those connections down to switch over to ipsec.

On 07/11/2015 05:02 PM, carlos albino garcia grijalba wrote:

> Use ipsec.conf; the new configuration is simple. I have connections
> from Cisco peers, and the only problem was that we were using
> wrong credentials.
>
> > Date: Fri, 10 Jul 2015 12:59:56 -0700
> > From: [hidden email]
> > To: [hidden email]; [hidden email]
> > Subject: OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device
> >

Re: OpenBSD 5.5 won't initiate VPN (IPsec site-to-site) connection to Cisco device

Stuart Henderson
On 2015-07-10, Motty Cruz <[hidden email]> wrote:
> Hello,
>
> I have a gateway machine running OpenBSD 5.5 that won't initiate the connection
> to the peer. The only way to establish the VPN tunnel is if the peer pings an IP
> in my subnet.

isakmpd usually tries to bring up the connection as soon as it's configured,
but perhaps this negotiation is failing, maybe due to a firewall rule somewhere
on/near the Cisco side?

Last time I set up a VPN with a Cisco device, it only brought up the tunnel
from their side on demand, so if the initiation from the isakmpd side fails,
it might rely on network traffic from the peer's side to bring it up.
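Stuart's diagnosis can be checked directly on the gateway. The following is an added example, not code from this thread: a POSIX sh function that classifies the state of the tunnel to one peer from the output of `ipsecctl -sa`. isakmpd installs the kernel flows as soon as it has read its configuration, but the SAD entries (the ESP SAs, one per direction) only exist after phase 2 with that peer has completed, so "flows present, no SAs" is what a negotiation that fails or is never answered looks like on the OpenBSD side. The sample outputs are constructed: only the peer 139.19.10.51 and the local network 192.16.38.24/27 come from the post; the gateway address 203.0.113.10 and the remote network 10.20.0.0/24 are placeholders, and the FLOWS:/SAD: layout is that of OpenBSD's ipsecctl(8).

```shell
#!/bin/sh
# Added example, not code from this thread. Classifies the IPsec tunnel state
# to one peer from `ipsecctl -sa` output: flows appear when isakmpd has loaded
# its config, SAs only when phase 2 with the peer has completed.

# Usage: sa_status PEER "$(ipsecctl -sa)"
# Prints one of: up, flows-only, none
sa_status() {
    peer=$1
    output=$2
    # Escape the dots so the address matches literally in the regex.
    peer_re=$(printf '%s' "$peer" | sed 's/\./\\./g')
    # Flows that send traffic via this peer (FLOWS: section).
    flows=$(printf '%s\n' "$output" \
        | grep -cE "^flow esp (in|out) .* peer $peer_re " || true)
    # ESP SAs in either direction with this peer (SAD: section).
    sas=$(printf '%s\n' "$output" \
        | grep -cE "^esp tunnel from $peer_re to [^ ]+ spi |^esp tunnel from [^ ]+ to $peer_re spi " || true)

    if [ "$flows" -gt 0 ] && [ "$sas" -ge 2 ]; then
        echo up            # flows installed and an SA in each direction
    elif [ "$flows" -gt 0 ]; then
        echo flows-only    # configured, but phase 2 never completed (or SAs expired)
    else
        echo none          # isakmpd has no configuration for this peer
    fi
}

# Constructed sample outputs (not captured from the poster's gateway). Only the
# peer 139.19.10.51 and the local net 192.16.38.24/27 come from the post; the
# gateway address 203.0.113.10 and remote net 10.20.0.0/24 are placeholders.
SAMPLE_UP='FLOWS:
flow esp in from 10.20.0.0/24 to 192.16.38.24/27 peer 139.19.10.51 srcid 203.0.113.10/32 dstid 139.19.10.51/32 type use
flow esp out from 192.16.38.24/27 to 10.20.0.0/24 peer 139.19.10.51 srcid 203.0.113.10/32 dstid 139.19.10.51/32 type require

SAD:
esp tunnel from 139.19.10.51 to 203.0.113.10 spi 0x0a1b2c3d auth hmac-sha1 enc aes
esp tunnel from 203.0.113.10 to 139.19.10.51 spi 0x4e5f6a7b auth hmac-sha1 enc aes'

SAMPLE_FLOWS_ONLY='FLOWS:
flow esp in from 10.20.0.0/24 to 192.16.38.24/27 peer 139.19.10.51 srcid 203.0.113.10/32 dstid 139.19.10.51/32 type use
flow esp out from 192.16.38.24/27 to 10.20.0.0/24 peer 139.19.10.51 srcid 203.0.113.10/32 dstid 139.19.10.51/32 type require

SAD:'

SAMPLE_NONE='FLOWS:

SAD:'

# Stand-alone use on the gateway (file name is mine): sh sa_check.sh 139.19.10.51
if [ $# -eq 1 ] && command -v ipsecctl >/dev/null 2>&1; then
    sa_status "$1" "$(ipsecctl -sa)"
fi
```

If the result is `flows-only`, the useful next step is to watch the IKE exchange itself: `tcpdump -n -i $OUTSIDE udp port 500` shows whether the Cisco side answers the first main-mode packet at all, and running `isakmpd -d -DA=90` in the foreground shows where the negotiation stops. No reply at all points at a filter between the two gateways, as Stuart suggests; a reply followed by a failure points at a proposal or credential mismatch, which is what carlos ran into.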