isakmpd, but no flows
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: isakmpd, but no flows
- From: Cameron Schaus <cam_(_at_)_cds_(_dot_)_realcase_(_dot_)_com>
- Date: Tue, 24 Oct 2000 23:29:57 -0600 (MDT)
I am trying to set up a VPN between 2 machines that are running
isakmpd. I have pored over the FAQ, and all the man pages, but I
can't find out what I am doing wrong.
First:
- both machines are running a stock 2.7 installation
- both private networks are not internet routable (10.x.x.x)
(I don't know if this matters with isakmpd)
- a manually keyed VPN (with rc.vpn) works just fine between these 2
machines
When I run '/sbin/isakmpd -d', I do not see any error messages, but
not all the flows get set up correctly.
I think I need 3 more flows for the VPN to work properly. I thought
isakmpd took care of all this for me.
Do I have to do anything else?
Any help would be greatly appreciated.
Here is all I get:
--------------------
# netstat -nr -f encap
Routing tables
Encap:
Source Port Destination Port Proto SA(Address/SPI/Proto)
10.0.1/24 0 10.0.0/24 0 0 11.22.33.44/20901f05/50
--------------------
Here is my isakmpd.conf file for one machine:
--------------------
[Phase 1]
11.22.33.44= ISAKMP-peer-east
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-east]
Phase= 1
Transport= udp
Address= 11.22.33.44
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
--------------------
And now the policy file:
--------------------
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" -> "true";
--------------------
--
Cam Schaus
cam_(_at_)_cds_(_dot_)_realcase_(_dot_)_com
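Not part of the original post: an added Python check, written for this page, that parses the isakmpd.conf and isakmpd.policy excerpts above and reports section references that point nowhere, a [Phase 1] peer whose Address differs from its key, and a Phase 1 Authentication value that no passphrase: licensee in the policy covers. The sample input is a constructed copy of the post's own config; the check only tells you whether the two files agree with each other, not whether flows were negotiated.

```python
import re
# Constructed sample: the isakmpd.conf sections and the isakmpd.policy Licensees line from the post
CONF = """\
[Phase 1]
11.22.33.44= ISAKMP-peer-east
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-east]
Phase= 1
Address= 11.22.33.44
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[IPsec-east-west]
ISAKMP-peer= ISAKMP-peer-east
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
[Net-east]
[Default-main-mode]
[Default-quick-mode]
"""
POLICY = 'Licensees: "passphrase:mekmitasdigoat"'
REF_TAGS = ("Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID")  # tags whose value names a section
def parse_conf(text):
    # isakmpd.conf is a series of [Section] headers, each followed by Tag= value lines
    sections, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            tag, value = line.split("=", 1)
            sections[cur][tag.strip()] = value.strip()
    return sections

def check(conf_text, policy_text):
    # Flag dangling section references, a peer Address that differs from its [Phase 1] key, and an unlicensed PSK
    s = parse_conf(conf_text)
    licensed = set(re.findall(r'passphrase:([^"]+)"', policy_text))
    refs = [("Phase 2", c.strip()) for c in s.get("Phase 2", {}).get("Connections", "").split(",") if c.strip()]
    refs += [(name, tags[t]) for name, tags in s.items() for t in REF_TAGS if t in tags]
    problems = [f"[{where}] refers to undefined section {ref}" for where, ref in refs if ref not in s]
    for ip, peer in s.get("Phase 1", {}).items():
        if ip != "Default" and s.get(peer, {}).get("Address") != ip:
            problems.append(f"[Phase 1] {ip}= {peer}: section missing or its Address differs")
    for name, tags in s.items():
        if tags.get("Phase") == "1" and tags.get("Authentication") not in licensed:
            problems.append(f"[{name}] Authentication= is not licensed by any passphrase: in the policy")
    return problems
```

Run `check(CONF, POLICY)`; an empty list means the posted config and policy are consistent with each other, and each string in a non-empty list names the section and tag that disagrees.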