VPN with Cisco routers
- From: "bioch" <pipp@xxxxxxx>
- Date: Wed, 27 Dec 2006 12:56:59 +0100
Hi to all
I have the following problem setting up a VPN between two Cisco routers and
OpenBSD boxes version 3.9.
The VPN comes up only if the connection is initiated from the remote site. I've
googled around to find a solution but none of the mailing lists has suggested
the right way to me, even though they talked about my same problem.
I've tried all the solutions proposed but none of them solved the
question. I should say that I've already set up another firewall in another
place to work in failover mode, not in load balancing, with a VPN to a
SonicWall, and everything works fine.
My OpenBSD boxes are configured to work in load balancing using pfsync, carp
and sasyncd; is it possible that the load balancing configuration doesn't
allow a VPN to work as needed?
Trying to ping a remote site from my LAN and tcpdumping on enc0 I cannot see
any packet; running isakmpd -d -DA=99 I can see that the exchange is
established but no SA is put up.
Here below is my config file for isakmpd:
ISAKMPD.CONF
[General]
Retransmits= 5
Exchange-max.time= 120
Listen-on= xxx.xxx.xxx.2
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
[Phase 1]
yyy.yyy.yyy.126= ROMA
zzz.zzz.zzz.105= MILANO
[Phase 2]
Connections= Napoli-Roma,Napoli-Milano
[ROMA]
Phase= 1
Local-address= xxx.xxx.xxx.2
Address= yyy.yyy.yyy.126
Configuration= Default-main-mode
Authentication= mypassword
[MILANO]
Phase= 1
Local-address= xxx.xxx.xxx.2
Address= zzz.zzz.zzz.105
Configuration= Default-main-mode
Authentication= mypassword
[Napoli-Roma]
Phase= 2
ISAKMP-peer= ROMA
Configuration= Default-quick-mode
Local-ID= Net-Napoli
Remote-ID= Net-Roma
[Napoli-Milano]
Phase= 2
ISAKMP-peer= MILANO
Configuration= Default-quick-mode
Local-ID= Net-Napoli
Remote-ID= Net-Milano
[Net-Napoli]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.1.0
Netmask= 255.255.255.0
[Net-Roma]
ID-type= IPV4_ADDR_SUBNET
Network= 172.29.128.96
Netmask= 255.255.255.224
[Net-Milano]
ID-type= IPV4_ADDR_SUBNET
Network= 172.20.43.192
Netmask= 255.255.255.224
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-GRP2-SUITE,QM-ESP-3DES-MD5-PFS-GRP2-SUITE,QM-ESP-3DES-SHA-PFS-XF-GRP2-SUITE
ISAKMPD.POLICY
KeyNote-Version: 2
Comment: Policy that accepts whoever uses the password
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
And here are the cisco router config from one of the router.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key mypassword address xxx.xxx.xxx.2
crypto map CMAP_1 3 ipsec-isakmp
description Tunnel to xxx.xxx.xxx.2
set peer xxx.xxx.xxx.2
set security-association lifetime seconds 1200
set transform-set ESP-3DES-SHA
Hope that this can be useful to understand the problem.
Thanks in advance to everyone who can help me or point me to how to fix the problem.
I'm really desperate and don't know what else to try or think of to solve
the problem.
TIA
--
Bioch
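As an added illustration (not from the original post, and not OpenBSD's or Cisco's own code), here is a small Python lint for a configuration in the isakmpd.conf format shown above. It cross-references each connection listed under [Phase 2] with its ISAKMP-peer, Local-ID/Remote-ID and Configuration sections, checks that every peer also has an address mapping under [Phase 1] (which is what isakmpd uses to match an incoming negotiation), validates each Network/Netmask pair, and compares the default phase-1 and phase-2 lifetimes with the `lifetime` and `set security-association lifetime seconds` values on the Cisco side. The sample input is the poster's configuration trimmed to one peer, with the masked addresses kept as they appear in the post; the section and key names are those of isakmpd.conf(5), and the check names and messages are this example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the poster's isakmpd.conf trimmed to one peer (addresses masked as in the post).
SAMPLE_CONF = """\
[General]
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
[Phase 1]
yyy.yyy.yyy.126= ROMA
[Phase 2]
Connections= Napoli-Roma
[ROMA]
Phase= 1
Local-address= xxx.xxx.xxx.2
Address= yyy.yyy.yyy.126
Authentication= mypassword
[Napoli-Roma]
Phase= 2
ISAKMP-peer= ROMA
Configuration= Default-quick-mode
Local-ID= Net-Napoli
Remote-ID= Net-Roma
[Net-Napoli]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.1.0
Netmask= 255.255.255.0
[Net-Roma]
ID-type= IPV4_ADDR_SUBNET
Network= 172.29.128.96
Netmask= 255.255.255.224
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-GRP2-SUITE,QM-ESP-3DES-MD5-PFS-GRP2-SUITE
"""
# Constructed sample: the lifetime lines from the poster's Cisco configuration.
SAMPLE_CISCO = """\
crypto isakmp policy 1
 lifetime 3600
crypto map CMAP_1 3 ipsec-isakmp
 set security-association lifetime seconds 1200
"""


def parse_isakmpd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [Section] / Key= value format into a nested dict; '#' starts a comment."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return conf


def lint_phase2(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Cross-reference every connection under [Phase 2]; return the problems found."""
    problems: List[str] = []
    mapped = set(conf.get("Phase 1", {}).values())  # peers with an address -> section mapping
    names = [n.strip() for n in conf.get("Phase 2", {}).get("Connections", "").split(",") if n.strip()]
    for name in names:
        sec = conf.get(name, {})
        if sec.get("Phase") != "2":
            problems.append(f"{name}: section missing or Phase is not 2")
            continue
        peer_name = sec.get("ISAKMP-peer", "")
        if conf.get(peer_name, {}).get("Phase") != "1":
            problems.append(f"{name}: ISAKMP-peer {peer_name!r} is not a Phase 1 section")
        elif peer_name not in mapped:
            problems.append(f"{name}: peer {peer_name} has no [Phase 1] address mapping for incoming negotiations")
        for side in ("Local-ID", "Remote-ID"):
            ident = conf.get(sec.get(side, ""), {})
            if ident.get("ID-type") != "IPV4_ADDR_SUBNET":
                problems.append(f"{name}: {side} is not an IPV4_ADDR_SUBNET section")
                continue
            try:  # strict=True rejects a Network that is not the base address of its Netmask
                ipaddress.ip_network(f"{ident.get('Network')}/{ident.get('Netmask')}", strict=True)
            except ValueError:
                problems.append(f"{name}: {side} has an invalid Network/Netmask pair")
        qm = conf.get(sec.get("Configuration", ""), {})
        if qm.get("EXCHANGE_TYPE") != "QUICK_MODE" or not qm.get("Suites"):
            problems.append(f"{name}: Configuration is not a QUICK_MODE section with Suites")
    return problems


def lifetime_mismatches(conf: Dict[str, Dict[str, str]], cisco: str) -> List[str]:
    """Compare isakmpd's default lifetimes ('default,min:max') with the Cisco ISAKMP and IPsec SA values."""
    checks = ((1, r"^\s*lifetime (\d+)", "isakmp policy lifetime"),
              (2, r"lifetime seconds (\d+)", "security-association lifetime"))
    problems = []
    for phase, pattern, label in checks:
        ours = int(conf["General"][f"Default-phase-{phase}-lifetime"].split(",")[0])
        for theirs in re.findall(pattern, cisco, re.M):
            if int(theirs) != ours:
                problems.append(f"phase {phase}: isakmpd {ours}s vs Cisco {label} {theirs}s")
    return problems
```

To run it against a real file, pass `open("/etc/isakmpd/isakmpd.conf").read()` to `parse_isakmpd_conf` and print whatever `lint_phase2` and `lifetime_mismatches` return; an empty list from both means the section references and lifetimes are consistent. A clean run does not prove the tunnel will come up: proposal matching against the Cisco transform set and the crypto map's access list are not checked here, it only rules out the dangling references and lifetime mismatches that are easy to overlook when reading a long configuration by eye.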