#2
Old 10th March 2012
sparky's Avatar
sparky sparky is offline
Fdisk Soldier
Join Date: Mar 2012
Posts: 73

After all this time and no "hello welcome" message let alone support

Nevermind..... <siiiiiigggghhhhh>

Here's the solution in case anyone needs it in the future:

Because Cisco ISR routers are primarily meant to be connected to the network WAN edge as gateway or other edge devices, it seems that the IOS product groups didn't decide to implement a way to be able to manipulate or alter the ISAKMP Phase-2 header or initiator ID field within the crypto packets.

So using a quick crash-course in Engineering Psych 101; using the P2 header of "ANY to ANY" seemed more efficient and less troublesome.

This means for interoperability that other manufacturers need to have the same ISAKMP implementation mentality or a way to be able to manipulate or adjust the P2 header in order to be able to sync-up with the ISR range.

Since OpenBSD isn't a product but instead a very powerful operating system this feature should definitely be implemented!!

By using the /etc/ipsec.conf configuration parameter string of:

ike esp from to peer main auth hmac-md5 enc 3des group modp1536 \
quick auth hmac-md5 enc 3des psk "secret"

Coupled with the Cisco Crypto Map stated above in my initial post the P2 headers are a 100% match.

Just for justification purposes; the P2 headers are defined by the "from" and "to" statements.

Once that has been issued the connection then establishes without any further ado!

Please see the attached images for confirmation
Attached Images
File Type: jpg Hammersmith and Fulham-20120309-00020.jpg (158.0 KB, 136 views)
File Type: png Screenshot at 2012-03-08 15:35:00.png (72.9 KB, 112 views)
File Type: png Screenshot at 2012-03-08 15:27:53.png (93.5 KB, 79 views)
File Type: png Screenshot at 2012-03-08 15:26:28.png (77.3 KB, 83 views)

Last edited by ocicat; 10th March 2012 at 04:59 PM. Reason: corrected formatting
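The point of the post is that Phase 2 (quick mode) only establishes when the traffic selectors carried as proxy IDs, the "from"/"to" networks on the OpenBSD side and the crypto-map ACL on the Cisco side, are the same networks. The following script is an added example, not sparky's configuration or OpenBSD/Cisco code: it parses ipsec.conf "ike" rules and Cisco extended ACL entries into networks and reports whether each pair would agree. All addresses, ACL numbers and pre-shared keys in it are constructed placeholders.

```python
"""Compare the Phase 2 traffic selectors of OpenBSD ipsec.conf flows with the
crypto-map ACL of the Cisco peer they point at.  Added example; sample data is
constructed and the addresses are documentation placeholders."""
import ipaddress
import re

# Constructed sample /etc/ipsec.conf (hypothetical peers, keys and networks).
SAMPLE_IPSEC_CONF = r'''
# tunnel 1: any-to-any selectors, the form the post pairs with an ISR
ike esp from any to any peer 203.0.113.1 main \
    auth hmac-md5 enc 3des group modp1536 \
    quick auth hmac-md5 enc 3des psk "secret"

# tunnel 2: network-to-network selectors; will not match a "permit ip any any" ACL
ike esp from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.2 main \
    auth hmac-sha1 enc aes group modp2048 \
    quick auth hmac-sha1 enc aes psk "secret2"
'''

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(token):
    """ipsec.conf accepts the keyword 'any' as well as an address or prefix."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ipsec_flows(text):
    """Join backslash continuations, drop '#' comments, and return one dict per
    'ike' rule: from/to networks, peer, Phase 1 mode and quick-mode transforms.
    (Assumes no '#' inside quoted psk strings.)"""
    joined = re.sub(r"\\\n\s*", " ", text)
    flows = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("ike "):
            continue
        tok = line.split()
        flow = {
            "from": _net(tok[tok.index("from") + 1]),
            "to": _net(tok[tok.index("to") + 1]),
            "peer": tok[tok.index("peer") + 1],
            "mode": "aggressive" if "aggressive" in tok else "main",  # main is the default
        }
        # Quick-mode transforms are the auth/enc pair that follows the 'quick' keyword.
        q = tok.index("quick")
        flow["quick_auth"] = tok[tok.index("auth", q) + 1]
        flow["quick_enc"] = tok[tok.index("enc", q) + 1]
        flows.append(flow)
    return flows


def parse_cisco_acl(line):
    """Parse one extended ACL entry 'permit ip <src> <wildcard>|any|host <a> <dst> ...'
    into a (src_network, dst_network) pair.  Wildcard masks are inverted netmasks."""
    tok = line.split()
    i = tok.index("ip") + 1
    nets = []
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ANY)
            i += 1
        elif tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        else:
            addr, wild = tok[i], int(ipaddress.ip_address(tok[i + 1]))
            if (wild + 1) & wild:  # only contiguous wildcards map to a prefix
                raise ValueError("non-contiguous wildcard mask: " + tok[i + 1])
            nets.append(ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False))
            i += 2
    return nets[0], nets[1]


def phase2_matches(flow, acl):
    """The Cisco ACL's src is its local side, so seen from OpenBSD it is mirrored:
    our 'from' must equal the ACL dst and our 'to' the ACL src.  any/any is symmetric."""
    src, dst = acl
    return flow["from"] == dst and flow["to"] == src


def audit(conf_text, acls_by_peer):
    """Return {peer: True/False} for every flow whose peer has a known crypto-map ACL."""
    return {f["peer"]: phase2_matches(f, acls_by_peer[f["peer"]])
            for f in parse_ipsec_flows(conf_text) if f["peer"] in acls_by_peer}


# Constructed crypto-map ACLs keyed by the OpenBSD-side peer address.
SAMPLE_ACLS = {
    "203.0.113.1": parse_cisco_acl("access-list 101 permit ip any any"),
    "203.0.113.2": parse_cisco_acl("access-list 102 permit ip any any"),
}

if __name__ == "__main__":
    for peer, ok in audit(SAMPLE_IPSEC_CONF, SAMPLE_ACLS).items():
        print(peer, "phase 2 selectors match" if ok else "SELECTOR MISMATCH")
```

Running it prints a match for the any-to-any flow and a mismatch for the 10.0.0.0/24 to 192.168.1.0/24 flow, which is exactly the situation the post describes: the IOS side cannot narrow its proxy IDs, so the OpenBSD flow has to be widened to any/any (or the ACL on the router written as the mirror image of the flow) before quick mode will agree. The transform set in the sample copies the post (3DES, HMAC-MD5, modp1536); those are legacy choices, and the selector check is independent of which transforms are negotiated.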