If the "backup" machine is intended to be a replacement for the primary gateway, it should have the same network provisioning. IPSec has more provisioning requirements than files located in /etc/isakmpd/.
Two possible differences you may have already considered are IP addressing and PF configuration. Perhaps your "backup" machine is using the same IP address as the primary gateway. I would not know. Perhaps your "backup" machine is using the same PF configuration. I would not know.
Why wouldn't I know? Because you have not mentioned them. All I am able to understand about your problem is the information you decide to post.
As an example, I can only guess you are using one of the many ways to deploy IKEv1, since you mentioned /etc/isakmpd/, but at the moment that is all I know. "My tunnel didn't connect" is insufficient information for me to provide any real assistance.
I am not an IPSec expert. I have previously been an IPSec user, but am not a user now. When I used it, I deployed both IKEv1 and IKEv2. However, when I deployed IKEv1 I did not provision any files in /etc/isakmpd/; instead I used ipsecctl(8) and ipsec.conf(5).
Without knowing anything about your problem other than likely IKEv1 and your "tunnel didn't connect," all I can recommend is the following.
- Ensure your IP configuration is identical.
- Ensure your PF configuration is identical, and passing all IPSec-related traffic, such as ESP and AH protocols as applicable, IKE key exchange traffic via UDP, and encapsulation traffic.
- Log isakmpd(8) messages with -v so you can determine which IKEv1 phase may be failing.
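As an added illustration of the PF point in the list above (example rules, not the original poster's or OpenBSD's configuration), the following pf.conf fragment passes the traffic an IKEv1 gateway needs; the interface name and peer address are constructed placeholders that must be replaced with the real ones, and the rules should be identical on the primary and the backup gateway.

```pf
# Assumptions for this example: the external interface is em0 and the
# remote gateway is 203.0.113.2 (both constructed placeholders).
ext_if = "em0"
peer   = "203.0.113.2"

# IKE key exchange (UDP/500) and NAT-Traversal encapsulation (UDP/4500)
# between the two gateways. ($ext_if) tracks the interface address.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out quick on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }

# The tunnel itself: ESP, and AH if the SAs use it.
pass in  quick on $ext_if proto { esp, ah } from $peer to ($ext_if)
pass out quick on $ext_if proto { esp, ah } from ($ext_if) to $peer

# Decapsulated packets appear on enc0; keep interface-bound state there
# so the tunnel's inner traffic is filtered and reply traffic is matched.
pass on enc0 from any to any keep state (if-bound)
```

Load it with pfctl -f and compare `pfctl -sr` output on both machines to confirm they really are identical before blaming isakmpd(8).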