ipsecctl does not show ruleset
Hi
I do not understand what happens when loading the ipsec.conf ruleset. I run:
Code:
ipsecctl -s all
isakmpd is run from rc.conf with the flag "-k". My ipsec.conf ruleset is very basic, for LAN testing; I do not think I need to show it. Thanks.
Hello, and welcome.
The output of # ipsecctl -s all shows SAs and flows that have already been successfully established between systems. This requires successful key exchanges. After starting isakmpd with the -K option, the ipsec.conf ruleset must be loaded by ipsecctl with the -f option. It can take a few seconds for both sides to establish SAs and flows, even if everything is correctly configured. If there is any problem establishing SAs and flows, the result will be an empty set. Debugging key exchanges to discover what is happening requires restarting isakmpd with both the -K and the -v option. From isakmpd(8):
Code:
-v  Enables verbose logging. Normally, isakmpd is silent and outputs only messages when a warning or an error occurs. With verbose logging isakmpd reports successful completion of phase 1 (Main and Aggressive) and phase 2 (Quick) exchanges (Information and Transaction exchanges do not generate any additional status information).
Hello jggimi, and thanks for the welcome.
I solved the problem: the from and to were not correctly specified. With tcpdump I can see the traffic, and it is encrypted. Rule:
Code:
ike passive from "localnet" to "localnet" peer "localIP" psk "thekey"
Regards.
Sorry for two posts in a row.
The test on the local LAN works, but over the WAN it does not. The rules:
PC1: 192.168.1.0/24
Code:
ike passive esp from 192.168.1.0/24 to 192.168.2.0/24 peer "WAN address of PC2" psk "key"
PC2: 192.168.2.0/24
Code:
ike active esp from 192.168.2.0/24 to 192.168.1.0/24 peer "WAN address of PC1" psk "key"
PC1:
Code:
FLOWS:
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer "WAN address PC2" srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer "WAN address PC2" srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
SAD:
esp tunnel from 192.168.1.130 to "WAN address PC2" spi 0x01010101 auth hmac-sha2-256 enc aes
esp tunnel from "WAN address PC2" to 192.168.1.130 spi 0x02020202 auth hmac-sha2-256 enc aes
Where is the problem? Should I show the original SPI? Thanks again, and sorry for my English.
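
As an added example, not part of this thread and not an OpenBSD tool: a small POSIX sh/awk checker for the output of `ipsecctl -s all`. It applies the test jggimi describes earlier in the thread (an empty set means the key exchange never completed) and, when entries are present, checks that each outbound flow has its inbound counterpart and each ESP SA has its reverse SA. The sample inputs are constructed from the output posted above, with the documentation address 203.0.113.2 standing in for "WAN address of PC2"; the function name `check_ipsec_state` and the parsing of FLOWS/SAD lines by field position are my assumptions about the output format, not a documented interface.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the output of
# "ipsecctl -s all". Parsing by field position is an assumption about the
# output format, not a documented interface.

# Reads an "ipsecctl -s all" dump on stdin. Exit 0 when flows and SAs are
# present and symmetric, 1 otherwise; prints one line per finding.
check_ipsec_state() {
    awk '
    /^FLOWS:/ { section = "flows"; next }
    /^SAD:/   { section = "sad";   next }
    section == "flows" && $1 == "flow" && $2 == "esp" {
        # flow esp in|out from NET to NET peer ADDR ...
        flows[$3, $5, $7] = 1; nflows++
    }
    section == "sad" && $1 == "esp" && $2 == "tunnel" {
        # esp tunnel from ADDR to ADDR spi 0x... auth ... enc ...
        sas[$4, $6] = 1; nsas++
        for (i = 7; i < NF; i++) if ($i == "spi") spi[$4, $6] = $(i + 1)
    }
    END {
        if (nflows == 0) {
            print "FAIL: no flows; ruleset not loaded (ipsecctl -f) or negotiation not finished"
            exit 1
        }
        if (nsas == 0) {
            print "FAIL: flows present but no SAs; key exchange did not complete (try isakmpd -K -v)"
            exit 1
        }
        bad = 0
        # every outbound flow A -> B needs an inbound flow B -> A
        for (k in flows) {
            split(k, f, SUBSEP)
            if (f[1] == "out" && !(("in", f[3], f[2]) in flows)) {
                print "FAIL: outbound flow " f[2] " -> " f[3] " has no inbound flow"
                bad = 1
            }
        }
        # every SA A -> B needs the reverse SA B -> A
        for (k in sas) {
            split(k, s, SUBSEP)
            if (!((s[2], s[1]) in sas)) {
                print "FAIL: SA " s[1] " -> " s[2] " (spi " spi[k] ") has no reverse SA"
                bad = 1
            }
        }
        if (!bad) print "OK: " nflows " flows and " nsas " SAs, each with its counterpart"
        exit bad
    }'
}

# Constructed sample: the FLOWS/SAD output posted in this thread, with
# 203.0.113.2 standing in for "WAN address of PC2".
ESTABLISHED='FLOWS:
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
SAD:
esp tunnel from 192.168.1.130 to 203.0.113.2 spi 0x01010101 auth hmac-sha2-256 enc aes
esp tunnel from 203.0.113.2 to 192.168.1.130 spi 0x02020202 auth hmac-sha2-256 enc aes'

# Constructed sample: the empty set the original poster saw first.
EMPTY='FLOWS:
No flows
SAD:
No entries'

# Constructed sample: only one direction negotiated.
HALF='FLOWS:
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2 type use
SAD:
esp tunnel from 192.168.1.130 to 203.0.113.2 spi 0x01010101 auth hmac-sha2-256 enc aes'

for name in EMPTY HALF ESTABLISHED; do
    eval "state=\$$name"
    printf '%s: ' "$name"
    printf '%s\n' "$state" | check_ipsec_state || :
done
```

On a live gateway, source the file and run `ipsecctl -s all | check_ipsec_state`; when it reports OK but traffic still does not pass, move on to `tcpdump -n -i enc0` as suggested later in the thread, since established SAs only prove that the key exchange worked, not that packets are being selected into the tunnel.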
With this typical VPN requirement:
Code:
[private net A] - [gateway A] - {internet} - [gateway B] - [private net B]
gateway A:
Code:
ike esp from <gateway A> to <gateway B>
ike esp from <private net A> to <private net B> peer <gateway B>
gateway B:
Code:
ike esp from <gateway B> to <gateway A>
ike esp from <private net B> to <private net A> peer <gateway A>
----
* It has been several years since I last used ipsec.conf, so I don't have an active working configuration to compare to yours.
Last edited by jggimi; 11th April 2015 at 12:07 PM. Reason: added second ipsec.conf example
Hello
Another question: on PC2 I have not enabled NAT in the router for the private address on ports {500, 4500}; could that be a problem? Yes, my browser also shows a single line. Thanks again, jggimi.
Hi again.
Flows and SAD are established; now the problem is that the connections are blocked, and my pf is disabled. tcpdump on enc0 shows the packets encrypted with their corresponding SPI, but only the outgoing packets; incoming packets are blocked, and only output packets appear on enc0. Is it the router firewall? I had to turn on NAT on PC1, the passive side. Regards, and thanks for your time.
I do not know enough about your configuration to answer your remaining questions. And, even if I had that information, I might not be able to assist. I am not currently using IPSec, and I have not used isakmpd(8) and ipsec.conf(5) in several years. You might consider posting to the misc@ mailing list; it is a much larger community.
OK, thanks.
The connection stays in SYN_SENT (TCP); the ICMP protocol works, both sending and receiving. I do not understand why I cannot initiate a TCP connection. Thanks.
I don't have enough information about your environment to tell you why your ICMP traffic is working and TCP fails.
The enc(4) device can be used with tcpdump(8) to help diagnose IPSec operation. Traffic can be monitored both before and after encapsulation. An example is shown in the enc(4) man page. |
OK, and I will show the log when I have it.
Sorry for the delay in answering. Regards.