From: Jason Haag
To: "'misc at the nospam openbsd.org'"
Subject: How-To: 2.8-stable *and* isakmpd
Date: Tue, 24 Apr 2001 12:24:37 -0400

This text describes how to get ISAKMPD working with 2.8-stable (should also apply to 2.8-release, but why would one do that?).

AFAIK, isakmpd was broken in 2.8-release, and the bugfixes are not yet in -stable (should be merged in a few weeks though, according to Hakan).

Symptoms of the broken isakmpd are:

- The gateways *do* negotiate successfully
- You get 3 "in" and 1 "out" flows from "netstat -nrf encap"
- The gateways can't communicate, neither public nor private (!) (e.g. no ping).

The last symptom is especially annoying since you can't ssh to the remote machine directly - you need to find a third box (with a different public IP!) from which you can do that and reset the VPN (i.e. kill isakmpd and do "ipsecadm flush").

But, there is a way to get it all working!

1) Get the -stable sources and rebuild your system as described in various FAQs (e.g. http://www.openbsd.org/stable.html)

2) Get the -current (!) sources for isakmpd only:

   # cd /usr/src/sbin/isakmpd
   # cvs -q update -PAd
   # make cleandir
   # make obj
   # make depend
   # make
   # make install

3) IPF rules (Part 1: My own stupidity): Don't accidentally "block in quick" your private network range (anti-spoofing rules) before you allow the VPN traffic.

4) IPF rules (Part 2: VPN test rules):

   # use these as a starting point and close them down as you need them
   # i.e. replacing "any" with the IPs of your gateways/networks.
   #
   pass in quick on [public-if] proto udp from any to any port = 500
   pass out quick on [public-if] proto udp from any to any port = 500
   pass in quick on [public-if] proto esp from any to any
   pass out quick on [public-if] proto esp from any to any
   pass in quick on enc0 all
   pass out quick on enc0 all

Acknowledgements: An immeasurable amount of thanks to Hakan Olsson for providing me with all the necessary pointers and step-by-step instructions to overcome my tunnel vision syndrome in this matter.

Any comments welcome,
Jason
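As an added example (not part of Jason's mail), a small sh script that reads a "netstat -nrf encap" listing and flags the 3-in/1-out flow asymmetry given under the symptoms above, so the broken state can be spotted before the tunnel is relied on. The listing format and the sample entries are assumptions, constructed to resemble OpenBSD's encap routing table (one flow per line, SA column last, ending in "/in" or "/out"), so check the column layout against your release.

```shell
#!/bin/sh
# Added example: detect the in/out flow asymmetry the mail describes.
# The listing format below is an assumption (modelled on OpenBSD's encap
# routing table); adjust the field handling if your release differs.

# Constructed sample listing showing the broken state from the text.
BROKEN_ENCAP='Routing tables

Encap:
Source          Port  Destination     Port  Proto SA(Address/Proto/Type/Direction)
10.0.0/24       0     10.0.1/24       0     0     192.0.2.2/50/use/in
10.0.0.1/32     0     10.0.1/24       0     0     192.0.2.2/50/use/in
10.0.0/24       0     10.0.1.1/32     0     0     192.0.2.2/50/use/in
10.0.0/24       0     10.0.1/24       0     0     192.0.2.2/50/require/out'

# Constructed sample listing of a healthy tunnel (one flow per direction).
HEALTHY_ENCAP='Encap:
Source          Port  Destination     Port  Proto SA(Address/Proto/Type/Direction)
10.0.0/24       0     10.0.1/24       0     0     192.0.2.2/50/use/in
10.0.0/24       0     10.0.1/24       0     0     192.0.2.2/50/require/out'

# count_flows DIR: print how many flow lines on stdin have an SA column
# ending in "/DIR" (DIR is "in" or "out"); the header line is skipped.
count_flows() {
    awk -v d="/$1" 'index($0, "SA(") == 0 && $NF ~ (d "$") { n++ }
                    END { print n + 0 }'
}

# check_flows: print the per-direction counts for the listing on stdin and
# return 0 when they match, 1 when they do not (the symptom above).
check_flows() {
    listing=$(cat)
    ins=$(printf '%s\n' "$listing" | count_flows in)
    outs=$(printf '%s\n' "$listing" | count_flows out)
    printf 'flows: %s in, %s out\n' "$ins" "$outs"
    [ "$ins" -eq "$outs" ]
}

# Usage on a live gateway: netstat -nrf encap | check_flows
printf '%s\n' "$BROKEN_ENCAP" | check_flows ||
    echo 'asymmetric flows: reset the VPN (kill isakmpd, "ipsecadm flush")'
```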