On Mon, Jun 07 2010 at 10:18, [email protected] wrote:
> Actually, thinking about this again, I see from "netstat -an" that
> isakmpd listens on all ports by default. Therefore needing to
> specify it in isakmpd.conf should be unnecessary, no?
My bad, normally the "local" directive in ipsec.conf should be ok.
Binding to a specific address was necessary in my case because I had
more than 255 local addresses (*lots* of VLANs...).
> The precise errors I am seeing at present are:
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from 10.0.0.2 port 500 due to notification
> type INVALID_ID_INFORMATION
>
> I have reduced configs to minimal levels:
>
> ike esp from 10.0.0.2 to 10.0.0.1 local 10.0.0.1 peer 10.0.0.2 \
> psk *******
>
> ike esp from 10.0.0.1 to 10.0.0.2 local 10.0.0.2 peer 10.0.0.1 \
> psk *******
>
> I can ping 10.0.0.2/10.0.0.1 from each other.
Here is the configuration I used between 2 peers:
ike esp tunnel \
from 10.10.10.6 to 10.10.10.5 \
main auth hmac-sha1 enc aes group grp5 \
quick auth hmac-sha1 enc aes group grp5 \
psk OpenBSD
As stated, just adding the "local" keyword should suffice.
Claer
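A small consistency check for the kind of host-to-host ipsec.conf(5) rule pair discussed in this thread. This is an added example, not code from either poster or from OpenBSD: it parses the `ike` rules of two peers and reports where they fail to mirror each other (from/to, local/peer, psk, main/quick transforms, encapsulation flags). The per-host check assumes that flows are written from the local side, so for a host-to-host rule that names `local`, the `from` address should be that same host; the configuration texts and the PSK value are constructed sample input.

```python
"""Consistency check for a pair of ipsec.conf(5) 'ike' rules (added example)."""
import shlex

# Keywords that take exactly one value.
_SINGLE = {"from", "to", "local", "peer", "psk", "srcid", "dstid"}
# Phase keywords followed by transform pairs such as "auth hmac-sha1 enc aes".
_PHASES = {"main", "quick"}
_TRANSFORM_KEYS = {"auth", "enc", "group", "lifetime"}
# Bare keywords that select mode/encapsulation and take no value.
_FLAGS = {"ike", "esp", "ah", "ipcomp", "tunnel", "transport", "active", "passive", "dynamic"}

# Constructed sample rules for two peers, modelled on the thread's example
# (sample input, not the configuration from the original mail).
PEER_A_CONF = """
# peer A (10.0.0.1)
ike esp tunnel from 10.0.0.1 to 10.0.0.2 local 10.0.0.1 peer 10.0.0.2 \\
    main auth hmac-sha1 enc aes group grp5 \\
    quick auth hmac-sha1 enc aes group grp5 \\
    psk EXAMPLE_PSK
"""
PEER_B_CONF = """
# peer B (10.0.0.2)
ike esp tunnel from 10.0.0.2 to 10.0.0.1 local 10.0.0.2 peer 10.0.0.1 \\
    main auth hmac-sha1 enc aes group grp5 \\
    quick auth hmac-sha1 enc aes group grp5 \\
    psk EXAMPLE_PSK
"""


def parse_ike_rules(text):
    """Parse the 'ike' rules of an ipsec.conf text into a list of dicts."""
    joined = text.replace("\\\n", " ")          # join backslash continuations
    rules = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line.startswith("ike"):
            continue
        tokens = shlex.split(line)
        rule = {"flags": set(), "main": {}, "quick": {}}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in _PHASES:
                i += 1
                while i + 1 < len(tokens) and tokens[i] in _TRANSFORM_KEYS:
                    rule[tok][tokens[i]] = tokens[i + 1]
                    i += 2
            elif tok in _SINGLE:
                rule[tok] = tokens[i + 1]
                i += 2
            elif tok in _FLAGS:
                rule["flags"].add(tok)
                i += 1
            else:
                raise ValueError("unsupported token %r in: %s" % (tok, line))
        rules.append(rule)
    return rules


def check_rule(rule, label):
    """Per-host check. Assumption: flows are written from the local side, so a
    host-to-host rule that names 'local' should have 'from' equal to it."""
    findings = []
    for key in ("from", "to", "psk"):
        if key not in rule:
            findings.append("%s: missing '%s'" % (label, key))
    local, src = rule.get("local"), rule.get("from")
    if local and src and "/" not in src and src != local:
        findings.append("%s: 'from %s' is not the local address %s" % (label, src, local))
    return findings


def check_pair(rule_a, rule_b, label_a="peer A", label_b="peer B"):
    """Return a list of findings; an empty list means the two rules are consistent."""
    findings = check_rule(rule_a, label_a) + check_rule(rule_b, label_b)
    # Endpoints and flows on one side must be the mirror image of the other.
    for key_a, key_b in (("from", "to"), ("to", "from"), ("local", "peer"), ("peer", "local")):
        va, vb = rule_a.get(key_a), rule_b.get(key_b)
        if va != vb:
            findings.append("%s '%s %s' does not mirror %s '%s %s'"
                            % (label_a, key_a, va, label_b, key_b, vb))
    # Shared secret and phase-1/phase-2 transforms must be identical on both sides.
    for key in ("psk", "main", "quick"):
        if rule_a.get(key) != rule_b.get(key):
            findings.append("'%s' differs between %s and %s" % (key, label_a, label_b))
    # Encapsulation and tunnel/transport mode must match.
    if rule_a["flags"] != rule_b["flags"]:
        findings.append("mode flags differ: %s vs %s"
                        % (sorted(rule_a["flags"]), sorted(rule_b["flags"])))
    return findings


if __name__ == "__main__":
    rule_a = parse_ike_rules(PEER_A_CONF)[0]
    rule_b = parse_ike_rules(PEER_B_CONF)[0]
    for finding in check_pair(rule_a, rule_b) or ["rules are consistent"]:
        print(finding)
```

Feed it the two hosts' ipsec.conf texts before running ipsecctl; a mismatch in identities or endpoints is the sort of thing that otherwise surfaces only as an INVALID_ID_INFORMATION notification in the isakmpd log.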