Subject: Using isakmpd between NetBSD and others...
To: None <tech-net@netbsd.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 08/12/2001 12:57:11
Is there anyone out there who is having a good time using isakmpd talking
to other boxes running it, including OpenBSD as well as Windows 2000?
Oh, I'm using transport mode, not tunnel...

I'm using NetBSD 1.5 with isakmpd from pkgsrc - will newer versions than
the one in pkgsrc work better with 1.5 ?

To summarize the problems I see:
* I cannot initiate an IPsec session between NetBSD 1.5 and either Windows
  2000 (SP2) or OpenBSD 2.9 from the NetBSD box.  If I try, nothing happens,
  and to set one up from the other end I need to flush the SPD table and
  restart isakmpd.

* If one end gets "rebooted" (i.e. the Windows 2000 box) while it is able to
  talk to NetBSD using IPsec, then IPsec stops working and you need to
  restart it on NetBSD as well.  Or more accurately, you need to have
  the two ends do a synchronised restart of IPsec.  The same seems to
  also apply to isakmpd between NetBSD 1.5 and OpenBSD 2.9.

* Negotiation of which crypto/hashing to use fails between NetBSD 1.5 and
  Windows 2000.  I haven't dared try it between NetBSD 1.5 and OpenBSD 2.9.

Does anyone have any success stories on how to resolve some of the above
problems, or tips on configuring isakmpd.conf?  I'm particularly interested
in success stories about people configuring NetBSD firewalls/isakmpd servers
for "road warriors" with Windows on a laptop, using IPsec to tunnel across
the Internet.  So far the best I can say is "not ready yet" :-(

Darren