These pages are out of date and presented here for historical purposes only.
Please follow this link for the current pages.
Troubleshooting
Sometimes (well, it has happened to all of us) things don't quite work as we expect them to. Here are some pointers on where you should start your troubleshooting.
Things to look out for
- File permissions on the isakmpd.conf and isakmpd.policy files. They need to be owned by root and readable only by root. 'chmod 600 /etc/isakmpd/isakmpd*' will take care of that for us.
- Only one isakmpd can run at a time. If you get a startup message saying "can not bind udp port 500" or something like that, you most likely already have an isakmpd running. Check with 'ps -ax | grep isakmpd' and kill accordingly.
- A real caveat is that sometimes you get whitespace (spaces) after your pre-shared key in isakmpd.conf, and then the space gets counted as part of the pre-shared key. Open up isakmpd.conf in your favourite editor and make sure that there are no spaces after your pre-shared secret.
- IP forwarding is not enabled on your isakmpd host. Your tunnel gets negotiated, but you can't seem to get your packets through. Check your /etc/sysctl.conf and make sure 'sysctl net.inet.ip.forwarding' shows that forwarding is enabled.
- Proxy ARP is not enabled (Virtual ID setups only). If you enable virtual ID you need to make sure that your OpenBSD machine will answer ARP requests for the virtual IP. 'ifconfig interface alias virtual_ip 255.255.255.255' is the easiest way to enable proxy ARP (exchange interface for your interface name (fxp0, xl0, ...) and virtual_ip for the virtual IP in the ifconfig command). Also edit your /etc/hostname.if to make your changes permanent (check 'man hostname.if' to learn how to do that).
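The checks in the list above can be scripted so they run before every isakmpd restart. The following script is an added example, not part of the original page or of isakmpd itself. It assumes the config lives in /etc/isakmpd/ (overridable with CONF and POLICY), takes "Authentication=" as the line that carries the pre-shared key, and uses the OpenBSD sysctl name from the page; the sample config used in the comments is constructed. The proxy-ARP item is not checked, since it depends on the interface and virtual IP you chose.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for the
# isakmpd pitfalls listed above. Every check takes a path argument so it
# can be pointed at a copy of the real file for testing.

CONF=${CONF:-/etc/isakmpd/isakmpd.conf}
POLICY=${POLICY:-/etc/isakmpd/isakmpd.policy}

# Mode must be exactly rw------- (0600). Parsing ls output keeps this
# portable between BSD and Linux, whose stat(1) flags differ.
check_mode() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# The files must be owned by root.
check_owner() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "root" ]
}

# Any config line ending in whitespace is reported: with a constructed line
# such as "Authentication= mekmitasdigoat " the trailing blank becomes part
# of the pre-shared key. Returns 1 (and prints the offending lines) if found.
check_trailing_ws() {
    if grep -n '[[:space:]]$' "$1"; then
        return 1
    fi
    return 0
}

# Number of isakmpd processes already running (only one may bind udp/500).
# grep -c exits 1 on zero matches, so "|| true" keeps the count usable
# under "set -e".
isakmpd_count() {
    ps ax 2>/dev/null | grep -c '[i]sakmpd' || true
}

# Returns 0 when IP forwarding is on (OpenBSD sysctl name from the page).
check_forwarding() {
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# Run every check against the real files and print one verdict per line.
run_checks() {
    for f in "$CONF" "$POLICY"; do
        check_mode "$f" && echo "ok   mode 600: $f" \
            || echo "FAIL mode is not 600: $f (chmod 600 $f)"
        check_owner "$f" && echo "ok   owner root: $f" \
            || echo "FAIL owner is not root: $f"
    done
    check_trailing_ws "$CONF" && echo "ok   no trailing whitespace in $CONF" \
        || echo "FAIL trailing whitespace on the line(s) listed above in $CONF"
    n=$(isakmpd_count)
    [ "$n" -le 1 ] && echo "ok   isakmpd processes running: $n" \
        || echo "FAIL $n isakmpd processes running; only one may bind udp/500"
    check_forwarding && echo "ok   net.inet.ip.forwarding=1" \
        || echo "FAIL net.inet.ip.forwarding is not 1 (check /etc/sysctl.conf)"
}

# Stand-alone use: sh isakmpd-precheck.sh run
case "${1:-}" in
    run) run_checks ;;
esac
```

Run it as root with the argument "run" on the gateway; each function can also be sourced and used on its own, e.g. 'check_trailing_ws /etc/isakmpd/isakmpd.conf' to see exactly which lines carry a trailing blank.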
Further Analysis
'isakmpd -d'
Start isakmpd with 'isakmpd -d'. isakmpd will output things like wrong file permissions and typos in the configuration file. On connect you might see things like "NO PROPOSAL CHOSEN", which can either mean that the configuration parameters of the client and the server don't match, or that you have typed the wrong pre-shared key.
'isakmpd -L' and 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'
This one is really nice for checking whether the configurations of the client and the server match, and also for learning how to create isakmpd.conf files for new clients. With 'isakmpd -L', isakmpd will dump, in tcpdump format, everything it sends and receives to /var/run/isakmpd.pcap. You then check what happened with 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'. Look here for an example output of isakmpd -L and tcpdump. This output is typically what you want to send to the mailing list when you want help with something, if the above doesn't help you.
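Before pasting a whole tcpdump dump into a mailing-list post, it helps to pull out the lines that answer the two questions raised above: did the peers get past phase 1, and which notification (such as NO PROPOSAL CHOSEN) ended the exchange. The script below is an added example, not from the original page or from isakmpd/tcpdump. Its sample input is constructed in the style of tcpdump's ISAKMP printer; the exact wording differs between tcpdump versions, so the patterns are deliberately loose and the functions read from standard input so real 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap' output can be piped into them.

```shell
#!/bin/sh
# Added example (not from the original page): summarise the text output of
# 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'. SAMPLE is constructed to
# resemble tcpdump's ISAKMP output: an ID_PROT (main mode) phase 1 that the
# responder answers with an informational NO-PROPOSAL-CHOSEN notification.

SAMPLE='12:00:01.000000 10.0.0.1.500 > 192.0.2.2.500: isakmp 1.0 msgid 00000000: phase 1 I ident: (sa: doi=ipsec situation=identity)
12:00:01.010000 192.0.2.2.500 > 10.0.0.1.500: isakmp 1.0 msgid 00000000: phase 1 R ident: (sa: doi=ipsec situation=identity)
12:00:01.020000 10.0.0.1.500 > 192.0.2.2.500: isakmp 1.0 msgid 00000000: phase 1 I ident: (ke: key len=128) (nonce: n len=16)
12:00:01.030000 192.0.2.2.500 > 10.0.0.1.500: isakmp 1.0 msgid 00000000: phase 1 R inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)'

# Keep only packet header lines (timestamp first), dropping the indented
# payload detail, so a short summary can be pasted instead of the whole dump.
packet_lines() {
    grep '^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]'
}

# Count phase 1 and phase 2 packets; a dump with phase2=0 never got past
# the ISAKMP SA, which points at proposals or the pre-shared key.
phase_counts() {
    awk '/phase 1/ {p1++} /phase 2/ {p2++} END {printf "phase1=%d phase2=%d\n", p1+0, p2+0}'
}

# Print every distinct notification type with its count ("1 NO-PROPOSAL-CHOSEN").
# sed is used instead of grep -o to stay POSIX.
notify_types() {
    sed -n 's/.*type=\([A-Za-z_-][A-Za-z_-]*\).*/\1/p' | sort | uniq -c | sed 's/^ *//'
}

# Exit 0 if a NO PROPOSAL CHOSEN notification appears in any spelling
# (tcpdump uses hyphens, the page writes it with spaces).
no_proposal_seen() {
    grep -qi 'no[-_ ]proposal[-_ ]chosen'
}

# Stand-alone demo on the constructed sample:
#   sh isakmp-summary.sh demo
# With a real capture:
#   tcpdump -avs 1440 -r /var/run/isakmpd.pcap | notify_types
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | phase_counts
    printf '%s\n' "$SAMPLE" | notify_types
    if printf '%s\n' "$SAMPLE" | no_proposal_seen; then
        echo "NO PROPOSAL CHOSEN seen: compare the phase 1 transforms and the pre-shared key on both ends"
    fi
fi
```

On the constructed sample the demo reports four phase 1 packets, no phase 2 packets, and a single NO-PROPOSAL-CHOSEN notification, which is exactly the mismatch-or-wrong-key situation described under 'isakmpd -d'.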