"IPSEC ISAKMPD-FreeS/WAN + X509"

"IPSEC ISAKMPD-FreeS/WAN + X509" 
Сообщение от azazela (ok) on 11-Ноя-05, 09:05 (MSK)
Привет всем, уже запарился, а у самого никак не получается, трабл следующий:
Пытаюсь соединить OpenBSD с ISAKMPD и Linux с FreeS/WAN.
OpenBSD выступает в качестве CA, и на ней же генерили все ключи и сертификаты. Для начала соединили OpenBSD c CA --- OpenBSD, всё заработало.
Со следующим конфигом:

isakmpd.conf
# isakmpd.conf on the OpenBSD side (192.168.250.100), as posted.
[General]
Listen-on=              192.168.250.100
[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/192.168.250.100.key
# NOTE(review): the posted isakmpd.policy names only the CA's DN under
# Licensees, so (as far as KeyNote delegation through X.509 goes) any
# certificate signed by that CA should satisfy the policy -- confirm against
# isakmpd.policy(5) and narrow Licensees/Conditions if only specific peers
# are meant to be accepted.
[Phase 1]
# NOTE(review): this section is keyed on the remote address. The key here is
# .102, while the peer section below has Address= .101 (the Linux box). As
# initiator isakmpd uses Address=, but an exchange started by .101 would not
# be matched by this entry -- presumably a leftover from the OpenBSD<->OpenBSD
# test; verify.
192.168.250.102=        ISAKMP-peer-east
[Phase 2]
Connections=            IPsec-west-east
[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Local-address=          192.168.250.100
Address=                192.168.250.101
Configuration=          Default-main-mode
# ID/Open-ID are commented out, so isakmpd identifies itself by IP address
# (the capture shows "payload: ID ... type: IPV4_ADDR = 192.168.250.100").
# The FreeS/WAN conn on the other end is keyed on the certificate DN (see its
# "ipsec auto --status" output), which is what Pluto's "no suitable
# connection for peer '192.168.250.100'" points at.
#Authentication=        
#ID=                     Open-ID
#[Open-ID]
#ID-type=                IPV4_ADDR
#Name=                   192.168.250.100
[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east
[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.1.0
Netmask=                255.255.255.0
[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.2.0
Netmask=                255.255.255.0
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG
[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
# NOTE(review): ENCAPSULATION_MODE and AUTHENTICATION_ALGORITHM are IPsec-SA
# (phase 2) attributes; in a main-mode transform they look misplaced --
# confirm with isakmpd.conf(5). The capture also shows two proposals (MD5 and
# SHA, "xforms: 2") rather than only this one, so check which transform set
# is actually in effect.
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_SHA
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
# NOTE(review): this offers AES for ESP, while the posted ipsec.conf proposes
# only 3des-sha,3des-md5; even once phase 1 succeeds, quick mode would have
# nothing in common. Use one cipher on both ends (e.g. the 3DES suite
# QM-ESP-3DES-SHA-PFS-SUITE here if AES is not available on the Linux side).
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote whose credential chains to the DN listed under Licensees
Authorizer: "POLICY"
Licensees:"DN:/C=RU/ST=Region/L=City/O=Company/OU=VPN Auth/CN=CA/emailAddress=root@mail.net"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

После чего вместо OpenBSD (второй) соединяю Linux с конфигом:

ipsec.conf
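# ipsec.conf on the Linux/FreeS/WAN side (192.168.250.101), as posted.
# Three "%" tokens in the posted text were eaten by the forum's URL-decoding
# (rendered as Cyrillic "ч"/"н"); they are restored here as
# %defaultroute / %default / %cert.
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    type=tunnel
    authby=rsasig
    auth=esp
    keyexchange=ike
    keyingtries=0
    disablearrivalcheck=no
    left=192.168.250.101
    leftsubnet=10.1.2.0/24
    leftrsasigkey=%cert
    # NOTE(review): the host certificates live under cacerts/, which Pluto
    # treats as the trust-anchor store -- the log shows it "loaded cacert file
    # '192.168.250.101.crt'" (and .100/.102) next to ca.crt, so every
    # end-entity cert placed there is also trusted as a CA. Keep only ca.crt in
    # cacerts/ and move host certs to the X.509 patch's host-cert directory
    # (verify its path for this version), adjusting leftcert/rightcert.
    leftcert=/etc/ipsec.d/cacerts/192.168.250.101.crt
    auto=add
conn Linux-Open
    # NOTE(review): parameter lines of a conn must be indented; the two lines
    # below were posted in column 1 (possibly lost in pasting) -- indented here.
    esp=3des-sha,3des-md5
    # NOTE(review): with rightid unset the peer is matched on its certificate
    # DN (see "ipsec auto --status"), but isakmpd sends ID type IPV4_ADDR
    # 192.168.250.100; Pluto's "no suitable connection for peer" follows from
    # that. Either make isakmpd present the DN or set rightid=192.168.250.100
    # here -- confirm how this X.509 patch ties an IPV4_ADDR ID to the
    # certificate (subjectAltName) before relying on it.
    right=192.168.250.100
    rightsubnet=10.1.1.0/24
    rightrsasigkey=%cert
    rightcert=/etc/ipsec.d/cacerts/192.168.250.100.crt
    compress=yes
    # NOTE(review): the isakmpd quick-mode suite on the other end is AES-based
    # while esp= above proposes 3DES only -- align the two.
    pfs=yes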

ipsec.secrets
: RSA /etc/ipsec.d/private/192.168.250.101.key "pass"

На команду ipsec auto --status следующее:

[root@linux log]# ipsec auto --status
000 interface ipsec0/eth1 192.168.250.101
000
000 "Linux-Open": 10.1.2.0/24===192.168.250.101[C=RU, ST=Region, L=City, O=Company, OU=VPN Auth, CN=192.168.250.101, E=root@mail.net]...192.168.250.100[C=RU, ST=Region, L=City, O=Company, OU=VPN Auth, CN=192.168.250.100, E=root@mail.net]===10.1.1.0/24
000 "Linux-Open":   ike_life: 9000s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Linux-Open":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth1; unrouted
000 "Linux-Open":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000

В логах:

linux ipsec__plutorun: Starting Pluto subsystem...
linux Pluto[12825]: Starting Pluto (FreeS/WAN Version 1.96)
linux Pluto[12825]:   including X.509 patch (Version 0.9.9)
linux Pluto[12825]: Changing to directory '/etc/ipsec.d/cacerts'
linux Pluto[12825]:   loaded cacert file 'ca.crt' (936 bytes)
linux Pluto[12825]:   loaded cacert file '192.168.250.102.crt' (993 bytes)
linux Pluto[12825]:   loaded cacert file '192.168.250.101.crt' (993 bytes)
linux Pluto[12825]:   loaded cacert file '192.168.250.100.crt' (993 bytes)
linux Pluto[12825]: Changing to directory '/etc/ipsec.d/crls'
linux Pluto[12825]:   Warning: empty directory
linux Pluto[12825]:   loaded my X.509 cert file '/etc/x509cert.der' (649 bytes)
linux Pluto[12825]:   loaded host cert file '/etc/ipsec.d/cacerts/192.168.250.101.crt' (993 bytes)
linux Pluto[12825]:   loaded host cert file '/etc/ipsec.d/cacerts/192.168.250.100.crt' (993 bytes)
linux Pluto[12825]: added connection description "Linux-Open"
linux Pluto[12825]: listening for IKE messages
linux Pluto[12825]: adding interface ipsec0/eth1 192.168.250.101
linux Pluto[12825]: loading secrets from "/etc/ipsec.secrets"
linux Pluto[12825]:   loaded private key file '/etc/ipsec.d/private/192.168.250.101.key' (891 bytes)
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring Vendor ID payload
linux last message repeated 3 times
linux Pluto[12825]: "Linux-Open" #1: responding to Main Mode
linux Pluto[12825]: "Linux-Open" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
linux Pluto[12825]: "Linux-Open" #1: Peer ID is ID_IPV4_ADDR: '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: no suitable connection for peer '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
linux Pluto[12825]: "Linux-Open" #1: Peer ID is ID_IPV4_ADDR: '192.168.250.100'
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: Issuer CRL not found
linux Pluto[12825]: "Linux-Open" #1: no suitable connection for peer '192.168.250.100'
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring informational payload, type INVALID_FLAGS
linux Pluto[12825]: packet from 192.168.250.100:500: received and ignored informational message
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring informational payload, type INVALID_FLAGS
linux Pluto[12825]: packet from 192.168.250.100:500: received and ignored informational message
linux Pluto[12825]: "Linux-Open" #1: max number of retransmissions (2) reached STATE_MAIN_R2
linux Pluto[12825]: packet from 192.168.250.100:500: ignoring Vendor ID payload
linux last message repeated 3 times

На OpenBSD:
# isakmpd -d -DA=9
122655.410859 Default log_debug_cmd: log level changed from 0 to 9 for class 0 [priv]
122655.412708 Default log_debug_cmd: log level changed from 0 to 9 for class 1 [priv]
122655.413229 Default log_debug_cmd: log level changed from 0 to 9 for class 2 [priv]
122655.414065 Default log_debug_cmd: log level changed from 0 to 9 for class 3 [priv]
122655.414652 Default log_debug_cmd: log level changed from 0 to 9 for class 4 [priv]
122655.415113 Default log_debug_cmd: log level changed from 0 to 9 for class 5 [priv]
122655.415631 Default log_debug_cmd: log level changed from 0 to 9 for class 6 [priv]
122655.416074 Default log_debug_cmd: log level changed from 0 to 9 for class 7 [priv]
122655.416555 Default log_debug_cmd: log level changed from 0 to 9 for class 8 [priv]
122655.416981 Default log_debug_cmd: log level changed from 0 to 9 for class 9 [priv]
122655.417457 Default log_debug_cmd: log level changed from 0 to 9 for class 10 [priv]
122704.851774 Default message_recv: cleartext phase 1 message
122704.853094 Default dropped message from 192.168.250.101 port 500 due to notification type INVALID_FLAGS
122724.871151 Default message_recv: cleartext phase 1 message
122724.873079 Default dropped message from 192.168.250.101 port 500 due to notification type INVALID_FLAGS

Где грабли ???



1. "IPSEC ISAKMPD-FreeS/WAN + X509" 
Сообщение от azazela (ok) on 18-Ноя-05, 12:22 (MSK)
>122724.871151 Default message_recv: cleartext phase 1 message
>122724.873079 Default dropped message from 192.168.250.101 port 500 due to notification type
>INVALID_FLAGS

Пробую вот так: tcpdump -avs 1440 -r /var/run/isakmpd.pcap
15:39:34.221547 192.168.250.100.isakmp > 192.168.250.101.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0000000000000000 msgid: 00000000 len: 192
        payload: SA len: 84 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 72 proposal: 1 proto: ISAKMP spisz: 0 xforms: 2
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
                payload: TRANSFORM len: 32
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 220)
15:39:41.240801 192.168.250.101.isakmp > 192.168.250.100.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 80
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32
                    transform: 0 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = MD5
                        attribute AUTHENTICATION_METHOD = RSA_SIG
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 3600 [ttl 0] (id 1, len 108)
15:39:41.259213 192.168.250.100.isakmp > 192.168.250.101.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 180
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20 [ttl 0] (id 1, len 208)
15:39:41.270789 192.168.250.101.isakmp > 192.168.250.100.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 188
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: CERTREQUEST len: 5 [ttl 0] (id 1, len 216)
15:39:41.297018 192.168.250.100.isakmp > 192.168.250.101.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 200
        payload: ID len: 12 type: IPV4_ADDR = 192.168.250.100
        payload: SIG len: 132
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT (40e840cead160881->0810a61fa1246e82) [ttl 0] (id 1, len 228)
15:39:51.315528 192.168.250.101.isakmp > 192.168.250.100.isakmp:  [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 40e840cead160881->0810a61fa1246e82 msgid: 00000000 len: 188
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: CERTREQUEST len: 5 [ttl 0] (id 1, len 216)
15:39:51.316920 192.168.250.100.isakmp > 192.168.250.101.isakmp:  [udp sum ok] isakmp v1.0 exchange INFO
        cookie: 319cf51b8c2ad284->0000000000000000 msgid: 00000000 len: 40
        payload: NOTIFICATION len: 12
            notification: INVALID FLAGS [ttl 0] (id 1, len 68)
И всё равно не понимаю, что за INVALID FLAGS.



