
Kernel 2.6 racoon <--> Sonicwall VPN

Greetings all,

  If this is the wrong list for this question please advise where I should go.

  I have a Debian stable box running kernel 2.4 with the FreeSWAN patches. 
This configuration has been working for quite some time. I now have a need to 
move to kernel 2.6 and would like to use the native ipsec stack and racoon 
ike daemon.

  I installed 2.6.12-1-k7, ipsec-tools, and racoon. I created a config that 
matched my FreeSWAN config using shared keys. I am unable to get the tunnels 

My racoon log shows the connection fails at phase 1. Here is a snippet:
2005-11-22 10:03:02: INFO: request for establishing IPsec-SA was queued due to 
no phase1 found.
2005-11-22 10:03:06: INFO: respond new phase 1 negotiation:
2005-11-22 10:03:06: INFO: begin Identity Protection mode.
2005-11-22 10:03:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2005-11-22 10:03:06: ERROR: no suitable proposal found.
2005-11-22 10:03:06: ERROR: failed to get valid proposal.
2005-11-22 10:03:06: ERROR: failed to process packet.

My ipsec-tools.conf:
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.

## Flush the SAD and SPD

# (the source/destination prefixes and the policy after "ipsec" are missing
#  from the posted copy of these two lines)
spdadd any -P out ipsec
spdadd any -P in ipsec

My racoon.conf:
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
# Simple racoon.conf
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
# Please read racoon.conf(5) for details, and also read setkey(8).
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log notify; # or notify,debug,debug2

# "padding" defines some parameter of padding.  You should not touch these.
padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen {
        # the listen address was stripped from the posted copy; placeholder only
        isakmp LISTEN_ADDRESS [500];
}

# Specification of default various timer.
timer {
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# Cherrydale to corp
# the peer gateway address was stripped from the posted copy; placeholder only
remote PEER_GATEWAY_ADDRESS {
        lifetime time 24 hours;
        exchange_mode main;
        send_cr off;
        send_cert off;
        proposal {
                #encryption_algorithm blowfish;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 300 seconds;
        }
}

# local net to remote net
# (the local/remote prefixes before each "any" are missing from the posted copy)
sainfo address any address any {
        lifetime time 12 hours;
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm   deflate;
}
# End Cherrydale to corp

My SonicWall config:
Phase 1:
	Exchange: Main Mode
	DH Group: Group 2
	Encryption: 3DES
	Authentication: SHA1

Phase 2
	Protocol: ESP
	Encryption: 3DES
	Authentication: SHA1

Any idea what I am missing?


James Crow
Ultratan, Inc.
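When racoon logs "no suitable proposal found" in phase 1, the first check is whether the attributes in the local proposal {} block line up with what the peer says it offers. The script below is an added example for this thread, not code from the original post or from ipsec-tools: it parses the racoon phase 1 proposal and the SonicWall "Phase 1" list quoted above, normalises the vendor labels to racoon keyword names (the PEER_KEYS and PEER_VALUES tables are assumptions), and reports each attribute as match, mismatch, or not stated on the peer side. Run against the posted data it shows encryption, hash, DH group and exchange mode agreeing, and flags lifetime and authentication method as attributes the peer listing never states, which is where a practitioner would look next.

```python
"""Compare a racoon phase 1 proposal with a peer's stated IKE phase 1 settings.

Added example for this thread; not code from the original post or from
ipsec-tools. The two text blocks are copies of what the post shows; the
normalisation tables are assumptions about vendor wording.
"""
import re

# racoon.conf phase 1 excerpt as posted (peer address is a placeholder).
RACOON_CONF = """
remote PEER_GATEWAY_ADDRESS {
        lifetime time 24 hours;
        exchange_mode main;
        proposal {
                #encryption_algorithm blowfish;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 300 seconds;
        }
}
"""

# Peer settings copied from the "Phase 1" section of the post.
SONICWALL_PHASE1 = """
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
"""

# Vendor-style labels mapped onto racoon keyword names (assumed table).
PEER_KEYS = {
    "exchange": "exchange_mode",
    "dh group": "dh_group",
    "encryption": "encryption_algorithm",
    "authentication": "hash_algorithm",
}
# Vendor-style values mapped onto racoon values (assumed table).
PEER_VALUES = {
    "main mode": "main",
    "aggressive mode": "aggressive",
    "group 1": "1",
    "group 2": "2",
    "group 5": "5",
    "group 14": "14",
}


def parse_racoon_phase1(text):
    """Return {keyword: value} for exchange_mode plus every directive inside
    the proposal {} block. Comments are dropped; directives end with ';'."""
    settings = {}
    in_proposal = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("proposal"):
            in_proposal = True
            continue
        if line == "}":
            in_proposal = False
            continue
        m = re.match(r"(\w+)\s+(.+?);$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "exchange_mode" or in_proposal:
            settings[key] = value
    return settings


def parse_peer_phase1(text):
    """Return {racoon keyword: value} from 'Label: Value' lines."""
    settings = {}
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        label, value = (part.strip().lower() for part in raw.split(":", 1))
        key = PEER_KEYS.get(label)
        if key is None:
            continue
        settings[key] = PEER_VALUES.get(value, value)
    return settings


def compare_phase1(local, peer):
    """Return {keyword: 'match' | 'mismatch' | 'peer-unknown'} for every
    attribute in the local proposal; 'peer-unknown' means the peer listing
    does not state that attribute at all."""
    report = {}
    for key, value in local.items():
        if key not in peer:
            report[key] = "peer-unknown"
        elif peer[key].lower() == value.lower():
            report[key] = "match"
        else:
            report[key] = "mismatch"
    return report


if __name__ == "__main__":
    local = parse_racoon_phase1(RACOON_CONF)
    peer = parse_peer_phase1(SONICWALL_PHASE1)
    for key, status in compare_phase1(local, peer).items():
        print(f"{key:24} local={local[key]!r:22} peer={peer.get(key)!r:10} {status}")
```

The comparison only covers what both sides state; an attribute reported as peer-unknown (here the phase 1 lifetime and the authentication method) has to be read off the peer's full configuration or from a debug-level racoon log before it can be ruled in or out as the cause of the proposal failure.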
