[Linux 2.6] racoon questions
Hi
This is a little OT for debian-user, but I hope there are some here with the native
kernel 2.5/2.6 implementation of IPsec.
I'm not sure if I got the real purpose of racoon.
I have here Debian unstable with kernel 2.6.0-test8 and ipsec-tools 0.2.2
installed. I'd like to establish a VPN connection to my University via the
native IPsec stack and the KAME tools.
The university provides a Cisco VPN userspace program to do that. This
vpnclient does not work with kernel 2.5/2.6.
My question: Are the KAME tools (especially racoon) able to do the same thing
as "vpnclient" from Cisco?
I read many guides and tried many configs but never got it to work. I never even
got racoon to try to establish an IPsec connection.
Is racoon only here to do VPN between two racoons, or also "normal" VPN
connections like "vpnclient" from Cisco?
The only info I have from my University is the VPN server name, my username and
my password. There are no certs or such stuff.
I'll append my config files. racoon.out holds the output of "racoon -F". As you
can see there is no error, but I can ping "vpn-cluster.ethz.ch" as long as I
want; racoon does nothing... ipsec is a script which sets the security
policies.
cheers,
Raffaele
--
Raffaele Sandrini <rasa@gmx.ch>
Annoyed about M$ Windows? Don't worry. Try Linux! (www.linux.org)
--- attachment: ipsec (setkey script) ---
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd uranos vpn-cluster.ethz.ch any -P out ipsec
esp/transport//require;
spdadd vpn-cluster.ethz.ch localhost any -P in ipsec
esp/transport//require;
--- attachment: psk.txt ---
129.132.99.163 <password>
<username>@ethz.ch <password>
--- attachment: racoon.conf ---
path include "/etc/racoon" ;
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/racoon/cert" ;
log debug;
remote anonymous
{
exchange_mode aggressive,main,base;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
--- attachment: racoon.out ---
2003-10-26 11:19:31: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2003-10-26 11:19:31: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2003-10-26 11:19:31: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp1024)
2003-10-26 11:19:31: DEBUG: pfkey.c:2246:pk_checkalg(): compression algorithm can not be checked because sadb message does n't support it.
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.20.50 (eth0)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:676:autoconf_myaddrsport(): configuring default isakmp port.
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:698:autoconf_myaddrsport(): 2 addrs are configured successfully
2003-10-26 11:19:31: INFO: isakmp.c:1362:isakmp_open(): 192.168.20.50[500] used as isakmp port (fd=6)
2003-10-26 11:19:31: INFO: isakmp.c:1362:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2003-10-26 11:19:31: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-10-26 11:19:31: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-10-26 11:19:31: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbffff750: 127.0.0.1/32[0] 129.132.99.163/32[0] proto=any dir=out
2003-10-26 11:19:31: DEBUG: policy.c:184:cmpspidxstrict(): db :0x809e3b0: 129.132.99.163/32[0] 127.0.0.1/32[0] proto=any dir=in
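A check for the attached racoon.out, as an added example that is not part of the original post: racoon only starts negotiating when the kernel sends it an ACQUIRE for a packet that matches an SPD entry, and the two cmpspidxstrict lines show both policies were installed with 127.0.0.1 as the local end (the name uranos resolved to the loopback address, just like localhost), so packets leaving 192.168.20.50 never match them. The script below parses lines in that format (the sample lines are constructed from the output above) and reports SPD entries whose local end is not a usable interface address; the peer address 129.132.99.163 is the one from psk.txt.

```python
import re

# Constructed sample in the format of the racoon -F debug output attached above
SAMPLE_LOG = """\
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.20.50 (eth0)
2003-10-26 11:19:31: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbffff750: 127.0.0.1/32[0] 129.132.99.163/32[0] proto=any dir=out
2003-10-26 11:19:31: DEBUG: policy.c:184:cmpspidxstrict(): db :0x809e3b0: 129.132.99.163/32[0] 127.0.0.1/32[0] proto=any dir=in
"""

# "my interface: <addr> (<ifname>)" lines written by grab_myaddrs()
IFACE_RE = re.compile(r"my interface: (\S+) \((\w+)\)")
# "<src>/<plen>[port] <dst>/<plen>[port] proto=<p> dir=<in|out>" from cmpspidxstrict()
SPD_RE = re.compile(r"(\S+)/\d+\[\d+\] (\S+)/\d+\[\d+\] proto=\S+ dir=(in|out)")

def parse_log(text):
    """Return ({address: ifname}, [(src, dst, direction), ...]) from racoon debug lines."""
    ifaces, policies = {}, []
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            ifaces[m.group(1)] = m.group(2)
            continue
        m = SPD_RE.search(line)
        if m and m.groups() not in policies:  # racoon dumps the SPD twice at startup
            policies.append(m.groups())
    return ifaces, policies

def check_policies(ifaces, policies, peer):
    """Report SPD entries that can never match traffic to the VPN peer.
    The kernel only sends racoon an ACQUIRE for a packet that matches an SPD
    entry; a policy whose local end is the loopback address is never hit by
    packets leaving a real NIC, so racoon sits idle without any error."""
    findings = []
    for src, dst, direction in policies:
        local, remote = (src, dst) if direction == "out" else (dst, src)
        if remote != peer:
            findings.append(f"dir={direction}: remote end {remote} is not the peer {peer}")
        elif ifaces.get(local) == "lo":
            findings.append(f"dir={direction}: local end {local} is the loopback address")
        elif local not in ifaces:
            findings.append(f"dir={direction}: local end {local} is not a configured address")
    return findings

if __name__ == "__main__":
    ifaces, policies = parse_log(SAMPLE_LOG)
    for finding in check_policies(ifaces, policies, "129.132.99.163"):
        print(finding)
```

Run it against a real racoon.out captured with "log debug" to see whether the installed policies actually name the address of the interface the packets leave from.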