Hi. This is a little OT for debian-user, but I hope there are some here who know the native kernel 2.5/2.6 implementation of IPSec.
I'm not sure if I got the real purpose of racoon. I have here Debian unstable with kernel 2.6.0-test8 and ipsec-tools 0.2.2 installed. I'd like to establish a VPN connection to my university via the native IPsec stack and the KAME tools. The university provides a Cisco VPN userspace program to do that. This vpnclient does not work with kernel 2.5/2.6.

My question: are the KAME tools (especially racoon) able to do the same thing as "vpnclient" from Cisco? I read many guides and tried many configs but never got it to work. I never even got racoon to try to establish an IPsec connection. Is racoon only here to do VPN between two racoons, or also "normal" VPN connections like "vpnclient" from Cisco?

The only info I have from my university is the VPN server name, my username and my password. There are no certs or such stuff.

I'll append my config files. racoon.out holds the output of "racoon -F". As you can see there is no error, but I can ping "vpn-cluster.ethz.ch" as long as I want; racoon does nothing... ipsec is a script which sets the security policies.

cheers,
Raffaele

-- 
Raffaele Sandrini <[EMAIL PROTECTED]>
Annoyed about M$ Windows? Don't worry. Try Linux! (www.linux.org)
#!/usr/sbin/setkey -f
flush;
spdflush;
# outbound: traffic from this host to the VPN server must be ESP-protected (transport mode)
spdadd uranos vpn-cluster.ethz.ch any -P out ipsec esp/transport//require;
# inbound: traffic from the VPN server to this host must be ESP-protected (transport mode)
spdadd vpn-cluster.ethz.ch localhost any -P in ipsec esp/transport//require;
129.132.99.163 <password>
<username>@ethz.ch <password>
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";
log debug;

remote anonymous {
        exchange_mode aggressive,main,base;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
2003-10-26 11:19:31: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 [EMAIL PROTECTED]
2003-10-26 11:19:31: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7c 30 Sep 2003 (http://www.openssl.org/)
2003-10-26 11:19:31: DEBUG: algorithm.c:610:alg_oakley_dhdef(): hmac(modp1024)
2003-10-26 11:19:31: DEBUG: pfkey.c:2246:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.20.50 (eth0)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:676:autoconf_myaddrsport(): configuring default isakmp port.
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:698:autoconf_myaddrsport(): 2 addrs are configured successfully
2003-10-26 11:19:31: INFO: isakmp.c:1362:isakmp_open(): 192.168.20.50[500] used as isakmp port (fd=6)
2003-10-26 11:19:31: INFO: isakmp.c:1362:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2003-10-26 11:19:31: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-10-26 11:19:31: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey X_SPDDUMP message
2003-10-26 11:19:31: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbffff750: 127.0.0.1/32[0] 129.132.99.163/32[0] proto=any dir=out
2003-10-26 11:19:31: DEBUG: policy.c:184:cmpspidxstrict(): db :0x809e3b0: 129.132.99.163/32[0] 127.0.0.1/32[0] proto=any dir=in
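A small consistency check, added here as an example and not part of the original post: it parses the setkey policies above together with the "my interface" lines from racoon.out and reports any policy whose local endpoint is not an address racoon could initiate IKE from, plus in/out policies that are not mirror images. The HOSTS table is an assumption standing in for /etc/hosts (the policy dump in the log suggests uranos resolved to 127.0.0.1); all inputs are constructed from the post.

```python
import re

# Constructed stand-in for /etc/hosts and DNS so the check runs offline (assumption).
HOSTS = {"uranos": "127.0.0.1", "localhost": "127.0.0.1",
         "vpn-cluster.ethz.ch": "129.132.99.163"}

# Constructed copies of the two policy lines and the interface lines from the post.
SETKEY_SCRIPT = """\
flush;
spdflush;
spdadd uranos vpn-cluster.ethz.ch any -P out ipsec esp/transport//require;
spdadd vpn-cluster.ethz.ch localhost any -P in ipsec esp/transport//require;
"""
RACOON_LOG = """\
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 127.0.0.1 (lo)
2003-10-26 11:19:31: DEBUG: grabmyaddr.c:389:grab_myaddrs(): my interface: 192.168.20.50 (eth0)
"""

SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+);")
IFACE = re.compile(r"my interface: (\d+\.\d+\.\d+\.\d+) \((\w+)\)")

def parse_policies(script, hosts):
    """Return (src, dst, direction, rule) tuples with hostnames resolved via `hosts`."""
    pols = []
    for line in script.splitlines():
        m = SPDADD.match(line.strip())
        if m:
            src, dst, direction, rule = m.groups()
            pols.append((hosts.get(src, src), hosts.get(dst, dst), direction, rule))
    return pols

def racoon_interfaces(log):
    """Map address -> interface name from racoon's 'my interface' debug lines."""
    return {ip: name for ip, name in IFACE.findall(log)}

def check_policies(pols, ifaces):
    """List policies that can never match real traffic or lack a mirror policy."""
    findings = []
    for src, dst, direction, _rule in pols:
        local = src if direction == "out" else dst   # this host's side of the policy
        name = ifaces.get(local)
        if name is None or name == "lo":
            findings.append(f"{direction} policy local endpoint {local} is "
                            f"{name or 'not a racoon interface'}: packets leaving eth0 never match it")
    outs = {(s, d) for s, d, dr, _ in pols if dr == "out"}
    ins = {(d, s) for s, d, dr, _ in pols if dr == "in"}   # flipped so mirrors compare equal
    for a, b in outs ^ ins:
        findings.append(f"policy {a} -> {b} has no mirror in the other direction")
    return findings

if __name__ == "__main__":
    for f in check_policies(parse_policies(SETKEY_SCRIPT, HOSTS), racoon_interfaces(RACOON_LOG)):
        print(f)
```

Without a policy whose local endpoint is the address traffic actually leaves from, the kernel never sends an ACQUIRE for that traffic, so racoon has nothing to negotiate.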