On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
> I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
> 4.0 VPN server running isakmpd. I already have things working with
> Openswan but would like to get it working with racoon for our Mac OS
> clients.
>
> The OpenBSD /etc/ipsec.conf config:
>   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
>       main auth hmac-sha1 enc aes group modp1024 \
>       quick auth hmac-sha1 enc aes \
>       srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
>
> ...
>
> Am I getting the sainfo section wrong in racoon.conf? With the sainfo
> section, do I still need setkey?
I've made some more changes but still cannot get it working. Looks like I
do need to use setkey. I modified the OpenBSD /etc/ipsec.conf to:

  ike passive esp from 192.168.10.0/24 to any \
      main auth hmac-sha1 enc aes group modp1024 \
      quick auth hmac-sha1 enc aes \
      srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]

and racoon.conf:

  remote 67.95.107.100 {
      exchange_mode main;
      my_identifier user_fqdn "[EMAIL PROTECTED]";
      peers_identifier fqdn "vpn-server.thewrittenword.com";
      certificate_type x509 "[EMAIL PROTECTED]" "/etc/ipsec.d/private/local.key";
      ca_type x509 "/etc/ipsec.d/cacerts/ca.crt";
      nat_traversal on;
      proposal {
          encryption_algorithm aes;
          hash_algorithm sha1;
          dh_group modp1024;
          authentication_method rsasig;
      }
  }

  sainfo anonymous {
      pfs_group 2;
      encryption_algorithm aes, 3des, blowfish;
      authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
      compression_algorithm deflate;
  }

and /etc/racoon/ipsec.conf:

  flush;
  spdflush;
  spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
      esp/tunnel/192.168.6.1-67.95.107.100/require;
  spdadd -4 192.168.10.0/24 192.168.6.1 any -P in ipsec
      esp/tunnel/67.95.107.100-192.168.6.1/require;

Any ideas?

-- 
albert chin ([EMAIL PROTECTED])
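The first thing to rule out with a setkey-plus-racoon setup like the one above is that the two spdadd entries are not exact mirror images of each other, or that the tunnel endpoint and selectors disagree with the `remote` block and the isakmpd flow. The script below is an added example, not code from the mail or from racoon or isakmpd: it parses setkey spdadd lines with a small regex, checks that the `in` policy swaps the selector and tunnel endpoints of the `out` policy, that the outbound tunnel destination equals the racoon `remote` address, and that the laptop's selector fits inside the OpenBSD `from ... to ...` flow. The two spdadd lines, the peer address and the flow are copied from the message and embedded as constructed input; all function names are mine.

```python
"""Consistency check for setkey(8) SPD entries against the IKE peer config.

Added example, not code from the original post or from racoon/isakmpd.
Function names are mine; the sample input is copied from the e-mail and
embedded as constructed data so the script runs offline.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# spdadd [-4|-6] src dst upperspec -P dir ipsec proto/mode[/tsrc-tdst]/level ;
SPD_RE = re.compile(
    r"spdadd\s+(?:-[46]\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ul>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+ipsec\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+)|/)?/(?P<level>default|use|require|unique)\s*;"
)


@dataclass(frozen=True)
class SpdPolicy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    tun_src: Optional[str]
    tun_dst: Optional[str]
    level: str


def parse_spdadd(line: str) -> SpdPolicy:
    """Parse one spdadd line; line breaks and extra whitespace inside it are ignored."""
    m = SPD_RE.search(" ".join(line.split()))
    if m is None:
        raise ValueError(f"not a spdadd line: {line!r}")
    g = m.groupdict()
    return SpdPolicy(g["src"], g["dst"], g["ul"], g["dir"], g["proto"],
                     g["mode"], g["tsrc"], g["tdst"], g["level"])


def mirror_problems(out_pol: SpdPolicy, in_pol: SpdPolicy) -> list[str]:
    """List the ways the inbound policy fails to mirror the outbound one.

    The kernel matches SAs to traffic per direction, so any asymmetry here
    means one direction is silently dropped or sent in the clear.
    """
    problems = []
    if (out_pol.direction, in_pol.direction) != ("out", "in"):
        problems.append("directions must be out/in")
    if (in_pol.src, in_pol.dst) != (out_pol.dst, out_pol.src):
        problems.append("selector src/dst not swapped between in and out")
    if in_pol.upper != out_pol.upper:
        problems.append("upper-layer protocol differs")
    if (in_pol.proto, in_pol.mode, in_pol.level) != (out_pol.proto, out_pol.mode, out_pol.level):
        problems.append("ipsec protocol/mode/level differs")
    if out_pol.mode == "tunnel" and (in_pol.tun_src, in_pol.tun_dst) != (out_pol.tun_dst, out_pol.tun_src):
        problems.append("tunnel endpoints not swapped between in and out")
    return problems


def peer_matches(out_pol: SpdPolicy, racoon_remote: str) -> bool:
    """The outbound tunnel destination must be the address of racoon's 'remote' block."""
    return out_pol.tun_dst == racoon_remote


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def flow_covers(isakmpd_from: str, isakmpd_to: str, out_pol: SpdPolicy) -> bool:
    """Check the laptop's outbound selector fits the isakmpd 'from ... to ...' flow.

    On the OpenBSD side 'from' is its local network and 'to' the remote one, so
    the laptop's destination must lie inside 'from' and its source inside 'to'.
    """
    return (_net(out_pol.dst).subnet_of(_net(isakmpd_from))
            and _net(out_pol.src).subnet_of(_net(isakmpd_to)))


# Constructed input: the spdadd lines, peer address and flow from the post.
RACOON_REMOTE = "67.95.107.100"
ISAKMPD_FROM, ISAKMPD_TO = "192.168.10.0/24", "any"
SPD_OUT = "spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec esp/tunnel/192.168.6.1-67.95.107.100/require;"
SPD_IN = "spdadd -4 192.168.10.0/24 192.168.6.1 any -P in ipsec esp/tunnel/67.95.107.100-192.168.6.1/require;"


def check_posted_config() -> list[str]:
    """Run every check over the posted lines; an empty list means they all agree."""
    out_pol, in_pol = parse_spdadd(SPD_OUT), parse_spdadd(SPD_IN)
    findings = mirror_problems(out_pol, in_pol)
    if not peer_matches(out_pol, RACOON_REMOTE):
        findings.append("tunnel endpoint does not match racoon remote address")
    if not flow_covers(ISAKMPD_FROM, ISAKMPD_TO, out_pol):
        findings.append("selector is outside the isakmpd flow")
    return findings


if __name__ == "__main__":
    for line in check_posted_config() or ["SPD entries, racoon remote and isakmpd flow agree"]:
        print(line)
```

For the lines as posted the checks come back clean, which only tells you the SPD is self-consistent; it says nothing about the IKE identities, certificates or proposals, so the next place to look is the racoon and isakmpd debug logs for the phase 1 and phase 2 exchanges. Feeding the script a pair where the inbound tunnel endpoints are in the wrong order, or the flow from the first mail (192.168.1.0/24 to 192.168.6.0/24) instead of the current one, makes it report the mismatch.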