On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
> I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
> 4.0 VPN server running isakmpd. I already have things working with
> Openswan but would like to get it working with racoon for our Mac OS
> clients.
>
> The OpenBSD /etc/ipsec.conf config:
> ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes \
> srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
>
> ...
>
> Am I getting the sainfo section wrong in racoon.conf? With the sainfo
> section, do I still need setkey?
I've made some more changes but still cannot get it working. Looks
like I do need to use setkey. I modified the OpenBSD /etc/ipsec.conf
to:
ike passive esp from 192.168.10.0/24 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]
and racoon.conf:
remote 67.95.107.100 {
        exchange_mode main;
        my_identifier user_fqdn "[EMAIL PROTECTED]";
        peers_identifier fqdn "vpn-server.thewrittenword.com";
        certificate_type x509 "[EMAIL PROTECTED]" "/etc/ipsec.d/private/local.key";
        ca_type x509 "/etc/ipsec.d/cacerts/ca.crt";
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group modp1024;
                authentication_method rsasig;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm aes, 3des, blowfish;
        authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
and /etc/racoon/ipsec.conf:
flush;
spdflush;
spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
        esp/tunnel/192.168.6.1-67.95.107.100/require;
spdadd -4 192.168.10.0/24 192.168.6.1 any -P in ipsec
        esp/tunnel/67.95.107.100-192.168.6.1/require;
Any ideas?
--
albert chin ([EMAIL PROTECTED])
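A small consistency check over the setkey SPD entries and the racoon remote block quoted in the mail (an added example, not part of the post or of racoon itself). It verifies the three things that most often break a setkey + racoon setup: that every outbound policy has a mirrored inbound twin, that the tunnel's remote endpoint actually has a racoon `remote` block to negotiate with, and that policies use the `require` level rather than a weaker one; the config strings are copied from the mail and the function names are mine.

```python
import re

# Constructed copies of the two fragments from the mail above.
SPD_TEXT = """
flush;
spdflush;
spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
        esp/tunnel/192.168.6.1-67.95.107.100/require;
spdadd -4 192.168.10.0/24 192.168.6.1 any -P in ipsec
        esp/tunnel/67.95.107.100-192.168.6.1/require;
"""
RACOON_TEXT = """
remote 67.95.107.100 {
        exchange_mode main;
}
"""

# setkey 'spdadd' syntax as used on the page (continuation line allowed).
SPD_RE = re.compile(
    r"spdadd\s+(?:-4\s+)?(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")


def parse_spd(text):
    """Return one dict per spdadd policy found in a setkey config."""
    return [dict(src=m[0], dst=m[1], proto=m[2], direction=m[3],
                 tun_src=m[4], tun_dst=m[5], level=m[6])
            for m in SPD_RE.findall(text)]


def parse_remotes(text):
    """Return the set of peer addresses that have a racoon 'remote' block."""
    return set(re.findall(r"^\s*remote\s+(\S+)\s*\{", text, re.M))


def check_policies(spd_text, racoon_text):
    """Return a list of problems; an empty list means all checks passed."""
    policies, remotes, problems = parse_spd(spd_text), parse_remotes(racoon_text), []
    ins = [p for p in policies if p["direction"] == "in"]
    for o in (p for p in policies if p["direction"] == "out"):
        # The inbound twin must swap both the selector and the tunnel endpoints.
        if not any(i["src"] == o["dst"] and i["dst"] == o["src"] and
                   i["tun_src"] == o["tun_dst"] and i["tun_dst"] == o["tun_src"]
                   for i in ins):
            problems.append(f"no mirrored 'in' policy for {o['src']} -> {o['dst']}")
        # Without a matching 'remote' (or 'remote anonymous') racoon never starts IKE.
        if o["tun_dst"] not in remotes and "anonymous" not in remotes:
            problems.append(f"tunnel endpoint {o['tun_dst']} has no racoon remote block")
        # 'use' would let traffic pass in cleartext while no SA exists.
        if o["level"] != "require":
            problems.append(f"policy {o['src']} -> {o['dst']} is level '{o['level']}', not 'require'")
    return problems
```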