Hello, everyone ..
Some quick information about the software in use:
Jul 28 15:51:42 fw0 racoon: INFO: @(#)ipsec-tools 0.7
(http://ipsec-tools.sourceforge.net)
Jul 28 15:51:42 fw0 racoon: INFO: @(#)This product linked OpenSSL
0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
I'm having a problem with my IPSec configuration.
On one side, everything works out pretty nice.
On the other side, racoon is making bad noises about not finding a
correct configuration.
"ERROR: couldn't find configuration."
However, if I kill racoon, and run it in the foreground with debug
output on, I get some more information.
2008-07-16 16:06:27: DEBUG: ===
2008-07-16 16:06:27: DEBUG: 100 bytes message received from
81.167.211.58[57413] to 85.200.211.69[500]
2008-07-16 16:06:27: DEBUG:
ba9d946f 3cf4cf90 01100200 0064 0d34
0001 0001 0028 01010001 0020 0101 800b0001 800c04b0
80010005 80030001 80020002 80040002 0014 afcad713 68a1f1c9 6b8696fc
77570100
2008-07-16 16:06:27: DEBUG: no remote configuration found.
2008-07-16 16:06:27: ERROR: couldn't find configuration.
The configuration is pretty straight forward.
# cat racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 81.167.211.58 {
exchange_mode main;
my_identifier address "85.200.211.69";
peers_identifier address 81.167.211.58;
initial_contact on;
support_proxy on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 2400 secs;
}
lifetime time 2400 secs;
}
sainfo address 85.200.211.64/29 any address 192.168.100.0/24 any {
encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
authentication_algorithm hmac_sha1,hmac_md5;
compression_algorithm deflate;
lifetime time 1200 secs;
}
Here is the weird thing; if I change that remote stanza to read
remote anonymous {
blah;
}
then everything works out nice, racoon even tells me it uses the
anonymous stanza for that correct IP.
2008-07-16 16:11:06: DEBUG: anonymous configuration selected for
81.167.211.58.
So, to me this seems really odd, how come racoon isn't picking up that
stanza when configured for that specified IP ?
Using the remote stanza is not what I really want ..
So, does anyone have any ideas on what is going on here ?
Using tcpdump I can see that it is in fact 81.167.211.58 that is coming
through to racoon, on port 500/UDP.
Thanks for a great product, by the way.
-- Torbjørn / Nextline
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"