I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
4.0 VPN server running isakmpd. I already have things working with
Openswan but would like to get it working with racoon for our Mac OS
clients.
The OpenBSD /etc/ipsec.conf config:
ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
My racoon.conf file:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote [vpn server IP] {
    exchange_mode main;
    my_identifier fqdn "[FC5 laptop FQDN]";
    peers_identifier fqdn "[vpn server FQDN]";
    certificate_type x509 "[FC5 laptop FQDN].crt"
                          "/etc/ipsec.d/private/local.key";
    ca_type x509 "/etc/ipsec.d/cacerts/ca.crt";
    verify_identifier on;
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        dh_group modp1024;
        authentication_method rsasig;
    }
}

sainfo address 192.168.6.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
}
Then I start racoon with:
# racoon -4 -F
and initiate the VPN connection on the laptop with:
# racoonctl vpn-connect [vpn server IP]
The phase 1 exchange goes ok but phase 2 does not:
...
2006-11-22 23:24:02: INFO: ISAKMP-SA established 192.168.6.244[4500]-<vpn server ip>[4500] spi:daec8263785958bf:95fea98fde24c61b
Am I getting the sainfo section wrong in racoon.conf? With the sainfo
section, do I still need setkey?
--
albert chin ([EMAIL PROTECTED])
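The post's two configurations describe the same phase 2 (quick mode) SA from opposite ends, and the poster suspects the sainfo side. The script below is an added example, not code from the post or from the racoon or isakmpd projects: it parses the exact ike rule and sainfo block quoted above (copied into constructed string constants, with placeholder identities) and reports whether the selectors mirror each other and whether the offered transforms overlap. The mini-parsers understand only the syntax shown here, and the table translating racoon algorithm names to ipsec.conf names is the example's own assumption.

```python
"""Check that a racoon.conf sainfo block and an OpenBSD ipsec.conf ike rule
can agree on a phase 2 SA: mirrored selectors and at least one common
encryption and authentication transform.

Added example; the parsers cover only the syntax quoted in the post.
"""
import re

# Constructed from the post: the OpenBSD side, continuation lines joined.
# The FQDNs are placeholders standing in for the redacted identities.
IPSEC_CONF_IKE = (
    "ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 "
    "main auth hmac-sha1 enc aes group modp1024 "
    "quick auth hmac-sha1 enc aes "
    "srcid vpn.example.invalid dstid laptop.example.invalid"
)

# Constructed from the post: the racoon side.
RACOON_SAINFO = """
sainfo address 192.168.6.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm aes, 3des, blowfish;
    authentication_algorithm hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
}
"""

# Assumed mapping from racoon.conf names to ipsec.conf names (not taken
# from either project's documentation; extend it for your own configs).
RACOON_TO_OPENBSD = {
    "aes": "aes", "3des": "3des", "blowfish": "blowfish",
    "hmac_sha1": "hmac-sha1", "hmac_sha256": "hmac-sha2-256",
    "hmac_md5": "hmac-md5",
}


def parse_ike_rule(line):
    """Selectors and quick-mode transforms from a single-line ike rule."""
    sel = re.search(r"from (\S+) to (\S+)", line)
    quick = re.search(r"quick auth (\S+) enc (\S+)", line)
    if not (sel and quick):
        raise ValueError("unsupported ike rule syntax")
    return {"from": sel.group(1), "to": sel.group(2),
            "auth": {quick.group(1)}, "enc": {quick.group(2)}}


def parse_sainfo(text):
    """Selectors and offered transforms from a 'sainfo address ...' block."""
    sel = re.search(r"sainfo address (\S+) \S+ address (\S+) \S+", text)
    if not sel:
        raise ValueError("unsupported sainfo syntax")

    def algs(key):
        hit = re.search(key + r"\s+([^;]+);", text)
        return {a.strip() for a in hit.group(1).split(",")} if hit else set()

    return {
        "local": sel.group(1), "remote": sel.group(2),
        "enc": {RACOON_TO_OPENBSD.get(a, a) for a in algs("encryption_algorithm")},
        "auth": {RACOON_TO_OPENBSD.get(a, a) for a in algs("authentication_algorithm")},
        "comp": algs("compression_algorithm"),
    }


def check_phase2(ike_line, sainfo_text):
    """Return a list of findings; an empty list means nothing here blocks phase 2."""
    ike = parse_ike_rule(ike_line)
    sa = parse_sainfo(sainfo_text)
    findings = []
    # racoon's local network must be the OpenBSD rule's 'to' network and vice versa
    if (sa["local"], sa["remote"]) != (ike["to"], ike["from"]):
        findings.append("selector mismatch: sainfo %s/%s vs ike from %s to %s"
                        % (sa["local"], sa["remote"], ike["from"], ike["to"]))
    if not sa["enc"] & ike["enc"]:
        findings.append("no common encryption transform: racoon %s vs ike %s"
                        % (sorted(sa["enc"]), sorted(ike["enc"])))
    if not sa["auth"] & ike["auth"]:
        findings.append("no common authentication transform: racoon %s vs ike %s"
                        % (sorted(sa["auth"]), sorted(ike["auth"])))
    if sa["comp"]:
        # the ike rule says nothing about IPComp; flag it so the operator checks
        # how the passive side treats the extra proposal
        findings.append("racoon also offers IPComp %s, absent from the ike rule"
                        % sorted(sa["comp"]))
    return findings


if __name__ == "__main__":
    for f in check_phase2(IPSEC_CONF_IKE, RACOON_SAINFO) or ["phase 2 parameters overlap"]:
        print(f)
```

Run against the two fragments from the post, the selectors mirror and both sides share aes with hmac-sha1; the only item the checker flags is the deflate compression offer, which has no counterpart in the ike rule. Swapping the rule's quick transforms for ones racoon does not offer makes the mismatch visible the same way.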