On Fri, Nov 24, 2006 at 12:38:46AM -0600, Albert Chin wrote:
> On Thu, Nov 23, 2006 at 08:21:33AM -0600, Albert Chin wrote:
> > I'm trying to connect an FC5 laptop behind a firewall to an OpenBSD
> > 4.0 VPN server running isakmpd. I already have things working with
> > Openswan but would like to get it working with racoon for our Mac OS
> > clients.
> > 
> > The OpenBSD /etc/ipsec.conf config:
> >   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
> >     main auth hmac-sha1 enc aes group modp1024 \
> >     quick auth hmac-sha1 enc aes \
> >     srcid [vpn server FQDN] dstid [FC5 laptop FQDN]
> > 
> > ...
> > 
> > Am I getting the sainfo section wrong in racoon.conf? With the sainfo
> > section, do I still need setkey?
> 
> I've made some more changes but still cannot get it working. Looks
> like I do need to use setkey. I modified the OpenBSD /etc/ipsec.conf
> to:
>   ike passive esp from 192.168.10.0/24 to any \
>     main auth hmac-sha1 enc aes group modp1024 \
>     quick auth hmac-sha1 enc aes \
>     srcid vpn-server.thewrittenword.com dstid [EMAIL PROTECTED]
> 
> and racoon.conf:
>   remote 67.95.107.100 {
>     exchange_mode main;
>     my_identifier user_fqdn "[EMAIL PROTECTED]";
>     peers_identifier fqdn "vpn-server.thewrittenword.com";
>     certificate_type x509 "[EMAIL PROTECTED]" "/etc/ipsec.d/private/local.key";
>     ca_type x509 "/etc/ipsec.d/cacerts/ca.crt";
> 
>     nat_traversal on;
> 
>     proposal {
>       encryption_algorithm aes;
>       hash_algorithm sha1;
>       dh_group modp1024;
>       authentication_method rsasig;
>     }
>   }
> 
>   sainfo anonymous {
>     pfs_group 2;
>     encryption_algorithm aes, 3des, blowfish;
>     authentication_algorithm hmac_sha256, hmac_sha1, hmac_md5;
>     compression_algorithm deflate;
>   }
> 
> and /etc/racoon/ipsec.conf:
>   flush;
>   spdflush;
> 
>   spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
>     esp/tunnel/192.168.6.1-67.95.107.100/require;
>   spdadd -4 192.168.10.0/24 192.168.6.1 any -P  in ipsec
>     esp/tunnel/67.95.107.100-192.168.6.1/require;

Ok, this actually does work. On Linux, the SAs don't get authenticated
until after you issue a network connection to the remote end. Ugh! So,
with the above, "ping 192.168.10.13" x2 gets past Phase 2.

-- 
albert chin ([EMAIL PROTECTED])

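The thread's conclusion is that on Linux the tunnel is only negotiated once outbound traffic matches a setkey SPD entry, so a policy pair that is not an exact mirror (or whose tunnel endpoint does not correspond to a racoon `remote` block) fails silently: nothing ever triggers IKE. The following is an added example, not code from the thread or from the racoon or OpenBSD projects. It parses the `spdadd` lines posted above (embedded here as constructed sample input, together with a constructed `BROKEN_SPD` where the inbound policy's tunnel endpoints were not swapped), checks that every `out` policy has a mirrored `in` policy, and lists the remote gateways the SPD refers to so they can be compared with the `remote` addresses in racoon.conf. The function names and the two-line `spdadd` layout it accepts are assumptions of this example.

```python
"""Consistency checks for setkey SPD policies used with racoon (added example)."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the /etc/racoon/ipsec.conf (setkey) lines from the thread.
SAMPLE_SPD = """
flush;
spdflush;

spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
  esp/tunnel/192.168.6.1-67.95.107.100/require;
spdadd -4 192.168.10.0/24 192.168.6.1 any -P  in ipsec
  esp/tunnel/67.95.107.100-192.168.6.1/require;
"""

# Constructed broken sample: the 'in' policy copies the 'out' tunnel endpoints
# instead of swapping them, so the pair is not a mirror and IKE never starts.
BROKEN_SPD = """
spdadd -4 192.168.6.1 192.168.10.0/24 any -P out ipsec
  esp/tunnel/192.168.6.1-67.95.107.100/require;
spdadd -4 192.168.10.0/24 192.168.6.1 any -P in ipsec
  esp/tunnel/192.168.6.1-67.95.107.100/require;
"""

# Constructed sample: only the 'remote' header of the racoon.conf in the thread.
SAMPLE_RACOON = "remote 67.95.107.100 {\n  exchange_mode main;\n}\n"

# One spdadd statement with an esp/ah/ipcomp policy in tunnel or transport mode.
POLICY_RE = re.compile(
    r"spdadd\s+(?:-[46]\s+)?(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?P<ipsecproto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)"
    r"(?:/(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+)|/)/(?P<level>\w+)"
)


def parse_spd(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per spdadd statement; flush/spdflush lines are skipped."""
    policies = []
    # Collapse the two-line layout into single ';'-terminated statements.
    for stmt in " ".join(text.split()).split(";"):
        stmt = stmt.strip()
        if not stmt.startswith("spdadd"):
            continue
        m = POLICY_RE.match(stmt)
        if not m:
            raise ValueError(f"unrecognised policy: {stmt!r}")
        policies.append(m.groupdict())
    return policies


def _key(p: Dict[str, Optional[str]]):
    return (p["src"], p["dst"], p["proto"], p["ipsecproto"], p["mode"],
            p["tsrc"], p["tdst"], p["level"])


def _mirror_key(p: Dict[str, Optional[str]]):
    # The mirror of a policy swaps selector src/dst and tunnel endpoints.
    return (p["dst"], p["src"], p["proto"], p["ipsecproto"], p["mode"],
            p["tdst"], p["tsrc"], p["level"])


def find_unmatched_policies(text: str) -> List[str]:
    """Describe every policy whose exact mirror in the opposite direction is missing."""
    policies = parse_spd(text)
    ins = {_key(p) for p in policies if p["dir"] == "in"}
    outs = {_key(p) for p in policies if p["dir"] == "out"}
    problems = []
    for p in policies:
        opposite = "in" if p["dir"] == "out" else "out"
        if _mirror_key(p) not in (ins if p["dir"] == "out" else outs):
            problems.append(f"{p['dir']} policy {p['src']} -> {p['dst']} "
                            f"has no mirrored {opposite} policy")
    return problems


def remote_gateways(text: str) -> Set[str]:
    """Remote tunnel endpoints the SPD refers to (peer side of each tunnel)."""
    gws = set()
    for p in parse_spd(text):
        if p["mode"] == "tunnel":
            gws.add(p["tdst"] if p["dir"] == "out" else p["tsrc"])
    return gws


def racoon_remotes(racoon_text: str) -> Set[str]:
    """Addresses (or 'anonymous') named by 'remote <addr> {' blocks in racoon.conf."""
    return set(re.findall(r"^\s*remote\s+(\S+)\s*\{", racoon_text, re.MULTILINE))


def missing_remote_blocks(spd_text: str, racoon_text: str) -> Set[str]:
    """Gateways in the SPD that racoon.conf has no matching remote block for."""
    remotes = racoon_remotes(racoon_text)
    if "anonymous" in remotes:
        return set()
    return remote_gateways(spd_text) - remotes


if __name__ == "__main__":
    for name, spd in (("thread", SAMPLE_SPD), ("broken", BROKEN_SPD)):
        print(name, find_unmatched_policies(spd) or "policies are mirrored")
    print("gateways without a remote block:",
          missing_remote_blocks(SAMPLE_SPD, SAMPLE_RACOON) or "none")
```

Run it against your own setkey and racoon files before issuing the first ping: a non-empty result from `find_unmatched_policies` or `missing_remote_blocks` explains a tunnel that never negotiates without having to read racoon's debug log.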