On 2007/06/11 18:18, Christopher Vance wrote:

> Before I struggle too much longer trying to configure racoon to do the
> right thing, or give in to using a package not in the OpenBSD base
> system, is there someone out there actually running IPSEC with MacOSX
> on one end and OpenBSD on the other, using racoon to do it? I'd
> really appreciate it if you could share working config.
Not with racoon myself, but it's probably more generally useful to know how to work out what's going wrong.

Sometimes tcpdump gives enough clues to work things out, and is quite easy to read, so I usually try that first. If there's a problem with phase 1, run it on the physical interface:

    # tcpdump -ni<phys_iface> -vvs1500

For phase 2, get isakmpd to log plaintext packets and try to bring up the connection, then read that file:

    # echo p on > /var/run/isakmpd.fifo
    # tcpdump -nr /var/run/isakmpd.pcap -vvs1500

If that doesn't help, turn up isakmpd logging, e.g. 'echo D A 70 > /var/run/isakmpd.fifo'. This usually gives a more explicit reason for the failure (by default in /var/log/daemon) but can be harder to read.

> Failing the above, if you've chosen between openvpn, poptop, or other
> non-base packages, which worked out best for you?

I'd keep at it with ipsec a bit longer, it's probably something relatively straightforward. It sounds like you've got the basics with ipsec, it sucks less than the third-party software for most uses, and it definitely sucks less than providing the same service using in-tree software for some users and third-party code for others...
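Once the debug level has been raised as described above, /var/log/daemon fills with isakmpd lines mixed in with everything else. The script below is an added example, not code from the thread: it pulls the isakmpd entries out of a syslog-format file, optionally only those at or after the time you tried to bring the tunnel up, and ranks the distinct messages by frequency so a repeated failure reason stands out. The log excerpt is constructed and its message texts are placeholders, not real isakmpd output.

```shell
#!/bin/sh
# Added example: summarise isakmpd entries from a syslog-format daemon log.
# The sample log written by sample_log is constructed; the isakmpd message
# texts are placeholders and do not reproduce real isakmpd wording.

sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 11 18:20:01 gw isakmpd[123]: placeholder: phase 1 message A
Jun 11 18:20:01 gw sshd[99]: unrelated daemon line
Jun 11 18:20:02 gw isakmpd[123]: placeholder: phase 1 message A
Jun 11 18:20:02 gw isakmpd[123]: placeholder: phase 2 message B
Jun 11 18:20:03 gw isakmpd[123]: placeholder: phase 1 message A
EOF
    echo "$f"
}

# isakmpd_messages LOGFILE [HH:MM:SS]
# Prints "count<TAB>message" for each distinct isakmpd message whose
# timestamp is at or after the optional start time, most frequent first.
# Syslog fields: month day time host tag[pid]: message...
isakmpd_messages() {
    awk -v start="${2:-00:00:00}" '
        $3 >= start && $5 ~ /^isakmpd\[[0-9]+\]:$/ {
            msg = ""
            for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
            print msg
        }' "$1" \
    | sort | uniq -c | sort -rn \
    | awk '{ c = $1; $1 = ""; sub(/^ /, ""); printf "%s\t%s\n", c, $0 }'
}

# Stand-alone run against the constructed sample; on a real gateway call
# isakmpd_messages /var/log/daemon 18:20:00 (or whenever you ran ipsecctl).
isakmpd_messages "$(sample_log)"
```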