[Openswan Users] Racoon + FC3 tunneling problem
Paul Wouters
paul at xelerance.com
Sat Jan 22 15:48:24 CET 2005
On Sat, 22 Jan 2005, DurgaPrasad Adusumalli wrote:
> I have inserted the required modules and set ip forwarding.
> My ipsec.conf file(on right gateway) is as follows
>
> spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
That is not a real 'ipsec.conf' from openswan, but a script to
manually set up kernel internals for NETKEY.
> exchange_mode aggressive;
If you do linux - linux, you should not use aggressive mode.
You should also not be using pre shared secrets, because you will
never change those again on a regular basis. You should use IKE and
use rsa keys (either raw, from dns or from X.509 certs).
> Jan 22 17:16:54 test racoon: INFO: unsupported PF_KEY message REGISTER
> Jan 22 17:16:54 test racoon: NOTIFY: no in-bound policy found:
> 172.16.1.2/32[0] 172.16.1.1/32[0] proto=any dir=in
[etc]
I have no idea how to fix this setkey-racoon interop issue. I find
the process of injecting kernel internals into the kernel by a sysadmin
just the Wrong Approach[tm]. A sysadmin should not need to know what an
spi or spd is. He just wants a VPN tunnel from host A to host B.
In openswan, your config would simply be:
conn yourtunnel
	left=172.16.1.2
	leftsubnet=10.0.2.0/24
	leftrsasigkey=........
	right=172.16.1.1
	rightsubnet=10.0.1.0/24
	rightrsasigkey=........
	auto=start
And Openswan will handle IKE and kernel configuration for you.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
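Added example (not from the post or from openswan): a small audit of openswan-style ipsec.conf conn sections that flags the two settings Paul warns against, pre-shared secrets and aggressive mode, next to the rsasigkey form he recommends. It assumes the `authby=` and `aggrmode=` parameter names and uses a constructed sample config with placeholder key values.

```python
# Audit openswan-style ipsec.conf conn sections for the weaknesses named above
# (aggressive mode, pre-shared secrets). Constructed example, not openswan's own
# code; assumes the authby= and aggrmode= parameters.
# Constructed sample: the weak form beside the corrected form.
SAMPLE_CONF = """\
conn weaktunnel
    left=172.16.1.2
    leftsubnet=10.0.2.0/24
    right=172.16.1.1
    rightsubnet=10.0.1.0/24
    authby=secret      # pre-shared secret
    aggrmode=yes       # aggressive mode
    auto=start

conn yourtunnel
    left=172.16.1.2
    leftsubnet=10.0.2.0/24
    leftrsasigkey=0sPLACEHOLDER-LEFT-KEY
    right=172.16.1.1
    rightsubnet=10.0.1.0/24
    rightrsasigkey=0sPLACEHOLDER-RIGHT-KEY
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # 'conn NAME' header in column 0
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if len(parts) == 2 and parts[0] == "conn" else None
        elif current is not None and "=" in line: # indented param=value
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
    return conns

def audit_conn(params):
    """List weak settings in one conn (openswan defaults to authby=rsasig)."""
    findings = []
    authby = params.get("authby", "rsasig").lower()
    if authby == "secret":
        findings.append("authby=secret: pre-shared secret; switch to rsasig")
    if params.get("aggrmode", "no").lower() == "yes":
        findings.append("aggrmode=yes: aggressive mode; use main mode")
    if authby == "rsasig" and not (params.get("leftrsasigkey") and params.get("rightrsasigkey")):
        findings.append("rsasig without both left/rightrsasigkey")
    return findings
```

Run `audit_conn` over each section returned by `parse_conns` on a real ipsec.conf; an empty list means the conn has none of the flagged settings.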