[Openswan Users] Racoon + FC3 tunneling problem
paul at xelerance.com
Sat Jan 22 15:48:24 CET 2005
On Sat, 22 Jan 2005, DurgaPrasad Adusumalli wrote:
> I have inserted the required modules and set ip forwarding.
> My ipsec.conf file(on right gateway) is as follows
> spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec
That is not a real 'ipsec.conf' from openswan, but a script to
manually set up kernel internals for NETKEY.
> exchange_mode aggressive;
If you do Linux-to-Linux, you should not use aggressive mode.
You should also not be using pre-shared secrets, because you will
never change those again on a regular basis. You should use IKE and
use RSA keys (either raw, from DNS or from X.509 certs).
> Jan 22 17:16:54 test racoon: INFO: unsupported PF_KEY message REGISTER
> Jan 22 17:16:54 test racoon: NOTIFY: no in-bound policy found:
> 172.16.1.2/32 172.16.1.1/32 proto=any dir=in
I have no idea how to fix this setkey-racoon interop issue. I find
the process of injecting kernel internals into the kernel by a sysadmin
just the Wrong Approach[tm]. A sysadmin should not need to know what an
SPI or SPD is. He just wants a VPN tunnel from host A to host B.
In openswan, your config would simply be:
And Openswan will handle IKE and kernel configuration for you.
"At best it is a theory, at worst a fantasy" -- Michael Crichton
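The Openswan conn the reply refers to is not present on the page. As an added illustration (not Paul's own text or an Openswan project file), the following ipsec.conf expresses the same subnet-to-subnet tunnel in Openswan 2.x syntax, using raw RSA keys and main mode as the reply recommends. The subnets are the ones from the quoted setkey policy; the gateway addresses 172.16.1.1 and 172.16.1.2 are taken from the quoted racoon log, and which one is "left" is an assumption. The key values are placeholders.

```conf
# /etc/ipsec.conf for Openswan 2.x (added example, not from the original post)
# Assumption: 172.16.1.1 is the gateway in front of 10.0.2.0/24 and
# 172.16.1.2 is the gateway in front of 10.0.1.0/24.
version 2.0

config setup
        plutodebug=none

conn net2net
        # this gateway and the network behind it
        left=172.16.1.1
        leftsubnet=10.0.2.0/24
        # placeholder: paste the line printed by 'ipsec showhostkey --left' on 172.16.1.1
        leftrsasigkey=0sAQ...
        # the peer gateway and the network behind it
        right=172.16.1.2
        rightsubnet=10.0.1.0/24
        # placeholder: paste the line printed by 'ipsec showhostkey --right' on 172.16.1.2
        rightrsasigkey=0sAQ...
        # raw RSA signatures instead of a pre-shared secret;
        # no aggrmode setting, so IKE main mode is used
        authby=rsasig
        auto=start
```

The same conn block can be installed on both gateways; Openswan works out from its own interface addresses which side it is. Each gateway's RSA key pair comes from `ipsec newhostkey --output /etc/ipsec.secrets`, and the public halves are exchanged with `ipsec showhostkey --left` / `--right`. After `ipsec auto --add net2net` and `ipsec auto --up net2net`, `ipsec auto --status` shows the IPsec SA established, and Openswan, not setkey, installs the SPD and SAD entries in the kernel.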