[Openswan Users] Racoon + FC3 tunneling problem

Paul Wouters paul at xelerance.com
Sat Jan 22 15:48:24 CET 2005

On Sat, 22 Jan 2005, DurgaPrasad Adusumalli wrote:

> I have inserted the required modules and set ip forwarding.
> My ipsec.conf file(on right gateway) is as follows
> spdadd any -P out ipsec

That is not a real 'ipsec.conf' from openswan, but a script to
manually set up kernel internals for NETKEY.

>        exchange_mode aggressive;

If you do linux - linux, you should not use aggressive mode.
You should also not be using pre-shared secrets, because you will
never change those again on a regular basis. You should use IKE and
use RSA keys (either raw, from DNS or from X.509 certs).

> Jan 22 17:16:54 test racoon: INFO: unsupported PF_KEY message REGISTER
> Jan 22 17:16:54 test racoon: NOTIFY: no in-bound policy found:
> [0][0] proto=any dir=in


I have no idea how to fix this setkey-racoon interop issue. I find
the process of injecting kernel internals into the kernel by a sysadmin
just the Wrong Approach[tm]. A sysadmin should not need to know what an
spi or spd is. He just wants a VPN tunnel from host A to host B.

In openswan, your config would simply be:

conn yourtunnel

And Openswan will handle IKE and kernel configuration for you.


"At best it is a theory, at worst a fantasy" -- Michael Crichton
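For contrast with the setkey/racoon script quoted above, this is what the "conn yourtunnel" the reply refers to looks like when written out with RSA keys and main mode in openswan's ipsec.conf. It is an added example, not part of the original message or of the Openswan project's documentation; the addresses, subnets, IDs and the 0sAQ... key strings are placeholders (each gateway's real line is what `ipsec showhostkey --left` / `--right` prints after `ipsec newhostkey`).

```ini
; /etc/ipsec.conf on either gateway (added example; values are placeholders)
config setup
    ; nothing kernel-specific here: openswan installs the SAs and SPD
    ; entries itself once IKE succeeds, so no spdadd/setkey is needed

conn yourtunnel
    ; gateway A and the subnet behind it
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gw-a.example.com
    leftrsasigkey=0sAQ...PLACEHOLDER-KEY-OF-GW-A...
    ; gateway B and the subnet behind it
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gw-b.example.com
    rightrsasigkey=0sAQ...PLACEHOLDER-KEY-OF-GW-B...
    ; raw RSA signatures instead of a pre-shared secret
    authby=rsasig
    ; IKE main mode; aggressive mode stays off (this is also the default)
    aggrmode=no
    ; bring the tunnel up when the ipsec service starts
    auto=start
```

The same file works unchanged on both gateways because openswan resolves which side is "left" from the local addresses; the only per-host secret is the private key that `ipsec newhostkey` writes to /etc/ipsec.secrets.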
