Old 11-20-2011, 03:06 PM
Mick
 
Default Can't get racoon IPSec going on the client machine

Hi All,

I have been trying for some time now to set up a road warrior VPN client so
that I can connect to my home router and administer machines on the LAN.

However, my understanding of IPSec is poor and consequently my configuration of
racoon is not working. There are other apps out there like strongswan, but
would really like to learn to do it using the vanilla racoon and kernel set up
first rather than apply another layer of software to it.

Could some kind soul give me a nudge in troubleshooting this?


On the home router I have:

public IP: 123.456.78.9
LAN: 10.10.10.0/24
router LAN IP: 10.10.10.1
respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2

crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel


On the laptop, I have this in the racoon.conf:
===========================
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
        # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
#       both hooks must name the same script file
#       script "/etc/racoon/phase1_up_down.sh" phase1_up;
#       script "/etc/racoon/phase1_up_down.sh" phase1_down;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
===========================


I connect to the Internet using my mobile and I get this from the ISP:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG        0 0          0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0

Where 193.30.166.3 is the ISP's gateway. The ppp0 ip address is
10.149.124.40:

# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)


Now the problem is that upon starting racoon I do not see a tunnel being
formed and indeed I cannot connect to machines in the LAN. This from the log:

==========================================
Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 20 13:40:59 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port (fd=9)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port (fd=10)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
==========================================

Why is it not showing the public router address 123.456.78.9 or the router LAN
address and shows the loopback instead?

I tried including this up/down script but it made no odds:
==================================
#!/bin/bash

#
# manipulate IPSec SA database on behalf of the racoon daemon
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007
#

#FIXME: read this from, e.g., /etc/sysconfig/racoon
NAT_T="yes"


shopt -s nocasematch
umask 0022

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# set up NAT-T: with UDP encapsulation the tunnel endpoints carry the port
case "${NAT_T}" in
  yes|true|on|enable*|1)
    LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
    REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
    ;;
  *)
    LOCAL="${LOCAL_ADDR}"
    REMOTE="${REMOTE_ADDR}"
    ;;
esac

# determine interface and next-hop for our default route
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}


# bring up phase1
phase1_up() {
  # check if VPN address already set up on default interface (dupe script call)
  ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
    echo "p1_up_down: phase1_up has already run !!!"
    exit 4
  }

  # save current resolv.conf and create new one based on info from VPN server
  [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
  {
    echo "# Generated by racoon on $(date)"
    echo "search ${DEFAULT_DOMAIN}"
    for NS in ${INTERNAL_DNS4_LIST}; do
      echo "nameserver ${NS}"
    done
  } > /etc/resolv.conf

  # add VPN address to default interface
  ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
  # set up host route to VPN server
  ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: keep existing default, insert specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
    done
  else
    # full tunnel: set up any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
    done
    # ... then replace default route with vpn tunnel
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
  fi

  # update SA database
  setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
       esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
       esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
}

# bring down phase1
phase1_down() {
  # restore previous resolv.conf
  [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: remove specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route del ${N}
    done
  else
    # full tunnel: remove any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route del ${N}
    done
    # ... then restore original default route
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF}
  fi

  # remove host route to VPN server
  ip route del ${REMOTE_ADDR}
  # remove VPN address from default interface
  ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32

  # clean up SA database
  setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
          esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
          esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
# deleteall still broken on Linux, using 'flush esp' as workaround:
flush esp;
EOT
}


# print out parameters we received (exported by racoon into the hook's environment)
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"

# check for valid VPN address
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid INTERNAL_ADDR4."
  exit 1
}

# check for valid default nexthop
echo ${DFLT_GW} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid DFLT_GW."
  exit 2
}

# main "program"
case "$1" in
  phase1_up)
    phase1_up
    ;;
  phase1_down)
    phase1_down
    ;;
  *)
    echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
    exit 3
    ;;
esac

echo "p1_up_down: $1 completed successfully."
exit 0
==================================

I've experimented with NAT on/off, etc, in racoon.conf but no joy.

Where should I start?
--
Regards,
Mick
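To see what the phase1_up hook above would actually install, here is an added dry-run (example code, not the script from the post and not part of racoon): it reuses the script's own derivation of the default gateway and of the two setkey SPD entries, run against a constructed copy of the ppp0 routing table, and swaps the script's `grep '[0-9]'` address test for a real IPv4 check. The internal address 10.10.10.200 is an assumed mode_cfg value; the variable names are the ones racoon exports to the hook, as listed in the script.

```shell
#!/bin/sh
# Dry-run of the policy derivation in phase1_up_down.sh (added example, not
# the script from the post). Nothing here touches routes, addresses or the SPD.

# Same awk as the script: turn "ip route list" output (stdin) into "GW;IFACE".
parse_default_route() {
  awk '($1 == "default"){print $3 ";" $5}'
}

# Build the two spdadd lines phase1_up feeds to setkey.
# Args: NAT_T INTERNAL_ADDR4 LOCAL_ADDR LOCAL_PORT REMOTE_ADDR REMOTE_PORT
build_spd() {
  local internal="$2" lep="$3" rep="$5"
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    yes|true|on|enable*|1)
      # with NAT-T the tunnel endpoints carry the UDP encapsulation ports
      lep="$3[$4]"; rep="$5[$6]" ;;
  esac
  printf 'spdadd %s/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' \
    "$internal" "$lep" "$rep"
  printf 'spdadd 0.0.0.0/0[any] %s[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' \
    "$internal" "$rep" "$lep"
}

# Stricter than the script's grep '[0-9]': exactly four octets, each 0..255.
is_ipv4() {
  local addr="$1" n count=0
  case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
  while [ -n "$addr" ]; do
    n=${addr%%.*}
    case "$n" in *[!0-9]*) return 1 ;; esac
    [ "$n" -le 255 ] || return 1
    count=$((count + 1))
    [ "$addr" = "$n" ] && break
    addr=${addr#*.}
  done
  [ "$count" -eq 4 ]
}

# Constructed input modelled on the routing table in the post.
SAMPLE_ROUTES='default via 193.30.166.3 dev ppp0
193.30.166.3 dev ppp0 proto kernel scope link src 10.149.124.40'

# Arg: INTERNAL_ADDR4 as racoon would export it after mode_cfg (assumed value).
# 123.456.78.9 is the router placeholder used in the post.
dry_run() {
  local rt gw ifc internal="$1"
  is_ipv4 "$internal" || { echo "invalid INTERNAL_ADDR4: $internal"; return 1; }
  rt=$(printf '%s\n' "$SAMPLE_ROUTES" | parse_default_route)
  gw=${rt%;*}; ifc=${rt#*;}
  echo "would run: ip addr add dev $ifc $internal/32"
  echo "would run: ip route add 123.456.78.9 via $gw dev $ifc"
  echo "would feed to setkey -c:"
  build_spd yes "$internal" 10.149.124.40 4500 123.456.78.9 4500
}

dry_run 10.10.10.200
```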
 
Old 11-21-2011, 11:24 AM
Mick
 
Default Can't get racoon IPSec going on the client machine

On 20 November 2011 16:06, Mick <michaelkintzios@gmail.com> wrote:

I tried connecting from another location.

Adding these lines in /etc/ipsec.conf seems to set up the correct
associations, but the routing table still does not show anything
related to the VPN server or LAN.
==================================
#!/usr/sbin/setkey -f

# Flush SAD and SPD
flush;
spdflush;

# SP for racoon
spdadd 0.0.0.0 123.456.78.9 any -P out ipsec
       esp/tunnel/0.0.0.0-123.456.78.9/require;

spdadd 123.456.78.9 0.0.0.0 any -P in ipsec
       esp/tunnel/123.456.78.9-0.0.0.0/require;
==================================
--
Regards,
Mick
 
