Home / Browse / IPsec Tools / Mail / Archive

IPsec Tools

Email Archive: ipsec-tools-users (read-only)

2005:	_Jan	_Feb	_Mar	_Apr	_May (16)	_Jun (25)	_Jul (22)	_Aug (15)	_Sep (21)	_Oct (24)	_Nov (24)	_Dec (41)
2006:	_Jan (23)	_Feb (39)	_Mar (22)	_Apr (11)	_May (23)	_Jun (17)	_Jul (12)	_Aug (11)	_Sep (27)	_Oct (30)	_Nov (17)	_Dec (16)
2007:	_Jan (10)	_Feb (38)	_Mar (15)	_Apr (32)	_May (29)	_Jun (15)	_Jul (21)	_Aug (32)	_Sep (17)	_Oct (21)	_Nov (12)	_Dec (10)
2008:	_Jan (7)	_Feb (22)	_Mar (40)	_Apr (26)	_May (18)	_Jun (25)	_Jul (35)	_Aug (21)	_Sep (25)	_Oct (66)	_Nov (40)	_Dec (77)
2009:	_Jan (52)	_Feb (29)	_Mar (71)	_Apr (77)	_May (146)	_Jun (94)	_Jul (65)	_Aug (37)	_Sep (29)	_Oct (38)	_Nov (21)	_Dec (21)
2010:	_Jan (9)	_Feb (14)	_Mar (30)	_Apr (55)	_May (68)	_Jun (67)	_Jul (54)	_Aug (50)	_Sep (28)	_Oct (5)	_Nov	_Dec (5)
2011:	_Jan (5)	_Feb (4)	_Mar (8)	_Apr (3)	_May (10)	_Jun (5)	_Jul (6)	_Aug (17)	_Sep (12)	_Oct (9)	_Nov (4)	_Dec (12)
2012:	_Jan (22)	_Feb (20)	_Mar (16)	_Apr (17)	_May (1)	_Jun (7)	_Jul (10)	_Aug (10)	_Sep	_Oct (5)	_Nov (5)	_Dec (4)
2013:	_Jan (3)	_Feb (1)	_Mar (21)	_Apr (5)	_May (5)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
						1

2	3	4	5	6	7	8

9	10	11	12	13	14	15
			(1)
16	17	18	19	20	21	22
		(6)		(1)
23	24	25	26	27	28	29
		(1)	(1)		(1)
30

[Ipsec-tools-users] unanimity

From: Hugh Stone <bojcx@ca...> - 2006-04-28 05:31

Attachments: Message as HTML Message as HTML

[Ipsec-tools-users] split_network

From: PREVOSTO, Laurent <Laurent.PREVOSTO@ne...> - 2006-04-26 14:58

Attachments: Message as HTML

Hi,

i am connecting to racoon (hybrid mode) using a Cisco VPN client.
It works fine but i would like to setup split tunneling.

It looks like the split tunneling code exists in the racoon CVS tree =
(split_network clause) but it is not present in the current release =
branch.
Is there an alternate tarball or a patch to apply in order to be able to =
use split_network ?

Regards

Laurent

[Ipsec-tools-users] Weird CISCO - Linux

From: Adrian Vasile <yoyo@vo...> - 2006-04-25 08:38

Hi list,

I have configured a tunnel between my border (a SUSE 9.1 machine :( )
and a CISCO ASXXXX, no problems, I actually found racoon to be very
flexible, and I'm very pleased with it.

The tunnel works ok, but after a period of inactivity it dies with:
2006-04-21 13:04:07: INFO: purged IPsec-SA proto_id=ESP spi=1843005719.
2006-04-21 13:04:07: DEBUG: purged SAs.
2006-04-21 13:04:07: DEBUG: get pfkey DELETE message
2006-04-21 13:04:07: DEBUG: DELETE message is not interesting because
the message was originated by me.
2006-04-21 13:15:37: DEBUG: get pfkey EXPIRE message
2006-04-21 13:15:37: INFO: IPsec-SA expired: ESP/Tunnel <remote
cisco>-><my border> spi=246760999(0xeb54627)
2006-04-21 13:15:37: DEBUG: no such a SA found: ESP/Tunnel <remote
cisco>-><my border> spi=246760999(0xeb54627)

I might have mised something in my conf, or maybe a timer problem, i
don't really understand.
Here is the conf :

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen
{
        isakmp <my border> [500];
}

timer
{
    # These value can be changed per remote node.
    counter 3;        # maximum trying count to send.
    interval 30 sec;    # maximum interval to resend.
    persend 1;        # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 90 sec;
    phase2 90 sec;

}

sainfo address <my host>/32 any address <remote host>/32 any
{
        pfs_group modp1536;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

remote <remote cisco>
{
        exchange_mode main;
        my_identifier address <my border>;
        lifetime time 1 hour;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1536;
        }

        proposal_check obey;
}


TIA,
-- 
Adrian Vasile <yoyo@...>

[Ipsec-tools-users] cisco to ipsec vpn problem compression algorithm

From: Dennis Matotek <tu2bgone@gm...> - 2006-04-20 08:11

Hi List,

I am running the current version of ipsec-tools-0.6.5-1mdk.  The
client is running Cisco PIX 6.0.3.  I can get IPSEC SA established but
he is getting malformed phase2 errors at his end when I send pings
down the tunnel.  This is probably due to the compression algorithm
since his software doesn't support it.  However I can't turn it off in
racoon without racoon having a parse error and refusing to start.

What are my options?  This is the first VPN I have tried to establish
outside linux to linux and I don't have control at the other end.

Regards,

Den

[Ipsec-tools-users] forcing a new phase 1 reneg

From: Mike Tancsa <mike@se...> - 2006-04-18 14:33

Hi,
         While working with a PIX remote, I am running into one small 
annoying problem where if the remote dies (e.g power failure), the 
ipsectools version of racoon is not detecting that its gone.  My only 
way to currently work around it is by restarting racoon, or logging 
on to a remote device and initiating traffic from there.  However, 
the later is not always possible.  Restarting racoon always works, 
but its obtrusive as it kills all my other associations.


Here is host A's inside address trying to ping Host B (the PIX) after 
Host B has rebooted as seen by the router in the middle (i.e. the 
public traffic). The PIX does not have any associations.


10:14:58.426228 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x43f1db44,seq=0x50)
10:15:03.250024 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x43f1db44,seq=0x51)
10:15:36.473624 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x43f1db44,seq=0x52)
10:15:50.514338 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x43f1db44,seq=0x53)
10:16:07.556660 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x43f1db44,seq=0x54)

On host A, I delete the SADB entries, and now I see

10:17:56.429578 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
2/others ? oakley-quick[E]

going out.  But how do I force a phase 1 to reneg ?

setkey -D does not show any associations



remote 20.20.20.20
{
         exchange_mode main;
         doi ipsec_doi;
         situation identity_only;

         my_identifier address;
         peers_identifier address;
         verify_identifier on;
         dpd_delay 20;

         nonce_size 16;
         lifetime time 86400 sec;        # sec,min,hour
         initial_contact on;
         support_mip6 on;
         proposal_check obey;    # obey, strict or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key ;
                 dh_group 2 ;
         }
}




#pix test  box
sainfo address 192.168.44.0/28 any address 172.25.1.0/24 any
{
         lifetime time 86400 sec;
         encryption_algorithm 3des ;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate ;
}

# pix test  box
sainfo address 172.25.1.0/24 any address 192.168.44.0/28 any
{
         lifetime time 86400 sec;
         encryption_algorithm 3des ;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate ;
}

The only way I am able to work around it, is by killing racoon and 
restarting it or initiating the connection from the other side.


e.g. I kill racoon, and then do the same ping from the inside address of host A

10:22:58.521353 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 1 I ident
10:22:59.063439 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 1 R ident
10:22:59.083771 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 1 I ident
10:22:59.636884 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 1 R ident
10:22:59.664524 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 1 
I ident[E]
10:22:59.686713 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 1 
R ident[E]
10:22:59.688701 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 
2/others R inf[E]
10:22:59.704500 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
2/others I inf[E]
10:23:00.574227 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
2/others I oakley-quick[E]
10:23:01.199468 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 
2/others R oakley-quick[E]
10:23:01.254232 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
2/others I oakley-quick[E]
10:23:07.133308 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x85b123c3,seq=0x1)
10:23:07.159598 IP 20.20.20.20 > 10.10.10.10: ESP(spi=0x06f84f76,seq=0x1)

Other than restarting racoon, is there a way to force it to restart 
its phase 1 negotiations ?

It also doesnt seem to neg DPD ?

access-list secret permit ip 192.168.44.0 255.255.255.248 172.25.1.0 
255.255.255.0

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address secret
crypto map outside_map 20 set peer 10.10.10.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.10 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 3
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


         ---Mike







--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@...
Providing Internet since 1994                    http://www.sentex.net
Cambridge, Ontario Canada                         http://www.sentex.net/mike

Re: [Ipsec-tools-users] forcing a new phase 1 reneg

From: Mike Tancsa <mike@se...> - 2006-04-18 15:10

At 10:32 AM 18/04/2006, Mike Tancsa wrote:

>On host A, I delete the SADB entries, and now I see


Forgot to mention, this is FreeBSD RELENG_5 with the latest version 
of ipsectools.  And by deleteing, I mean I do

# setkey -c
deleteall 10.10.10.10 20.20.20.20 esp;
deleteall 20.20.20.20 10.10.10.10 esp;
^D




>10:17:56.429578 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
>2/others ? oakley-quick[E]
>
>going out.  But how do I force a phase 1 to reneg ?
>
>setkey -D does not show any associations
>
>
>
>remote 20.20.20.20
>{
>         exchange_mode main;
>         doi ipsec_doi;
>         situation identity_only;
>
>         my_identifier address;
>         peers_identifier address;
>         verify_identifier on;
>         dpd_delay 20;
>
>         nonce_size 16;
>         lifetime time 86400 sec;        # sec,min,hour
>         initial_contact on;
>         support_mip6 on;
>         proposal_check obey;    # obey, strict or claim
>
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key ;
>                 dh_group 2 ;
>         }
>}
>
>
>
>
>#pix test  box
>sainfo address 192.168.44.0/28 any address 172.25.1.0/24 any
>{
>         lifetime time 86400 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate ;
>}
>
># pix test  box
>sainfo address 172.25.1.0/24 any address 192.168.44.0/28 any
>{
>         lifetime time 86400 sec;
>         encryption_algorithm 3des ;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate ;
>}
>
>The only way I am able to work around it, is by killing racoon and 
>restarting it or initiating the connection from the other side.
>
>
>e.g. I kill racoon, and then do the same ping from the inside 
>address of host A
>
>10:22:58.521353 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 1 I ident
>10:22:59.063439 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 1 R ident
>10:22:59.083771 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 1 I ident
>10:22:59.636884 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 1 R ident
>10:22:59.664524 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
>1 I ident[E]
>10:22:59.686713 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 
>1 R ident[E]
>10:22:59.688701 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 
>2/others R inf[E]
>10:22:59.704500 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
>2/others I inf[E]
>10:23:00.574227 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
>2/others I oakley-quick[E]
>10:23:01.199468 IP 20.20.20.20.500 > 10.10.10.10.500: isakmp: phase 
>2/others R oakley-quick[E]
>10:23:01.254232 IP 10.10.10.10.500 > 20.20.20.20.500: isakmp: phase 
>2/others I oakley-quick[E]
>10:23:07.133308 IP 10.10.10.10 > 20.20.20.20: ESP(spi=0x85b123c3,seq=0x1)
>10:23:07.159598 IP 20.20.20.20 > 10.10.10.10: ESP(spi=0x06f84f76,seq=0x1)
>
>Other than restarting racoon, is there a way to force it to restart 
>its phase 1 negotiations ?
>
>It also doesnt seem to neg DPD ?
>
>access-list secret permit ip 192.168.44.0 255.255.255.248 172.25.1.0 
>255.255.255.0
>
>sysopt connection permit-ipsec
>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>crypto map outside_map 20 ipsec-isakmp
>crypto map outside_map 20 match address secret
>crypto map outside_map 20 set peer 10.10.10.10
>crypto map outside_map 20 set transform-set ESP-3DES-SHA
>crypto map outside_map interface outside
>isakmp enable outside
>isakmp key ******** address 10.10.10.10 netmask 255.255.255.255
>isakmp identity address
>isakmp keepalive 10 3
>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption 3des
>isakmp policy 20 hash sha
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400
>
>
>         ---Mike
>
>
>
>
>
>
>
>--------------------------------------------------------------------
>Mike Tancsa,                                      tel +1 519 651 3400
>Sentex Communications,                            mike@...
>Providing Internet since 1994                    http://www.sentex.net
>Cambridge, Ontario Canada                         http://www.sentex.net/mike
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>that extends applications into web and mobile media. Attend the live webcast
>and join the prime developer group breaking into this new coding territory!
>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>_______________________________________________
>Ipsec-tools-users mailing list
>Ipsec-tools-users@...
>https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users

Re: [Ipsec-tools-users] forcing a new phase 1 reneg

From: Pawel Jakub Dawidek <pjd@Fr...> - 2006-04-18 15:34

Attachments: Message as HTML

On Tue, Apr 18, 2006 at 10:32:46AM -0400, Mike Tancsa wrote:
+> Hi,
+>         While working with a PIX remote, I am running into one small ann=
oying problem where if the remote dies (e.g power failure), the ipsectools =
version of racoon is not=20
+> detecting that its gone.  My only way to currently work around it is by =
restarting racoon, or logging on to a remote device and initiating traffic =
=66rom there.  However, the=20
+> later is not always possible.  Restarting racoon always works, but its o=
btrusive as it kills all my other associations.
+>=20
+>=20
+> Here is host A's inside address trying to ping Host B (the PIX) after Ho=
st B has rebooted as seen by the router in the middle (i.e. the public traf=
fic). The PIX does not=20
+> have any associations.
[...]
+> remote 20.20.20.20
+> {
+>         exchange_mode main;

Hi Mike. AFAIK DPD is not implemented in 'main' mode. DPD implementation
for 'base' mode is buggy. The only working DPD (where also was bug, iirc
when compiled on FreeBSD) is for 'aggressive' mode.
Could you try 'aggressive' mode and see if that helps?

--=20
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@...                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

Re: [Ipsec-tools-users] forcing a new phase 1 reneg

From: Mike Tancsa <mike@se...> - 2006-04-18 17:17

At 11:33 AM 18/04/2006, Pawel Jakub Dawidek wrote:
>On Tue, Apr 18, 2006 at 10:32:46AM -0400, Mike Tancsa wrote:
>+> Hi,
>+>         While working with a PIX remote, I am running into one 
>small annoying problem where if the remote dies (e.g power failure), 
>the ipsectools version of racoon is not
>+> detecting that its gone.  My only way to currently work around it 
>is by restarting racoon, or logging on to a remote device and 
>initiating traffic from there.  However, the
>+> later is not always possible.  Restarting racoon always works, 
>but its obtrusive as it kills all my other associations.
>+>
>+>
>+> Here is host A's inside address trying to ping Host B (the PIX) 
>after Host B has rebooted as seen by the router in the middle (i.e. 
>the public traffic). The PIX does not
>+> have any associations.
>[...]
>+> remote 20.20.20.20
>+> {
>+>         exchange_mode main;
>
>Hi Mike. AFAIK DPD is not implemented in 'main' mode. DPD implementation
>for 'base' mode is buggy. The only working DPD (where also was bug, iirc
>when compiled on FreeBSD) is for 'aggressive' mode.
>Could you try 'aggressive' mode and see if that helps?

Hi,
         Thanks for the tip!  It sort of works, but the SAs keep 
renegotiating and getting out of sync.  I am going to move my test 
PIX to a different end point as debugging with multiple clients on a 
server is difficult.

e.g.
Apr 18 13:14:01 new-dw2 racoon-dpd: DEBUG: sendto Information notify.
Apr 18 13:14:01 new-dw2 racoon-dpd: DEBUG: received a valid R-U-THERE, ACK sent
Apr 18 13:14:02 new-dw2 racoon-dpd: DEBUG: msg 1 not interesting
Apr 18 13:14:36 new-dw2 racoon-dpd: DEBUG: msg 1 not interesting
Apr 18 13:15:03 new-dw2 racoon-dpd: DEBUG: msg 1 not interesting
Apr 18 13:15:05 new-dw2 racoon-dpd: DEBUG: msg 1 not interesting

its not clear whose message is "not interesting"

         ---Mike

Re: [Ipsec-tools-users] forcing a new phase 1 reneg

From: VANHULLEBUS Yvan <vanhu@fr...> - 2006-04-18 17:30

On Tue, Apr 18, 2006 at 05:33:02PM +0200, Pawel Jakub Dawidek wrote:
[....]
> Hi Mike. AFAIK DPD is not implemented in 'main' mode. DPD implementation
> for 'base' mode is buggy. The only working DPD (where also was bug, iirc
> when compiled on FreeBSD) is for 'aggressive' mode.
> Could you try 'aggressive' mode and see if that helps?

DPD is implemented and does work for both Main and Aggressive modes.

If it does not works for you, please send me more informations to
track the problem.

Yvan.

[Ipsec-tools-users] cinder self-defeating

From: Connie Pineda <inay@ge...> - 2006-04-18 13:26

Attachments: Message as HTML Message as HTML

[Ipsec-tools-users] tunnelling in only one direction

From: Marcus Wu <riptide@di...> - 2006-04-12 22:02

I've set up a tunnel, and it works, but only in one direction(net behind 
gateway2 works going to net behind gateway1, but not vice versa... I've 
shown the configs for gateway1 and gateway2 below).

I was reading the checklist at: 
http://ipsec-tools.sourceforge.net/checklist.html
Everything checked out except for the next to last item on the 
checklist: "tcpdump shows plain text traffic"

running a ping from the net behind gateway1 to the net behind gateway2 
and a tcpdump at gateway2's external interface yields:
16:56:55.691654 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c1afb,seq=0xc490870), length 116
16:56:55.699641 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c1edc,seq=0x8680871), length 116
16:56:56.695580 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c1afb,seq=0xc490872), length 116
16:56:56.699743 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c1edc,seq=0x8680873), length 116
16:56:57.695800 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c1afb,seq=0xc490874), length 116

while a ping from the net behind gateway2 to the net behind gateway1 and 
a tcpdump at gateway1's external interface yields:
18:10:09.172292 IP yyy.yyy.187.82 > zzz.zzz.204.14: 
ESP(spi=0x002c6061,seq=0x9)
18:10:09.172292 IP 10.9.11.250 > 192.168.0.132: icmp 64: echo request seq 1
18:10:09.173341 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c2744,seq=0x953)
18:10:10.173011 IP yyy.yyy.187.82 > zzz.zzz.204.14: 
ESP(spi=0x002c6061,seq=0xa)
18:10:10.173011 IP 10.9.11.250 > 192.168.0.132: icmp 64: echo request seq 2
18:10:10.174144 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c2744,seq=0x954)
18:10:11.175198 IP yyy.yyy.187.82 > zzz.zzz.204.14: 
ESP(spi=0x002c6061,seq=0xb)
18:10:11.175198 IP 10.9.11.250 > 192.168.0.132: icmp 64: echo request seq 3
18:10:11.176176 IP zzz.zzz.204.14 > yyy.yyy.187.82: 
ESP(spi=0x016c2744,seq=0x955)

So it seems that the encrypted packets aren't being picked up and 
decrypted... or something like that.  I get the problem, but the 
checklist doesn't really say what to do about it.  Any suggestions?

gateway1:
path pre_shared_key "/etc/racoon/psk2.txt";

remote yyy.yyy.187.82 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
 
sainfo address 192.168.0.0/24 any address 10.9.11.0/24 any {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
------------
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.0.0/24 10.9.11.0/24 any -P out ipsec
        esp/tunnel/zzz.zzz.204.14-yyy.yyy.187.82/unique;

spdadd 10.9.11.0/24 192.168.0.0/24 any -P in ipsec
        esp/tunnel/yyy.yyy.187.82-zzz.zzz.204.14/unique;

gateway2:
path pre_shared_key "/etc/racoon/psk2.txt";

remote zzz.zzz.204.14 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
 
sainfo address 10.9.11.0/24 any address 192.168.0.0/24 any {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
---------
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 10.9.11.0/24 192.168.0.0/24 any -P out ipsec
        esp/tunnel/yyy.yyy.187.82-zzz.zzz204.14/unique;

spdadd 192.168.0.0/24 10.9.11.0/24 any -P in ipsec
        esp/tunnel/zzz.zzz.204.14-yyy.yyy.187.82/unique;
---------------