Thursday, January 19, 2006, 2:40:43 PM, you wrote:
> I'm trying to establish an ipsec tunnel from our FreeBSD 5.4 gateway to
> a remote Netscreen endpoint, which can be reached via two different
> routes, one which is our main line and goes thru a NAT, and another
> which is our backup line, on a completely different network provider,
> that goes directly. While the backup line setup was successful (using
> ipsec-tools HEAD from cvs), the main one isn't working, and I strongly
> suspect it's a question of NAT - I don't have access to the Netscreen
> endpoint, so I can't be sure, and there are timezone and language
> barriers making a detailed exam of the problem from there rather difficult.
Do you have racoon's log telling what's going on ? If racoon loops
without seeing any answer from the other side, yes, you probably have
some problems with NATT. Without any other info, I can't help you.
> My idea was to try with nat-t, which unfortunately isn't supported in
> freebsd5. I found a patch file in your cvs, but it's based on a very old
> release and won't apply - I tried changing the patch file till it
> successfully applied, but then the kernel build failed and as I'm not
> expert enough to fix it I just reverted the changes: is there an up to
> date patch ?
Alas, as far as I know (Yvan, stop me if I'm wrong ?), we won't be able
to support FBSD5. OTOH, there's active work to get it to work with 6.
> Second ... the Netscreen endpoint uses pre shared key, extended
> authentication, as such I have to use the latest ipsec-tools from the
> HEAD branch. How robust is this at the moment, is there an official
> release coming soon that will support psk-xauth ?
We are going to branch a 0.7 version real soon now. The code has been
in HEAD for quite some time now, and it looks stable enough (quite a few
people are using it, I believe).
> And last point: I can't seem to use racoonctl, even if I compiled it
> with enable-adminport. I just get:
> send: Bad file descriptor
> Am I doing something wrong ?
The obvious : is racoon started ? Other than that, try to rm the socket
and start racoon again, and check the content of the constant
"ADMINSOCK_PATH" in src/racoon/admin.h : it looks like that, if racoon
can change the socket's path, racoonctl has it hardcoded.
(It seems that some work has begun to support a -s option to supply the
path on the command line, but it's not finished. Goes to my todo
list... :) )
"- Anyway, United Amalgamated Consolidated Holdings probably don't worry
about that sort of thing. They've probably got a Vice-President in
Charge of Being Cursed. - And he probably gets his secretary to deal
with it." (Terry Pratchett, Johnny and the Dead)
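A small diagnostic for the racoonctl "send: Bad file descriptor" problem discussed above, added here as an example and not part of ipsec-tools: it pulls the ADMINSOCK_PATH literal out of admin.h, reports what (if anything) sits at that path, and checks whether a racoon process is running. The header location you pass in, the use of pgrep, and the sample socket path in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not ipsec-tools code. Compares the admin socket path
# compiled into racoonctl (ADMINSOCK_PATH in src/racoon/admin.h) with
# what actually exists on disk. Path values below are constructed.

# Print the ADMINSOCK_PATH string literal from an admin.h file,
# e.g. '#define ADMINSOCK_PATH "/var/run/racoon.sock"' -> /var/run/racoon.sock
admin_sock_path() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}ADMINSOCK_PATH[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify what is at the socket path:
#   missing   - nothing there: racoon not started, or it listens elsewhere
#   notsocket - a regular file or directory is in the way; remove it, restart racoon
#   socket    - a socket exists; if racoonctl still fails, check racoon is alive
admin_sock_state() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -S "$1" ]; then
        echo notsocket
    else
        echo socket
    fi
}

# True when a process named racoon is running (pgrep assumed available).
racoon_running() {
    pgrep -x racoon >/dev/null 2>&1
}

# Usage: adminsock_check /path/to/ipsec-tools/src/racoon/admin.h
adminsock_check() {
    path=$(admin_sock_path "$1")
    [ -n "$path" ] || { echo "ADMINSOCK_PATH not found in $1"; return 1; }
    echo "racoonctl is compiled to use: $path"
    echo "state of that path: $(admin_sock_state "$path")"
    if racoon_running; then echo "racoon: running"; else echo "racoon: not running"; fi
}

if [ "$#" -gt 0 ]; then
    adminsock_check "$1"
fi
```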