So the 1st server gets these rules:
_______________________________________

# traffic to/from the crypto server itself (10.0.0.1 inside, 1.1.1.1 outside) stays unencrypted;
# this also keeps the IKE/ISAKMP exchange with the peer out of the tunnel

spdadd 0.0.0.0/0 10.0.0.1 any -P in none;
spdadd 10.0.0.1 0.0.0.0/0 any -P out none;

spdadd 0.0.0.0/0 1.1.1.1 any -P in none;
spdadd 1.1.1.1 0.0.0.0/0 any -P out none;

# all other traffic encrypted
# tunnel endpoints are written outer-src-outer-dst: inbound is peer->local (1.1.1.2-1.1.1.1),
# outbound is local->peer (1.1.1.1-1.1.1.2)

spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/tunnel/1.1.1.2-1.1.1.1/require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/tunnel/1.1.1.1-1.1.1.2/require;
_______________________________________


So that's the SPD in /etc/ipsec-tools.conf. But what should I write in /etc/racoon/racoon.conf?


Just this:
_______________________________________

# where racoon looks up the pre-shared key for 1.1.1.2 (path assumed; adjust to your layout)
path pre_shared_key "/etc/racoon/psk.txt";

listen {
    isakmp 1.1.1.1 [500];
}

remote 1.1.1.2 {
    exchange_mode aggressive;
    lifetime time 1 hour;
    proposal {
        encryption_algorithm rijndael 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo subnet 0.0.0.0/0 any subnet 0.0.0.0/0 any {
    pfs_group 2;
    encryption_algorithm rijndael 128;
    # ESP needs an integrity algorithm (non_auth leaves the payload unauthenticated)
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 1 hour;
}
_______________________________________

?

2010/5/18 c0re <nr1c0re@gmail.com>
Thank you, Yvan!
I'll try it in a week.

2010/5/18 VANHULLEBUS Yvan <vanhu@free.fr>

On Tue, May 18, 2010 at 04:35:04PM +0400, c0re wrote:
> Hello everyone!

Hi.


> I tried to make a configuration of setkey and racoon to encrypt all
> traffic.
>
> many networks <------> |server| <----> L2channel <-----> |server| <------->
> many networks
>
>
> So I want to encrypt all traffic that passes between those 2 servers except
> traffic that originates from or is destined to the servers themselves.
>
> how can I do it? What configuration will allow me to do it? Some examples?

Just set up some "none" entries in your SPD, to say that traffic
between servers themselves must NOT be encrypted, then set up a single
SPD rule like 0.0.0.0/0 <-> 0.0.0.0/0 -> IPsec.

The main issue with that specific configuration is that packets from
one side to the same side must NOT be seen by the gate, otherwise the gate
will send them to its IPsec peer....


Yvan.
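
As an added example (not part of the thread and not ipsec-tools' own code), a small Python lint that checks an SPD for the pattern Yvan describes: a "none" policy in each direction for the gateway's own traffic, plus a catch-all tunnel policy whose endpoint order matches the packet direction. The gateway addresses 1.1.1.1/1.1.1.2 and the sample SPD are constructed to mirror the thread.

```python
"""Lint a setkey SPD: 'none' policies for the gateway's own traffic plus a catch-all ESP tunnel."""
import ipaddress
import re

# Captures src, dst, direction and, for tunnel policies, the outer src/dst endpoints.
SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+"
                    r"(?:none|ipsec\s+esp/tunnel/([\d.]+)-([\d.]+)/\w+)\s*;")

def parse_spd(text):
    """Parse spdadd lines (comments and blank lines skipped) into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            m = SPDADD.match(line)
            if not m:
                raise ValueError("unparsed SPD line: " + line)
            src, dst, direction, tsrc, tdst = m.groups()
            rules.append({"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                          "dir": direction, "tunnel": (tsrc, tdst) if tsrc else None})
    return rules

def check_gateway_spd(text, local_gw, peer_gw):
    """Return a list of problems; an empty list means the SPD is consistent."""
    rules, local, problems = parse_spd(text), ipaddress.ip_address(local_gw), []
    # 1. The gateway's own traffic needs a 'none' policy per direction; without it the
    #    catch-all rule would also try to tunnel the IKE exchange with the peer.
    for direction, field in (("in", "dst"), ("out", "src")):
        if not any(r["tunnel"] is None and r["dir"] == direction and local in r[field]
                   for r in rules):
            problems.append("no 'none' policy for %s traffic of %s" % (direction, local_gw))
    # 2. Tunnel endpoints are outer-src-outer-dst: inbound is peer->local, outbound local->peer.
    for r in rules:
        expected = (peer_gw, local_gw) if r["dir"] == "in" else (local_gw, peer_gw)
        if r["tunnel"] and r["tunnel"] != expected:
            problems.append("%s policy tunnel %s-%s should be %s-%s"
                            % ((r["dir"],) + r["tunnel"] + expected))
    return problems

def sample_spd(in_endpoints, out_endpoints):
    """Constructed SPD for a gateway at 1.1.1.1 (peer 1.1.1.2) with the given tunnel endpoints."""
    return ("spdadd 0.0.0.0/0 1.1.1.1 any -P in none;\n"
            "spdadd 1.1.1.1 0.0.0.0/0 any -P out none;\n"
            "spdadd 0.0.0.0/0 0.0.0.0/0 any -P in ipsec esp/tunnel/%s/require;\n"
            "spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/tunnel/%s/require;\n"
            % (in_endpoints, out_endpoints))

if __name__ == "__main__":
    print(check_gateway_spd(sample_spd("1.1.1.1-1.1.1.2", "1.1.1.2-1.1.1.1"), "1.1.1.1", "1.1.1.2"))  # reversed: 2 findings
    print(check_gateway_spd(sample_spd("1.1.1.2-1.1.1.1", "1.1.1.1-1.1.1.2"), "1.1.1.1", "1.1.1.2"))  # correct: []
```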

_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel