Hi,

How should racoon.conf look? Does racoon support having multiple remote sections inside racoon.conf for the same remote with different proposals?

How will racoon identify which is the correct remote section from racoon.conf for a particular tunnel?

Following is the racoon.conf on peer1, with psk.txt the same as mentioned by you.
With this configuration I am not able to achieve the intended behavior, i.e. not able to establish both the tunnels with the peer as initiator.

Is this configuration correct? Could you please clarify what the correct configuration is?

# cat racoon.conf
#!/usr/local/6bin/racoon
# FlexiPlatform Racoon configuration file

# This file is automatically created, DO NOT EDIT THIS!
path pre_shared_key "/root/secret.psk";
path certificate "/etc/ipsec/certs/ipsec.d/";
remote 44.0.0.2
{
        exchange_mode main;
        my_identifier address 44.0.0.1;
        nat_traversal off;
        script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
        script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
        lifetime time 1200 secs;
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo subnet 33.0.0.0/24 1 subnet 33.0.0.0/24 1
{
        lifetime time 600 secs;
        encryption_algorithm aes;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        encapdscp on;
}

remote 44.0.0.2
{
        exchange_mode main;
        my_identifier address 44.0.0.3;
        nat_traversal off;
        script "/etc/ipsec/scripts/phase1-up.sh" phase1_up;
        script "/etc/ipsec/scripts/phase1-down.sh" phase1_down;
        lifetime time 2400 secs;
        # phase 1 proposal (for ISAKMP SA)
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo subnet 55.0.0.0/24 1 subnet 55.0.0.0/24 1
{
        lifetime time 1200 secs;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
        encapdscp on;
}

listen {
        adminsock "/etc/ipsec/0/ike1/.racoon_admin";
        isakmp 44.0.0.1 [500];
        isakmp 44.0.0.3 [500];
}




Thanks,
Reshma


On Wed, Jun 27, 2012 at 5:14 PM, Rainer Weikusat <rweikusat@mobileactivedefense.com> wrote:
Reshma Begam <reshma.begam@gmail.com> writes:
> Could someone please help me in understanding how the
> racoon.conf and psk.txt configuration should be for the following tunnel scenario.
>
> Scenario: I have a couple of tunnels between 2 peers, each tunnel having
> its own peer1 end point but the same peer2 end.
>
>             Peer1                                Peer2
>     A1 (1.1.1.1)(PSK:Secret1)<------------> B1(1.1.1.3)  (Tunnel 1)
> (PSK:Secret1)              -------------> both these tunnels have their own
> secrets. Secret1 and Secret2.
>     A2 (1.1.1.2)(PSK:Secret2)<------------->B1(1.1.1.3)  (Tunnel 2)
> (PSK:Secret2)
>
> Is this kind of scenario supported by racoon? What happens if we
> initiate traffic from the traffic selectors of both tunnels? Will negotiations
> succeed?
> Please provide some example configurations if any exist for this kind of
> scenario.

On the 'Peer1' machines, you would have a psk.txt with

       1.1.1.3 Secret1

and

       1.1.1.3 Secret2

On Peer2, this would be

       1.1.1.1 Secret1
       1.1.1.2 Secret2




--
 
Regards,
Reshma
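An added check, written for this thread rather than taken from it or from racoon itself: racoon selects a remote section by the peer address written after `remote`, and a psk.txt line by its identifier, so two `remote 44.0.0.2` blocks, or two `1.1.1.3` lines, leave the daemon with two candidates for a single lookup. The script below, run against constructed sample inputs that mirror the posted racoon.conf and the suggested psk.txt (assumed, not the real files), flags both situations and records which `my_identifier` each duplicate block used.

```python
import re

# Constructed sample inputs modelled on the files described in this thread.
RACOON_CONF = """\
remote 44.0.0.2
{
        my_identifier address 44.0.0.1;
        proposal { encryption_algorithm aes; authentication_method pre_shared_key; }
}
sainfo subnet 33.0.0.0/24 1 subnet 33.0.0.0/24 1 { encryption_algorithm aes; }
remote 44.0.0.2
{
        my_identifier address 44.0.0.3;
        proposal { encryption_algorithm 3des; authentication_method pre_shared_key; }
}
"""
PSK_TXT = "1.1.1.3 Secret1\n1.1.1.3 Secret2\n"  # peer1 psk.txt as suggested in the reply


def parse_remotes(conf):
    """Return (peer_address, my_identifier) for every top-level remote block."""
    remotes, depth, cur = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"remote\s+(\S+)", line)
        if m and depth == 0:                 # new top-level remote block
            cur = [m.group(1), None]
        m = re.match(r"my_identifier\s+address\s+(\S+)\s*;", line)
        if m and cur is not None:
            cur[1] = m.group(1)
        depth += line.count("{") - line.count("}")
        if depth == 0 and cur is not None and "}" in line:
            remotes.append(tuple(cur))       # block closed at top level
            cur = None
    return remotes


def duplicate_remotes(conf):
    """Peer addresses used by more than one remote block, with each block's local id."""
    by_peer = {}
    for peer, ident in parse_remotes(conf):
        by_peer.setdefault(peer, []).append(ident)
    return {p: ids for p, ids in by_peer.items() if len(ids) > 1}


def duplicate_psk_ids(psk):
    """Identifiers that appear on more than one psk.txt line."""
    ids = [l.split(None, 1)[0] for l in psk.splitlines()
           if l.strip() and not l.lstrip().startswith("#")]
    return sorted({i for i in ids if ids.count(i) > 1})
```

For the sample inputs, `duplicate_remotes(RACOON_CONF)` returns `{'44.0.0.2': ['44.0.0.1', '44.0.0.3']}` and `duplicate_psk_ids(PSK_TXT)` returns `['1.1.1.3']`.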