Re: [Ipsec-tools-devel] racoon plus shrewsoft | cisco vpn client

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Igor Smitran wrote:
> Can anyone help me with this:
> 
> server setup:
> 
> public ip 217.xxx.xxx.5
> local ip 192.168.200.1
> 
> racoon.conf:
> path certificate "/etc/racoon/certs";
> #option of controlling racoon by racoonctl tool is disabled
> listen {
>         adminsock disabled;
> }
> #remote section . anonymous address of roadwarrior client
> remote anonymous {
>         exchange_mode aggressive,main;
>         my_identifier asn1dn;
>         certificate_type x509 "key.pem" "key-dec.key";
>         proposal_check obey;
>         generate_policy on;
>         verify_cert on;
>         nat_traversal on;
>         dpd_delay 20;
>         ike_frag on;
>         initial_contact on;
>         proposal {
>                 encryption_algorithm aes;
>                 hash_algorithm md5;
>                 authentication_method hybrid_rsa_server;
>                 dh_group 2;
>         }
> }
> mode_cfg {
>         pool_size 253;
>         auth_source radius;             # login validated against RADIUS
>         conf_source radius;             # IPv4 address obtained by RADIUS
>         accounting radius;              # RADIUS accounting
>         dns4 192.168.200.1;
>         wins4 192.168.200.1;
>         #banner "/etc/racoon/motd";
>         save_passwd on;
> }
> sainfo anonymous {
>         pfs_group 2;
>         lifetime time 2147483 seconds;
>         encryption_algorithm aes;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
> }
> 
> clients get ip address from radius and it is from 192.168.201.0/24
> 
> i am able to connect with cisco vpn client and to ping internal LAN. But, i 
> am losing internet connection, i can't make split tunnel with cisco vpn 
> client. Does anyone know how to tell cisco vpn client to use ipsec tunnel 
> only for some addresses and for the rest to use default gateway? I know this 
> is less secure, but i have to do it that way :(
> 
> Second problem:
> i am able to connect to server with shrewsoft latest beta (also tried with 
> 1.1.0 stable) but i can't ping ipsec server. I think it is because of 
> security policies but i have tried lot of combinations and nothing works. 
> Can anyone tell me some magic? :)
> 
> I am connectiing from NATed computer, but i have also tried connecting from 
> public ip and it is the same :(
> 
> Thank you,
> Igor 
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel