Re: [Ipsec-tools-devel] Fwd: question about racoon

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Jun Yin wrote:
>  I just upgrade my fedora core from 6 to 9, then I can see the version is:
> [root@pc02 env_repository]# rpm -q ipsec-tools
> ipsec-tools-0.7-13.fc9.i386
> Don't know if it's enable hybrid or not.

You will get an error message that "hybrid mode not enabled" if you
have the relevant configuration, but the racoon was not compiled with
that feature. Thus your racoon is compiled with it.

> I'm using cisco IOS router works as vpn gateway right now, and I already
> tried to use openswan againest that cisco IOS to verify IOS worksok. then I
> changed openswan to racoon. racoon always got problem.
> 
>>From cisco debug, it show " unknown attribute 16384", but they ignore it.
> I'm thinking if I can force racoon not sending out the gss_id attribute.

The problem is that the specifications say:
#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I	65001
#define OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB	65001

Thus the decision to use gssapi or xauth is done depending on the rest
of the configuration.

Apparently you are lacking some configuration for the remote to trigger
using Xauth. Make sure the right "remote" block is used. And that
xauth_login is specified there. Could you also tell how you trigger the
initiation of the connection?

> In racoon's configuration, if I use "authentication_method
> xauth_psk_client", then it always send out gss_id attribute, and racoon's
> debugshows :
> 2008-07-11 10:52:31: INFO: received Vendor ID:
> draft-ietf-ipsra-isakmp-xauth-06.txt
> 2008-07-11 10:52:31: ERROR: No SIG was passed, hybrid auth is enabled, but
> peer is no Xauth compliant
> 2008-07-11 10:52:31: ERROR: ignore information because ISAKMP-SAhas not been
> established yet.

Since you are initiator and did not announce xauth, the responder does
not announce either xauth, but still tries to use it (which is faulty imho).

> I tried to change authentication_method to pre_shared_key, then it does not
> send out gss_id attribute, but still got problem. racoon debugshows:
> 2008-07-11 10:59:58: WARNING: Ignored short attribute INTERNAL_IP4_SUBNET
> 2008-07-11 10:59:58: WARNING: Ignored attribute 17
> 2008-07-11 10:59:58: WARNING: Ignored attribute SUPPORTED_ATTRIBUTES
> 2008-07-11 10:59:58: WARNING: Ignored attribute INTERNAL_IP6_SUBNET

Yes, that disables xauth / mode_cfg and this is expected.

Cheers,
  Timo