From: <ml...@lu...> - 2005-04-19 17:20:46
Hi All,

I've been trying to get ipsec w/2.6 working and have a few questions... I've tried 5.1 and 6.0-beta 1.

1. Should the command "racoonctl vc w.x.y.z" complete and return to the prompt? It never does; however, "racoonctl vd w.x.y.z" will.

2. If I use manual keying with transport mode, everything seems to work; however, I simply cannot get racoon to work in either transport or tunnel mode.

3. Using the roadwarrior sample configs (no changes except for ip addr in client racoon.conf and x509 cert names) I only see empty policies....

   [root@vpn ipsec-tools-0.6.beta1]# setkey -DP
   (per-socket policy)
       in none
       created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
       lifetime: 0(s) validtime: 0(s)
       spid=443 seq=1 pid=4250
       refcnt=1
   (per-socket policy)
       out none
       created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
       lifetime: 0(s) validtime: 0(s)
       spid=452 seq=0 pid=4250
       refcnt=1

4. The client racoon output shows the public ip addrs, not the stuff from mode_cfg as I expected..

   2005-04-19 14:29:57: DEBUG: encrypted.
   2005-04-19 14:29:57: DEBUG: 92 bytes from 64.17.y.z[500] to 216.154.a.b[500]
   2005-04-19 14:29:57: DEBUG: sockname 64.17.y.z[500]
   2005-04-19 14:29:57: DEBUG: send packet from 64.17.y.z[500]
   2005-04-19 14:29:57: DEBUG: send packet to 216.154.a.b[500]
   2005-04-19 14:29:57: DEBUG: src4 64.17.y.z[500]
   2005-04-19 14:29:57: DEBUG: dst4 216.154.a.b[500]
   2005-04-19 14:29:57: DEBUG: 1 times of 92 bytes message will be sent to 64.17.y.z[50]
   2005-04-19 14:29:57: DEBUG:
   627d5e9e 6fb44147 e457a3c9 f54762fb 08100501 bc3468e0 0000005c f68b1d17
   9a5eda02 1b86a31d 87397b0b fadf3e12 bb288d65 00c4df7d 7534986c abb81b9d
   dfd1f9c5 86462e61 74e854e3 88822b84 fe976d97 5a3d49f1 75b044da
   2005-04-19 14:29:57: DEBUG: sendto Information notify.
   2005-04-19 14:29:57: DEBUG: received a valid R-U-THERE, ACK sent
   2005-04-19 14:29:57: DEBUG: notification message 36136:36136, doi=1 proto_id=1 spi=627d5.

5. Should there also be pseudo devices on each end to define the tunnel? Must I add them? What about the additions of the routes?

==========================================================================

In the end, I hope to accomplish something like the following:

   +----------+                +--------+               +-----------+
   | linux    |                | linux  |               | client    |
   | w/ ppp   | <============> | vpn gw | <===========> | win/linux |
   | to isp   |     pub        |________|     pub       |           |
   +----------+     ip         +--------+     ip        +-----------+

with the vpn gateway routing/bridging client(s) to mobile linux host(s). Possible with native ipsec? I have this running with openvpn, but don't like the lack of interop.

Thanks very much for any help provided...

Mark Lucia
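An added check for readers of this thread; it is not part of Mark's post and not ipsec-tools code. The `setkey -DP` output in question 3 contains only the two "(per-socket policy) ... none" placeholders, which is what a host with no spdadd entries shows. With the native IPsec stack the kernel only raises an ACQUIRE (the event that makes racoon negotiate on behalf of traffic) when a packet matches an SPD entry carrying a require level, so an empty SPD means no traffic can ever trigger a negotiation, whatever racoon.conf says; this is the general behaviour of the stack, not a diagnosis of the poster's setup. The script below parses setkey -DP text into policy records, reports whether any kernel SPD entry is installed, and emits the out/in spdadd pair for an ESP tunnel between two gateways. The sample outputs, the 192.168.x.0/24 subnets and the 203.0.113.10 / 198.51.100.1 gateway addresses are constructed for the example.

```python
"""Parse `setkey -DP` output and emit tunnel-mode spdadd entries.

Added example for this thread, not ipsec-tools code.  Sample outputs and
all addresses below are constructed (RFC 5737 documentation ranges).
"""
import re

# Indented lines that continue the current record instead of starting one.
ATTR_PREFIXES = ("created:", "lifetime:", "spid=", "refcnt=")
XFORM_PREFIXES = ("esp/", "ah/", "ipcomp/")      # ipsec request lines
DIR_RE = re.compile(r"^(in|out|fwd)\b(.*)$")     # "in none", "out prio def ipsec", ...
SPID_RE = re.compile(r"spid=(\d+)")


def _new_policy(per_socket, selector):
    return {"per_socket": per_socket, "selector": selector,
            "direction": None, "action": None, "spid": None, "transforms": []}


def parse_setkey_dp(text):
    """Return one dict per policy record in `setkey -DP` output.

    A kernel SPD entry starts with an unindented selector line
    ("src dst upper-proto"); a per-socket placeholder starts with the
    literal "(per-socket policy)".  The direction line is "out ipsec"
    (setkey 0.x) or "out prio def ipsec" (newer); its last word is the
    action: none, ipsec or discard.
    """
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[$#":          # blank, or a pasted shell prompt
            continue
        if line == "(per-socket policy)":
            cur = _new_policy(True, None)
            policies.append(cur)
        elif line.startswith(ATTR_PREFIXES):
            m = SPID_RE.search(line)
            if m and cur is not None:
                cur["spid"] = int(m.group(1))
        elif line.startswith(XFORM_PREFIXES):
            if cur is not None:
                cur["transforms"].append(line)
        elif DIR_RE.match(line) and cur is not None and cur["direction"] is None:
            m = DIR_RE.match(line)
            cur["direction"], words = m.group(1), m.group(2).split()
            cur["action"] = words[-1] if words else None
        else:                                     # selector line: kernel SPD entry
            cur = _new_policy(False, line)
            policies.append(cur)
    return policies


def has_kernel_policies(policies):
    """True once at least one entry installed with spdadd is present.

    Only per-socket "none" placeholders means the SPD is empty: nothing
    can match a require-level policy, so the kernel never sends an
    ACQUIRE and racoon is never asked to negotiate for traffic.
    """
    return any(not p["per_socket"] for p in policies)


def tunnel_spd_entries(local_net, remote_net, local_gw, remote_gw):
    """Out/in spdadd pair for an ESP tunnel; endpoints are written
    source-first, so they swap for the inbound entry."""
    return [
        f"spdadd {local_net} {remote_net} any -P out ipsec "
        f"esp/tunnel/{local_gw}-{remote_gw}/require;",
        f"spdadd {remote_net} {local_net} any -P in ipsec "
        f"esp/tunnel/{remote_gw}-{local_gw}/require;",
    ]


# Constructed sample: only per-socket placeholders, as in the thread.
EMPTY_SPD = """\
[root@vpn ipsec-tools-0.6.beta1]# setkey -DP
(per-socket policy)
    in none
    created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
    lifetime: 0(s) validtime: 0(s)
    spid=443 seq=1 pid=4250
    refcnt=1
(per-socket policy)
    out none
    created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
    lifetime: 0(s) validtime: 0(s)
    spid=452 seq=0 pid=4250
    refcnt=1
"""

# Constructed sample: the same host after one tunnel policy was spdadd'ed.
POPULATED_SPD = EMPTY_SPD + """\
192.168.2.0/24[any] 192.168.1.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.10-198.51.100.1/require
    created: Apr 19 08:00:00 2005  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=33 seq=2 pid=4300
    refcnt=1
"""

if __name__ == "__main__":
    for name, sample in (("empty", EMPTY_SPD), ("populated", POPULATED_SPD)):
        pols = parse_setkey_dp(sample)
        print(f"{name}: {len(pols)} records, kernel SPD entries present:",
              has_kernel_policies(pols))
    print("\n".join(tunnel_spd_entries("192.168.2.0/24", "192.168.1.0/24",
                                       "203.0.113.10", "198.51.100.1")))
```

Feed it the real output of `setkey -DP` (piped through a file) on both ends; if has_kernel_policies is false on the host that is supposed to initiate, add the spdadd pair to setkey.conf (mirrored on the peer) before looking at racoon.conf again.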