[Ipsec-tools-devel] empty policies & general help

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi All,

I've been trying to get ipsec w/2.6 working and have a few questions...

I've tried 5.1 and 6.0-beta

1. Should the command "racoonctl vc w.x.y.z" complete and return to the
prompt? It never does, however "racoonctl vd w.x.y.z" will.

2. If I use manual keying with transport mode, everything seems to work,
however, I simply cannot get racoon to work either transport or tunnel.

3. Using the roadwarrior sample configs (no changes except for ip addr in
client racoon.conf and x509 cert names)

I only see empty policies....

[root@vpn ipsec-tools-0.6.beta1]# setkey -DP
(per-socket policy)
        in none
        created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
        lifetime: 0(s) validtime: 0(s)
        spid=3D443 seq=3D1 pid=3D4250
        refcnt=3D1
(per-socket policy)
        out none
        created: Apr 19 07:47:54 2005  lastused: Apr 19 07:57:26 2005
        lifetime: 0(s) validtime: 0(s)
        spid=3D452 seq=3D0 pid=3D4250
        refcnt=3D1

4. The client racoon output shows the public ip addrs, not the stuff from
mode_cfg as I expected..

2005-04-19 14:29:57: DEBUG: encrypted.
2005-04-19 14:29:57: DEBUG: 92 bytes from 64.17.y.z[500] to 216.154.a.b[5=
00]
2005-04-19 14:29:57: DEBUG: sockname 64.17.y.z[500]
2005-04-19 14:29:57: DEBUG: send packet from 64.17.y.z[500]
2005-04-19 14:29:57: DEBUG: send packet to 216.154.a.b[500]
2005-04-19 14:29:57: DEBUG: src4 64.17.y.z[500]
2005-04-19 14:29:57: DEBUG: dst4 216.154.a.b[500]
2005-04-19 14:29:57: DEBUG: 1 times of 92 bytes message will be sent to
64.17.y.z[50]2005-04-19 14:29:57: DEBUG:
627d5e9e 6fb44147 e457a3c9 f54762fb 08100501 bc3468e0 0000005c f68b1d17
9a5eda02 1b86a31d 87397b0b fadf3e12 bb288d65 00c4df7d 7534986c abb81b9d
dfd1f9c5 86462e61 74e854e3 88822b84 fe976d97 5a3d49f1 75b044da
2005-04-19 14:29:57: DEBUG: sendto Information notify.
2005-04-19 14:29:57: DEBUG: received a valid R-U-THERE, ACK sent
2005-04-19 14:29:57: DEBUG: notification message 36136:36136, doi=3D1
proto_id=3D1 spi=3D627d5.

5. Should there also be pseudo devices on each end to define the tunnel?
Must I add them? What about the additions of the routes?

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

In the end, I hope to accomplish something like the following:

  +----------+           +--------+           +-----------+
  | linux    |           | linux  |           | client    |
  | w/ ppp   | <=3D=3D=3D=3D=3D=3D=3D=3D>| vpn gw | <=3D=3D=3D=3D=3D=3D=3D=
> | win/linux |
  | to isp   |    pub    |________|    pub    |           |
  +----------+    ip     +--------+    ip     +-----------+

with the vpn gateway routing/bridging client(s) to mobile linux host(s).

Possible with native ipsec?  I have this running with openvpn, but don't
like the lack of interop.

Thanks very much for any help provided...

Mark Lucia