Subject: Re: ipsec help? trying to tunnel to freeswan
To: Ken Raeburn <raeburn@raeburn.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 11/09/2001 16:50:47

On Fri, 9 Nov 2001, Ken Raeburn wrote:

> Bill Studenmund <wrstuden@netbsd.org> writes:
>
> > You should look specifically at racoon and isakmpd. I prefer racoon, but
> > these are the two programs (in pkgsrc) that handle key negotiation. I
> > *think* they can add and remove policies too.
>
> I have; that's where I found all the references to "put your
> pre-shared secret key here" type stuff that seems to assume a
> different setup than the one I have to talk to.  Maybe they just don't
> support this mode, but I am not familiar enough with IPsec yet to
> ascertain that with any confidence.

racoon might not support it now. I'm not sure.

Go digging into the racoon source. Its best documentation is its source
AFAICT.

> > I've had no problem with NAT and IPSec. But then I've used a different
> > form of tunneling. My setup has gif (IP in IP) tunnels on each end, and
> > ESP/transport mode policy set up between each end.
>
> That sounds like it'd be different (on the wire) from a direct IPsec
> tunnel; if so, I wouldn't be able to use it, since I don't control the
> other end of the link. :-(

It ends up being the same wire format (which was really confusing as I
figured it out), it's just a different security policy, so I don't think
the two ends would negotiate IKE successfully.

Take care,

Bill
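
Added example, not part of the original message or of racoon/isakmpd: a Python sketch of the header layout for a gif tunnel protected by transport-mode ESP next to a direct tunnel-mode ESP packet. It shows that both produce the same bytes while the configured policy differs. Addresses, SPI, subnets and the policy dictionaries are constructed for illustration, and ESP is framed without encryption or an ICV so the structure stays visible.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_ESP = 4, 50

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (ID and checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def esp(spi, seq, next_header, payload):
    """ESP framing only: SPI, sequence, payload, padding, pad length, next header.
    No encryption or ICV is applied, so the layout stays readable."""
    pad_len = -(len(payload) + 2) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])

def gif_encapsulate(inner, src, dst):
    """What a gif interface does: wrap the packet in an outer IP header, protocol 4."""
    return ipv4(src, dst, IPPROTO_IPIP, inner)

def esp_transport(packet, spi, seq):
    """Transport mode: keep the IP header, slide ESP in front of its payload."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return ipv4(src, dst, IPPROTO_ESP, esp(spi, seq, packet[9], packet[20:]))

def esp_tunnel(inner, src, dst, spi, seq):
    """Tunnel mode: the whole inner packet becomes the ESP payload."""
    return ipv4(src, dst, IPPROTO_ESP, esp(spi, seq, IPPROTO_IPIP, inner))

# Constructed sample values (documentation and private address ranges).
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
INNER = ipv4("10.1.0.5", "10.2.0.9", 17, b"constructed sample")

gif_plus_transport = esp_transport(gif_encapsulate(INNER, GW_A, GW_B), 0x1000, 1)
direct_tunnel = esp_tunnel(INNER, GW_A, GW_B, 0x1000, 1)

# Simplified stand-ins for the policy each setup is configured with (assumed values).
transport_policy = {"mode": "transport", "src": GW_A, "dst": GW_B, "proto": IPPROTO_IPIP}
tunnel_policy = {"mode": "tunnel", "src": "10.1.0.0/24", "dst": "10.2.0.0/24", "proto": "any"}

if __name__ == "__main__":
    print("same bytes on the wire:", gif_plus_transport == direct_tunnel)
    print("same policy:", transport_policy == tunnel_policy)
```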