Subject: Re: racoon -- AUTH must be present for ESP
To: None <itojun@iijlab.net>
From: Jay Nelson <jnelson@newsstand.com>
List: current-users
Date: 10/21/2003 18:29:47
On Tue, Oct 21, 2003 at 07:35:25AM +0900, itojun@iijlab.net wrote:
> >> 	would you please post your racoon.conf as well as setkey(8) settings
> >> 	(ipsec.conf), confidential info removed (like secret keys)?
> >> 
> >> 	basically, the error here is that your racoon (or the IKE peer) is
> >> 	requesting ESP without encryption, without authentication.
> >setkey settings and racoon conf are created on the fly by the ip-up ppp
> >scripts. essentially setkey is configured by:
> >
> >spdadd 10.10.10.2/32 192.168.1.0/24[any] any -P out ipsec esp/tunnel/${myaddr}-209.163.140.4/require ;
> >spdadd 192.168.1.0/24 10.10.10.2/32[any] any -P in ipsec esp/tunnel/209.163.140.4-${myaddr}/require ;
> >
> >EOF
> >
> >and the completed racoon.conf (anonymous SA selected) looks like this:
> 
> 	try removing "non_auth" from "sainfo" clause in racoon.conf.
> 	if it fixes the issue, it is a racoon problem (it should skip the
> 	combination of no-esp and no-auth).
> 
> itojun

That solved the problem, but now raises the question, "is the
connection encrypted?" I guess I'll have to do a little digging.
Thanks for your help.

-- jay
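
An added example, not part of either poster's message: a small Python check for the kind of sainfo proposal itojun's advice concerns, flagging authentication_algorithm lists that offer non_auth and the case where null_enc is offered alongside it. The racoon.conf fragment is constructed (the poster's file is not shown in this thread), and lint_sainfo is a hypothetical helper name.

```python
import re

# Constructed sample racoon.conf fragment (not the poster's actual file).
SAMPLE = """
sainfo anonymous {
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des, null_enc;
    authentication_algorithm hmac_sha1, non_auth;
    compression_algorithm deflate;
}
"""

# sainfo blocks do not nest braces, so a non-greedy match up to "}" is enough.
SAINFO_RE = re.compile(r"sainfo\s+([^{]+?)\s*\{([^}]*)\}", re.S)


def _algs(body, keyword):
    """Return the comma-separated algorithm list given for one directive."""
    m = re.search(rf"\b{keyword}\s+([^;]+);", body)
    return [a.strip() for a in m.group(1).split(",")] if m else []


def lint_sainfo(conf_text):
    """Return (selector, severity, message) findings for each sainfo block."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    findings = []
    for selector, body in SAINFO_RE.findall(text):
        enc = _algs(body, "encryption_algorithm")
        auth = _algs(body, "authentication_algorithm")
        if "non_auth" not in auth:
            continue
        findings.append((selector, "warn",
                         "non_auth offered: ESP may be negotiated "
                         "without an integrity check"))
        if "null_enc" in enc:
            findings.append((selector, "error",
                             "null_enc and non_auth both offered: ESP with "
                             "neither encryption nor authentication"))
    return findings


if __name__ == "__main__":
    for selector, severity, message in lint_sainfo(SAMPLE):
        print(f"sainfo {selector}: {severity}: {message}")
```
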