Subject: Re: racoon: algorithm XYZ not supported
To: None <netbsd-help@netbsd.org>
From: David S. <davids@idiom.com>
List: netbsd-help
Date: 02/06/2002 13:17:28
>
> Sorry - I thought maybe it was something more fundamental (like "d'uh,
> you gotta have Foo installed but for $GoodReason the racoon-package
> doesn't say so"). Some debugging information below:
>
FWIW, the configuration file that I've used successfully on NetBSD 1.5.1 and
1.5.2 on sparc is below. It's a bit different from yours.
David S.
# $KAME: racoon.conf.sample,v 1.26 2001/08/16 06:33:40 itojun Exp $
#
# Global racoon settings: search paths, key material location and log level.
#
# "path" affects "include" directive. "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "/etc/racoon" ;
#include "remote.conf" ;
# the file should contain key ID/key pairs, for pre-shared key authentication.
# Security: psk.txt holds the shared secrets in clear text. Keep it owned by
# root with mode 0600 -- racoon refuses a key file that is readable by group
# or other (confirm on this build). Use long, random secrets; a guessable PSK
# is the weakest link of this whole configuration.
path pre_shared_key "/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "/usr/pkg/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
# debug2 is the most verbose level and dumps raw ISAKMP packets/payloads into
# the log. It is appropriate while chasing the "algorithm not supported"
# failure, but treat the resulting log as sensitive and drop back to "notify"
# once the problem is found.
log debug2;
# Padding handling for ISAKMP messages. None of these affect the strength of
# the negotiated keys; they only control how padding bytes are generated and
# checked.
padding
{
maximum_length 20; # maximum padding length, in bytes.
randomize off; # off: fixed-length padding; on: randomize the length.
strict_check off; # off: do not strictly check padding of received packets.
exclusive_tail off; # off: last octet is not reserved for the pad length.
}
# Retransmission and phase timers. These are global defaults; the racoon(8)
# documentation states they can be overridden per remote node.
timer
{
# These value can be changed per remote node.
counter 5; # maximum number of retransmissions of a packet.
interval 20 sec; # maximum interval between retransmissions.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase; a phase that does not finish in
# this time is abandoned.
phase1 30 sec;
phase2 15 sec;
}
# Phase 1 (ISAKMP SA) settings. "anonymous" matches any peer address, so
# every host that can present a matching entry in psk.txt may negotiate
# with this daemon; restrict with per-peer "remote <addr>" sections where
# the peer set is known.
remote anonymous
{
#exchange_mode main,aggressive,base;
# Security: aggressive mode with pre-shared keys sends the identity in the
# clear and hands any peer (or a passive observer) a hash that can be used
# for an offline dictionary attack on the PSK. The first mode listed is the
# one racoon uses as initiator, so this prefers aggressive mode. Prefer
# "main" only unless a peer with a dynamic address forces aggressive mode,
# and then only with a strong random PSK.
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
#my_identifier fqdn "server.kame.net";
#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
nonce_size 16;
# Phase 1 SA lifetime. One minute is fine for debugging but forces a full
# phase 1 re-negotiation every minute in normal operation.
lifetime time 1 min; # sec,min,hour
initial_contact on;
# obey: accept the peer's proposed lifetime/PFS settings as-is. "strict" or
# "claim" enforce the local values instead.
proposal_check obey; # obey, strict or claim
# phase 1 proposal (for ISAKMP SA)
# Only one encryption algorithm is offered here; if the peer does not offer
# blowfish in phase 1 the exchange fails. This may be relevant to the
# "algorithm not supported" error in this thread -- compare with the peer's
# phase 1 proposal.
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key ;
# dh_group 2 is 1024-bit MODP, which is below current recommendations;
# use a larger group (e.g. 14) if both this build and the peer support it.
dh_group 2 ;
}
}
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
# "anonymous" applies to every phase 2 negotiation not matched by a more
# specific sainfo section.
sainfo anonymous
{
# Security: pfs_group 1 is 768-bit MODP, which is too weak for fresh phase 2
# keys. At a minimum match the phase 1 group; prefer a 2048-bit group if
# the peer and this build support it.
pfs_group 1;
# Phase 2 SA lifetime: 36000 sec = 10 hours.
lifetime time 36000 sec;
# Listed in order of preference. Single DES (56-bit) is breakable by brute
# force and should be removed unless a legacy peer requires it; rijndael is
# AES. A peer that supports none of these is one cause of an
# "algorithm not supported" failure.
encryption_algorithm blowfish,rijndael,cast128,3des,des;
# hmac_sha1 is preferred; hmac_md5 is kept only for interoperability.
authentication_algorithm hmac_sha1,hmac_md5;
# IPComp with deflate, used only if the kernel policy asks for compression.
compression_algorithm deflate ;
}