Subject: IPsec tunnel with IKE/racoon
To: None <>
From: Andreas Priebe <>
List: netbsd-users
Date: 08/06/2002 10:56:25

I'm using 1.5.2 wih racoon-20011215a.
I want to build an encrypted tunnel (tunnel between
hosts VPN-A and VPN-B) for connections between hosts
Host-A and Host-B in the following way:

[unencrypted ip traffic]
[encrypted tunnel]
[unencrypted ip traffic]

My /etc/ipsec.conf (on host VPN-A)

spdadd <IP-Host-A> <IP-Host-B> any -P out ipsec esp/tunnel/<IP-VPN-A>-<IP-VPN-B>/require;
spdadd <IP-Host-B> <IP-Host-A> any -P in ipsec esp/tunnel/<IP-VPN-B>-<IP-VPN-A>/require;

My /etc/racoon/racoon.conf (on host VPN-A):

path pre_shared_key "/etc/racoon/psk.txt" ;
log debug;
remote <IP-VPN-B>
        exchange_mode main;
        lifetime time 24 hour ; # sec,min,hour
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        proposal_check obey;
sainfo address <IP-VPN-A> any address <IP-VPN-B> any
        pfs_group modp1024;
        lifetime time 12 hour ;
        encryption_algorithm 3des, des ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;

These parameters are not yet perfect :-), but the main problem is:
I see the packets for Host-B arriving on VPN-A from Host-A, but racoon takes
NO actions (as seen from racoon -d -F) - it should initiate the IKE
dialog with VPN-B via 500/udp, right?

Whats wrong with my setup? The other end is supposed to be a Checkpoint firewall.