Subject: Re: IPSec w. IPv4 Wierdness
To: None <,,>
From: Alex Barclay <>
List: tech-net
Date: 01/01/2001 19:17:16
> I'm going to continue attempting to get racoon working instead of isakmpd
> as it may be a better fit with netbsd.

So I got racoon working. To establish the security policy I did:
#! /bin/sh
route -n add -net
setkey -c << EOF
spdadd any -P out ipsec
spdadd any -P in ipsec

The racoon config was:
# $KAME: racoon.conf.sample,v 1.20 2000/11/03 15:08:03 sakane Exp $

path pre_shared_key "/etc/racoon/psk.txt" ;

remote anonymous
        exchange_mode aggressive;

        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1;

sainfo anonymous
        pfs_group 1;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate;

The psk.txt file is my little secret :-)

This appears to work in both directions correctly for telnet, X11. I'll
let you know in the next couple of weeks how is works for other stuff like
H.323, MGCP and SIP which are my day job.

As I had already said the other end of this is a Cisco 2600 running
IOS 12.0.7 single DES

This also appears to be reproducable. I can clear the routes and SPD
entries and restart them a number of times.

I'd like to thank the kame folks for a great job.