Subject: "racoon" doesn't initiate quick mode
To: None <tech-net@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-net
Date: 09/05/2005 22:05:19
	Hello,

I've got a VPN client running ipsec-tools 0.6.1 under NetBSD 3.0_BETA.
When the DSL link goes up it creates and loads a "ipsec.conf" like
this one:

spdadd 10.0.0.0/24 10.0.24.0/23 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.0.24.0/23 10.0.0.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;

10.0.0.0/24	local protected network
5.6.7.8		local public dynamically assigned IP address

10.0.24.0/23	remote protected network
1.2.3.4		remote public fixed IP address used by VPN peer

"racoon" is configured like this:

path pre_shared_key "/etc/racoon/psk.txt";

listen {
	adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
	isakmp 0.0.0.0 [500];
	isakmp_natt 0.0.0.0 [4500];
}

remote 1.2.3.4 {
	exchange_mode aggressive;
	my_identifier user_fqdn "foobar@domain.com";
	peers_identifier address 1.2.3.4;
	proposal_check obey;
	passive off;
	nat_traversal on;
	proposal {
		authentication_method pre_shared_key;
		encryption_algorithm aes;
		hash_algorithm sha256;
		dh_group 2;
		lifetime time 24 hours;
	}
}

sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
	lifetime time 1 hours;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

Things which don't work:

1.) Phase 1 is not started when traffic is sent between the protected
    networks. The admin of the VPN client has to use "racoonctl vc 5.6.7.8"
    to start the phase 1 negotiation.

2.) After phase 1 is completed he's got a similar problem: the client
    doesn't start phase 2 negotiation. I have to create a policy on the
    VPN server (which is supposed to use racoon's policy generation feature)
    to get phase 2 started. Phase 2 completed successfully afterwards and
    we can exchange traffic.

Any ideas what is going wrong?

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/
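An added diagnostic, not part of the post above and not code from ipsec-tools: racoon keys its "remote" block on the far tunnel endpoint of the SPD policy and picks the "sainfo" block by the selectors the kernel reports in its SADB_ACQUIRE, so an SPD entry whose gateway or selectors have no exact counterpart in racoon.conf will never trigger a negotiation. The script below parses spdadd lines and the remote/sainfo headers of a racoon.conf and reports any such mismatch; the SPD and config text embedded in it are constructed from the addresses in the post. It assumes exact selector matching (the behaviour of the 0.6.x sainfo lookup as far as I know; treat that as an assumption) and only handles the esp/tunnel form shown in the post.

```python
import ipaddress
import re

# Constructed sample input, copied from the addresses in the post above.
SPD = """\
spdadd 10.0.0.0/24 10.0.24.0/23 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 10.0.24.0/23 10.0.0.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
"""

RACOON_CONF = """\
remote 1.2.3.4 {
    exchange_mode aggressive;
    passive off;
}
sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
    encryption_algorithm aes;
}
"""

# spdadd <src> <dst> <ul_proto> -P <dir> ipsec esp/tunnel/<gw_src>-<gw_dst>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+?)-(\S+?)/(\w+)\s*;"
)
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
# sainfo address <addr> <ul_proto> address <addr> <ul_proto> {
SAINFO_RE = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+(\S+)\s+address\s+(\S+)\s+(\S+)\s*\{", re.M
)


def parse_spd(text):
    """Return one dict per tunnel-mode spdadd line."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, ulp, direction, gw_src, gw_dst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "ulp": ulp, "dir": direction, "level": level,
            "gw_src": ipaddress.ip_address(gw_src),
            "gw_dst": ipaddress.ip_address(gw_dst),
        })
    return policies


def parse_racoon(text):
    """Return (set of remote peer addresses, list of sainfo selector tuples)."""
    remotes = {ipaddress.ip_address(a) for a in REMOTE_RE.findall(text)
               if a != "anonymous"}
    sainfos = [(ipaddress.ip_network(s), sp, ipaddress.ip_network(d), dp)
               for s, sp, d, dp in SAINFO_RE.findall(text)]
    return remotes, sainfos


def peers(spd_text):
    """Far tunnel endpoints of the outbound policies: the addresses racoon's
    remote blocks are keyed on (and the argument racoonctl vc expects)."""
    return sorted({str(p["gw_dst"]) for p in parse_spd(spd_text)
                   if p["dir"] == "out"})


def check(spd_text, racoon_text):
    """Cross-check SPD against racoon.conf; returns a list of findings
    (empty list means every policy has a matching remote and sainfo)."""
    policies = parse_spd(spd_text)
    remotes, sainfos = parse_racoon(racoon_text)
    findings = []
    outbound = [p for p in policies if p["dir"] == "out"]
    for p in outbound:
        tag = f"out {p['src']}->{p['dst']}"
        if p["gw_dst"] not in remotes:
            findings.append(f"{tag}: no 'remote {p['gw_dst']}' block")
        if not any(s == p["src"] and d == p["dst"]
                   and sp in ("any", p["ulp"]) and dp in ("any", p["ulp"])
                   for s, sp, d, dp in sainfos):
            findings.append(f"{tag}: no sainfo with exactly these selectors")
    for p in policies:
        if p["dir"] != "in":
            continue
        mirrored = any(o["src"] == p["dst"] and o["dst"] == p["src"]
                       and o["gw_src"] == p["gw_dst"] and o["gw_dst"] == p["gw_src"]
                       for o in outbound)
        if not mirrored:
            findings.append(f"in {p['src']}->{p['dst']}: no mirrored out policy")
    return findings


if __name__ == "__main__":
    for line in check(SPD, RACOON_CONF) or ["SPD and racoon.conf are consistent"]:
        print(line)
    print("peers:", peers(SPD))
```

Run against the post's own addresses it reports no mismatch, which at least rules out the simplest explanation (a prefix length or gateway typo); narrowing a sainfo to 10.0.24.0/24, for instance, is reported immediately. The peer address it prints is the one the remote block is keyed on.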