Subject: Re: "racoon" doesn't initiate quick mode
To: None <tech-net@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-net
Date: 09/12/2005 10:16:12
On Sun, Sep 11, 2005 at 07:32:05PM -0400, Stephen Degler wrote:
> 1) Since the VPN client is dynamic you need to generate policy 
> dynamically on the client side.

Yes, of course. But that is not the issue because during our tests the
IP address of the dynamic client didn't change.

> 2) you want to change
> 
> sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
> 	lifetime time 1 hours;
> 	encryption_algorithm aes;
> 	authentication_algorithm hmac_sha1;
> 	compression_algorithm deflate;
> }
> 
> to be the *external* addresses of the tunnel.

I don't think so. "sainfo" defines the phase 2 ID payloads. And these
must contain the IP addresses you want to tunnel which are not the
external addresses.

> To deal with the dynamic aspect, you may want to just use "sainfo anonymous".

We've tried that first and it didn't work.

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/
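For readers following the sainfo debate above, here is an added configuration sketch (not from this thread, not racoon's own documentation) showing the distinction the reply makes: the phase 2 identities in "sainfo" and the SPD selectors name the inner networks being tunnelled, while only the ESP tunnel endpoints in the policy carry the external addresses. The external addresses 192.0.2.1 and 198.51.100.2 are constructed placeholders; the inner prefixes are the ones from the quoted message.

```conf
# racoon.conf fragment (added example, assumptions marked).
# Phase 1: the remote peer is identified by its *external* address.
# 198.51.100.2 is a placeholder for the peer's public address.
remote 198.51.100.2 {
	exchange_mode main;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

# Phase 2: the ID payloads describe the *inner* networks that will be
# tunnelled, not the tunnel endpoints. These selectors must match the
# SPD entries installed with setkey(8) below.
sainfo address 10.0.0.0/24 any address 10.0.24.0/23 any {
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# Matching SPD policy, as fed to "setkey -f" (shown here as a comment so
# the example stays a single file). Selectors are the inner prefixes;
# only the esp/tunnel/ part names the external endpoints, where
# 192.0.2.1 is a placeholder for this host's public address.
#
#   spdadd 10.0.0.0/24 10.0.24.0/23 any -P out ipsec
#       esp/tunnel/192.0.2.1-198.51.100.2/require;
#   spdadd 10.0.24.0/23 10.0.0.0/24 any -P in ipsec
#       esp/tunnel/198.51.100.2-192.0.2.1/require;
```

If the sainfo selectors and the SPD selectors disagree (for example, sainfo written with the external addresses while the SPD uses the inner prefixes), racoon cannot find a matching sainfo when the kernel requests an SA for the policy, and quick mode is never initiated; comparing the two side by side is the first check to make when phase 1 completes but no phase 2 follows.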