Subject: Re: racoon: algorithm XYZ not supported
To: None <netbsd-help@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: netbsd-help
Date: 02/06/2002 15:45:02
--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

"David S." <davids@idiom.com> wrote:

> > What gives?
> 
> Kind of hard to tell without seeing your configuration file and error
> logs.

Sorry - I thought maybe it was something more fundamental (like "d'uh,
you gotta have Foo installed but for $GoodReason the racoon-package
doesn't say so").  Some debugging information below:

# uname -a
NetBSD kilkenny.cs.stevens-tech.edu 1.5.1_ALPHA NetBSD 1.5.1_ALPHA
(IRISH) #1: Wed Feb  6 14:21:46 EST 2002
root@st-ides.cs.stevens-tech.edu:/usr/src/sys/arch/sparc/compile/IRISH
sparc
# /usr/pkg/sbin/racoon -F
Foreground mode.
2002-02-06 15:43:03: INFO: main.c:153:main(): @(#)racoon 20001216
sakane@ydc.co.jp
2002-02-06 15:43:03: INFO: main.c:154:main(): @(#)This product linked
software developed by the OpenSSL Project for use in the OpenSSL
Toolkit. (http://www.openssl.org/)
2002-02-06 15:43:03: ERROR: pfkey.c:2078:pk_checkalg(): Must get
supported algorithms list first.
2002-02-06 15:43:03: ERROR: cftoken.l:477:yyerror():
/etc/racoon/racoon.conf:56: "," algorithm BLOWFISH not supported
2002-02-06 15:43:03: ERROR: cfparse.y:1570:cfparse(): fatal parse
failure (1 errors)
2002-02-06 15:43:03: ERROR: main.c:169:main(): failed to parse
configuration file.
#

-Jan

-- 
finger jschauma@netmeister.org

--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="racoon.conf"

# $KAME: racoon.conf.sample,v 1.22 2000/12/19 08:07:33 sakane Exp $

# "path" affects the "include" directive.  "path" must be specified before any
# "include" directive that uses a relative file path.
# You can override a "path" directive later in the file; however, doing so
# may cause confusion.
#path include "/etc/racoon" ;
#include "remote.conf" ;

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/etc/racoon/psk.txt" ;

# racoon looks for the certificate file in this directory
# when a certificate or certificate-request payload is received.
#path certificate "/usr/pkg/certs" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

remote anonymous
{
	#exchange_mode main,aggressive,base;
	exchange_mode aggressive,main,base;

	#my_identifier fqdn "server.kame.net";
	#certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

	lifetime time 24 hour ;	# sec,min,hour

	#initial_contact off

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key ;
		dh_group 2 ;
	}

	# this setting makes racoon (as a responder) obey the
	# initiator's lifetime and PFS group proposal.
	# this makes testing much easier.
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# the actual phase 2 proposal is derived from the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms listed below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 6 hour ;
	lifetime byte 500 MB ;
	encryption_algorithm blowfish, rijndael, 3des ;
	authentication_algorithm non_auth ;
	compression_algorithm deflate ;
}

--Q68bSM7Ycu6FN28Q--