Connecting the Openswan IPsec implementation to the Racoon IPsec implementation using X.509 certificates (GRE traffic protected in IPsec transport mode)
Racoon side
racoon.conf
# Racoon (IKEv1) configuration for a certificate-authenticated, transport-mode
# SA that protects GRE traffic between this host (89.x.x.x) and the Openswan
# peer (46.x.x.x).  Reconstructed one directive per line from the collapsed
# original; directive values are unchanged.

# Where racoon looks for pre-shared keys and for X.509 material (the
# certificate, key and CA files named in the "remote" block below are
# resolved relative to the "certificate" path).  The PSK file is not used
# by this peer (authentication_method is rsasig) but should still be
# readable only by root.
path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs";
log info;

# Bind IKE only to the intended public address: UDP 500 for plain IKE,
# UDP 4500 for NAT-Traversal.
listen {
	isakmp 89.x.x.x [500];
	isakmp_natt 89.x.x.x [4500];
}

# ISAKMP message padding options (see racoon.conf(5) for each knob).
# strict_check off relaxes validation of the peer's padding; the author
# presumably needed this for interoperability -- confirm before copying.
padding {
	maximum_length 20;
	randomize on;
	strict_check off;
	exclusive_tail off;
}

# NAT-T keepalive interval, only relevant when a NAT sits between the peers.
timer {
	natt_keepalive 5 sec;
}

# Phase 1 (IKE SA) settings for the Openswan peer.
remote 46.x.x.x [500] {
	# Main mode (identity protection); matches aggrmode=no on the Openswan side.
	exchange_mode main;
	# Check the peer's lifetime/PFS proposals against the local settings
	# instead of simply accepting them (see racoon.conf(5) for the exact rule).
	proposal_check strict;
	# Both peers identify themselves by certificate DN, matching Openswan's
	# DN-based leftid / rightid=%fromcert.
	my_identifier asn1dn;
	peers_identifier asn1dn;
	# IKE SA lifetime; matches ikelifetime=3600s on the Openswan side.
	lifetime time 1 hour;
	# Our own certificate and private key (A.crt is what Openswan references
	# as rightcert).
	certificate_type x509 "A.crt" "A.key";
	# The peer's certificate is supplied locally rather than taken from the
	# exchange, which is why send_cert/send_cr can be off below.
	peers_certfile x509 "B.crt";
	# CA used to validate the peer certificate; verify_cert on keeps that
	# validation enabled -- do not turn it off to "make it work".
	ca_type x509 "ca.crt";
	verify_cert on;
	# Neither our certificate nor a certificate request is sent in-band; both
	# sides already hold each other's certificate.
	send_cert off;
	send_cr off;
	proposal {
		encryption_algorithm aes 256;
		# SHA-1 for IKE integrity/PRF; dated -- move to a SHA-2 variant if
		# both implementations in use support it.
		hash_algorithm sha1;
		authentication_method rsasig;
		# Must match the modp group in Openswan's ike= line.
		dh_group modp4096;
	}
}

# Phase 2 (IPsec SA): only GRE (IP protocol 47) between the two host
# addresses is covered; matches leftprotoport=gre / rightprotoport=gre.
sainfo (address 89.x.x.x gre address 46.x.x.x gre) {
	# PFS group must match the group in Openswan's phase2alg= line (pfs=yes there).
	pfs_group modp4096;
	# Matches keylife=3600s on the Openswan side.
	lifetime time 1 hour;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	# NOTE(review): deflate (IPComp) is still offered here while compress=yes
	# is commented out as "Doesn't work" on the Openswan side; consider
	# aligning the two sides so the proposals are symmetric.
	compression_algorithm deflate;
}
Openswan side
ipsec.conf
...
# Openswan connection to the Racoon peer: transport-mode ESP for GRE between
# 46.x.x.x ("left", this host) and 89.x.x.x ("right", the Racoon host),
# authenticated with X.509 RSA signatures.  Reconstructed one directive per
# line from the collapsed original; values are unchanged.  The leading "..."
# marks configuration omitted from the original page (e.g. the config setup
# section and, presumably, a leftcert= entry -- confirm in the full file).
conn otherSide
	# Host-to-host transport mode, matching Racoon's host-address sainfo.
	type=transport
	left=46.x.x.x
	# Local identity is the DN of our own certificate (DN redacted by the author).
	leftid="C=DE, ......"
	# Only GRE (IP protocol 47) traffic is protected by this SA.
	leftprotoport=gre
	right=89.x.x.x
	# Peer identity is taken from the DN of the certificate named in rightcert=.
	rightid=%fromcert
	rightprotoport=gre
	# The peer's certificate is supplied locally (A.crt is Racoon's own cert,
	# see certificate_type on that side); the peer's public key comes from it.
	rightcert=A.crt
	rightrsasigkey=%cert
	# Main mode, matching exchange_mode main on the Racoon side.
	aggrmode=no
	phase2=esp
	# Phase 1 / phase 2 algorithms and DH group; both must match Racoon's
	# proposal / sainfo blocks (aes 256, sha1, modp4096).  SHA-1 is dated --
	# prefer a SHA-2 variant if both sides support it.
	ike=aes256-sha1;modp4096
	phase2alg=aes256-sha1;modp4096
	# Keep the post-decapsulation plausibility check enabled (see ipsec.conf(5)).
	disablearrivalcheck=no
	# Lifetimes match Racoon's "lifetime time 1 hour" in remote and sainfo.
	ikelifetime=3600s
	keylife=3600s
	# IPComp left disabled by the author ("Doesn't work" against this peer);
	# note that Racoon still lists compression_algorithm deflate in its sainfo.
	#####compress=yes
	authby=rsasig
	# PFS on; the group is the modp4096 from phase2alg=, matching pfs_group.
	pfs=yes
	# rekey=no was tried and left disabled by the author.
	####rekey=no
	# auto=start appears twice in the original; the duplicate is harmless.
	auto=start
	auto=start