Connecting Openswan ipsec implementation to Racoon ipsec implementation using X509 certs (GRE transport encapsulation)
Racoon side
racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk";
path certificate "/usr/local/etc/racoon/certs";
log info;
listen {
isakmp 89.x.x.x [500];
isakmp_natt 89.x.x.x [4500];
}
padding {
maximum_length 20;
randomize on;
strict_check off;
exclusive_tail off;
}
timer {
natt_keepalive 5 sec;
}
remote 46.x.x.x [500] {
exchange_mode main;
proposal_check strict;
my_identifier asn1dn;
peers_identifier asn1dn;
lifetime time 1 hour;
certificate_type x509 "A.crt" "A.key";
peers_certfile x509 "B.crt";
ca_type x509 "ca.crt";
verify_cert on;
send_cert off;
send_cr off;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
}
sainfo (address 89.x.x.x gre address 46.x.x.x gre) {
pfs_group modp4096;
lifetime time 1 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
Openswan side
ipsec.conf
... conn otherSide type=transport left=46.x.x.x leftid="C=DE, ......" leftprotoport=gre right=89.x.x.x rightid=%fromcert rightprotoport=gre rightcert=A.crt rightrsasigkey=%cert aggrmode=no phase2=esp ike=aes256-sha1;modp4096 phase2alg=aes256-sha1;modp4096 disablearrivalcheck=no ikelifetime=3600s keylife=3600s ## Doesn't work #####compress=yes authby=rsasig pfs=yes ## ####rekey=no auto=start auto=start
