Connecting the Openswan IPsec implementation to the Racoon IPsec implementation using X.509 certificates (ESP in transport mode protecting GRE between two public addresses)

Racoon side

racoon.conf

# Pre-shared keys are not used by the rsasig profile below; the path is kept
# so the file still parses if a PSK peer is added later.
path    pre_shared_key  "/usr/local/etc/racoon/psk";
# A.crt, A.key, B.crt and ca.crt below are resolved relative to this directory.
# A.key is the host's private key: keep it owned by root with mode 0600.
path    certificate     "/usr/local/etc/racoon/certs";
# "info" is adequate for production; the debug levels are far more verbose.
log     info;

# Bind ISAKMP only to this host's public address, not to every interface.
listen {
	isakmp          89.x.x.x [500];
	# UDP/4500 is the NAT-T port. Both peers have public addresses and the
	# remote block below does not enable nat_traversal, so this listener
	# is only needed if NAT-T is turned on later.
	isakmp_natt     89.x.x.x [4500];
}

# ISAKMP padding behaviour; these are the usual racoon defaults.
padding {
	maximum_length  20;
	# Randomised padding bytes on our own packets.
	randomize       on;
	# off: the content of the peer's padding bytes is not validated.
	strict_check    off;
	exclusive_tail  off;
}

timer {
	# Interval for NAT-T keepalives; only relevant once nat_traversal is enabled.
	natt_keepalive   5 sec;
}

# Phase 1 (ISAKMP) profile for the Openswan peer.
remote 46.x.x.x [500] {
	# Main mode: identities are exchanged encrypted after the DH exchange.
	# This must match aggrmode=no on the Openswan side.
	exchange_mode           main;
	# strict: a peer proposal with a longer lifetime than ours, or a PFS
	# group we did not configure, is rejected instead of silently adopted.
	proposal_check          strict;
	# No literal DN is given, so racoon takes both identifiers from the
	# Subject of the respective certificate.
	my_identifier           asn1dn;
	peers_identifier        asn1dn;
	# NOTE(review): verify_identifier defaults to off, so the ID payload the
	# peer sends is not compared against peers_identifier. Consider adding
	# "verify_identifier on;" after confirming the DN match still succeeds.
	# Matches ikelifetime=3600s on the Openswan side.
	lifetime                time 1 hour;
	# This host's own certificate and private key (see "path certificate").
	certificate_type        x509 "A.crt" "A.key";
	# Per racoon.conf(5), the peer's certificate is taken from this file and
	# any CERT payload the peer sends is ignored: the peer is pinned to
	# exactly B.crt, not merely to "any certificate signed by ca.crt".
	peers_certfile          x509 "B.crt";
	# B.crt is still chain-validated against ca.crt because verify_cert is on.
	ca_type                 x509 "ca.crt";
	verify_cert             on;
	# Neither CERT nor CERTREQ is sent, so the Openswan side has to hold this
	# host's certificate locally (it does: rightcert=A.crt there).
	send_cert               off;
	send_cr                 off;

	proposal {
		# Must agree with ike=aes256-sha1;modp4096 on the Openswan side.
		# sha1 here is the Phase 1 PRF/hash; sha256 is preferable where
		# both ends support it.
		encryption_algorithm    aes 256;
		hash_algorithm          sha1;
		authentication_method   rsasig;
		dh_group                modp4096;
	}
}

# Phase 2 (IPsec SA) parameters, restricted to GRE between the two endpoints;
# this mirrors leftprotoport/rightprotoport=gre on the Openswan side.
sainfo (address 89.x.x.x gre address 46.x.x.x gre) {
	# Must match phase2alg=...;modp4096 together with pfs=yes on the peer.
	pfs_group                       modp4096;
	# Matches keylife=3600s on the Openswan side.
	lifetime                        time 1 hour;
	encryption_algorithm            aes 256;
	# HMAC-SHA1 remains acceptable for integrity use. Before switching to
	# hmac_sha256, check the truncation length on both ends (96-bit in older
	# racoon/Linux vs 128-bit per RFC 4868): a mismatch can yield an SA that
	# establishes but passes no traffic.
	authentication_algorithm        hmac_sha1;
	# NOTE(review): deflate (IPComp) is still proposed here although compress=yes
	# is disabled as non-working on the Openswan side. If the SA comes up, the
	# peer simply declined IPComp; if it does not, drop this line.
	compression_algorithm           deflate;
}

Openswan side

ipsec.conf

...
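conn otherSide
  # ESP in transport mode protecting GRE between the two public addresses;
  # the GRE interfaces themselves are not shown on this page.
  type=transport
  left=46.x.x.x
  leftid="C=DE, ......"
  leftprotoport=gre
  right=89.x.x.x
  # The peer's identity is read from the Subject of rightcert. The certificate
  # is held locally because the racoon side sends neither CERT nor CERTREQ
  # (send_cert off / send_cr off), and %cert takes the peer's key from it.
  rightid=%fromcert
  rightprotoport=gre
  rightcert=A.crt
  rightrsasigkey=%cert
  # NOTE(review): no leftcert is set in this conn. Unless it is inherited from
  # conn %default (elided above), add leftcert=<this host's certificate> so
  # Openswan can sign Phase 1 with its own key.
  # Main mode only; matches exchange_mode main on the racoon side.
  aggrmode=no
  phase2=esp
  # Must agree with racoon's Phase 1 proposal and sainfo (aes 256 / sha1 / modp4096).
  ike=aes256-sha1;modp4096
  phase2alg=aes256-sha1;modp4096
  # Keep the tunnel-exit plausibility check enabled (no reason to disable it here).
  disablearrivalcheck=no
  # Both lifetimes match "time 1 hour" on the racoon side.
  ikelifetime=3600s
  keylife=3600s
  # IPComp did not negotiate against racoon's deflate proposal; left disabled.
  #compress=yes
  authby=rsasig
  pfs=yes
  # Rekeying is left at the default (enabled).
  #rekey=no
  # auto=start was listed twice in the original; once is enough.
  auto=start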