[CentOS] OT: Racoon with virtual ip (roadwarrior client)

Thu May 24 17:53:03 UTC 2007
mike.redan at bell.ca <mike.redan at bell.ca>

Could you also send along how you are starting up racoon, and any error
messages you are getting on the command line, and in the log files?
(make sure you are starting with verbose/debug at full so you can see
exactly what is going on)

(some comments embedded)


> > Would you be able to post your racoon configuration, maybe which version
> > of ipsec-tools you are using, and maybe some error messages?
> >
> > It can be pretty easy to make little mistakes which will make this not
> > work.
> >
> > Cheers,
> > Mike
>
> 192.168.2.1 needs to be my virtual ip to connect to the internal customer
> network. 172.25.50.28 is my laptop's ip that I use on my job's network.
> I am using CentOS 5 and ipsec-tools version 0.6.5-8.el5. I have tried to
> use the dummy driver to assign me the 192.168.2.1 virtual ip without luck.
>

You can do something like:
ifconfig eth0:0 add 192.168.2.1



> 
> My racoon.conf:
> 
> path certificate "/etc/racoon/certs";
> 
> listen
> {
>      adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
> }
> 
> remote 1.1.1.1
> {
>      exchange_mode main;

If you are set up as a 'road warrior' then you would want exchange_mode
aggressive, not main.

>      certificate_type x509 "user.pem" "user.key";
>      verify_cert on;
>      my_identifier asn1dn;
>      peers_identifier fqdn "fwcust.domain.com";
>      ca_type x509 "custca.pem";
>      verify_identifier on;
>      proposal_check obey;
>      nat_traversal on;
>      proposal {
>          encryption_algorithm 3des;
>          hash_algorithm sha1;
>          authentication_method rsasig;
>          dh_group 2;
>      }
> }
> 
> sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any
> {
>      pfs_group 2;
>      lifetime time 12 hour;
>      encryption_algorithm aes;
>      authentication_algorithm hmac_sha256;
>      compression_algorithm deflate;
> }
> 
> sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any
> {
>      pfs_group 2;
>      lifetime time 12 hour;
>      encryption_algorithm aes;
>      authentication_algorithm hmac_sha256;
>      compression_algorithm deflate;
> }
> sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any
> {
>      pfs_group 2;
>      lifetime time 12 hour;
>      encryption_algorithm aes;
>      authentication_algorithm hmac_sha256;
>      compression_algorithm deflate ;
> }
> 
> sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any
> {
>      pfs_group 2;
>      lifetime time 12 hour;
>      encryption_algorithm 3des;
>      authentication_algorithm hmac_sha256;
>      compression_algorithm deflate;
> }
> 
> --
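Two of the points raised in this thread can be checked statically before racoon is even started with full debug: whether the remote block uses exchange_mode main, and whether the paired sainfo blocks (A -> B and B -> A) actually agree on their algorithms. The configuration quoted above has one such asymmetry: the 172.25.50.28/32 -> 1.1.1.1/32 block uses aes while the reverse block uses 3des. The following POSIX shell checker is an added example written for this page; it is not part of the list post and not a tool shipped with ipsec-tools. It assumes the racoon.conf layout shown in the post (one directive per line, a trailing semicolon, no nested blocks inside sainfo), and the sample it writes is a trimmed copy of the posted configuration. The function names are mine.

```shell
#!/bin/sh
# Added example: static sanity checks for a racoon.conf in the shape shown
# in the thread. Assumes one "directive value;" per line and that sainfo
# blocks contain no nested blocks. Not a substitute for racoon -d output.

# Write a trimmed copy of the configuration quoted in the thread to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
remote 1.1.1.1
{
     exchange_mode main;
     nat_traversal on;
     proposal {
         encryption_algorithm 3des;
         hash_algorithm sha1;
         authentication_method rsasig;
         dh_group 2;
     }
}

sainfo address 192.168.2.1/32 any address 172.17.47.0/27 any
{
     encryption_algorithm aes;
     authentication_algorithm hmac_sha256;
}

sainfo address 172.17.47.0/27 any address 192.168.2.1/32 any
{
     encryption_algorithm aes;
     authentication_algorithm hmac_sha256;
}

sainfo address 172.25.50.28/32 any address 1.1.1.1/32 any
{
     encryption_algorithm aes;
     authentication_algorithm hmac_sha256;
}

sainfo address 1.1.1.1/32 any address 172.25.50.28/32 any
{
     encryption_algorithm 3des;
     authentication_algorithm hmac_sha256;
}
EOF
}

# Print "<peer> <exchange_mode>" for every remote block in $1.
# Brace depth is tracked so the nested proposal { } does not end the block early.
racoon_exchange_modes() {
    awk '
        /^[[:space:]]*remote[[:space:]]/ { peer = $2; inremote = 1; depth = 0; opened = 0 }
        inremote && /^[[:space:]]*exchange_mode[[:space:]]/ { v = $2; sub(/;.*/, "", v); print peer, v }
        {
            o = gsub(/[{]/, "{"); c = gsub(/[}]/, "}")
            depth += o - c
            if (o > 0) opened = 1
            if (inremote && opened && depth == 0) inremote = 0
        }
    ' "$1"
}

# For each sainfo pair (A -> B and B -> A) report differing algorithms.
racoon_sainfo_mismatches() {
    awk '
        /^[[:space:]]*sainfo[[:space:]]/ { key = $3 "|" $6; insa = 1; next }
        insa && /encryption_algorithm/     { v = $2; sub(/;.*/, "", v); enc[key] = v }
        insa && /authentication_algorithm/ { v = $2; sub(/;.*/, "", v); auth[key] = v }
        insa && /^[[:space:]]*}/           { insa = 0 }
        END {
            for (k in enc) {
                split(k, p, "|"); r = p[2] "|" p[1]
                # p[1] < p[2] reports each pair exactly once
                if ((r in enc) && p[1] < p[2] && (enc[k] != enc[r] || auth[k] != auth[r]))
                    printf "MISMATCH %s <-> %s: %s/%s vs %s/%s\n", p[1], p[2], enc[k], auth[k], enc[r], auth[r]
            }
        }
    ' "$1"
}

# Combined check: prints findings and returns 1 if there are any, 0 otherwise.
racoon_roadwarrior_check() {
    findings=$(
        racoon_exchange_modes "$1" | awk '$2 == "main" {
            print "WARN remote " $1 " uses exchange_mode main; the thread suggests aggressive for a road warrior" }'
        racoon_sainfo_mismatches "$1"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh racoon_check.sh /etc/racoon/racoon.conf
if [ "$#" -gt 0 ]; then
    racoon_roadwarrior_check "$1"
fi
```

The checker is deliberately text-only: it does not touch interfaces, so the virtual-ip alias still has to be brought up separately and racoon still has to be started with full debug to see the live negotiation. A non-zero exit from racoon_roadwarrior_check means the file has at least one of the two problems above; the MISMATCH line names both directions of the pair so the asymmetric sainfo block can be found quickly.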