This document is derived from the KAME racoon FAQ. Some answers do not apply to ipsec-tools (they are obsolete or not up to date). They are tagged [KAME] Q: With what other IKE/IPsec implementation racoon is known to be interoperable? A: [KAME] See "IMPLEMENTATION" document supplied with KAME kit, or: http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION As we have tested/got test reports in the past, and our end and the other end may have changed their implemenations, we are not sure if we can interoperate with them today (we hope them to interoperate, but we are not sure). Also note that, IKE interoperability highly depends on configuration on both ends. You must configure both ends exactly the same. Q: How can I make racoon interoperate with ? A: Configure both ends exactly the same. With just a tiny little differnce, you will be in trouble. Q: How to build racoon on my platform? A: As usual: configure && make && make install ipsec-tools is also available as a package in the NetBSD pkgsrc Q: Describe me the options to "configure". A: --enable-adminport: Lets racoon to listen to racoon admin port, which is to be contacted by racoonctl(8). --enable-natt: Enable NAT-Traversal. This needs kernel support, which is available on Linux. On NetBSD, NAT-Traversal kernel support has not been integrated yet, you can get it from here: http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff If you live in a country where software patents are legal, using NAT-Traversal might infringe a patent. --enable-broken-natt: When ipsec-tools is built with --enable-natt, racoon sets IKE ports in SAD and SPD so that the kernel is able to ditinguish peers hidden behind the same NAT. Some kernel will not cope with that ports. Use that option to force the ports to 0 in SAD ans SPD. Of course this means that you cannot have multiple peers behind the same NAT. --enable-frag: Enable IKE fragmentation, which is a workaround for broken routers that drop fragmented packets --enable-hybrid: Enable hybrid authentication, and ISAKMP mode config and Xauth as well. Note that plain Xauth (without hybrid auth) is not implemented. --with-libradius: Enable the use of RADIUS with hybrid authentication on the server side. RADIUS is used for authentication, configuration and accounting. --with-libpam: Enable the use of PAM with hybrid authentication on the server side. PAM can be used for authentication and accounting. --enable-gssapi: Enable GSS-API, for Kerberos V support. --enable-stats: Enable statistics logging function. --enable-samode-unspec: Enable to use unspecified a mode of SA. --enable-ipv6: Enable IPv6 support. --with-kernel-headers: Supply the location of Linux kernel headers. --with-readline: Support readline input (yes by default). --with-openssl: Specify OpenSSL directory. --sysconfdir: Where racoon config file goes. Default is /etc, which means that racoon will look for /etc/racoon.conf --localstatedir: Where is the directory where racoon stores the control socket (when using --enable-adminport). Default is /var, which means racoon will use /var/racoon/racoon.sock --prefix: Where racoon gets installed. Q: How can I get help? A: Always identify your operating system platforms, the versions you are using (like "ipsec-tools-0.5"), and information to repeat the problem. The more revelant information you supply, the better your chances of getting help are. Useful informations include, depending of the problem: - version identification - trace from racoon, taken by "racoon -d 0xffffffff" (maximum debug level) - configuration file you are using - probabaly, tcpdump trace http://orange.kame.net/dev/send-pr.html has the guideline. If your question is not confidential, send your questions to: If your question is confidential, send your questions to: Q: Other documents to look at? A: http://www.netbsd.org/Documentation/network/ipsec/ http://www.kame.net/ http://www.kame.net/newsletter/