[apple/ipsec.git] / ipsec-tools / racoon / Documents / FAQ

This document is derived from the KAME racoon FAQ. Some answers do not
apply to ipsec-tools (they are obsolete or not up to date). They are
tagged [KAME]

Q: With what other IKE/IPsec implementation racoon is known to be interoperable?

A: [KAME]
	See "IMPLEMENTATION" document supplied with KAME kit, or:
	http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
	As we have tested/got test reports in the past, and our end and
	the other end may have changed their implemenations, we are not sure
	if we can interoperate with them today (we hope them to interoperate,
	but we are not sure).
	Also note that, IKE interoperability highly depends on configuration
	on both ends.  You must configure both ends exactly the same.

Q: How can I make racoon interoperate with <IKE/IPsec implementation>?

A:
	Configure both ends exactly the same.  With just a tiny little
	differnce, you will be in trouble.

Q: How to build racoon on my platform?

A: 
	As usual: configure && make && make install
	ipsec-tools is also available as a package in the NetBSD pkgsrc

Q: Describe me the options to "configure".

A:
	--enable-adminport:
		Lets racoon to listen to racoon admin port, which is to
		be contacted by racoonctl(8).
	--enable-natt:
		Enable NAT-Traversal. This needs kernel support, which is
		available on Linux. On NetBSD, NAT-Traversal kernel support
		has not been integrated yet, you can get it from here:
		http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
		If you live in a country where software patents are legal,
		using NAT-Traversal might infringe a patent. 
	--enable-frag:
		Enable IKE fragmentation, which is a workaround for 
		broken routers that drop fragmented packets
	--enable-hybrid:
		Enable hybrid authentication, and ISAKMP mode config and
		Xauth as well. Note that plain Xauth (without hybrid auth)
		is not implemented.
	--with-libradius:
		Enable the use of RADIUS with hybrid authentication on the
		server side. RADIUS is used for authentication, configuration
		and accounting.
	--with-libpam:
		Enable the use of PAM with hybrid authentication on the 
		server side. PAM can be used for authentication and accounting.
	--enable-gssapi:
		Enable GSS-API, for Kerberos V support.
	--enable-stats:	
		Enable statistics logging function.
	--enable-samode-unspec:	
		Enable to use unspecified a mode of SA.
	--enable-ipv6:
		Enable IPv6 support.
	--with-kernel-headers:
		Supply the location of Linux kernel headers.
	--with-readline:
		Support readline input (yes by default).
	--with-openssl:
		Specify OpenSSL directory.
	--sysconfdir:
		Where racoon config file goes. Default is /etc, which means
		that racoon will look for /etc/racoon.conf
	--localstatedir:
		Where is the directory where racoon stores the control socket
		(when using --enable-adminport). Default is /var, which 
		means racoon will use /var/racoon/racoon.sock
	--prefix:
		Where racoon gets installed. 

Q: How can I get help?

A: 
	Always identify your operating system platforms, the versions you are
	using (like "ipsec-tools-0.5"), and information to repeat the
	problem.  The more revelant information you supply, the better your 
	chances of getting help are. Useful informations include, depending
	of the problem: 
	- version identification
	- trace from racoon, taken by "racoon -d 0xffffffff"
		(maximum debug level)
	- configuration file you are using
	- probabaly, tcpdump trace
	http://orange.kame.net/dev/send-pr.html has the guideline.

	If your question is not confidential, send your questions to:
	<ipsec-tools-devel@lists.sourceforge.net>

	If your question is confidential, send your questions to:
	<ipsec-tools-core@lists.sourceforge.net>

Q: Other documents to look at?

A:
	http://www.netbsd.org/Documentation/network/ipsec/
	http://www.kame.net/
	http://www.kame.net/newsletter/
Commit	Line	Data
52b7d2ce A	1	This document is derived from the KAME racoon FAQ. Some answers do not
	2	apply to ipsec-tools (they are obsolete or not up to date). They are
	3	tagged [KAME]
	4
	5	Q: With what other IKE/IPsec implementation racoon is known to be interoperable?
	6
	7	A: [KAME]
	8	See "IMPLEMENTATION" document supplied with KAME kit, or:
	9	http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
	10	As we have tested/got test reports in the past, and our end and
	11	the other end may have changed their implemenations, we are not sure
	12	if we can interoperate with them today (we hope them to interoperate,
	13	but we are not sure).
	14	Also note that, IKE interoperability highly depends on configuration
	15	on both ends. You must configure both ends exactly the same.
	16
	17	Q: How can I make racoon interoperate with <IKE/IPsec implementation>?
	18
	19	A:
	20	Configure both ends exactly the same. With just a tiny little
	21	differnce, you will be in trouble.
	22
	23	Q: How to build racoon on my platform?
	24
	25	A:
	26	As usual: configure && make && make install
	27	ipsec-tools is also available as a package in the NetBSD pkgsrc
	28
	29	Q: Describe me the options to "configure".
	30
	31	A:
	32	--enable-adminport:
	33	Lets racoon to listen to racoon admin port, which is to
	34	be contacted by racoonctl(8).
	35	--enable-natt:
	36	Enable NAT-Traversal. This needs kernel support, which is
	37	available on Linux. On NetBSD, NAT-Traversal kernel support
	38	has not been integrated yet, you can get it from here:
	39	http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
	40	If you live in a country where software patents are legal,
	41	using NAT-Traversal might infringe a patent.
	42	--enable-frag:
	43	Enable IKE fragmentation, which is a workaround for
	44	broken routers that drop fragmented packets
	45	--enable-hybrid:
	46	Enable hybrid authentication, and ISAKMP mode config and
	47	Xauth as well. Note that plain Xauth (without hybrid auth)
	48	is not implemented.
	49	--with-libradius:
	50	Enable the use of RADIUS with hybrid authentication on the
	51	server side. RADIUS is used for authentication, configuration
	52	and accounting.
	53	--with-libpam:
	54	Enable the use of PAM with hybrid authentication on the
	55	server side. PAM can be used for authentication and accounting.
	56	--enable-gssapi:
	57	Enable GSS-API, for Kerberos V support.
	58	--enable-stats:
	59	Enable statistics logging function.
	60	--enable-samode-unspec:
	61	Enable to use unspecified a mode of SA.
	62	--enable-ipv6:
	63	Enable IPv6 support.
	64	--with-kernel-headers:
65	Supply the location of Linux kernel headers.
66	--with-readline:
67	Support readline input (yes by default).
68	--with-openssl:
69	Specify OpenSSL directory.
70	--sysconfdir:
71	Where racoon config file goes. Default is /etc, which means
72	that racoon will look for /etc/racoon.conf
73	--localstatedir:
74	Where is the directory where racoon stores the control socket
75	(when using --enable-adminport). Default is /var, which
76	means racoon will use /var/racoon/racoon.sock
77	--prefix:
78	Where racoon gets installed.
79
80	Q: How can I get help?
81
82	A:
83	Always identify your operating system platforms, the versions you are
84	using (like "ipsec-tools-0.5"), and information to repeat the
85	problem. The more revelant information you supply, the better your
86	chances of getting help are. Useful informations include, depending
87	of the problem:
88	- version identification
89	- trace from racoon, taken by "racoon -d 0xffffffff"
90	(maximum debug level)
91	- configuration file you are using
92	- probabaly, tcpdump trace
93	http://orange.kame.net/dev/send-pr.html has the guideline.
94
95	If your question is not confidential, send your questions to:
96	<ipsec-tools-devel@lists.sourceforge.net>
97
98	If your question is confidential, send your questions to:
99	<ipsec-tools-core@lists.sourceforge.net>
100
101	Q: Other documents to look at?
102
103	A:
104	http://www.netbsd.org/Documentation/network/ipsec/
105	http://www.kame.net/
106	http://www.kame.net/newsletter/