ipsec-tools/racoon/Documents/FAQ

   1 This document is derived from the KAME racoon FAQ. Some answers do not
   2 apply to ipsec-tools (they are obsolete or not up to date). They are
   3 tagged [KAME]
   4
   5 Q: With what other IKE/IPsec implementation racoon is known to be interoperable?
   6
   7 A: [KAME]
   8         See "IMPLEMENTATION" document supplied with KAME kit, or:
   9         http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
  10         As we have tested/got test reports in the past, and our end and
  11         the other end may have changed their implemenations, we are not sure
  12         if we can interoperate with them today (we hope them to interoperate,
  13         but we are not sure).
  14         Also note that, IKE interoperability highly depends on configuration
  15         on both ends.  You must configure both ends exactly the same.
  16
  17 Q: How can I make racoon interoperate with <IKE/IPsec implementation>?
  18
  19 A:
  20         Configure both ends exactly the same.  With just a tiny little
  21         differnce, you will be in trouble.
  22
  23 Q: How to build racoon on my platform?
  24
  25 A:
  26         As usual: configure && make && make install
  27         ipsec-tools is also available as a package in the NetBSD pkgsrc
  28
  29 Q: Describe me the options to "configure".
  30
  31 A:
  32         --enable-adminport:
  33                 Lets racoon to listen to racoon admin port, which is to
  34                 be contacted by racoonctl(8).
  35         --enable-natt:
  36                 Enable NAT-Traversal. This needs kernel support, which is
  37                 available on Linux. On NetBSD, NAT-Traversal kernel support
  38                 has not been integrated yet, you can get it from here:
  39                 http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
  40                 If you live in a country where software patents are legal,
  41                 using NAT-Traversal might infringe a patent.
  42         --enable-frag:
  43                 Enable IKE fragmentation, which is a workaround for
  44                 broken routers that drop fragmented packets
  45         --enable-hybrid:
  46                 Enable hybrid authentication, and ISAKMP mode config and
  47                 Xauth as well. Note that plain Xauth (without hybrid auth)
  48                 is not implemented.
  49         --with-libradius:
  50                 Enable the use of RADIUS with hybrid authentication on the
  51                 server side. RADIUS is used for authentication, configuration
  52                 and accounting.
  53         --with-libpam:
  54                 Enable the use of PAM with hybrid authentication on the
  55                 server side. PAM can be used for authentication and accounting.
  56         --enable-gssapi:
  57                 Enable GSS-API, for Kerberos V support.
  58         --enable-stats:
  59                 Enable statistics logging function.
  60         --enable-samode-unspec:
  61                 Enable to use unspecified a mode of SA.
  62         --enable-ipv6:
  63                 Enable IPv6 support.
  64         --with-kernel-headers:
  65                 Supply the location of Linux kernel headers.
  66         --with-readline:
  67                 Support readline input (yes by default).
  68         --with-openssl:
  69                 Specify OpenSSL directory.
  70         --sysconfdir:
  71                 Where racoon config file goes. Default is /etc, which means
  72                 that racoon will look for /etc/racoon.conf
  73         --localstatedir:
  74                 Where is the directory where racoon stores the control socket
  75                 (when using --enable-adminport). Default is /var, which
  76                 means racoon will use /var/racoon/racoon.sock
  77         --prefix:
  78                 Where racoon gets installed.
  79
  80 Q: How can I get help?
  81
  82 A:
  83         Always identify your operating system platforms, the versions you are
  84         using (like "ipsec-tools-0.5"), and information to repeat the
  85         problem.  The more revelant information you supply, the better your
  86         chances of getting help are. Useful informations include, depending
  87         of the problem:
  88         - version identification
  89         - trace from racoon, taken by "racoon -d 0xffffffff"
  90                 (maximum debug level)
  91         - configuration file you are using
  92         - probabaly, tcpdump trace
  93         http://orange.kame.net/dev/send-pr.html has the guideline.
  94
  95         If your question is not confidential, send your questions to:
  96         <ipsec-tools-devel@lists.sourceforge.net>
  97
  98         If your question is confidential, send your questions to:
  99         <ipsec-tools-core@lists.sourceforge.net>
 100
 101 Q: Other documents to look at?
 102
 103 A:
 104         http://www.netbsd.org/Documentation/network/ipsec/
 105         http://www.kame.net/
 106         http://www.kame.net/newsletter/