This document is derived from the KAME racoon FAQ. Some answers do not
apply to ipsec-tools (they are obsolete or not up to date). They are
tagged [KAME].

Q: With which other IKE/IPsec implementations is racoon known to be interoperable?

A: [KAME]
	See the "IMPLEMENTATION" document supplied with the KAME kit, or:
	http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
	Since we tested and received test reports in the past, and both our
	end and the other end may have changed their implementations since
	then, we are not sure whether we can interoperate with them today
	(we hope they still interoperate, but we are not sure).
	Also note that IKE interoperability depends heavily on the
	configuration on both ends.  You must configure both ends exactly
	the same.

Q: How can I make racoon interoperate with <IKE/IPsec implementation>?

A:
	Configure both ends exactly the same.  Even a tiny difference
	will get you into trouble.
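
	The requirement in the two answers above, that both ends be configured
	the same, can be checked mechanically before a tunnel is brought up.
	The following is an added example, not part of the FAQ or of
	ipsec-tools: it compares the phase 1 and phase 2 directives of two
	racoon.conf files. The choice of directives, the merging of all
	"remote" and all "sainfo" sections into one set each, and the sample
	configurations are assumptions of this example.

```python
import re

# racoon.conf(5) directives compared (this example's choice, not the FAQ's).
SECTIONS = {
    "remote": ("phase1", {"exchange_mode", "encryption_algorithm",
                          "hash_algorithm", "authentication_method", "dh_group"}),
    "sainfo": ("phase2", {"pfs_group", "encryption_algorithm",
                          "authentication_algorithm", "compression_algorithm"}),
}

def negotiated(conf):
    """Map (phase, directive) -> set of values found in one racoon.conf text."""
    conf = re.sub(r"#.*", "", conf)              # strip comments
    found, stack = {}, []
    for text, delim in re.findall(r"([^{};]*)([{};])", conf):
        words = text.split()
        if delim == "{":                         # header such as "remote anonymous"
            stack.append(words[0] if words else "")
        elif delim == "}":
            del stack[-1:]                       # tolerate an unbalanced brace
        elif words and stack and stack[0] in SECTIONS:
            phase, wanted = SECTIONS[stack[0]]
            if words[0] in wanted:
                values = {v.strip() for v in " ".join(words[1:]).split(",")}
                found.setdefault((phase, words[0]), set()).update(values)
    return found

def mismatches(conf_a, conf_b):
    """Directives whose value sets differ, as {key: (values_a, values_b)}."""
    a, b = negotiated(conf_a), negotiated(conf_b)
    return {k: (sorted(a.get(k, ())), sorted(b.get(k, ())))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

# Constructed samples (not from the FAQ). PEER differs in dh_group, lacks pfs_group.
LOCAL = """
remote anonymous {
    exchange_mode main;
    proposal { encryption_algorithm aes; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 5; }
}
sainfo anonymous {
    pfs_group 5; encryption_algorithm aes;
    authentication_algorithm hmac_sha1; compression_algorithm deflate;
}
"""
PEER = LOCAL.replace("dh_group 5", "dh_group 2").replace("pfs_group 5;", "")

if __name__ == "__main__":
    for key, (mine, theirs) in mismatches(LOCAL, PEER).items():
        print(key, "local:", mine, "peer:", theirs)
```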

Q: How do I build racoon on my platform?

A:
	As usual: configure && make && make install
	ipsec-tools is also available as a package in NetBSD pkgsrc.

Q: Describe the options to "configure".

A:
	--enable-adminport:
		Lets racoon listen on the racoon admin port, which is
		contacted by racoonctl(8).
	--enable-natt:
		Enable NAT-Traversal. This needs kernel support, which is
		available on Linux. On NetBSD, NAT-Traversal kernel support
		has not been integrated yet; you can get it from here:
		http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
		If you live in a country where software patents are legal,
		using NAT-Traversal might infringe a patent.
	--enable-broken-natt:
		When ipsec-tools is built with --enable-natt, racoon
		sets IKE ports in the SAD and SPD so that the kernel is
		able to distinguish peers hidden behind the same NAT.
		Some kernels cannot cope with those ports. Use this
		option to force the ports to 0 in the SAD and SPD. Of
		course this means that you cannot have multiple peers
		behind the same NAT.
	--enable-frag:
		Enable IKE fragmentation, which is a workaround for
		broken routers that drop fragmented packets.
	--enable-hybrid:
		Enable hybrid authentication, and ISAKMP mode config and
		Xauth as well. Note that plain Xauth (without hybrid auth)
		is not implemented.
	--with-libradius:
		Enable the use of RADIUS with hybrid authentication on the
		server side. RADIUS is used for authentication, configuration
		and accounting.
	--with-libpam:
		Enable the use of PAM with hybrid authentication on the
		server side. PAM can be used for authentication and accounting.
	--enable-gssapi:
		Enable GSS-API, for Kerberos V support.
	--enable-stats:
		Enable statistics logging function.
	--enable-samode-unspec:
		Enable the use of an unspecified SA mode.
	--enable-ipv6:
		Enable IPv6 support.
	--with-kernel-headers:
		Supply the location of Linux kernel headers.
	--with-readline:
		Support readline input (yes by default).
	--with-openssl:
		Specify OpenSSL directory.
	--sysconfdir:
		Where the racoon config file goes. Default is /etc, which
		means that racoon will look for /etc/racoon.conf
	--localstatedir:
		The directory where racoon stores the control socket
		(when using --enable-adminport). Default is /var, which
		means racoon will use /var/racoon/racoon.sock
	--prefix:
		Where racoon gets installed.

Q: How can I get help?

A:
	Always identify your operating system platforms, the versions you are
	using (like "ipsec-tools-0.5"), and the information needed to repeat
	the problem.  The more relevant information you supply, the better
	your chances of getting help are. Useful information includes,
	depending on the problem:
	- version identification
	- trace from racoon, taken by "racoon -d 0xffffffff"
		(maximum debug level)
	- configuration file you are using
	- probably, a tcpdump trace
	http://orange.kame.net/dev/send-pr.html has the guidelines.

	If your question is not confidential, send your questions to:
	<ipsec-tools-devel@lists.sourceforge.net>

	If your question is confidential, send your questions to:
	<ipsec-tools-core@lists.sourceforge.net>

Q: Other documents to look at?

A:
	http://www.netbsd.org/Documentation/network/ipsec/
	http://www.kame.net/
	http://www.kame.net/newsletter/
    115