Justin,
Well, I haven't hacked around with m0n0wall much outside of using it;
this is a first. I executed the sequence of commands remotely, and
when I got to the last step (restarting racoon) I got a parse error:
$ /usr/local/sbin/racoon -d -f /var/etc/racoon.conf
racoon: failed to parse configuration file.
However, it's strange: everything is correct. I added the line
nat_traversal on;
in different places in the anonymous { } section, but as long as it
was specified, there was a parse error. If I removed it, racoon can
start again. But as long as it was somewhere in the anonymous {}
section, racoon wouldn't start.
I can't figure out how to get the version of racoon installed either
(maybe it's not a config directive for the current version in m0n0?
[only the 0.3.x branch supports NAT-T, the 0.2.x branch doesn't]).
I'm going to try playing more with the configuration to see if there
are more combinations to try. I downloaded the latest ipsec-tools-0.3.3
and will be using /src/racoon/samples/racoon.conf.sample-natt hoping
to see if there's something that needs to be tweaked.
Thanks for the suggestions; if you have any more ideas on how I can
hack around with the config or whatnot, I'm interested ;)
/sylikc
On Thu, 22 Jul 2004 16:48:28 -0500, Justin Ellison
<justin at techadvise dot com> wrote:
> I figured so...
>
> How daring are you? NAT-T is supported by default, but I don't know if
> Manuel or anyone else removed the support for it. If you go to
> exec.php, and download /var/etc/racoon.conf to your computer, open it in
> notepad, and add:
>
> nat_traversal=on;
>
> somewhere after the relevant "remote" section and before the "proposal"
> section. Save that file, go back to exec.php, upload the new file, then
> run "cp /tmp/racoon.conf /var/etc/racoon.conf" from there. Now, go
> create a WAN rule that allows UDP packets on port 4500.
>
> Finally, go to exec.php, and issue a "ps ax". Find the pid for racoon,
> and issue a "kill -9 12345" where 12345 is the pid from the previous
> step. Last, issue a "/usr/local/sbin/racoon -d -f
> /var/etc/racoon.conf".
>
> Try reconnecting through the NAT. If it works, let me know, I'll build
> the functionality into the webgui. If it doesn't, check the system logs
> under diagnostics and let me know the results.
>
> Justin
>
>
> --
>
>
> Justin Ellison <justin at techadvise dot com>
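Added here as an editor's example, not code from this thread or from m0n0wall: a small Python helper that makes the edit Justin describes (placing a directive inside the top-level "remote anonymous { }" block, above the nested "proposal { }") and reports which block a given directive ended up in, which is the placement question sylikc was experimenting with. The racoon.conf fragment is constructed for the demo, and the directive uses racoon's "keyword value;" syntax, i.e. "nat_traversal on;".

```python
import re

# Constructed sample in the shape of a road-warrior racoon.conf (not a real
# m0n0wall file): a top-level "remote anonymous" block with a nested proposal.
SAMPLE_CONF = """\
path pre_shared_key "/var/etc/psk.txt";

remote anonymous {
    exchange_mode aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
    }
}
"""

_HEADER = re.compile(r"^\s*([A-Za-z_]+(?:\s+\S+)*?)\s*\{")   # "name [args] {"

def statements(conf):
    """(keyword, [outer, ..., inner]) for every 'keyword ...;' line, with the
    stack of enclosing 'name { ... }' blocks."""
    stack, found = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]                 # drop comments
        m = _HEADER.match(line)
        if m:
            stack.append(m.group(1))
            continue
        stmt = line.strip()
        if stmt.endswith(";"):
            found.append((stmt.split()[0], list(stack)))
        for _ in range(line.count("}")):
            if not stack:
                raise ValueError("unbalanced '}' in racoon.conf")
            stack.pop()
    return found

def directive_blocks(conf, keyword):
    """Block stack of the first statement starting with keyword, or None."""
    return next((b for kw, b in statements(conf) if kw == keyword), None)

def add_directive(conf, block, directive):
    """Insert directive as the first line inside the top-level 'block { ... }'."""
    pat = re.compile(r"^([ \t]*" + re.escape(block) + r"[ \t]*\{[ \t]*\n)", re.M)
    new, n = pat.subn(lambda m: m.group(1) + "    " + directive + "\n", conf, count=1)
    if n != 1:
        raise ValueError(f"block {block!r} not found")
    return new
```

It checks placement only; a parse error from a racoon that simply lacks the nat_traversal keyword, as sylikc describes, can only be learned from the daemon itself.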