racoon2 FAQ

General

Q. I'd like to contact the racoon2 developers.
A. We have a mailing list. Its address is "racoon2-users AT racoon2.wide.ad.jp". In any case, you should read the README at least once.
Q. The racoon2 output in syslog is slightly hard to read when it contains binary dumps.
A. syslog replaces each newline with a space, so we cannot fix this. Please use direct file output instead of syslog.
Q. spmd does not work when the directory /var/run/racoon does not exist.
A. Did you perhaps launch it before installing it? The install script creates the directory. If you want to debug the racoon2 programs from the directory where you built them, you have to create the directory yourself.
Q. How does racoon2 differ from racoon?
A. It is a completely different implementation. Racoon2 supports both IKEv2 and KINK as well as IKEv1, on Linux and BSD variants. See also the README.

Error Messages

Q. I have an error like this on the initiator side. How can I make iked establish IPsec SAs?
Aug 10 19:00:35 localhost iked: [PROTO_ERR]: ikev2.c:2367:initiator_ike_sa_auth_recv(): 1:2001:200:1b0:2033::1[500] - 2001:200:1b0:2033::2[500]:0x80aff20:message lacks IDr payload
A. This is most likely caused by an authentication failure. Check the pre-shared key on both ends. Racoon2 uses the whole contents of the file (including newlines) as the PSK.
Q. I have an error like this on the responder side. How can I make iked establish IPsec SAs?
2008-03-11 14:45:59 [PROTO_ERR]: ikev2_auth.c:615:ikev2_verify(): 2:192.168.1.68[500] - 192.168.1.67[500]:0x80e9390:authentication failure
A. This is most likely caused by an authentication failure. Check the pre-shared key on both ends. Racoon2 uses the whole contents of the file (including newlines) as the PSK.
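
Because the whole file is the key, two PSK files that look the same in an editor can still differ by a trailing newline, CRLF or byte order mark. The following script is an added example, not part of racoon2; its function names and sample keys are constructed for illustration, and it assumes both ends' PSK files have been copied to one host over a secure channel. It reports such hidden bytes and classifies a mismatch without printing key material.

```python
import hmac
import sys

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark that some editors prepend


def describe_psk(data: bytes) -> list:
    """List bytes that are part of the PSK but invisible in most editors."""
    findings = []
    if not data:
        findings.append("file is empty")
    if data.startswith(BOM):
        findings.append("starts with a UTF-8 byte order mark")
    if data.endswith(b"\r\n"):
        findings.append("ends with CRLF")
    elif data.endswith(b"\n"):
        findings.append("ends with LF")
    body = data.rstrip(b"\r\n")
    if body.endswith((b" ", b"\t")):
        findings.append("trailing space or tab")
    if b"\n" in body:
        findings.append("contains an embedded newline")
    return findings


def _core(data: bytes) -> bytes:
    # Key with BOM and trailing whitespace removed; used for diagnosis only.
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.rstrip(b" \t\r\n")


def compare_psk(local: bytes, peer: bytes) -> str:
    """Classify a mismatch between two PSK files without printing the keys."""
    if hmac.compare_digest(local, peer):
        return "identical"
    if hmac.compare_digest(_core(local), _core(peer)):
        return "differ only in BOM or trailing whitespace"
    return "different keys"


if __name__ == "__main__":
    # With two file arguments, compare them; otherwise use constructed samples.
    if len(sys.argv) == 3:
        local, peer = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        local, peer = b"constructed-sample-key\n", b"constructed-sample-key"
    for name, data in (("local", local), ("peer", peer)):
        print(name, describe_psk(data) or "no hidden bytes")
    print("result:", compare_psk(local, peer))
```
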
Q. Occasionally I get a warning like this.
Nov 11 17:02:51 maui iked: [PROTO_WARN]: ikev2.c:814:ikev2_check_new_request(): 0:192.168.201.2[500] - 192.168.202.2[500]:0x817c1f0:message to a nonexistent ike_sa
A. It can happen when both nodes performed a deletion at the same time. If it doesn't persist, you can ignore it.

Compiling

Q. When compiling kinkd, my compiler emits warning messages like this. Is it OK?
bbkk_mit.c: In function `krb5e_force_get_key':
bbkk_mit.c:1119: warning: implicit declaration of function \
`decode_krb5_ap_req'
bbkk_mit.c:1183: warning: implicit declaration of function \
`decode_krb5_authenticator'
A. This is because kinkd touches the internals of libkrb5. This is a bad thing, but there is currently no other way.
Q. I cannot compile iked on my Debian (3.1) system; my compiler displays the following error message.
ikev1/ikev1_natt.c: In function `natt_fill_options':
ikev1/ikev1_natt.c:243: error: `UDP_ENCAP_ESPINUDP_NON_IKE' undeclared (first use in this function)
ikev1/ikev1_natt.c:243: error: (Each undeclared identifier is reported only once
ikev1/ikev1_natt.c:243: error: for each function it appears in.)
make[1]: *** [ikev1/ikev1_natt.o] Error 1
make[1]: Leaving directory `/home/mk/work/ipsec/racoon2/racoon2.cvs/iked'
make: *** [build-recursive] Error 1
A. Please add the following line to ikev1/ikev1_natt.c, /usr/include/linux/udp.h, or another appropriate file.
#define UDP_ENCAP_ESPINUDP_NON_IKE      1 

Configuration

Q. A string defined by the "setval" directive does not work in an "include" directive.
A. You cannot use a string defined by the "setval" directive there. Please use an environment variable instead.

Negotiation

Q. IPsec does not work on my system.
A. That is a very ambiguous question. Please be more specific.
Q. The negotiation looks successful. There are SAs on both systems, but the peer does not respond to my ping.
A. Reconfirm the routing information to the peer.

Developer

Q. I cannot create a configure script in each subdirectory.
A. Use autoconf-2.13, and run it with the option "-l .." in each subdirectory so that it uses the aclocal.m4 placed in the top directory.
Q. How can I debug the racoon2 system on my local PC only?
A. Please check samples/local-test.conf.

Last-modified: 2008-03-17 (Mon) 11:09:55