[vpn-help] -12 against ipsec-tools 0.6.6

Matthew Grooms mgrooms at shrew.net
Thu Jul 27 14:12:46 CDT 2006


Peter Eisch wrote:
>  
> How about I go little different direction and put the server on a different
> LAN where no servers linger?  I moved it to 10.1.101.26.  All other
> config/environment information remains the same.
> 

The server's WAN/LAN address has little to no bearing on the client 
operating correctly. For the client to work, it needs to know what 
traffic to pass across the tunnel. This is the equivalent of an SPD 
entry on *nix ( i.e. setkey ... ). There are several ways to accomplish this.

1) You have the server describe which networks to tunnel. This is split 
include (strongly recommended). The server must have "split_network 
include" in racoon mode_cfg section.

2) You have the server describe which networks not to tunnel. This is 
split exclude. The server can optionally have "split_network local_lan" 
in racoon mode_cfg section.

3) You manually define the include or exclude information in the client.

Here is the current situation. The client is connecting properly but has 
no idea what traffic to forward across the tunnel. It's requesting a 
network list from the server via modecfg. Racoon receives the request 
but has no split networks defined in its mode_cfg section. For this 
reason it can't reply with the information the client needs to operate.

I understand that the Cisco client is working. When it receives no split 
network list from the server, it falls back to option (2), which is 
tunnel everything with no exclusions ( except possibly local LAN traffic ).

The Shrew Soft client is much more highly configurable, which is a double-
edged sword in this case. I suppose we could adopt the Cisco client 
methodology here, but my preference would be to make it break with useful 
debug feedback ( missing at the moment ) than have it work with a 
mismatched configuration.

Again, thanks for your efforts testing the client out. You have already 
helped identify two bugs so far. Very much appreciated!

-Matthew
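The split-include setup described in option (1) above, shown as an added racoon.conf fragment that is not part of the original thread or of the ipsec-tools/Shrew Soft projects. The mode_cfg block is what racoon needs to answer the client's modecfg request; the pool, DNS and tunnelled network values are constructed examples, and the server address 10.1.101.26 is the one from the thread.

```conf
# racoon.conf (ipsec-tools 0.6.x) - server side, constructed example

# Without a split_network line, racoon has nothing to send in its
# modecfg reply and the Shrew Soft client cannot build its SPD entries.
#
# mode_cfg {
#     network4 10.1.200.1;        # pool start (constructed)
#     netmask4 255.255.255.0;
#     pool_size 50;
#     dns4 10.1.101.10;           # internal resolver (constructed)
#     auth_source system;
#     conf_source local;
# }

# Corrected: tell the client which networks to route through the
# tunnel (split include). Everything else stays on the client's
# normal routes, which is the behaviour recommended in the thread.
mode_cfg {
    network4 10.1.200.1;          # pool start (constructed)
    netmask4 255.255.255.0;
    pool_size 50;
    dns4 10.1.101.10;             # internal resolver (constructed)
    split_network include 10.1.0.0/16;   # networks to tunnel (constructed)
    auth_source system;
    conf_source local;
}

# Option (2) instead: tunnel everything except a local network.
# Use split_network local_lan in place of the include line above, e.g.
#     split_network local_lan 192.168.1.0/24;

remote 10.1.101.26 {
    exchange_mode aggressive;
    proposal_check obey;
    generate_policy on;           # racoon builds SPD entries per client
    mode_cfg on;                  # enable modecfg for this peer
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}
```

After changing racoon.conf, restart racoon and re-run the client; with the include list present, the client should install routes only for 10.1.0.0/16 rather than failing with no split networks.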
