[Vpn-help] Shrew 2.1.0-alpha4 on Ubuntu Feisty against Sidewinder VPN

mgrooms mgrooms at shrew.net
Mon Dec 24 02:21:37 CST 2007


On Sun, 23 Dec 2007 18:33:26 -0600, "Don Seiler" <don at seiler.us> wrote:
> Am I supposed to launch iked before running ikea?  If I don't, I get
> an error in ikec about failing to connect to the key daemon.  However,
> I don't know what to put in iked.conf, so I just copied the
> iked.conf.sample into /etc.
> 

Yes. The iked program is similar to racoon and handles the IKE
communications. The ikec program is similar to the racoon control program
in that it talks to iked and requests that a connection be initiated. The
sample iked.conf file used by iked contains the minimal settings required
for client-based communications. It can also handle site-to-site
connections, but this requires that a more detailed configuration
file be created. For more information, please see the iked.conf man page.

> I've tried using ikea as both my own user and through sudo (had to
> soft-link my ~/.ike into /root) but both behave the same way.
> 

The iked process must be run with root privileges, but the ikea/ikec
programs can be run as any local user. If ikea has problems reading/writing
settings from the ~/.ike directory, it is possible that you first ran it as
the user under sudo. It will initialize ~/.ike and its subdirectories, but may
have done so with the wrong user permissions. I can tell you that many
people have tested this under Ubuntu and it works fine. You can try
removing any ~/.ike directories and starting over using a normal user account.

As for the RSA authentication failing, I don't have a good answer for you
at the moment. If it works in racoon, it should also work with iked. They
pretty much use the same openssl libcrypto functions to handle the
authentication and it has been tested with several different vendor
implementations. Are you sure you specified the correct file as the "Server
Certificate Authority File" under the site configuration / authentication /
credentials tab? The contents of this file would be used by iked to
validate the signed hash during authentication. Please feel free to send me
the debug level log output from iked privately and I will be happy to take
a look at it for you.

Thanks,

-Matthew
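The two checks Matthew describes (iked running as root, and ~/.ike owned by the normal user rather than by root after a stray "sudo ikea") can be scripted. The script below is an added example for this thread and is not part of the Shrew Soft VPN client; it assumes only what the reply states: that the daemon process is named iked and that the user settings live under ~/.ike. It uses ls/awk instead of stat so that it works on both GNU and BSD userlands, and it assumes pgrep is installed.

```sh
#!/bin/sh
# Added diagnostic for the iked/ikea ownership problem discussed in this
# thread (example code, not part of the Shrew Soft VPN client).

# owner_of PATH: print the owner of a file or directory.
# ls -ld + awk is used instead of stat because stat's flags differ
# between GNU and BSD systems.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# ike_dir_ok DIR USER: succeed only if DIR exists and every entry under
# it is owned by USER. A root-owned entry is the symptom of having run
# ikea under sudo before running it as the normal user.
ike_dir_ok() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 1
    [ "$(owner_of "$dir")" = "$user" ] || return 1
    # any file or subdirectory under DIR not owned by USER fails the check
    [ -z "$(find "$dir" ! -user "$user" -print 2>/dev/null | head -n 1)" ]
}

# iked_running: succeed if a process named exactly "iked" exists.
# iked itself has to be started as root before ikea/ikec are used.
iked_running() {
    pgrep -x iked >/dev/null 2>&1
}

# main: report both conditions for the current user. Always returns 0;
# the findings are printed, not signalled through the exit status.
main() {
    me=$(id -un)
    if [ "$me" = root ]; then
        echo "note: run this check (and ikea) as your normal user, not as root" >&2
    fi
    if ike_dir_ok "$HOME/.ike" "$me"; then
        echo "ok: $HOME/.ike and everything under it is owned by $me"
    else
        echo "problem: $HOME/.ike is missing or contains entries not owned by $me;" >&2
        echo "         remove it (as root if needed) and rerun ikea as $me" >&2
    fi
    if iked_running; then
        echo "ok: iked is running"
    else
        echo "problem: iked is not running; start it as root before ikea/ikec" >&2
    fi
    return 0
}

main
```

Run it as the user who will launch ikea. If the ~/.ike check fails, removing the directory and starting ikea again as that user recreates it with the right ownership, which is the fix suggested above.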
