Bluetrait (Program)
                IBM N2200 8363

Wed, 27 Sep 2006 6:45 PM

Racoon to Netscreen VPN (dialup)

Michael Dale
So last night Bryn's sister's boyfriend (Josh) and I setup a VPN between our two houses. Josh is currently running Gentoo, while I'm using a Netscreen 5GT.


My Place
  • Netscreen 5GT running ScreenOS 5.4.0r1 (Should be the same process for any netscreen running ScreenOS 5.x)
  • Local Network of ( -
  • External Address of
Josh's Place
  • Gentoo running Racoon (I think it was installed through the command emerge ipsec)
  • Local Network of ( -
  • Dynamic IP Address (we setup a dyndns address as the Netscreen supports pointing to a hostname)
So I'll go through the process of setting up the dial-up VPN first.

Dial-up VPN (Single PC at Josh's Place accessing my network)

Step 1)

The first step is to setup a dial-up vpn on the Netscreen. I've covered this process here (only do Setting up the Netscreen).

Step 2)

Install racoon on the linux/bsd box (I'm not going to cover this as it is a different process for almost every distro, although most distros have some form of package management).

Step 3)

Setup racoon.conf. Now for this process we used a combination of:
So our config looks like:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.

# Specification of default various timer.
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 30 sec;

remote {
exchange_mode aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier fqdn "Test.User";
peers_identifier address;
verify_identifier off;
lifetime time 28800 seconds;
initial_contact on;
passive off;
proposal_check obey;
support_mip6 on;
generate_policy off;
nonce_size 16;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;

sainfo address any address any {
pfs_group modp1024;
lifetime time 3600 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

listen {

log debug2;

Things to note:
  • remote (The ip address of the external interface on my netscreen)
  • exchange_mode aggressive (Remember we set the Netscreen Phase 1 to aggressive)
  • my_identifier fqdn "Test.User" (The IKE Identity)
  • lifetime time 28800 seconds (Phase 1 lifetime)
  • encryption_algorithm des (Phase 1 DES encryption)
  • hash_algorithm md5 (Phase 1 MD5)
  • authentication_method pre_shared_key (We're using a preshared key)
  • dh_group modp1024 (On the netscreen DH Group 2)
  • sainfo address any address (From Josh's Internal Linux PC ip address to my network. Remember that the dial-up vpn is just for one pc on Josh's side)
  • pfs_group modp1024 (Again DH Group 2)
  • lifetime time 3600 seconds (Phase 2 lifetime)
  • encryption_algorithm des (Phase 2 encryption)
  • authentication_algorithm hmac_md5 (Phase 2 MD5)
Step 4)

Setup ipsec.conf

So our config looks like:

#!/usr/sbin/setkey -f
spdadd any
-P out ipsec esp/tunnel/;

spdadd any
-P in ipsec esp/tunnel/;

You'll just need to change the IP addresses to suit your setup.

Step 5)

Setup psk.txt.

So our config looks like: our_preshared_key

So change the ip address to your netscreen external interface and change the preshared key to the one used when setting up the netscreen

Step 6)

Test. Use both ends to debug and test.


On Sat, 02 Dec 2006 at 6:31 AM, Anonymous wrote How do you actually initiate the connection from the linux box? Do you use racoonctl? 1: Comment Link

On Sat, 02 Dec 2006 at 4:27 PM, Michael Dale (of wrote Pinging the remote network should automatically bring up the link. 2: Comment Link


HTML allowed: <a href="" title="" rel=""></a> <b></b> <blockquote cite=""></blockquote> <em></em> <i></i> <strike></strike> <strong></strong> <li></li> <ol></ol> <ul></ul>
ie: <b>bold</b>

Your comment may need to be reviewed before it is published.



Email (not shown)

WWW (optional)

Allow contact form email

Remember details