I have a Watchguard SOHO 6tc VPN appliance that uses its private subnet as its identifier (which works out to the client's remote identifier). So if I don't want my phase 1 negotiations to fail, I think I need something like this in my client's racoon.conf:
peers_identifier address "192.168.0.0/24";
a) is this possible with racoon?
b) Will VaporSec have an option for this someday?
Currently I can do the peer's address (no good for an ID that's a subnet) or the peer's user_fqdn (no good for a subnet-style ID either; I get "ipsecdoi_checkid1(): ID type mismatched" in the logs).
Alternately, I'd take some advice on how I can get VaporSec to not stomp on my racoon.conf file (again assuming that the 'address' ID type to peers_identifier will work with a subnet).
Well, it looks like Watchguard invented this "IP Subnet" ID type. After some more research it looks like 'peers_identifier address' will not accept a subnet as its value. By the way, I just kill -HUP'ed racoon to get it to reread racoon.conf.
So it looks like VaporSec can't really touch this issue; it is more of a Racoon/SDP/Whoever issue. I guess I'll write them an email about this and see if they're interested in implementing this ID type.
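As an added example (not code from the original post, and not racoon's or VaporSec's own code), here is a small Python model of the ISAKMP Phase 1 Identification payload as the IPsec DOI (RFC 2407, section 4.6.2) lays it out. It encodes the three identifier shapes mentioned above: an IPv4 address (what racoon's 'address' keyword describes), a user FQDN, and an IPv4 address followed by a netmask (the DOI's ID_IPV4_ADDR_SUBNET type, for which racoon's peers_identifier has no keyword). It then compares a configured ID against a received one type-first, which is why a configured address or user_fqdn can never match a subnet ID and fails on the type before the value is even looked at. All addresses and names are constructed sample values.

```python
"""Added example (not from the original post, racoon, or VaporSec): build,
parse and compare ISAKMP Phase 1 Identification payloads per RFC 2407.
All addresses and names below are constructed sample values."""
import ipaddress
import struct

# ID type values from RFC 2407, section 4.6.2.1
ID_IPV4_ADDR = 1          # racoon: peers_identifier address
ID_FQDN = 2               # racoon: peers_identifier fqdn
ID_USER_FQDN = 3          # racoon: peers_identifier user_fqdn
ID_IPV4_ADDR_SUBNET = 4   # address + netmask; no racoon peers_identifier keyword
ID_KEY_ID = 11            # racoon: peers_identifier keyid

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "IPv4_address",
    ID_FQDN: "FQDN",
    ID_USER_FQDN: "User_FQDN",
    ID_IPV4_ADDR_SUBNET: "IPv4_subnet",
    ID_KEY_ID: "KEY_ID",
}

# Generic payload header + DOI fields: Next Payload, RESERVED, Payload Length,
# ID Type, Protocol ID, Port (all network byte order)
ID_HEADER = struct.Struct("!BBHBBH")


def build_id_payload(id_type, data, protocol_id=0, port=0, next_payload=0):
    """Serialize one Identification payload: header, then identification data."""
    length = ID_HEADER.size + len(data)
    return ID_HEADER.pack(next_payload, 0, length, id_type, protocol_id, port) + data


def parse_id_payload(raw):
    """Return (id_type, data) from a raw payload, validating RESERVED and Length."""
    if len(raw) < ID_HEADER.size:
        raise ValueError("payload shorter than header")
    _next, reserved, length, id_type, _proto, _port = ID_HEADER.unpack_from(raw)
    if reserved != 0 or length != len(raw):
        raise ValueError("bad RESERVED or Length field")
    return id_type, raw[ID_HEADER.size:length]


def id_address(addr):
    """What 'peers_identifier address 203.0.113.1' describes: type 1, 4 bytes."""
    return ID_IPV4_ADDR, ipaddress.IPv4Address(addr).packed


def id_user_fqdn(name):
    """What 'peers_identifier user_fqdn "..."' describes: type 3, the raw bytes."""
    return ID_USER_FQDN, name.encode("ascii")


def id_subnet(cidr):
    """An IP-subnet identifier: type 4, network address followed by netmask.
    192.168.0.0/24 encodes as c0a80000 ffffff00 (8 bytes of data)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed


def describe(id_type, data):
    """Human-readable rendering of an identifier, for log-style messages."""
    if id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV4_ADDR_SUBNET:
        addr, mask = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:8])
        return str(ipaddress.IPv4Network("%s/%s" % (addr, mask)))
    return data.decode("ascii", errors="replace")


def check_peer_id(configured, received):
    """Compare a configured peers_identifier with the received ID type-first:
    a differing type fails before the value is compared, which is the
    'ID type mismatched' situation described in the post."""
    ctype, cdata = configured
    rtype, rdata = received
    if ctype != rtype:
        return False, "ID type mismatched: config %s, received %s" % (
            ID_TYPE_NAMES.get(ctype, ctype), ID_TYPE_NAMES.get(rtype, rtype))
    if cdata != rdata:
        return False, "ID value mismatched: config %s, received %s" % (
            describe(ctype, cdata), describe(rtype, rdata))
    return True, "ID matched: " + describe(rtype, rdata)


if __name__ == "__main__":
    peer_sends = id_subnet("192.168.0.0/24")   # constructed: the subnet the appliance announces
    candidates = (
        ("address 192.168.0.1", id_address("192.168.0.1")),
        ("user_fqdn soho@example.com", id_user_fqdn("soho@example.com")),
        ("subnet 192.168.0.0/24 (no racoon keyword)", id_subnet("192.168.0.0/24")),
    )
    for label, mine in candidates:
        ok, why = check_peer_id(mine, peer_sends)
        print("%-45s %-4s %s" % (label, "ok" if ok else "fail", why))
    print("wire form of the received subnet ID:", build_id_payload(*peer_sends).hex())
```

Only the last candidate matches, and only because it encodes the same type 4 identifier the peer sends; a racoon remote block can express types 1, 2, 3, 9 and 11 but not type 4, so the type comparison fails for any peers_identifier racoon lets you write.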
I hope this helps some other Watchguard user. Of course if you’re reading this and you’ve figured out something I’ve missed, I’d appreciate an email!