Hi all.

The IPSec part of the LARTC howto is great, but I've hit a problem in 7.3. IPSEC tunnels. The example given is for manual keying:

    add 10.0.0.216 10.0.0.11 esp 34501 -m tunnel -E 3des-cbc "123456789012123456789012";

How does one set up "tunnel mode" using racoon?

Trying to set up an ipsec tunnel between two subnets: 10.10.42.0/24 and 10.1.1.0/24 using a cisco router "ned" and a linux box "phaedrus".

ned has external IP 192.168.1.250
phaedrus has external IP 192.168.1.42

    10.10.42.0/24[ned]192.168.1.250 <==> 192.168.1.42[phaedrus]10.1.1.0/24

setkey on phaedrus:

    flush;
    spdflush;
    spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/192.168.1.250-192.168.1.42/require
        ah/tunnel/192.168.1.250-192.168.1.42/require;
    spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
        esp/tunnel/192.168.1.42-192.168.1.250/require
        ah/tunnel/192.168.1.42-192.168.1.250/require;

racoon.conf on phaedrus:

    path include "/etc/racoon";
    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    remote 192.168.1.250 {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        lifetime time 2 min;    # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    sainfo anonymous {
        pfs_group 2;
        lifetime time 2 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

relevant ios config on ned:

    hostname ned
    !
    crypto isakmp policy 10
     encryption 3des
     hash sha
     authentication pre-share
     group 2
    !
    crypto isakmp key 123456asdf address 192.168.1.42 no-xauth
    !
    crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto map vpnmap 10 ipsec-isakmp
     set peer 192.168.1.42
     set transform-set phaedrus_transform
     match address 110
    !
    access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
    !
    interface ethernet 1
     ip address 192.168.1.250 255.255.255.0
     crypto map vpnmap
    !

When I try to ping between the two subnets, from either direction, the packets go out via the routers' respective default routes instead of via the VPN.

Zach.
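In a policy-based setup like the one above, the kernel SPD on the Linux side and the crypto ACL on the IOS side are two independent descriptions of which traffic belongs in the tunnel, and they have to be mirror images of each other: any selector that one side covers and the other does not leaves that traffic to ordinary routing. The script below is an added example, not part of the post, that parses the `spdadd` lines of a setkey script and the `access-list ... permit ip` lines of an IOS config and reports mismatches between the two. The sample inputs are constructed from the configuration in the post; the second variant with a one-digit typo in the ACL, and all function names, are this example's own.

```python
import ipaddress
import re

# Constructed from the post: the setkey script on phaedrus and the crypto
# map / ACL on ned.
PHAEDRUS_SETKEY = """
flush;
spdflush;
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
    esp/tunnel/192.168.1.250-192.168.1.42/require
    ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
    esp/tunnel/192.168.1.42-192.168.1.250/require
    ah/tunnel/192.168.1.42-192.168.1.250/require;
"""

NED_IOS = """
crypto map vpnmap 10 ipsec-isakmp
 set peer 192.168.1.42
 set transform-set phaedrus_transform
 match address 110
!
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Constructed variant (this example's own): a one-digit typo in the crypto ACL,
# so the router no longer selects traffic for 10.1.1.0/24.
NED_IOS_TYPO = NED_IOS.replace("10.1.1.0 0.0.0.255", "10.1.0.0 0.0.0.255")

SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<policies>[^;]+);"
)
TUNNEL_RE = re.compile(r"(?P<proto>esp|ah)/tunnel/(?P<a>[\d.]+)-(?P<b>[\d.]+)/\w+")
ACL_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+permit\s+ip\s+(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)"
    r"\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> ip_network; the wildcard is the inverted netmask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_spd(text):
    """One dict per spdadd line: selector, direction and tunnel endpoints."""
    return [
        {
            "src": ipaddress.ip_network(m["src"]),
            "dst": ipaddress.ip_network(m["dst"]),
            "dir": m["dir"],
            "tunnels": [(t["proto"], t["a"], t["b"]) for t in TUNNEL_RE.finditer(m["policies"])],
        }
        for m in SPD_RE.finditer(text)
    ]


def parse_crypto_acl(text, number):
    """(src_net, dst_net) pairs from the permit lines of one numbered crypto ACL."""
    return [
        (wildcard_to_network(m["src"], m["smask"]), wildcard_to_network(m["dst"], m["dmask"]))
        for m in ACL_RE.finditer(text)
        if m["num"] == number
    ]


def check_consistency(spd, peer_acl, local_ip, peer_ip):
    """Return a list of problems; an empty list means both sides select the same traffic."""
    problems = []
    outs = [e for e in spd if e["dir"] == "out"]
    ins = [e for e in spd if e["dir"] == "in"]
    if not outs:
        problems.append("no outbound SPD entry: nothing is selected for the tunnel")
    for e in outs:
        # Every out entry needs its mirror-image in entry, otherwise the kernel has
        # no policy for the return traffic.
        if not any(i["src"] == e["dst"] and i["dst"] == e["src"] for i in ins):
            problems.append(f"out {e['src']}->{e['dst']} has no mirror-image in entry")
        for proto, a, b in e["tunnels"]:
            if (a, b) != (local_ip, peer_ip):
                problems.append(f"out {proto} tunnel endpoints {a}-{b} should be {local_ip}-{peer_ip}")
        # The peer's crypto ACL is written from the peer's point of view: its source
        # is our destination. A mismatch means one side encrypts traffic the other
        # does not expect, or does not select it for the tunnel at all.
        if not any(src == e["dst"] and dst == e["src"] for src, dst in peer_acl):
            problems.append(f"peer crypto ACL has no line for {e['dst']} -> {e['src']}")
    for e in ins:
        for proto, a, b in e["tunnels"]:
            if (a, b) != (peer_ip, local_ip):
                problems.append(f"in {proto} tunnel endpoints {a}-{b} should be {peer_ip}-{local_ip}")
    return problems


def check_post_config(ios_text=NED_IOS):
    """Run the check on the post's configuration (or a variant of ned's side)."""
    spd = parse_spd(PHAEDRUS_SETKEY)
    acl = parse_crypto_acl(ios_text, "110")
    return check_consistency(spd, acl, local_ip="192.168.1.42", peer_ip="192.168.1.250")


if __name__ == "__main__":
    for label, text in (("post config", NED_IOS), ("typo variant", NED_IOS_TYPO)):
        print(label + ":", check_post_config(text) or "consistent")
```

On the configuration as posted the check returns no problems, so the selectors themselves agree; the typo variant shows the kind of mismatch the check is meant to surface. On the live hosts the same comparison is done by hand with `setkey -DP` on the Linux side and `show crypto map` plus the ACL on the router, and a packet that leaves by the default route while the SPD has a matching `out` entry is the signal to look at SA negotiation (`setkey -D`, the racoon log) rather than at the policies.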