[linux] IPSec Linux<-->Vigor2700

Mike mike at spinet.sk
Tuesday, March 27 11:22:17 CEST 2007


Hello,

I'm trying to set up a tunnel between two networks; on one side is Linux,
on the other only an ADSL router, a Draytek Vigor 2700. I found in the list
archive that someone here had an IPsec tunnel to this router working, but
there were no details. Can anyone help me with the configuration?

I'm not using certificates, only a PSK. Unfortunately I suspect the catch is
on the Vigor side, but its documentation is quite poor.

Current state of the configs on Linux, with which the cipher and hash
algorithms agree:

racoon.conf:
# Phase 1 (ISAKMP SA) settings for the Vigor peer, PSK authentication
remote x.x.x.x
{
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}
# Phase 2 (IPsec SA) parameters for traffic between the two LANs
sainfo address 10.1.1.0/24 any address 192.168.90.0/24 any {
        lifetime time 3600sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
        pfs_group 1;
}

setkey.conf:

#!/sbin/setkey -f
flush;
spdflush;
# y.y.y.y is the Linux gateway, x.x.x.x the Vigor; ESP tunnel mode both ways
spdadd 10.1.1.0/24 192.168.90.0/24 any -P out ipsec
           esp/tunnel/y.y.y.y-x.x.x.x/require;

spdadd 192.168.90.0/24 10.1.1.0/24  any -P in ipsec
           esp/tunnel/x.x.x.x-y.y.y.y/require;

racoon -F -v prints the following output (apart from the initial messages):

INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
INFO: begin Identity Protection mode.
INFO: received Vendor ID: DPD
WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:00fbc99a964f43c2:b7e1bd14fbd6176a
INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=32255224(0x1ec2cf8)
WARNING: the expire message is received but the handler has not been established.
ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.

---
Mike
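The racoon output in the post shows phase 1 completing (ISAKMP-SA established) and phase 2 timing out before any IPsec-SA was agreed. In IKEv1 that split is the useful signal: the PSK, exchange mode and phase 1 proposal were accepted, so whatever is wrong sits in the phase 2 side (ESP proposal, PFS group, lifetime, or the subnets the two peers think the tunnel carries). The script below is an added example, not part of the original post or of racoon; it reads a racoon -F -v log, decides which stage the negotiation got to, and pulls out the phase 1 SA cookies. RACOON_LOG is the output quoted in the post, kept as a constructed sample with the x.x.x.x / y.y.y.y placeholders; the patterns for messages the post does not show (IPsec-SA established, NO-PROPOSAL-CHOSEN) are assumptions about racoon's usual wording.

```python
"""Classify the outcome of an IKEv1 negotiation from racoon's -F -v log.

Added example, not from the original post. RACOON_LOG is the output quoted
in the post (constructed sample; peers kept as x.x.x.x / y.y.y.y).
"""
import re

RACOON_LOG = """\
INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
INFO: begin Identity Protection mode.
INFO: received Vendor ID: DPD
WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:00fbc99a964f43c2:b7e1bd14fbd6176a
INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=32255224(0x1ec2cf8)
WARNING: the expire message is received but the handler has not been established.
ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
"""

# Events of interest, in the order racoon normally emits them. The patterns
# marked "assumed" are for lines the post does not show.
EVENTS = {
    "phase1_started":    re.compile(r"initiate new phase 1 negotiation"),
    "phase1_ok":         re.compile(r"ISAKMP-SA established"),
    "phase2_started":    re.compile(r"initiate new phase 2 negotiation"),
    "phase2_ok":         re.compile(r"IPsec-SA established"),      # assumed wording
    "no_proposal":       re.compile(r"NO-PROPOSAL-CHOSEN", re.I),  # assumed wording
    "expire_no_handler": re.compile(r"expire message is received but the handler "
                                    r"has not been established"),
    "phase2_timeout":    re.compile(r"give up to get IPsec-SA due to time up to wait"),
}

# racoon prints the phase 1 SA as local-remote followed by the two ISAKMP cookies.
ISAKMP_SA = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:([0-9a-f]+):([0-9a-f]+)")


def scan(log):
    """Return the set of event names whose pattern matched some log line."""
    seen = set()
    for line in log.splitlines():
        for name, pat in EVENTS.items():
            if pat.search(line):
                seen.add(name)
    return seen


def isakmp_sa(log):
    """Return (local, remote, initiator_cookie, responder_cookie) for the phase 1 SA, or None."""
    m = ISAKMP_SA.search(log)
    return m.groups() if m else None


def diagnose(log):
    """Map the observed events to the stage that failed.

    Returns (stage, hint). The hints are the usual first things to check at
    that stage of an IKEv1 negotiation, not a finding about a specific peer.
    """
    seen = scan(log)
    if "phase1_started" not in seen:
        return "no_negotiation", ("no IKE exchange was started: check the SPD (setkey -DP) "
                                  "and that traffic actually matches the policy")
    if "phase1_ok" not in seen:
        return "phase1_failed", ("ISAKMP-SA never established: PSK, exchange mode, identifiers "
                                 "or phase 1 proposal (cipher/hash/DH group) do not match")
    if "phase2_ok" in seen:
        return "tunnel_up", "IPsec-SA established"
    if "no_proposal" in seen:
        return "phase2_rejected", ("peer answered NO-PROPOSAL-CHOSEN: phase 2 proposal "
                                   "(ESP algorithms, PFS group, lifetime) was refused")
    if "phase2_timeout" in seen or "expire_no_handler" in seen:
        return "phase2_timeout", ("phase 1 succeeded but no IPsec-SA was agreed before the timer "
                                  "ran out: compare the phase 2 proposal (ESP cipher/auth, PFS) "
                                  "and the traffic selectors (subnets in sainfo and spdadd) "
                                  "with the peer's tunnel definition")
    if "phase2_started" in seen:
        return "phase2_incomplete", "phase 2 started but the log ends before it finished"
    return "phase1_only", "ISAKMP-SA established, no phase 2 negotiation attempted"


if __name__ == "__main__":
    stage, hint = diagnose(RACOON_LOG)
    print(f"stage: {stage}")
    print(f"hint:  {hint}")
    print(f"ISAKMP SA: {isakmp_sa(RACOON_LOG)}")
```

Run it against a saved racoon log (`python3 racoon_stage.py < racoon.log` after swapping RACOON_LOG for sys.stdin.read()) when working through a tunnel that "almost" comes up; the stage tells you which half of the configuration to compare against the other peer, which matters because the Vigor's GUI only exposes a single combined tunnel definition.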



More information about the linux mailing list