# setting IPSEC tunnel with ipsec-tools



## bored_to_death (Jun 2, 2010)

hi guys,

I'm trying to set up an IPsec tunnel between two FreeBSD hosts and I'm having a problem. I installed ipsec-tools-0.7.3 on FreeBSD 8.0. I defined a gif0 interface and a loopback address on each host and set up all the required routes, racoon configs, etc.

My problem is: when I start racoon on both hosts at the same time, the IPsec tunnel comes up and works perfectly. But if I start racoon on one host and only start it on the other one or two minutes later, nothing happens and neither host sends a single packet from its ISAKMP port (UDP 500).

I started both racoons in foreground mode, but no failure is reported. The initiator's racoon says:


```
....
2010-06-02 15:08:14: DEBUG: policy.c:187:cmpspidxstrict(): sub:0xbfbfe2dc: 10.10.20.0/24[0] 10.10.10.0/24[0] proto=any dir=out
2010-06-02 15:08:14: DEBUG: policy.c:188:cmpspidxstrict(): db :0x28547148: 10.10.10.0/24[0] 10.10.20.0/24[0] proto=any dir=in
2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
2010-06-02 15:08:17: DEBUG: grabmyaddr.c:676:update_myaddrs(): msg 1 not interesting
```
and when I start the other racoon a minute later, nothing further is logged on either side.

can anyone help me? any hints would be appreciated.
thank you.


----------



## bored_to_death (Jun 3, 2010)

If anyone has experience setting up IPsec tunnels on FreeBSD, I would really appreciate any hints. I have been stuck on this problem for quite a long time and I really don't know why it happens. There surely has to be a racoon configuration parameter that controls this, but I have tested everything and searched everywhere and nothing worked.

i thought it might help if i show you my racoon.conf:

```
# racoon.conf for the 192.168.10.1 end of the tunnel (the peer's file mirrors it).
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; 
# NOTE(review): "debug" records every negotiation step; once the tunnel works,
# drop back to "notify" so the log does not retain more peer detail than needed.
log     debug;

# Padding options as shipped in the sample config (marked there as not to be changed).
padding
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}
	
# Retransmission and negotiation timeouts.
timer
{
        # NOTE(review): counter is the retry count and interval the gap between
        # retries (see the comments on the sample-derived config later in this
        # thread, which uses counter 5); 5000 x 20 s keeps a failed negotiation
        # retrying for more than a day.
        counter         5000;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        # Timeouts for the phase 1 and phase 2 negotiations.
        phase1          30 sec;
        phase2          15 sec;
}

		
# Local ISAKMP endpoint. NOTE(review): the ifconfig output in this post shows
# eth1, which carries 192.168.10.1, with "status: no carrier"; if that was the
# state during the test, no ISAKMP packet can leave this host regardless of
# what racoon is configured to do.
listen
{
        isakmp          192.168.10.1 [500];
}

# Phase 1 (IKE) settings for peer 192.168.10.2.
remote  192.168.10.2 [500]
{
        # NOTE(review): offering aggressive mode with a pre-shared key sends the
        # identity and the PSK-derived hash before encryption starts, so an
        # on-path observer can attack the PSK offline. Use "main" alone unless
        # a peer genuinely needs aggressive mode.
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        # Both peers identify themselves by their tunnel endpoint address.
        my_identifier   address 192.168.10.1;
        peers_identifier        address 192.168.10.2;
        lifetime        time 8 hour;
        # passive off: this side may initiate as well as respond. NOTE(review):
        # as I understand racoon, it still only initiates when the kernel raises
        # an ACQUIRE for traffic matching an SPD entry, so a tunnel that carries
        # no traffic will not come up on its own — test with a ping across gif0
        # while watching udp/500 with tcpdump. Confirm against racoon.conf(5).
        passive         off;
        # obey: per racoon.conf(5), accept the initiator's proposal values as sent.
        proposal_check  obey;
#       nat_traversal   off;
        # SPD entries come from setkey.conf, not from the negotiation.
        generate_policy off;
        # NOTE(review): per racoon.conf(5), as I read it, this makes racoon act
        # on unencrypted (unauthenticated) deletion messages; it is off by
        # default and may let anyone who can reach UDP/500 tear the tunnel down.
        # Confirm it is actually needed here before keeping it.
		weak_phase1_check on;
        proposal {
                # NOTE(review): DES (56-bit key), MD5 and MODP group 1 (768-bit)
                # are obsolete; prefer aes, sha256 (sha1 if the peer cannot) and
                # dh_group 14 if this ipsec-tools build supports them. Change
                # both peers together or phase 1 will fail to match.
                encryption_algorithm   des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                # NOTE(review): this 30 s phase-1 lifetime differs from the
                # "8 hour" value above; confirm which one racoon proposes — a
                # 30 s IKE SA forces a full re-authentication every 30 seconds.
                lifetime time           30 sec;
                dh_group                1;
        }
}

# Phase 2 (IPsec SA) parameters for the 10.10.20.0/24 <-> 10.10.10.0/24
# selectors, matching the spdadd entries in the setkey.conf shown in this post.
sainfo  (address 10.10.20.0/24 any address 10.10.10.0/24 any)
{
        # NOTE(review): group 1 (768-bit) PFS, 3DES/DES and HMAC-MD5 are all
        # obsolete choices; prefer pfs_group 14, aes and hmac_sha256 (or
        # hmac_sha1), and drop "des" from the list so the peer cannot negotiate
        # down to it.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    3des,des;
        authentication_algorithm        hmac_md5;
        # deflate = IPComp compression of the payload before ESP.
        compression_algorithm   deflate;
}
```

and my setkey.conf is:

```
# Clear the SAD (flush) and the SPD (spdflush) before loading the policy below.
flush;
spdflush;
# Tunnel-mode ESP between 192.168.10.1 and 192.168.10.2 for the 10.10.20.0/24
# <-> 10.10.10.0/24 selectors; the "in" entry mirrors the "out" entry.
# NOTE(review): the trailing "use" level is fail-open — when no SA exists,
# matching outbound traffic is sent in the clear and unprotected inbound
# traffic is accepted. For a VPN that must not leak, use "require" on both
# peers; "require" drops matching traffic instead of sending it unprotected.
spdadd 10.10.20.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/192.168.10.1-192.168.10.2/use;
spdadd 10.10.10.0/24 10.10.20.0/24 any -P in ipsec esp/tunnel/192.168.10.2-192.168.10.1/use;
```

and this is my ifconfig:

```
eth1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=1bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4>
	ether 00:22:64:98:d6:38
	inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
	media: Ethernet autoselect (none)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
	inet 10.10.20.1 netmask 0xffffff00 
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
	tunnel inet 192.168.10.1 --> 192.168.10.2
	inet 10.10.20.1 --> 10.10.10.1 netmask 0xffffff00 
	options=1<ACCEPT_REV_ETHIP_VER>
```

the other host has the exact same config, but of course just the ip addresses are reversed.


----------



## mohsen_alexy (Jun 4, 2010)

Hi ,

i have the same problem. i have tried to change all time related parameters of racoon.conf ("timer" section and lifetime in proposal) ,but without any success.

If I start the racoon daemon on both FreeBSD boxes at the same time, the tunnel is created successfully, but if one racoon is started more than 10 seconds after the other, nothing happens.

any suggestions?

Regards,
Mohsen


----------



## beaute (Jun 4, 2010)

I don't know if this will be of any help, but try changing the policy level from `use` to `require` in your setkey file. I have successfully created multiple tunnels using racoon and have no problems (at least, none that I'm aware of). At the beginning I was using `use` instead of `require`, which was essentially establishing the secure connection but nothing more: the rest of the communication went in the clear, simply because `use` allows traffic to go in the clear whenever no SA is available.

This is my setkey file if it helps:

```
# Clear the SAD (flush) and the SPD (spdflush) before loading the policies.
flush;
spdflush;
# To the home network
# NOTE(review): the two commented "add" lines would install manual SAs with a
# fixed, trivially guessable DES key (0x1212...). Keep them commented out or
# delete them; racoon negotiates the keys for the policies below.
#add 192.168.1.2 192.168.1.1 esp 12346 -E des-cbc 0x1212121212121212;
#add 192.168.1.1 192.168.1.2  esp 12345 -E des-cbc 0x1212121212121212;
# Three tunnels, one per gif interface. Source and destination selectors are the
# same /24 because both ends of each gif sit in that subnet. "require" means
# matching traffic is dropped rather than sent in the clear when no SA exists.
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/require;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/require;
spdadd 10.60.0.0/24 10.60.0.0/24 any -P out ipsec esp/tunnel/192.168.1.100-192.168.1.200/require;
spdadd 10.60.0.0/24 10.60.0.0/24 any -P in ipsec esp/tunnel/192.168.1.200-192.168.1.100/require;
spdadd 10.30.0.0/24 10.30.0.0/24 any -P out ipsec esp/tunnel/192.168.1.10-192.168.1.20/require;
spdadd 10.30.0.0/24 10.30.0.0/24 any -P in ipsec esp/tunnel/192.168.1.20-192.168.1.10/require;
```


----------



## mohsen_alexy (Jun 5, 2010)

hi beaute,

thank you for your response.
unfortunately changing the use keyword to require did not solve my problem.


----------



## beaute (Jun 7, 2010)

Hello Mohsen, 

I noticed you did not post your racoon.conf. Here are my racoon.conf contents; you can compare and see whether there is something I did that you're missing. I'm running three instances of racoon, one for each tunnel; the configuration below is just for one tunnel — the file is duplicated and altered for the other two tunnels. I run setkey and racoon manually (I don't start them from rc.conf).

Setkey:
`setkey -F && setkey -FP && setkey -f /path/to/setkey.conf` (flush the SAD, flush the SPD, then load the policy file)

racoon
`/usr/local/sbin/racoon -F -f /path/to/racoon.conf -l /path/to/racoon.log` (`-F` keeps racoon in the foreground, `-l` sets the log file)

I tried my settings again just to confirm, this time, i started the three instances of racoon on one machine, waiting 10 full minutes, then started the other three instances of racoon on the other machine. I monitored the traffic using tcpdump. I pinged from each host and vice versa, everything works perfectly. 


```
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
# racoon.conf for one of three tunnels (192.168.1.1 <-> 192.168.1.2); the other
# two instances use copies of this file with the addresses changed.

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
# NOTE(review): drop to "notify" once the tunnels are stable; "debug" records
# every negotiation in the log file.
log debug;

padding # options are not to be changed
{
        maximum_length  20;	# maximum padding length
        randomize       off;	# enable randomize length
        strict_check    off;	# enable strict check
        exclusive_tail  off;	# extract last one octet
}

listen  # address [port] that racoon will listening on
{
        isakmp          192.168.1.1 [500];
        #isakmp_natt     192.168.1.1 [4500];
}

timer   # timing options. change as needed
{
        counter         5;	# maximum trying count to send
        interval        20 sec;	# maximum interval to resend
        persend         1;	# the number of packets per a send

#       natt_keepalive  15 sec;
        phase1          60 sec;
        phase2          25 sec;
}

# Phase 1 (IKE) settings for peer 192.168.1.2.
remote 192.168.1.2 [500]
{
	# NOTE(review): aggressive mode is listed first, so it is what this side
	# proposes. With pre_shared_key, aggressive mode sends the identity and the
	# PSK-derived hash before encryption starts, exposing the PSK to offline
	# guessing by anyone on the path. List "main" first (or alone).
	exchange_mode   aggressive,main;
        doi             ipsec_doi;
        situation       identity_only;

#	nonce_size 16;
	# Identifiers are left commented out; presumably racoon then defaults to
	# the socket address, which works here because both endpoints are fixed —
	# confirm against racoon.conf(5).
#        my_identifier   address 192.168.1.1;
#        peers_identifier        address 192.168.1.2;
        lifetime        time 8 hour;
	# NOTE(review): per racoon.conf(5), as I read it, this sends an
	# INITIAL-CONTACT notification so the peer discards SAs left over from an
	# earlier run; worth checking whether it matters for the restart-order
	# problem discussed in this thread.
	initial_contact	on;
        # passive off: this side may initiate as well as respond.
        passive         off;
        # obey: per racoon.conf(5), accept the initiator's proposal values as sent.
        proposal_check  obey;
#       nat_traversal   off;
        # SPD entries come from the setkey file, not from the negotiation.
        generate_policy off;

	proposal {
		# NOTE(review): blowfish is a 64-bit-block cipher; prefer aes. sha1
		# is acceptable as the IKE PRF, sha256 better if both peers support
		# it. dh_group 5 (1536-bit) is tolerable, 14 (2048-bit) preferred.
		encryption_algorithm    blowfish;
		hash_algorithm          sha1;
		authentication_method   pre_shared_key;
		#lifetime time           300 sec;
		dh_group                5;
	}

}

# phase 2 proposal (for IPsec SA).
# NOTE(review): "anonymous" matches whatever phase-2 selectors the peer
# proposes. The kernel SPD from the setkey file still decides which traffic
# is protected, but the per-selector form in the commented line below is the
# tighter choice.
sainfo anonymous
#(address 10.0.0.0/24 any address 10.0.0.0/24 any)
{
        pfs_group       5;
        lifetime        time    36000 sec;
        # NOTE(review): "des" in this list lets the peer negotiate down to
        # 56-bit DES; remove it. hmac_md5 is listed before hmac_sha1 and so is
        # preferred — reverse the order or drop md5 (hmac_sha256 if available).
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        # deflate = IPComp compression of the payload before ESP.
        compression_algorithm   deflate;
}
```

Finally, this is my rc.conf, just in case you missed something there as well. Though if your settings are similar to the OP's, then they should be correct.


```
# Physical interface carrying the three tunnel endpoints: the primary address
# plus two aliases.
ifconfig_msk0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_msk0_alias0="inet 192.168.1.10 netmask 255.255.255.255"
# NOTE(review): alias1 uses 255.255.0.0 while alias0 uses 255.255.255.255; an
# alias in the same subnet as the primary address is normally given a /32
# netmask, so this one looks like a typo — confirm before copying it.
ifconfig_msk0_alias1="inet 192.168.1.100 netmask 255.255.0.0"

# One gif (IP-in-IP) interface per tunnel; the spdadd entries in the setkey
# file above cover the gif inner addresses with tunnel-mode ESP.
cloned_interfaces="gif0 gif1 gif2"
gif_interfaces="gif0 gif1 gif2"

# gifconfig_gifN = outer (tunnel endpoint) addresses; ifconfig_gifN = inner
# point-to-point addresses. NOTE(review): mtu 1500 on the gif leaves no room
# for the outer IP header and ESP overhead if msk0 itself has a 1500-byte MTU,
# so full-size packets will likely be fragmented; the FreeBSD default for gif
# (1280, as in the OP's ifconfig) avoids that.
gifconfig_gif0="192.168.1.1 192.168.1.2"
ifconfig_gif0="inet 10.0.0.1 10.0.0.2 netmask 255.255.255.0 mtu 1500"

gifconfig_gif1="192.168.1.10 192.168.1.20"
ifconfig_gif1="inet 10.30.0.1 10.30.0.2 netmask 255.255.255.0 mtu 1500"

gifconfig_gif2="192.168.1.100 192.168.1.200"
ifconfig_gif2="inet 10.60.0.1 10.60.0.2 netmask 255.255.255.0 mtu 1500"
```


Hope it helps!


----------

