# FreeBSD 10 + racoon + IPSec encryption does not work



## satans (Oct 14, 2014)

Hello community, please help me fix a problem. I have two FreeBSD 10 servers with a gif(4) interface and racoon (IPsec-tools), configured by following https://www.freebsd.org/doc/handbook/ipsec.html
When the setup is complete, I run tcpdump(8) on the external interface and I do not see any ESP packets. For simplicity, I use the names david and goliath in place of the external addresses.

tcpdump on david

```
root@david:~ # tcpdump -nn -i rl1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl1, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
11:55:42.524675 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5007, length 40 (ipip-proto-4)
11:55:42.525208 IP david > goliath: IP 192.168.167.2 > 192.168.10.174: ICMP echo reply, id 10, seq 5007, length 40 (ipip-proto-4)
11:55:43.524688 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5008, length 40 (ipip-proto-4)
11:55:43.525213 IP david > goliath: IP 192.168.167.2 > 192.168.10.174: ICMP echo reply, id 10, seq 5008, length 40 (ipip-proto-4)
11:55:44.526164 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5009, length 40 (ipip-proto-4)
```

tcpdump on goliath

```
root@goliath:~ # tcpdump -nn -i xl1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl1, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
11:56:00.572504 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5006, length 40 (ipip-proto-4)
11:56:00.588811 IP david > goliath: IP 192.168.167.2 > 192.168.10.174: ICMP echo reply, id 10, seq 5006, length 40 (ipip-proto-4)
11:56:01.573397 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5007, length 40 (ipip-proto-4)
11:56:01.589700 IP david > goliath: IP 192.168.167.2 > 192.168.10.174: ICMP echo reply, id 10, seq 5007, length 40 (ipip-proto-4)
11:56:02.573399 IP goliath > david: IP 192.168.10.174 > 192.168.167.2: ICMP echo request, id 10, seq 5008, length 40 (ipip-proto-4)
```

Config files of my servers

*David*

/etc/rc.conf

```
# rc.conf for david. "david"/"goliath" stand in for the two real external addresses.
hostname="david"
# Forward packets between the inner network on rl0 and the tunnel.
gateway_enable="YES"
cloned_interfaces="gif0"
# gif0 inner endpoints: 192.168.167.1 (local, same address as rl0) -> 192.168.10.108 (remote);
# outer endpoints: david -> goliath. This gif encapsulation is what tcpdump shows above
# as "ipip-proto-4".
ifconfig_gif0="inet 192.168.167.1 192.168.10.108 netmask 255.255.252.0 tunnel david goliath"
# rl0: inner LAN (192.168.167.0/24). rl1: external interface, the one tcpdump listens on.
ifconfig_rl0="inet 192.168.167.1 netmask 255.255.255.0"
ifconfig_rl1="inet david netmask 255.255.255.252"
# A.A.A.A is a placeholder for the real default gateway.
defaultrouter="A.A.A.A"
# Send the remote inner network (192.168.8.0/22) into gif0.
static_routes="net1"
route_net1="-net 192.168.8.0/22 192.168.167.1 -ifp gif0"
sshd_enable="YES"
# pf filters on this host; pf.conf is not shown in this post. For the tunnel to work it
# has to pass ESP (IP protocol 50) and IKE (udp 500, plus udp 4500 for NAT-T) between
# david and goliath -- the ports racoon listens on below.
pf_enable="YES"
pf_rules="/etc/pfcfg/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_program="/sbin/pflogd"
pflog_flags=""
pfsync_enable="NO"
pfsync_syncdev=""
pfsync_ifconfig=""
# Load the security policies (SPD) from setkey.conf with setkey(8) at boot.
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
# racoon negotiates IKE phase 1/2 and installs the SAs listed by `setkey -D`.
# No -l flag here, so racoon logs through syslog (goliath logs to a file instead).
racoon_enable="YES"
racoon_flags=""
```

/usr/local/etc/racoon/setkey.conf

```
#!/sbin/setkey -f
# Discard all existing policies (SPD) and SAs (SAD) before loading the new policies.
spdflush;
flush;
# Tunnel-mode ESP between the inner networks; outer endpoints david (local) / goliath (peer).
# Level "use": when a matching SA exists it is used, otherwise the packet is sent in the clear.
# "require" would refuse to send unencrypted instead, which makes a missing/unusable SA show up
# as a hard failure rather than as clear-text traffic on the wire.
# NOTE(review): the packets captured on rl1 are ipip (proto 4) between david and goliath, i.e.
# the gif encapsulation, not ESP. These selectors describe only the inner addresses; confirm
# whether the gif-encapsulated outer traffic (david<->goliath, proto 4) should also be covered.
spdadd 192.168.167.0/24 192.168.8.0/22 any -P out ipsec esp/tunnel/david-goliath/use;
spdadd 192.168.8.0/22 192.168.167.0/24 any -P in ipsec esp/tunnel/goliath-david/use;
```

/usr/local/etc/racoon/psk.txt

```
# Format: <peer identifier> <pre-shared key>. The key must be identical on both peers
# (goliath's psk.txt below carries the same value under the identifier "david").
# This value is reproduced verbatim in this post, so treat it as disclosed and regenerate it.
goliath Eft857Mvnbj67
```

/usr/local/etc/racoon/racoon.conf

```
# racoon(8) IKE configuration for david (peer: goliath).
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
# NOTE(review): while the tunnel is not working, raise this to 'debug' (or 'debug2') so the
# phase 1/2 negotiation with goliath is visible in the log.
log     warning;        #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        # IKE on udp/500 and NAT-T on udp/4500, bound to the external address.
        # If pf filters inbound traffic on rl1 it must allow these from goliath.
        isakmp          david [500];
        isakmp_natt     david [4500];
}

remote  goliath [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        # Both sides identify by outer address; must match the peers_identifier on goliath.
        my_identifier   address david;
        peers_identifier        address goliath;
        lifetime        time 8 hour;
        passive         off;
        # obey: as responder, accept the initiator's proposal values as-is.
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        # Phase 1 (ISAKMP SA). 3des / md5 / dh_group 1 (768-bit MODP) are
                        # legacy, weak choices; any change here must be mirrored on goliath.
                        # NOTE(review): a 30 s lifetime inside the proposal sits next to the
                        # 8 hour lifetime above -- confirm which one racoon applies; 30 s means
                        # the phase 1 SA is renegotiated constantly.
                        proposal {
                                encryption_algorithm    3des;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }
}

# Phase 2 (IPsec SA) for the inner networks; the selectors match the spdadd lines in
# setkey.conf. The installed SAs in `setkey -D` (rijndael-cbc / hmac-sha1, hard 28800 s)
# are consistent with this block. pfs_group modp1024 is DH group 2.
sainfo  (address 192.168.167.0/24 any address 192.168.8.0/22 any)       # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                                                               # $network must be the two internal networks you are joining.
        pfs_group       modp1024;
        lifetime        time    28800 sec;
        encryption_algorithm    aes;
        authentication_algorithm        hmac_sha1;
        compression_algorithm   deflate;
}
```

setkey

```
root@david:~ # setkey -D
david goliath
        esp mode=tunnel spi=245415421(0x0ea0bdfd) reqid=0(0x00000000)
        E: rijndael-cbc  24f97abd a101ab74 c61595e9 eb7a0462
        A: hmac-sha1  858df010 c7f8f304 0d436541 ac2c1ceb 433270cd
        seq=0x00000016 replay=4 flags=0x00000000 state=mature
        created: Oct 14 11:39:35 2014   current: Oct 14 12:08:56 2014
        diff: 1761(s)   hard: 28800(s)  soft: 23040(s)
        last: Oct 14 12:05:03 2014      hard: 0(s)      soft: 0(s)
        current: 2992(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 22   hard: 0 soft: 0
        sadb_seq=1 pid=3786 refcnt=2
goliath david
        esp mode=tunnel spi=218330869(0x0d0376f5) reqid=0(0x00000000)
        E: rijndael-cbc  17ca9d9d b5d4ccb1 58a288f2 a0776d03
        A: hmac-sha1  ea955cb8 289590f8 f408f01b f4e86852 11ed34b4
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct 14 11:39:35 2014   current: Oct 14 12:08:56 2014
        diff: 1761(s)   hard: 28800(s)  soft: 23040(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3786 refcnt=1
```


```
root@david:~ # setkey -DP
192.168.8.0/22[any] 192.168.167.0/24[any] any
        in ipsec
        esp/tunnel/goliath-david/use
        spid=4 seq=1 pid=3791
        refcnt=1
192.168.167.0/24[any] 192.168.8.0/22[any] any
        out ipsec
        esp/tunnel/david-goliath/use
        spid=3 seq=0 pid=3791
        refcnt=1
```


*Goliath*

/etc/rc.conf

```
# rc.conf for goliath. "david"/"goliath" stand in for the two real external addresses.
hostname="goliath"
# Forward packets between the inner network on xl0 and the tunnel.
gateway_enable="YES"
cloned_interfaces="gif0"
# gif0 inner endpoints: 192.168.10.108 (local, same address as xl0) -> 192.168.167.1 (remote);
# outer endpoints: goliath -> david. Mirror of david's gif0; this encapsulation is what
# tcpdump shows above as "ipip-proto-4".
ifconfig_gif0="inet 192.168.10.108 192.168.167.1 netmask 255.255.255.0 tunnel goliath david"
# xl0: inner LAN (192.168.8.0/22). xl1: external interface, the one tcpdump listens on.
ifconfig_xl0="inet 192.168.10.108 netmask 255.255.252.0"
ifconfig_xl1="inet goliath netmask 255.255.255.224"
# B.B.B.B is a placeholder for the real default gateway.
defaultrouter="B.B.B.B"
# Send the remote inner network (192.168.167.0/24) into gif0.
static_routes="net1"
route_net1="-net 192.168.167.0/24 192.168.10.108 -ifp gif0"
# pf filters on this host; pf.conf is not shown in this post. For the tunnel to work it
# has to pass ESP (IP protocol 50) and IKE (udp 500, plus udp 4500 for NAT-T) between
# goliath and david -- the ports racoon listens on below.
pf_enable="YES"
pf_rules="/etc/pfcfg/pf.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_program="/sbin/pflogd"
pflog_flags=""
pfsync_enable="NO"
pfsync_syncdev=""
pfsync_ifconfig=""
# Load the security policies (SPD) from setkey.conf with setkey(8) at boot.
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
dumpdev="AUTO"
# racoon negotiates IKE phase 1/2 and installs the SAs listed by `setkey -D`.
# -l writes racoon's log to this file: the first place to look for phase 1/2 errors.
racoon_enable="YES"
racoon_flags="-l /var/log/racoon4.log"
sshd_enable="YES"
ntpd_enable="NO"
```

/usr/local/etc/racoon/setkey.conf

```
#!/sbin/setkey -f
# Discard all existing policies (SPD) and SAs (SAD) before loading the new policies.
spdflush;
flush;
# Mirror of david's policies: tunnel-mode ESP between the inner networks, outer endpoints
# goliath (local) / david (peer).
# Level "use": when a matching SA exists it is used, otherwise the packet is sent in the clear.
# "require" would refuse to send unencrypted instead, which makes a missing/unusable SA show up
# as a hard failure rather than as clear-text traffic on the wire.
# NOTE(review): the packets captured on xl1 are ipip (proto 4) between goliath and david, i.e.
# the gif encapsulation, not ESP. These selectors describe only the inner addresses; confirm
# whether the gif-encapsulated outer traffic (goliath<->david, proto 4) should also be covered.
spdadd 192.168.8.0/22 192.168.167.0/24 any -P out ipsec esp/tunnel/goliath-david/use;
spdadd 192.168.167.0/24 192.168.8.0/22 any -P in ipsec esp/tunnel/david-goliath/use;
```

/usr/local/etc/racoon/psk.txt

```
# Format: <peer identifier> <pre-shared key>. The key must be identical on both peers
# (david's psk.txt above carries the same value under the identifier "goliath").
# This value is reproduced verbatim in this post, so treat it as disclosed and regenerate it.
david Eft857Mvnbj67
```

/usr/local/etc/racoon/racoon.conf

```
# racoon(8) IKE configuration for goliath (peer: david). Logs go to /var/log/racoon4.log
# via the -l flag in rc.conf.
path    pre_shared_key  "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
# NOTE(review): while the tunnel is not working, raise this to 'debug' (or 'debug2') so the
# phase 1/2 negotiation with david is visible in the log.
log     warning;  #log verbosity setting: set to 'notify' when testing and debugging is complete

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listen on
{
        # IKE on udp/500 and NAT-T on udp/4500, bound to the external address.
        # If pf filters inbound traffic on xl1 it must allow these from david.
        isakmp          goliath [500];
        isakmp_natt     goliath [4500];
}

remote  david [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        # Both sides identify by outer address; must match the peers_identifier on david.
        my_identifier   address goliath;
        peers_identifier        address david;
        lifetime        time 8 hour;
        passive         off;
        # obey: as responder, accept the initiator's proposal values as-is.
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        # Phase 1 (ISAKMP SA). 3des / md5 / dh_group 1 (768-bit MODP) are
                        # legacy, weak choices; any change here must be mirrored on david.
                        # NOTE(review): a 30 s lifetime inside the proposal sits next to the
                        # 8 hour lifetime above -- confirm which one racoon applies; 30 s means
                        # the phase 1 SA is renegotiated constantly.
                        proposal {
                                encryption_algorithm    3des;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }
}

# Phase 2 (IPsec SA) for the inner networks; the selectors match the spdadd lines in
# setkey.conf. The installed SAs in `setkey -D` (rijndael-cbc / hmac-sha1, hard 28800 s)
# are consistent with this block. pfs_group modp1024 is DH group 2.
sainfo  (address 192.168.8.0/22 any address 192.168.167.0/24 any)       # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                                                               # $network must be the two internal networks you are joining.
        pfs_group       modp1024;
        lifetime        time    28800 sec;
        encryption_algorithm    aes;
        authentication_algorithm        hmac_sha1;
        compression_algorithm   deflate;
}
```

setkey

```
root@goliath:~ # setkey -D
goliath david
        esp mode=tunnel spi=218330869(0x0d0376f5) reqid=0(0x00000000)
        E: rijndael-cbc  17ca9d9d b5d4ccb1 58a288f2 a0776d03
        A: hmac-sha1  ea955cb8 289590f8 f408f01b f4e86852 11ed34b4
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct 14 11:39:54 2014   current: Oct 14 12:31:30 2014
        diff: 3096(s)   hard: 28800(s)  soft: 23040(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=3895 refcnt=1
david goliath
        esp mode=tunnel spi=245415421(0x0ea0bdfd) reqid=0(0x00000000)
        E: rijndael-cbc  24f97abd a101ab74 c61595e9 eb7a0462
        A: hmac-sha1  858df010 c7f8f304 0d436541 ac2c1ceb 433270cd
        seq=0x0000002a replay=4 flags=0x00000000 state=mature
        created: Oct 14 11:39:54 2014   current: Oct 14 12:31:30 2014
        diff: 3096(s)   hard: 28800(s)  soft: 23040(s)
        last: Oct 14 12:29:56 2014      hard: 0(s)      soft: 0(s)
        current: 4032(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 42   hard: 0 soft: 0
        sadb_seq=0 pid=3895 refcnt=1
```


```
root@sr-vpn-e:~ # setkey -DP
192.168.167.0/24[any] 192.168.8.0/22[any] any
        in ipsec
        esp/tunnel/david-goliath/use
        spid=4 seq=1 pid=3907
        refcnt=1
192.168.8.0/22[any] 192.168.167.0/24[any] any
        out ipsec
        esp/tunnel/goliath-david/use
        spid=3 seq=0 pid=3907
        refcnt=1
```

Please help me, thanks.


----------

