# VPN and racoon



## rafalj (Jun 18, 2010)

Hi, I try to configure VPN but it dont want to work.

This is scheme:

```
10.10.1.90 <--> externalIP1 <--> MY external IP
```

My /etc/ipsec.conf where I type setkey -f

```
cat /etc/ipsec.conf 
flush;
spdflush;
spdadd MY_EXTERNAL_IP 10.10.1.0/24 any -P out ipsec esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require;
spdadd 10.10.1.0/24 MY_EXTERNAL_IP any -P in ipsec esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require;
```

My racoon.conf:

```
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp MY_EXTERNAL_IP [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote EXTERNAL_IP1
{
    exchange_mode main, aggressive;
    doi			ipsec_doi;
    my_identifier address;
    nonce_size 16;
    lifetime time 8 hour;   # sec,min,hour
    initial_contact on;
    proposal_check obey;    # obey, strict or claim
    
    proposal {
	encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
        lifetime time		28800 sec;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
    
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}
```

And results:

```
$setkey -D
No SAD entries.

$setkey -DP
10.10.1.0/24[any] MY_EXTERNAL_IP/24[any] any
	in ipsec
	esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require
	created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16415 seq=1 pid=70379
	refcnt=1
MY_EXTERNAL_IP/24[any] 10.10.1.0/24[any] any
	out ipsec
	esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require
	created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16414 seq=0 pid=70379
	refcnt=1
```

pings dont show anything - all packets are lost.

And part of racoon.log

```
2010-06-18 11:45:00: DEBUG: pk_recv: retry[0] recv() 
2010-06-18 11:45:00: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:00: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:00: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] 7MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:00: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:00: DEBUG: getsainfo pass #2
2010-06-18 11:45:00: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:00: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:00: DEBUG: in post_acquire
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: INFO: IPsec-SA request for EXTERNAL_IP1 queued due to no phase1 found.
2010-06-18 11:45:00: ERROR: unknown AF: 0
2010-06-18 11:45:00: DEBUG: ===
2010-06-18 11:45:00: INFO: initiate new phase 1 negotiation: MY_EXTERNAL_IP[500]<=>95.130.250.98[500]
2010-06-18 11:45:00: INFO: begin Identity Protection mode.
2010-06-18 11:45:00: DEBUG: new cookie:
1057cf78f6df7c03 
2010-06-18 11:45:00: DEBUG: add payload of len 48, next type 13
2010-06-18 11:45:00: DEBUG: add payload of len 16, next type 0
2010-06-18 11:45:00: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-18 11:45:00: DEBUG: resend phase1 packet 1057cf78f6df7c03:0000000000000000
2010-06-18 11:45:12: DEBUG: pk_recv: retry[0] recv() 
2010-06-18 11:45:12: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:12: DEBUG: Zombie ph2 found, expiring it
2010-06-18 11:45:12: INFO: phase2 sa expired MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:12: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:12: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:12: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:12: DEBUG: getsainfo pass #2
2010-06-18 11:45:12: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:12: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:12: DEBUG: in post_acquire
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2010-06-18 11:45:13: INFO: phase2 sa deleted MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:13: DEBUG: an undead schedule has been deleted.
2010-06-18 11:45:20: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
```

What I do wrong and how can I fix it?
I use FreeBSD 6.3


----------

