# IPsec Routing Issue



## cohoe (Oct 28, 2011)

I am trying to setup a client(s)->server IPsec VPN using Racoon (from security/ipsec-tools). I compiled my kernel with IPSEC, IPSEC_NAT_T, and crypto per the FreeBSD Handbook. 

My /usr/local/etc/racoon/racoon.conf file looks like this:

```
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log     debug;

     remote anonymous
     {
             exchange_mode aggressive,main,base;
             lifetime time 24 hour;
                   mode_cfg on;
             proposal {
                     encryption_algorithm aes;
                     hash_algorithm md5;
                     authentication_method xauth_psk_server;
                     dh_group 2;
             }
                   verify_identifier off;
                   generate_policy on;
     }


sainfo anonymous
     {
             pfs_group 2;
             lifetime time 12 hour ;
             encryption_algorithm 3des, blowfish 448 ;
             authentication_algorithm hmac_sha1, hmac_md5 ;
             compression_algorithm deflate ;
     }

mode_cfg {
        auth_source radius;
        accounting radius;
        network4 10.120.100.1;
        netmask4 255.255.255.0;
        pool_size 200;
        split_network include 10.120.100.0/24;
        save_passwd on;
        banner "/etc/racoon/banner";
        pfs_group 1;
}

radiuscfg {
        auth "MYAUTHSERVERGOESHERE" 1812 "MYSECRETGOESHERE";
        acct "MYAUTHSERVERGOESHERE" 1813 "MYSECRETGOESHERE";
}
```

And my /usr/local/etc/racoon/setkey.conf

```
#!/usr/local/sbin/setkey -f

flush;
spdflush;
spdadd 10.120.100.254 0.0.0.0 any -P out ipsec
        esp/tunnel/IPv4_OF_THE_SERVER-0.0.0.0/require;
spdadd 0.0.0.0 10.120.100.0/24 any -P in ipsec
        esp/tunnel/0.0.0.0-IPv4_OF_THE_SERVER/require;
```

And lastly, the relevant portions of my /etc/rc.conf

```
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
static_routes="vpn"
route_vpn="-net 10.120.100.0/24 IPv4_OF_THE_SERVER"
```

I have my re0 interface configured with an alias address of 10.120.100.254.

I have enabled the following in my /etc/sysctl.conf and rebooted:

```
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
```

I am using the built-in Cisco IPsec client in Mac OSX to do my testing. I can connect to the server fine. I get prompted for my credentials (which I enter) and it associates and hands me an IP address out of the pool (10.120.100.1-10.120.100.200) that I configured in my racoon.conf. 

So here is the problem:
I cannot ping 10.120.100.254 from my client (10.120.100.1). tcpdump shows me the ESP packets coming in from the remote host, but I do not believe they are being processed by the system and decoded. It's interesting because the same setup & configuration on Debian Linux (minus the RADIUS authentication) works just fine. Can anyone help me understand what might be going on here? Thanks in advance!


----------

