# racoon status



## j4ck (Apr 27, 2013)

Hi

After running racoon, is there any way to find out whether a tunnel has been established or not? Or checking racoon status? Besides investigating the racoon log file.


----------



## Anonymous (Apr 27, 2013)

j4ck said:

> Hi
> After running racoon, are there any ways to find out whether the tunnel has been established or not? Or checking racoon status? Besides investigating the racoon log file.



Have a look at setkey(8) to see whether it serves your needs.

Examples:

`# /usr/local/sbin/setkey -D`

This will dump a list of Security Associations.

`# /usr/local/sbin/setkey -DP`

This will dump the Security Policies, which, depending on the racoon configuration, might be dynamic.

Note that FreeBSD also has a system /sbin/setkey command. However, you might want to use the one that has been installed by security/ipsec-tools.

In addition, ifconfig(8) can be used to list the active interfaces; the tunnel interface should be among them.


----------



## j4ck (May 1, 2013)

rolfheinrich said:

> Have a look at setkey(8) to see whether it serves your needs.
> 
> Examples:
> 
> ...



Thanks. Would you please explain each field and what information it shows? e.g. hard and soft fields?


----------



## Anonymous (May 1, 2013)

j4ck said:

> Thanks. Would you please explain each field and what information it shows? e.g. hard and soft fields?



Here is the output of `# /usr/local/sbin/setkey -D` right after I initiated an L2TP/IPsec session from my iPhone to the FreeBSD 9.1 server (using imaginary example IP addresses).


```
192.168.0.1[4500] 179.229.99.144[4500] 
	esp-udp mode=transport spi=253776086(0x0f2050d6) reqid=1(0x00000001)
	NAT OAi=179.80.100.10
	NAT OAr=179.229.99.144
	E: aes-cbc  fe2f107d 3d0b25fd b5edb87b 1b70190f a06fb02e 38c21488 fb28e081 25b70447
	A: hmac-sha1  2940a792 2dcd73c1 12f6d17f 34cdd45e 61dd62d4
	seq=0x00000025 replay=4 flags=0x00000000 state=mature 
	created: May  1 11:48:34 2013	current: May  1 11:49:17 2013
	diff: 43(s)	hard: 3600(s)	soft: 2880(s)
	last: May  1 11:48:46 2013	hard: 0(s)	soft: 0(s)
	current: 9320(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 37	hard: 0	soft: 0
	sadb_seq=1 pid=21130 refcnt=2
179.229.99.144[4500] 192.168.0.1[4500] 
	esp-udp mode=transport spi=122323115(0x074a80ab) reqid=1(0x00000001)
	NAT OAi=179.229.99.144
	NAT OAr=179.80.100.10
	E: aes-cbc  018e9585 5ca333d6 3b3cd4da 9727aad0 48372e8e 3c6c8e7c dd624281 e814e49e
	A: hmac-sha1  c53392b4 7d608259 71694ded b6d83498 87f6a741
	seq=0x0000002f replay=4 flags=0x00000000 state=mature 
	created: May  1 11:48:34 2013	current: May  1 11:49:17 2013
	diff: 43(s)	hard: 3600(s)	soft: 2880(s)
	last: May  1 11:48:46 2013	hard: 0(s)	soft: 0(s)
	current: 4026(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 47	hard: 0	soft: 0
	sadb_seq=0 pid=21130 refcnt=1
```

The SA lifetime can be expressed in (s) = seconds or (bytes). In this respect, a limit of 0 means no limit. When reaching the hard limit, the SA will be unconditionally purged. When reaching the soft limit, the key management will be informed, so that it can negotiate a new SA with the remote host before the hard limit expires.

So, in the above example, the two SAs have consumed 43 s of the total lifetime of 3600 s. At an age of 2880 s, racoon would start negotiation for new SAs with the remote host.


----------
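Added example (not part of the thread or of ipsec-tools): one way to answer the original question from `setkey -D` output alone, by checking that a mature SA exists in each direction and how far each SA is from the soft and hard limits explained above. The function names `parse_sad`, `tunnel_up` and `lifetime_left` are hypothetical, and the sample input is constructed.

```python
import re

# Constructed sample in the `setkey -D` layout quoted above: documentation
# addresses, key (E:/A:) lines left out, second SA already past its soft limit.
SAMPLE = """\
192.0.2.1[4500] 198.51.100.7[4500]
\tesp-udp mode=transport spi=253776086(0x0f2050d6) reqid=1(0x00000001)
\tseq=0x00000025 replay=4 flags=0x00000000 state=mature
\tdiff: 43(s)\thard: 3600(s)\tsoft: 2880(s)
198.51.100.7[4500] 192.0.2.1[4500]
\tesp-udp mode=transport spi=122323115(0x074a80ab) reqid=1(0x00000001)
\tseq=0x0000002f replay=4 flags=0x00000000 state=mature
\tdiff: 2900(s)\thard: 3600(s)\tsoft: 2880(s)
"""

LIFETIME = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")

def parse_sad(text):
    """Turn `setkey -D` text into one dict per Security Association."""
    sas = []
    for line in text.splitlines():
        # setkey prints "No SAD entries." when the SAD is empty
        if not line.strip() or line.startswith("No SAD entries"):
            continue
        parts = line.split()
        if not line[0].isspace() and len(parts) >= 2:
            # unindented "src[port] dst[port]" line opens a new SA
            src, dst = (re.sub(r"\[\d+\]$", "", a) for a in parts[:2])
            sas.append({"src": src, "dst": dst})
        elif sas and line[0].isspace():
            sa = sas[-1]
            for key in ("mode", "spi", "state"):
                if m := re.search(rf"\b{key}=(\w+)", line):
                    sa[key] = m.group(1)
            if m := LIFETIME.search(line):  # the time-based lifetime line
                sa["age"], sa["hard"], sa["soft"] = map(int, m.groups())
    return sas

def tunnel_up(sas, local, peer):
    """True only if a mature SA exists in each direction between the hosts."""
    pairs = {(s["src"], s["dst"]) for s in sas if s.get("state") == "mature"}
    return (local, peer) in pairs and (peer, local) in pairs

def lifetime_left(sa):
    """Seconds until the (soft, hard) limits; None if the limit is 0 or unknown."""
    age = sa.get("age")
    left = lambda limit: None if age is None or not limit else limit - age
    return left(sa.get("soft")), left(sa.get("hard"))
```

On a live host the text would come from `setkey -D` run as root instead of `SAMPLE`; a negative soft value means the SA is past the point at which renegotiation should have started.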



## j4ck (May 2, 2013)

Is it right to take the create time as the establishment time of the tunnel?


----------



## Anonymous (May 2, 2013)

j4ck said:

> Is it right to take the create time as the establishment time of the tunnel?



Actually, it is the time when the respective SA was created, and for the example SAs in my last post, the time does indeed match the logged time of the establishment of the IPsec connection.


```
...
2013-05-01 11:48:34: INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->179.229.99.144[500] spi=122323115(0x74a80ab)
2013-05-01 11:48:34: INFO: IPsec-SA established: ESP/Transport 192.168.0.1[500]->179.229.99.144[500] spi=253776086(0xf2050d6)
...
```

However, once the lifetime expires and the key management succeeds in re-negotiating new SAs, there might be new create times that would match the time of the re-establishment of the connection.


----------



## j4ck (May 4, 2013)

Thanks. Why do you have two entries in your SAD but I have four of them? Here is the modified `setkey -D` report:

```
192.168.100.1 172.221.10.2 
	esp mode=tunnel spi=53644524(0x03328cec) reqid=0(0x00000000)
	created: May  4 08:34:01 2013	current: May  4 08:37:07 2013
        sadb_seq=3 pid=24340 refcnt=1
192.168.100.1 172.221.10.2 
	esp mode=tunnel spi=39375239(0x0258d187) reqid=0(0x00000000)
	created: May  4 08:34:00 2013	current: May  4 08:37:07 2013
        sadb_seq=2 pid=24340 refcnt=1
172.221.10.2  192.168.100.1 
	esp mode=tunnel spi=199300376(0x0be11518) reqid=0(0x00000000)
	created: May  4 08:34:01 2013	current: May  4 08:37:07 2013
        sadb_seq=1 pid=24340 refcnt=1   
172.221.10.2  192.168.100.1 
	esp mode=tunnel spi=32297398(0x01ecd1b6) reqid=0(0x00000000)
	created: May  4 08:34:00 2013	current: May  4 08:37:07 2013
        sadb_seq=0 pid=24340 refcnt=1
```


----------



## Anonymous (May 4, 2013)

j4ck said:

> Thanks. Why do you have two entries in your SAD but I have four of them?



Hard to say without knowing anything about your configuration. I can only say that two SAs for each connection is correct and that my VPN connection is working.


----------

