# Stale racoon SAD entry preventing road warrior from reconnecting VPN



## ronjns (Feb 3, 2015)

I upgraded my box to FreeBSD 9.1-RELEASE-p11 #2 some time ago and very recently security/ipsec-tools and net/mpd5 to ipsec-tools-0.8.1_7 and mpd5-5.7_1, after which the VPN connection from my iPhone worked fine just once but failed subsequently until I restarted the racoon daemon. Having restarted racoon, it worked again only once and then failed again unless I restarted racoon (it worked if I reconnected immediately, but if I waited for, say, 2 minutes and tried to connect from the same IP address, it failed).

FYI it was working flawlessly until those upgrades.

After days of troubleshooting and googling, it appears the culprit is a stale SA Database entry:

```
# setkey -Da
x.x.x.x[racoon box] y.y.y.y[iPhone]
    esp mode=transport spi=160981142(0x09986096) reqid=16386(0x00004002)
    E: rijndael-cbc  2b4aad27 6ff97ddc d1525a51 71628bc2 890044eb 6b26861c 0794b4f7 c24867bf
    A: hmac-sha1  bde920e7 2dcdc954 1622f681 5e7b1e41 db3249de
    seq=0x0000000f replay=4 flags=0x00000000 state=mature
    created: Feb  3 21:36:32 2015    current: Feb  3 22:19:06 2015
    diff: 2554(s)    hard: 3600(s)    soft: 2880(s)
    last: Feb  3 21:37:38 2015    hard: 0(s)    soft: 0(s)
    current: 2120(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 15    hard: 0    soft: 0
    sadb_seq=0 pid=2752 refcnt=2
```
This SAD entry (racoon box <> iPhone pair) is always stuck there, whereas the reverse pair (i.e. iPhone <> racoon box) gets flushed without problems after my iPhone disconnects the VPN connection.

As I mentioned, restarting racoon or flushing the stale SAD entry with `# setkey -DF` allowed my iPhone to connect again, but just once.

Any pointer toward a solution is much appreciated.


----------
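The `setkey -Da` listing in the post above carries everything needed to find idle SAs and remove only those, rather than running `setkey -DF`, which flushes every SA on the box and drops every other road warrior's tunnel along with the stale one. The following is an added example and not code from this thread: a small Python parser for `setkey -D` output that flags SAs in state `mature` whose last use is older than a threshold, measured against the `current:` time setkey itself printed, and emits the matching `setkey -c` delete lines. It also handles the never-used case, where setkey prints `last:` with a blank date, by measuring from the creation time instead. The sample listing, the 300-second threshold and the addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Pick out idle SAs from `setkey -D` output and build targeted `setkey -c`
delete lines. Added example, not from the forum thread: the sample listing,
the idle threshold and the addresses (RFC 5737 ranges) are constructed."""
import re
from datetime import datetime

# Constructed listing: the stale racoon-box -> iPhone SA from the post
# (addresses changed), a fresh NAT-T SA, and a NAT-T SA never used since
# creation (setkey prints "last:" with a blank date for those).
SAMPLE = """\
192.0.2.1 198.51.100.7
    esp mode=transport spi=160981142(0x09986096) reqid=16386(0x00004002)
    E: rijndael-cbc  2b4aad27 6ff97ddc d1525a51 71628bc2
    A: hmac-sha1  bde920e7 2dcdc954 1622f681 5e7b1e41 db3249de
    seq=0x0000000f replay=4 flags=0x00000000 state=mature
    created: Feb  3 21:36:32 2015    current: Feb  3 22:19:06 2015
    diff: 2554(s)    hard: 3600(s)    soft: 2880(s)
    last: Feb  3 21:37:38 2015    hard: 0(s)    soft: 0(s)
    current: 2120(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 15    hard: 0    soft: 0
    sadb_seq=0 pid=2752 refcnt=2
203.0.113.9[4500] 192.0.2.1[4500]
    esp-udp mode=transport spi=305419896(0x12345678) reqid=16388(0x00004004)
    seq=0x00000101 replay=4 flags=0x00000000 state=mature
    created: Feb  3 22:10:00 2015    current: Feb  3 22:19:06 2015
    diff: 546(s)    hard: 3600(s)    soft: 2880(s)
    last: Feb  3 22:18:50 2015    hard: 0(s)    soft: 0(s)
    current: 40960(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 257    hard: 0    soft: 0
    sadb_seq=1 pid=2752 refcnt=2
192.0.2.1[4500] 203.0.113.9[4500]
    esp-udp mode=transport spi=2271560481(0x87654321) reqid=16388(0x00004004)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb  3 22:00:00 2015    current: Feb  3 22:19:06 2015
    diff: 1146(s)    hard: 3600(s)    soft: 2880(s)
    last:                         hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=2 pid=2752 refcnt=2
"""

TIME_FMT = "%b %d %H:%M:%S %Y"          # ctime()-style, as setkey prints it


def _ts(text):
    """Parse a setkey timestamp; an all-blank field (never used) gives None."""
    text = text.strip()
    return datetime.strptime(text, TIME_FMT) if text else None


def parse_sad(text):
    """Return one dict per SA. An SA block starts with an unindented
    'src[port] dst[port]' line; every other line of the block is indented."""
    sas = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        head, _, body = block.partition("\n")
        parts = head.split()
        m = re.search(r"^\s*(esp-udp|esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)",
                      body, re.M)
        if len(parts) < 2 or not m:      # not an SA block (e.g. "No SAD entries.")
            continue
        state = re.search(r"state=(\w+)", body)
        created = re.search(r"created:\s*(\S.*?)\s*current:\s*(\S.*?)\s*$",
                            body, re.M)
        last = re.search(r"^\s*last:(.*?)hard:", body, re.M)
        sas.append({
            "src": parts[0], "dst": parts[1],
            "proto": m.group(1), "mode": m.group(2), "spi": int(m.group(3)),
            "state": state.group(1) if state else "?",
            "created": _ts(created.group(1)) if created else None,
            "now": _ts(created.group(2)) if created else None,
            "last": _ts(last.group(1)) if last else None,
        })
    return sas


def stale_sas(text, idle_limit=300):
    """Mature SAs idle longer than idle_limit seconds, judged against the
    'current:' time setkey printed so that saved output is evaluated
    consistently. A never-used SA is measured from its creation time."""
    out = []
    for sa in parse_sad(text):
        ref = sa["last"] or sa["created"]
        if sa["state"] != "mature" or sa["now"] is None or ref is None:
            continue
        idle = (sa["now"] - ref).total_seconds()
        if idle > idle_limit:
            out.append(dict(sa, idle=int(idle)))
    return out


def delete_commands(sas):
    """setkey -c lines removing exactly these SAs; src/dst keep the [port]
    suffix setkey printed, which esp-udp (NAT-T) entries require."""
    return ["delete %s %s %s %d;" % (s["src"], s["dst"], s["proto"], s["spi"])
            for s in sas]


if __name__ == "__main__":
    # Real use: pipe `setkey -D` in and feed the result to `setkey -c`.
    for line in delete_commands(stale_sas(SAMPLE)):
        print(line)
```

On the sample, only the first SA (idle 2488 s, the one from the post) and the never-used third SA (idle 1146 s since creation) are reported; the fresh NAT-T SA with traffic 16 s ago is left alone. Before feeding the output to `setkey -c`, pick a threshold comfortably above the longest idle gap a legitimate client can have, so an idle-but-live tunnel is not torn down.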



## getopt (Feb 3, 2015)

As you upgraded to an unsupported version of FreeBSD, please read:
https://forums.freebsd.org/threads/topics-about-unsupported-freebsd-versions.40469/
http://www.freebsd.org/security/index.html#sup


----------



## obsigna (Feb 3, 2015)

A while back, when I was on FreeBSD 9.x-RELEASE + security/ipsec-tools + net/mpd5, I had a similar issue with L2TP/IPsec-VPN connections. At that time I solved this by using a tear_down.sh shell script (see below):

`nano /usr/local/etc/racoon/tear_down.sh`

```
#!/bin/sh
# Run by racoon as a phase1_down / phase1_dead script; racoon exports
# LOCAL_ADDR, LOCAL_PORT, REMOTE_ADDR and REMOTE_PORT into the environment.
SETKEY=/usr/local/sbin/setkey
LOG=/var/log/racoon.log

# Print "src dst proto spi" for every SA whose source is the peer that went
# down. setkey -D prints the "src[port] dst[port]" line directly before the
# line carrying "esp-udp mode=transport spi=NNN(0x..)", so keep the previous
# line in a variable instead of using sed's N command, which pairs lines by
# position and skips every other SA. Plain string comparison on the address
# replaces the dot-escaping a regex match would need.
peer_sas() {
    $SETKEY -D | /usr/bin/awk -v peer="$REMOTE_ADDR" '
        /spi=/ && (src == peer || index(src, peer "[") == 1) {
            spi = $0; sub(/.*spi=/, "", spi); sub(/\(.*/, "", spi)
            print src, dst, $1, spi
        }
        { src = $1; dst = $2 }'
}

# Delete each matching SA (esp or esp-udp) in one pass and log what was removed.
peer_sas | while read src dst proto spi ; do
    echo "tear down SA: delete $src $dst $proto $spi;" >> "$LOG"
    echo "delete $src $dst $proto $spi;" | $SETKEY -c
done
```
`chmod ugo+x /usr/local/etc/racoon/tear_down.sh`

Then in /usr/local/etc/racoon/racoon.conf I added the two script entries:

```
...
remote anonymous
{
   ...
   script "/usr/local/etc/racoon/tear_down.sh" phase1_down;
   script "/usr/local/etc/racoon/tear_down.sh" phase1_dead;
   ...
```
This takes care of any stale SA after connections have been taken down.

*HOWEVER*, as a matter of fact, you won't need this if you upgrade your system to FreeBSD 10.1-RELEASE and replace security/ipsec-tools with security/strongswan. On my blog I wrote an article about this setup; it is in German, but with an online translation tool it should be possible to understand the essential parts in other languages.

http://blog.obsigna.net/?p=520


----------



## ronjns (Feb 4, 2015)

Thanks getopt and obsigna for your replies.

Unfortunately doing a major version upgrade to FreeBSD 10.1-RELEASE is not feasible at the moment as it is a production box. So I upgraded the box to FreeBSD 9.3-RELEASE-p9 #3.

I tried the script with security/ipsec-tools, but the stale SAD entry is still in the system; only `# setkey -DF` will flush it.

I also tried security/strongswan, but after trying the whole day I am stuck at:

```
Feb  4 16:51:56 moon ipsec: 15[IKE] <L2TP/IPsec-PSK|1> no matching CHILD_SA config found
```
Any further pointer to make either work is appreciated.


----------



## obsigna (Feb 4, 2015)

There was a change in strongswan (v5.2.0 to v5.2.1) which requires that transport mode be indicated in the configuration.

Add the following line to the L2TP/IPsec-PSK configuration section of the file /usr/local/etc/ipsec.conf:

```
conn L2TP/IPsec-PSK
   type = transport
   ...
```
My blog post was written when strongswan v5.2.0 was the current version.


----------



## ronjns (Feb 4, 2015)

Works like a charm, danke schön!


----------

