# [SOLVED] Racoon error after update

## Moreaulf

Hello all!

I had some problems configuring VPN a couple of months ago but thanks to Rob1n and massimo I got a few necessary pushes in the right direction.

A couple of days ago I updated the server's software and since then the Racoon service refuses to start... I've spent a lot of time since the update trying to find out why but I can't seem to find any information relevant enough to work as a solution for me. Kernel upgrade was successful and I have rebuilt it with all (as far as I know) necessary modules for IPsec.

All IPs are translated to HOST1 and HOST2 where HOST1 is the machine I'm working on first (HOST2 has the same setup and I'm trying to set up a working VPN connection between these).

The "/etc/init.d/racoon start" command fails:

```
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...                                                                                      [ !! ]
```

and this is the log presented:

```
2008-02-12 13:16:56: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2008-02-12 13:16:56: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-02-12 13:16:57: DEBUG2: lifetime = 3600
2008-02-12 13:16:57: DEBUG2: lifebyte = 0
2008-02-12 13:16:57: DEBUG2: encklen=0
2008-02-12 13:16:57: DEBUG2: p:1 t:1
2008-02-12 13:16:57: DEBUG2: 3DES-CBC(5)
2008-02-12 13:16:57: DEBUG2: SHA(2)
2008-02-12 13:16:57: DEBUG2: 1024-bit MODP group(2)
2008-02-12 13:16:57: DEBUG2: pre-shared key(1)
2008-02-12 13:16:57: DEBUG2:
2008-02-12 13:16:57: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2008-02-12 13:16:57: DEBUG2: parse successed.
2008-02-12 13:16:57: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
2008-02-12 13:16:57: ERROR: failed to bind to address HOST2[500] (Cannot assign requested address).
```

Cannot assign requested address...?

Here are my configurations:

/etc/conf.d/racoon

```
RACOON_OPTS="-4 -l /var/log/racoon.log"
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
RACOON_RESET_TABLES="true"
```

/etc/ipsec.conf

```
#!/usr/sbin/setkey -f
flush;
spdflush;
add HOST1 HOST2 ah 0x200 -A hmac-md5
0x88dfd37ce0d4b0641f3c14fa9197301c;
add HOST2 HOST1 ah 0x300 -A hmac-md5
0x91bc25a6e4c1e8e592bd9d2cbd09ff0b;
add HOST1 HOST2 esp 0x201 -E rijndael-cbc
0x61272157401bf304177fa8ac0c38de4095992d06c0499cf7;
add HOST2 HOST1 esp 0x301 -E rijndael-cbc
0x49fce5b82ff7acc4d6aded691a0f5f9a65e18861ad4b66bf;
spdadd HOST1 HOST2 any -P out ipsec
       esp/transport//require
       ah/transport//require;
spdadd HOST2 HOST1 any -P in ipsec
       esp/transport//require
       ah/transport//require;
```

/etc/racoon/racoon.conf

```
path pre_shared_key "/etc/racoon/psk.txt";
log debug2;
listen {
        isakmp HOST2;
        strict_address;
}
remote anonymous {
        exchange_mode main;
        my_identifier address HOST1;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                lifetime time 1 hour;
                dh_group 2;
        }
}
sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 1 hour;
}
```

Does anyone know why Racoon doesn't start since the upgrade...?

Many thanks in advance,

/Thomas

Last edited by Moreaulf on Wed Feb 20, 2008 1:31 pm; edited 1 time in total

----------

## elgato319

It looks like something is blocking port 500, so racoon can't bind to it.

```
ERROR: failed to bind to address HOST2[500] (Cannot assign requested address).
```

Could you check if there are other services running which might block this port? (netstat -l)

Is "HOST2" a local LAN address or a public one?

Can you see it in ifconfig?

----------

## Moreaulf

Here's the result of the netstat -l command:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:rsync                 *:*                     LISTEN
tcp        0      0 home.DOMAIN:3307        *:*                     LISTEN
tcp        0      0 home.DOMAIN:3308        *:*                     LISTEN
tcp        0      0 *:rsync                 *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     7431   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     8093   /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     8114   /var/run/mysqld/mysqld2.sock
unix  2      [ ACC ]     STREAM     LISTENING     8133   /var/run/mysqld/mysqld3.sock
unix  2      [ ACC ]     STREAM     LISTENING     8496   /var/run/proftpd/proftpd.sock
unix  2      [ ACC ]     STREAM     LISTENING     8352   /var/run/cgisock
unix  2      [ ACC ]     STREAM     LISTENING     8508   /var/run/proftpd/proftpd.sock
```

Doesn't seem to be anything here, is there? (Ports 3307 and 3308 are MySQL network ports.)

One thing I discovered, though, was this. If I run tcpdump on HOST2 while pinging from HOST1 I get this result:

```
17:15:38.956664 IP HOST1 > HOST2: AH(spi=0x00000200,seq=0x6): ESP(spi=0x00000201,seq=0x6), length 104
```

This even though the machine has been rebooted and neither the iptables nor the Racoon services are started on HOST1 or HOST2 (I'm not getting a reply). If I ping HOST2 from another host I get a reply as expected.

setkey -D gives this on HOST1:

```
HOST2 HOST1
        esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
        E: aes-cbc  49fce5b8 2ff7acc4 d6aded69 1a0f5f9a 65e18861 ad4b66bf
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Feb 12 13:23:45 2008   current: Feb 12 17:21:08 2008
        diff: 14243(s)  hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=32027 refcnt=0
HOST1 HOST2
        esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
        E: aes-cbc  61272157 401bf304 177fa8ac 0c38de40 95992d06 c0499cf7
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Feb 12 13:23:45 2008   current: Feb 12 17:21:08 2008
        diff: 14243(s)  hard: 0(s)      soft: 0(s)
        last: Feb 12 17:06:03 2008      hard: 0(s)      soft: 0(s)
        current: 744(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 6    hard: 0 soft: 0
        sadb_seq=2 pid=32027 refcnt=0
HOST2 HOST1
        ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
        A: hmac-md5  91bc25a6 e4c1e8e5 92bd9d2c bd09ff0b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Feb 12 13:23:45 2008   current: Feb 12 17:21:08 2008
        diff: 14243(s)  hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=32027 refcnt=0
HOST1 HOST2
        ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
        A: hmac-md5  88dfd37c e0d4b064 1f3c14fa 9197301c
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Feb 12 13:23:45 2008   current: Feb 12 17:21:08 2008
        diff: 14243(s)  hard: 0(s)      soft: 0(s)
        last: Feb 12 17:06:03 2008      hard: 0(s)      soft: 0(s)
        current: 888(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 6    hard: 0 soft: 0
        sadb_seq=0 pid=32027 refcnt=0
```

HOST2 is a server on a public IP which is not firewalled (other than with iptables, that is). HOST1 is a NATed server on a private network with a router that forwards IKE port 500 to this host.

Racoon worked before the system upgrade; now it doesn't (I guess you are onto something, but I don't know why netstat doesn't show it).

/Thomas

----------

## elgato319

Hmm.

What exactly did you upgrade that could conflict with IPsec?

Is it possible to boot up some older kernel?

----------

## Moreaulf

Here's a snip from the emerge.log:

```
Started emerge on: Feb 07, 2008 21:21:43
 *** emerge  sync
Started emerge on: Feb 07, 2008 21:46:07
 *** emerge  iproute2
 >>> emerge (1 of 1) sys-apps/iproute2-2.6.22.20070710 to /
 ::: completed emerge (1 of 1) sys-apps/iproute2-2.6.22.20070710 to /
Started emerge on: Feb 07, 2008 22:45:43
 *** emerge  unmerge coldplug
Started emerge on: Feb 07, 2008 22:46:26
 *** emerge  udev
Started emerge on: Feb 07, 2008 22:48:56
 *** emerge  unmerge baselayout
Started emerge on: Feb 07, 2008 22:52:54
 *** emerge  sysvinit
Started emerge on: Feb 07, 2008 22:55:52
 *** emerge --nodeps baselayout
 >>> emerge (1 of 1) sys-apps/baselayout-1.12.10-r5 to /
 ::: completed emerge (1 of 1) sys-apps/baselayout-1.12.10-r5 to /
Started emerge on: Feb 07, 2008 22:56:11
 *** emerge  baselayout
 >>> emerge (1 of 7) sys-apps/sysvinit-2.86-r10 to /
 ::: completed emerge (1 of 7) sys-apps/sysvinit-2.86-r10 to /
 >>> emerge (2 of 7) sys-libs/readline-5.2_p7 to /
 ::: completed emerge (2 of 7) sys-libs/readline-5.2_p7 to /
 >>> emerge (3 of 7) virtual/init-0 to /
 ::: completed emerge (3 of 7) virtual/init-0 to /
 >>> emerge (4 of 7) sys-apps/module-init-tools-3.4 to /
 ::: completed emerge (4 of 7) sys-apps/module-init-tools-3.4 to /
 >>> emerge (5 of 7) sys-apps/debianutils-2.28.2 to /
 ::: completed emerge (5 of 7) sys-apps/debianutils-2.28.2 to /
 >>> emerge (6 of 7) sys-apps/mktemp-1.5 to /
 ::: completed emerge (6 of 7) sys-apps/mktemp-1.5 to /
 >>> emerge (7 of 7) sys-apps/baselayout-1.12.10-r5 to /
 ::: completed emerge (7 of 7) sys-apps/baselayout-1.12.10-r5 to /
Started emerge on: Feb 07, 2008 23:03:09
 *** emerge --update gentoo-sources
 >>> emerge (1 of 6) sys-apps/sed-4.1.5 to /
 ::: completed emerge (1 of 6) sys-apps/sed-4.1.5 to /
 >>> emerge (2 of 6) sys-devel/binutils-2.18-r1 to /
 ::: completed emerge (2 of 6) sys-devel/binutils-2.18-r1 to /
 >>> emerge (3 of 6) sys-libs/ncurses-5.6-r2 to /
 ::: completed emerge (3 of 6) sys-libs/ncurses-5.6-r2 to /
 >>> emerge (4 of 6) sys-fs/udev-115-r1 to /
 ::: completed emerge (4 of 6) sys-fs/udev-115-r1 to /
 >>> emerge (5 of 6) sys-devel/make-3.81 to /
 ::: completed emerge (5 of 6) sys-devel/make-3.81 to /
 >>> emerge (6 of 6) sys-kernel/gentoo-sources-2.6.23-r6 to /
 ::: completed emerge (6 of 6) sys-kernel/gentoo-sources-2.6.23-r6 to /
Started emerge on: Feb 08, 2008 01:29:59
 *** emerge --update genkernel
 >>> emerge (1 of 5) sys-libs/com_err-1.40.4 to /
 ::: completed emerge (1 of 5) sys-libs/com_err-1.40.4 to /
 >>> emerge (2 of 5) app-arch/cpio-2.9-r1 to /
 ::: completed emerge (2 of 5) app-arch/cpio-2.9-r1 to /
 >>> emerge (3 of 5) sys-libs/ss-1.40.4 to /
 ::: completed emerge (3 of 5) sys-libs/ss-1.40.4 to /
 >>> emerge (4 of 5) sys-fs/e2fsprogs-1.40.4 to /
 ::: completed emerge (4 of 5) sys-fs/e2fsprogs-1.40.4 to /
 >>> emerge (5 of 5) sys-kernel/genkernel-3.4.9 to /
 ::: completed emerge (5 of 5) sys-kernel/genkernel-3.4.9 to /
Started emerge on: Feb 08, 2008 00:42:11
 *** emerge  libwww
 >>> emerge (1 of 1) net-libs/libwww-5.4.0-r7 to /
Started emerge on: Feb 08, 2008 00:43:07
 *** emerge --update libwww
 >>> emerge (1 of 13) dev-db/mysql-5.0.54 to /
 ::: completed emerge (1 of 13) dev-db/mysql-5.0.54 to /
 >>> emerge (2 of 13) dev-util/pkgconfig-0.22 to /
 ::: completed emerge (2 of 13) dev-util/pkgconfig-0.22 to /
 >>> emerge (3 of 13) sys-libs/zlib-1.2.3-r1 to /
 ::: completed emerge (3 of 13) sys-libs/zlib-1.2.3-r1 to /
 >>> emerge (4 of 13) app-misc/ca-certificates-20070303-r1 to /
 ::: completed emerge (4 of 13) app-misc/ca-certificates-20070303-r1 to /
 >>> emerge (5 of 13) dev-libs/openssl-0.9.8g to /
 ::: completed emerge (5 of 13) dev-libs/openssl-0.9.8g to /
 >>> emerge (6 of 13) app-admin/perl-cleaner-1.04.3 to /
 ::: completed emerge (6 of 13) app-admin/perl-cleaner-1.04.3 to /
 >>> emerge (7 of 13) sys-devel/autoconf-2.61-r1 to /
 ::: completed emerge (7 of 13) sys-devel/autoconf-2.61-r1 to /
 >>> emerge (8 of 13) sys-devel/libtool-1.5.24 to /
 ::: completed emerge (8 of 13) sys-devel/libtool-1.5.24 to /
 >>> emerge (9 of 13) perl-core/Test-Harness-2.64 to /
 ::: completed emerge (9 of 13) perl-core/Test-Harness-2.64 to /
 >>> emerge (10 of 13) perl-core/PodParser-1.35 to /
 ::: completed emerge (10 of 13) perl-core/PodParser-1.35 to /
 >>> emerge (11 of 13) sys-devel/libperl-5.8.8-r1 to /
 ::: completed emerge (11 of 13) sys-devel/libperl-5.8.8-r1 to /
 >>> emerge (12 of 13) dev-lang/perl-5.8.8-r4 to /
 ::: completed emerge (12 of 13) dev-lang/perl-5.8.8-r4 to /
 >>> emerge (13 of 13) net-libs/libwww-5.4.0-r7 to /
 ::: completed emerge (13 of 13) net-libs/libwww-5.4.0-r7 to /
Started emerge on: Feb 08, 2008 01:34:23
 *** emerge --update gentoolkit
 >>> emerge (1 of 3) dev-lang/python-2.4.4-r6 to /
 ::: completed emerge (1 of 3) dev-lang/python-2.4.4-r6 to /
 >>> emerge (2 of 3) sys-apps/grep-2.5.1a-r1 to /
 ::: completed emerge (2 of 3) sys-apps/grep-2.5.1a-r1 to /
 >>> emerge (3 of 3) app-portage/gentoolkit-0.2.3-r1 to /
 ::: completed emerge (3 of 3) app-portage/gentoolkit-0.2.3-r1 to /
Started emerge on: Feb 08, 2008 01:39:10
 *** emerge --deep --oneshot --verbose =sys-apps/file-4.12 =sys-libs/cracklib-2.8.9 =dev-libs/libxml2-2.6.20-r2 =dev-libs/libxslt-1.1.14-r2 =dev-python/python-fchksum-1.7.1 =app-admin/webapp-config-1.50.15 =media-libs/pdflib-6.0.3 =media-libs/lcms-1.14-r1
Started emerge on: Feb 08, 2008 01:39:34
 *** emerge  libwww
 >>> emerge (1 of 1) net-libs/libwww-5.4.0-r7 to /
 ::: completed emerge (1 of 1) net-libs/libwww-5.4.0-r7 to /
Started emerge on: Feb 08, 2008 02:01:16
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4 =net-libs/libwww-5.4.0-r3
 >>> emerge (1 of 2) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 02:04:49
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4
 >>> emerge (1 of 1) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 02:06:14
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4
 >>> emerge (1 of 1) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 02:07:18
 *** emerge  com_err
 >>> emerge (1 of 1) sys-libs/com_err-1.40.4 to /
 ::: completed emerge (1 of 1) sys-libs/com_err-1.40.4 to /
Started emerge on: Feb 08, 2008 02:08:43
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4
 >>> emerge (1 of 1) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 02:24:35
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4
 >>> emerge (1 of 1) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 02:33:07
 *** emerge --oneshot =sys-fs/e2fsprogs-1.40.4
 >>> emerge (1 of 1) sys-fs/e2fsprogs-1.40.4 to /
Started emerge on: Feb 08, 2008 06:05:08
 *** emerge --update iptables
 >>> emerge (1 of 2) sys-kernel/linux-headers-2.6.23-r3 to /
 ::: completed emerge (1 of 2) sys-kernel/linux-headers-2.6.23-r3 to /
 >>> emerge (2 of 2) net-firewall/iptables-1.3.8-r3 to /
 ::: completed emerge (2 of 2) net-firewall/iptables-1.3.8-r3 to /
```

There's a problem with revdep-rebuild as well: it wants to reinstall e2fsprogs but fails (which explains the numerous attempts above), but I don't think that would interfere with IPsec. I don't know if any of the packages above would conflict; do you?

I've used genkernel's menuconfig and enabled all necessary items for this as modules. Might be a problem there.

I also changed the net config to module=("iproute2") (I used ifconfig before; the gentoo-wiki says this should be done).

I've tried setting up the same settings on a machine which is on the same network and it gives the same result: "ERROR: failed to bind to address HOST3[500] (Cannot assign requested address)."

Yes, I have not yet deleted the old kernel so I should be able to boot that one up. Is there anything I should do before I simply select the older kernel in GRUB?

Thank you!

/Thomas

----------

## elgato319

Could you change net config back to ifconfig if it's not too difficult?

Otherwise I would give the old kernel a shot.

I don't see any packages that would cause a conflict with racoon/ipsec.

----------

## Moreaulf

I changed back to ifconfig and later on to the old kernel but neither helped...

I'm on the current net config and kernel now and I've been going through the config files again. What I found, and am a little confused about, is the listen config in the racoon.conf file. Isn't this supposed to be "listen on" instead of "listen to"?

When I switched the IP from HOST2 to HOST1 in the listen section the Racoon service started! It seems logical, but from what I learned earlier AND in the old config I could have whatever IP I wanted in the listen directive in racoon.conf. So then I thought it should be "listen to".

I also made a fresh install on a new hard drive just to see if the scenario was the same on this one, and it was. If I set listen to the server IP, Racoon starts OK; if I set it to an IP not configured for the box, it fails with the previous error.

Do you know if this is correct or if there is something wrong, perhaps in the ipsec-tools package?

Thank you!

----------

## elgato319

Yes... the listen part of racoon is supposed to be "listen on".

So on your host1 there should be:

```
listen {
        isakmp HOST1;
        strict_address;
}
```

And on host2:

```
listen {
        isakmp HOST2;
        strict_address;
}
```

----------

## Moreaulf

Must have been a bug in the old version that accepted other IPs as listens then...

Thank you very much elgato!

I have a follow-up question that I've been trying to figure out but I'm gonna browse some more before I post it.
