# Racoon only listen on IPv6 Unicast addresses or segfaults

## bookwood

I'm connected at home via ipv6 and tunneld ipv4 dualstack infrastructure. I can reach my servers at home only via ipv6 from outside, so I want to connect my external server via ipsec-tools (racoon) with my internal server. 

In short, when I start racoon without the listen directive, racoon only listen on the local unicast addresses. When I use  the strict_address directive, racoon segfaults. When I use the isakmp directive, racoon listen on no address.

External server: 2a01:xx:xx:xx:xx:xx:xx:50c

Internal server: 2a02:xx:xx:xx:xx:xx:xx:ce19

ping6 works and every server can ping the other. At a first step I use the installed sampleconfig and exchange the ipv4 adresses with my ipv6 addresses in the default example.

My test config /etc/racoon/racoon.conf

```

# THIS IS A SAMPLE FILE!

#

# This is a sample file to test Gentoo's ipsec-tools out of the box.

# Do not use it in production.  See: http://www.ipsec-howto.org/

#

path pre_shared_key "/etc/racoon/psk.txt";

listen

{

        #isakmp 2a01:xx:xx:xx:xx:xx:xx:50c[500];

        strict_address;

}

log debug;

#

# Make sure to switch 2a01:xx:xx:xx:xx:xx:xx:50c <-> 2a02:xx:xx:xx:xx:xx:xx:ce19 on the peer

#

remote 2a02:xx:xx:xx:xx:xx:xx:ce19

#remote 2a01:xx:xx:xx:xx:xx:xx:50c

{

        exchange_mode main;

        proposal {

                encryption_algorithm 3des;

                hash_algorithm md5;

                authentication_method pre_shared_key;

                dh_group modp1024;

        }

}

#

# Make sure to switch 2a01:xx:xx:xx:xx:xx:xx:50c <-> 2a02:xx:xx:xx:xx:xx:xx:ce19 on the peer

#

sainfo address 2a01:xx:xx:xx:xx:xx:xx:50c any address 2a02:xx:xx:xx:xx:xx:xx:ce19 any

#sainfo address 2a02:xx:xx:xx:xx:xx:xx:ce19 any address 2a01:xx:xx:xx:xx:xx:xx:50c any

{

        pfs_group modp768;

        encryption_algorithm 3des;

        authentication_algorithm hmac_md5;

        compression_algorithm deflate;

}

```

and my setkey-config:

```

#!/usr/sbin/setkey -f

#

# THIS IS A SAMPLE FILE!

#

# This is a sample file to test Gentoo's ipsec-tools out of the box.

# Do not use it in production.  See: http://www.ipsec-howto.org/

#

flush;

spdflush;

#

# Uncomment the following if you want to do manual keying, ie, you want to run IPsec without racoon.

# Do not switch 2a01:xx:xx:xx:xx:xx:xx:50c <-> 2a02:xx:xx:xx:xx:xx:xx:ce19 on the peer

#

#add 2a02:xx:xx:xx:xx:xx:xx:ce19 2a01:xx:xx:xx:xx:xx:xx:50c ah 0x200 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

#add 2a01:xx:xx:xx:xx:xx:xx:50c 2a02:xx:xx:xx:xx:xx:xx:ce19 ah 0x300 -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

#add 2a02:xx:xx:xx:xx:xx:xx:ce19 2a01:xx:xx:xx:xx:xx:xx:50c esp 0x201 -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;

#add 2a01:xx:xx:xx:xx:xx:xx:50c 2a02:xx:xx:xx:xx:xx:xx:ce19 esp 0x301 -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

#

# Make sure to switch 2a01:xx:xx:xx:xx:xx:xx:50c <-> 2a02:xx:xx:xx:xx:xx:xx:ce19 on the peer

#

spdadd -6 2a01:xx:xx:xx:xx:xx:xx:50c 2a02:xx:xx:xx:xx:xx:xx:ce19 any -P out ipsec esp/transport//require ah/transport//require;

spdadd -6 2a02:xx:xx:xx:xx:xx:xx:ce19 2a01:xx:xx:xx:xx:xx:xx:50c any -P in  ipsec esp/transport//require ah/transport//require;

#spdadd 2a02:xx:xx:xx:xx:xx:xx:ce19 2a01:xx:xx:xx:xx:xx:xx:50c any -P out ipsec esp/transport//require ah/transport//require;

#spdadd 2a01:xx:xx:xx:xx:xx:xx:50c 2a02:xx:xx:xx:xx:xx:xx:ce19 any -P in  ipsec esp/transport//require ah/transport//require;

```

The chrash with the strict_address directive:

```

v 29 11:xx:31 myserver02 racoon: INFO: unsupported PF_KEY message REGISTER

Nov 29 11:xx:31 myserver02 racoon: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)

Nov 29 11:xx:31 myserver02 racoon: INFO: @(#)This product linked OpenSSL 1.0.2j  26 Sep 2016 (http://www.openssl.org/)

Nov 29 11:xx:31 myserver02 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"

Nov 29 11:xx:31 myserver02 racoon: INFO: unsupported PF_KEY message REGISTER

Nov 29 11:xx:31 myserver02 racoon: INFO: unsupported PF_KEY message REGISTER

Nov 29 11:xx:31 myserver02 racoon: INFO: unsupported PF_KEY message REGISTER

Nov 29 11:xx:31 myserver02 racoon: DEBUG: no check of compression algorithm; not supported in sadb message.

Nov 29 11:xx:31 myserver02 racoon: DEBUG: getsainfo params: loc='2a01:xx:xx:xx:xx:xx:xx:50c' rmt='2a02:xx:xx:xx:xx:xx:xx:ce19' peer='NULL' client='NULL' id=0

Nov 29 11:xx:31 myserver02 racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.

Nov 29 11:xx:31 myserver02 kernel: racoon[30807]: segfault at 0 ip 0808383a sp bffdf890 error 4 in racoon[8048000+84000]

Nov 29 11:xx:32 myserver02 /etc/init.d/racoon[30802]: start-stop-daemon: did not create a valid pid in `/var/run/racoon.pid'

Nov 29 11:xx:32 myserver02 /etc/init.d/racoon[30260]: ERROR: racoon failed to start

```

The lsof output without the listen block racoon only listen to the not route able unicast address 

```
fe80::xx:xx:xx:2082
```

 :

```

racoon     7409     root   16u  IPv6 30710837      0t0  UDP [fe80::xx:xx:xx:2082]:isakmp

racoon     7409     root   17u  IPv6 30710839      0t0  UDP [fe80::xx:xx:xx:2082]:ipsec-nat-t

apache2    7496   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2    7496   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2    7500   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2    7500   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2   12504   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2   12504   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2   12531   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2   12531   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2   12550   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2   12550   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2   12755   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2   12755   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

apache2   12756   apache    7u  IPv6 29101741      0t0  TCP *:https (LISTEN)

apache2   12756   apache    9u  IPv6 29101747      0t0  TCP *:http (LISTEN)

postgres  13990 postgres    3u  IPv6     9972      0t0  TCP [::1]:postgresql (LISTEN)

postgres  13990 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

postgres  13993 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

postgres  13994 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

postgres  13995 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

postgres  13996 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

postgres  13997 postgres    8u  IPv6     9985      0t0  UDP [::1]:33646->[::1]:33646

dnscache  14082 dnscache    3u  IPv6    10136      0t0  UDP 127.0.0.2:domain

dnscache  14082 dnscache    4u  IPv6    10137      0t0  TCP 127.0.0.2:domain (LISTEN)

ntpd      14166      ntp   16u  IPv6    10489      0t0  UDP *:ntp

ntpd      14166      ntp   20u  IPv6    10501      0t0  UDP [::1]:ntp

ntpd      14166      ntp   21u  IPv6    10503      0t0  UDP [fe80::xx:xx:xx:2082]:ntp

ntpd      14166      ntp   26u  IPv6    13044      0t0  UDP [2a01:xx:xx:xx:xx:xx:xx:50c]:ntp

named     15075    named   22u  IPv6    13028      0t0  TCP [::1]:domain (LISTEN)

named     15075    named   23u  IPv6    13030      0t0  TCP [2a01:xx:xx:xx:xx:xx:xx:50c]:domain (LISTEN)

named     15075    named  513u  IPv6    13007      0t0  UDP [::1]:domain

named     15075    named  514u  IPv6    13029      0t0  UDP [2a01:xx:xx:xx:xx:xx:xx:50c]:domain

proftpd   15133   nobody    0u  IPv6    13178      0t0  TCP *:ftp (LISTEN)

/usr/sbin 15154     root    6u  IPv6    13291      0t0  TCP [::1]:783 (LISTEN)

spamd\x20 15180     root    6u  IPv6    13291      0t0  TCP [::1]:783 (LISTEN)

```

other services like named listen to the external ipv6 ip 2a01:xx:xx:xx:xx:xx:xx:50c.

I tested it with kernel 3.8.13-gentoo and the actual 4.4.26-gentoo. I found nothing about this problem in the internet.

I think I should file a bug. 

Thanks in advance.

----------

## bookwood

as described here https://bugs.gentoo.org/show_bug.cgi?id=518496, racoon only works with following listen directive under IPv6:

```

listen

{

        isakmp 2a01:xx:xx:xx:xx:xx:xx:50c[500];

        strict_address;

}

```

now my IPv6 tunnel runs fine.

RTFM saves much time  :Wink: 

I read in the man page of racoon.conf the following:

 *Quote:*   

> strict_address;
> 
> Requires that all addresses for ISAKMP be bound.  This statement will be ignored if you do not specify address definitions. When running in privilege separation mode, you need to restart racoon to have changes to the listen section taken into account.
> 
> 

 

But it is very strange that racoon binds per default only to the unrouteable unicast address under IPv6. It is also not normal that a service stops with a segmentation fault, if a wrong option combination is used in the configuration file. I add this detail to the bug.

----------

