# racoon/IPsec problems after updating

## Vogi

Hi there,

I have had racoon/IPsec running for about a year now with no problems in all that time.

I use it primarily to connect my iPhone to my homeserver (roadwarrior setup).

After updating my Gentoo system today, I have problems with my VPN.

I can connect, but I don't get any network connection into my home net anymore.

As there were more than 100 packages, I can't even tell which one is the reason.

What I can say:

kernel 2.6.30-r6 -> 2.6.31-r6

linux headers from 2.6.29 -> 2.6.30

ipsec-tools still the same 0.7.2

Here is my racoon.conf:

```
log warning;

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
    isakmp 192.168.6.253 [500];                    # IP of gentoo box
    isakmp_natt 192.168.6.253 [4500];
    adminsock disabled;
}

remote anonymous {
    exchange_mode main,aggressive;
    my_identifier fqdn "vpn.knoeferl.dyndns.org";
    verify_identifier on;
    certificate_type x509 "ipsecserver.crt" "ipsecserver.key";
    ike_frag on;                                   # use IKE fragmentation
    #esp_frag 552;                                 # use ESP fragmentation at 552 bytes
    proposal_check claim;
    passive on;
    support_proxy on;
    generate_policy on;                            # automatically generate IPsec policies
    nat_traversal force;                           # always use NAT-T
    dpd_delay 20;                                  # DPD poll every 20 seconds

    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method xauth_rsa_server;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source pam;                               # validate logins against PAM
    pool_size 20;                                  # size of the VPN IP pool: 20 addresses
    network4 192.168.8.1;                          # 1st address of VPN IPv4 pool
    netmask4 255.255.255.0;
    dns4 192.168.6.1;                              # IPv4 DNS server
    wins4 192.168.6.253;                           # IPv4 WINS server
    default_domain "home.net";
    banner "/etc/racoon/motd";
    pfs_group 2;
    save_passwd on;
}
```

Only difference I can see in the log is the missing FWD policy:

log when everything was fine:

```
2009-10-12 16:53:23: ERROR: such policy does not already exist: "192.168.8.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
2009-10-12 16:53:23: ERROR: such policy does not already exist: "192.168.8.1/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
2009-10-12 16:53:23: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.8.1/32[0] proto=any dir=out"
```

log today:

```
2009-12-17 01:50:17: ERROR: such policy does not already exist: "192.168.8.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
2009-12-17 01:50:17: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.8.1/32[0] proto=any dir=out"
```

I thought the config parameter "generate_policy on" is responsible for all iptables settings.

But why is the FWD rule missing?

I would be happy about any hints... been trying now for 4.5 hours...

Thanks,

Vogi
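
A check for the symptom in this post (the in and out policies present, the fwd one absent), added here as an example; it is not code from the thread or from ipsec-tools. It parses an SPD dump in the layout that `setkey -DP` prints, reports which of the three directions racoon's generate_policy should have created are missing for a given client address, and builds the `setkey` spdadd line that would restore the fwd entry by mirroring the client's in policy. The two dumps, the client address 203.0.113.5 and the function names are constructed for the example; the dump layout itself is an assumption modeled on ipsec-tools' setkey output.

```shell
#!/bin/sh
# Added example: check the kernel SPD for the three policies racoon's
# generate_policy should install for one roadwarrior client (in, out, fwd)
# and emit a setkey command for a missing fwd entry.
#
# Assumptions: the dump layout follows `setkey -DP` from ipsec-tools
# (a header "src dst proto" in column 1, then indented lines with the
# direction and the ipsec request). Both dumps below are constructed
# samples, not captured output; 203.0.113.5 is a placeholder client address.

# Constructed: what the thread's "log today" corresponds to, fwd entry absent.
SPD_DUMP_BROKEN='192.168.8.1/32[any] 0.0.0.0/0[any] any
    in prio def ipsec
    esp/tunnel/203.0.113.5-192.168.6.253/require
    spid=16 seq=1 pid=1234
0.0.0.0/0[any] 192.168.8.1/32[any] any
    out prio def ipsec
    esp/tunnel/192.168.6.253-203.0.113.5/require
    spid=17 seq=0 pid=1234'

# Constructed: the healthy state, all three directions present.
SPD_DUMP_OK="$SPD_DUMP_BROKEN
192.168.8.1/32[any] 0.0.0.0/0[any] any
    fwd prio def ipsec
    esp/tunnel/203.0.113.5-192.168.6.253/require
    spid=18 seq=2 pid=1234"

# spd_dirs DUMP CLIENT: print the policy directions present for CLIENT, one per line.
spd_dirs() {
    printf '%s\n' "$1" | awk -v client="$2" '
        # Header lines start in column 1; the lines that follow are indented.
        /^[^ \t]/ { sel = ($1 ~ ("^" client "/")) || ($2 ~ ("^" client "/")); next }
        sel && ($1 == "in" || $1 == "out" || $1 == "fwd") { print $1 }
    ' | sort -u
}

# spd_missing DUMP CLIENT: print the directions that should exist but do not.
spd_missing() {
    have=$(spd_dirs "$1" "$2")
    for d in "in" "out" "fwd"; do
        printf '%s\n' "$have" | grep -qx "$d" || printf '%s\n' "$d"
    done
}

# spd_fwd_fix DUMP CLIENT: build a setkey spdadd line for the fwd direction,
# mirroring the selector and ipsec request of the client's "in" policy
# (for a tunnel, fwd carries the same tunnel endpoints as in).
spd_fwd_fix() {
    printf '%s\n' "$1" | awk -v client="$2" '
        /^[^ \t]/ { src = $1; dst = $2; sel = (src ~ ("^" client "/")); want = 0; next }
        sel && $1 == "in" { want = 1; next }
        want && $1 ~ /^(esp|ah|ipcomp)\// {
            gsub(/\[any\]/, "", src); gsub(/\[any\]/, "", dst)
            printf "spdadd %s %s any -P fwd ipsec %s;\n", src, dst, $1
            want = 0
        }
    '
}

# Stand-alone run: report what is missing for the sample client and how to add it.
missing=$(spd_missing "$SPD_DUMP_BROKEN" 192.168.8.1)
if [ -n "$missing" ]; then
    echo "missing SPD entries for 192.168.8.1: $missing"
    spd_fwd_fix "$SPD_DUMP_BROKEN" 192.168.8.1   # feed this line to: setkey -c
fi
```

On the server, hand the live dump to the functions instead of the sample, e.g. `spd_missing "$(setkey -DP)" 192.168.8.1`, give the printed spdadd line to `setkey -c`, and confirm with `setkey -DP` that a fwd entry now appears. Note that this only patches the SPD for the current connection; the policy racoon generates for the next one is still whatever racoon produces.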

----------

## Vogi

Okay... got it working again.

I went back to kernel 2.6.30-r6, changed the symlink /usr/src/linux to the old version

and re-emerged racoon. Now that it is compiled against the 2.6.30-r6 sources, it works like before.

log shows now:

```
2009-12-17 10:32:57: ERROR: such policy does not already exist: "192.168.8.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
2009-12-17 10:32:57: ERROR: such policy does not already exist: "192.168.8.1/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
2009-12-17 10:32:57: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.168.8.1/32[0] proto=any dir=out"
```

But why isn't forward working with the 2.6.31-r6 kernel?

I copied my kernel config to the new directory and did a "make oldconfig".

I searched for differences in the config files, but cannot see anything new or changed that sounds like netfilter or so...

Is this a bug?

----------

## ezubillaga

I got this same problem fixed by updating to the latest ipsec-tools version (0.7.3-r1). The new ebuild solves some problems with the configure options and checks with newer kernel versions.

HTH

----------

