# Pure IPsec VPN (racoon) server

## streamkid

Hello,

I'm setting up an IPsec VPN server.

My current setup:

```
cat /etc/racoon/racoon.conf

path certificate "/etc/racoon/ssl/";

listen {
   isakmp 212.70.208.55 [500];
   isakmp_natt 212.70.208.55 [4500];
   adminsock disabled;
}

remote anonymous {
   exchange_mode main;
   ca_type x509 "ca.crt";
   certificate_type x509 "vpn.streamkid.net.crt" "vpn.streamkid.net.key";
   my_identifier asn1dn;
   passive on;
   generate_policy on;
   nat_traversal on;
   mode_cfg on;
   script "/etc/racoon/phase1-up.sh" phase1_up;
   script "/etc/racoon/phase1-down.sh" phase1_down;
   dpd_delay 20;
   ike_frag on;
   lifetime time 3600 sec;
   proposal_check strict;
   proposal {
      authentication_method xauth_rsa_server;
      # was "encryption_algorithm_aes;" (missing space), which racoon cannot parse
      encryption_algorithm aes;
      hash_algorithm sha1;
      dh_group 2;
   }
}

mode_cfg {
   conf_source local;
   network4 192.168.2.1;
   netmask4 255.255.255.0;
   pool_size 100;
   auth_source system;
   auth_throttle 3;
   save_passwd on;
   dns4 192.168.1.1;
   default_domain "streamkid.net";
   split_dns "streamkid.net";
   pfs_group 2;
}

sainfo anonymous {
   pfs_group 2;
   lifetime time 3600 sec;
   encryption_algorithm aes;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}
```

```
cat /etc/racoon/phase1-up.sh

#!/bin/bash
# Run by racoon when a phase 1 SA comes up. racoon exports LOCAL_ADDR,
# LOCAL_PORT, REMOTE_ADDR, REMOTE_PORT and, with mode_cfg, INTERNAL_ADDR4
# (the address handed out to this client).
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Never install a policy with an empty selector or endpoint.
if [ -z "${LOCAL_ADDR}" ] || [ -z "${REMOTE_ADDR}" ] || [ -z "${INTERNAL_ADDR4}" ]; then
   echo "phase1-up: LOCAL_ADDR, REMOTE_ADDR or INTERNAL_ADDR4 not set" >&2
   exit 1
fi

# One policy pair per client: the inner selector is the single address this
# client got (/24 here would make every client's policy cover the whole pool),
# and the tunnel endpoints carry the ports racoon actually negotiated (with
# NAT-T the client side is usually not 4500, see the port 398/38702 in the logs).
echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any
   -P out ipsec esp/tunnel/${LOCAL_ADDR}[${LOCAL_PORT}]-${REMOTE_ADDR}[${REMOTE_PORT}]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any
   -P in ipsec esp/tunnel/${REMOTE_ADDR}[${REMOTE_PORT}]-${LOCAL_ADDR}[${LOCAL_PORT}]/require;
" | setkey -c
```

```
cat /etc/racoon/phase1-down.sh

#!/bin/bash
# Run by racoon when the phase 1 SA goes down; same environment as phase1-up.sh.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

if [ -z "${LOCAL_ADDR}" ] || [ -z "${REMOTE_ADDR}" ] || [ -z "${INTERNAL_ADDR4}" ]; then
   echo "phase1-down: LOCAL_ADDR, REMOTE_ADDR or INTERNAL_ADDR4 not set" >&2
   exit 1
fi

# Flush this client's ESP SAs in both directions, then delete exactly the
# policies phase1-up.sh installed: selectors and tunnel endpoints (ports
# included) must match, otherwise spddelete does not find them.
echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}/32[any] any
   -P out ipsec esp/tunnel/${LOCAL_ADDR}[${LOCAL_PORT}]-${REMOTE_ADDR}[${REMOTE_PORT}]/require;
spddelete ${INTERNAL_ADDR4}/32[any] 192.168.1.0/24[any] any
   -P in ipsec esp/tunnel/${REMOTE_ADDR}[${REMOTE_PORT}]-${LOCAL_ADDR}[${LOCAL_PORT}]/require;
" | setkey -c
```

1) It would be better to use my dhcpd and give out addresses from there (I want some clients to have static ones). Any chance to do that?

2) It would greatly help if I could create a (virtual) vpn0 interface and have all VPN traffic go through there.

3) The idea is to have some clients with certificates (192.168.2.0/24) that are routed over the VPN (access the internet over the VPN) and some others with PSK (192.168.3.0/24) that only see my local network. All of them are road warriors. How am I going to accomplish that?

Any ideas?

I don't have much experience with racoon, and I haven't reached a working state by reading man pages and trying.

Thanks

Edit:

I also have a problem: I cannot connect with the built-in IPsec client on OS X 10.6.4. Racoon log follows:

```
2010-09-16 12:13:48: INFO: respond new phase 1 negotiation: 212.70.208.55[500]<=>83.171.240.158[398]
2010-09-16 12:13:48: INFO: begin Identity Protection mode.
2010-09-16 12:13:48: INFO: received Vendor ID: RFC 3947
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2010-09-16 12:13:48: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-09-16 12:13:48: INFO: received Vendor ID: CISCO-UNITY
2010-09-16 12:13:48: INFO: received Vendor ID: DPD
2010-09-16 12:13:48: INFO: Adding xauth VID payload.
2010-09-16 12:13:49: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=GR/ST=ATTICA/L=ATHENS/O=STREAMKID.NET/CN=iphone.streamkid.net/emailAddress=noc@streamkid.net
2010-09-16 12:13:49: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=GR/ST=ATTICA/L=ATHENS/O=STREAMKID.NET/CN=STREAMKID.NET CA/emailAddress=noc@streamkid.net
2010-09-16 12:13:49: INFO: Sending Xauth request
2010-09-16 12:13:49: INFO: ISAKMP-SA established 212.70.208.55[500]-83.171.240.158[398] spi:f087f2454173d228:1ceb437d5377d343
2010-09-16 12:13:49: ERROR: ignore information because the message is too short - 76 byte(s).
```
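A small triage script for logs like the one above, added here as an example (it is not code from the original post or from ipsec-tools). It groups racoon's lines per phase 1 negotiation and reports how far each client got: NAT detection, the CRL warnings (which are only warnings), whether the ISAKMP SA was established, whether an XAuth request went out and got a logged result, any ERROR lines, and whether DPD later declared the peer dead. The sample lines are copied from this thread with the vendor ID lines dropped; the stage names and the XAuth result patterns (`login succeeded/failed for user`, from memory of ipsec-tools) are my own assumptions.

```python
"""Triage racoon road-warrior logs: how far did each client get?

Added example for this thread, not code from the original post or from
ipsec-tools.  Groups racoon log lines per phase 1 negotiation and reports
NAT detection, CRL warnings, ISAKMP SA establishment, XAuth progress,
ERROR lines and DPD death.  Sample lines at the bottom are copied from the
thread (vendor ID lines dropped); the stage names are mine.
"""
import re

LINE_RE = re.compile(r"^\S+ \S+: (?P<level>[A-Z]+): (?P<msg>.*)$")
NEW_P1_RE = re.compile(
    r"respond new phase 1 negotiation: [\d.]+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
ESTAB_RE = re.compile(
    r"ISAKMP-SA established [\d.]+\[\d+\]-(?P<peer>[\d.]+)\[\d+\] spi:(?P<spi>[0-9a-f:]+)")
DEAD_RE = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)\) seems to be dead")
# XAuth result lines as I remember ipsec-tools logging them (assumed; adjust
# if your racoon build words them differently).
XAUTH_OK_RE = re.compile(r'login succeeded for user "')
XAUTH_FAIL_RE = re.compile(r'login failed for user "')


def _new(peer):
    return {"peer": peer, "nat": "unknown", "established": False, "spi": None,
            "crl_warnings": 0, "stage": "phase1", "errors": [], "dpd_dead": False}


def triage(lines):
    """Return one summary dict per negotiation, in log order.

    racoon does not repeat the peer on every line, so each line is charged to
    the most recent negotiation (adequate for one client at a time).  A log
    that starts mid-negotiation gets its record at 'ISAKMP-SA established'.
    """
    records, cur, by_spi = [], None, {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if (p := NEW_P1_RE.search(msg)):
            cur = _new(p.group("peer"))
            records.append(cur)
        elif (p := ESTAB_RE.search(msg)):
            if cur is None or cur["established"]:
                cur = _new(p.group("peer"))
                records.append(cur)
            cur["established"], cur["spi"] = True, p.group("spi")
            by_spi[cur["spi"]] = cur
        elif (p := DEAD_RE.search(msg)) and p.group("spi") in by_spi:
            by_spi[p.group("spi")]["dpd_dead"] = True
        elif cur is None:
            continue
        elif msg.startswith("NAT detected:"):
            cur["nat"] = msg.split(":", 1)[1].strip()
        elif "unable to get certificate CRL" in msg:
            cur["crl_warnings"] += 1          # warning only: no CRL configured
        elif msg == "Sending Xauth request":
            cur["stage"] = "xauth-pending"
        elif XAUTH_OK_RE.search(msg):
            cur["stage"] = "xauth-ok"
        elif XAUTH_FAIL_RE.search(msg):
            cur["stage"] = "xauth-failed"
        elif msg.startswith("respond new phase 2 negotiation"):
            cur["stage"] = "phase2"
        elif level == "ERROR":
            cur["errors"].append(msg)
    return records


def verdict(rec):
    """One-line reading of a record, the way a person would triage it."""
    if not rec["established"]:
        return "phase 1 never completed"
    if rec["stage"] in ("phase1", "xauth-pending"):
        text = "ISAKMP SA up, no XAuth result and no phase 2 logged"
        if rec["errors"]:
            text += "; errors: " + "; ".join(rec["errors"])
        if rec["dpd_dead"]:
            text += "; DPD then declared the peer dead"
        return text
    return "reached " + rec["stage"]


# Copied from the thread (streamkid's OS X 10.6.4 attempt), vendor IDs dropped.
SAMPLE_OSX = """\
2010-09-16 12:13:48: INFO: respond new phase 1 negotiation: 212.70.208.55[500]<=>83.171.240.158[398]
2010-09-16 12:13:48: INFO: begin Identity Protection mode.
2010-09-16 12:13:48: INFO: Adding xauth VID payload.
2010-09-16 12:13:49: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=GR/ST=ATTICA/L=ATHENS/O=STREAMKID.NET/CN=iphone.streamkid.net/emailAddress=noc@streamkid.net
2010-09-16 12:13:49: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=GR/ST=ATTICA/L=ATHENS/O=STREAMKID.NET/CN=STREAMKID.NET CA/emailAddress=noc@streamkid.net
2010-09-16 12:13:49: INFO: Sending Xauth request
2010-09-16 12:13:49: INFO: ISAKMP-SA established 212.70.208.55[500]-83.171.240.158[398] spi:f087f2454173d228:1ceb437d5377d343
2010-09-16 12:13:49: ERROR: ignore information because the message is too short - 76 byte(s).
""".splitlines()

if __name__ == "__main__":
    for rec in triage(SAMPLE_OSX):
        print(rec["peer"], rec["spi"], verdict(rec))
```

Run it over the full racoon log (for example `triage(open("/var/log/racoon.log"))`); a record that is `established` but stuck at `xauth-pending` with the 76-byte ERROR right after the XAuth request is the pattern all three logs in this thread show.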

----------

## vonProteus

I have a very similar problem

```
alucard# cat /usr/local/etc/racoon/racoon.conf

path certificate "/usr/local/etc/racoon/easy-rsa/myCA/myca";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;

listen {
   isakmp 192.168.0.130;
   isakmp_natt 192.168.0.130[4500];
}

timer {
   counter 5;
   interval 20 sec;
   persend 1;
   phase1 30 sec;
   phase2 15 sec;
}

remote anonymous {
   exchange_mode main;
   my_identifier asn1dn;
   certificate_type x509 "server.crt" "server.key";
   verify_cert on;
   proposal_check strict;
   passive on;
   support_proxy on;
   generate_policy on;
   nonce_size 16;
   dpd_delay 20;
   dpd_retry 5;
   dpd_maxfail 5;

   proposal {
      authentication_method xauth_rsa_server;
      encryption_algorithm aes;
      hash_algorithm sha1;
      dh_group 2;
   }
}

sainfo anonymous {
   pfs_group 2;
   lifetime time 10 hour;
   encryption_algorithm aes;
   authentication_algorithm hmac_sha1,hmac_md5;
   compression_algorithm deflate;
}

mode_cfg {
   auth_source pam;
   save_passwd on;
   pool_size 254;
   network4 10.0.0.1;
   netmask4 255.255.255.0;
   dns4 208.67.222.222;
   default_domain "mydomain.com";
   banner "/usr/local/etc/racoon/motd";
   pfs_group 2;
}
```

Log when connecting with the iPhone:

```
2011-01-25 11:12:32: INFO: respond new phase 1 negotiation: 192.168.0.130[500]<=>178.182.233.132[500]
2011-01-25 11:12:32: INFO: begin Identity Protection mode.
2011-01-25 11:12:32: INFO: received Vendor ID: RFC 3947
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-01-25 11:12:32: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-01-25 11:12:32: INFO: received Vendor ID: CISCO-UNITY
2011-01-25 11:12:32: INFO: received Vendor ID: DPD
2011-01-25 11:12:32: INFO: Adding xauth VID payload.
2011-01-25 11:12:35: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
2011-01-25 11:12:35: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=PL/ST=Faerun/O=Alucard Zerg vP/OU=Alucard VPN/CN=iPhone VPN@Alicard/emailAddress=xxx@xxx
2011-01-25 11:12:35: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=PL/ST=Faerun/L=Menzoberranzan/O=Alucard Zerg vP/CN=vonProteus/emailAddress=xxx@xxx
2011-01-25 11:12:35: INFO: Sending Xauth request
2011-01-25 11:12:35: INFO: ISAKMP-SA established 192.168.0.130[500]-178.182.233.132[500] spi:f1483c737cca6197:2b6044c531b020f3
2011-01-25 11:12:36: ERROR: ignore information because the message is too short - 76 byte(s).
```

----------

## segfoult

Hi,

for Mac OS X or iPhone clients change proposal and sainfo to these:

```
proposal {
   encryption_algorithm aes 256;
   hash_algorithm sha1;
   authentication_method xauth_rsa_server;
   dh_group 5;
   lifetime time 3600 sec;
}

sainfo anonymous {
   encryption_algorithm aes 256;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
   lifetime time 3600 sec;
}
```
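Besides the stronger cipher and DH group, the sainfo above differs from the earlier ones in two things that `proposal_check strict` (the default, and what every config in this thread uses) actually acts on: it pins the lifetime to 3600 seconds and it drops `pfs_group`. The simulator below is an added example (not code from this post or from ipsec-tools) that applies the proposal_check rules as racoon.conf(5) documents them for phase 2: `obey` takes whatever the initiator sends; `strict` uses the initiator's lifetime if it is shorter and rejects if it is longer, and enforces the PFS group only when the responder requires one; `claim` keeps the responder's lifetime and sends RESPONDER-LIFETIME instead of rejecting; `exact` wants equality. The initiator proposals are constructed for illustration, not a record of what the Mac OS X or iPhone client sends; where the man page is silent (responder requires PFS, initiator offers none) I reject, and I compare algorithms by name only, ignoring key length.

```python
"""Phase 2 (sainfo) proposal checking as racoon.conf(5) describes it.

Added example for this thread, not code from the original post or from
ipsec-tools.  Applies the documented proposal_check rules for lifetime and
PFS (obey, strict, claim, exact) to a responder sainfo and an initiator
proposal.  Initiator proposals below are constructed, not captured from a
client; algorithms are compared by name only (key length ignored).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Sainfo:                  # responder side, reduced to what the rules look at
    encryption: tuple          # encryption_algorithm list, e.g. ("aes",)
    authentication: tuple      # authentication_algorithm list
    lifetime: int              # seconds
    pfs_group: Optional[int]   # None: PFS not required by the responder


@dataclass(frozen=True)
class Proposal:                # one phase 2 proposal from the initiator
    encryption: str
    authentication: str
    lifetime: int
    pfs_group: Optional[int]   # None: no KE payload, no PFS offered


@dataclass(frozen=True)
class Decision:
    accepted: bool
    lifetime: Optional[int]           # lifetime the responder will use
    responder_lifetime_notify: bool   # claim answers with RESPONDER-LIFETIME
    reason: str


def check_proposal(level, mine: Sainfo, theirs: Proposal) -> Decision:
    if theirs.encryption not in mine.encryption or theirs.authentication not in mine.authentication:
        return Decision(False, None, False, "algorithm not in sainfo")
    if level == "obey":
        return Decision(True, theirs.lifetime, False, "obey: initiator's lifetime and PFS taken as sent")
    if level not in ("strict", "claim", "exact"):
        raise ValueError("unknown proposal_check level %r" % level)
    # PFS is only enforced when the responder requires it (man page: "if PFS is
    # not required by the responder, the responder will obey the proposal").
    # Responder requires it and initiator offers none: assumed to be a rejection.
    if mine.pfs_group is not None and theirs.pfs_group != mine.pfs_group:
        return Decision(False, None, False,
                        "PFS group mismatch: mine %s, peer %s" % (mine.pfs_group, theirs.pfs_group))
    if level == "exact":
        if theirs.lifetime != mine.lifetime:
            return Decision(False, None, False, "exact: lifetime %d != %d" % (theirs.lifetime, mine.lifetime))
        return Decision(True, mine.lifetime, False, "exact: lifetime matches")
    if theirs.lifetime <= mine.lifetime:
        return Decision(True, theirs.lifetime, False, "%s: initiator's shorter lifetime taken" % level)
    if level == "claim":
        return Decision(True, mine.lifetime, True,
                        "claim: responder keeps %d and sends RESPONDER-LIFETIME" % mine.lifetime)
    return Decision(False, None, False,
                    "strict: initiator lifetime %d exceeds responder's %d" % (theirs.lifetime, mine.lifetime))


def first_accepted(level, mine, proposals):
    """racoon takes the first initiator proposal that passes (my reading); None if none do."""
    for p in proposals:
        d = check_proposal(level, mine, p)
        if d.accepted:
            return p, d
    return None, None


# Responder sainfo blocks from the thread, reduced to what the rules look at.
STREAMKID_SAINFO = Sainfo(("aes",), ("hmac_sha1",), 3600, 2)
VONPROTEUS_SAINFO = Sainfo(("aes",), ("hmac_sha1", "hmac_md5"), 10 * 3600, 2)
SEGFOULT_SAINFO = Sainfo(("aes",), ("hmac_sha1",), 3600, None)   # no pfs_group

# Constructed initiator proposals (illustrative only).
CLIENT_NO_PFS = Proposal("aes", "hmac_sha1", 3600, None)
CLIENT_DH5 = Proposal("aes", "hmac_sha1", 3600, 5)
CLIENT_LONG_LIFE = Proposal("aes", "hmac_sha1", 28800, None)

if __name__ == "__main__":
    for name, conf in (("streamkid", STREAMKID_SAINFO), ("segfoult", SEGFOULT_SAINFO)):
        for client in (CLIENT_NO_PFS, CLIENT_DH5, CLIENT_LONG_LIFE):
            d = check_proposal("strict", conf, client)
            print("%-9s strict %s -> %s (%s)" % (name, client, "accept" if d.accepted else "reject", d.reason))
```

The useful reading is the `strict` column: a responder with `pfs_group 2` refuses any client that offers no PFS or a different group, and a responder with a shorter lifetime than the client refuses outright instead of negotiating it down; `claim` is the setting that keeps the responder's lifetime without rejecting.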

----------

## Alex5Anc

I also have a very similar problem, and this did not solve it.

*segfoult wrote:*

> Hi,
>
> for Mac OS X or iPhone clients change proposal and sainfo to these:
>
> ```
> ...
> ```

----------

## salahx

What you probably want is to tunnel L2TP over IPSec. See my guide on how to do this: http://en.gentoo-wiki.com/wiki/IPsec_L2TP_VPN_server . 

Remember, however, that Linux does not create virtual interfaces for IPsec (but the above technique will create a ppp interface for each client).

Also note: the Mac OS (and maybe iPhone) clients are VERY picky about the server certificate; see the notes at the end of the article for the details.

----------

## chrroessner

Hi, there is nothing wrong with doing L2TP, but I would like to get a setup similar to the one described in the author's message above running.

I changed the proposal and sainfo as described. The iPhone does connect, but Mac OS X 10.6 does not.

```
2011-05-03 09:48:39: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2011-05-03 09:48:39: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2011-05-03 09:48:39: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-05-03 09:48:39: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2011-05-03 09:48:39: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2011-05-03 09:48:39: INFO: received Vendor ID: CISCO-UNITY
2011-05-03 09:48:39: INFO: received Vendor ID: DPD
2011-05-03 09:48:39: INFO: Selected NAT-T version: RFC 3947
2011-05-03 09:48:39: INFO: Adding xauth VID payload.
2011-05-03 09:48:39: INFO: Hashing 85.10.196.195[500] with algo #2
2011-05-03 09:48:39: INFO: NAT-D payload #0 verified
2011-05-03 09:48:39: INFO: Hashing 109.91.218.68[500] with algo #2
2011-05-03 09:48:39: INFO: NAT-D payload #1 doesn't match
2011-05-03 09:48:39: INFO: NAT detected: PEER
2011-05-03 09:48:39: INFO: Hashing 109.91.218.68[500] with algo #2
2011-05-03 09:48:39: INFO: Hashing 85.10.196.195[500] with algo #2
2011-05-03 09:48:39: INFO: Adding remote and local NAT-D payloads.
2011-05-03 09:48:39: INFO: NAT-T: ports changed to: 109.91.218.68[38702]<->85.10.196.195[4500]
2011-05-03 09:48:39: INFO: KA list add: 85.10.196.195[4500]->109.91.218.68[38702]
2011-05-03 09:48:39: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=Hessen/L=Giessen/O=Roessner-Network-Solutions/OU=IPsec/CN=rem01.roessner-net.de/emailAddress=c@g33k5.de
2011-05-03 09:48:39: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=Hessen/O=Roessner-Network-Solutions/OU=R.N.S. RootCA/CN=Certificate Authority/emailAddress=c@g33k5.de
2011-05-03 09:48:39: INFO: Sending Xauth request
2011-05-03 09:48:39: INFO: ISAKMP-SA established 85.10.196.195[4500]-109.91.218.68[38702] spi:aa1107c418b84a24:5e390c1a66ca1f17
2011-05-03 09:48:39: ERROR: ignore information because the message is too short - 76 byte(s).
2011-05-03 09:49:25: INFO: DPD: remote (ISAKMP-SA spi=aa1107c418b84a24:5e390c1a66ca1f17) seems to be dead.
2011-05-03 09:49:25: INFO: purging ISAKMP-SA spi=aa1107c418b84a24:5e390c1a66ca1f17.
2011-05-03 09:49:25: INFO: purged ISAKMP-SA spi=aa1107c418b84a24:5e390c1a66ca1f17.
2011-05-03 09:49:26: INFO: ISAKMP-SA deleted 85.10.196.195[4500]-109.91.218.68[38702] spi:aa1107c418b84a24:5e390c1a66ca1f17
2011-05-03 09:49:26: INFO: KA remove: 85.10.196.195[4500]->109.91.218.68[38702]
2011-05-03 09:49:26: INFO: unsupported PF_KEY message REGISTER
```

What does the "ERROR: ignore information because the message is too short - 76 byte(s)." mean?

Thanks in advance

Christian
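The "ignore information" line is racoon's Informational-exchange handler discarding a message it received right after the ISAKMP SA came up, and nothing in this thread shows what that 76-byte message contains. The way to find out is to capture UDP 500/4500 on the server (here the SA moved to 4500 because NAT was detected) and decode the datagram. The following is an added example, not code from this post or from ipsec-tools: it strips the RFC 3948 non-ESP marker that precedes IKE on port 4500, unpacks the 28-byte ISAKMP fixed header (RFC 2408), checks the header's Length field against the bytes actually received, and walks the payload chain when the E flag is clear. The sample datagrams are constructed; only the cookie pair is taken from streamkid's log (racoon prints an ISAKMP SA's cookies after "spi:"), and the 48-byte body is filler standing in for ciphertext.

```python
"""Decode the ISAKMP fixed header of a captured IKEv1 datagram (RFC 2408).

Added example, not code from the thread or from ipsec-tools.  Strips the
RFC 3948 non-ESP marker on UDP 4500, unpacks the 28-byte fixed header,
checks the Length field against what arrived, and walks the payload chain
of cleartext messages.  Sample datagrams are constructed; only the cookie
pair comes from streamkid's racoon log.
"""
import struct

HDR = struct.Struct("!8s8sBBBBII")   # I-cookie, R-cookie, next payload, version, exchange, flags, msg id, length
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode", 33: "New Group"}
PAYLOAD_TYPES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID", 14: "ATTR",
                 20: "NAT-D", 21: "NAT-OA"}
FLAG_E, FLAG_C, FLAG_A = 0x01, 0x02, 0x04
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def strip_natt_marker(udp_payload, dst_port):
    """On UDP 4500 IKE is prefixed by four zero bytes; ESP-in-UDP carries a
    non-zero SPI there instead, so the marker also tells the two apart."""
    if dst_port != 4500:
        return udp_payload
    if udp_payload[:4] != NON_ESP_MARKER:
        raise ValueError("UDP 4500 payload without non-ESP marker: ESP, not IKE")
    return udp_payload[4:]


def parse_header(msg):
    if len(msg) < HDR.size:
        raise ValueError("truncated ISAKMP header: %d bytes" % len(msg))
    icky, rcky, np, ver, xchg, flags, msgid, length = HDR.unpack_from(msg)
    return {
        "spi": "%s:%s" % (icky.hex(), rcky.hex()),   # racoon's "spi:" notation
        "next_payload": np,
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": EXCHANGE_TYPES.get(xchg, "type %d" % xchg),
        "encrypted": bool(flags & FLAG_E),
        "message_id": msgid,
        "length": length,            # what the sender claims
        "received": len(msg),        # what actually arrived
        "length_ok": length == len(msg),
    }


def walk_payloads(msg, hdr):
    """Payload type names in chain order; [] for an encrypted body, which
    cannot be walked without the phase 1 keys."""
    if hdr["encrypted"]:
        return []
    names, np, off = [], hdr["next_payload"], HDR.size
    while np != 0:
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past the end of the message")
        nxt, _reserved, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        names.append(PAYLOAD_TYPES.get(np, "type %d" % np))
        np, off = nxt, off + plen
    return names


def decode_datagram(udp_payload, dst_port):
    msg = strip_natt_marker(udp_payload, dst_port)
    hdr = parse_header(msg)
    hdr["payloads"] = walk_payloads(msg, hdr)
    return hdr


# Constructed: an encrypted Informational exchange of 76 bytes on UDP 4500 with
# the cookie pair from streamkid's log.  The body is filler, not ciphertext.
COOKIES = bytes.fromhex("f087f2454173d228") + bytes.fromhex("1ceb437d5377d343")
BODY = bytes(range(48))
SAMPLE_4500 = NON_ESP_MARKER + HDR.pack(
    COOKIES[:8], COOKIES[8:], 8, 0x10, 5, FLAG_E, 0x0BADCAFE, HDR.size + len(BODY)) + BODY

# Constructed: a cleartext Informational on UDP 500 with one Notify payload
# (DOI 1 = IPsec, protocol 1 = ISAKMP, SPI size 0, type 24578 = INITIAL-CONTACT).
NOTIFY = struct.pack("!BBH", 0, 0, 12) + struct.pack("!IBBH", 1, 1, 0, 24578)
SAMPLE_500 = HDR.pack(COOKIES[:8], COOKIES[8:], 11, 0x10, 5, 0, 1, HDR.size + len(NOTIFY)) + NOTIFY

if __name__ == "__main__":
    for port, pkt in ((4500, SAMPLE_4500), (500, SAMPLE_500)):
        print(port, decode_datagram(pkt, port))
```

Feed it the UDP payload of the packet that arrives right after the XAuth request (for example from `tcpdump -s0 -w` and a capture reader of your choice): the `spi` field lets you match the datagram to racoon's `ISAKMP-SA established ... spi:` line, `length` versus `received` tells you whether the 76 bytes racoon reports are what the client put in the header, and a set `encrypted` flag means the payload types can only be recovered by racoon itself with its log level raised.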

----------

