# IPSec/Racoon Woes

## EddieOfTheRocks

I've been stuck for a few days on an IPSec/Racoon issue. I can't seem to get my machine to actually send out a negotiation request to my server. I set up all my routes, get racoon started, try a ping and nothing. Looking through the log files it seems as though racoon is making some level of effort, but while running wireshark I can see that it isn't actually sending out any ISAKMP whatsoever. There is zero activity on all network interfaces whatsoever.

An interesting tidbit is that if I run a "racoonctl vpn-connect 123.456.789.123", it successfully completes the negotiation and connects. It just isn't usable.

Below are all the necessary details.

/etc/racoon/racoon.conf

```
path certificate "/etc/ssl/certs";

log debug;

remote 123.456.789.123 {
   exchange_mode main;
   certificate_type x509 "/etc/ssl/certs/dorado.crt" "/etc/ssl/private/dorado.key";
   ca_type x509 "/etc/ssl/certs/example-ca.crt";
   peers_certfile x509 "/etc/ssl/certs/whiskey.crt";
   verify_cert on;
   my_identifier fqdn "dorado.example.org";
   peers_identifier fqdn "whiskey.example.org";
   nat_traversal on;
   proposal {
      encryption_algorithm aes;
      hash_algorithm sha256;
      authentication_method rsasig;
      dh_group modp1024;
   }
}

sainfo address 10.0.13.64 any address 10.0.13.0/26 any from fqdn "whiskey.example.org" {
   pfs_group modp1024;
   encryption_algorithm aes;
   authentication_algorithm hmac_sha256;
   compression_algorithm deflate;
}
```

/etc/ipsec-tools.conf

```
flush;
spdflush;

spdadd 10.0.13.64 10.0.13.0/26 any -P out ipsec
   esp/tunnel/0.0.0.0-123.456.789.123/require;

spdadd 10.0.13.0/26 10.0.13.64 any -P in ipsec
   esp/tunnel/123.456.789.123-0.0.0.0/require;
```

/etc/conf.d/net (relevant part)

```
config_dummy0="10.0.13.64 netmask 255.255.255.255 broadcast 10.0.13.64"
routes_dummy0="-host 10.0.13.1
   10.0.13.0/26 via 10.0.13.1"
modules_dummy0="!ifplugd"
```

Racoon Output

This follows from doing a ping 10.0.13.1. Note, as I said before, Wireshark shows zero activity on all network interfaces.

```
2013-09-07 11:37:20: DEBUG: pk_recv: retry[0] recv()
2013-09-07 11:37:20: DEBUG: got pfkey ACQUIRE message
2013-09-07 11:37:20: DEBUG: suitable outbound SP found: 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out.
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c96ec0: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=fwd
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c97140: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: suitable inbound SP found: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in.
2013-09-07 11:37:20: DEBUG: new acquire 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: DEBUG: getsainfo params: loc='10.0.13.64' rmt='10.0.13.0/26' peer='NULL' client='NULL' id=0
2013-09-07 11:37:20: DEBUG: evaluating sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (ANONYMOUS)
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_address)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_subnet)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: selected sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-09-07 11:37:20: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha256)
2013-09-07 11:37:20: DEBUG: in post_acquire
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: INFO: IPsec-SA request for 123.456.789.123 queued due to no phase1 found.
2013-09-07 11:37:20: DEBUG: ===
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: INFO: begin Identity Protection mode.
2013-09-07 11:37:20: DEBUG: new cookie:
f74640cd78778e1f
2013-09-07 11:37:20: DEBUG: add payload of len 52, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 0
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
2013-09-07 11:37:20: ERROR: failed to begin ipsec sa negotication.
```
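The racoon log above is the only evidence of what happened before the "send error", so a small triage parser for that log format is a useful tool to have. This is an added example, not code from the post or from ipsec-tools: it pairs each "initiate new phase 1" line with its cookie and failure reason, and flags the two things a practitioner would check first in this trace (a local endpoint logged as 0.0.0.0, and a send error, which is a local socket failure rather than anything the peer did). The log lines embedded in it are constructed to mirror the post's output.

```python
import re
from dataclasses import dataclass, field

# Log line shape: "<date> <time>: [<peer>] <LEVEL>: <message>" (peer prefix optional)
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: (?:\[[^\]]+\] )?[A-Z]+: (?P<msg>.*)$")
PH1_RE = re.compile(r"initiate new phase 1 negotiation: (?P<loc>\S+)\[\d+\]<=>(?P<rmt>\S+)\[\d+\]")
FAIL_RE = re.compile(r"phase1 negotiation failed due to (?P<reason>.+?)\. (?P<icookie>[0-9a-f]{16}):")

# Constructed sample, modelled on the lines the post shows (not copied from a live host).
SAMPLE_LOG = """\
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: DEBUG: new cookie:
f74640cd78778e1f
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
""".splitlines()

@dataclass
class Phase1Attempt:
    local: str
    remote: str
    cookie: str = ""
    failure: str = ""
    findings: list = field(default_factory=list)

def parse_racoon_log(lines):
    # One Phase1Attempt per "initiate new phase 1" line, with cookie, failure reason and findings.
    attempts, current, want_cookie = [], None, False
    for raw in lines:
        text = raw.strip()
        if want_cookie and re.fullmatch(r"[0-9a-f]{16}", text):  # cookie sits on its own line
            current.cookie, want_cookie = text, False
            continue
        if not (m := LINE_RE.match(text)):
            continue
        msg = m.group("msg")
        if (p := PH1_RE.search(msg)):
            current = Phase1Attempt(p.group("loc"), p.group("rmt"))
            attempts.append(current)
            if current.local in ("0.0.0.0", "::"):
                current.findings.append("local endpoint unspecified: check SPD tunnel endpoints/listen address")
        elif msg == "new cookie:":
            want_cookie = True
        elif (f := FAIL_RE.search(msg)):
            # correlate by initiator cookie; fall back to the most recent attempt
            tgt = next((a for a in attempts if a.cookie == f.group("icookie")), current)
            if tgt is not None:
                tgt.failure = f.group("reason")
                if tgt.failure == "send error":
                    tgt.findings.append("send error is local (socket-level): no ISAKMP packet left the host")
    return attempts
```

Run `parse_racoon_log(SAMPLE_LOG)` or feed it `open("/var/log/racoon.log")`; each returned attempt carries its findings list, which is empty for a negotiation that initiated from a real address and reached the peer.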
