# Trouble with IPsec (racoon)

## SimbioS

Hi all.

I have a problem setting up "racoon" for my mobile clients (like iPhone).

My conf:

setkey.conf

```
# flush the Security Policy Database before loading the entries below
spdflush;

# outbound: everything towards the server network must be ESP-tunnelled
spdadd 0.0.0.0/0 78.46.79.232/27 any -P out ipsec esp/tunnel/78.46.79.232-0.0.0.0/require;

# inbound: everything from the server network must arrive ESP-tunnelled
spdadd 78.46.79.232/27 0.0.0.0/0 any -P in ipsec esp/tunnel/0.0.0.0-78.46.79.232/require;
```

racoon.conf

```
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

log notify;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp 78.46.79.232 [500];
        isakmp_natt 78.46.79.232 [4500];
        adminsock disabled;
}

timer
{
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address 78.46.79.232;
        peers_identifier fqdn "elastix.flexicam.com";
        nonce_size 16;
        lifetime time 3600 sec;
        ### lifetime time 24 hour;
        initial_contact on;
        proposal_check obey;    # obey, strict, or claim
        proposal {
                encryption_algorithm 3des;
                ### hash_algorithm md5;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 3600 sec;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 3600 sec;
        ### lifetime time 24 hour;
        encryption_algorithm 3des;
        ### authentication_algorithm hmac_md5;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

psk.txt

```
# <peer identifier>   <pre-shared key>
pizdec.net      password
```

After starting racoon in debug mode, I see the following:

```
2011-06-08 13:57:02: ERROR: no policy found: 10.71.10.71/32[0] 78.46.79.232/32[0] proto=any dir=in
2011-06-08 13:57:02: ERROR: failed to get proposal for responder.
2011-06-08 13:57:02: ERROR: failed to pre-process packet.
```

Here 10.71.10.71 is the IP address of my local PC. I tested from the PC (IPsec client "TheGreenBow IPSec VPN Client").

Many thanks for your help.

----------

## AngelKnight

*SimbioS wrote:*

> Hi all.
> 
> I have a problem setting up "racoon" for my mobile clients (like iPhone).
> 
> My conf:
> ...

Racoon's debug has told you exactly: the policy it tried to negotiate was for 10.71.10.71/32 on one end and 78.46.79.232/32 on the racoon end.  The Security Policy Database doesn't behave like a routing lookup at all.  I think there are a large number of misunderstandings in your approach.

If you're trying to make the racoon box be a VPN concentrator for dynamic clients, then you need racoon to add the Security Policy Database entries dynamically.

----------
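The point AngelKnight makes is that the static `spdadd` lines can never match: the SPD lookup is keyed on the exact selectors the client proposes in phase 2 (here `10.71.10.71/32` to `78.46.79.232/32`), and a client whose address you do not know in advance cannot be covered by an entry with `0.0.0.0` as a tunnel endpoint. racoon's documented answer for this is `generate_policy on`, which installs the SPD entries itself when each client's phase 2 completes. The following is an added example of a responder-only `racoon.conf` built on that setting; it is not the poster's or the responder's configuration. It reuses the server address from the thread, keeps the same 3DES/SHA1/group 2 proposal, and assumes the PSK file from the thread; the PSK value itself is a placeholder.

```conf
# /etc/racoon/racoon.conf (added example): responder for dynamic clients
path pre_shared_key "/etc/racoon/psk.txt";
log notify;

listen
{
        isakmp 78.46.79.232 [500];
        isakmp_natt 78.46.79.232 [4500];   # NAT-T port, needed for most mobile clients
}

remote anonymous
{
        exchange_mode aggressive,main;
        passive on;                 # only answer, never initiate; required with generate_policy
        generate_policy on;         # add SPD entries for the client's proposed selectors on the fly
        nat_traversal on;           # accept clients behind NAT (iPhone, home networks)
        my_identifier address 78.46.79.232;
        proposal_check obey;        # accept the client's lifetime/PFS proposal
        lifetime time 3600 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

With this in place `setkey.conf` only needs `flush; spdflush;` (or can be left out entirely); the two `spdadd` lines from the original post should be dropped, otherwise they sit in the SPD alongside the generated ones and match nothing. Two caveats a practitioner should keep in mind: `generate_policy` makes the server accept whatever selectors an authenticated client proposes, so the pre-shared key (and `sainfo`/`proposal` restrictions) are the only gate on what gets tunnelled; and the first column of `psk.txt` must equal the identifier the client actually sends in phase 1 (an address, or the FQDN/user-FQDN configured on the client), or the lookup of the key fails before any policy question arises. Check the result with `setkey -DP` after a client connects: the generated in/out entries for that client's `/32` should appear there.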

