# Help with configuring Racoon roadwarrior

## MickKi

Hi All,

I have managed to set up a roadwarrior configuration which sort of works when I run /etc/init.d/racoon start, but only after I set up routes manually.

However, I noticed that neither the phase1-up.sh scripts provided by ipsec-tools, nor racoonctl work with my configuration.

In particular, when I run the phase1-up.sh script no routes are being set up and the only address shown is that of the local gateway ${DEFAULT_GW}. /etc/resolv.conf is not being edited with the DNS resolver of the VPN gateway.

Running racoonctl returns this error:

```
# racoonctl reload-config
send: Bad file descriptor

# racoonctl show-sa isakmp
send: Bad file descriptor
```

I raised a bug but this was closed by the dev, because he was not getting such errors when racoon was configured correctly.  So I thought of asking here for some help with my configuration.

This is my network topology:

```
[Roadwarrior]-10.211.48.75 =====[ISP's gateway]-XXX.XXX.XX.X=====Internet=====YYY.YYY.YY.Y-[My VPN gateway]-10.10.10.254-----10.10.10.0/24-[LAN boxen]
```

The tunnel is created between my laptop, which is configured as a roadwarrior and my router.  The router is configured to send mode_cfg parameters to my laptop.  In particular, the LAN pool of addresses allocated to the roadwarrior is 172.16.1.0/24 and the DNS resolver for the VPN is the router itself at 10.10.10.254.

So, starting from the top this is my /etc/racoon/racoon.conf:

```
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

remote YYY.YYY.YY.Y {
        exchange_mode aggressive;
        certificate_type x509 "RW_cert.pem" "RW_key.pem";
        ca_type x509 "cacert.pem";
        my_identifier asn1dn;
        peers_identifier address "YYY.YYY.YY.Y";
        peers_certfile x509 "router_VPN.pem";
        verify_identifier on;
        nat_traversal on;
        ike_frag on;
        mode_cfg on;
        proposal_check obey;
        script "/etc/racoon/scripts/phase1-up.sh" phase1_up;
        script "/etc/racoon/scripts/phase1-down.sh" phase1_down;
        passive off;
        proposal {
                encryption_algorithm aes 256;
                lifetime time 7080 seconds;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 28800 seconds;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The scripts are unadulterated as provided by ipsec-tools in /usr/share/doc/ipsec-tools-0.8.0-r1/samples/roadwarrior/client/phase1-up.sh.bz2 and phase1-down.sh.bz2:

```
# ls -la /etc/racoon/scripts/
total 16
drwxr-x--- 2 root root 4096 Mar  6 18:46 .
drwxr-xr-x 4 root root 4096 Mar  6 18:54 ..
-rwxr-xr-- 1 root root 2107 Feb 13 14:25 phase1-down.sh
-rwxr-xr-- 1 root root 2255 Feb 13 14:24 phase1-up.sh
```

The /etc/racoon/ipsec.conf contains this:

```
#!/usr/sbin/setkey -f

# Flush SAD and SPD
flush;
spdflush;

#SP for racoon
spdadd 10.10.10.0/24 172.16.1.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YY.Y-10.211.48.75/unique;
spdadd 172.16.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/10.211.48.75-YYY.YYY.YY.Y/unique;
```

The scripts fail to set up any routes or pick up any addresses (local/remote/internal), but as I mentioned, when I ran it by hand to see what gives it manages to pick up the default GW. All other addresses are blank.

To set up a tunnel I have to run manually:

```
ifconfig wlan0:1:0 172.16.1.1
ip route add 10.10.10.0/24 via 172.16.1.1 dev wlan0
```

After that I can ping a box inside the LAN and a connection is eventually established.

Can you see anything amiss with my configuration that explains why the routes are not being established and racoonctl barfs?

----------

## blueness

I reproduced the problem and found the solution.  Your listen paragraph in racoon.conf should be:

```
listen {
        adminsock "/var/lib/racoon/racoon.sock" "root" "operator" 0660;
}
```

Note your path is "/var/racoon/racoon.sock", which is not legit. racoon then crashes and you get the "send: Bad file descriptor".

If that solves it, post back.  Although about a problem you had, this is a nice little howto on setting up RoadWarrior.
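The thread's fix is a socket path whose directory actually exists. The following is an added pre-start check, not code from the thread or from ipsec-tools: it pulls the adminsock path out of a racoon.conf and verifies the directory the socket must live in is present, so the problem is caught before racoonctl reports "send: Bad file descriptor". The `POSTED_LISTEN` text is a constructed sample and `check_racoon_conf` is a hypothetical helper name.

```shell
# Added example, not part of the thread: a pre-start check for the adminsock
# directive. racoonctl talks to racoon over this UNIX socket; when the path
# points into a directory that does not exist, racoon does not come up and
# racoonctl only ever reports "send: Bad file descriptor".

# Print the socket path from the adminsock directive of a racoon.conf read
# on stdin; prints nothing when the directive is absent.
adminsock_path() {
    sed -n 's/^[[:space:]]*adminsock[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the directory meant to hold the socket exists, 1 otherwise.
adminsock_dir_ok() {
    sock="$1"
    [ -n "$sock" ] || return 1
    [ -d "$(dirname "$sock")" ]
}

# Constructed sample: the listen block as posted, with the bad path.
POSTED_LISTEN='listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}'

# Usage: check_racoon_conf /etc/racoon/racoon.conf  (hypothetical helper)
check_racoon_conf() {
    sock=$(adminsock_path < "$1")
    if adminsock_dir_ok "$sock"; then
        echo "adminsock $sock: directory exists"
    else
        echo "adminsock '${sock:-<none>}': directory missing, racoonctl will fail" >&2
        return 1
    fi
}
```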

----------

## MickKi

Thanks blueness!

I have used the listen directive that is provided in /usr/share/doc/ipsec-tools-0.8.0-r1/samples/roadwarrior/client/racoon.conf.bz2:

> path certificate "/etc/openssl/certs";
> path pre_shared_key "/etc/racoon/psk.txt";
> listen {
> ...

Are you saying that this is incorrect as provided by upstream, only applies to *BSDs, or is Gentoo doing it differently?  Should I add this to the bug I raised?

Anyway, I changed the path to the one you suggest and now the racoonctl command does not produce an error. Thanks!

```
racoonctl show-sa isakmp
Destination            Cookies                           Created
YYY.YYY.YY.Y.4500     f22ccaf15ecb23c4:7bb843c9fae819e0 2012-03-07 12:07:58
```

However, I am not out of the woods yet as far as the phase1-up.sh script and setting up routes are concerned.  The script only shows local gateway like so, when I run it in a terminal, even after I have established a tunnel and phase 2 has been completed:

```
# /etc/racoon/scripts/phase1-up.sh phase1_up
phase1_up
LOCAL_ADDR = 
LOCAL_PORT = 
REMOTE_ADDR = 
REMOTE_PORT = 
DEFAULT_GW = 10.110.63.254
INTERNAL_ADDR4 = 
INTERNAL_NETMASK4 = 
INTERNAL_DNS4 =
```

It will set no routes - I must manually do that with ifconfig and ip.  I must also add policies in /etc/racoon/ipsec.conf (that's the path I use for racoon's ipsec.conf) or nothing much gets configured when racoon is launched.  This is a pain because I have to edit ipsec.conf every time I connect to a different network.  Isn't the idea of these scripts that the routing and policies are set up automatically when /etc/init.d/racoon start is run and /etc/racoon/racoon.conf is loaded?  I am not clear I guess how much of establishing a VPN tunnel is manual effort and how much is scripts doing it for you.
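The blank values in the terminal run above are what racoon's script hook looks like without racoon: the daemon hands LOCAL_ADDR, LOCAL_PORT, REMOTE_ADDR, REMOTE_PORT and, with mode_cfg on, INTERNAL_ADDR4, INTERNAL_NETMASK4 and INTERNAL_DNS4 to the script as environment variables, so a hand-started script sees them empty and only the locally derived DEFAULT_GW survives. The added example below is not the ipsec-tools sample phase1-up.sh; it is a minimal hook of the same shape that validates those variables before emitting the equivalent of the manual ifconfig/ip steps from the thread, and it treats `IFACE` and `VPN_LAN_NET` as hypothetical knobs defaulting to the thread's wlan0 and 10.10.10.0/24.

```shell
#!/bin/sh
# Added example, not the ipsec-tools sample script: a phase1_up hook that
# reads the parameters racoon exports into its environment (LOCAL_ADDR,
# REMOTE_ADDR, INTERNAL_ADDR4, INTERNAL_NETMASK4, INTERNAL_DNS4) and refuses
# to touch routes or the resolver when they are missing, i.e. when the
# script was started from a terminal instead of by racoon.

# Convert the dotted netmask racoon hands over into a prefix length;
# rejects non-contiguous masks such as 255.0.255.0.
mask2prefix() {
    bits=0 tail=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$tail" -eq 1 ] && [ "$octet" != 0 ] && return 1
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); tail=1 ;; 252) bits=$((bits + 6)); tail=1 ;;
            248) bits=$((bits + 5)); tail=1 ;; 240) bits=$((bits + 4)); tail=1 ;;
            224) bits=$((bits + 3)); tail=1 ;; 192) bits=$((bits + 2)); tail=1 ;;
            128) bits=$((bits + 1)); tail=1 ;; 0) tail=1 ;;
            *) return 1 ;;
        esac
    done
    echo "$bits"
}

# True only if racoon supplied the mode_cfg results and the peer address.
params_present() {
    [ -n "$INTERNAL_ADDR4" ] && [ -n "$INTERNAL_NETMASK4" ] && [ -n "$REMOTE_ADDR" ]
}

# Print the commands that recreate the manual steps from the thread with
# racoon's values substituted. IFACE and VPN_LAN_NET are hypothetical
# knobs (assumed defaults: wlan0, 10.10.10.0/24). Review the output, then
# pipe it to sh; nothing is executed here.
tunnel_cmds() {
    params_present || { echo "phase1-up: mode_cfg parameters missing" >&2; return 1; }
    plen=$(mask2prefix "$INTERNAL_NETMASK4") || return 1
    echo "ip addr add ${INTERNAL_ADDR4}/${plen} dev ${IFACE:-wlan0}"
    echo "ip route add ${VPN_LAN_NET:-10.10.10.0/24} via ${INTERNAL_ADDR4} dev ${IFACE:-wlan0}"
    # Only rewrite the resolver when the gateway actually pushed a DNS server.
    [ -z "$INTERNAL_DNS4" ] || echo "echo nameserver ${INTERNAL_DNS4} > /etc/resolv.conf"
}

case "$1" in
    phase1_up) tunnel_cmds ;;
esac
```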

----------

## planckscnst

I have the same problem; I'm pretty sure it's a bug in Racoon. We recently upgraded our Racoon version and the phase1_up script stopped working; phase1_down still works. We're not using Gentoo, so it's not a Gentoo packaging error.

----------

## MickKi

Thanks planckscnst, 

What distro are you using?

I've seen people running CentOS/RHL systems having no problem setting up routes with the scripts provided.

----------

## planckscnst

I'm compiling from source using Buildroot. I've also seen someone else with the problem who posted to the ipsec-tools-users list.

I had my colleague post on the ipsec-tools-devel list about this bug. I haven't yet had time to dive into the source and see what's happening.

Are you sure that users of CentOS/RHEL are using 0.8? The bug did not exist in previous versions. CentOS 5 came with ipsec-tools 0.6.5; CentOS 6 doesn't have an ipsec-tools package at all.

----------

## planckscnst

This morning, I took a look at the source. The script is called potentially from three different places - twice in isakmp_cfg.c (if mode config is requested - one path for initiator, another for the responder) and once in isakmp.c (if mode config is not requested). It looks like if you are using mode config, it only calls the script if you are using an authentication_method of either xauth_rsa_server, xauth_rsa_client, xauth_psk_server or xauth_psk_client. If you are not using mode config, it calls the script unless your authentication_method is xauth_psk_server, xauth_rsa_server, or hybrid_rsa_server.

I looked through the commit messages in the revision history of those files and didn't see anything that would change the behavior since 0.7.2, so I'm still investigating.

----------

## MickKi

Hi planckscnst,

It took me some time to get back to this. I have been using StrongSwan, because it sets up the routes automatically (although it fails to set up DNS). I would still be interested to find out why the Racoon scripts are not working.

I am using mode_cfg, as you can see from my racoon.conf, but I am not using xauth. However, I don't understand why the code would only run the up/down scripts if xauth is used?

----------

