# [SOLVED]  Can't get racoon going on client

## MickKi

Hi All,

I have been trying for some time now to set up a road warrior VPN client so that I can connect to my home router and administer machines on the LAN.

No matter what I've tried I cannot get a network configured via racoon.  Could some kind soul give me a nudge in troubleshooting this?

On the home router I have:

```
public IP:  123.456.78.9
LAN:  10.10.10.0/24
router LAN IP:  10.10.10.1

respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2
crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel
```

On the laptop, I have this in the racoon.conf:

EDIT:  I've added some comments in here from errors I discovered later on.

```
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
        # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
#       script "/etc/racoon/phase1_up_down.sh" phase1_up;
#       script "/etc/racoon/phase1_up_downdown.sh" phase1_down;
        proposal {
                encryption_algorithm aes;   # <-- This was wrong: should have been "aes 256" to match the router
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;       # <-- This was probably wrong: should have matched the router's setting
        encryption_algorithm aes;   # <-- This was wrong: should have been "aes 256" to match the router
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

I connect to the Internet using my mobile and I get this from the ISP:

```
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG        0 0          0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
```

Where 193.30.166.3 is the ISP's gateway.  The ppp0 ip address is 10.149.124.40:

```
# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)
```

Now the problem is that upon starting racoon I do not see a tunnel being formed and indeed I cannot connect to machines in the LAN.  This is from the log: [snip ...]

I've experimented with NAT on/off, etc, in racoon.conf but no joy.  No additional routes seem to be created and the router logs do not show anything attempting a connection.

I get this error in the log:

```
Nov 20 23:03:12 dell_xps racoon: DEBUG: pk_recv: retry[0] recv() 
Nov 20 23:03:12 dell_xps racoon: DEBUG: pk_recv: retry[0] recv() 
Nov 20 23:03:12 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 20 23:03:12 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 20 23:03:12 dell_xps racoon: DEBUG2: 
Nov 20 23:03:12 dell_xps racoon: DEBUG2: 
Nov 20 23:03:12 dell_xps 02120200 02000000 00000000 0f1d0000
Nov 20 23:03:12 dell_xps 02120200 02000000 00000000 0f1d0000
Nov 20 23:03:12 dell_xps 02120200 02000000 00000000 0f1d0000
Nov 20 23:03:12 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
Nov 20 23:03:12 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
```

What does it mean?  Where should I look next?

EDIT:  This means that there is no tunnel.  The phase1-up script that I used did not work.  Later on I found the scripts installed with racoon for roadwarrior client machines.  However, they don't work either!

To get it working I had to manually set up routes in ipsec.conf and also set up the router VPN pool as a gateway in the client, to tunnel LAN addresses through.  Will write this up if I get time one day.

----------

## MickKi

[snip ...]

----------

## AngelKnight

*MickKi wrote:*

> OK, I've tried connecting from a different location.
>
> I added these lines in /etc/ipsec.conf and it now seems to set the correct associations in the logs but the routing table still does not show anything related to the VPN server or LAN, only the current ISP routing.  The previous "pfkey X_SPDDUMP failed" error is gone.

You won't see anything; on Linux, IPsec for IPv4 doesn't result in any additions or changes to the FIB.  All of the related adjustments appear in the Security Policy Database.

In your previous config you didn't supply a DH group for phase2; might be useful to explicitly set it there also.
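The two mistakes MickKi annotated in the first post's racoon.conf (a bare `aes` where the router wants 256-bit keys, in both the phase 1 proposal and the sainfo block) and AngelKnight's point above (no DH group for phase 2) are all proposal mismatches that racoon only reports at negotiation time. The checker below, an added example that is not part of this thread or of ipsec-tools, parses the `remote { proposal { } }` and `sainfo { }` blocks of a racoon.conf and compares them against the responder's parameters as the router listed them. The embedded config is a constructed copy of the posted one; the router dictionaries, the 128-bit default assumed for a bare `aes`, and all function names are this example's own assumptions.

```python
"""Compare a racoon.conf road-warrior client against the router's IKE phase 1 / IPsec phase 2 settings."""
import re

# Constructed sample: the client racoon.conf from the thread, trimmed to the blocks that matter.
SAMPLE_RACOON_CONF = """
remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
"""

# Router side as the original post lists it: aes-256-cbc, sha, DH group 2, pre-shared key (assumed mapping).
ROUTER_PHASE1 = {"encryption": "aes", "keylen": 256, "hash": "sha1", "dh_group": "2", "auth": "pre_shared_key"}
ROUTER_PHASE2 = {"encryption": "aes", "keylen": 256, "auth": "hmac_sha1"}

DEFAULT_AES_KEYLEN = 128  # assumption: racoon uses 128-bit keys when 'aes' carries no key length
_DH_ALIASES = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}


def _strip_comments(text):
    """Drop everything after '#' on each line (racoon.conf comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _block_body(text, header):
    """Return the body of the first 'header { ... }' block, honouring nested braces; None if absent."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    start = i
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]


def _statements(body):
    """Map each 'keyword arg arg;' statement to its argument tokens."""
    out = {}
    for stmt in body.split(";"):
        toks = stmt.split()
        if toks:
            out[toks[0]] = toks[1:]
    return out


def _check_cipher(stmts, want, phase, problems):
    enc = stmts.get("encryption_algorithm", [])
    name = enc[0] if enc else None
    if name != want["encryption"]:
        problems.append(f"{phase}: encryption_algorithm {name!r}, router wants {want['encryption']!r}")
        return
    keylen = int(enc[1]) if len(enc) > 1 else DEFAULT_AES_KEYLEN
    if keylen != want["keylen"]:
        problems.append(f"{phase}: {name} key length {keylen}, router wants {want['keylen']} "
                        f"(write 'encryption_algorithm {name} {want['keylen']};')")


def check_proposals(conf_text, router_p1=ROUTER_PHASE1, router_p2=ROUTER_PHASE2):
    """Return a list of mismatches between the client config and the router; empty means they agree."""
    text = _strip_comments(conf_text)
    problems = []
    remote = _block_body(text, r"remote\s+\S+")
    proposal = _block_body(remote, r"proposal") if remote is not None else None
    if proposal is None:
        return ["no 'remote ... { proposal { } }' block found"]
    p1 = _statements(proposal)
    _check_cipher(p1, router_p1, "phase1", problems)
    if p1.get("hash_algorithm", [None])[0] != router_p1["hash"]:
        problems.append(f"phase1: hash_algorithm differs from router ({router_p1['hash']})")
    dh = p1.get("dh_group", [None])[0]
    if _DH_ALIASES.get(dh, dh) != router_p1["dh_group"]:
        problems.append(f"phase1: dh_group {dh!r}, router wants group {router_p1['dh_group']}")
    if p1.get("authentication_method", [None])[0] != router_p1["auth"]:
        problems.append(f"phase1: authentication_method differs from router ({router_p1['auth']})")
    sainfo = _block_body(text, r"sainfo[^{]*")
    if sainfo is None:
        problems.append("phase2: no sainfo block found")
        return problems
    p2 = _statements(sainfo)
    _check_cipher(p2, router_p2, "phase2", problems)
    if p2.get("authentication_algorithm", [None])[0] != router_p2["auth"]:
        problems.append(f"phase2: authentication_algorithm differs from router ({router_p2['auth']})")
    if "pfs_group" not in p2:
        problems.append("phase2: no pfs_group in sainfo; set the DH group explicitly (e.g. 'pfs_group 2;')")
    return problems


if __name__ == "__main__":
    for p in check_proposals(SAMPLE_RACOON_CONF) or ["client and router proposals agree"]:
        print(p)
```

Run against the posted config it reports exactly the three issues the thread converged on: the 128-bit default in phase 1, the same in phase 2, and the missing `pfs_group`. The router-side dictionaries are the part to edit for another responder; racoon's `proposal_check obey` only relaxes lifetime checking, so cipher and key-length mismatches still have to be fixed in the file.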

----------

## MickKi

[snip ...]

----------

## MickKi

OK, I think I know what's the problem ...  routing is not being set up.

The phase_up_down.sh scripts are not working.

I also tried the scripts shown here:  http://en.gentoo-wiki.com/wiki/VPN_iPhone_IPSec but they do not work either.

Should something like echo ${INTERNAL_ADDR4} show something?  It returns nothing here.

----------

## MickKi

OK, after searching around I discovered that ipsec-tools actually drops in some scripts (I wish an enotice told me so!!!)

Looking at /usr/share/doc I found just what I needed for my roadwarrior configuration:

```
$ ls -la /usr/share/doc/ipsec-tools-0.7.3-r1/samples/roadwarrior/client/
total 20
drwxr-xr-x 2 root root 4096 Nov 15 15:56 .
drwxr-xr-x 4 root root 4096 Nov 15 15:56 ..
-rw-r--r-- 1 root root  875 Nov 15 15:56 phase1-down.sh.bz2
-rw-r--r-- 1 root root  911 Nov 15 15:56 phase1-up.sh.bz2
-rw-r--r-- 1 root root  445 Nov 15 15:56 racoon.conf.bz2
```

Copied them in /etc/racoon/scripts/, unpacked them, removed the spdadd entries in my /etc/ipsec.conf, and fired up /etc/init.d/racoon ...

```
Nov 30 21:00:02 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 30 21:00:02 dell_xps racoon: DEBUG: call pfkey_send_register for AH
Nov 30 21:00:03 dell_xps racoon: DEBUG: call pfkey_send_register for ESP
Nov 30 21:00:03 dell_xps racoon: DEBUG: call pfkey_send_register for IPCOMP
Nov 30 21:00:03 dell_xps racoon: DEBUG: reading config file /etc/racoon/racoon.conf
Nov 30 21:00:03 dell_xps racoon: DEBUG2: lifetime = 28800
Nov 30 21:00:03 dell_xps racoon: DEBUG2: lifebyte = 0
Nov 30 21:00:03 dell_xps racoon: DEBUG2: encklen=256
Nov 30 21:00:03 dell_xps racoon: DEBUG2: p:1 t:1
Nov 30 21:00:03 dell_xps racoon: DEBUG2: AES-CBC(7)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: SHA(2)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: 1024-bit MODP group(2)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: pre-shared key(1)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: 
Nov 30 21:00:03 dell_xps racoon: DEBUG: hmac(modp1024)
Nov 30 21:00:03 dell_xps racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Nov 30 21:00:03 dell_xps racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
Nov 30 21:00:03 dell_xps racoon: DEBUG: getsainfo pass #2
Nov 30 21:00:03 dell_xps racoon: DEBUG2: parse successed.
Nov 30 21:00:03 dell_xps racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: fe80::226:b9ff:fe20:b49c%eth0 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: ::1 (lo)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 10.10.10.7 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 127.0.0.1 (lo)
Nov 30 21:00:03 dell_xps racoon: DEBUG: configuring default isakmp port.
Nov 30 21:00:03 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 30 21:00:03 dell_xps racoon: DEBUG: 8 addrs are configured successfully
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[500] used as isakmp port (fd=9)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[4500] used as isakmp port (fd=10)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[4500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[500] used as isakmp port (fd=13)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[4500] used as isakmp port (fd=14)
Nov 30 21:00:03 dell_xps racoon: DEBUG: pk_recv: retry[0] recv() 
Nov 30 21:00:03 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 30 21:00:03 dell_xps racoon: DEBUG2: 
Nov 30 21:00:03 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
```

What is the error "pfkey X_SPDDUMP failed: No such file or directory" about?  Is this because I have no spdadd entries in my ipsec.conf?  Aren't these meant to be created via mode_cfg?

EDIT:  Yes, they are meant to be created by the scripts, which however do not work as written.  I succeeded in getting this working after setting up routes manually using ip route add <LAN subnet> via <VPN pool address> dev eth0
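The startup log above contains everything needed to answer the "is there a tunnel?" question before any traffic is sent: the parsed phase 1 parameters, every socket racoon bound, whether NAT-T is on, and the `X_SPDDUMP failed: No such file or directory` line, which the thread establishes means the kernel SPD is empty (AngelKnight's reply confirms it disappears once spdadd policies exist). The triage script below is an added example, not code from this thread or from ipsec-tools; it parses those log lines into a summary and prints two defender-side findings: an empty SPD, and racoon listening on loopback and link-local addresses as well as the LAN one. The log lines embedded in it are a constructed subset of the ones MickKi posted, and all function and field names are this example's own.

```python
"""Triage a racoon startup log: what it bound, whether NAT-T is on, and whether the SPD is empty."""
import re

# Constructed sample: a subset of the racoon log posted in the thread.
SAMPLE_LOG = """\
Nov 30 21:00:02 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 30 21:00:03 dell_xps racoon: DEBUG2: encklen=256
Nov 30 21:00:03 dell_xps racoon: DEBUG2: AES-CBC(7)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: fe80::226:b9ff:fe20:b49c%eth0 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: ::1 (lo)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 10.10.10.7 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 127.0.0.1 (lo)
Nov 30 21:00:03 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[500] used as isakmp port (fd=9)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[4500] used as isakmp port (fd=10)
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[500] used as isakmp port (fd=13)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[4500] used as isakmp port (fd=14)
Nov 30 21:00:03 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 30 21:00:03 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
"""

_RE_CONF = re.compile(r'INFO: Reading configuration from "([^"]+)"')
_RE_IFACE = re.compile(r"DEBUG: my interface: (\S+) \((\S+)\)")
_RE_SOCK = re.compile(r"INFO: ([^\s\[]+)\[(\d+)\] used as isakmp port")
_RE_ENCKLEN = re.compile(r"DEBUG2: encklen=(\d+)")


def _is_local_only(addr):
    """Loopback or IPv6 link-local: a road-warrior peer can never reach these."""
    return addr in ("127.0.0.1", "::1") or addr.lower().startswith("fe80:")


def triage_racoon_log(log_text):
    """Summarise one racoon start-up log; 'diagnosis' lists the findings a defender should act on."""
    summary = {"config": None, "nat_t": False, "interfaces": [], "isakmp_sockets": [],
               "phase1_encklen": None, "spd_dump_failed": False, "diagnosis": []}
    for line in log_text.splitlines():
        m = _RE_CONF.search(line)
        if m:
            summary["config"] = m.group(1)
            continue
        m = _RE_IFACE.search(line)
        if m:
            summary["interfaces"].append((m.group(1), m.group(2)))
            continue
        m = _RE_SOCK.search(line)
        if m:
            summary["isakmp_sockets"].append((m.group(1), int(m.group(2))))
            continue
        m = _RE_ENCKLEN.search(line)
        if m:
            summary["phase1_encklen"] = int(m.group(1))
        elif "NAT-T is enabled" in line:
            summary["nat_t"] = True
        elif "pfkey X_SPDDUMP failed" in line:
            summary["spd_dump_failed"] = True

    if summary["spd_dump_failed"]:
        summary["diagnosis"].append(
            "kernel SPD is empty (X_SPDDUMP returned ENOENT): no spdadd policy exists and the "
            "phase1-up script installed none, so no packet will ever be selected for the tunnel; "
            "confirm with 'setkey -DP' after phase 1 completes")
    local = sorted({a for a, _ in summary["isakmp_sockets"] if _is_local_only(a)})
    if local:
        summary["diagnosis"].append(
            "racoon bound IKE sockets on unreachable addresses " + ", ".join(local) +
            "; restrict exposure with 'listen { isakmp <LAN addr> [500]; isakmp_natt <LAN addr> [4500]; }'")
    return summary


if __name__ == "__main__":
    s = triage_racoon_log(SAMPLE_LOG)
    print("config:", s["config"], "| NAT-T:", s["nat_t"], "| phase1 key bits:", s["phase1_encklen"])
    print("isakmp sockets:", s["isakmp_sockets"])
    for d in s["diagnosis"]:
        print("-", d)
```

The eight socket tuples it returns match the log's own "8 addrs are configured successfully" line, and the 256 in `phase1_encklen` shows the `aes 256` fix from the first post took effect. The empty-SPD finding is the one that matters for this thread: it is the same condition whether the policies were meant to come from `spdadd` lines in ipsec.conf or from the mode_cfg phase1-up script, so checking for it is the quickest way to tell a script that silently did nothing from one that worked.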

----------

