# IPsec phase two has completed, but no traffic goes through

## ASPLP

Hello

IPsec policies are ignored

Post by ASPLP » 2014-05-14 11:45:23

Hi

The gist is this:

10.20.10.83(host)<->216.193.93.179(remote gw)<--->Internet<--->193.148.246.66(gentoo gw)<->172.16.10.0/24(network)

I'm using racoon, and it seems like the traffic ignores the IPsec tunnel rules.

```
Sun ~ # setkey -DP
10.20.10.83[any] 172.16.10.0/24[any] 255
    in prio def ipsec
    esp/tunnel/216.193.93.179-193.148.246.66/require
    created: May 14 08:49:57 2014  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=4440 seq=26 pid=28964
    refcnt=1
172.16.10.0/24[any] 10.20.10.83[any] 255
    out prio def ipsec
    esp/tunnel/193.148.246.66-216.193.93.179/require
    created: May 14 08:49:57 2014  lastused: May 14 08:55:28 2014
    lifetime: 0(s) validtime: 0(s)
    spid=4433 seq=0 pid=28964
    refcnt=2
```

```
Sun ~ # setkey -D
193.148.246.66 216.193.93.179
    esp mode=tunnel spi=2208704428(0x83a627ac) reqid=0(0x00000000)
    E: 3des-cbc  7ad70d0e 59d077f2 13c2734b f08037ee 7003fed7 8961777f
    A: hmac-md5  e1e157bd 53ed8edf b1b101c4 0e78f1eb
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: May 14 08:50:43 2014   current: May 14 09:01:59 2014
    diff: 676(s)   hard: 28800(s)   soft: 23040(s)
    last:                        hard: 0(s)   soft: 0(s)
    current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 0   hard: 0   soft: 0
    sadb_seq=1 pid=29030 refcnt=0
216.193.93.179 193.148.246.66
    esp mode=tunnel spi=3314345(0x003292a9) reqid=0(0x00000000)
    E: 3des-cbc  588a57b6 9be43f4f 8c6b5c7d 612d2601 17f617a8 bff38eb0
    A: hmac-md5  a7f6d395 c2acc243 287ed0fc b863d8f2
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: May 14 08:50:43 2014   current: May 14 09:01:59 2014
    diff: 676(s)   hard: 28800(s)   soft: 23040(s)
    last:                        hard: 0(s)   soft: 0(s)
    current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
    allocated: 0   hard: 0   soft: 0
    sadb_seq=0 pid=29030 refcnt=0
```

```
Sun ~ # cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

# phase 1 (ISAKMP SA) parameters for the remote gateway
remote 216.193.93.179
{
    nat_traversal on;
    exchange_mode main;
    proposal_check claim;
    lifetime time 86400 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 5;
    }
}

# phase 2 (IPsec SA) parameters; the selectors correspond to the SPD entries
sainfo address 172.16.10.0/24 any address 10.20.10.83/32 any
{
    pfs_group 5;
    lifetime time 86400 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
```

```
Sun ~ # cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 172.16.10.0/24 10.20.10.83 any -P out ipsec esp/tunnel/193.148.246.66-216.193.93.179/require;
spdadd 10.20.10.83 172.16.10.0/24 any -P in  ipsec esp/tunnel/216.193.93.179-193.148.246.66/require;
```

Log file:

```
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[500] used as isakmp port (fd=12)
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[4500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 172.16.10.1[4500] used as isakmp port (fd=13)
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[500] used as isakmp port (fd=18)
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[4500] used for NAT-T
May 14 08:49:57 Sun racoon: INFO: 193.148.246.66[4500] used as isakmp port (fd=19)
May 14 08:50:42 Sun racoon: INFO: IPsec-SA request for 216.193.93.179 queued due to no phase1 found.
May 14 08:50:42 Sun racoon: INFO: initiate new phase 1 negotiation: 193.148.246.66[500]<=>216.193.93.179[500]
May 14 08:50:42 Sun racoon: INFO: begin Identity Protection mode.
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 14 08:50:42 Sun racoon: INFO: received broken Microsoft ID: FRAGMENTATION
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Hashing 216.193.93.179[500] with algo #1
May 14 08:50:42 Sun racoon: [193.148.246.66] INFO: Hashing 193.148.246.66[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: Adding remote and local NAT-D payloads.
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: CISCO-UNITY
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
May 14 08:50:42 Sun racoon: [193.148.246.66] INFO: Hashing 193.148.246.66[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: NAT-D payload #0 verified
May 14 08:50:42 Sun racoon: [216.193.93.179] INFO: Hashing 216.193.93.179[500] with algo #1
May 14 08:50:42 Sun racoon: INFO: NAT-D payload #1 verified
May 14 08:50:42 Sun racoon: INFO: NAT not detected
May 14 08:50:42 Sun racoon: INFO: received Vendor ID: DPD
May 14 08:50:42 Sun racoon: WARNING: port 500 expected, but 0
May 14 08:50:42 Sun racoon: INFO: ISAKMP-SA established 193.148.246.66[500]-216.193.93.179[500] spi:d4308f00f105e919:30df322a74ba9f4d
May 14 08:50:43 Sun racoon: INFO: initiate new phase 2 negotiation: 193.148.246.66[500]<=>216.193.93.179[500]
May 14 08:50:43 Sun racoon: INFO: received RESPONDER-LIFETIME: 28800 seconds
May 14 08:50:43 Sun racoon: INFO: IPsec-SA established: ESP/Tunnel 193.148.246.66[500]->216.193.93.179[500] spi=3314345(0x3292a9)
May 14 08:50:43 Sun racoon: INFO: IPsec-SA established: ESP/Tunnel 193.148.246.66[500]->216.193.93.179[500] spi=2208704428(0x83a627ac)
```

As a result I see this:

```
09:31:06.722808 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2413, length 64
09:31:07.730926 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2414, length 64
09:31:08.732133 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2415, length 64
09:31:09.738854 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2416, length 64
09:31:10.746983 IP 193.148.246.66 > 10.20.10.83: ICMP echo request, id 32391, seq 2417, length 64
```

and this:

```
Sun ~ # tcpdump -i eth1 host 216.183.93.178
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
23:11:24.955969 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 ? ident
23:11:24.956322 IP 193.138.246.66 > 216.183.93.178: ICMP 193.138.246.66 udp port isakmp unreachable, length 164
23:11:28.446245 IP 193.138.246.66.isakmp > 216.183.93.178.isakmp: isakmp: phase 1 I ident
23:11:28.592275 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:30.132599 IP 216.183.93.178.ipsec-nat-t > 193.138.246.66.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:30.132773 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:32.956681 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 ? ident
23:11:35.383959 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: isakmp-nat-keep-alive
23:11:36.585266 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:38.588043 IP 193.138.246.66.isakmp > 216.183.93.178.isakmp: isakmp: phase 1 I ident
23:11:38.733409 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:46.724827 IP 216.183.93.178.isakmp > 193.138.246.66.isakmp: isakmp: phase 1 R ident
23:11:50.130288 IP 216.183.93.178.ipsec-nat-t > 193.138.246.66.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
23:11:50.130456 IP 193.138.246.66.ipsec-nat-t > 216.183.93.178.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
```

Thanks for the help!
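The checks a practitioner would run on dumps like the ones in the post above, as an added example that is not part of the original post: it parses `setkey -DP` (SPD) and `setkey -D` (SAD) output, reports SPD entries that have never matched a packet and mature SAs whose byte counter is still zero, and tests which SPD entry, if any, a given source/destination pair would hit. The sample dumps are constructed from the values shown in the post (key material lines dropped); the helper names (`parse_spd`, `parse_sad`, `match_policy`, `diagnose`) are mine, and 172.16.10.1 is taken from the racoon log as the gateway's LAN-side address.

```python
# Added example: parse `setkey -DP` (SPD) and `setkey -D` (SAD) output, then ask whether
# a packet hits an SPD entry at all and whether the ESP SAs ever carried a byte.
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed from the post's dumps; key lines (E:/A:) and lifetimes are omitted.
SPD_DUMP = """\
10.20.10.83[any] 172.16.10.0/24[any] 255
    in prio def ipsec
    esp/tunnel/216.193.93.179-193.148.246.66/require
    created: May 14 08:49:57 2014  lastused:
    spid=4440 seq=26 pid=28964
172.16.10.0/24[any] 10.20.10.83[any] 255
    out prio def ipsec
    esp/tunnel/193.148.246.66-216.193.93.179/require
    created: May 14 08:49:57 2014  lastused: May 14 08:55:28 2014
    spid=4433 seq=0 pid=28964
"""

SAD_DUMP = """\
193.148.246.66 216.193.93.179
    esp mode=tunnel spi=2208704428(0x83a627ac) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
216.193.93.179 193.148.246.66
    esp mode=tunnel spi=3314345(0x003292a9) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)   hard: 0(bytes)   soft: 0(bytes)
"""

@dataclass
class Policy:
    src: object              # inner (pre-encapsulation) selector, an ip_network
    dst: object
    direction: str           # in / out / fwd
    spid: int
    lastused: Optional[str]  # None: the policy has never matched a packet

@dataclass
class SA:
    src: str
    dst: str
    spi: int
    state: str
    nbytes: int              # lifetime "current" byte counter of the SA

def _blocks(dump):
    """Split setkey output into entries; an unindented line starts a new one."""
    blocks = []
    for line in filter(str.strip, dump.splitlines()):
        if line[0] not in " \t":
            blocks.append([])
        blocks[-1].append(line.strip())
    return blocks

def parse_spd(dump):
    """Parse `setkey -DP` into Policy records."""
    out = []
    for hdr, *rest in _blocks(dump):
        body = "\n".join(rest)
        src, dst = re.findall(r"([^\s\[]+)\[", hdr)[:2]
        out.append(Policy(ip_network(src, strict=False), ip_network(dst, strict=False),
                          re.search(r"^(in|out|fwd)\b", body, re.M).group(1),
                          int(re.search(r"spid=(\d+)", body).group(1)),
                          re.search(r"lastused:[ \t]*(.*)$", body, re.M).group(1).strip() or None))
    return out

def parse_sad(dump):
    """Parse `setkey -D` into SA records."""
    out = []
    for hdr, *rest in _blocks(dump):
        body = "\n".join(rest)
        src, dst = hdr.split()[:2]
        out.append(SA(src, dst, int(re.search(r"spi=(\d+)", body).group(1)),
                      re.search(r"state=(\w+)", body).group(1),
                      int(re.search(r"^current:[ \t]*(\d+)\(bytes\)", body, re.M).group(1))))
    return out

def match_policy(policies, src_ip, dst_ip, direction):
    """First SPD entry whose direction and selectors cover the packet, else None."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return next((p for p in policies
                 if p.direction == direction and s in p.src and d in p.dst), None)

def diagnose(policies, sas):
    """Flag policies that never matched a packet and mature SAs that carried nothing."""
    findings = []
    for p in policies:
        if p.lastused is None:
            findings.append(f"spid={p.spid} {p.direction} {p.src}->{p.dst}: never matched a packet")
    for sa in sas:
        if sa.state == "mature" and sa.nbytes == 0:
            findings.append(f"SA spi=0x{sa.spi:08x} {sa.src}->{sa.dst}: mature but carried 0 bytes")
    return findings

if __name__ == "__main__":
    spd, sad = parse_spd(SPD_DUMP), parse_sad(SAD_DUMP)
    print(*diagnose(spd, sad), sep="\n")
    for src in ("193.148.246.66", "172.16.10.1"):  # gateway's own address vs a LAN address
        p = match_policy(spd, src, "10.20.10.83", "out")
        print(src, "-> 10.20.10.83:", f"spid={p.spid}" if p else "no SPD match, leaves unencrypted")
```

With the post's values the script reports that the inbound policy (spid 4440) has never matched and that both SAs are mature with 0 bytes, and it shows that a packet sourced from 193.148.246.66 (the gateway's own address, which is the source in the ICMP capture above) hits no outbound policy, while one sourced from 172.16.10.1 hits spid 4433. That is the check to run before blaming the peer: an SPD entry only protects traffic whose selectors cover both addresses, and anything else leaves in the clear.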

----------

