# Racoon Road Warrior Mode

## lordkur

Hi gang: 

I've been trying to set up a VPN connection from my Gentoo box (which is NATed) to a remote site (VPN server: a Fortigate), without success. This is the schema:

```
| Gentoo BOX | -----LAN------ |    GW    | -----------Internet--------------- | Fortigate |
```

Gentoo Box = it has a private address (192.168.0.5)

GW = it has a public address

Fortigate = (public address) / private (10.10.33.3)

Even though I don't have control of the GW on my side, I know that it's not configured to block IPsec traffic. I am using racoon NAT mode. I got a bunch of errors trying to establish phase 1:

```
May 11 17:00:40 pbx racoon: DEBUG: 344 bytes from 192.168.0.5[500] to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: sockname 192.168.0.5[4500]
May 11 17:00:40 pbx racoon: DEBUG: send packet from 192.168.0.5[500]
May 11 17:00:40 pbx racoon: DEBUG: send packet to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: src4 192.168.0.5[500]
May 11 17:00:40 pbx racoon: DEBUG: dst4 fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG: 1 times of 344 bytes message will be sent to fortigatepubIP[500]
May 11 17:00:40 pbx racoon: DEBUG:  26b5ff7d 250ecc69 00000000 00000000 01100400 00000000 00000158 04000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c708080010005 80030001 80020001 80040002 0a000084 c5e86a86 49bce442 6a382510 4071f725 debf6bab 637bc46b 74f7986d 95611148 5a03d78e 725825ba 17d2e8a6 9ef652fb e99fad17 5ed026f4 3f045fd57a771804 a09ec567 995621b4 061be8ac 3dc1da11 84c16820 8e25f2d3 3d7e6199 48b7324f dcc5c2c1 ee02fbd9 1439fb10 dc615ca4 13707cca 279711ef b9883648 b8c00ccd 05000014 bce3ce32 42d9a7e7ebc69f09 cd6e6b13 0d00000c 011101f4 c0a80005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
May 11 17:00:40 pbx racoon: DEBUG: resend phase1 packet 26b5ff7d250ecc69:0000000000000000
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:42 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:43 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:44 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:45 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:46 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: extract_port.
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 11 17:00:47 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
```

tcpdump:

```
16:42:57.384025 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:42:57.418894 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:01.526216 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:07.382147 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:07.431404 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.380286 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:17.413990 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:17.525521 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:27.378448 IP 192.168.0.5.ipsec-nat-t > fortigatepubIP.isakmp: isakmp: phase 1 I agg
16:43:27.413383 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:49.519748 IP fortigatepubIP.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 2/others R inf
```

This is my config:

ipsec.conf

```
pbx ~ # cat /etc/ipsec.conf
flush;
spdflush;
spdadd 10.10.33.3/32 192.168.0.5/32 any -P in ipsec esp/tunnel/fortigatepubIP-192.168.0.5/require;
spdadd 192.168.0.5/32 10.10.33.3/32 any -P out ipsec esp/tunnel/192.168.0.5-fortigatepubIP/require;
```

racoon.conf

```
pbx ~ # cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

log debug2;

listen {
        isakmp_natt 192.168.0.5 [4500];
}

timer {
        natt_keepalive 10sec;
}

remote fortigatepubIP
{
        exchange_mode aggressive;
        nat_traversal on;
        my_identifier address;
        lifetime time 28800 seconds;
        initial_contact on;
        proposal_check exact;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

#sainfo anonymous
sainfo address 192.168.0.5/32 any address 10.10.33.3/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 1800 seconds;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
```

I have the config from the Fortigate too. I think that the parameters are equal on both sides:

```
config vpn ipsec phase1
    edit "MY_VPN"
        set type dynamic
        set interface "wan1"
        set dpd disable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-md5
        set mode aggressive
        set psksecret mysecretword
    next
end

config vpn ipsec phase2
    edit "my_def"
        set dhgrp 2
        set dst-addr-type ip
        set keepalive enable
        set pfs enable
        set phase1name "MY_VPN"
        set proposal 3des-md5
        set src-addr-type ip
        set dst-start-ip 192.168.0.5
        set src-start-ip 10.10.33.3
    next
end
```

What can be wrong?

Thanks in advance

----------
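A small log-correlation script for this kind of stalled phase 1, added here as an example; it is not part of the original post and is not racoon's or FortiOS's code. It parses racoon `debug2` lines and tcpdump's one-line ISAKMP summaries of the shape shown above, reports what the two sources agree and disagree on (the port racoon says it sends from versus the socket it is bound to, initiator retransmits versus responder replies actually seen on the wire, and whether the responder sent an informational message), and checks the `listen` block. The sample lines are constructed after the post's output, with the Fortigate's public address replaced by the documentation address 203.0.113.10; the `listen` check assumes racoon binds only the sockets named in that block (`isakmp` for UDP/500, `isakmp_natt` for UDP/4500).

```python
"""Correlate racoon debug output with a tcpdump ISAKMP capture for a stalled
IKEv1 phase 1, and sanity-check the racoon listen block."""
import re

# Constructed sample input, abridged and modelled on the thread's output.
RACOON_LOG = """\
May 11 17:00:40 pbx racoon: DEBUG: sockname 192.168.0.5[4500]
May 11 17:00:40 pbx racoon: DEBUG: send packet from 192.168.0.5[500]
May 11 17:00:40 pbx racoon: DEBUG: send packet to 203.0.113.10[500]
May 11 17:00:40 pbx racoon: DEBUG: resend phase1 packet 26b5ff7d250ecc69:0000000000000000
May 11 17:00:40 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 11 17:00:41 pbx racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
"""

TCPDUMP_LOG = """\
16:42:57.384025 IP 192.168.0.5.ipsec-nat-t > 203.0.113.10.isakmp: isakmp: phase 1 I agg
16:42:57.418894 IP 203.0.113.10.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:07.382147 IP 192.168.0.5.ipsec-nat-t > 203.0.113.10.isakmp: isakmp: phase 1 I agg
16:43:07.431404 IP 203.0.113.10.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 1 R agg
16:43:49.519748 IP 203.0.113.10.isakmp > 192.168.0.5.ipsec-nat-t: isakmp: phase 2/others R inf
"""

RACOON_LISTEN = """\
listen {
    isakmp_natt 192.168.0.5 [4500];
}
"""

# tcpdump prints well-known UDP ports by service name.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

SOCK_RE = re.compile(r"sockname \S+\[(\d+)\]")
SEND_FROM_RE = re.compile(r"send packet from \S+\[(\d+)\]")
PKT_RE = re.compile(r"^(\S+) IP (\S+)\.([\w-]+) > (\S+)\.([\w-]+): isakmp: (.+)$")


def port_of(token):
    """Map a tcpdump port token (service name or number) to an int."""
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    return int(token) if token.isdigit() else None


def summarize_racoon(text):
    """Pull the phase 1 facts that matter out of racoon's debug2 output."""
    s = {"sock_port": None, "send_port": None, "resends": 0, "no_ph1": 0}
    for line in text.splitlines():
        if m := SOCK_RE.search(line):
            s["sock_port"] = int(m.group(1))
        elif m := SEND_FROM_RE.search(line):
            s["send_port"] = int(m.group(1))
        elif "resend phase1 packet" in line:
            s["resends"] += 1
        elif "no established ph1 handler found" in line:
            s["no_ph1"] += 1
    return s


def parse_tcpdump(text):
    """Parse tcpdump's one-line ISAKMP summaries into dicts."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            ts, src, sport, dst, dport, desc = m.groups()
            pkts.append({"ts": ts, "src": src, "sport": port_of(sport),
                         "dst": dst, "dport": port_of(dport), "desc": desc})
    return pkts


def check_listen(conf):
    """Flag a listen block that names isakmp_natt (UDP/4500) but no isakmp (UDP/500).

    Assumption: racoon binds only the sockets the listen block names."""
    block = re.search(r"listen\s*\{(.*?)\}", conf, re.S)
    if not block:
        return None
    body = block.group(1)
    has_500 = re.search(r"^\s*isakmp\s", body, re.M) is not None
    has_4500 = re.search(r"^\s*isakmp_natt\s", body, re.M) is not None
    if has_4500 and not has_500:
        return "listen block has isakmp_natt but no isakmp entry, so only UDP/4500 is bound"
    return None


def analyze(racoon_text, tcpdump_text, conf):
    """Return a list of findings worth checking before touching the config."""
    findings = []
    r = summarize_racoon(racoon_text)
    pkts = parse_tcpdump(tcpdump_text)
    init = [p for p in pkts if p["desc"].startswith("phase 1 I")]
    resp = [p for p in pkts if p["desc"].startswith("phase 1 R")]

    if r["sock_port"] and r["send_port"] and r["sock_port"] != r["send_port"]:
        findings.append(f"racoon logs 'send packet from' UDP/{r['send_port']} "
                        f"but its socket is bound to UDP/{r['sock_port']}")
    # RFC 3947: IKE starts on UDP/500 and floats to UDP/4500 only after the
    # NAT-D payloads have detected a NAT on the path.
    src_ports = sorted({p["sport"] for p in init})
    if src_ports and 500 not in src_ports:
        ports = ", ".join(f"UDP/{p}" for p in src_ports)
        findings.append(f"initiator packets leave from {ports} rather than UDP/500")
    if init and resp and r["no_ph1"]:
        findings.append(f"{len(resp)} responder replies seen on the wire, yet racoon "
                        f"reports no established ph1 handler {r['no_ph1']} times")
    if any(p["desc"].startswith("phase 2/others R inf") for p in pkts):
        findings.append("responder sent an ISAKMP informational message; decode its "
                        "notify payload (tcpdump -vv) for the rejection reason")
    if f := check_listen(conf):
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyze(RACOON_LOG, TCPDUMP_LOG, RACOON_LISTEN):
        print("-", finding)
```

Run it against the real files (`racoon.log`, the tcpdump output and `/etc/racoon/racoon.conf`) by swapping the constructed strings for `open(...).read()`. The findings are observations to verify, not a diagnosis: the useful next step on a stalled aggressive-mode exchange is usually the responder's informational/notify payload, which names why it rejected the proposal or identity.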

