Fun with IPSEC and racoon - 5.2.1

Richard Stevenson richard at endace.com
Wed Apr 7 18:40:18 PDT 2004


Hi

I've been having some fun with IPSEC, owing to the need to put in a VPN
between two offices.  At the far end, they've got a PIX, and I was pretty
sure I could do this end with one of our FreeBSD boxen.  As an experiment,
I set up IPSEC (with keying provided by Racoon) between my (linux) desktop
and that FreeBSD machine.  That worked Just Fine.

The problem comes in when I look at upgrading said BSD system, because
it's running 5.0 (which doesn't get security patches any more).  I
installed a 5.2.1 system onto another box and tried setting up IPSEC with
that.  If I use fixed keys, it just goes, but I want to use IKE.  I set up
Racoon, copied the configuration files from the 5.0 system (just changing
the IP addresses, where necessary, in /etc/ipsec.conf and
/usr/local/etc/racoon/psk.txt - I'm using "remote anonymous" and "sainfo
anonymous" for the policy side), and it all falls apart.

Racoon on the FreeBSD box is seeing the requests from the Linux box, and
is even trying to reply (it finds the psk fine, and has matching
policies... I just didn't want to send a 200kB message to the list):

2004-04-08 13:03:22: DEBUG: isakmp.c:233:isakmp_handler(): ===
2004-04-08 13:03:22: DEBUG: isakmp.c:234:isakmp_handler(): 248 bytes message received from 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: plog.c:193:plogdump():
2004-04-08 13:03:22: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.64.57[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.64.57[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:425:sendfromto(): send packet to 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 292 bytes message will be sent to 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: plog.c:193:plogdump():
2004-04-08 13:03:22: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 192.168.64.11[500].

The problem is that the reply packet never gets onto the wire - tcpdump on
the FreeBSD box shows absolutely nothing going back out again.  My
firewall configuration is "open":

gaspra: ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

I just installed Racoon from ports this morning, so that's recent, at
least:

/usr/ports/distfiles/racoon-20040401a.tar.gz

Is there another part of this brick wall I should be bashing my head
against?  Can anyone enlighten me, or is there perhaps a better place to
ask questions about the KAME side of things?

Many thanks

Richard


-- 
Richard Stevenson
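A small log-correlation script, added here and not part of Richard's post or of racoon itself, that reads racoon debug output in the format quoted above and flags peers that keep retransmitting after racoon reports having handed a reply to the socket, which is exactly the symptom described. The sample log lines are constructed to mirror the quoted format.

```python
import re
from collections import defaultdict

# Constructed sample of racoon debug output, modelled on the lines quoted
# in the post: a peer sends a Phase 1 request, racoon hands a reply to the
# socket, and the peer keeps retransmitting the same request because the
# reply never reaches it. A second, healthy peer is included for contrast.
SAMPLE_LOG = """\
2004-04-08 13:03:22: DEBUG: isakmp.c:234:isakmp_handler(): 248 bytes message received from 192.168.64.11[500]
2004-04-08 13:03:22: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 292 bytes message will be sent to 192.168.64.11[500]
2004-04-08 13:03:22: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 192.168.64.11[500].
2004-04-08 13:03:32: DEBUG: isakmp.c:234:isakmp_handler(): 248 bytes message received from 192.168.64.11[500]
2004-04-08 13:03:32: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 192.168.64.11[500].
2004-04-08 13:04:01: DEBUG: isakmp.c:234:isakmp_handler(): 248 bytes message received from 10.0.0.5[500]
2004-04-08 13:04:01: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 292 bytes message will be sent to 10.0.0.5[500]
"""

RECV = re.compile(r"(\d+) bytes message received from ([\d.]+)\[\d+\]")
SEND = re.compile(r"(\d+) times of (\d+) bytes message will be sent to ([\d.]+)\[\d+\]")
RETX = re.compile(r"the packet is retransmitted by ([\d.]+)\[\d+\]")


def summarize(log_text):
    """Count, per peer address, requests received, replies racoon says it
    sent, and incoming packets racoon flagged as retransmissions."""
    peers = defaultdict(lambda: {"received": 0, "sent": 0, "retransmits": 0})
    for line in log_text.splitlines():
        if m := RECV.search(line):
            peers[m.group(2)]["received"] += 1
        elif m := SEND.search(line):
            peers[m.group(3)]["sent"] += int(m.group(1))
        elif m := RETX.search(line):
            peers[m.group(1)]["retransmits"] += 1
    return dict(peers)


def stuck_peers(summary):
    """Peers for which racoon claims to have sent a reply yet still sees the
    peer retransmitting: the reply is being lost below racoon (socket, ipfw,
    routing, or the wire), so the next check is tcpdump on the outbound
    interface for udp port 500 rather than further racoon.conf changes."""
    return sorted(p for p, c in summary.items()
                  if c["sent"] > 0 and c["retransmits"] > 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for peer, counts in sorted(s.items()):
        print(peer, counts)
    print("stuck:", stuck_peers(s))
```

Feed it a real log with `summarize(open("/var/log/racoon.log").read())`; a peer listed by `stuck_peers` is one where racoon is not the component to debug next.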
