A tunnel between two 5.2-CURRENT laptops with IPsec + racoon

Radek Kozlowski radek at raadradd.com
Tue May 18 09:47:04 PDT 2004


I'm trying to set up a tunnel between two laptops running 5.2-CURRENT, 
connected with a crossover cable, that have and 
addresses respectively.

Here's how I configured the boxes:

[kernel on both]:
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG

[rc.conf on both]:

[/etc/ipsec.conf on]:
spdadd any -P in ipsec 
spdadd any -P out ipsec 

[/etc/ipsec.conf on]:
spdadd any -P in ipsec 
spdadd any -P out ipsec 

I also installed the latest version of racoon from ports. Here's what the 
configuration files look like:

[psk.txt on]:     mypassword

[psk.txt on]:	mypassword

[racoon.conf on both]:
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
#log debug;
padding
{
         maximum_length 20;      # maximum padding length.
         randomize off;          # enable randomize length.
         strict_check off;       # enable strict check.
         exclusive_tail off;     # extract last one octet.
}
listen
{
         isakmp [500]; # on the second box
}
timer
{
         counter 5;              # maximum trying count to send.
         interval 20 sec;        # maximum interval to resend.
         persend 1;              # the number of packets per a send.
         phase1 30 sec;
         phase2 15 sec;
}
remote anonymous
{
         exchange_mode aggressive,main;
         doi ipsec_doi;
         situation identity_only;
         my_identifier address; # on 2nd box
         peers_identifier address; # on 2nd box
         nonce_size 16;
         lifetime time 24 hour;  # sec,min,hour
         initial_contact on;
         support_mip6 on;
         proposal_check obey;    # obey, strict or claim
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key ;
                 dh_group 2 ;
         }
}
sainfo anonymous
{
         pfs_group 1;
         lifetime time 12 hour;
         encryption_algorithm 3des ;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate ;
}

I run setkey -f /etc/ipsec.conf and start racoon -F -v on each box, and 
try to ping one box from another. And that's where I'm stuck:


# racoon -F -v
Foreground mode.
2004-05-18 18:36:43: INFO: main.c:172:main(): @(#)package version 
2004-05-18 18:36:43: INFO: main.c:174:main(): @(#)internal version 
20001216 sakane at kame.net
2004-05-18 18:36:43: INFO: main.c:175:main(): @(#)This product linked 
OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): 
/usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted. 
use "support_proxy".
2004-05-18 18:36:43: INFO: isakmp.c:1368:isakmp_open():[500] 
used as isakmp port (fd=5)
2004-05-18 18:36:53: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new 
phase 1 negotiation:[500]<=>[500]
2004-05-18 18:36:53: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin 
Aggressive mode.
2004-05-18 18:36:53: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't 
find the proper pskey, try to get one by the peer's address.
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA 
2004-05-18 18:36:53: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond 
new phase 2 negotiation:[0]<=>[0]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no 
policy found:[0][0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp_quick.c:1071:quick_r1recv(): failed 
to get proposal for responder.
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to 
pre-process packet.

I'd appreciate any pointers. Thanks in advance.
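An added example, not part of the post above: a small Python triage script for racoon -F output in the format shown in the log. It joins racoon's wrapped continuation lines, then reports whether phase 1 completed, whether phase 2 failed, and the selector racoon could not find in the SPD (the "no policy found" line), which is the value to compare against the spdadd entries on both boxes. The sample log is constructed; the 192.0.2.x addresses are placeholders, not the poster's.

```python
import re

# racoon -F log line format, as in the post's output:
# "<YYYY-MM-DD HH:MM:SS>: <LEVEL>: <file>:<line>:<func>(): <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): "
    r"(?P<src>[\w.]+:\d+:\w+\(\)): ?(?P<msg>.*)$"
)

def parse_racoon_log(text):
    """Parse racoon -F output; lines without a timestamp are wrapped continuations."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif events and line.strip():
            events[-1]["msg"] += " " + line.strip()
    return events

def diagnose(events):
    """Summarise phase 1/2 outcome, the unmatched SPD selector and obsolete keywords."""
    out = {"phase1_established": False, "phase2_failed": False,
           "no_policy": None, "obsolete": []}
    for ev in events:
        src, msg = ev["src"], ev["msg"]
        if "log_ph1established" in src:
            out["phase1_established"] = True
        if ev["level"] == "ERROR" and ("quick" in src or "ph2" in src):
            out["phase2_failed"] = True
        m = re.search(r'"(\w+)" it is obsoleted\.\s+use "(\w+)"', msg)
        if m:
            out["obsolete"].append((m.group(1), m.group(2)))
        m = re.search(r"no policy found:(.*?) proto=(\w+) dir=(\w+)", msg)
        if m:
            out["no_policy"] = {"selector": m.group(1).strip(),
                                "proto": m.group(2), "dir": m.group(3)}
    return out

# Constructed sample in the post's format; 192.0.2.x are placeholder addresses.
SAMPLE = """\
2004-05-18 18:36:43: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:67: "support_mip6" it is obsoleted.
use "support_proxy".
2004-05-18 18:36:53: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.0.2.1[500]-192.0.2.2[500]
2004-05-18 18:36:53: ERROR: isakmp_quick.c:2030:get_proposal_r(): no
policy found: 192.0.2.2/32[0] 192.0.2.1/32[0] proto=any dir=in
2004-05-18 18:36:53: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to
pre-process packet.
"""
```

Run diagnose(parse_racoon_log(SAMPLE)) on a real capture (or pipe racoon -F output into it) to get the selector and direction that the SPD on that box must contain.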
