From owner-freebsd-questions@FreeBSD.ORG Wed Sep 24 13:41:44 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0949616A4B3 for ; Wed, 24 Sep 2003 13:41:44 -0700 (PDT)
Received: from transit.bitstream.net (transit.bitstream.net [216.243.134.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id 02FBC43FF3 for ; Wed, 24 Sep 2003 13:41:39 -0700 (PDT) (envelope-from efk@bitstream.net)
Received: (from hump@localhost) by transit.bitstream.net (8.11.2/8.11.2) id h8OKfZO15599; Wed, 24 Sep 2003 15:41:35 -0500
X-Authentication-Warning: transit.bitstream.net: hump set sender to efk@bitstream.net using -f
Date: Wed, 24 Sep 2003 15:41:35 -0500
From: Eric Humphries
To: freebsd-questions@freebsd.org
Message-ID: <20030924204135.GA15196@bitstream.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
cc: efk@bitstream.net
Subject: racoon/tunnel problems
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 24 Sep 2003 20:41:44 -0000

I've attempted to set up a VPN between two of my FreeBSD boxes, and while everything appeared to go fine, something I've done just isn't working. I'm looking for an ESP/tunnel so I can connect my home network to my work network. Here is all the (I think) relevant information:

http://marley.bitstream.net/~hump/racoonwoes.txt

If you need more info, let me know; however, I'm stuck.

Both machines are FreeBSD 5.1-RELEASE boxes, with a fresh copy of racoon built last night from current ports. When I try to ping the local address on the other host I get "No route to host" errors.

I put the remote host in the foreground with "racoon -F -v -f /path/to/config/racoon.conf" so I can watch what's going on.

Foreground mode:
2003-09-24 14:53:09: INFO: main.c:172:main(): @(#)package version freebsd-20030711a
2003-09-24 14:53:09: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2003-09-24 14:53:09: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7b 10 Apr 2003 (http://www.openssl.org/)
2003-09-24 14:53:09: INFO: isakmp.c:1358:isakmp_open(): 10.10.10.1[500] used as isakmp port (fd=5)
2003-09-24 14:53:09: INFO: isakmp.c:1358:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
2003-09-24 14:53:09: INFO: isakmp.c:1358:isakmp_open(): 1.2.3.136[500] used as isakmp port (fd=7)

So far so good, now I'll try pinging the remote IP address. Locally:

eric# ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.10.10.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

And racoon on the remote host displays the following when I start the ping:

2003-09-24 14:53:56: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.2.3.136[500]<=>5.6.7.34[500]
2003-09-24 14:53:56: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
2003-09-24 14:53:56: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2003-09-24 14:53:57: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:53:57: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 1.2.3.136[0]<=>5.6.7.34[0]
2003-09-24 14:53:57: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 5.6.7.34->1.2.3.136 spi=127877288(0x79f40a8)
2003-09-24 14:53:57: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.136->5.6.7.34 spi=262084508(0xf9f179c)

When I stop everything, it then cleans up after itself:

2003-09-24 14:55:34: INFO: isakmp.c:1049:isakmp_ph2begin_r(): respond new phase 2 negotiation: 1.2.3.136[0]<=>5.6.7.34[0]
2003-09-24 14:55:35: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 5.6.7.34->1.2.3.136 spi=259247885(0xf73cf0d)
2003-09-24 14:55:35: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.136->5.6.7.34 spi=101275198(0x609563e)
2003-09-24 14:55:57: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:55:57: INFO: isakmp.c:1600:isakmp_ph2expire(): phase2 sa expired 1.2.3.136-5.6.7.34
2003-09-24 14:55:58: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:55:58: INFO: isakmp.c:1631:isakmp_ph2delete(): phase2 sa deleted 1.2.3.136-5.6.7.34

I know there is something I'm missing. I've yet to have a working VPN with racoon (which is probably obvious), but it's hard to dig in further when it doesn't work. ;)

If you're having formatting problems with my email, go here:

http://marley.bitstream.net/~hump/freebsd-questions.txt

for an online web copy that you can view in your browser.
HOSTa uname -a:
FreeBSD maryj.somedomain.net 5.1-RELEASE-p3 FreeBSD 5.1-RELEASE-p3 #0: Tue Sep 23 22:30:39 CDT 2003 efk@maryj.somedomain.net:/usr/src/sys/i386/compile/VPN2 i386

HOSTb uname -a:
FreeBSD eric.someotherdomain.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Wed Sep 24 00:29:20 CDT 2003 efk@eric.someotherdomain.net:/usr/src/sys/i386/compile/VPN i386

Thanks in advance,
Eric
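Editor's addition, placed after Eric's mail and not part of it or of the racoon code. The responder-side log he pasted already answers the IKE half of the question: phase 1 completes in aggressive mode (after the pre-shared key is found by the peer's address rather than by identifier), ESP tunnel-mode SAs come up in both directions, a rekey follows, and everything expires cleanly. Replaying racoon's log into a small state machine makes that reading mechanical, which is a cheap first check before going after setkey and the routing table. The Python below is such a parser: the regexes follow the message texts visible in the quoted log, the sample lines are constructed from the ones in the post (with the sanitised addresses 1.2.3.136 and 5.6.7.34 exactly as Eric wrote them, the log being taken from 1.2.3.136's point of view), and the finding codes and the readings attached to them are this example's own, not racoon's.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# racoon line layout: "YYYY-MM-DD HH:MM:SS: LEVEL: file.c:NNN:func(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): "
    r"(?P<src>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$"
)
ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"  # dotted quad; IPv6 peers would need a wider pattern
PH1_EST = re.compile(rf"ISAKMP-SA established (?P<a>{ADDR})\[\d+\]-(?P<b>{ADDR})\[\d+\] spi:(?P<spi>\S+)")
PH1_END = re.compile(rf"ISAKMP-SA (?:expired|deleted) (?P<a>{ADDR})\[\d+\]-(?P<b>{ADDR})\[\d+\] spi:(?P<spi>\S+)")
PH1_MODE = re.compile(r"begin (?P<mode>Aggressive|Identity Protection) mode")
PSK_FALLBACK = re.compile(r"couldn't find the proper pskey")
PH2_EST = re.compile(rf"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Tunnel|Transport) "
                     rf"(?P<src>{ADDR})->(?P<dst>{ADDR}) spi=(?P<spi>\d+)")
PH2_END = re.compile(rf"phase2 sa (?:expired|deleted) (?P<a>{ADDR})-(?P<b>{ADDR})")


@dataclass
class IpsecSa:
    proto: str   # ESP or AH
    mode: str    # Tunnel or Transport
    spi: int
    since: str   # timestamp of the "IPsec-SA established" line


@dataclass
class RacoonState:
    phase1: Dict[str, Tuple[str, str]] = field(default_factory=dict)      # ISAKMP cookies -> peer pair
    phase2: Dict[Tuple[str, str], IpsecSa] = field(default_factory=dict)  # (src, dst) -> newest SA
    phase1_modes: List[str] = field(default_factory=list)
    psk_fallbacks: int = 0
    unparsed: List[str] = field(default_factory=list)


def parse_racoon_log(lines) -> RacoonState:
    """Replay racoon log lines and return the SA state at the end of them."""
    st = RacoonState()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            st.unparsed.append(line)
            continue
        ts, msg = m["ts"], m["msg"]
        if e := PH1_EST.search(msg):
            st.phase1[e["spi"]] = (e["a"], e["b"])
        elif e := PH1_END.search(msg):
            st.phase1.pop(e["spi"], None)   # "expired" and "deleted" both arrive; pop is idempotent
        elif e := PH1_MODE.search(msg):
            st.phase1_modes.append(e["mode"])
        elif PSK_FALLBACK.search(msg):
            st.psk_fallbacks += 1
        elif e := PH2_EST.search(msg):
            # a rekey logs a fresh pair of SAs for the same peers; keep the newest per direction
            st.phase2[(e["src"], e["dst"])] = IpsecSa(e["proto"], e["mode"], int(e["spi"]), ts)
        elif e := PH2_END.search(msg):
            peers = {e["a"], e["b"]}
            for key in [k for k in st.phase2 if set(k) == peers]:
                del st.phase2[key]
    return st


def tunnel_up(st: RacoonState, local: str, remote: str) -> bool:
    """True when an ESP tunnel-mode SA exists in both directions between local and remote."""
    return all(
        k in st.phase2 and st.phase2[k].proto == "ESP" and st.phase2[k].mode == "Tunnel"
        for k in ((remote, local), (local, remote))
    )


def diagnose(st: RacoonState, local: str, remote: str) -> List[str]:
    """Reduce the parsed state to finding codes; the comments give each code's reading."""
    codes = []
    if "Aggressive" in st.phase1_modes:
        # Aggressive mode with a PSK sends the responder's PSK-keyed hash in the clear, so an
        # observer can brute-force the key offline; main mode ("Identity Protection") does not.
        codes.append("AGGRESSIVE_MODE")
    if st.psk_fallbacks:
        # racoon found no psk.txt entry for the peer's identifier and fell back to its address.
        codes.append("PSK_LOOKUP_FELL_BACK_TO_ADDRESS")
    if tunnel_up(st, local, remote):
        # IKE and IPsec negotiated fine; a "No route to host" on the initiator is raised by its
        # own kernel and points at that host's routing table / SPD for the inner addresses.
        codes.append("TUNNEL_UP")
    elif st.phase1:
        codes.append("PHASE1_ONLY")   # ISAKMP SA alive but no ESP tunnel SAs: phase 2 failed or expired
    else:
        codes.append("NO_SA")
    return codes


# Constructed sample: the responder-side lines quoted in the post, in their original order.
SAMPLE_LOG = """\
2003-09-24 14:53:56: INFO: isakmp.c:894:isakmp_ph1begin_r(): respond new phase 1 negotiation: 1.2.3.136[500]<=>5.6.7.34[500]
2003-09-24 14:53:56: INFO: isakmp.c:899:isakmp_ph1begin_r(): begin Aggressive mode.
2003-09-24 14:53:56: NOTIFY: oakley.c:2040:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2003-09-24 14:53:57: INFO: isakmp.c:2412:log_ph1established(): ISAKMP-SA established 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:53:57: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 5.6.7.34->1.2.3.136 spi=127877288(0x79f40a8)
2003-09-24 14:53:57: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.136->5.6.7.34 spi=262084508(0xf9f179c)
2003-09-24 14:55:35: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 5.6.7.34->1.2.3.136 spi=259247885(0xf73cf0d)
2003-09-24 14:55:35: INFO: pfkey.c:1357:pk_recvadd(): IPsec-SA established: ESP/Tunnel 1.2.3.136->5.6.7.34 spi=101275198(0x609563e)
2003-09-24 14:55:57: INFO: isakmp.c:1516:isakmp_ph1expire(): ISAKMP-SA expired 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:55:57: INFO: isakmp.c:1600:isakmp_ph2expire(): phase2 sa expired 1.2.3.136-5.6.7.34
2003-09-24 14:55:58: INFO: isakmp.c:1564:isakmp_ph1delete(): ISAKMP-SA deleted 1.2.3.136[500]-5.6.7.34[500] spi:0bd222feeabce882:e023df163786922d
2003-09-24 14:55:58: INFO: isakmp.c:1631:isakmp_ph2delete(): phase2 sa deleted 1.2.3.136-5.6.7.34
""".splitlines()

if __name__ == "__main__":
    state = parse_racoon_log(SAMPLE_LOG[:6])   # state just after the first phase 2 completes
    print(tunnel_up(state, "1.2.3.136", "5.6.7.34"), diagnose(state, "1.2.3.136", "5.6.7.34"))
```

Run against the first six quoted lines it reports the tunnel up, against the whole log it reports no SAs left, which is exactly the "cleans up after itself" sequence. Two of the codes are worth acting on regardless of the routing problem: the aggressive-mode exchange, which with a pre-shared key is crackable offline by anyone who captured the handshake, and the pskey fallback, which means the psk.txt entry is keyed by something other than the identifier the peer actually sends.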