Date: Mon, 28 Jul 2008 16:10:51 +0200
From: Torbjørn <torbjorn@nextline.no>
To: FreeBSD-questions@FreeBSD.org
Subject: Racoon not identifying host specified in config file
Message-ID: <488DD36B.8000300@nextline.no>
Hello, everyone ..

Some quick information about the software in use:

    Jul 28 15:51:42 fw0 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
    Jul 28 15:51:42 fw0 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)

I'm having a problem with my IPSec configuration. On one side, everything works out pretty nicely. On the other side, racoon is making bad noises about not finding a correct configuration: "ERROR: couldn't find configuration."

However, if I kill racoon and run it in the foreground with debug output on, I get some more information.

    2008-07-16 16:06:27: DEBUG: ===
    2008-07-16 16:06:27: DEBUG: 100 bytes message received from 81.167.211.58[57413] to 85.200.211.69[500]
    2008-07-16 16:06:27: DEBUG:
    ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
    00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
    80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
    77570100
    2008-07-16 16:06:27: DEBUG: no remote configuration found.
    2008-07-16 16:06:27: ERROR: couldn't find configuration.

The configuration is pretty straightforward.
    # cat racoon.conf
    path pre_shared_key "/var/etc/psk.txt";
    path certificate "/var/etc";

    remote 81.167.211.58 {
            exchange_mode main;
            my_identifier address "85.200.211.69";
            peers_identifier address 81.167.211.58;
            initial_contact on;
            support_proxy on;
            proposal_check obey;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 2400 secs;
            }
            lifetime time 2400 secs;
    }

    sainfo address 85.200.211.64/29 any address 192.168.100.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 1200 secs;
    }

Here is the weird thing: if I change that remote stanza to read

    remote anonymous { blah; }

then everything works out nicely; racoon even tells me it uses the anonymous stanza for that correct IP.

    2008-07-16 16:11:06: DEBUG: anonymous configuration selected for 81.167.211.58.

So, to me this seems really odd: how come racoon isn't picking up that stanza when configured for that specified IP? Using the remote stanza is not what I really want ..

So, does anyone have any ideas on what is going on here? Using tcpdump I can see that it is in fact 81.167.211.58 that is coming through to racoon, on port 500/UDP.

Thanks for a great product, by the way.

--
Torbjørn / Nextline
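As an added illustration (not code from the original post or from ipsec-tools), here is a small Python decoder for the 100-byte ISAKMP message racoon printed in the debug output above; it walks the header and payload chain and shows that the peer is opening a main-mode exchange with one transform (3DES, SHA1, pre-shared key, DH group 2, 1200-second lifetime) followed by a vendor ID payload. The function names, the ATTRS table and the DPD vendor-ID note are mine, not racoon's.

```python
import struct

# The 100-byte ISAKMP message exactly as racoon's debug output printed it in the post.
DUMP = ("ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034 "
        "00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0 "
        "80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc "
        "77570100")

PAYLOAD_SA, PAYLOAD_VID = 1, 13            # ISAKMP payload types (RFC 2408)
EXCHANGE = {2: "main", 4: "aggressive"}    # exchange type field of the header
# IKEv1 phase-1 attribute classes (RFC 2409 appendix A); only values seen in the dump are named.
ATTRS = {1: ("encryption", {5: "3des"}), 2: ("hash", {2: "sha1"}),
         3: ("auth", {1: "pre_shared_key"}), 4: ("dh_group", {}),
         11: ("life_type", {1: "seconds"}), 12: ("life_duration", {})}

def parse_attributes(body):
    """Decode the TV/TLV data attributes of one phase-1 transform into a dict."""
    out, off = {}, 0
    while off < len(body):
        atype, val = struct.unpack(">HH", body[off:off + 4])
        off += 4
        if not atype & 0x8000:             # TLV form: 'val' is the length of the value that follows
            val, off = int.from_bytes(body[off:off + val], "big"), off + val
        name, names = ATTRS.get(atype & 0x7fff, (str(atype & 0x7fff), {}))
        out[name] = names.get(val, val)
    return out

def parse_isakmp(hexdump):
    """Parse the ISAKMP header and walk the payload chain of a phase-1 first message."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    icky, rcky, np, _ver, xchg, _flags, _msgid, length = struct.unpack(">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header says %d bytes, %d present" % (length, len(data)))
    msg = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
           "exchange": EXCHANGE.get(xchg, xchg), "transforms": [], "vendor_ids": []}
    off = 28
    while np:                              # a next-payload type of 0 ends the chain
        np_next, _, plen = struct.unpack(">BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        if np == PAYLOAD_SA:
            prop = body[8:]                # skip DOI and situation; the proposal payload follows
            toff = 8 + prop[6]             # proposal header (8 bytes) plus SPI of spi_size bytes
            for _ in range(prop[7]):       # prop[7] is the number of transforms
                tlen = struct.unpack(">H", prop[toff + 2:toff + 4])[0]
                msg["transforms"].append(parse_attributes(prop[toff + 8:toff + tlen]))
                toff += tlen
        elif np == PAYLOAD_VID:            # afcad713...0100 is the RFC 3706 dead-peer-detection VID
            msg["vendor_ids"].append(body.hex())
        off, np = off + plen, np_next
    return msg

if __name__ == "__main__":
    for key, value in parse_isakmp(DUMP).items():
        print(key, value)
```

Among other things the decoder shows the peer proposing a 1200-second phase-1 lifetime against the 2400 seconds in the remote stanza above, and that the exchange type matches the stanza's exchange_mode main.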
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?488DD36B.8000300>