From owner-freebsd-questions@FreeBSD.ORG Mon Jul 28 14:32:46 2008
Message-ID: <488DD36B.8000300@nextline.no>
Date: Mon, 28 Jul 2008 16:10:51 +0200
From: Torbjørn
To: FreeBSD-questions@FreeBSD.org
Subject: Racoon not identifying host specified in config file

Hello, everyone ..

Some quick information about the software in use:

Jul 28 15:51:42 fw0 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Jul 28 15:51:42 fw0 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)

I'm having a problem with my IPSec configuration. On one side, everything works out pretty nice. On the other side, racoon is making bad noises about not finding a correct configuration.

"ERROR: couldn't find configuration."

However, if I kill racoon, and run it in the foreground with debug output on, I get some more information.
2008-07-16 16:06:27: DEBUG: ===
2008-07-16 16:06:27: DEBUG: 100 bytes message received from 81.167.211.58[57413] to 85.200.211.69[500]
2008-07-16 16:06:27: DEBUG:
ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2008-07-16 16:06:27: DEBUG: no remote configuration found.
2008-07-16 16:06:27: ERROR: couldn't find configuration.

The configuration is pretty straightforward.

# cat racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

remote 81.167.211.58 {
        exchange_mode main;
        my_identifier address "85.200.211.69";
        peers_identifier address 81.167.211.58;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 2400 secs;
        }
        lifetime time 2400 secs;
}

sainfo address 85.200.211.64/29 any address 192.168.100.0/24 any {
        encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
        lifetime time 1200 secs;
}

Here is the weird thing; if I change that remote stanza to read

remote anonymous {
        blah;
}

then everything works out nice, racoon even tells me it uses the anonymous stanza for that correct IP.

2008-07-16 16:11:06: DEBUG: anonymous configuration selected for 81.167.211.58.

So, to me this seems really odd, how come racoon isn't picking up that stanza when configured for that specified IP? Using the remote stanza is not what I really want ..

So, does anyone have any ideas on what is going on here? Using tcpdump I can see that it is in fact 81.167.211.58 that is coming through to racoon, on port 500/UDP.

Thanks for a great product, by the way.

-- 
Torbjørn / Nextline
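An added example, not part of Torbjørn's mail or of ipsec-tools: a small Python decoder for the 100-byte ISAKMP message that racoon logged above, so the phase-1 proposal the peer is sending can be read directly from the hex dump. Payload and attribute numbers follow RFC 2408/2409 and the vendor ID prefix is the DPD one from RFC 3706; the SA parser assumes one proposal with one transform and a zero-length SPI, which is what this dump contains.

```python
import struct

# Hex words copied from the racoon debug output above (100-byte IKEv1 message).
HEX_DUMP = ("ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 "
            "0d000034 00000001 00000001 00000028 01010001 00000020 01010000 "
            "800b0001 800c04b0 80010005 80030001 80020002 80040002 00000014 "
            "afcad713 68a1f1c9 6b8696fc 77570100")

EXCHANGE = {2: "main mode (identity protection)", 4: "aggressive mode"}
# Phase-1 SA attribute types (RFC 2409 appendix A); only values relevant here are named.
ATTR = {1: ("encryption", {5: "3des-cbc", 7: "aes-cbc"}),
        2: ("hash", {1: "md5", 2: "sha1"}),
        3: ("auth", {1: "pre_shared_key", 3: "rsasig"}),
        4: ("dh_group", {1: "modp768", 2: "modp1024", 14: "modp2048"}),
        11: ("life_type", {1: "seconds", 2: "kilobytes"}),
        12: ("life_duration", {})}
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc7757")   # RFC 3706 DPD vendor ID prefix

def parse_isakmp(data):
    """Decode the ISAKMP header, the first phase-1 transform and any vendor IDs."""
    icky, rcky, np, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header says %d bytes, got %d" % (length, len(data)))
    info = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "version": "%d.%d" % (ver >> 4, ver & 0xf),
            "exchange": EXCHANGE.get(xchg, str(xchg)), "attrs": {}, "vendor_ids": []}
    off = 28
    while np != 0 and off + 4 <= len(data):          # walk the generic payload chain
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        if np == 1:   # SA: DOI(4) situation(4) proposal hdr(8, SPI size 0) transform hdr(8)
            attrs = body[24:]
            while len(attrs) >= 4:
                atype, aval = struct.unpack("!HH", attrs[:4])
                if atype & 0x8000:                     # basic attribute, 2-byte value
                    val, attrs = aval, attrs[4:]
                else:                                  # TLV attribute, aval is the length
                    val, attrs = int.from_bytes(attrs[4:4 + aval], "big"), attrs[4 + aval:]
                name, names = ATTR.get(atype & 0x7fff, (str(atype & 0x7fff), {}))
                info["attrs"][name] = names.get(val, val)
        elif np == 13:                                 # Vendor ID payload
            info["vendor_ids"].append("DPD" if body.startswith(DPD_VID) else body.hex())
        np, off = nxt, off + plen
    return info

def decode_logged_message():
    """Parse the message from the mail: expect 3DES/SHA1/PSK/DH2 main mode plus DPD."""
    return parse_isakmp(bytes.fromhex(HEX_DUMP.replace(" ", "")))
```

Decoded this way, the peer proposes exactly the 3des / sha1 / pre_shared_key / dh_group 2 set from the remote block (with a 1200-second lifetime rather than 2400, which proposal_check obey accepts), which fits the "no remote configuration found" message: racoon gives up on selecting a remote block before it ever compares proposals.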