LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-04-2008, 10:31 AM   #1
robalba
LQ Newbie
 
Registered: Dec 2008
Posts: 1

Rep: Reputation: 0
Question Linux to cisco IPsec problems using Racoon.


We are trying to connect a linux server to a cisco router with ipsec using Racoon. We see the tunnel is established and from the cisco side we see packets coming in and ou but they are not making it to the linux serve. Here is the output from the cisco side.

local ident (addr/mask/prot/port): (xx/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (xx/255.255.255.255/0/0)
current_peer xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 131, #pkts encrypt: 131, #pkts digest: 131
#pkts decaps: 188, #pkts decrypt: 188, #pkts verify: 188
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xx, remote crypto endpt.: xx
path mtu 1500, ip mtu 1500
current outbound spi: 0xBE7F6BD(199751357)

inbound esp sas:
spi: 0x3180D2BE(830526142)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2017, flow_id: SW:17, crypto map: VPNPROD
sa timing: remaining key lifetime (k/sec): (4411488/3445)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xBE7F6BD(199751357)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: SW:10, crypto map: VPNPROD
sa timing: remaining key lifetime (k/sec): (4411495/3445)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

We want to enable packet logging on our side as the other side is limited to what they can do to troubleshoot this but the command we have tried to turn logging on seems to not be working. (see below). Apparently the more -d's you have the more logging you get out of it.

It is not logging the packets but does show the tunnel being estabalished. Once the tunnel is estabalished the logging stops.

racoon -d -d -d -d -v -f /etc/racoon/racoon.conf -l /var/log/racoon.log

I guess getting the logging to continue after the tunnel is up would show why traffic is not flowing in the turnnel.

Here is the linux racoon.conf



# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;

listen { isakmp xxx.xxx.xxx.xx ; }


remote xxx.xxx.xxx.xx {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo address xxx.xxx.xxx.xx any address xxx.xxx.xxx.xx any {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

Setkey.conf

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;


# Create policies for racoon
spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P out ipsec
esp/tunnel/ xxx.xxx.xxx.xx - xxx.xxx.xxx.xx /require;

spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P in ipsec
esp/tunnel/ xxx.xxx.xxx.xx - xxx.xxx.xxx.xx /require;

psk.txt

xxx.xxx.xxx.xxx key
 
Old 12-05-2008, 08:25 AM   #2
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,231
Blog Entries: 5

Rep: Reputation: 189Reputation: 189
I'm going to request a relocation of your topic to the Networking forum, where it will get better exposure to those that might be able to assist.
 
Old 12-05-2008, 03:43 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,965
Blog Entries: 11

Rep: Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865Reputation: 865
Moved: This thread is more suitable in <Linux-neworking> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  


Reply

Tags
centos5, ipsec, linux, vpn, vpnclient


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Remote Access VPN with Racoon to Cisco ASA kuksi Linux - Security 1 07-19-2008 12:27 AM
IPSec w/ RHEL4- Racoon throwing error messages s0n|k Linux - Security 2 03-30-2007 04:34 PM
racoon as a server to Cisco VPN client etzvetanov Linux - Networking 0 02-01-2007 07:08 AM
Need help creating an IPSec/Racoon script s0n|k Linux - Networking 0 01-19-2007 09:09 AM
IPsec : Problem with racoon HaPagan Linux - Security 1 11-30-2005 12:23 AM


All times are GMT -5. The time now is 10:37 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration