LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-04-2008, 10:31 AM   #1
robalba
Linux to cisco IPsec problems using Racoon.


We are trying to connect a linux server to a cisco router with ipsec using Racoon. We see the tunnel is established and from the cisco side we see packets coming in and out but they are not making it to the linux server. Here is the output from the cisco side.

local ident (addr/mask/prot/port): (xx/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (xx/255.255.255.255/0/0)
current_peer xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 131, #pkts encrypt: 131, #pkts digest: 131
#pkts decaps: 188, #pkts decrypt: 188, #pkts verify: 188
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xx, remote crypto endpt.: xx
path mtu 1500, ip mtu 1500
current outbound spi: 0xBE7F6BD(199751357)

inbound esp sas:
spi: 0x3180D2BE(830526142)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2017, flow_id: SW:17, crypto map: VPNPROD
sa timing: remaining key lifetime (k/sec): (4411488/3445)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xBE7F6BD(199751357)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2010, flow_id: SW:10, crypto map: VPNPROD
sa timing: remaining key lifetime (k/sec): (4411495/3445)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

We want to enable packet logging on our side as the other side is limited to what they can do to troubleshoot this but the command we have tried to turn logging on seems to not be working. (see below). Apparently the more -d's you have the more logging you get out of it.

It is not logging the packets but does show the tunnel being established. Once the tunnel is established the logging stops.

racoon -d -d -d -d -v -f /etc/racoon/racoon.conf -l /var/log/racoon.log

I guess getting the logging to continue after the tunnel is up would show why traffic is not flowing in the tunnel.

Here is the linux racoon.conf



# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;

listen { isakmp xxx.xxx.xxx.xx ; }


remote xxx.xxx.xxx.xx {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address xxx.xxx.xxx.xx any address xxx.xxx.xxx.xx any {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

Setkey.conf

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;


# Create policies for racoon
# Form: spdadd <src> <dst> <proto> -P <direction> ipsec <esp>/<mode>/<tunnel-src>-<tunnel-dst>/<level>;
spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P out ipsec
        esp/tunnel/xxx.xxx.xxx.xx-xxx.xxx.xxx.xx/require;

spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P in ipsec
        esp/tunnel/xxx.xxx.xxx.xx-xxx.xxx.xxx.xx/require;

psk.txt

xxx.xxx.xxx.xxx key
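Added example (not the poster's code and not part of ipsec-tools): racoon only negotiates IKE, which is why its log goes quiet once the tunnel is up; from then on ESP is handled by the kernel, so the kernel SAD is where to look. The script below checks a saved `setkey -D` dump against the two SPIs the Cisco printed above and reports each SA's byte counter; the addresses and the dump are constructed, and the setkey -D layout it parses is assumed.

```shell
#!/bin/sh
# Added example, not the poster's code. racoon only negotiates IKE; once the SAs
# are installed, ESP is handled by the kernel, so look at 'setkey -D' (the SAD),
# not racoon's log. This checks a saved dump against the SPIs the Cisco printed.
# Assumes ipsec-tools' setkey -D format; addresses and counters are constructed.

# norm_spi SPI: "0xBE7F6BD", "0x0be7f6bd" or "199751357" all become "be7f6bd"
norm_spi() {
    case "$1" in
        0x*|0X*) printf '%s\n' "${1#0[xX]}" | tr 'A-F' 'a-f' | sed 's/^0*\([0-9a-f]\)/\1/' ;;
        *)       printf '%x\n' "$1" ;;
    esac
}

# sad_field DUMP SRC DST spi|bytes: SPI (hex) or byte counter of the ESP SA SRC->DST
sad_field() {
    awk -v src="$2" -v dst="$3" -v f="$4" '
        /^[0-9]/ { cur = ($1 == src && $2 == dst) }      # "src dst" header opens one SA
        cur && f == "spi"   && /spi=[0-9]+\(0x/ { sub(/.*spi=[0-9]+\(0x/, ""); sub(/\).*/, ""); print }
        cur && f == "bytes" && /current: [0-9]+\(bytes\)/ { sub(/.*current: /, ""); sub(/\(bytes\).*/, ""); print }
    ' "$1"
}

# check_sas DUMP LINUX_IP CISCO_IP CISCO_INBOUND_SPI CISCO_OUTBOUND_SPI
# The Cisco's inbound SA is our outbound one (LINUX->CISCO) and vice versa.
check_sas() {
    rc=0
    for dir in out in; do
        if [ "$dir" = out ]; then s=$2; d=$3; want=$(norm_spi "$4"); else s=$3; d=$2; want=$(norm_spi "$5"); fi
        have=$(sad_field "$1" "$s" "$d" spi); bytes=$(sad_field "$1" "$s" "$d" bytes)
        if [ -z "$have" ]; then echo "$dir: no ESP SA $s->$d in the kernel SAD"; rc=1
        elif [ "$(norm_spi "0x$have")" != "$want" ]; then echo "$dir: SAD has spi 0x$have, Cisco expects 0x$want (stale SA?)"; rc=1
        elif [ "${bytes:-0}" -eq 0 ]; then echo "$dir: SA $s->$d spi 0x$have matches but has carried 0 bytes"
        else echo "$dir: SA $s->$d spi 0x$have ok, $bytes bytes"; fi
    done
    return $rc
}

# sample_sad: constructed setkey -D dump; the two SPIs are the ones from the Cisco output
sample_sad() {
    cat <<'EOF'
192.0.2.10 198.51.100.1
	esp mode=tunnel spi=830526142(0x3180d2be) reqid=0(0x00000000)
	current: 24064(bytes)	hard: 0(bytes)	soft: 0(bytes)
198.51.100.1 192.0.2.10
	esp mode=tunnel spi=199751357(0x0be7f6bd) reqid=0(0x00000000)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
EOF
}
```

On the Linux host, `setkey -D > sad.txt` and then `check_sas sad.txt <linux_ip> <cisco_ip> 0x3180D2BE 0xBE7F6BD` runs the comparison; an inbound SA that matches but never carries bytes means the Cisco's ESP is not reaching that SA, and `setkey -DP` shows the policies from setkey.conf in the same layout.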
 
Old 12-05-2008, 08:25 AM   #2
farslayer
I'm going to request a relocation of your topic to the Networking forum, where it will get better exposure to those that might be able to assist.
 
Old 12-05-2008, 03:43 PM   #3
Tinkster
Moderator
 
Moved: This thread is more suitable in <Linux-networking> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  


Tags
centos5, ipsec, linux, vpn, vpnclient