Old 01-17-2005, 07:23 AM   #1
Problems w. Racoon/Pluto Interoperability

Hi!

I've got a problem making a VPN connection between a Linux roadwarrior running KAME's racoon IKE daemon with the Linux kernel 2.6 IPsec stack and a gateway with a dynamic IP address using dyn DNS. The gateway is running FreeS/WAN 2.04 on a 2.4 kernel. It has been in production for a year and runs smoothly with Windows 2000 and XP roadwarriors. So I think the configuration of my Mandrake Linux 10.1 is the problem. On the client machine I'm also running a Windows XP installation from which I can connect to the VPN!

Here are the log messages of the client and the gateway when trying to establish a connection via an ICMP echo request from roadwarrior to gateway:

Roadwarrior racoon.log:
client: INFO: @(#)ipsec-tools 0.5-rc1 (<url removed because of forums spam check>)
client: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (<url removed because of forums spam check>)
2005-01-14 16:04:32: INFO:[500] used as isakmp port (fd=6)
client: INFO:[500] used as isakmp port (fd=7)
client: INFO: ::1[500] used as isakmp port (fd=8)
client: INFO: fe80::211:2fff:fe13:f3f%eth0[500] used as isakmp port (fd=9)
client: INFO: IPsec-SA request for <gateway's ip> queued due to no phase1 found.
client: INFO: initiate new phase 1 negotiation:[500]<=>[500]
client: INFO: begin Identity Protection mode.
client: INFO: ISAKMP-SA established[500]-<gateway's ip>[500] spi:bff1bb588fe6b88d:1b1fecc2d8ebf346
client: INFO: initiate new phase 2 negotiation:[0]<=>[0]
client: ERROR: pfkey UPDATE failed: Protocol not available
client: ERROR: pfkey ADD failed: Protocol not available

Those two last error messages make me wonder which protocol may be missing. The strange thing is that the FreeS/WAN server thinks the handshake was successful and says the IPsec SA has been established. In fact only phase 1 of IKE is successful.

Log of freeswan gateway:
gateway: "client-to-subnet_53"[1] #1: responding to Main Mode from unknown peer <clients router adress>
gateway: "client-to-subnet_53"[1] #1: Peer ID is ID_DER_ASN1_DN: <Zert_ASN_String>
gateway: "client-to-subnet_53"[1] #1: crl update is overdue since Nov 30 20:33:18 UTC 2004
gateway: "client-to-subnet_53"[1] #1: sent MR3, ISAKMP SA established
gateway: "client-to-subnet_53"[1] #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
gateway: "subnet-to-subnet_53"[1] #2: responding to Quick Mode
gateway: "subnet-to-subnet_53"[1] #2: IPsec SA established {ESP=>0x02552400 <0x20a747fa}
gateway: "client-to-subnet_53"[1] #1: received Delete SA payload: deleting ISAKMP State #1

I tried two different configurations for the ipsec-tools with:

./configure --enable-natt --enable-adminport --with-kernel-headers=/usr/src/linux- --enable-gssapi --enable-hybrid --enable-frag --enable-dpd --enable-samode-unspec
make install


make install

and still the same behaviour.

I also checked that all needed ciphers and protocols are supported by my kernel. Well, at least I think that I checked them all.
3des, md5, sha1;ipsec;rsasig;hmac
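One way to make that kernel-support check repeatable, as an added example that is not part of the original post: the script below compares the algorithm names from the racoon.conf proposal and sainfo blocks against a /proc/crypto listing (present on 2.6 kernels) and prints whatever is missing. The racoon-name to kernel-name mapping and the sample listing are assumptions constructed for the example; note that the sainfo's `compression_algorithm deflate` also needs the kernel's deflate algorithm (used by IPComp), which is easy to overlook when only ciphers and hashes are checked.

```shell
#!/bin/sh
# Added example (not from the post): list algorithms that racoon's proposals need
# but that are absent from a /proc/crypto listing.

# Map racoon.conf algorithm names to the kernel's /proc/crypto names (assumed mapping).
kernel_name() {
    case "$1" in
        3des)      echo des3_ede ;;
        hmac_md5)  echo md5 ;;
        hmac_sha1) echo sha1 ;;
        deflate)   echo deflate ;;
        *)         echo "$1" ;;
    esac
}

# missing_algos PROC_CRYPTO_FILE ALGO...
# Prints, one per line, each algorithm not found in the listing.
missing_algos() {
    listing=$1; shift
    for algo in "$@"; do
        kname=$(kernel_name "$algo")
        if ! grep -q "^name *: $kname\$" "$listing"; then
            echo "$algo"
        fi
    done
}

# Constructed sample mimicking /proc/crypto on a kernel without deflate support.
SAMPLE_PROC_CRYPTO=$(mktemp)
cat > "$SAMPLE_PROC_CRYPTO" <<'EOF'
name         : des3_ede
driver       : des3_ede-generic
module       : kernel
type         : cipher

name         : md5
driver       : md5-generic
module       : kernel
type         : digest

name         : sha1
driver       : sha1-generic
module       : kernel
type         : digest
EOF

# Usage with the algorithms from the post's proposal and sainfo blocks;
# on the sample listing this prints "deflate".
missing_algos "$SAMPLE_PROC_CRYPTO" 3des md5 hmac_md5 deflate
```

On a live client, run `missing_algos /proc/crypto 3des md5 hmac_md5 deflate` instead of the sample file. An empty result only shows that the algorithms are present; whether the ESP and IPComp protocol handlers themselves are built in or loaded as modules is a separate question that this listing does not answer.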

I append the racoon and setkey config for further info:

setkey policies:
spdadd any -P out ipsec
esp/tunnel/<gateway's ip>/require;
spdadd any -P in ipsec
esp/tunnel/<gateway's ip>-;

path certificate "/etc/ssl/canorisCA";

remote <gateway's ip> {
	exchange_mode main;

	certificate_type x509 "zertificate-file" "decrypted_private_key_file";
	verify_cert on;
	verify_identifier on;
	my_identifier asn1dn;
	peers_identifier asn1dn "<asn1 zert id>";

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method rsasig;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 2;
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}

As you can see I'm using X.509 certificates for authentication. Just to rule out the certs as the problem:
they are the same ones I use for the VPN connection on my Windows XP installation. And phase 1 of IKE is successful. Something with the handshaking of the ESP encryption goes wrong, I think. Maybe there are some other points to deal with when interoperating FreeS/WAN and KAME?

Help is very appreciated.

Thanks in advance.


P.S. Is there an elegant way to specify a gateway with a DNS name, because the IP changes at least once a day? Or do I have to write a shell script that gets the current IP, rewrites my config and restarts everything?
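The "resolve, rewrite, restart" approach from the P.S., as an added example that is not part of the original post: the script resolves the gateway's dynamic DNS name, rewrites the address in both racoon.conf and the setkey policy file, and restarts only when the address actually changed. The file paths, the state file, the restart commands and the sample configs are assumptions constructed for the example; addresses come from the documentation ranges, not from the post.

```shell
#!/bin/sh
# Added example (not from the post): keep the gateway address in racoon.conf and the
# setkey policy file in sync with a dynamic DNS name, restarting only on change.

# Resolve a DNS name to its first IPv4 address (needs network access; not run below).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# replace_ip FILE OLD_IP NEW_IP
# Rewrites every occurrence of OLD_IP in FILE with NEW_IP.
# Returns 0 if the file changed, 1 if OLD_IP did not occur in it.
replace_ip() {
    file=$1; old=$2; new=$3
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # escape dots for the regex
    grep -q "$old_re" "$file" || return 1
    sed "s/$old_re/$new/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# update_gateway NAME RACOON_CONF SETKEY_CONF STATE_FILE
# STATE_FILE holds the address currently written into the configs; seed it once
# with the address the configs contain. Restart commands are assumptions.
update_gateway() {
    name=$1; racoon_conf=$2; setkey_conf=$3; state=$4
    new=$(resolve_ipv4 "$name")
    [ -n "$new" ] || { echo "could not resolve $name" >&2; return 2; }
    old=$(cat "$state" 2>/dev/null)
    [ -n "$old" ] || { echo "seed $state with the address currently in the configs" >&2; return 2; }
    [ "$old" = "$new" ] && return 1          # unchanged: nothing to do
    replace_ip "$racoon_conf" "$old" "$new"
    replace_ip "$setkey_conf" "$old" "$new"
    echo "$new" > "$state"
    setkey -f "$setkey_conf"                 # reload the policies (assumed: file starts with flush; spdflush;)
    /etc/init.d/racoon restart               # assumed init script name
}

# Constructed demo: config fragments pointing at the old gateway address.
DEMO_DIR=$(mktemp -d)
printf 'remote 198.51.100.10 {\n\texchange_mode main;\n}\n' > "$DEMO_DIR/racoon.conf"
printf 'spdadd 192.0.2.5 10.0.0.0/24 any -P out ipsec\n\tesp/tunnel/192.0.2.5-198.51.100.10/require;\n' \
    > "$DEMO_DIR/setkey.conf"

# Usage: the address changed from .10 to .20; both files are rewritten.
replace_ip "$DEMO_DIR/racoon.conf" 198.51.100.10 198.51.100.20
replace_ip "$DEMO_DIR/setkey.conf" 198.51.100.10 198.51.100.20
cat "$DEMO_DIR/racoon.conf" "$DEMO_DIR/setkey.conf"
```

On the real system the entry point is `update_gateway gateway.example.dyndns-name /etc/racoon/racoon.conf /etc/racoon/setkey.conf /var/run/vpn-gateway.ip` from cron or a DNS-change hook. Because the setkey policies embed the same address as the racoon `remote` block, both files must be rewritten together; the state file avoids a needless restart (and the resulting phase 1 renegotiation) when the resolved address is unchanged.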

