Old 10-24-2014, 01:08 AM   #1
LQ Newbie
Registered: Mar 2007
Location: Virginia, USA
Distribution: OpenSuSE & Gentoo (Primarily)
Posts: 15

Rep: Reputation: 2
Question Troubleshooting INET Routing - Linux IPsec (Racoon) HQ to Cisco Router Remote Site

I have two devices. I have a Cisco 29xx series router with datak9 and securityk9 enabled. I also have a Linux machine acting as a server at the main location running shorewall.

I am trying to configure the remote location (with the Cisco router) to connect to the Linux server in order to communicate across the two LAN segments. I also would like to have all internet traffic routed from the remote location through the main location and through a firewall.

I modified /etc/iproute2/rt_tables and added a separate line with: 1002 IPsec and configured an IP route and ip rules for this new table so that the IPsec traffic should use it.

#Configure IP Rules for Remote
ip rule add from table 1002

#Configure IP Routes for Remote
ip route add default via dev eth0 table 1002

I am seeing the traffic go from the network through the tunnel, out to the HQ router and out to the internet, but when I do a tcpdump -i any, I see duplicate packets with the same sequence number. I can also ping and traceroute, but I cannot get internet traffic working. If I set up the Linux server to NAT the traffic out of its eth1 interface, internet works, but with a lot of latency due to a bunch of RESET packets being sent.

Basic Topology Diagram: VPN_Connection.pdf

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.key";
log notify; # log verbosity: 'notify' once debugging is complete, 'debug2' while debugging

padding {
    maximum_length 20;
    randomize   off;
    strict_check off;
    exclusive_tail off;
}

timer {
    counter 5;
    interval 20 sec;
    persend 1;
    #natt_keep 15 sec;
    phase1      30 sec;
    phase2      15 sec;
}

remote <peer-address> {   # the peer address was not preserved in the post; placeholder
    exchange_mode       aggressive,main;
    my_identifier address;
    peers_identifier address;
    nat_traversal off;
    initial_contact on;
    #script "/etc/racoon/" phase1_up;
    #script "/etc/racoon/" phase1_down;
    # Phase 1
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

#phase 2
sainfo anonymous {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
Code:  SecretKeyHere
#!/sbin/setkey -f

#Exception - HQ Internet IP Range
spdadd any -P in none;
spdadd any -P out none;

#Exception - Remote Internet IP Range
spdadd any -P in none;
spdadd any -P out none;

#Exception - Remote Subnet IP Range
spdadd any -P in none;
spdadd any -P out none;

#Default Route - To HQ
spdadd any -P in ipsec esp/tunnel/;
spdadd any -P out ipsec esp/tunnel/;
What further troubleshooting steps should I take? Is there anything specific that would cause this type of behavior?
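One way to make sense of the "duplicate packets" seen with tcpdump -i any, as an added diagnostic that is not part of the original post or any of the tools it mentions. On a Linux box doing policy-based IPsec and forwarding, the same packet is legitimately seen more than once: once per interface it crosses (in on one side, out on the other, or in and out on the same interface when remote-site internet traffic hairpins through the HQ WAN link), and an inbound ESP packet is followed by its decrypted copy. What should not happen is the same packet, same interface, same direction, appearing twice; that points at a real retransmission or a routing loop. The script parses tcpdump -n text lines and sorts repeats into those buckets. The sample capture lines are constructed; the interface/direction column ("eth0  In") is what newer tcpdump versions print for -i any, and the parser treats it as optional, flagging repeats as ambiguous when an older tcpdump omits it (in which case capture each interface separately).

```python
import re
from collections import defaultdict

# Constructed sample lines in "tcpdump -n" text format (not from the original post).
# Addresses are documentation ranges; seq 1000 is forwarded LAN->WAN (normal),
# seq 7777 hairpins in and out of eth0 but the Out copy appears twice (suspicious).
SAMPLE_CAPTURE = """\
01:08:01.000100 eth1  In  IP 192.168.10.20.40000 > 203.0.113.50.80: Flags [S], seq 1000, win 29200, length 0
01:08:01.000200 eth0 Out  IP 192.168.10.20.40000 > 203.0.113.50.80: Flags [S], seq 1000, win 29200, length 0
01:08:01.030000 eth0  In  IP 192.0.2.10 > 198.51.100.1: ESP(spi=0x0000abcd,seq=0x2a), length 116
01:08:01.030100 eth0  In  IP 192.168.20.5.50000 > 203.0.113.50.443: Flags [S], seq 7777, win 14600, length 0
01:08:01.030200 eth0 Out  IP 192.168.20.5.50000 > 203.0.113.50.443: Flags [S], seq 7777, win 14600, length 0
01:08:01.030300 eth0 Out  IP 192.168.20.5.50000 > 203.0.113.50.443: Flags [S], seq 7777, win 14600, length 0
01:08:01.040000 eth0  In  IP 203.0.113.50.443 > 192.168.20.5.50000: Flags [R.], seq 0, ack 7778, win 0, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>In|Out|[BMP])\s+)?"   # optional: newer "-i any" output only
    r"IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)")
TCP_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\],(?: seq (?P<seq>\d+)(?::\d+)?,)?")


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line is not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "iface": m["iface"] or "?", "dir": m["dir"] or "?",
           "src": m["src"], "dst": m["dst"], "kind": "other", "seq": None, "flags": ""}
    esp = ESP_RE.search(m["rest"])
    if esp:
        rec.update(kind="esp", seq=esp["seq"], spi=esp["spi"])
        return rec
    tcp = TCP_RE.search(m["rest"])
    if tcp:
        rec.update(kind="tcp", seq=tcp["seq"], flags=tcp["flags"])
    return rec


def analyse(text):
    """Group TCP/ESP packets by (kind, src, dst, seq, flags) and classify repeats."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    seen = defaultdict(list)
    for r in records:
        if r["kind"] in ("tcp", "esp"):
            seen[(r["kind"], r["src"], r["dst"], r["seq"], r["flags"])].append((r["iface"], r["dir"]))
    report = {
        "esp_packets": sum(1 for r in records if r["kind"] == "esp"),
        "resets": sum(1 for r in records if r["kind"] == "tcp" and "R" in r["flags"]),
        "forwarded": [],        # each (iface, dir) once: the box routed it, as expected
        "true_duplicates": [],  # same iface and dir repeated: retransmit or loop, investigate
        "ambiguous": [],        # old tcpdump without interface column: cannot tell
    }
    for key, hops in seen.items():
        if len(hops) < 2:
            continue
        if any(iface == "?" for iface, _ in hops):
            report["ambiguous"].append(key)
        elif len(set(hops)) == len(hops):
            report["forwarded"].append(key)
        else:
            report["true_duplicates"].append(key)
    return report


if __name__ == "__main__":
    rep = analyse(SAMPLE_CAPTURE)
    print(f"ESP packets: {rep['esp_packets']}, TCP resets: {rep['resets']}")
    for bucket in ("forwarded", "true_duplicates", "ambiguous"):
        for kind, src, dst, seq, flags in rep[bucket]:
            print(f"{bucket:16} {kind} {src} > {dst} seq={seq} flags=[{flags}]")
```

Run it against a real capture with `tcpdump -n -i any | python3 dupcheck.py` style piping (read stdin instead of SAMPLE_CAPTURE); anything landing in true_duplicates, together with a rising resets count, is where to look next, while forwarded entries are just the packet being seen on both sides of the router.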


cisco, internet connection, ipsec, routing
