Racoon(8) Deleting SPD Entries
emilio mastriani
emilio.mastriani at comunicando.biz
Tue Mar 29 06:07:08 PST 2005
Hi,

I have a similar problem.

I'm using native kernel 2.6.9-1.667 in Fedora Core 3 and ipsec-tools-0.3.3-5.6.
My peer (84.222.18.181) is a ZyXEL series 600 and I'm NATted behind the same
kind of router.
The network is:

    ipsec-server (fc3)    zyxel/NAT                     internet    zyxel ipsec                      ipsec client
    192.168.0.71 -------- 192.168.0.1/80.19.213.28 ---------------- 84.222.18.181/192.168.254.254 -- 192.168.254.123
The dialog starts and the connection is established, but I can't ping, and
after 360 sec it goes down.
The ipsec.conf:
#!/usr/bin/setkey -f
# configuration for 192.168.0.71
# flush the SAD and the SPD
flush;
spdflush;
# security policy
spdadd 192.168.0.71 192.168.254.123 any -P out ipsec
    esp/tunnel/80.19.213.28-84.222.18.181/require;
spdadd 192.168.254.123 192.168.0.71 any -P in ipsec
    esp/tunnel/84.222.18.181-80.19.213.28/require;
The racoon.conf:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log debug3;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    #isakmp ::1 [7000];
    isakmp 192.168.0.71 [500];
    isakmp_natt 192.168.0.71 [4500];
    #admin [7002];          # administrative's port by kmpstat
    strict_address;         # required all addresses must be found
}

# specification of default various timer
timer
{
    # these values can be changed per remote node
    counter 5;              # maximum trying count to send
    interval 20 sec;        # maximum interval to resend
    persend 1;              # the number of packets per a send

    # timer for a waiting to complete each phase
    phase1 180 sec;
    phase2 360 sec;
}

remote anonymous
{
    exchange_mode main;
    lifetime time 28800 sec;        # sec,min,hour
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

sainfo anonymous
{
    lifetime time 28800 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
psk.txt is correctly set ;-)

The racoon_start.sh:

#!/bin/sh
# flush the SPD, then the SAD
/sbin/setkey -FP
sleep 1
/sbin/setkey -F
sleep 1
# load the policies from ipsec.conf and dump the SPD to check them
/sbin/setkey -f /etc/ipsec.conf
sleep 1
/sbin/setkey -DP
sleep 1
# restart racoon with a raised debug level
killall racoon
sleep 1
/usr/sbin/racoon -d -f /etc/racoon/racoon.conf
The short trace:

Mar 29 15:36:12 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:14 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:14 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:36:47 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:36:52 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:36:52 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:37:58 laptopemy kernel: device eth0 left promiscuous mode
Mar 29 15:38:08 laptopemy kernel: eth0: Promiscuous mode enabled.
Mar 29 15:38:08 laptopemy kernel: device eth0 entered promiscuous mode
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Mar 29 15:48:07 laptopemy racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Mar 29 15:48:08 laptopemy racoon: WARNING: /etc/racoon/racoon.conf:9: "debug3" it is osboleted. use "debug2"
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used as isakmp port (fd=8)
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[4500] used for NAT-T
Mar 29 15:48:08 laptopemy racoon: INFO: 192.168.0.71[500] used as isakmp port (fd=9)
Mar 29 15:48:24 laptopemy racoon: INFO: IPsec-SA request for 84.222.18.181 queued due to no phase1 found.
Mar 29 15:48:24 laptopemy racoon: INFO: initiate new phase 1 negotiation: 80.19.213.28[500]<=>84.222.18.181[500]
Mar 29 15:48:24 laptopemy racoon: INFO: begin Identity Protection mode.
Mar 29 15:48:48 laptopemy racoon: INFO: ISAKMP-SA established 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
Mar 29 15:48:48 laptopemy racoon: INFO: initiate new phase 2 negotiation: 80.19.213.28[0]<=>84.222.18.181[0]
Mar 29 15:48:51 laptopemy racoon: WARNING: attribute has been modified.
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
Mar 29 15:50:28 laptopemy racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=5751c3384413cdd1:32fa62bc06fe123c.
Mar 29 15:50:29 laptopemy racoon: INFO: ISAKMP-SA deleted 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
Any idea?
I don't know how to continue.

Thanks for all.

Dott. Emilio Mastriani
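As an added example (not part of the post above, and not ipsec-tools code): a small Python script that pairs each "established" line of a racoon trace with its "purged" line by SPI and reports how long every SA actually lived, compared with the configured lifetime. The sample log lines are constructed from the trace in the post (wrapped lines re-joined; the year is assumed, since syslog does not record it). Run over that trace it shows the outbound ESP SA living 95 seconds and the ISAKMP SA 100 seconds, far short of the 28800 sec lifetime set in both the remote and sainfo sections, so whatever deleted them was not a lifetime expiry.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the poster's trace: timestamps, addresses
# and SPIs are copied from the post with wrapped lines re-joined; the year is
# an assumption because syslog omits it.
SAMPLE_LOG = """\
Mar 29 15:48:48 laptopemy racoon: INFO: ISAKMP-SA established 80.19.213.28[500]-84.222.18.181[500] spi:5751c3384413cdd1:32fa62bc06fe123c
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 84.222.18.181->80.19.213.28 spi=113195563(0x6bf3a2b)
Mar 29 15:48:52 laptopemy racoon: INFO: IPsec-SA established: ESP/Tunnel 80.19.213.28->84.222.18.181 spi=3612357826(0xd75034c2)
Mar 29 15:50:27 laptopemy racoon: INFO: purged IPsec-SA proto_id=ESP spi=3612357826.
Mar 29 15:50:28 laptopemy racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=5751c3384413cdd1:32fa62bc06fe123c.
"""

# syslog prefix: "Mon DD HH:MM:SS host racoon: LEVEL: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?:\w+): (.*)$")
ESP_UP_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")
IKE_UP_RE = re.compile(r"ISAKMP-SA established (\S+) spi:(\S+)")
# racoon writes "spi:" on establishment but "spi=" (with a trailing period) on purge
PURGE_RE = re.compile(r"purged (IPsec|ISAKMP)-SA proto_id=\S+ spi[=:](\S+?)\.?$")


def sa_lifetimes(log_text, configured_lifetime_sec, year=2005):
    """Pair every SA establishment with its purge and measure how long it lived.

    Returns {spi: {"proto", "peer", "up", "down", "seconds", "early"}}.
    "early" is True when the SA was torn down before its configured lifetime,
    i.e. the deletion cannot be explained by normal lifetime expiry.
    """
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (e := ESP_UP_RE.search(msg)):
            sas[e.group(4)] = {"proto": "ESP", "peer": f"{e.group(2)}->{e.group(3)}",
                               "up": when, "down": None}
        elif (k := IKE_UP_RE.search(msg)):
            sas[k.group(2)] = {"proto": "ISAKMP", "peer": k.group(1),
                               "up": when, "down": None}
        elif (p := PURGE_RE.search(msg)):
            proto = "ESP" if p.group(1) == "IPsec" else "ISAKMP"
            # a purge for an SPI we never saw established still gets a record
            rec = sas.setdefault(p.group(2), {"proto": proto, "peer": None,
                                              "up": None, "down": None})
            rec["down"] = when
    for rec in sas.values():
        if rec["up"] and rec["down"]:
            rec["seconds"] = int((rec["down"] - rec["up"]).total_seconds())
            rec["early"] = rec["seconds"] < configured_lifetime_sec
        else:
            rec["seconds"] = None   # still up, or purge without establishment
            rec["early"] = None
    return sas


def report(sas):
    """One human-readable line per SA."""
    lines = []
    for spi, r in sas.items():
        if r["seconds"] is None:
            state = "no purge seen" if r["up"] else "purge without establishment"
        else:
            state = f"lived {r['seconds']} s" + (" (early teardown)" if r["early"] else "")
        lines.append(f"{r['proto']:6} spi={spi} {r['peer']}: {state}")
    return lines


if __name__ == "__main__":
    # 28800 sec is the lifetime configured in the remote and sainfo sections
    for line in report(sa_lifetimes(SAMPLE_LOG, 28800)):
        print(line)
```

Feeding the real syslog instead of the sample (for example `sa_lifetimes(open("/var/log/messages").read(), 28800)`) gives the same per-SPI view; an inbound SPI that is never purged while its outbound twin is, as in this trace, is worth noting because it tells you which side initiated the delete.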
More information about the freebsd-net mailing list