Hi All,

I am trying to connect a road warrior (iPhone) to a racoon server, but ran into an issue with traffic not being sent to the iPhone.

I have a server running pfSense with ipsec-tools v20090422. The server has two interfaces, LAN and Wifi:

LAN Net: 192.168.100.0/24
Server IP on LAN Net: 192.168.100.1/32

Wifi Net: 192.168.102.0/24
Server IP on Wifi Net: 192.168.102.1/32


Racoon listens on the LAN interface. racoon.conf:

-----
path pre_shared_key "/var/etc/psk.txt";
path certificate  "/var/etc";

listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 192.168.100.1 [500];
        isakmp_natt 192.168.100.1 [4500];
}


mode_cfg
{
        auth_source system;
        group_source system;
        pool_size 253;
        network4 192.168.103.1;
        netmask4 255.255.255.0;
        dns4 192.168.100.1;
        banner "/var/etc/racoon.motd";
}


remote anonymous
{
        ph1id 2;
        exchange_mode aggressive;
        my_identifier fqdn "REMOVED";
        peers_identifier fqdn "REMOVED";
        ike_frag on;
        generate_policy = on;
        initial_contact = off;
        nat_traversal = on;
        passive = on;
        dpd_delay = 10;
        dpd_maxfail = 5;
        support_proxy on;
        proposal_check claim;
        proposal
        {
            authentication_method xauth_psk_server;
            encryption_algorithm aes 256;
            hash_algorithm sha1;
            dh_group 2;
            lifetime time 28800 secs;
        }
}

sainfo   anonymous
{
        remoteid 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        lifetime time 3600 secs;
        compression_algorithm deflate;
}
-----

The iPhone connects to the server via wifi and establishes the VPN tunnel just fine:

/usr/local/sbin/setkey -D      

192.168.100.1 192.168.102.140            
        esp mode=any spi=59422147(0x038ab5c3) reqid=0(0x00000000)  
        E: 3des-cbc  0f4c4312 307636c4 684d8674 87beeda9 56539c43 f1a91f51      
        A: hmac-sha1  a9a7e369 0609da04 b6228e84 869b18ed b099d950
        seq=0x00000000 replay=4 flags=0x00000000 state=mature      
        created: Mar 20 21:04:34 2010   current: Mar 20 21:23:45 2010           
        diff: 1151(s)   hard: 3600(s)   soft: 2880(s)
        last: hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)     
        allocated: 0    hard: 0 soft: 0  
        sadb_seq=1 pid=20284 refcnt=1    
192.168.102.140 192.168.100.1            
        esp mode=tunnel spi=144469689(0x089c6eb9) reqid=0(0x00000000)           
        E: 3des-cbc  0a2b9ec2 0a4f8b50 8415ab53 48e76358 ce91e627 8de5829d      
        A: hmac-sha1  bbdd5542 e6a88045 beb4885b 155f21cb fca629ba
        seq=0x00000011 replay=4 flags=0x00000000 state=mature      
        created: Mar 20 21:04:34 2010   current: Mar 20 21:23:45 2010           
        diff: 1151(s)   hard: 3600(s)   soft: 2880(s)
        last: Mar 20 21:15:09 2010      hard: 0(s)      soft: 0(s)
        current: 1460(bytes)    hard: 0(bytes)  soft: 0(bytes)     
        allocated: 17   hard: 0 soft: 0  
        sadb_seq=0 pid=20284 refcnt=1    

/usr/local/sbin/setkey -DP     

192.168.103.1[any] 0.0.0.0/0[any] any    
        in ipsec            
        esp/tunnel/192.168.102.140-192.168.100.1/require           
        created: Mar 20 21:04:34 2010  lastused: Mar 20 21:04:34 2010           
        lifetime: 3600(s) validtime: 0(s)
        spid=65 seq=1 pid=20384          
        refcnt=1            
0.0.0.0/0[any] 192.168.103.1[any] any    
        out ipsec           
        esp/tunnel/192.168.100.1-192.168.102.140/require           
        created: Mar 20 21:04:34 2010  lastused: Mar 20 21:15:09 2010           
        lifetime: 3600(s) validtime: 0(s)
        spid=66 seq=0 pid=20384          
        refcnt=1     


but when I try to ping a host on the LAN, the iPhone does not get any response. I ran tcpdump on various interfaces and I see ESP traffic coming from the iPhone to the server, ICMP traffic leaving the server on the LAN interface, and the response coming back from the host, but there is no ESP traffic going from the wifi interface to the iPhone.

Now the interesting thing is that if I flush the SPD entries while the iPhone is connected and add them again using the setkey command:

cat spd2.conf

spdadd 192.168.103.1/32[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/192.168.102.140-192.168.100.1/require;
spdadd 0.0.0.0/0[any] 192.168.103.1/32[any] any -P out ipsec esp/tunnel/192.168.100.1-192.168.102.140/require;

everything starts working fine and the iPhone starts getting ESP traffic from racoon. If I try to add the SPD entries without flushing, setkey complains that the entries already exist, so they must be the same entries that racoon automatically generates.

Any idea what might be wrong here?

Thanks in advance.
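The post infers from setkey's "entry already exists" error that the racoon-generated policies and the hand-written spd2.conf lines are the same. The script below is an added example (not from the poster, pfSense or ipsec-tools) that makes that comparison explicit: it parses `setkey -DP` output, renders each policy as the equivalent `spdadd` statement, and diffs the result against a manual spd file on selectors, direction and request chain. The sample input is the post's own `setkey -DP` output and spd2.conf, embedded as constructed strings. It assumes that setkey prints a full-length prefix (/32, /128) as a bare address, which is why `192.168.103.1[any]` is normalised to `192.168.103.1/32[any]`; the created/lastused/lifetime/spid metadata is parsed only for the spid and is not part of the comparison.

```python
import ipaddress
import re

# Constructed sample input: the two racoon-generated SPD entries from the
# post's `setkey -DP` output, embedded so the script runs offline.
SAMPLE_SPD = """\
192.168.103.1[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/192.168.102.140-192.168.100.1/require
        created: Mar 20 21:04:34 2010  lastused: Mar 20 21:04:34 2010
        lifetime: 3600(s) validtime: 0(s)
        spid=65 seq=1 pid=20384
        refcnt=1
0.0.0.0/0[any] 192.168.103.1[any] any
        out ipsec
        esp/tunnel/192.168.100.1-192.168.102.140/require
        created: Mar 20 21:04:34 2010  lastused: Mar 20 21:15:09 2010
        lifetime: 3600(s) validtime: 0(s)
        spid=66 seq=0 pid=20384
        refcnt=1
"""

# Constructed sample: the hand-written spd2.conf from the post.
SAMPLE_CONF = """\
spdadd 192.168.103.1/32[any] 0.0.0.0/0[any] any -P in ipsec esp/tunnel/192.168.102.140-192.168.100.1/require;
spdadd 0.0.0.0/0[any] 192.168.103.1/32[any] any -P out ipsec esp/tunnel/192.168.100.1-192.168.102.140/require;
"""

# "src[port] dst[port] upperspec": the unindented line that opens each entry
SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
# one ipsec request, e.g. esp/tunnel/A-B/require or esp/transport//require
REQUEST_RE = re.compile(
    r"^(?:ah|esp|ipcomp)/(?:tunnel|transport)/[^/]*/(?:default|use|require|unique)$")


def with_prefix(addr):
    """Give a bare host address an explicit prefix length.

    Assumption: setkey prints a full-length prefix as a bare address,
    so '192.168.103.1' stands for '192.168.103.1/32'.
    """
    if "/" in addr:
        return addr
    net = ipaddress.ip_network(addr)
    return f"{net.network_address}/{net.prefixlen}"


def parse_spd(text):
    """Parse `setkey -DP` output into a list of policy dicts."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():                  # selector line: new entry
            m = SELECTOR_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised selector line: {line}")
            cur = {"src": m.group(1), "sport": m.group(2),
                   "dst": m.group(3), "dport": m.group(4), "proto": m.group(5),
                   "dir": None, "policy": None, "requests": [], "spid": None}
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError("indented line before any selector")
        words = line.split()
        if cur["dir"] is None and words[0] in ("in", "out", "fwd"):
            cur["dir"], cur["policy"] = words[0], words[1]   # e.g. "in ipsec"
        elif REQUEST_RE.match(line):
            cur["requests"].append(line)
        else:                                     # metadata: keep only spid
            m = re.search(r"\bspid=(\d+)", line)
            if m:
                cur["spid"] = int(m.group(1))
    return entries


def to_spdadd(entry):
    """Render one parsed policy as the equivalent `spdadd` statement."""
    src = f"{with_prefix(entry['src'])}[{entry['sport']}]"
    dst = f"{with_prefix(entry['dst'])}[{entry['dport']}]"
    policy = f"-P {entry['dir']} {entry['policy']}"
    if entry["requests"]:
        policy += " " + " ".join(entry["requests"])
    return f"spdadd {src} {dst} {entry['proto']} {policy};"


def spdadd_lines(spd_text):
    return [to_spdadd(e) for e in parse_spd(spd_text)]


def canonical(spdadd_line):
    """Canonical form of an spdadd statement: single spaces, explicit prefixes."""
    words = spdadd_line.strip().rstrip(";").split()
    for i in (1, 2):                              # src and dst ranges
        addr, _, port = words[i].partition("[")
        words[i] = with_prefix(addr) + ("[" + port if port else "")
    return " ".join(words) + ";"


def compare_policies(spd_text, conf_text):
    """Return (only_in_kernel, only_in_conf) as sorted lists of spdadd lines."""
    kernel = {canonical(l) for l in spdadd_lines(spd_text)}
    manual = {canonical(l) for l in conf_text.splitlines()
              if l.strip().startswith("spdadd")}
    return sorted(kernel - manual), sorted(manual - kernel)


if __name__ == "__main__":
    for line in spdadd_lines(SAMPLE_SPD):
        print(line)
    print("differences (kernel-only, conf-only):",
          compare_policies(SAMPLE_SPD, SAMPLE_CONF))
```

On the post's data the two sets come out identical, which confirms the poster's inference at the level of selectors and ESP requests; on a live box, feed it `setkey -DP` output captured before and after the flush-and-readd to see whether anything beyond those fields changed.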