I am having problems getting racoon to work between two endpoints:

 

Left                     NAT router                 Right

NetBSD 3.0/i386          w/IPsec Passthrough        Linux kernel 2.6.17.4

(24.64.116.36)           (69.46.x.x)                (10.x.x.x/16)

 

IPsec G/W -> (Internet Cloud) -> Office Router doing NAT -> Internal workstation

 

The session log is below for this connection:

 

---------------

NetBSD 3.0 w/IPSEC_NATT built into the kernel

---------------

 

Starting racoon.

Jul 11 13:32:28 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:32:58 tungsten last message repeated 3 times

Jul 11 13:32:59 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:32:59 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:33:08 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:33:14 tungsten racoon: INFO: caught signal 15

Jul 11 13:33:15 tungsten racoon: INFO: racoon shutdown

Jul 11 13:33:16 tungsten racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

Jul 11 13:33:16 tungsten racoon: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)

Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[4500] used as isakmp port (fd=7)

Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[4500] used for NAT-T

Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[500] used as isakmp port (fd=8)

Jul 11 13:33:16 tungsten racoon: INFO: 24.64.116.36[500] used for NAT-T

Jul 11 13:33:17 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.

Jul 11 13:33:17 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]

Jul 11 13:33:17 tungsten racoon: INFO: begin Aggressive mode.

Jul 11 13:33:17 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:33:37 tungsten last message repeated 2 times

Jul 11 13:33:38 tungsten racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.

Jul 11 13:33:47 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:33:48 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:33:48 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:33:57 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:34:07 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:34:09 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:34:09 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:34:17 tungsten racoon: ERROR: phase1 negotiation failed due to time up. a1aebd9a9fa1fd8f:0000000000000000

Jul 11 13:34:50 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.

Jul 11 13:34:50 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]

Jul 11 13:34:50 tungsten racoon: INFO: begin Aggressive mode.

Jul 11 13:34:50 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:35:20 tungsten last message repeated 3 times

Jul 11 13:35:21 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:35:21 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:35:30 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:35:40 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:35:50 tungsten racoon: ERROR: phase1 negotiation failed due to time up. b242746ec62a3e7c:0000000000000000

Jul 11 13:35:58 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.

Jul 11 13:35:58 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]

Jul 11 13:35:58 tungsten racoon: INFO: begin Aggressive mode.

Jul 11 13:35:58 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:36:28 tungsten last message repeated 3 times

Jul 11 13:36:30 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:36:30 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:36:38 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:36:48 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:36:58 tungsten racoon: ERROR: phase1 negotiation failed due to time up. 2ccc38aa711ace50:0000000000000000

Jul 11 13:43:39 tungsten racoon: INFO: IPsec-SA request for 69.46.x.x queued due to no phase1 found.

Jul 11 13:43:39 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]

Jul 11 13:43:39 tungsten racoon: INFO: begin Aggressive mode.

Jul 11 13:43:39 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:44:09 tungsten last message repeated 3 times

Jul 11 13:44:10 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]

Jul 11 13:44:10 tungsten racoon: INFO: delete phase 2 handler.

Jul 11 13:44:19 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:44:29 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.

Jul 11 13:44:39 tungsten racoon: ERROR: phase1 negotiation failed due to time up. 3d8eee8b74e43295:0000000000000000

 

path pre_shared_key "/etc/racoon/psk.txt" ; log debug;

 

listen

{

        isakmp 24.64.116.36 [500];

        isakmp_natt 24.64.116.36 [4500];

}

 

timer

{

        natt_keepalive 20 sec;

}

 

remote 69.46.x.x

{

        exchange_mode aggressive ;

        my_identifier user_fqdn "russell@mcconnachie.ca" ;

        peers_identifier user_fqdn "russell@guest-tek.com" ;

        lifetime time 24 hour ;

        doi ipsec_doi ;

        situation identity_only ;

        initial_contact on ;

        nat_traversal force ;

        generate_policy on ;

 

        # phase 1 proposal (for ISAKMP SA)

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key ;

                dh_group 2 ;

        }

}

 

remote anonymous

{

        exchange_mode aggressive ;

#       exchange_mode main, aggressive, base ;

        my_identifier user_fqdn "russell@mcconnachie.ca" ;

        lifetime time 24 hour ;

        doi ipsec_doi ;

        situation identity_only ;

        initial_contact on ;

        nat_traversal force ;

        generate_policy on ;

 

        # phase 1 proposal (for ISAKMP SA)

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key ;

                dh_group 2 ;

        }

}

 

# phase 2 proposal (for IPsec SA).

# actual phase 2 proposal will obey the following items:

# - kernel IPsec policy configuration (like "esp/transport//use)

# - permutation of the crypto/hash/compression algorithms presented below

sainfo anonymous

{

        pfs_group 2;

        lifetime time 2 min ;

        encryption_algorithm 3des, blowfish 448, des, rijndael ;

        authentication_algorithm hmac_sha1, hmac_md5 ;

        compression_algorithm deflate ;

}

 

--------------------------

Linux right-side endpoint

--------------------------

# $KAME: racoon.conf,v 1.28 2002/10/18 14:33:28 itojun Exp $

 

path pre_shared_key "/etc/racoon/psk.txt" ; log debug;

 

listen

{       

        isakmp 24.64.116.36 [500];

        isakmp_natt 24.64.116.36 [4500];

}

 

timer

{      

        natt_keepalive 20 sec;

}

 

remote 69.46.x.x

{      

        exchange_mode aggressive ;

        my_identifier user_fqdn "russell@mcconnachie.ca" ;

        peers_identifier user_fqdn "russell@guest-tek.com" ;

        lifetime time 24 hour ;

        doi ipsec_doi ;

        situation identity_only ;

        initial_contact on ;

        nat_traversal force ;

        generate_policy on ;

 

        # phase 1 proposal (for ISAKMP SA)

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key ;

                dh_group 2 ;

        }

}

 

remote anonymous

{      

        exchange_mode aggressive ;

#       exchange_mode main, aggressive, base ;

        my_identifier user_fqdn "russell@mcconnachie.ca" ;

        lifetime time 24 hour ;

        doi ipsec_doi ;

        situation identity_only ;

        initial_contact on ;

        nat_traversal force ;

        generate_policy on ;

 

        # phase 1 proposal (for ISAKMP SA)

        proposal {

                encryption_algorithm 3des;

                hash_algorithm sha1;

                authentication_method pre_shared_key ;

                dh_group 2 ;

        }

}

 

# phase 2 proposal (for IPsec SA).

# actual phase 2 proposal will obey the following items:

# - kernel IPsec policy configuration (like "esp/transport//use)

# - permutation of the crypto/hash/compression algorithms presented below

sainfo anonymous

{      

        pfs_group 2;

        lifetime time 2 min ;

        encryption_algorithm 3des, blowfish 448, des, rijndael ;

        authentication_algorithm hmac_sha1, hmac_md5 ;

        compression_algorithm deflate ;

}

 

Any help is appreciated.

 

Thanks

 

Russell McConnachie
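An added log-triage script, not part of the original post, for reading syslog output in the shape racoon emits above: it expands syslog's "last message repeated N times" lines back into the message they stand for and counts phase 1 starts, rejected packets, and phase 1/phase 2 timeouts, so one run of the tunnel attempt can be summarized at a glance. The embedded sample is a constructed, trimmed fragment of the log above, and the regexes assume the standard BSD syslog line layout (timestamp, host, "racoon: LEVEL: text").

```python
import re
from collections import Counter

# Constructed sample in the BSD syslog shape racoon emits (cookie taken from the original post).
SAMPLE_LOG = """\
Jul 11 13:33:17 tungsten racoon: INFO: initiate new phase 1 negotiation: 24.64.116.36[500]<=>69.46.x.x[500]
Jul 11 13:33:17 tungsten racoon: INFO: begin Aggressive mode.
Jul 11 13:33:17 tungsten racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jul 11 13:33:37 tungsten last message repeated 2 times
Jul 11 13:33:48 tungsten racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 69.46.x.x[500]->24.64.116.36[500]
Jul 11 13:34:17 tungsten racoon: ERROR: phase1 negotiation failed due to time up. a1aebd9a9fa1fd8f:0000000000000000
"""

REPEAT_RE = re.compile(r"last message repeated (\d+) times?")
RACOON_RE = re.compile(r"racoon: (?P<level>\w+): (?P<text>.*)")

def expand_repeats(lines):
    """Yield racoon message texts, replaying syslog's 'repeated N times' suppression."""
    prev = None
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep and prev is not None:
            yield from [prev] * int(rep.group(1))
            continue
        r = RACOON_RE.search(line)
        if r:
            prev = r.group("text")
            yield prev

def summarize(text):
    """Count the IKE events that matter when phase 1 never completes behind NAT."""
    c = Counter()
    cookies = []
    for t in expand_repeats(text.splitlines()):
        if t.startswith("initiate new phase 1"):
            c["phase1_started"] += 1
        elif t.startswith("reject the packet, received unexpecting payload type"):
            c["rejected_packets"] += 1  # type 0 is NONE in the ISAKMP payload numbering (RFC 2408)
        elif t.startswith("phase1 negotiation failed due to time up"):
            c["phase1_timeouts"] += 1
            cookies.append(t.rsplit(" ", 1)[-1])  # initiator:responder cookie pair of the dead SA
        elif t.startswith("phase2 negotiation failed"):
            c["phase2_timeouts"] += 1
    return dict(c), cookies

if __name__ == "__main__":
    counts, cookies = summarize(SAMPLE_LOG)
    print(counts, cookies)
```

Feed it the full log with `summarize(open("/var/log/messages").read())`; a run that shows rejected packets on every attempt and a responder cookie of all zeros means the peer's reply is never parsed as a valid ISAKMP message, which is the pattern above.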