[Ipsec-tools-devel] Problems with racoon 0.3.3-1 on Linux 2.6.8

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I'm having big problems understanding exactly how I am supposed to
configure my gateway to make an IPSec tunnel work, despite a lot of
searching on the net I've failed to find an answer to my questions, so I
hope someone can explain this.

My setup is this: I have a Linux gateway/firewall routing traffic for a
small network (A), 10.1.0.0/16. It has an external IP 217.x.x.34 and a
default gateway (ADSL router) 217.x.x.47.

I want to establish an ESP tunnel to our corporate HQ netork (B)
10.0.0.0/16, which has a Cisco VPN concentrator at 80.x.x.18.

So basically:

[Network A]--[Gateway] <--[internet]--> [Cisco]--Network B

My setkey.conf looks like this:

#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 10.1.0.0/16 10.0.0.0/16 any -P out ipsec
        esp/tunnel/217.xxx.xxx.34-80.xxx.xxx.18/require;

spdadd 10.0.0.0/16 10.1.0.0/16 any -P in ipsec
        esp/tunnel/80.xxx.xxx.18-217.xxx.xxx.34/require;

and my racoon.conf like this:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug;

remote 80.xxx.xxx.18 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        generate_policy off;
}

sainfo address 10.1.0.0/16 any address 10.0.0.0/16 any {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        lifetime time 1 hour;
        compression_algorithm deflate;
}

The IKE negotiation goes well, and the SA's look correct from setkey -D.
Also the Cisco admin reports that the SA's look right on the remote side.

Now there are a few things I don't understand, and that I couldn't find
documented anywhere. I might have misunderstood something basic, because I
haven't been able to find anyone even mentioning similar problems.

1) How should my routing table on the gateway look, so that the gateway
itself will use it's 10.0.1.1 address to contact network B? I have tried
two options:

a: Not adding a route to network B at all:

In this case the box uses my default route (on the external interface)
when I try to ping a host on network B from the box. I can see the
unencrypted ICMP packet going out on the external interface.

b: Adding a route to the gateway's own internal IP (route add -net
10.0.0.0/24 gw 10.1.0.1)

This seems to work: when I ping 10.0.8.1 (a host on network B), with
tcpdump I can see an ESP packet going out on the external interface, and I
can see an ESP packet coming back from the remote Cisco. Also, the admin
of network B tells me he can see my ICMP Echo packets on his network (and
the response). However the packet somehow gets lost before it reaches the
ping program because I never see a response.

So my question is: What is the correct route to set up, and why am I
not seeing the ICMP Echo response?

2) I try to ping from another host on Network A to 10.0.8.1 on network B.
Again, how should my route be set up (and do I need a route at all for
this to work?). In either case, I don't see any outgoing ESP (or other
packets) from the gateway.

First I thought it was a problem with my iptables firewall rules, so I
flushed them all and set policy to Accept, however, this doesn't fix the
problem.

Any help will be greatly appreciated, I have tried all that I can think of
and I don't understand why this isn't working as I expected.

Best regards,

Thomas