#76 problem with pppoe & racoon

Status: open
Owner: nobody
Priority: 5
Updated: 2014-12-10
Created: 2010-03-04
Creator: Anonymous
Private: No

I have a weird problem trying to use racoon vpn tunnels with pppoe on
the WAN interface of a Debian PC I want to set up as a gateway/router.
It has been driving me crazy. I know the modems that we are using as
clients work with the ipsec-tools software (I have used them with
different network configurations), and I am confident that the config I
have here should work (although I would be relieved if someone shows me
it is a simple mistake).
My current situation means I can ping from the client end, back through
to the Debian PC, but no communication can go from the Debian PC to the
client IP range. I have tried the same configuration on 2 different
ISP lines. I have been testing with and without iptables running. Sorry
if my ascii art sucks :)

IPs & names have been changed.

So the interfaces are:
eth0: connected to a bridged modem
eth1: 10.2.25.1
ppp0: 123.456.789.123

IP range of client site: 10.1.97.0/24
WAN IP of client: 321.987.654.321

I am trying to make a tunnel from 10.2.25.0/24 <--> 10.1.97.0/24

Office LAN         Debian PC (pppoe conn to ISP)         Bridged     Internet     Client Modem                 Other LAN
10.2.25.0/24 --- eth1 10.2.25.1 | ppp0 123.456.789.123 --- modem --- ~~~~~~~~ --- 321.987.654.321 | 10.1.97.50 --- 10.1.97.0/24

===============================
racoon.conf:
--------------
path pre_shared_key "/etc/racoon/psk.txt";

log info;

timer {
natt_keepalive 10sec;
}

listen {
isakmp 123.456.789.123 [500];
isakmp_natt 123.456.789.123 [4500];
}

remote anonymous
{
exchange_mode main;
nat_traversal on;
lifetime time 24 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1 ;
compression_algorithm deflate ;
}
==============================
ipsec-tools.conf:
-----------------
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 10.2.25.0/24 10.1.97.0/24 any -P out ipsec
esp/tunnel/123.456.789.123-321.987.654.321/require;
spdadd 10.1.97.0/24 10.2.25.0/24 any -P in ipsec
esp/tunnel/321.987.654.321-123.456.789.123/require;

===============================
output of setkey -DP:
--------------------
10.2.25.0/24[any] 10.1.97.0/24[any] any
out prio def ipsec
esp/tunnel/123.456.789.123-321.987.654.321/require
created: Mar 3 12:03:50 2010 lastused: Mar 3 12:06:01 2010
lifetime: 0(s) validtime: 0(s)
spid=57 seq=1 pid=3350
refcnt=2
10.1.97.0/24[any] 10.2.25.0/24[any] any
in prio def ipsec
esp/tunnel/321.987.654.321-123.456.789.123/require
created: Mar 3 12:03:50 2010 lastused: Mar 3 12:06:01 2010
lifetime: 0(s) validtime: 0(s)
spid=64 seq=2 pid=3350
refcnt=2
10.1.97.0/24[any] 10.2.25.0/24[any] any
fwd prio def ipsec
esp/tunnel/321.987.654.321-123.456.789.123/require
created: Mar 3 12:03:50 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=74 seq=0 pid=3350
refcnt=1
============================
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.172.216.13 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.2.25.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
===========================

log from /var/log/daemon.log:
----------------------
racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007
(http://www.openssl.org/)
racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
racoon: INFO: Resize address pool from 0 to 255
racoon: INFO: 123.456.789.123[4500] used as isakmp port (fd=7)
racoon: INFO: 123.456.789.123[4500] used for NAT-T
racoon: INFO: 123.456.789.123[500] used as isakmp port (fd=8)
racoon: INFO: 123.456.789.123[500] used for NAT-T
racoon: INFO: respond new phase 1 negotiation:
123.456.789.123[500]<=>321.987.654.321[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
racoon: INFO: Hashing 123.456.789.123[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: Hashing 321.987.654.321[500] with algo #2
racoon: INFO: NAT-D payload #1 verified
racoon: INFO: NAT not detected
racoon: INFO: Hashing 321.987.654.321[500] with algo #2
racoon: INFO: Hashing 123.456.789.123[500] with algo #2
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: WARNING: ignore INITIAL-CONTACT notification, because it is
only accepted after phase1.
racoon: INFO: ISAKMP-SA established
123.456.789.123[500]-321.987.654.321[500]
spi:656226b7cc8cfb8c:09f336ef677e854d
racoon: INFO: respond new phase 2 negotiation:
123.456.789.123[500]<=>321.987.654.321[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel
321.987.654.321[0]->123.456.789.123[0] spi=74995840(0x4785880)
racoon: INFO: IPsec-SA established: ESP/Tunnel
123.456.789.123[500]->321.987.654.321[500] spi=2519042975(0x96258b9f)
======================================
traceroute from Debian PC to site:
traceroute to 10.1.97.51 (10.1.97.51), 30 hops max, 40 byte packets
1 blah.net.au (192.172.216.13) 9.961 ms 14.598 ms 19.510 ms
2 blah2.net.au (202.888.888.888) 24.668 ms 29.577 ms 34.739 ms
3 blah3.net.au (210.999.999.999) 39.906 ms 44.575 ms 50.235 ms
4 blah4.net.au (203.666.666.666) 54.918 ms 59.225 ms 64.261 ms
5 * * *
6 * * *
7 * * *
8 * * *
========================================

So it looks like the racoon tunnel doesn't actually trap the traffic and
instead the intended traffic goes out to the internet. The traffic
flowing from the client site is correctly going through the tunnel to
the Debian PC. So is there anything I can do to fix this behaviour?
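One check worth running against the SPD above, as an added example that is not part of the original ticket or of ipsec-tools: parse the `setkey -DP` dump into policies and ask which entry, if any, applies to a packet with a given source and destination. Traffic originated on the Debian PC itself is sourced from the ppp0 address unless it is bound to 10.2.25.1, and the `out` selector only covers 10.2.25.0/24; the constructed 198.51.100.7 stands in for the ppp0 address because the report's WAN addresses are obfuscated and not valid IPv4.

```python
import ipaddress
import re
# Constructed sample shaped like `setkey -DP` output: the report's three policies, tab-indented as setkey prints them.
SPD_DUMP = """\
10.2.25.0/24[any] 10.1.97.0/24[any] any
\tout prio def ipsec
\tesp/tunnel/123.456.789.123-321.987.654.321/require
10.1.97.0/24[any] 10.2.25.0/24[any] any
\tin prio def ipsec
\tesp/tunnel/321.987.654.321-123.456.789.123/require
10.1.97.0/24[any] 10.2.25.0/24[any] any
\tfwd prio def ipsec
\tesp/tunnel/321.987.654.321-123.456.789.123/require
"""
SELECTOR = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+(\S+)\s*$")
DIRECTION = re.compile(r"^\s*(in|out|fwd)\s+prio\s+\S+\s+(ipsec|discard|none)\s*$")
TEMPLATE = re.compile(r"^\s*((?:esp|ah|ipcomp)/\S+)\s*$")


def parse_spd(text):
    """Parse a setkey -DP dump into dicts: src/dst selector, direction, action, template."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := SELECTOR.match(line):
            cur = {"src": ipaddress.ip_network(m[1], strict=False),
                   "dst": ipaddress.ip_network(m[2], strict=False),
                   "proto": m[3], "direction": None, "action": None, "template": None}
            policies.append(cur)
        elif cur and (m := DIRECTION.match(line)):
            cur["direction"], cur["action"] = m[1], m[2]
        elif cur and (m := TEMPLATE.match(line)):
            cur["template"] = m[1]
    return policies


def lookup(policies, src_ip, dst_ip, direction):
    """First entry matching src->dst in that direction (all share the default priority), else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["direction"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None


if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for the ppp0 address; 10.2.25.1 is eth1 from the report.
    for src in ("198.51.100.7", "10.2.25.1"):
        hit = lookup(parse_spd(SPD_DUMP), src, "10.1.97.51", "out")
        print(src, "->", "no matching out policy, sent in the clear" if hit is None else hit["template"])
```

A `None` result for the ppp0-sourced packet means the kernel finds no `out` policy and routes it plainly via the default route, which is the behaviour the traceroute above shows.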
