Today I haven't spent much time with opennhrp... The only thing I have done is look at the outputs you told me about. The outputs are the following ones, in which I don't see the -w in the racoonctl; maybe that is the problem. But what is strange for me is that in this case the error is different, because when I had installed ipsec-tools 0.7 the error output was about -w, but in this case the error is different. If this info helps more ...

racoon -V

- OpenSSL 0.9.8g 19 Oct 2007 (
- IPv6 support
- Dead Peer Detection
- IKE fragmentation
- Hybrid authentication
- NAT Traversal
- Timing statistics
- Admin port
- Monotonic clock
- Security context


racoonctl [opts] reload-config
  racoonctl [opts] show-schedule
  racoonctl [opts] show-sa [protocol]
  racoonctl [opts] flush-sa [protocol]
  racoonctl [opts] delete-sa <saopts>
  racoonctl [opts] establish-sa [-u identity] [-n remoteconf] [-w] <saopts>
  racoonctl [opts] vpn-connect [-u identity] vpn_gateway
  racoonctl [opts] vpn-disconnect vpn_gateway
  racoonctl [opts] show-event
  racoonctl [opts] logout-user login

General options:
  -d        Debug: hexdump admin messages before sending
  -l        Increase output verbosity (mainly for show-sa)
  -s <socket>    Specify adminport socket to use (default: /usr/local/var/racoon/racoon.sock)

Parameter specifications:
    <protocol>: "isakmp", "esp" or "ah".
        In the case of "show-sa" or "flush-sa", you can use "ipsec".

    <saopts>: "isakmp" <family> <src> <dst>
            : {"esp","ah"} <family> <src/prefixlen/port> <dst/prefixlen/port>
    <family>: "inet" or "inet6"
    <ul_proto>: "icmp", "tcp", "udp", "gre" or "any"

From: Timo Teräs <>
To: Luis Garcia <>
Sent: Wednesday, August 12, 2009 6:50:09
Subject: Re: What does exitstatus1 mean?

Luis Garcia wrote:
> But it is strange, because I haven't got any racoon.log, either in /var/log or in any other file on the whole computer. I have been searching for it. And I have seen people in these forums sending the outputs of the logs.

Both ipsec-tools and opennhrp use syslog to log stuff. Additionally
they print to stderr if started from command line.

> The only log I have found with any information of opennhrp is the syslog, but no new information is shown. Even the opennhrp -v doesn't show any additional information.
> I know that this is not relevant information, but the problem shown to me is racoonctl: kmpstat: invalid argument
> Peer up script failed: exitstatus 1

This is exactly the important bit of information.

> In the forum a person with a similar problem is forced to install ipsec-tools 0.8, but this is the version I have. The config files are copied-pasted, and the Cisco architecture is adapted to the configuration of the examples.

Yes, but maybe you installed it to a different place from where the
stock OS version is. E.g. operating system provides it in /usr/bin
and you put it in /usr/local/bin; and the OS version still gets used.

You might want to remove the OS ipsec-tools package. Or at least
verify that the right version is being used (racoon -V prints version;
or just "racoonctl" and you can verify presence of -w flag for
establish-sa command in usage).

- Timo
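
The check described in the reply above, as an added example that is not part of the original thread: it lists every racoonctl on the search path in lookup order and reports whether each copy's usage text shows -w on the establish-sa line. The function names are hypothetical, and it assumes, as the reply states, that running racoonctl without arguments prints its usage.

```shell
#!/bin/sh
# Added example (not from the thread): find which racoonctl copy wins the
# PATH lookup and whether each copy advertises -w for establish-sa.

# Print every executable named $1 in the colon-separated path list $2,
# in lookup order. The first line is the copy the shell would run.
list_copies() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$old_ifs
}

# Return 0 if binary $1, run with no arguments, prints a usage text whose
# establish-sa line contains -w. Usage may go to stderr and the exit status
# may be non-zero, so both are tolerated.
has_wait_flag() {
    usage=$("$1" 2>&1 </dev/null) || true
    printf '%s\n' "$usage" | grep 'establish-sa' | grep -q -e '-w'
}

# One line per copy: path, whether -w is present, and whether this copy is
# the one in use or is shadowed by an earlier PATH entry.
report() {
    first=yes
    list_copies "$1" "$2" | while IFS= read -r bin; do
        if has_wait_flag "$bin"; then flag="has -w"; else flag="no -w"; fi
        if [ "$first" = yes ]; then mark="in use"; first=no; else mark="shadowed"; fi
        printf '%s: %s (%s)\n' "$bin" "$flag" "$mark"
    done
}

report racoonctl "$PATH"
```

If the copy marked "in use" reports "no -w" while a shadowed copy has it, the older binary is the one being picked up.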