Hello,

I am trying to set up an IPSec connection between my server and a telecoms company network, but I am unable to connect and get the following errors in /var/log/messages. Any help on what might be the problem and how to solve/debug it would be appreciated.

Mar 31 22:39:08 ip-208-109-87-191 racoon: ERROR: racoon: MLS support is not enabled.
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: @(#)This product linked OpenSSL 1.0.0d-fips 8 Feb 2011 (http://www.openssl.org/)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: 127.0.0.1[500] used for NAT-T
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: y.y.y.212[500] used as isakmp port (fd=9)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: y.y.y.212[500] used for NAT-T
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: y.y.y.201[500] used as isakmp port (fd=10)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: y.y.y.201[500] used for NAT-T
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: ::1[500] used as isakmp port (fd=11)
Mar 31 22:39:08 ip-208-109-87-191 racoon: INFO: fe80::82ee:73ff:fe31:b3bf%eth0[500] used as isakmp port (fd=12)
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: IPsec-SA request for x.x.x.103 queued due to no phase1 found.
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: initiate new phase 1 negotiation: y.y.y.201[500]<=>x.x.x.103[500]
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: begin Identity Protection mode.
Mar 31 22:39:11 ip-208-109-87-191 racoon: ERROR: such policy does not already exist: "y.y.y.212/32[0] x.x.x.106/32[5434] proto=tcp dir=out"
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: received Vendor ID: CISCO-UNITY
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: received Vendor ID: DPD
Mar 31 22:39:11 ip-208-109-87-191 racoon: INFO: ISAKMP-SA established y.y.y.201[500]-x.x.x.103[500] spi:2f90e8a679c55aee:64d0a57dd9da31bc
Mar 31 22:39:12 ip-208-109-87-191 racoon: INFO: initiate new phase 2 negotiation: y.y.y.201[500]<=>x.x.x.103[500]
Mar 31 22:39:12 ip-208-109-87-191 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Mar 31 22:39:12 ip-208-109-87-191 racoon: ERROR: Message: 'TV )JK Z _j $ V \ N,} X 2 !K]6 mW ` '.
Mar 31 22:39:12 ip-208-109-87-191 racoon: INFO: ISAKMP-SA expired y.y.y.201[500]-x.x.x.103[500] spi:2f90e8a679c55aee:64d0a57dd9da31bc
Mar 31 22:39:22 ip-208-109-87-191 racoon: ERROR: phase2 negotiation failed due to phase1 expired. 2f90e8a679c55aee:64d0a57dd9da31bc:00009e6c
Mar 31 22:39:23 ip-208-109-87-191 racoon: INFO: ISAKMP-SA deleted y.y.y.201[500]-x.x.x.103[500] spi:2f90e8a679c55aee:64d0a57dd9da31bc
Mar 31 22:39:42 ip-208-109-87-191 racoon: INFO: IPsec-SA expired: AH/Tunnel x.x.x.103[0]->y.y.y.201[0] spi=89570829(0x556be0d)
Mar 31 22:39:42 ip-208-109-87-191 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.103[0]->y.y.y.201[0] spi=172895357(0xa4e2c7d)
Mar 31 22:55:44 ip-208-109-87-191 racoon: ERROR: such policy does not already exist: "y.y.y.212/32[0] x.x.x.106/32[0] proto=tcp dir=out"

I have been given the following information by the telecoms company for their side:

IPSec tunnel endpoint: x.x.x.103
Service Public IP: x.x.x.106
Phase 1:
   IKE Mode: Main
   Message Encryption Algorithm: 3des-cbc
   Message Integrity (Hash) Algorithm: ah-sha-hmac
   Peer authentication method: pre-shared
   Peer authentication key: .....
   Key exchange DH group identifier: 2 (1024 bits)
   ISAKMP policy Lifetime (sec): 86400 (1 day)
   ISAKMP Keepalives: Supported/Optional
   Dead Peer Detection (DPD): Supported/Optional (Recom.)
Phase 2:
   IPSec Mode: Tunnel
   IPSec SA Lifetime (sec): 3600 (1 hour)
   IKE Mode: quick
   Mechanism for Payload Authentication (ESP): esp-sha-hmac
   Mechanism for Payload Encryption (ESP): esp-3des-cbc
   Encryption: none
   IPsec Packet Fragmentation: Pre-Fragmentation


My IPs are:

IPSec tunnel endpoint: y.y.y.201
Service Public IP: y.y.y.212


So I added the auth key in /etc/sysconfig/network-scripts/keys-ipsec1 and in /etc/sysconfig/network-scripts/ifcfg-ipsec1 I have:

SRC=y.y.y.201
SRCNET=y.y.y.0/24
DST=x.x.x.103
DSTNET=x.x.x.0/24
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK


/etc/racoon/racoon.conf:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

sainfo anonymous
{
        #pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}

include "/etc/racoon/x.x.x.103.conf";

/etc/racoon/x.x.x.103.conf:

remote x.x.x.103
{
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}


Thank you
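As an added example (not part of the original post), here is a small Python triage script that walks racoon log lines like the ones above and reports how far the IKE negotiation got: whether Phase 1 (ISAKMP-SA) came up, whether a fatal notify or a "such policy does not already exist" error points at the Phase 2 selectors/SPD instead. The sample lines are constructed for this example and keep the post's masked x.x.x / y.y.y addresses; the hostname "host" is a placeholder.

```python
import re

# Sample lines constructed for this example, modelled on the racoon log quoted in the post
# (masked x.x.x / y.y.y addresses kept as in the post; "host" is a placeholder hostname).
SAMPLE_LOG = """\
Mar 31 22:39:11 host racoon: INFO: initiate new phase 1 negotiation: y.y.y.201[500]<=>x.x.x.103[500]
Mar 31 22:39:11 host racoon: ERROR: such policy does not already exist: "y.y.y.212/32[0] x.x.x.106/32[5434] proto=tcp dir=out"
Mar 31 22:39:11 host racoon: INFO: ISAKMP-SA established y.y.y.201[500]-x.x.x.103[500] spi:2f90e8a679c55aee:64d0a57dd9da31bc
Mar 31 22:39:12 host racoon: INFO: initiate new phase 2 negotiation: y.y.y.201[500]<=>x.x.x.103[500]
Mar 31 22:39:12 host racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Mar 31 22:39:22 host racoon: ERROR: phase2 negotiation failed due to phase1 expired. 2f90e8a679c55aee:64d0a57dd9da31bc:00009e6c
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
PEERS_RE = re.compile(r"phase 1 negotiation: (?P<local>[^\[]+)\[\d+\]<=>(?P<remote>[^\[]+)\[\d+\]")
POLICY_RE = re.compile(r'such policy does not already exist: "(?P<src>[^/]+)/\d+\[\d+\] '
                       r'(?P<dst>[^/]+)/\d+\[(?P<port>\d+)\] proto=(?P<proto>\w+) dir=(?P<dir>\w+)"')
NOTIFY_RE = re.compile(r"fatal (?P<notify>[A-Z-]+) notify")

def triage(log_text):
    """Walk the racoon log once and record how far the IKE negotiation got."""
    report = {"peers": None, "phase1_established": False, "fatal_notify": None,
              "phase2_failed": False, "policy_mismatches": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a racoon line; ignore
        msg = m.group("msg")
        if p := PEERS_RE.search(msg):
            report["peers"] = (p.group("local"), p.group("remote"))
        if msg.startswith("ISAKMP-SA established"):
            report["phase1_established"] = True   # PSK, DH group and Phase 1 cipher agree
        if n := NOTIFY_RE.search(msg):
            report["fatal_notify"] = n.group("notify")
        if "phase2 negotiation failed" in msg:
            report["phase2_failed"] = True
        if pol := POLICY_RE.search(msg):
            # the kernel asked racoon to protect traffic for a selector racoon has no policy for
            report["policy_mismatches"].append(pol.groupdict())
    return report

def diagnosis(report):
    """Point at the layer to check next: Phase 1 parameters or Phase 2 selectors/policy."""
    if not report["phase1_established"]:
        return "phase1"
    if report["fatal_notify"] == "INVALID-ID-INFORMATION" or report["policy_mismatches"]:
        # the peer rejected the Phase 2 identities (traffic selectors), or the local SPD disagrees
        return "phase2-selectors"
    return "phase2" if report["phase2_failed"] else "ok"
```

Run `diagnosis(triage(open("/var/log/messages").read()))` against a real log; the `policy_mismatches` entries show exactly which source/destination/port selector the kernel asked for so it can be compared with the SPD and the peer's expected subnets.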