#11 Problem freeswan racoon interoperability


Hi !

I've got a problem making a VPN connection between a
Linux roadwarrior running KAME's racoon IKE daemon with
the Linux kernel 2.6 IPsec stack and a gateway with a
dynamic IP address using dyn DNS. The gateway is running
FreeS/WAN 2.04 on a 2.4 kernel. It has been in production for a
year and is running smoothly with Windows 2000 and XP
roadwarriors. So I think the configuration of my
Mandrake Linux 10.1 is the problem. On the client
machine I'm also running a Windows XP installation from
which I can connect to the VPN!

Here are the log messages of the client and the
gateway when trying to establish a connection via an
ICMP echo request from the roadwarrior to the gateway:

Roadwarrior racoon.log:
client: INFO: @(#)ipsec-tools 0.5-rc1
client: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-01-14 16:04:32: INFO:[500] used as isakmp port (fd=6)
client: INFO:[500] used as isakmp port (fd=7)
client: INFO: ::1[500] used as isakmp port (fd=8)
client: INFO: fe80::211:2fff:fe13:f3f%eth0[500] used as isakmp port (fd=9)
client: INFO: IPsec-SA request for <gateway's ip> queued due to no phase1 found.
client: INFO: initiate new phase 1 negotiation:[500]<=>[500]
client: INFO: begin Identity Protection mode.
client: INFO: ISAKMP-SA established[500]-<gateway's ip>[500]
client: INFO: initiate new phase 2 negotiation:[0]<=>[0]
client: ERROR: pfkey UPDATE failed: Protocol not available
client: ERROR: pfkey ADD failed: Protocol not available

Those last two error messages make me wonder which
protocol may be missing. The strange thing is that the FreeS/WAN
server thinks the handshake was successful and says
the IPsec SA has been established. In fact only
phase 1 of IKE is successful.

Log of freeswan gateway:
gateway: "client-to-subnet_53"[1] #1: responding to Main Mode from unknown peer <client's router address>
gateway: "client-to-subnet_53"[1] #1: Peer ID is ID_DER_ASN1_DN: <Zert_ASN_String>
gateway: "client-to-subnet_53"[1] #1: crl update is overdue since Nov 30 20:33:18 UTC 2004
gateway: "client-to-subnet_53"[1] #1: sent MR3, ISAKMP SA established
gateway: "client-to-subnet_53"[1] #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
gateway: "subnet-to-subnet_53"[1] #2: responding to Quick Mode
gateway: "subnet-to-subnet_53"[1] #2: IPsec SA established {ESP=>0x02552400 <0x20a747fa}
gateway: "client-to-subnet_53"[1] #1: received Delete SA payload: deleting ISAKMP State #1

I tried two different configurations of the ipsec-tools:

./configure --enable-natt --enable-adminport
--enable-gssapi --enable-hybrid --enable-frag
--enable-dpd --enable-samode-unspec
make install


make install

and still the same behaviour.

I also checked that all needed ciphers and protocols
are supported by my kernel. Well, at least I think that
I checked them all:
3des, md5, sha1; ipsec; rsasig; hmac

I append the racoon and setkey config for further info:

setkey policies:
# setkey(8) syntax: spdadd src dst upperspec -P dir ipsec proto/mode/src-dst/level;
# <client ip> is a placeholder for the roadwarrior's own address, in the same
# style as the <gateway's ip> placeholder used throughout this report.
spdadd <client ip> <gateway's ip> any -P out ipsec
        esp/tunnel/<client ip>-<gateway's ip>/require;
spdadd <gateway's ip> <client ip> any -P in ipsec
        esp/tunnel/<gateway's ip>-<client ip>/require;

racoon.conf:
path certificate "/etc/ssl/canorisCA";

remote <gateway's ip> {
        exchange_mode main;
        # certificate_type x509 takes the certificate file and the private key file
        certificate_type x509 "zertificate-file" "<private key file>";
        verify_cert on;
        verify_identifier on;
        my_identifier asn1dn;
        peers_identifier asn1dn "<asn1 zert id>";

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

As you can see I'm using X.509 certificates for
authentication. Just to rule out that the certs are
the problem:
They are the same ones I use for the VPN connection on my
Windows XP installation. And phase 1 of IKE is
successful. Something in the handshake for the ESP
encryption goes wrong, I think. Maybe there are some
other points to deal with when interoperating FreeS/WAN
and KAME?

Help is very appreciated.

Thanks in advance.


P.S. Is there an elegant way to specify the gateway by
DNS name, because the IP changes at least once a day? Or
do I have to write a shell script that gets the current
IP, rewrites my config and restarts everything?
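The list of kernel features the reporter says was checked (3des, md5, sha1, ipsec, rsasig, hmac) does not mention IPComp, yet the posted sainfo block requests compression_algorithm deflate, which on the 2.6 IPsec stack needs the ipcomp protocol module and the deflate crypto algorithm. The script below is an added example, not part of the original report or of ipsec-tools: it pulls every algorithm keyword out of a racoon.conf and checks each one against the kernel's /proc/crypto listing, so the check does not depend on remembering the list by hand. The racoon-keyword-to-crypto-API name mapping is an assumption of this example, and the /proc/crypto and racoon.conf contents in the usage are read from files given on the command line so it can also be run against saved copies.

```shell
#!/bin/sh
# Added example (not from the original report or ipsec-tools): verify that
# every algorithm a racoon.conf references is exposed by the kernel crypto
# API, as listed in /proc/crypto ("name : <alg>" lines).

# Translate a racoon algorithm keyword to the name /proc/crypto shows.
# Assumption: this mapping (HMAC variants are keyed on the underlying digest).
kernel_alg_name() {
    case "$1" in
        3des)            echo des3_ede ;;
        des)             echo des ;;
        aes|rijndael)    echo aes ;;
        blowfish)        echo blowfish ;;
        md5|hmac_md5)    echo md5 ;;
        sha1|hmac_sha1)  echo sha1 ;;
        deflate)         echo deflate ;;   # used by IPComp for compression_algorithm deflate
        *)               echo "$1" ;;
    esac
}

# Algorithm names present in a /proc/crypto-format file, one per line.
listed_algs() {
    sed -n 's/^name[[:space:]]*:[[:space:]]*//p' "$1"
}

# Algorithm keywords referenced by a racoon.conf (phase 1 proposal and
# sainfo blocks), deduplicated. authentication_method (rsasig etc.) is
# deliberately not matched: it is an IKE setting, not a kernel algorithm.
racoon_algs() {
    sed -n -E 's/^[[:space:]]*(encryption|hash|authentication|compression)_algorithm[[:space:]]+([A-Za-z0-9_]+).*/\2/p' "$1" | sort -u
}

# Print every required algorithm that is missing from CRYPTO_FILE, as
# "<racoon name> (kernel: <crypto name>)"; return 1 if anything is missing.
missing_algs() {
    conf=$1; crypto=$2; rc=0
    for a in $(racoon_algs "$conf"); do
        k=$(kernel_alg_name "$a")
        if ! listed_algs "$crypto" | grep -qx "$k"; then
            echo "$a (kernel: $k)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_algs.sh /etc/racoon/racoon.conf /proc/crypto
if [ $# -eq 2 ]; then
    if missing_algs "$1" "$2"; then
        echo "all algorithms referenced by $1 are present in $2"
    else
        exit 1
    fi
fi
```

If the script reports something, the kernel either lacks the module or has it built out; on a 2.6 kernel the relevant module names are typically des (which also provides des3_ede), md5, sha1 and deflate for the algorithms, plus esp4 and ipcomp for the ESP and IPComp protocols themselves, so a modprobe of the missing one (or a rebuild with it enabled) is the fix. Dropping compression_algorithm deflate from the sainfo block is the other way to remove the IPComp dependency altogether.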

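For the question in the P.S.: the remote block in racoon.conf and the tunnel endpoints in the setkey policy take addresses, so the practical route is a small cron job that resolves the dyn DNS name and, only when the answer changes, regenerates both files from templates and reloads. The script below is an added example, not code from the original post or from ipsec-tools; the template token @GATEWAY_IP@, the file paths, the hostname and the restart command are all assumptions of the example and can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original report or ipsec-tools): refresh the
# racoon and setkey configuration when the gateway's dynamic-DNS name
# resolves to a new address. Assumptions: both config files are generated
# from templates containing the literal token @GATEWAY_IP@; every default
# below (paths, hostname, restart command) is hypothetical.

GATEWAY_HOST="${GATEWAY_HOST:-vpn-gateway.example.org}"
RACOON_TMPL="${RACOON_TMPL:-/etc/racoon/racoon.conf.tmpl}"
RACOON_CONF="${RACOON_CONF:-/etc/racoon/racoon.conf}"
SETKEY_TMPL="${SETKEY_TMPL:-/etc/racoon/setkey.conf.tmpl}"
SETKEY_CONF="${SETKEY_CONF:-/etc/racoon/setkey.conf}"
STATE_FILE="${STATE_FILE:-/var/run/racoon-gateway.ip}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/racoon restart}"

# First IPv4 address for a name (getent is glibc's resolver front end).
resolve_gateway() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Accept only a dotted quad with octets 0-255, so a bad or spoofed DNS
# answer can never be pasted into the config files or handed to setkey.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Substitute the token and replace the output atomically via rename, so
# racoon or setkey never reads a half-written file.
render_template() {
    tmpl=$1; out=$2; ip=$3
    sed "s/@GATEWAY_IP@/$ip/g" "$tmpl" > "$out.tmp" && mv "$out.tmp" "$out"
}

# True (0) when IP differs from the last address applied, else 1.
ip_changed() {
    [ -r "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$1" ] && return 1
    return 0
}

# Flush old SAs and policies, load the new policy, restart racoon.
reload_ipsec() {
    setkey -F && setkey -FP && setkey -f "$SETKEY_CONF" && $RESTART_CMD
}

# One cycle: resolve, validate, skip if unchanged, otherwise render and
# reload; the state file is only written after a successful reload.
update_gateway() {
    ip=$(resolve_gateway "$GATEWAY_HOST")
    if ! is_ipv4 "$ip"; then
        echo "no usable IPv4 answer for $GATEWAY_HOST: '$ip'" >&2
        return 1
    fi
    ip_changed "$ip" || return 0
    render_template "$RACOON_TMPL" "$RACOON_CONF" "$ip" &&
    render_template "$SETKEY_TMPL" "$SETKEY_CONF" "$ip" &&
    reload_ipsec &&
    printf '%s\n' "$ip" > "$STATE_FILE"
}

# Run the cycle only when invoked as "sh refresh-gateway.sh update", e.g.
# from cron every few minutes; sourcing the file just defines the functions.
if [ "${1:-}" = update ]; then
    update_gateway
fi
```

The templates are just the posted racoon.conf and setkey policy with every <gateway's ip> replaced by @GATEWAY_IP@. Because the phase 1 and phase 2 SAs are flushed on every change, the first packet after a change re-triggers IKE; that is the price of the gateway's address being part of the policy.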

  • Nobody/Anonymous

    Hello! Anybody out there?

  • Timo Teras

    Timo Teras - 2009-01-16
    • status: open --> closed
  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

