Hey, guys.
I'm having a problem with my IPSec configuration.
On one side, everything works out pretty nice.
On the other side, racoon is making bad noises about not finding a
correct configuration.
"ERROR: couldn't find configuration."
However, if I kill racoon, and run it in the foreground with debug
output on, I get some more information.
2008-07-16 16:06:27: DEBUG: ===
2008-07-16 16:06:27: DEBUG: 100 bytes message received from 81.167.211.58[57413] to 85.200.211.69[500]
2008-07-16 16:06:27: DEBUG:
ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2008-07-16 16:06:27: DEBUG: no remote configuration found.
2008-07-16 16:06:27: ERROR: couldn't find configuration.
The configuration is pretty straightforward, generated by pfSense.
# cat racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

# Phase 1: this block is selected by the peer's source address
remote <REMOTE_IP> {
        exchange_mode main;
        my_identifier address "<GW ON CORRECT VLAN>";
        peers_identifier address <REMOTE_IP>;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 2400 secs;
        }
        lifetime time 2400 secs;
}

# Phase 2: selected by the local/remote network pair
sainfo address <LOCAL_NETWORK> any address <REMOTE_NETWORK> any {
        encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
        lifetime time 1200 secs;
}
Here is the weird thing: if I change that remote stanza to read
remote anonymous {
        blah;
}
then everything works out nice, racoon even tells me it uses the
anonymous stanza for that correct IP.
2008-07-16 16:11:06: DEBUG: anonymous configuration selected for 81.167.211.58.
So, to me this seems really odd; how come racoon isn't picking up that
stanza when configured like pfSense configures it?
Using the anonymous stanza is not what I really want, and either way I
can't see a way to make pfSense generate one of those.
So, does anyone have any ideas on what is going on here?
Using tcpdump I can see that it is in fact my <REMOTE_IP> that is coming
through to racoon, on port 500/UDP.
Thanks for a great product, by the way.
-- Torbjørn / Nextline
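An added example, not part of the original mail and not code from racoon or pfSense: it decodes the 100-byte ISAKMP message racoon dumped above, so the peer's phase-1 offer (exchange mode, cipher, hash, authentication method, DH group, lifetime, vendor IDs) can be checked against the remote stanza before the address lookup itself is debugged. It assumes the hex is exactly the dump shown and uses only the RFC 2408/2409 codes that occur in it.

```python
import struct

# The 100-byte message from the racoon debug dump above, hex words joined
# (constructed from the post; no packet capture needed).
ISAKMP_HEX = "".join("""
ba9d946f 3cf4cf90 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c04b0
80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
""".split())

PAYLOAD_SA, PAYLOAD_VID = 1, 13  # RFC 2408 payload types used here
ATTR = {1: "encryption", 2: "hash", 3: "auth method", 4: "dh group",
        11: "life type", 12: "life duration"}  # RFC 2409 attribute classes
VALUE = {1: {5: "3des"}, 2: {1: "md5", 2: "sha1"}, 3: {1: "pre_shared_key"},
         4: {2: "modp1024"}, 11: {1: "seconds"}}
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # RFC 3706 DPD

def decode(msg: bytes) -> dict:
    """Return exchange type, phase-1 proposal and vendor IDs of an IKEv1 message."""
    icookie, rcookie, np, _ver, xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("header length %d != %d bytes" % (length, len(msg)))
    out = {"initiator_cookie": icookie.hex(), "main_mode": xchg == 2,
           "first_message": rcookie == bytes(8), "proposal": {}, "vendor_ids": []}
    off = 28
    while np:  # follow the next-payload chain until type 0 (none)
        np_next, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        body = msg[off + 4:off + plen]
        if np == PAYLOAD_SA:
            # body: DOI(4) situation(4) proposal hdr(8) SPI(spisz) transform hdr(8) attrs
            t = 16 + body[14]
            tlen = struct.unpack("!H", body[t + 2:t + 4])[0]
            i, attrs = 0, body[t + 8:t + tlen]
            while i < len(attrs):
                atype, aval = struct.unpack("!HH", attrs[i:i + 4])
                if atype & 0x8000:  # TV form: 2-byte value
                    atype &= 0x7fff
                    out["proposal"][ATTR.get(atype, atype)] = VALUE.get(atype, {}).get(aval, aval)
                    i += 4
                else:  # TLV form: aval is a length, skip the data
                    i += 4 + aval
        elif np == PAYLOAD_VID:
            out["vendor_ids"].append("DPD" if body == DPD_VID else body.hex())
        np, off = np_next, off + plen
    return out

def decode_racoon_dump() -> dict:
    return decode(bytes.fromhex(ISAKMP_HEX))
```

For this dump the peer offers main mode with 3DES, SHA1, pre-shared key and DH group 2, which matches the proposal in the remote stanza, so the decode rules out a proposal mismatch and leaves the address-based remote lookup as the thing to inspect.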