We are trying to connect a linux server to a cisco router with ipsec using Racoon. We see the tunnel is established and from the cisco side we see packets coming in and ou but they are not making it to the linux serve. Here is the output from the cisco side. local ident (addr/mask/prot/port): (xx/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (xx/255.255.255.255/0/0) current_peer xx port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 131, #pkts encrypt: 131, #pkts digest: 131 #pkts decaps: 188, #pkts decrypt: 188, #pkts verify: 188 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: xx, remote crypto endpt.: xx path mtu 1500, ip mtu 1500 current outbound spi: 0xBE7F6BD(199751357) inbound esp sas: spi: 0x3180D2BE(830526142) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2017, flow_id: SW:17, crypto map: VPNPROD sa timing: remaining key lifetime (k/sec): (4411488/3445) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xBE7F6BD(199751357) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 2010, flow_id: SW:10, crypto map: VPNPROD sa timing: remaining key lifetime (k/sec): (4411495/3445) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: We want to enable packet logging on our side as the other side is limited to what they can do to troubleshoot this but the command we have tried to turn logging on seems to not be working. (see below). Apparently the more -d's you have the more logging you get out of it. It is not logging the packets but does show the tunnel being estabalished. Once the tunnel is estabalished the logging stops. racoon -d -d -d -d -v -f /etc/racoon/racoon.conf -l /var/log/racoon.log I guess getting the logging to continue after the tunnel is up would show why traffic is not flowing in the turnnel. Here is the linux racoon.conf # Racoon IKE daemon configuration file. # See 'man racoon.conf' for a description of the format and entries. path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; log debug2; listen { isakmp xxx.xxx.xxx.xx ; } remote xxx.xxx.xxx.xx { exchange_mode main; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } } sainfo address xxx.xxx.xxx.xx any address xxx.xxx.xxx.xx any { pfs_group 2; encryption_algorithm 3des; authentication_algorithm hmac_sha1; compression_algorithm deflate; } Setkey.conf #!/usr/sbin/setkey -f # # Flush SAD and SPD flush; spdflush; # Create policies for racoon spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P out ipsec esp/tunnel/ xxx.xxx.xxx.xx - xxx.xxx.xxx.xx /require; spdadd xxx.xxx.xxx.xx xxx.xxx.xxx.xx any -P in ipsec esp/tunnel/ xxx.xxx.xxx.xx - xxx.xxx.xxx.xx /require; psk.txt xxx.xxx.xxx.xxx key
