I am having problems setting up racoon on FreeBSD. I have consulted various websites and guides but I can't find something that is similar to what I need to do. I believe my main problem is that I don't understand the parameters of racoon, so it might well just be something as simple as a configuration problem. I am completely new to FreeBSD, so please bear with me. Also, I'm basing my configuration on the guide from the FreeBSD documentation. I can't post links because this is my first post.

I have two boxes with FreeBSD installed, Box A and Box B. Box A has three network cards: one is unused, one is connected to the Internet (em0) and one is directly connected to Box B (msk0). Box B only has one network card, which is connected to Box A (msk0).

What I would like to do is have Box A create two IPSec encrypted tunnels with Box B over the established direct connection.

For the time being, I'm concerning myself with establishing just one tunnel rather than two.

Box A has the following IP addresses for msk0:
Public: 192.168.1.1
Private (for the tunnel): 10.0.0.1

Box B:
Public: 192.168.1.2
Private (for the tunnel): 10.0.0.2

I edited the kernel config of both boxes to enable IPsec and recompiled. These are the options I added:
Code:
options   IPSEC        #IP security
device    crypto
options   IPSEC_DEBUG  #debug for IP security
I saw in some guides that they added options IPSEC_ESP, but the guide I was following did not, so I did not add it. I installed ipsec-tools because I couldn't find enough guides for the racoon2 available from the ports collection.

I then executed the following commands on Box A:
Code:
ifconfig gif0 create
ifconfig gif0 10.0.0.1 10.0.0.2
ifconfig gif0 tunnel 192.168.1.1 192.168.1.2
route add 10.0.0.0 10.0.0.2 255.255.255.0
Box B:
Code:
ifconfig gif0 create
ifconfig gif0 10.0.0.2 10.0.0.1
ifconfig gif0 tunnel 192.168.1.2 192.168.1.1
route add 10.0.0.0 10.0.0.1 255.255.255.0
After doing so, I am able to ping between the private and public IP addresses. It might be helpful to note that after doing this, I lose the Internet connection on Box A. Restarting networking and flushing the route table does not help; I actually have to restart the machine. But this is something minor.

Now I get to the more complicated part. I edited rc.conf to start racoon on start-up.
Code:
racoon_enable="YES"
I created a directory for racoon /usr/local/etc/racoon/ and placed the following files in it: psk.txt, racoon.conf and setkey.conf.

Here are the contents of these files:

psk.txt on Box A
Code:
192.168.1.2	password
psk.txt on Box B
Code:
192.168.1.1	password
setkey.conf on Box A
Code:
flush;
spdflush;
# To the home network
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/use;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/use;
setkey.conf on Box B
Code:
flush;
spdflush;
# To the home network
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/use;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/use;
racoon.conf on Box A
Code:
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listening on
{
        isakmp          192.168.1.1 [500];
        isakmp_natt     192.168.1.1 [4500];
}

remote 192.168.1.2 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 192.168.1.1;
        peers_identifier        address 192.168.1.2;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }

}

# phase 2 proposal (for IPsec SA).
sainfo  (address 10.0.0.0/24 any address 10.0.0.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}
racoon.conf on Box B
Code:
# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

# the file should contain key ID/key pairs, for pre-shared key authentication.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug;

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   # timing options. change as needed
{
        counter         5;
        interval        20 sec;
        persend         1;
#       natt_keepalive  15 sec;
        phase1          30 sec;
        phase2          15 sec;
}

listen  # address [port] that racoon will listening on
{
        isakmp          192.168.1.2 [500];
        isakmp_natt     192.168.1.2 [4500];
}

remote 192.168.1.1 [500]
{
        exchange_mode   main,aggressive;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address 192.168.1.1;
        peers_identifier        address 192.168.1.1;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
#       nat_traversal   off;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          md5;
                                authentication_method   pre_shared_key;
                                lifetime time           30 sec;
                                dh_group                1;
                        }

}

# phase 2 proposal (for IPsec SA).
sainfo  (address 10.0.0.0/24 any address 10.0.0.0/24 any)    # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{                               # $network must be the two internal networks you are joining.
        pfs_group       1;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish,3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}

Finally, I run /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log on Box B and then on Box A (I don't know where I must execute them, so I did it on both). I get the following outputs:

Box B Output:
Code:
VPN# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
Foreground mode.
2010-05-05 15:35:23: INFO: (#)ipsec-tools 0.7.3 ()
2010-05-05 15:35:23: INFO: (#)This product linked OpenSSL 0.9.8k 25 Mar 2009 ()
2010-05-05 15:35:23: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-05-05 15:35:23: DEBUG: hmac(modp768)
2010-05-05 15:35:23: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-05-05 15:35:23: DEBUG: getsainfo params: loc='10.0.0.0/24', rmt='10.0.0.0/24', peer='NULL', id=0
2010-05-05 15:35:23: DEBUG: getsainfo pass #2
2010-05-05 15:35:23: INFO: 192.168.1.2[4500] used as isakmp port (fd=4)
2010-05-05 15:35:23: WARNING: setsocketopt(UDP_ENCAP_ESPINDUDP): UDP_ENCAP Invalid argument
2010-05-05 15:35:23: INFO: 192.168.1.2[500] used as isakmp port (fd=5)
2010-05-05 15:35:23: WARNING: setsocketopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
2010-05-05 15:35:23: DEBUG: pk_recv: retry[0] recv()
2010-05-05 15:35:23: DEBUG: get pfkey X_SPDDUMP message
2010-05-05 15:35:23: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
Box A Output:
Code:
VPN# /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log
Foreground mode.
2010-05-05 15:35:23: INFO: (#)ipsec-tools 0.7.3 ()
2010-05-05 15:35:23: INFO: (#)This product linked OpenSSL 0.9.8k 25 Mar 2009 ()
2010-05-05 15:35:23: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2010-05-05 15:35:23: DEBUG: hmac(modp768)
2010-05-05 15:35:23: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2010-05-05 15:35:23: DEBUG: getsainfo params: loc='10.0.0.0/24', rmt='10.0.0.0/24', peer='NULL', id=0
2010-05-05 15:35:23: DEBUG: getsainfo pass #2
2010-05-05 15:35:23: ERROR: failed to bind to address 192.168.1.1[4500] (Address already in use).
2010-05-05 15:35:23: ERROR: failed to bind to address 192.168.1.1[500] (Address already in use).
2010-05-05 15:35:23: ERROR: no address could be bound.
I try to terminate on Box B with Ctrl+C and I get the following:
Code:
2010-05-05 15:36:17: INFO: caught signal 2
2010-05-05 15:36:17: DEBUG: pk_recv: retry[0] recv()
2010-05-05 15:36:17: DEBUG: get pfkey FLUSH message
2010-05-05 15:36:17: DEBUG: call pfkey_send_dump
2010-05-05 15:36:17: DEBUG: pk_recv: retry[0] recv()
2010-05-05 15:36:17: INFO: racoon shutdown
VPN#
What am I doing wrong here? Can somebody please explain to me what is going on?
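Added example, not part of the post above and not code from ipsec-tools or FreeBSD: a small Python checker that reads the two racoon.conf, setkey.conf and psk.txt pairs and reports the mechanical inconsistencies between them that racoon.conf(5) and setkey(8) expect to line up. It checks, per host, that my_identifier is the host's own listen address and peers_identifier is the remote address, that psk.txt has an entry keyed by the remote address, and that the -P out policy's ESP tunnel runs from this host to the peer while the -P in policy runs the other way; across the pair it checks that A's out policy is B's in policy and vice versa. Constructed, abbreviated copies of the four files from the post are embedded so it runs offline; the regexes work on the full files as well. Function names (parse_racoon, parse_setkey, check_peer, check_pair, audit) are mine. It covers only file consistency, not runtime state such as the "Address already in use" bind errors in the Box A output, which come from the socket layer rather than from the configuration files.

```python
import re

# Constructed, abbreviated copies of the files from the post; only the lines
# the checker reads are kept. Sample input, not read from the live system.
RACOON_A = """
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen { isakmp 192.168.1.1 [500]; isakmp_natt 192.168.1.1 [4500]; }
remote 192.168.1.2 [500] {
    my_identifier    address 192.168.1.1;
    peers_identifier address 192.168.1.2;
}
"""
RACOON_B = """
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
listen { isakmp 192.168.1.2 [500]; isakmp_natt 192.168.1.2 [4500]; }
remote 192.168.1.1 [500] {
    my_identifier    address 192.168.1.1;
    peers_identifier address 192.168.1.1;
}
"""
SETKEY_A = """
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.1-192.168.1.2/use;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.168.1.2-192.168.1.1/use;
"""
SETKEY_B = """
spdadd 10.0.0.0/24 10.0.0.0/24 any -P out ipsec esp/tunnel/192.168.1.2-192.168.1.1/use;
spdadd 10.0.0.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/192.168.1.1-192.168.1.2/use;
"""
PSK_A = "192.168.1.2\tpassword\n"
PSK_B = "192.168.1.1\tpassword\n"

# spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+")


def parse_racoon(text):
    """Pull the addresses racoon uses for identity and for the peer out of racoon.conf."""
    grab = lambda pat: re.search(pat, text).group(1)
    return {
        "listen":  grab(r"\bisakmp\s+([\d.]+)"),
        "remote":  grab(r"\bremote\s+([\d.]+)"),
        "my_id":   grab(r"my_identifier\s+address\s+([\d.]+)"),
        "peer_id": grab(r"peers_identifier\s+address\s+([\d.]+)"),
    }


def parse_setkey(text):
    """Return {direction: (src_sel, dst_sel, tunnel_src, tunnel_dst)} for each spdadd line."""
    return {m.group(3): (m.group(1), m.group(2), m.group(4), m.group(5))
            for m in SPD_RE.finditer(text)}


def parse_psk(text):
    """psk.txt is 'identifier<whitespace>key' per line; only the identifiers matter here."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def check_peer(name, conf, spd, psk):
    """Per-host checks: identities vs. addresses, PSK entry, tunnel endpoint direction."""
    f = []
    if conf["my_id"] != conf["listen"]:
        f.append(f"{name}: my_identifier {conf['my_id']} is not the listen address {conf['listen']}")
    if conf["peer_id"] != conf["remote"]:
        f.append(f"{name}: peers_identifier {conf['peer_id']} is not the remote address {conf['remote']}")
    if conf["remote"] not in psk:
        f.append(f"{name}: psk.txt has no entry for {conf['remote']}")
    # out: tunnel from me to peer; in: tunnel from peer to me
    want = {"out": (conf["listen"], conf["remote"]), "in": (conf["remote"], conf["listen"])}
    for d, (ts, td) in want.items():
        if d not in spd:
            f.append(f"{name}: no -P {d} policy")
        elif spd[d][2:] != (ts, td):
            f.append(f"{name}: -P {d} tunnel is {spd[d][2]}-{spd[d][3]}, expected {ts}-{td}")
    return f


def check_pair(a, spd_a, b, spd_b):
    """Cross-host checks: addresses pair up, A's out policy equals B's in policy and vice versa."""
    f = []
    if a["remote"] != b["listen"] or b["remote"] != a["listen"]:
        f.append("remote/listen addresses of the two hosts do not pair up")
    for da, db in (("out", "in"), ("in", "out")):
        if da in spd_a and db in spd_b and spd_a[da] != spd_b[db]:
            f.append(f"A -P {da} and B -P {db} differ: {spd_a[da]} vs {spd_b[db]}")
    return f


def audit():
    """Run every check over the embedded sample files and return the findings."""
    a, b = parse_racoon(RACOON_A), parse_racoon(RACOON_B)
    sa, sb = parse_setkey(SETKEY_A), parse_setkey(SETKEY_B)
    return (check_peer("Box A", a, sa, parse_psk(PSK_A))
            + check_peer("Box B", b, sb, parse_psk(PSK_B))
            + check_pair(a, sa, b, sb))


if __name__ == "__main__":
    for line in audit() or ["no inconsistencies found"]:
        print(line)
```

On the files as posted, the only finding the checker reports is for Box B, whose remote block carries a my_identifier that is not Box B's own listen address; every tunnel endpoint, psk.txt entry and cross-host policy pairing lines up. To run it against real hosts, replace the embedded strings with the contents of /usr/local/etc/racoon/racoon.conf, setkey.conf and psk.txt from each box.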