Viewing 3 posts - 1 through 3 (of 3 total)
  • #354759
    Anonymous
    Participant

    I’m trying to make my Jaguar box an IPSec client of a Netopia R9100. I’ve followed the how-tos at http://www.netopia.com

    http://www.netopia.com/en-us/support/technotes/hardware/NIR_080.html
    http://www.netopia.com/en-us/support/technotes/hardware/NQG_053.html
    and of course the flying racoons, but I’m still having some trouble.
    The first one is that

    #racoon -f /etc/racoon/racoon.conf -d -d -d -F -v
    gives

    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1349:isakmp_open(): failed to bind (Address already in use).
    2002-11-13 02:08:39: ERROR: isakmp.c:1372:isakmp_open(): no address could be bound.

    and I don’t know which address is in use, as I’m connected via a PPPoE DSL connection and an Alcatel SpeedTouch Home (whose default IP is 10.0.0.138).

    Can someone tell me a command with which I can find out which process is using the faulty address?

    The second problem is that doing an Nmap on the R9100 shows no port 500, 50 or 51 open. I’ll manage that in a second phase, but perhaps that’s normal?

    Thanks for your help

    Vickey

    #354767
    Anonymous
    Participant

    Thanks for the help, that was certainly the case, but as I’ve rebooted since my first attempt I have a new error message:

        INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.

    and a few lines after:

        isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 195.154.xxx.xxx->213.203.xxx.xxx

    These messages appear if I try to make an AFP connection from the Finder to 192.168.1.11, which is a file server on the LAN behind the R9100.

    Is there any way to verify that the R9100 answers on the right ports, like doing a
    #telnet R9100-IP 500 ?

    It seems that the R9100 is not answering anything to the Jaguar box…

    #354768
    Anonymous
    Participant

    Oh, I forgot: I’m running 10.2.2 on a PPPoE DSL connection. And my vpnsetup.txt looks like this:

        flush;
        spdflush;
        spdadd 192.168.1.0/24 xxx.xxx.117.114/32 any -P in ipsec esp/tunnel/xxx.xxx.29.199-xxx.xxx.117.114/require;
        spdadd xxx.xxx.117.114/32 192.168.1.0/24 any -P out ipsec esp/tunnel/xxx.xxx.117.114-xxx.xxx.29.199/require;

    which could be understood as:

        flush;
        spdflush;
        spdadd R9100-LAN/24 PPPoE-IP/32 any -P in ipsec esp/tunnel/R9100PublicIP-PPPoE-IP/require;
        spdadd PPPoE-IP/32 R9100-LAN/24 any -P out ipsec esp/tunnel/PPPoE-IP-R9100PublicIP/require;

    As you will have understood, the LAN behind the R9100 is on 192.168.1.x/255.255.255.0.
    The R9100 gets on the Net using PPTP and has a static IP.
    My psk.txt file only has one line:

        R9100-IP sharedsecretkey

    Could it be something wrong with my dynamic PPPoE connection?
    Is there any way to not have to modify the vpnsetup.txt file each time I get connected (could 0.0.0.0/32 work for any IP)?
    I’ve read some forums about IPSec on BSD 4.4; they talk about ifconfig, gifconfig and building a gif0 tunnel before doing anything. Do we also have to do this on OS X?

    The R9100 asks for special settings in its IKE setup; the screen looks like this:

        Negotiation… Normal

        SA Use Policy… Newest SAs Immediately
        Allow Dangling Phase 2 SAs: Yes
        Phase 1 SA Lifetime (seconds): 28800
        Phase 1 SA Lifetime (Kbytes): 0

        Send Initial Contact Message: Yes
        Include Vendor ID Payload: Yes
        Independent Phase 2 Re-keys: Yes
        Strict Port Policy: No
    Perhaps this could help you give me some advice…

    Thanks for your help

    Regards

    Vickey
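One way to avoid editing the setkey policy file by hand after every PPPoE reconnect is to regenerate it from the interface's current address. This is an added example, not code from the thread or from Netopia: the function names, the sample `ifconfig ppp0` output and the documentation-range addresses are assumptions, and the generated lines follow the `flush; spdflush; spdadd …` template quoted in the post.

```python
#!/usr/bin/env python3
"""Regenerate the setkey SPD policy file (vpnsetup.txt in the post) from the
current PPPoE address. Added example; function names, sample interface output
and addresses are constructed assumptions, not from the original thread."""
import ipaddress
import re
import sys

# Constructed sample of `ifconfig ppp0` output on a BSD-style system (not real data)
SAMPLE_IFCONFIG = """ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
\tinet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff
"""


def parse_ppp_address(ifconfig_output: str) -> str:
    """Extract the local address of a point-to-point interface ('inet A --> B')."""
    match = re.search(r"inet (\S+) --> \S+", ifconfig_output)
    if not match:
        raise ValueError("no point-to-point inet address found")
    return match.group(1)


def build_spd_policies(lan_cidr: str, local_ip: str, gateway_ip: str) -> list:
    """Return the setkey lines of the template in the post: traffic between this
    host's public address and the remote LAN must use an ESP tunnel between the
    two public endpoints (level 'require')."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    local = ipaddress.ip_address(local_ip)
    gateway = ipaddress.ip_address(gateway_ip)
    # Tunnel endpoints are matched literally by the kernel, so they must be
    # concrete unicast addresses rather than placeholders such as 0.0.0.0.
    for name, addr in (("local", local), ("gateway", gateway)):
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            raise ValueError(f"{name} endpoint {addr} is not a usable tunnel address")
    if local in lan:
        raise ValueError("local address must not lie inside the remote LAN")
    return [
        "flush;",
        "spdflush;",
        f"spdadd {lan} {local}/32 any -P in ipsec esp/tunnel/{gateway}-{local}/require;",
        f"spdadd {local}/32 {lan} any -P out ipsec esp/tunnel/{local}-{gateway}/require;",
    ]


if __name__ == "__main__":
    # Real use: replace SAMPLE_IFCONFIG with subprocess.check_output(["ifconfig", "ppp0"], text=True)
    local_ip = parse_ppp_address(SAMPLE_IFCONFIG)
    policies = build_spd_policies("192.168.1.0/24", local_ip, "198.51.100.7")
    sys.stdout.write("\n".join(policies) + "\n")  # redirect to vpnsetup.txt, then: setkey -f vpnsetup.txt
```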
