I use Debian and Racoon to connect to a Cisco VPN Gateway. We have got two tunnels between the same endpoints. Somehow and sometimes, packets go to the wrong tunnel.
This is the log message from the remote Cisco system:
Aug 13 17:55:01 XXXXX %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x5CAAB58E, sequence number= 0x6) from MY_PUBLIC_IP_ADDRESS (user= MY_PUBLIC_IP_ADDRESS) to REMOTE_PUBLIC_IP_ADDRESS. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as REMOTE_INNER_HOST_PRIVATE_IP_2, its source as MY_INNER_HOST_PRIVATE_IP, and its protocol as icmp. The SA specifies its local proxy as REMOTE_INNER_HOST_PRIVATE_IP_1/255.255.255.255/ip/0 and its remote_proxy as MY_INNER_HOST_NETWORK/255.255.255.0/ip/0.
The message appeared when I tried to "ping" REMOTE_INNER_HOST_PRIVATE_IP_2 from MY_INNER_HOST_PRIVATE_IP. (I replaced the IP addresses.)
This is the output of setkey -D -P | grep REMOTE_INNER_HOST_PRIVATE_IP_1|2:
REMOTE_INNER_HOST_PRIVATE_IP_2[any] MY_INNER_HOST_NETWORK[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_2[any] MY_INNER_HOST_NETWORK[any] 255
MY_INNER_HOST_NETWORK[any] REMOTE_INNER_HOST_PRIVATE_IP_2[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_1[any] MY_INNER_HOST_NETWORK[any] 255
REMOTE_INNER_HOST_PRIVATE_IP_1[any] MY_INNER_HOST_NETWORK[any] 255
MY_INNER_HOST_NETWORK[any] REMOTE_INNER_HOST_PRIVATE_IP_1[any] 255
In my opinion, this shows that the /etc/ipsec-tools.conf file is read in successfully. Here is the relevant section of this file:
spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_1/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;
spdadd REMOTE_INNER_HOST_PRIVATE_IP_1/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;
spdadd MY_INNER_HOST_NETWORK/24 REMOTE_INNER_HOST_PRIVATE_IP_2/32 any -P out ipsec esp/tunnel/MY_PUBLIC_IP_ADDRESS-REMOTE_PUBLIC_IP_ADDRESS/require;
spdadd REMOTE_INNER_HOST_PRIVATE_IP_2/32 MY_INNER_HOST_NETWORK/24 any -P in ipsec esp/tunnel/REMOTE_PUBLIC_IP_ADDRESS-MY_PUBLIC_IP_ADDRESS/require;
Lastly, this is the relevant section from /etc/racoon/racoon.conf (there are no suspicious log rows in /var/log/racoon.log):
remote REMOTE_PUBLIC_IP_ADDRESS
{
    exchange_mode main;
    proposal_check obey;
    my_identifier address MY_PUBLIC_IP_ADDRESS;
    lifetime time 86400 sec;
    proposal
    {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 sec;
    }
}

sainfo address MY_INNER_HOST_NETWORK/24 any address REMOTE_INNER_HOST_PRIVATE_IP_1/32 any
{
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address MY_INNER_HOST_NETWORK/24 any address REMOTE_INNER_HOST_PRIVATE_IP_2/32 any
{
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Is there an identifier clash? What can I do to solve the situation? Thanks a lot!
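As an added diagnostic that is not part of the question, the following Python script parses the %ASA-4-402116 message quoted above, checks the decapsulated inner packet against the proxy selectors of the SA it arrived on, and looks up which of the two outbound spdadd policies that inner packet should have been sent under. The addresses are constructed stand-ins for the question's placeholders (MY_INNER_HOST_NETWORK = 10.1.0.0/24, REMOTE_INNER_HOST_PRIVATE_IP_1/2 = 192.168.50.1/.2).

```python
import ipaddress
import re
# Constructed sample of the %ASA-4-402116 line quoted in the question, with the
# question's placeholder addresses replaced by made-up documentation/RFC 1918 values.
SAMPLE_LOG = (
    "Aug 13 17:55:01 fw01 %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0x5CAAB58E, "
    "sequence number= 0x6) from 198.51.100.10 (user= 198.51.100.10) to 203.0.113.20. "
    "The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 192.168.50.2, its source as 10.1.0.7, and its protocol as icmp. "
    "The SA specifies its local proxy as 192.168.50.1/255.255.255.255/ip/0 and its remote_proxy as 10.1.0.0/255.255.255.0/ip/0."
)

# Outbound policies modelled on the question's two "-P out" spdadd lines (constructed values).
SPD_OUT = [
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("192.168.50.1/32")),
    (ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("192.168.50.2/32")),
]

_RE = re.compile(
    r"destination as ([\d.]+), its source as ([\d.]+), .*?local proxy as "
    r"([\d.]+)/([\d.]+)/\S+ and its remote_proxy as ([\d.]+)/([\d.]+)/\S+"
)

def parse_402116(line):
    """Extract the inner packet and the SA's proxy selectors from a 402116 message."""
    m = _RE.search(line)
    if not m:
        return None
    dst, src, lp, lpm, rp, rpm = m.groups()
    return {
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
        "local_proxy": ipaddress.ip_network(f"{lp}/{lpm}"),   # ASA's protected side
        "remote_proxy": ipaddress.ip_network(f"{rp}/{rpm}"),  # peer's protected side
    }

def selector_mismatch(rec):
    """List the SA selectors the inner packet violated (empty if it matched)."""
    bad = []
    if rec["dst"] not in rec["local_proxy"]:
        bad.append(f"dst {rec['dst']} not in local proxy {rec['local_proxy']}")
    if rec["src"] not in rec["remote_proxy"]:
        bad.append(f"src {rec['src']} not in remote proxy {rec['remote_proxy']}")
    return bad

def expected_policy(rec, spd):
    """Return the (src_net, dst_net) SPD entry the inner packet should have been sent under."""
    for src_net, dst_net in spd:
        if rec["src"] in src_net and rec["dst"] in dst_net:
            return src_net, dst_net
    return None
```

Run against the sample, `selector_mismatch` reports only the destination selector as violated (the source is inside the remote proxy network), and `expected_policy` returns the second spdadd entry, i.e. the packet belonged to the REMOTE_INNER_HOST_PRIVATE_IP_2 SA but was sent through the one negotiated for REMOTE_INNER_HOST_PRIVATE_IP_1.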