You are now ready to launch racoon and test the VPN tunnel. For debugging purposes, open the Firewall-1 Log Viewer and define a log filter to isolate entries pertaining to FreeBSD GW. You may also find it helpful to tail(1) the racoon log:
# tail -f /var/log/racoon.log
Start racoon using the following command:
# /usr/local/sbin/racoon -f /usr/local/etc/racoon/racoon.conf
Once racoon has been launched, telnet(1) to a host on the Firewall-1 protected network.
# telnet -s 192.168.10.3 199.208.192.66 22
This command attempts to connect to the ssh(1) port (22) on 199.208.192.66, a machine in the Firewall-1 protected network. The -s switch sets the source address of the outbound connection. This is particularly important when running NAT and IPFW on FreeBSD GW: without it the connection would originate from the gateway's own address, and natd would rewrite the packet before it was matched against the IPsec policy. Specifying an explicit source address that lies within the network covered by the tunnel policy (here 192.168.10.3) ensures the packet is selected for the tunnel rather than mangled by NAT prior to tunneling.
A successful racoon key exchange will output the following to the racoon.log log file:
pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message
IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2
Once key exchange completes (which takes a few seconds), an ssh(1) banner will appear. If all went well, two “Key Install” messages will be logged in the Firewall-1 Log Viewer.
Action        Source          Dest.           Info.
Key Install   216.218.197.2   208.229.100.6   IKE Log: Phase 1 (aggressive) completion.
Key Install   216.218.197.2   208.229.100.6   scheme: IKE methods
Under the information column, the full log detail will read:
IKE Log: Phase 1 (aggressive) completion. 3DES/MD5/Pre shared secrets Negotiation Id:
scheme: IKE methods: Combined ESP: 3DES + MD5 + PFS (phase 2 completion) for host:
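As an added check that is not part of the original article, the following POSIX sh function reads racoon.log and confirms that the ESP tunnel came up in both directions, since the log excerpt above shows one IPsec-SA line per direction and a tunnel with only one of them will not carry traffic. The function name, the temporary file handling and the sample log (the four lines quoted above, written to a scratch file) are this example's own; the public addresses are the ones used throughout the article.

```shell
#!/bin/sh
# Added example (not from the article): verify from racoon.log that racoon
# installed an ESP tunnel SA in BOTH directions between the FreeBSD GW public
# address (LOCAL) and the Firewall-1 public address (REMOTE).
#
# Usage: tunnel_up /var/log/racoon.log 216.218.197.2 208.229.100.6
# Exit status: 0 both SAs present, 1 one or both missing, 2 log unreadable.
tunnel_up() {
    tu_log=$1
    tu_local=$2
    tu_remote=$3

    [ -r "$tu_log" ] || { echo "cannot read $tu_log" >&2; return 2; }

    # racoon writes "IPSec-SA established" in pk_recvupdate() and
    # "IPsec-SA established" for the pfkey ADD message, so match the
    # text case-insensitively. -F keeps the dots in the addresses literal;
    # "|| true" keeps a zero count from aborting callers that use set -e.
    tu_out=$(grep -ciF "IPsec-SA established: ESP/Tunnel ${tu_local}->${tu_remote}" "$tu_log" || true)
    tu_in=$(grep -ciF "IPsec-SA established: ESP/Tunnel ${tu_remote}->${tu_local}" "$tu_log" || true)

    if [ "$tu_out" -gt 0 ] && [ "$tu_in" -gt 0 ]; then
        echo "tunnel up: outbound SA ${tu_local}->${tu_remote} and inbound SA ${tu_remote}->${tu_local} present"
        return 0
    fi
    [ "$tu_out" -eq 0 ] && echo "missing outbound SA ${tu_local}->${tu_remote}" >&2
    [ "$tu_in" -eq 0 ] && echo "missing inbound SA ${tu_remote}->${tu_local}" >&2
    return 1
}

# Constructed sample log: the four racoon.log lines quoted in the article,
# written to the file given as $1 so the check can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
pfkey UPDATE succeeded: ESP/Tunnel 216.218.197.2->208.229.100.6
pk_recvupdate(): IPSec-SA established: ESP/Tunnel 216.218.197.2->208.229.100.6
get pfkey ADD message
IPsec-SA established: ESP/Tunnel 208.229.100.6->216.218.197.2
EOF
}

# Stand-alone demonstration against the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
tunnel_up "$demo_log" 216.218.197.2 208.229.100.6
rm -f "$demo_log"
```

On a live system run it against /var/log/racoon.log after the telnet(1) probe; a "missing inbound SA" result points at the Firewall-1 side of the phase 2 negotiation, while "missing outbound SA" means racoon never got past phase 1. The log check is only a proxy for kernel state, so confirm independently on FreeBSD GW with setkey -D, which dumps the security association database and should list the same two ESP/Tunnel entries.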