Questions[racoon](server)

We swapped to ASA's over the weekend, and we replaced our VPN infrastructure which was previously based on openvpn and are now using IPSec between our ASA 5520's and our other sites that have linux (CentOS) routers.

The VPNs connect just fine, but after a period of time the connections fail. On the ASA, it shows no ipsec SA's for the peer, but it does show an isakmp sa still active. If I clear the SA's on both sides of the connection, the VPN will come back up again.

I'm assuming the problem is a rekeying issue, but it appears like all of the proposals have the same key lifetimes (shown below). Any thoughts on what could be the problem?

NOTE -- I've obfuscated the ip addresses from these captures; I have a suspicion something's wrong with my proposal so the IPs shouldn't be relevant. Assume all IPs are placeholders.

ASA show run crypto

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto map vpnmap 10 match address colo1_to_hq_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 1.1.1.1
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address colo1_to_colo2_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface OUTSIDE
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

ASA show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85905
2   IKE Peer: y.y.y.y
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85976

ASA show crypto ipsec sa

peer address: x.x.x.x
    Crypto map tag: vpnmap, seq num: 10, local addr: y.y.y.y

      access-list peer1_to_hq_vpn extended permit ip z.z.z.z 255.255.0.0 t.t.t.t 255.255.0.0
      local ident (addr/mask/prot/port): (9.9.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (8.8.0.0/255.255.0.0/0/0)
      current_peer: 38.104.67.142

      #pkts encaps: 4714, #pkts encrypt: 4714, #pkts digest: 4714
      #pkts decaps: 4672, #pkts decrypt: 4672, #pkts verify: 4672
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4714, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 06596006
      current inbound spi : 55EC97A1

    inbound esp sas:
      spi: 0x55EC97A1 (1441568673)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 204800, crypto-map: vpnmap
         sa timing: remaining key lifetime (sec): 85731
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xBFFFFFFF
    outbound esp sas:
      spi: 0x06596006 (106520582)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 204800, crypto-map: vpnmap
         sa timing: remaining key lifetime (sec): 85731
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

CentOS IPSec config:

TYPE=IPSEC
ONBOOT=YES
IKE_METHOD=PSK
SRCGW=1.1.1.1
DSTGW=2.2.2.2
SRCNET=1.1.1.1/16
DSTNET=2.2.2.2/16
DST=64.34.119.71
AH_PROTO=none

racoon config:

sainfo anonymous
{
        pfs_group 2;
        lifetime time 24 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
remote 1.2.3.4
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

Relevant SAD/SPD entries:

64.34.119.71 38.104.67.142
        esp mode=tunnel spi=106520582(0x06596006) reqid=0(0x00000000)
        E: 3des-cbc  8973cb22 ce1ab25c c4a4427c aac0c857 06917359 9b88e01e
        A: hmac-sha1  3655fb9b e6882226 829f2214 0b22ec27 8155587b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 16 11:30:43 2012   current: Apr 16 11:36:58 2012
        diff: 375(s)    hard: 86400(s)  soft: 69120(s)
        last: Apr 16 11:30:43 2012      hard: 0(s)      soft: 0(s)
        current: 898519(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2749 hard: 0 soft: 0
        sadb_seq=3 pid=12574 refcnt=0
38.104.67.142 64.34.119.71
        esp mode=tunnel spi=1441568673(0x55ec97a1) reqid=0(0x00000000)
        E: 3des-cbc  0f5bdfdc 23b140f8 4636326f f194fa0d 6a919f28 a6974b5f
        A: hmac-sha1  586e3bf7 794960e1 e9da8707 5863e94d e88e0a11
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 16 11:30:43 2012   current: Apr 16 11:36:58 2012
        diff: 375(s)    hard: 86400(s)  soft: 69120(s)
        last: Apr 16 11:30:43 2012      hard: 0(s)      soft: 0(s)
        current: 645624(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2764 hard: 0 soft: 0
        sadb_seq=0 pid=12574 refcnt=0

1.1.0.0/16[any] 2.2.0.0/16[any] any
        in prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=12784 seq=59 pid=12583
        refcnt=1

2.2.0.0/16[any] 1.1.0.0/16[any] any
        out prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused: Apr 16 11:37:59 2012
        lifetime: 0(s) validtime: 0(s)
        spid=12777 seq=57 pid=12583
        refcnt=402

1.1.0.0/16[any] 2.2.0.0/16[any] any
        fwd prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused: Apr 16 11:37:59 2012
        lifetime: 0(s) validtime: 0(s)
        spid=12794 seq=55 pid=12583
        refcnt=54

• I'm able to connect successfully from a laptop to my server using Openvpn.
• I have ipv4 forwarding and NAT enabled on the server.
• I can access the web, etc.

But the server also has a S2S VPN with Racoon enabled. When I SSH to my server and then 'telnet 80' to the racoon-connected-server it works perfect.

But when I connect from the laptop (which comes over Openvpn) to one of the IPs in the Racoon S2S VPN subnet, it fails.

Any ideas how to setup Racoon together with Openvpn?

I am working on an IPSec VPN solution allowing iPhones / iPads to connect to a Linux server running Gentoo. I have been able to get the VPN functioning as expected using PSK authentication (PSK + Login + Password), but I am having trouble getting the VPN working with certificate authentication (Certificate + Login + Password). I am running only Racoon (IPSEC), without l2tp.

When I try to connect from the iPhone, it sometimes succeeds (rarely, I can't find a pattern as to when). Most of the time, the iPhone fails to connect with "Negotiation with the VPN server failed."

The certifications are generated with easy-rsa (installed with openvpn). As follows:

build-key-server ipsec-server
build-key --pkcs11 mgorbach_mobile_iPhone

Am I missing something with my setup?

path certificate "/etc/racoon/ssl";                                   

remote anonymous {                                                    
    exchange_mode main,aggressive;                                    
    ca_type x509 "ca.crt";                                            
    certificate_type x509 "ipsec_server.crt" "ipsec_server.key";      
    proposal_check claim;                                             
    generate_policy on;                                               
    verify_cert off;                                                  
    nat_traversal on;                                                 
    dpd_delay 20;                                                     
    mode_cfg on;                                                      
    ike_frag on;                                                      
    passive on;                                                       
    my_identifier asn1dn;                                             
    script "/etc/racoon/phase1-up.sh" phase1_up;                      
    script "/etc/racoon/phase1-down.sh" phase1_down;                  
    proposal {                                                        
        encryption_algorithm aes 256;                                 
        hash_algorithm sha1;                                          
        authentication_method xauth_rsa_server;                       
        dh_group 5;                                                   
        lifetime time 3600 sec;                                       
    }                                                                 
}                                                                     

mode_cfg {                                                            
    conf_source local;                                                
    network4 10.0.8.1;                                                
    netmask4 255.255.255.0;                                           
    pool_size 10;                                                     
    auth_source system;                                               
    save_passwd off;                                                  
    split_network include 172.16.1.0/24;                              
    pfs_group 2;                                                      
}                                                                     

sainfo anonymous {                                                    
    pfs_group 5;                                                      
    lifetime time 3600 sec;                                           
    encryption_algorithm aes 256;                                     
    authentication_algorithm hmac_sha1;                               
    compression_algorithm deflate;                                    
}

Logs from Server in the failure case:

2012-02-14 20:41:19: INFO: 172.16.1.102[500] used for NAT-T  
2012-02-14 20:41:19: INFO: 172.16.1.102[500] used as isakmp port (fd=11)  
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used for NAT-T  
2012-02-14 20:41:19: INFO: 172.16.1.102[4500] used as isakmp port (fd=12)  
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[500] used as isakmp port (fd=13)  
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%eth2[4500] used as isakmp port (fd=14)  
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[500] used as isakmp port (fd=15)  
2012-02-14 20:41:19: INFO: fe80::20e:c6ff:fe89:24a6%br0[4500] used as isakmp port (fd=16)  
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[500] used as isakmp port (fd=17)  
2012-02-14 20:41:19: INFO: fe80::459:22ff:fe33:495e%tap0[4500] used as isakmp port (fd=18)  
2012-02-14 20:41:56: INFO: respond new phase 1 negotiation: 172.16.1.102[500]  <=>174.252.45.42[5331]  
2012-02-14 20:41:56: INFO: begin Identity Protection mode.  
2012-02-14 20:41:56: INFO: received Vendor ID: RFC 3947  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
2012-02-14 20:41:56: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt  
2012-02-14 20:41:56: INFO: received Vendor ID: CISCO-UNITY  
2012-02-14 20:41:56: INFO: received Vendor ID: DPD  
2012-02-14 20:41:56: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947  
2012-02-14 20:41:56: INFO: Adding xauth VID payload.  
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2  
2012-02-14 20:41:56: INFO: NAT-D payload #0 doesn't match  
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2  
2012-02-14 20:41:56: INFO: NAT-D payload #1 doesn't match  
2012-02-14 20:41:56: INFO: NAT detected: ME PEER  
2012-02-14 20:41:56: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2  
2012-02-14 20:41:56: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2  
2012-02-14 20:41:56: INFO: Adding remote and local NAT-D payloads.  
2012-02-14 20:41:58: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]  
2012-02-14 20:41:58: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]  
2012-02-14 20:41:58: WARNING: CERT validation disabled by configuration  
2012-02-14 20:41:58: INFO: Sending Xauth request  
2012-02-14 20:41:58: [174.252.45.42] INFO: received INITIAL-CONTACT  
2012-02-14 20:41:58: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9  
2012-02-14 20:41:58: INFO: Using port 0  
2012-02-14 20:41:58: INFO: login succeeded for user "mgorbach"  
2012-02-14 20:41:58: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY  
2012-02-14 20:41:58: ERROR: Cannot open "/etc/motd"  
2012-02-14 20:41:58: WARNING: Ignored attribute 28683  
2012-02-14 20:41:58: INFO: unsupported PF_KEY message REGISTER  
2012-02-14 20:41:59: INFO: purging ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.  
2012-02-14 20:41:59: INFO: purged ISAKMP-SA spi=732afbfe416c3732:452dbadff1dceda9:00007bb0.  
2012-02-14 20:41:59: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:732afbfe416c3732:452dbadff1dceda9  
2012-02-14 20:41:59: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]  
2012-02-14 20:41:59: INFO: Released port 0  
2012-02-14 20:41:59: INFO: unsupported PF_KEY message REGISTER  
2012-02-14 20:41:59: INFO: respond new phase 1 negotiation: 172.16.1.102[500]<=>174.252.45.42[5331]  
2012-02-14 20:41:59: INFO: begin Identity Protection mode.  
2012-02-14 20:41:59: INFO: received Vendor ID: RFC 3947  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
2012-02-14 20:41:59: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt  
2012-02-14 20:41:59: INFO: received Vendor ID: CISCO-UNITY  
2012-02-14 20:41:59: INFO: received Vendor ID: DPD  
2012-02-14 20:41:59: [174.252.45.42] INFO: Selected NAT-T version: RFC 3947  
2012-02-14 20:41:59: INFO: Adding xauth VID payload.  
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2  
2012-02-14 20:41:59: INFO: NAT-D payload #0 doesn't match  
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2  
2012-02-14 20:41:59: INFO: NAT-D payload #1 doesn't match  
2012-02-14 20:41:59: INFO: NAT detected: ME PEER  
2012-02-14 20:41:59: [174.252.45.42] INFO: Hashing 174.252.45.42[5331] with algo #2  
2012-02-14 20:41:59: [172.16.1.102] INFO: Hashing 172.16.1.102[500] with algo #2  
2012-02-14 20:41:59: INFO: Adding remote and local NAT-D payloads.  
2012-02-14 20:42:01: INFO: NAT-T: ports changed to: 174.252.45.42[5335]<->172.16.1.102[4500]  
2012-02-14 20:42:01: INFO: KA list add: 172.16.1.102[4500]->174.252.45.42[5335]  
2012-02-14 20:42:01: WARNING: CERT validation disabled by configuration  
2012-02-14 20:42:01: INFO: Sending Xauth request  
2012-02-14 20:42:01: [174.252.45.42] INFO: received INITIAL-CONTACT  
2012-02-14 20:42:01: INFO: ISAKMP-SA established 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8  
2012-02-14 20:42:16: INFO: purging ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.  
2012-02-14 20:42:16: INFO: purged ISAKMP-SA spi=d5a612eed1d76757:ea9806655c9c96c8.  
2012-02-14 20:42:16: INFO: ISAKMP-SA deleted 172.16.1.102[4500]-174.252.45.42[5335] spi:d5a612eed1d76757:ea9806655c9c96c8  
2012-02-14 20:42:16: INFO: KA remove: 172.16.1.102[4500]->174.252.45.42[5335]  
2012-02-14 20:42:16: INFO: unsupported PF_KEY message REGISTER  

I have configured two Linux boxes so they automatically use a transport-level IPSec connection whenever they need to communicate. The configuration is based on Racoon with X509 authentication and the bundle_complex option set to on, as well as policies that require both ESP and AH between the two boxes.

While the configuration works, generally speaking, the first few packets are always lost, e.g.:

$ ping -c 3 A.B.C.D
PING A.B.C.D (A.B.C.D) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from A.B.C.D: icmp_req=3 ttl=64 time=0.497 ms

Is there any way to prevent this, for example by "delaying" the packets until the IPSec transport has been negotiated?

I pay for a VPS from a Xen VPS host and the load on it is fairly light, so I'd like to run a VPN off of it. The configuration I'm shooting for is "roadwarrior"-style, as I'd like to use it to secure connections from my iPhone and Mac when I'm not at home. Keep in mind that I'm a programmer, not a sysadmin, so this is all fairly foreign to me.

After failing to get a StrongSWAN/PPP/xL2TP setup working, I came across racoon which seems to be a very simple option. I'm trying to avoid the use of certificates because the process of getting certs onto an iOS device is probably annoying (just a guess). Thus, I've configured racoon on the VPS so that I can connect to it successfully and authenticate via XAUTH backed by the system user database. That all seems to be working, it's the NAT/networking stuff that isn't working, and I'm completely out of my element with it.

My VPS is running Ubuntu 10.10. I get the following output from ifconfig (I'm guessing it might be relevant):

eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29  
          inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Here is my racoon configuration file:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
        natt_keepalive 10sec;
}

remote anonymous {
        exchange_mode main, aggressive, base;
        doi ipsec_doi;
        situation identity_only;
        nat_traversal on;
        script "/etc/racoon/phase1-up.sh" phase1_up;
        script "/etc/racoon/phase1-down.sh" phase1_down;
        generate_policy on;
        ike_frag on;
        passive on;
        my_identifier address 69.172.231.11;
        peers_identifier fqdn "zcr.me";
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
        proposal_check claim;
}


sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

mode_cfg {
        auth_source system;
        save_passwd on;
        network4 10.1.0.0;
        pool_size 100;
}

That configuration has been pieced together from various tutorials around the 'net, so it may be...strange. When I connect to the VPN, the following output is received on the client side:

4/12/11 2:21:43 PM  racoon[191] Connecting.
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (MODE-Config).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/12/11 2:22:03 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Information-Notice: transmit success. (R-U-THERE?).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: receive success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

The same connection generates the following output on the server side:

Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found, try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy, deleting it.
Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name

I think part of the problem might be stemming from the phase1up and phase1down scripts.

phase1-up.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any
        -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any
        -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c

phase1-down.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;

spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any
        -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete  ${INTERNAL_ADDR4}[any] 192.168.1.0/24 [any] any
        -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

All of this happens and the client says it is connected successfully with the IP address 10.1.0.0. At that point, any attempt to connect to the internet fails instantly. And that's the problem.

Edit: Here is a bit more diagnostic information.

When I am connected to the VPN, a ping to the public IP address of the VPS is successful. However, ping to 8.8.8.8 (the DNS server that the VPN is set to use by default) gives a timeout. Thus, no hostnames can be resolved at all.

Second edit:

» route -nv      
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0

» iptables -L -nv
Chain INPUT (policy ACCEPT 49270 packets, 6376K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42570 packets, 8573K bytes)
 pkts bytes target     prot opt in     out     source               destination