NetBSD-Users archive
Simple IPSEC client with certificate - phase 1 time out
Hi,
I want to set up an IPSEC client to connect to my office's Lancom router. I
was provided with the following details:
- Main mode IKEv1
- DH group 2 (1024 bit)
- PFS group 2 (1024 bit)
- phase 1: IKE AES128, MD5
- phase 2: IPSec AES128, MD5
- phase 2 tunnel mode ESP
- remote network 192.168.0.0/24, configuring with ISAKMP mode config
- supports NAT-T UDP port 4500
- using x509 certificate/key
I got a PKCS12 archive, from which I extracted my client certificate/key and the
CA certificate.
# openssl pkcs12 -cacerts -nokeys -in vpnclient15.p12 -out ca.crt
# openssl pkcs12 -clcerts -nokeys -in vpnclient15.p12 -out arwen.wpsd.lcl.crt
# openssl pkcs12 -nocerts -in vpnclient15.p12 -out arwen.rsa
# openssl rsa -in arwen.rsa -out arwen.wpsd.lcl.key
After a lot of reading I came up with the following racoon.conf for the task
(remote address of the Lancom replaced by 1.2.3.4 here):
---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug2;

#timer
#{
#    natt_keepalive 15 seconds;
#}

remote 1.2.3.4
{
    #exchange_mode main,aggressive,base;
    exchange_mode main,base;
    #my_identifier fqdn "arwen.wpsd.lcl";
    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;
    certificate_type x509 "arwen.wpsd.lcl.crt" "arwen.wpsd.lcl.key";
    ca_type x509 "ca.crt";
    #initial_contact off;
    mode_cfg on;            # ISAKMP mode config
    dpd_delay 20;           # dead peer detection (alive check)
    nat_traversal on;       # force
    #ike_frag on;
    #esp_frag 552;
    #script "phase1-up.sh" phase1_up;
    #script "phase1-down.sh" phase1_down;
    script "test.sh" phase1_up;
    script "test.sh" phase1_down;
    lifetime time 8 hour;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        #authentication_method rsasig;
        dh_group 2;
    }

    # this configuration can make racoon (as a responder)
    # obey the initiator's lifetime and PFS group proposal,
    # by setting proposal_check to obey.
    # this would make testing "so much easier", but is really
    # *not* secure !!!
    #proposal_check strict;
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---
Are there any serious problems left in it?
I'm testing on a Soekris router running NetBSD 6.1.5, with IPSEC,
IPSEC_ESP and IPSEC_NAT_T enabled in the kernel. It has a WAN interface, so
NAT-T is not really needed for now.
Unfortunately after starting Racoon
# /etc/rc.d/racoon onestart
and the VPN connection
# racoonctl vc 1.2.3.4
...it fails very early:
Feb 25 17:23:38 arwen racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net)
Feb 25 17:23:38 arwen racoon: INFO: @(#)This product linked OpenSSL 1.0.1i 6 Aug 2014 (http://www.openssl.org/)
Feb 25 17:23:38 arwen racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used as isakmp port (fd=8)
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used as isakmp port (fd=9)
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used as isakmp port (fd=12)
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used as isakmp port (fd=13)
Feb 25 17:24:08 arwen racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4
Feb 25 17:24:08 arwen racoon: INFO: initiate new phase 1 negotiation: 91.56.242.176[4500]<=>1.2.3.4[500]
Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode.
Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to time up. 05349d3fe352e138:0000000000000000
---8<---
arwen# tcpdump -i pppoe0 host 212.62.95.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type PPP_ETHER (PPPoE), capture size 65535 bytes
17:24:08.847578 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:08.884661 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:08.885322 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:18.906170 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:18.943086 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:18.943549 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:28.966408 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:29.005141 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:29.005186 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.027346 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:39.064511 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.066388 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:49.126577 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:49.163077 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:49.163787 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
Regards,
--
Frank Wille
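A small capture-triage helper, added here as an example and not part of Frank's post or of ipsec-tools: it parses tcpdump lines of the shape shown in the post and reports which source/destination port pair the initiator used, how many ICMP port-unreachable and informational packets the peer sent back, and whether a Main Mode responder message ever arrived. The failing sample is constructed from two rounds of the capture above; the healthy sample and the `R ident` marker (tcpdump's rendering of a responder Main Mode message) are assumptions for contrast.

```python
import re
from collections import Counter
# Constructed sample, copied in shape from the capture in the post (two of the five rounds).
FAILING_CAPTURE = """\
17:24:08.847578 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:08.884661 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:08.885322 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:18.906170 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:18.943086 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:18.943549 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
"""
# Constructed contrast: the first Main Mode round trip when the responder takes part (assumed tcpdump rendering).
HEALTHY_CAPTURE = """\
17:30:00.000000 IP 91.56.242.176.isakmp > 212.62.95.76.isakmp: isakmp: phase 1 I ident
17:30:00.050000 IP 212.62.95.76.isakmp > 91.56.242.176.isakmp: isakmp: phase 1 R ident
"""
# One tcpdump packet line, with or without the PPPoE session prefix; banner lines do not match.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?:PPPoE \[ses 0x[0-9a-f]+\] )?"
                     r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
def split_host_port(endpoint):
    # 'a.b.c.d.isakmp' -> ('a.b.c.d', 'isakmp'); a bare IPv4 address (ICMP lines) has no port.
    if endpoint.count(".") == 3:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port
def parse_capture(text):
    # One dict per packet line: sender, ports, and tcpdump's decode of the payload.
    packets = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        packets.append({"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "icmp": m["rest"].startswith("ICMP"), "info": m["rest"]})
    return packets
def analyze_phase1(text, initiator, responder):
    # Did the responder ever answer with a Main Mode (ident) message, and what came back instead?
    pk = parse_capture(text)
    sent = [p for p in pk if p["src"] == initiator and not p["icmp"]]
    back = [p for p in pk if p["src"] == responder]
    ident = sum(not p["icmp"] and re.search(r"\bR ident\b", p["info"]) is not None for p in back)
    return {
        "sent": len(sent),
        "port_pairs": dict(Counter((p["sport"], p["dport"]) for p in sent)),
        "unreachable": sum(p["icmp"] and "port isakmp unreachable" in p["info"] for p in back),
        "informational": sum(not p["icmp"] and re.search(r"\binf\b", p["info"]) is not None for p in back),
        "ident_replies": ident,
        "verdict": "responder answered Main Mode" if ident
                   else "no Main Mode reply from responder: phase 1 cannot complete",
    }
```

Run against the failing sample it shows every initiator packet leaving from ipsec-nat-t (4500) towards isakmp (500) and only ICMP unreachable plus informational traffic coming back, which is the pattern behind the "time up" error in the racoon log.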