NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



On 25.02.16 18:52:52 I wrote:

> and the VPN connection
> # racoonctl vc 1.2.3.4
>
> ...it fails very early:
>
> [...]
> Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. 
> Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to
> time up. 05349d3fe352e138:0000000000000000

Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
turned out to be a bad "authentication_method" in my proposal:

Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. 

I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
completely sure about the difference. I have a signed certificate and don't
want to use any username or password authentication with xauth, so "rsasig"
is probably ok...?


Now I reach phase 2 and it looks to me that the VPN connection is
established for a second, but a few seconds later I get "DPD: remote seems
to be dead". No idea at the moment.

Do I have to worry about "WARNING: unable to get certificate CRL(3)" ?

What does "KA" mean?

---8<---
Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port
(fd=7) 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp
port (fd=8) 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=9) 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port
(fd=10) 
Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish
IKE-SA: 1.2.3.4 
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation:
192.168.1.5[500]<=>1.2.3.4[500] 
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode. 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02  
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version:
RFC 3947 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D
payloads. 
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified 
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME  
Feb 25 22:31:35 powerbook racoon: INFO: KA list add:
192.168.1.5[4500]->1.2.3.4[4500] 
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA 
Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT 
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established
192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd 
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead. 
Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd. 
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd. 
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted
192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd 
Feb 25 22:32:42 powerbook racoon: INFO: KA remove:
192.168.1.5[4500]->1.2.3.4[4500] 
---8<---

-- 
Frank Wille
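The racoon log excerpt in the post lends itself to a small triage script. The following is an added example, not code from the post or from ipsec-tools, that parses racoon syslog lines into an IKE event list and flags the conditions the poster ran into: NO-PROPOSAL-CHOSEN (the peer rejected the phase 1 proposal, which is what the wrong authentication_method produced), the "unable to get certificate CRL" warnings (no CRL was available for a certificate in the chain, so revocation was not checked), NAT detection together with the "KA" entries (racoon's NAT-T keepalive list, which keeps the NAT mapping on UDP 4500 open), and the DPD "remote seems to be dead" purge, for which it computes how long the ISAKMP-SA lived. The sample lines are constructed from the ones quoted above, re-joined onto single lines because the archive wrapped them; the function names and the event table are mine.

```python
import re
from datetime import datetime

# Constructed sample input: racoon syslog lines modelled on the ones quoted in
# the post, re-joined onto single lines (the archive wrapped them).
SAMPLE_LOG = """\
Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500]
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/O=WPS/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500]
"""

# Syslog timestamp, host, optional "[peer]" tag, log level, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>INFO|WARNING|ERROR|DEBUG|NOTIFY): (?P<msg>.*)$"
)

# (event kind, pattern over the message, meaning for the operator).
# Patterns follow racoon's message strings as they appear in the post.
EVENTS = [
    ("no_proposal", re.compile(r"NO-PROPOSAL-CHOSEN"),
     "peer rejected the phase 1 proposal: check authentication_method, algorithms, dh_group"),
    ("phase1_timeout", re.compile(r"phase1 negotiation failed due to time up"),
     "phase 1 timed out without a usable answer from the peer"),
    ("nat_detected", re.compile(r"NAT detected: (\S+)"),
     "NAT-T in use; IKE and ESP move to UDP 4500"),
    ("ka_add", re.compile(r"KA list add: (\S+)"),
     "NAT-T keepalive (KA) entry added to keep the NAT mapping open"),
    ("crl_missing", re.compile(r"unable to get certificate CRL\(\d+\) at depth:(\d+)"),
     "no CRL available for a chain certificate, so revocation was not checked"),
    ("sa_established", re.compile(r"ISAKMP-SA established .* spi:(\S+)"),
     "phase 1 complete"),
    ("dpd_dead", re.compile(r"DPD: remote .* seems to be dead"),
     "peer stopped answering DPD probes; racoon purges the SA"),
    ("sa_deleted", re.compile(r"ISAKMP-SA deleted"), "phase 1 SA removed"),
]


def parse_log(text):
    """Return the interesting events as dicts: ts, kind, regex groups, level, note."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; the 1900 default is fine for time differences.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        for kind, pat, note in EVENTS:
            hit = pat.search(m.group("msg"))
            if hit:
                events.append({"ts": ts, "kind": kind, "match": hit.groups(),
                               "level": m.group("level"), "note": note})
                break
    return events


def summarize(events):
    """Condense the event list into the facts a triage needs."""
    by_kind = {}
    for ev in events:
        by_kind.setdefault(ev["kind"], []).append(ev)
    summary = {
        "proposal_rejected": "no_proposal" in by_kind,
        "phase1_timeout": "phase1_timeout" in by_kind,
        "nat_side": by_kind["nat_detected"][0]["match"][0] if "nat_detected" in by_kind else None,
        "crl_warnings": len(by_kind.get("crl_missing", [])),
        "dpd_dead": "dpd_dead" in by_kind,
        "sa_lifetime_s": None,
    }
    if "sa_established" in by_kind:
        start = by_kind["sa_established"][-1]["ts"]
        # The SA ends at the DPD verdict if there was one, otherwise at explicit deletion.
        end_kind = "dpd_dead" if "dpd_dead" in by_kind else "sa_deleted"
        if end_kind in by_kind:
            summary["sa_lifetime_s"] = int((by_kind[end_kind][-1]["ts"] - start).total_seconds())
    return summary


def diagnose(summary):
    """Human-readable findings derived from the summary."""
    findings = []
    if summary["proposal_rejected"]:
        findings.append("phase 1 proposal rejected by peer (NO-PROPOSAL-CHOSEN)")
    if summary["phase1_timeout"]:
        findings.append("phase 1 timed out; raise racoon's log level to see the peer's notification")
    if summary["nat_side"]:
        findings.append("NAT detected on side '%s'; NAT-T keepalives expected" % summary["nat_side"])
    if summary["crl_warnings"]:
        findings.append("%d certificate(s) had no reachable CRL; revocation unchecked" % summary["crl_warnings"])
    if summary["dpd_dead"]:
        findings.append("SA declared dead by DPD after %s s; check dpd_delay/dpd_retry and whether UDP 4500 "
                        "replies get back through the NAT" % summary["sa_lifetime_s"])
    return findings
```

Run on the sample, `summarize(parse_log(SAMPLE_LOG))` reports the proposal rejection from the earlier attempt, NAT on the local side, two CRL warnings and an ISAKMP-SA that lived 66 seconds before DPD declared the peer dead; `diagnose()` turns that into four findings. The CRL warning only matters if you rely on revocation checking for the peer's certificate: racoon still completed phase 1, so it is a revocation gap rather than the cause of the DPD failure.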


