NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



On Fri, Feb 26, 2016 at 11:21:09AM +0100, Frank Wille wrote:
> 
> > Would be really nice if there was an IPSEC secret decoder ring for
> > device compatibility/setup.
> 
> Indeed. Over the last days I was surprised that there is so little information
> about IPSEC configuration on the net (especially with signed certificates),
> although the same Racoon software is used in all BSDs, Linux, Android and
> Mac OSX ... :|
> 

It would be nice, but ipsec is such a hairy beast, and things can change
between firmware versions of the same device, which makes it difficult.

Once upon a time I did manage to get hybrid xauth working using a NetBSD
server and windows clients, so certificates did work for me.  IIRC,
looping in phase 1 means both ends cannot agree on an authentication
method or the credentials presented are not correct.  Try increasing the
debug level on racoon and see what it is offering to the remote end, and
see if that matches what you expect.  If you have control over the other
end then try simplifying things by using a pre-shared key (PSK) method
of authentication, get that working first and then move on to
certificates after.  That way you can start from a known working setup
and focus on certificate problems.

Debugging ipsec is quite awful to do; you don't get a lot of logging, and
what you do get can be downright confusing.

-- 
Brett Lymn
Let go, or be dragged - Zen proverb.
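
As an added illustration of the approach described above (this is example
config written for this archive page, not part of Brett's message and not
taken from the NetBSD or ipsec-tools projects), here is a racoon.conf
fragment that raises the log level and puts the pre-shared-key phase 1
stanza next to the certificate (rsasig) one. The peer address 192.0.2.1,
the file names, the paths and the chosen algorithms are placeholders for
the example; substitute your own, and keep only one remote block for a
given peer active at a time.

```conf
# Constructed example for illustration, not from the original post.
# Peer address, file names, paths and algorithms are placeholders.
path pre_shared_key "/etc/racoon/psk.txt";   # lines of "<peer-address> <secret>", keep mode 0600
path certificate    "/etc/racoon/certs";      # directory holding the files named below

# Step 1: make racoon say what it proposes and why it rejects the peer.
# Accepted levels are notify, debug and debug2; go back to notify once it works.
log debug2;

# Step 2a: get phase 1 up with a pre-shared key first.  If this does not
# complete, the problem is in the proposal or on the peer, not in certificates.
remote 192.0.2.1 {
        exchange_mode main;
        my_identifier address;
        proposal_check obey;          # fine while debugging; tighten to strict afterwards
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Step 2b: once PSK works, replace the block above with this one.  The only
# deliberate differences are the authentication method and the identity and
# certificate settings, so a new failure points at the certificate setup.
# remote 192.0.2.1 {
#         exchange_mode main;
#         certificate_type x509 "host.crt" "host.key";   # relative to "path certificate"
#         ca_type x509 "ca.crt";
#         my_identifier asn1dn;          # send our certificate subject as the ID
#         peers_identifier asn1dn;       # expect the peer's certificate subject as its ID
#         verify_cert on;                # check the peer certificate against the CA
#         verify_identifier on;          # and check the claimed ID against that certificate
#         proposal_check obey;
#         proposal {
#                 encryption_algorithm aes;
#                 hash_algorithm sha1;
#                 authentication_method rsasig;   # hybrid_rsa_server for xauth road warriors
#                 dh_group modp1024;
#         }
# }

# Phase 2 is identical in both setups, so it can be ruled out while phase 1 loops.
sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Running racoon in the foreground (racoon -F -f /etc/racoon/racoon.conf,
optionally with one or more -d flags, which raise the debug level further)
puts the phase 1 proposal and the peer's response on the terminal, which is
the quickest way to see whether the two ends actually agree on the
authentication method. The two settings worth keeping after debugging are
verify_cert and verify_identifier: without the second, racoon checks that
the peer holds a certificate signed by the CA but not that the identity it
claims matches that certificate.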

