NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



Brett Lymn wrote:

On 28.02.16 10:18:13 you wrote:

> Once upon a time I did manage to get hybrid xauth working using a
> NetBSD server and windows clients, so certificates did work for me.

I don't even need hybrid or xauth. Just a plain signed certificate on both
sides. A simple "road-warrior" client. Until now I have found no example
configurations for this case.


>  IIRC, looping in phase 1 means both ends cannot agree on an
> authentication method or the credentials presented are not correct.

Yes. But phase 1 is definitely ok in my case. I now have access to the
VPN-status log of my office's Lancom router and it accepted everything:

[VPN-Status] 2016/02/29 12:31:52,304
IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id
CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052,
responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052
IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie:
0x2e8dc875b4e07c26
IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote
side is  behind a nat
IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc
authentication MD5
IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec


But after 30 seconds and a few Phase 2 Inf messages it just says:

[VPN-Status] 2016/02/29 12:32:22,284
VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response

[VPN-Status] 2016/02/29 12:32:22,284
VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90
(91.56.236.148)


> Try increasing the debug level on raccoon and see what it is offering
> to the remote end and see if that matches what you expect.

I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf
and starting the racoon daemon with -dddd. I don't get any more information
out of it.


>  If you have
> control over the other end then try simplifying things by using a
> pre-shared key (PSK) method of authentication

Unfortunately that's not possible. I cannot change the configuration of my
office's router, because it will break the working VPN connection of all
Windows notebooks.

Thanks,

-- 
Frank Wille
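For readers who, like the poster, cannot find a sample configuration for this case: the racoon.conf and SPD policy below are an added example, not Frank Wille's configuration or anything posted in this thread. Every address, network and file name in it is a placeholder. The phase-1 parameters (main mode, AES, MD5, RSA signatures, NAT-T, ASN.1 DN identifiers, 28800 s lifetime) are copied from what the router log above reports it accepted; the phase-2 parameters in the sainfo block are an assumption and must be matched to what the router actually proposes.

```conf
# /etc/racoon/racoon.conf  (hypothetical road-warrior initiator, certificate auth)
path certificate "/etc/racoon/certs";   # directory holding the files named below

# 203.0.113.1 is a placeholder for the office router's public address.
remote 203.0.113.1 {
        exchange_mode main;
        nat_traversal on;                # the client sits behind NAT (see the router log)
        # client certificate and private key; file names are placeholders
        certificate_type x509 "vpnclient.crt" "vpnclient.key";
        ca_type x509 "office-ca.crt";    # CA that signed both ends' certificates
        verify_cert on;                  # check the router's certificate against that CA
        my_identifier asn1dn;            # send our certificate subject DN as the ID payload
        peers_identifier asn1dn;         # expect the router's certificate subject DN
        verify_identifier on;            # fail phase 1 if the ID payload and certificate differ
        proposal {
                encryption_algorithm aes;
                hash_algorithm md5;      # what the router reported accepting in the log above
                authentication_method rsasig;
                dh_group modp1024;
                lifetime time 8 hour;    # 28800 s, as the router reported
        }
}

# Phase-2 parameters offered to the router. These are an assumption: if they do not
# match the router's SA proposal, phase 2 fails even though phase 1 completed.
sainfo anonymous {
        pfs_group modp1024;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/ipsec.conf, loaded with:  setkey -f /etc/ipsec.conf
# Racoon only starts phase 2 when an outbound packet hits a "require" policy, so without
# these entries no quick mode is ever attempted. Placeholders: 10.0.0.2 is the client's
# tunnel address, 192.168.1.0/24 the office network, 192.168.0.10 the client's own
# (pre-NAT) interface address, 203.0.113.1 the router as above.
spdadd 10.0.0.2/32 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.0.10-203.0.113.1/require;
spdadd 192.168.1.0/24 10.0.0.2/32 any -P in  ipsec esp/tunnel/203.0.113.1-192.168.0.10/require;
```

Load the policy with setkey, start racoon, then send a packet toward the office network to trigger the negotiation. A completed phase 1 followed by silence until the router's timeout fires is consistent with two things a client-side reader can check: no SPD entry matching the traffic (racoon has nothing to negotiate), or a sainfo block or selector the router rejects. In the second case the informational messages the poster sees during phase 2 normally carry a notify such as NO-PROPOSAL-CHOSEN or INVALID-ID-INFORMATION, which narrows the mismatch down to the algorithms or to the traffic selectors respectively; the router's own phase-2 proposal is the reference to compare against.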


