Re: Simple IPSEC client with certificate - phase 1 time out

To: Frank Wille <frank%phoenix.owl.de@localhost>
Subject: Re: Simple IPSEC client with certificate - phase 1 time out
From: Brett Lymn <blymn%internode.on.net@localhost>
Date: Tue, 1 Mar 2016 10:49:27 +1030

On Sun, Feb 28, 2016 at 02:35:26PM +0100, Frank Wille wrote:
> 
> I don't even need hybrid or xauth. Just a plain signed certificate on both
> sides. A simple "road-warrior" client. Until now I found no example
> configurations for this case.
> 

Yes, it quite frustrating and complex...

> 
> >  IIRC, looping in phase 1 means both ends cannot agree on an
> > authentication method or the credentials presented are not correct.
> 
> Yes. But phase 1 is definitely ok in my case. I have now access to the
> VPN-status log of my office's Lancom router and it accepted everything:
> 

That is a good start.

> 
> But after 30 seconds and a few Phase 2 Inf messages it just says:
> 

OK, does phase 2 actually complete?  What does a "setkey -aD" output?
Have you tried a tcpdump to see what is going on at the network level?
You should expect encrypted packets, if you are seeing stuff in the
clear then check your routing and ensure the packets are properly routed
to the vpn tunnel end point.

> > Try increasing the debug level on raccoon and see what it is offering
> > to the remote end and see if that matches what you expect.
> 
> I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf
> and starting the racoon daemon with -dddd. I don't get any more information
> out of it.
> 

It has been a long while since I played with this but I seem to recall
that you do get a log of what is being proposed by both sides.  I know
that it doesn't give any clear messages like "we failed because I didn't
like this option" but there should be a lot of transactional information
that can point to a solution.  Are you seeing this?

> 
> Unfortunately that's not possible. I cannot change the configuration of my
> office's router, because it will break the working VPN connection of all
> Windows notebooks.
> 

Yes, that is not surprising but it seems that you are doing phase 1 ok
anyway so I guess there is not much point.

-- 
Brett Lymn
Let go, or be dragged - Zen proverb.

Follow-Ups:
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Frank Wille

References:
- Simple IPSEC client with certificate - phase 1 time out
  - From: Frank Wille
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Frank Wille
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Andy Ruhl
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Frank Wille
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Brett Lymn
- Re: Simple IPSEC client with certificate - phase 1 time out
  - From: Frank Wille

Prev by Date: Re: RAIDframe corruption
Next by Date: Re: RAIDframe corruption
Previous by Thread: Re: Simple IPSEC client with certificate - phase 1 time out
Next by Thread: Re: Simple IPSEC client with certificate - phase 1 time out
Indexes:

Home | Main Index | Thread Index | Old Index