NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



In article <47cda77073c.607dceb8%mail.owl.de@localhost>,
Frank Wille  <frank%phoenix.owl.de@localhost> wrote:
>Brett Lynn wrote:
>
>On 04.03.16 09:20:12 you wrote:
>
>> Well, let's say packet loss from the point of view of racoon, ipsec can
>> be very sensitive to lossy networks so it is good to eliminate that as
>> a cause.  The test with the windows client is valuable, it shows that
>> ipsec can work from where you are.
>
>Indeed. And I guess we can ignore a potential packet loss for now. I
>debugged Racoon and studied the source over several hours and came to the
>conclusion that IKE mode config only works with Hybrid authentication
>modes. No plain "rsasig", which is a pity.
>
>Might not be too difficult to add...
>
>
>> As for the keep alives, the
>> handling of those depends on the client and/or its configuration -
>> maybe the windows client is configured to ignore the keep alives?
>
>Now I guess that keep-alives are just sent to have some traffic, but no need
>to reply to them. The Lancom gateway does not send them itself. My own NetBSD
>gateway generates them, but does not reply either.
>
>
>> I do recall being able to get logging out of racoon.  Have you tried
>> running racoon in the foreground
>
>Correct. I discovered that in the meantime. "debug" output is never written
>to syslog for security reasons (contains hexdumps of keys and
>certificates).
>
>
>>> Also I'm getting doubts whether "authentication_method rsasig" is
>>> working at all. Until now I found no success stories with such a
>>> configuration on the net, especially when using mode_cfg.
>>> 
>>
>> As for a lot of things, it is hard to find success stories on the net -
>
>True, but unfortunately I was right here. :|
>
>
>> I have only done hybrid-xauth, part of that was validating a
>> certificate.
>
>Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my
>phase1-up script and adds the appropriate SPD entries.
>
>There is no phase 2 negotiation before I try to connect to any VPN address,
>but I think that's normal.
>
>Unfortunately even the proven hybrid authentication fails for me. The kernel
>cannot update or add keys for SAD:
>
>racoon: INFO: initiate new phase 2 negotiation:
>192.168.1.5[4500]<=>77.182.71.224[4500] 
>racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3). 
>racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
>racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
>/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
>/netbsd: key_update: no SA index found.
>/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
>/netbsd: key_setsaval: unable to initialize SA type 3.
>racoon: ERROR: pfkey UPDATE failed: No such file or directory 
>racoon: ERROR: pfkey ADD failed: Invalid argument 
>racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.
>
>
>On the other hand, the Racoon server/gateway has no problem. It may have
>something to do with NAT-T...?

If your server is behind NAT, I think that got broken at some point.
I meant to debug this... I guess I should just do it...

christos
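A client-side racoon.conf for the hybrid_rsa_client + mode_cfg + NAT-T setup Frank describes above, added here as an example; it is not Frank's or christos's configuration, and the gateway address 192.0.2.1, the file names under /etc/racoon, the script names and the xauth login are placeholders.

```conf
# Added example, not from the thread. Placeholders: 192.0.2.1 (the gateway),
# file names under /etc/racoon, the script names and the xauth login.
path certificate    "/etc/racoon/certs";    # ca.pem lives here
path script         "/etc/racoon/scripts";  # phase1-up.sh / phase1-down.sh
path pre_shared_key "/etc/racoon/psk.txt";  # xauth password, keyed by login

remote 192.0.2.1 {
    exchange_mode aggressive;

    # hybrid_rsa_client: the gateway proves itself with an X.509 certificate,
    # the client proves itself with XAuth. The client presents no certificate.
    ca_type x509 "ca.pem";
    verify_cert on;           # keep on: off means any gateway cert is accepted
    peers_identifier asn1dn;  # bind phase 1 to the gateway's DN, not just its IP
    xauth_login "vpnuser";    # password looked up in the pre_shared_key file

    nat_traversal on;         # the log above shows NAT-T (UDP 4500) in use
    mode_cfg on;              # IKE mode config: address/DNS pushed by the gateway
    ike_frag on;              # certificate payloads can exceed the path MTU
    proposal_check obey;

    # Hooks racoon runs around phase 1; the phase1-up script is where the
    # thread's SPD entries get installed.
    script "phase1-up.sh"   phase1_up;
    script "phase1-down.sh" phase1_down;

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Start it with `racoon -F -d -f /etc/racoon/racoon.conf` to get the debug output that, as noted above, is never written to syslog.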


