racoon with rsasig and mode_cfg
Hi!

Following my previous thread about getting an IPsec connection with a Lancom
router, I have now set up a remote NetBSD router as VPN server (epia). It offers
the "rsasig" authentication method, IKE mode config and the same encryption
algorithms to simulate the Lancom.

Here is the racoon.conf of my VPN server: "epia". It has a WAN (dynamic
ADSL) and a LAN (192.168.0.0/24) interface.

---8<---
path certificate "/etc/racoon/certs";

log debug;

listen {
    adminsock disabled;
}

remote anonymous {
    exchange_mode main;

    certificate_type x509 "vpngw_crt.pem" "vpngw_key.pem";
    ca_type x509 "democa.pem";

    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_identifier on;

    generate_policy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;
    lifetime time 8 hour;
    passive on;

    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check claim;
}

mode_cfg {
    # starting address of pool
    network4 192.168.0.90;
    # maximum number of clients
    pool_size 10;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 192.168.0.254;
    banner "/etc/racoon/motd";
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---


My PowerBook is a NetBSD/macppc notebook in a 192.168.1.0/24 WLAN, using a
Soekris NetBSD router (LAN, WLAN, WAN dynamic ADSL) as default gateway and
name server.

-----------    -----------                      --------
|PowerBook|====| Soekris | ==> ( Internet ) <== | Epia |
-----------    -----------                      --------
192.168.1.5    192.168.1.1                      192.168.0.254
               91.56.255.78                     78.49.97.71

When all works well the PowerBook should get an internal VPN address between
192.168.0.90 and 192.168.0.99 inside the remote LAN.

The PowerBook's (192.168.1.5) racoon.conf is similar to the previous Lancom
test:

---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "epia"
{
    remote_address 78.49.97.71;
    exchange_mode main,base;

    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;

    certificate_type x509 "client1crt.pem" "client1key.pem";
    ca_type x509 "epiaCA.pem";

    mode_cfg on;    # ISAKMP mode config
    dpd_delay 20;   # peer detection (alive check)
    nat_traversal on;   # force

    ike_frag on;
    #esp_frag 552;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;
    lifetime time 8 hour;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }

    proposal_check obey;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---

Unfortunately I cannot use epia.mydomain.tld but have to insert the current
dynamic IP every time, which is really stupid. :|


When the racoon daemon is running on both sides and I start the IPSec
connection on the PowerBook with
# racoonctl vc 78.49.97.71

... then phase 1 and the certificates seem to be ok. But it just sits there
and does nothing. racoonctl never returns, and when I break it, it makes no
difference for the connection either.

The client does not request IKE mode config from the server, exactly like in
the previous thread with the Lancom.

I see no phase 2 negotiation. No idea what it is waiting for... :(


Soekris and Epia tcpdumps, as well as PowerBook and Epia racoon logs
attached (I tried to sync the clocks, but better than 0.2s was impossible).

What am I missing? Did "rsasig" and/or "mode_cfg" ever work for anybody?

-- 
Frank Wille

Mar  2 16:38:14 epia racoon: INFO: respond new phase 1 negotiation: 78.49.97.71[500]<=>91.56.255.78[2532] 
Mar  2 16:38:14 epia racoon: INFO: begin Identity Protection mode. 
Mar  2 16:38:14 epia racoon: INFO: received Vendor ID: RFC 3947 
Mar  2 16:38:14 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
Mar  2 16:38:14 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
Mar  2 16:38:14 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
Mar  2 16:38:14 epia racoon: INFO: received broken Microsoft ID: FRAGMENTATION 
Mar  2 16:38:14 epia racoon: INFO: received Vendor ID: DPD 
Mar  2 16:38:14 epia racoon: [91.56.255.78] INFO: Selected NAT-T version: RFC 3947 
Mar  2 16:38:15 epia racoon: [78.49.97.71] INFO: Hashing 78.49.97.71[500] with algo #1  
Mar  2 16:38:15 epia racoon: INFO: NAT-D payload #0 verified 
Mar  2 16:38:15 epia racoon: [91.56.255.78] INFO: Hashing 91.56.255.78[2532] with algo #1  
Mar  2 16:38:15 epia racoon: INFO: NAT-D payload #1 doesn't match 
Mar  2 16:38:15 epia racoon: INFO: NAT detected: PEER 
Mar  2 16:38:15 epia racoon: [91.56.255.78] INFO: Hashing 91.56.255.78[2532] with algo #1  
Mar  2 16:38:15 epia racoon: [78.49.97.71] INFO: Hashing 78.49.97.71[500] with algo #1  
Mar  2 16:38:15 epia racoon: INFO: Adding remote and local NAT-D payloads. 
Mar  2 16:38:15 epia racoon: INFO: NAT-T: ports changed to: 91.56.255.78[2500]<->78.49.97.71[4500] 
Mar  2 16:38:15 epia racoon: INFO: KA list add: 78.49.97.71[4500]->91.56.255.78[2500] 
Mar  2 16:38:15 epia racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=NRW/L=Herford/O=Private/OU=Client1/CN=powerbook.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  2 16:38:15 epia racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=NRW/O=Private/CN=epia.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  2 16:38:15 epia racoon: INFO: ISAKMP-SA established 78.49.97.71[4500]-91.56.255.78[2500] spi:2bd2a347e000df80:cb033de44f1bb0b0 
Mar  2 16:38:15 epia racoon: [91.56.255.78] INFO: received INITIAL-CONTACT 
Mar  2 16:39:10 epia racoon: INFO: purging ISAKMP-SA spi=2bd2a347e000df80:cb033de44f1bb0b0. 
Mar  2 16:39:10 epia racoon: INFO: purged ISAKMP-SA spi=2bd2a347e000df80:cb033de44f1bb0b0. 
Mar  2 16:39:10 epia racoon: INFO: ISAKMP-SA deleted 78.49.97.71[4500]-91.56.255.78[2500] spi:2bd2a347e000df80:cb033de44f1bb0b0 
Mar  2 16:39:10 epia racoon: INFO: KA remove: 78.49.97.71[4500]->91.56.255.78[2500] 

16:38:14.865596 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2532 > 78.49.97.71.500: isakmp: phase 1 I ident
16:38:14.929688 PPPoE  [ses 0x1e5d] IP 78.49.97.71.500 > 91.56.255.78.2532: isakmp: phase 1 R ident
16:38:15.066499 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2532 > 78.49.97.71.500: isakmp: phase 1 I ident
16:38:15.160822 PPPoE  [ses 0x1e5d] IP 78.49.97.71.500 > 91.56.255.78.2532: isakmp: phase 1 R ident
16:38:15.341212 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:38:15.475006 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.492845 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.499802 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.527123 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:15.600938 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:27.741544 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:38:31.127880 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: isakmp-nat-keep-alive
16:38:35.547855 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:35.628004 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:35.646028 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:35.716962 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:47.761839 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:38:51.148783 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: isakmp-nat-keep-alive
16:38:55.708147 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:55.791632 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:55.808881 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:55.880521 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:39:07.782159 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:39:10.726446 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

Mar  2 16:38:14 powerbook racoon: INFO: accept a request to establish IKE-SA: 78.49.97.71 
Mar  2 16:38:14 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>78.49.97.71[500] 
Mar  2 16:38:14 powerbook racoon: INFO: begin Identity Protection mode. 
Mar  2 16:38:15 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Mar  2 16:38:15 powerbook racoon: INFO: received Vendor ID: DPD 
Mar  2 16:38:15 powerbook racoon: INFO: received broken Microsoft ID: FRAGMENTATION 
Mar  2 16:38:15 powerbook racoon: [78.49.97.71] INFO: Selected NAT-T version: RFC 3947 
Mar  2 16:38:15 powerbook racoon: [78.49.97.71] INFO: Hashing 78.49.97.71[500] with algo #1  
Mar  2 16:38:15 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1  
Mar  2 16:38:15 powerbook racoon: INFO: Adding remote and local NAT-D payloads. 
Mar  2 16:38:15 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1  
Mar  2 16:38:15 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Mar  2 16:38:15 powerbook racoon: [78.49.97.71] INFO: Hashing 78.49.97.71[500] with algo #1  
Mar  2 16:38:15 powerbook racoon: INFO: NAT-D payload #1 verified 
Mar  2 16:38:15 powerbook racoon: INFO: NAT detected: ME  
Mar  2 16:38:15 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->78.49.97.71[4500] 
Mar  2 16:38:15 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=NRW/L=Herford/O=Private/OU=Serverstuen/CN=epia.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  2 16:38:15 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=NRW/O=Private/CN=epia.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  2 16:38:15 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-78.49.97.71[4500] spi:2bd2a347e000df80:cb033de44f1bb0b0 
Mar  2 16:38:15 powerbook racoon: [78.49.97.71] INFO: received INITIAL-CONTACT 
Mar  2 16:39:10 powerbook racoon: INFO: Flushing all SAs for peer 78.49.97.71 
Mar  2 16:39:10 powerbook racoon: INFO: purging ISAKMP-SA spi=2bd2a347e000df80:cb033de44f1bb0b0. 
Mar  2 16:39:10 powerbook racoon: INFO: purged ISAKMP-SA spi=2bd2a347e000df80:cb033de44f1bb0b0. 
Mar  2 16:39:10 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-78.49.97.71[4500] spi:2bd2a347e000df80:cb033de44f1bb0b0 
Mar  2 16:39:10 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->78.49.97.71[4500] 

16:38:15.080554 PPPoE  [ses 0x1080] IP 91.56.255.78.2532 > 78.49.97.71.500: isakmp: phase 1 I ident
16:38:15.189988 PPPoE  [ses 0x1080] IP 78.49.97.71.500 > 91.56.255.78.2532: isakmp: phase 1 R ident
16:38:15.281215 PPPoE  [ses 0x1080] IP 91.56.255.78.2532 > 78.49.97.71.500: isakmp: phase 1 I ident
16:38:15.425045 PPPoE  [ses 0x1080] IP 78.49.97.71.500 > 91.56.255.78.2532: isakmp: phase 1 R ident
16:38:15.539143 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:38:15.743362 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.761552 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.764207 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.786141 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:15.817048 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:27.991494 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:38:31.336078 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: isakmp-nat-keep-alive
16:38:35.794505 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:35.832265 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:35.850505 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:35.963952 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:47.998803 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:38:51.345147 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: isakmp-nat-keep-alive
16:38:55.943241 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:55.983046 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:56.001119 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:56.115655 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:39:08.007098 PPPoE  [ses 0x1080] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:39:10.909076 PPPoE  [ses 0x1080] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
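As an added diagnostic (not part of the original post), the script below parses racoon syslog lines and tcpdump ISAKMP output in the shape shown above and flags the pattern in this capture: an ISAKMP-SA that is established and later deleted without racoon ever logging its phase 2 success message "IPsec-SA established", while the only traffic after phase 1 is informational exchanges ("inf") and never quick mode ("oakley-quick"). The sample lines are constructed from the posted output; the exchange-type labels are the ones tcpdump prints.

```python
import re
from datetime import datetime
# Constructed excerpts in the shape of the epia racoon log and tcpdump posted above.
RACOON_LOG = """\
Mar  2 16:38:15 epia racoon: INFO: ISAKMP-SA established 78.49.97.71[4500]-91.56.255.78[2500] spi:2bd2a347e000df80:cb033de44f1bb0b0
Mar  2 16:39:10 epia racoon: INFO: ISAKMP-SA deleted 78.49.97.71[4500]-91.56.255.78[2500] spi:2bd2a347e000df80:cb033de44f1bb0b0
"""
TCPDUMP = """\
16:38:15.475006 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 1 R ident[E]
16:38:15.527123 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
16:38:15.600938 PPPoE  [ses 0x1e5d] IP 91.56.255.78.2500 > 78.49.97.71.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
16:38:27.741544 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: isakmp-nat-keep-alive
16:38:35.547855 PPPoE  [ses 0x1e5d] IP 78.49.97.71.4500 > 91.56.255.78.2500: NONESP-encap: isakmp: phase 2/others R inf[E]
"""
SA_RE = re.compile(r"ISAKMP-SA (established|deleted) .* spi:(\S+)")

def parse_racoon(log):
    """Per ISAKMP SPI, record HH:MM:SS of establish/delete; note any phase 2 success."""
    sas, phase2 = {}, False
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            sas.setdefault(m.group(2), {})[m.group(1)] = line[7:15]
        phase2 = phase2 or "IPsec-SA established" in line  # racoon's phase 2 success line
    return sas, phase2

def parse_tcpdump(capture):
    """Classify ISAKMP packets by the exchange type tcpdump prints."""
    kinds = []
    for line in capture.splitlines():
        if "isakmp-nat-keep-alive" in line:
            kinds.append("keepalive")
        elif "isakmp:" in line:
            m = re.search(r"\b(ident|agg|base|inf|oakley-quick)\b", line)
            kinds.append(m.group(1) if m else "other")
    return kinds

def diagnose(sas, phase2, kinds):
    """Flag a phase 1 SA that never led to phase 2, and informational-only traffic after it."""
    findings = []
    for spi, ev in sas.items():
        if "established" in ev and not phase2:
            msg = f"ISAKMP-SA {spi} established, no IPsec-SA followed"
            if "deleted" in ev:
                t0, t1 = (datetime.strptime(ev[k], "%H:%M:%S") for k in ("established", "deleted"))
                msg += f", torn down after {int((t1 - t0).total_seconds())} s"
            findings.append(msg)
    if "inf" in kinds and "oakley-quick" not in kinds:
        findings.append(f"{kinds.count('inf')} informational packets after phase 1, no quick mode seen")
    return findings
```

Run against the full posted logs, the same checks would also show the 20-second spacing of the informational exchanges, which matches the configured dpd_delay.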