tech-net archive


Re: racoon with rsasig and mode_cfg



Hi again,

Today I successfully made a mode_cfg rsasig IPsec connection with my NetBSD
VPN gateway. Not with a NetBSD Roadwarrior client, though, but using the
commercial "Lancom Advanced VPN Client" under Windows.

Perhaps that leads to the conclusion that I'm not doing everything wrong,
but that we have a long-time bug in Racoon!

Seems that Racoon never worked with "authentication_mode rsasig" and
"mode_cfg on" when used as a Roadwarrior client. If anybody sees a
working example anywhere, then please tell me! ;)


For comparison I attached the racoon log and the tcpdump from my VPN
gateway. The difference from a NetBSD client starts after "ISAKMP-SA
established":

Mar  3 13:49:34 epia racoon: INFO: Using port 0 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20002 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20003 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20004 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20005 
Mar  3 13:49:34 epia racoon: INFO: respond new phase 2 negotiation:
77.181.56.246[4500]<=>91.56.248.239[6182] 

"Using port 0" means IKE mode config. And the Windows client also starts the
phase 2 negotiation, while the NetBSD client does nothing.

This is mode config in the tcpdump (exchange type #6 means ISAKMP_ETYPE_CFG
in the racoon source):

13:49:34.274245 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 >
77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
13:49:34.347221 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 >
91.56.248.239.6182: NONESP-encap: isakmp: phase 2/others R #6[E]


In more detail (DEBUG output, with hex dumps removed for security reasons)
you can see that the Windows client immediately sends a MODE_CFG packet:

INFO: ISAKMP-SA established 77.181.56.246[4500]-91.56.248.239[6182]
spi:99558d082de065e3:fc9250ac263d19a6
DEBUG: ===
DEBUG: ===
DEBUG: 204 bytes message received from 91.56.248.239[6182] to
77.181.56.246[4500]
DEBUG: compute IV for phase2
DEBUG: phase1 last IV:
DEBUG: hash(md5)
DEBUG: encryption(aes)
DEBUG: phase2 IV computed:
DEBUG: begin decryption.
DEBUG: encryption(aes)
DEBUG: IV was saved for next processing:
DEBUG: encryption(aes)
DEBUG: with key:
DEBUG: decrypted payload by IV:
DEBUG: decrypted payload, but not trimed.
DEBUG: padding len=1
DEBUG: skip to trim padding.
DEBUG: decrypted.
DEBUG: MODE_CFG packet
[...]

The NetBSD client, on the other hand, does nothing except send a late
INITIAL-CONTACT packet, which Windows sent before "ISAKMP-SA established".

INFO: ISAKMP-SA established 77.181.56.246[4500]-91.56.248.239[2500]
spi:87ff62d4b8b0f4e5:7f3eec686b044b29
DEBUG: ===
DEBUG: ===
DEBUG: 92 bytes message received from 91.56.248.239[2500] to
77.181.56.246[4500]
DEBUG: receive Information.
DEBUG: compute IV for phase2
DEBUG: phase1 last IV:
DEBUG: hash(md5)
DEBUG: encryption(aes)
DEBUG: phase2 IV computed:
DEBUG: begin decryption.
DEBUG: encryption(aes)
DEBUG: IV was saved for next processing:
DEBUG: encryption(aes)
DEBUG: with key:
DEBUG: decrypted payload by IV:
DEBUG: decrypted payload, but not trimed.
DEBUG: padding len=16
DEBUG: skip to trim padding.
DEBUG: decrypted.
DEBUG: IV freed
DEBUG: HASH with:
DEBUG: hmac(hmac_md5)
DEBUG: HASH computed:
DEBUG: hash validated.
DEBUG: begin.
DEBUG: seen nptype=8(hash)
DEBUG: seen nptype=11(notify)
DEBUG: succeed.
[91.56.248.239] INFO: received INITIAL-CONTACT
DEBUG: call pfkey_send_dump
DEBUG: pk_recv: retry[0] recv() 
[...]

-- 
Frank Wille

Mar  3 13:49:24 epia racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net) 
Mar  3 13:49:24 epia racoon: INFO: @(#)This product linked OpenSSL 1.0.1i 6 Aug 2014 (http://www.openssl.org/) 
Mar  3 13:49:24 epia racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" 
Mar  3 13:49:24 epia racoon: INFO: Resize address pool from 0 to 10 
Mar  3 13:49:24 epia racoon: INFO: 192.168.0.254[500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 192.168.0.254[500] used as isakmp port (fd=7) 
Mar  3 13:49:24 epia racoon: INFO: 192.168.0.254[4500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 192.168.0.254[4500] used as isakmp port (fd=8) 
Mar  3 13:49:24 epia racoon: INFO: 127.0.0.1[500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9) 
Mar  3 13:49:24 epia racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10) 
Mar  3 13:49:24 epia racoon: INFO: 77.181.56.246[500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 77.181.56.246[500] used as isakmp port (fd=11) 
Mar  3 13:49:24 epia racoon: INFO: 77.181.56.246[4500] used for NAT-T 
Mar  3 13:49:24 epia racoon: INFO: 77.181.56.246[4500] used as isakmp port (fd=12) 
Mar  3 13:49:33 epia racoon: INFO: respond new phase 1 negotiation: 77.181.56.246[500]<=>91.56.248.239[6180] 
Mar  3 13:49:33 epia racoon: INFO: begin Identity Protection mode. 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: RFC 3947 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: DPD 
Mar  3 13:49:33 epia racoon: INFO: received broken Microsoft ID: FRAGMENTATION 
Mar  3 13:49:33 epia racoon: INFO: received Vendor ID: CISCO-UNITY 
Mar  3 13:49:33 epia racoon: [91.56.248.239] INFO: Selected NAT-T version: RFC 3947 
Mar  3 13:49:33 epia racoon: INFO: Adding xauth VID payload. 
Mar  3 13:49:33 epia racoon: [77.181.56.246] INFO: Hashing 77.181.56.246[500] with algo #1  
Mar  3 13:49:33 epia racoon: INFO: NAT-D payload #0 verified 
Mar  3 13:49:33 epia racoon: [91.56.248.239] INFO: Hashing 91.56.248.239[6180] with algo #1  
Mar  3 13:49:33 epia racoon: INFO: NAT-D payload #1 doesn't match 
Mar  3 13:49:33 epia racoon: INFO: NAT detected: PEER 
Mar  3 13:49:33 epia racoon: [91.56.248.239] INFO: Hashing 91.56.248.239[6180] with algo #1  
Mar  3 13:49:33 epia racoon: [77.181.56.246] INFO: Hashing 77.181.56.246[500] with algo #1  
Mar  3 13:49:33 epia racoon: INFO: Adding remote and local NAT-D payloads. 
Mar  3 13:49:34 epia racoon: INFO: NAT-T: ports changed to: 91.56.248.239[6182]<->77.181.56.246[4500] 
Mar  3 13:49:34 epia racoon: INFO: KA list add: 77.181.56.246[4500]->91.56.248.239[6182] 
Mar  3 13:49:34 epia racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=DE/ST=NRW/L=Herford/O=Private/OU=Client1/CN=powerbook.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  3 13:49:34 epia racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/ST=NRW/O=Private/CN=epia.owl.de/emailAddress=frank%phoenix.owl.de@localhost 
Mar  3 13:49:34 epia racoon: [91.56.248.239] INFO: received INITIAL-CONTACT 
Mar  3 13:49:34 epia racoon: INFO: ISAKMP-SA established 77.181.56.246[4500]-91.56.248.239[6182] spi:3d16bb7b5ad1a239:72e19aee4177c4b5 
Mar  3 13:49:34 epia racoon: INFO: Using port 0 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20002 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20003 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20004 
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20005 
Mar  3 13:49:34 epia racoon: INFO: respond new phase 2 negotiation: 77.181.56.246[4500]<=>91.56.248.239[6182] 
Mar  3 13:49:34 epia racoon: INFO: no policy found, try to generate the policy : 192.168.0.90/32[0] 192.168.0.0/24[0] proto=any dir=in 
Mar  3 13:49:35 epia racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
Mar  3 13:49:35 epia racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
Mar  3 13:49:35 epia /netbsd: key_update: type 2, sport = 9752, dport = 37905
Mar  3 13:49:35 epia /netbsd: key_update: type 2, sport = 37905, dport = 9752
Mar  3 13:49:35 epia racoon: INFO: IPsec-SA established: ESP/Tunnel 77.181.56.246[500]->91.56.248.239[500] spi=223566728(0xd535b88) 
Mar  3 13:49:35 epia racoon: INFO: IPsec-SA established: ESP/Tunnel 77.181.56.246[500]->91.56.248.239[500] spi=1271128794(0x4bc3e2da) 
Mar  3 13:49:53 epia racoon: INFO: deleting a generated policy. 
Mar  3 13:49:53 epia racoon: INFO: purged IPsec-SA proto_id=ESP spi=1271128794. 
Mar  3 13:49:53 epia racoon: INFO: purging ISAKMP-SA spi=3d16bb7b5ad1a239:72e19aee4177c4b5:0000e220. 
Mar  3 13:49:53 epia racoon: INFO: purged IPsec-SA spi=223566728. 
Mar  3 13:49:53 epia racoon: INFO: purged ISAKMP-SA spi=3d16bb7b5ad1a239:72e19aee4177c4b5:0000e220. 
Mar  3 13:49:53 epia racoon: INFO: ISAKMP-SA deleted 77.181.56.246[4500]-91.56.248.239[6182] spi:3d16bb7b5ad1a239:72e19aee4177c4b5 
Mar  3 13:49:53 epia racoon: INFO: KA remove: 77.181.56.246[4500]->91.56.248.239[6182] 
Mar  3 13:49:53 epia racoon: INFO: Released port 0 

13:49:33.637313 PPPoE  [ses 0x17df] IP 91.56.248.239.6180 > 77.181.56.246.500: isakmp: phase 1 I ident
13:49:33.719141 PPPoE  [ses 0x17df] IP 77.181.56.246.500 > 91.56.248.239.6180: isakmp: phase 1 R ident
13:49:33.774305 PPPoE  [ses 0x17df] IP 91.56.248.239.6180 > 77.181.56.246.500: isakmp: phase 1 I ident
13:49:33.868744 PPPoE  [ses 0x17df] IP 77.181.56.246.500 > 91.56.248.239.6180: isakmp: phase 1 R ident
13:49:34.066365 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 1 I ident[E]
13:49:34.193478 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 1 R ident[E]
13:49:34.200257 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 1 R ident[E]
13:49:34.206975 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 1 R ident[E]
13:49:34.233056 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 2/others R inf[E]
13:49:34.274245 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
13:49:34.347221 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 2/others R #6[E]
13:49:34.420925 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:49:35.239359 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:49:35.287887 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:49:44.210173 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: isakmp-nat-keep-alive
13:49:49.244199 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: UDP-encap: ESP(spi=0x0d535b88,seq=0x1), length 100
13:49:49.246154 PPPoE  [ses 0x17df] IP 77.181.56.246.4500 > 91.56.248.239.6182: UDP-encap: ESP(spi=0x4bc3e2da,seq=0x1), length 100
13:49:53.088898 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
13:49:53.091591 PPPoE  [ses 0x17df] IP 91.56.248.239.6182 > 77.181.56.246.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
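To check a racoon log mechanically for the difference described in the mail (phase 1 established, but no "Using port N" mode-config allocation and no phase 2 following it), here is an added Python example that is not part of the original post or of ipsec-tools. It assumes a single-peer log in which every line after an "ISAKMP-SA established" belongs to that SA until it is deleted; the sample lines are constructed from the gateway log above, with a second, stalled session made up to mirror the NetBSD client's behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: session 1 mirrors the Windows client (mode config + quick mode),
# session 2 mirrors the NetBSD client (only INITIAL-CONTACT after phase 1).
SAMPLE_LOG = """\
Mar  3 13:49:34 epia racoon: INFO: ISAKMP-SA established 77.181.56.246[4500]-91.56.248.239[6182] spi:3d16bb7b5ad1a239:72e19aee4177c4b5
Mar  3 13:49:34 epia racoon: INFO: Using port 0
Mar  3 13:49:34 epia racoon: WARNING: Ignored attribute 20002
Mar  3 13:49:34 epia racoon: INFO: respond new phase 2 negotiation: 77.181.56.246[4500]<=>91.56.248.239[6182]
Mar  3 13:49:35 epia racoon: INFO: IPsec-SA established: ESP/Tunnel 77.181.56.246[500]->91.56.248.239[500] spi=223566728(0xd535b88)
Mar  3 13:49:53 epia racoon: INFO: ISAKMP-SA deleted 77.181.56.246[4500]-91.56.248.239[6182] spi:3d16bb7b5ad1a239:72e19aee4177c4b5
Mar  3 14:02:10 epia racoon: INFO: ISAKMP-SA established 77.181.56.246[4500]-91.56.248.239[2500] spi:87ff62d4b8b0f4e5:7f3eec686b044b29
Mar  3 14:02:10 epia racoon: [91.56.248.239] INFO: received INITIAL-CONTACT
"""

SA_UP = re.compile(r"ISAKMP-SA established (\S+)-(\S+) spi:(\w+:\w+)")
SA_DOWN = re.compile(r"ISAKMP-SA deleted \S+-\S+ spi:(\w+:\w+)")

@dataclass
class Session:
    peer: str
    spi: str
    mode_cfg: bool = False          # "Using port N": a mode-config pool slot was handed out
    phase2: bool = False            # peer started quick mode
    ipsec_sa: int = 0               # number of IPsec-SAs installed for this ISAKMP-SA
    ignored_attrs: list = field(default_factory=list)  # unknown mode-config attributes
    deleted: bool = False

    @property
    def stalled(self) -> bool:
        # The failure mode from the mail: phase 1 came up, nothing followed.
        return not (self.mode_cfg or self.phase2)

def parse_racoon_log(text):
    """Group racoon INFO/WARNING lines into per-ISAKMP-SA sessions (single-peer assumption)."""
    sessions, cur = [], None
    for line in text.splitlines():
        msg = line.split("racoon: ", 1)[-1]
        if m := SA_UP.search(msg):
            cur = Session(peer=m.group(2), spi=m.group(3))
            sessions.append(cur)
        elif cur is None:
            continue
        elif re.search(r"Using port \d+", msg):
            cur.mode_cfg = True
        elif m := re.search(r"Ignored attribute (\d+)", msg):
            cur.ignored_attrs.append(int(m.group(1)))
        elif "respond new phase 2 negotiation" in msg:
            cur.phase2 = True
        elif "IPsec-SA established" in msg:
            cur.ipsec_sa += 1
        elif (m := SA_DOWN.search(msg)) and m.group(1) == cur.spi:
            cur.deleted = True
    return sessions
```

Running `parse_racoon_log(SAMPLE_LOG)` flags the second session as stalled, which is exactly the point at which the NetBSD roadwarrior stops in the logs above.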

