NetBSD-Users archive


Re: Simple IPSEC client with certificate - phase 1 time out



Brett Lynn wrote:

On 04.03.16 09:20:12 you wrote:

> Well, let's say packet loss from the point of view of racoon, ipsec can
> be very sensitive to lossy networks so it is good to eliminate that as
> a cause.  The test with the windows client is valuable, it shows that
> ipsec can work from where you are.

Indeed. And I guess we can ignore a potential packet loss for now. I
debugged Racoon and studied the source over several hours and came to the
conclusion that IKE mode config only works with Hybrid authentication
modes. No plain "rsasig", which is a pity.

Might not be too difficult to add...


> As for the keep alives, the
> handling of those depends on the client and/or its configuration -
> maybe the windows client is configured to ignore the keep alives?

Now I guess that keep-alives are just sent to have some traffic, but there is
no need to reply to them. The Lancom gateway does not send them itself. My own
NetBSD gateway generates them, but does not reply either.


> I do recall being able to get logging out of racoon.  Have you tried
> running racoon in the foreground

Correct. I discovered that in the meantime. "debug" output is never written
to syslog for security reasons (contains hexdumps of keys and
certificates).


>> Also I'm getting doubt whether "authentication_method rsasig" is
>> working at all. Until now I found no success stories with such a
>> configuration on the net, especially when using mode_cfg.
>> 
>
> As for a lot of things, it is hard to find success stories on the net -

True, but unfortunately I was right here. :|


> I have only done hybrid-xauth, part of that was validating a
> certificate.

Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my
phase1-up script and adds the appropriate SPD entries.

There is no phase 2 negotiation before I try to connect to any VPN address,
but I think that's normal.

Unfortunately even the proven hybrid authentication fails for me. The kernel
cannot update or add keys for SAD:

racoon: INFO: initiate new phase 2 negotiation:
192.168.1.5[4500]<=>77.182.71.224[4500] 
racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3). 
racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel 
racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) 
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_update: no SA index found.
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_setsaval: unable to initialize SA type 3.
racoon: ERROR: pfkey UPDATE failed: No such file or directory 
racoon: ERROR: pfkey ADD failed: Invalid argument 
racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.


On the other hand, the Racoon server/gateway has no problem. It may have
something to do with NAT-T...?

-- 
Frank Wille
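For reference, a minimal racoon.conf client block of the kind discussed in this thread (hybrid_rsa_client with mode_cfg, NAT-T and a phase1-up script). This is an added example, not Frank's or Brett's configuration; the certificate file names, script path, XAuth login and pre-shared-key file are placeholders to be replaced with your own.

```conf
# Added example: racoon client side for Hybrid RSA + mode config.
# The gateway authenticates with its X.509 certificate; the client
# authenticates with XAuth (login below, password looked up in the
# pre-shared key file under that login name).
path certificate "/etc/racoon/certs";     # placeholder directory
path pre_shared_key "/etc/racoon/psk.txt"; # holds "vpnuser <password>"

remote anonymous {
    exchange_mode aggressive, main;
    mode_cfg on;            # pull virtual address/DNS from the gateway
    nat_traversal on;       # client sits behind NAT -> UDP 4500 encapsulation
    ike_frag on;            # large certificate payloads may need fragmentation
    xauth_login "vpnuser";  # placeholder XAuth login

    ca_type x509 "ca.crt";  # CA that signed the gateway certificate
    verify_cert on;         # refuse a gateway whose certificate does not verify

    # run once phase 1 is up, e.g. to add routes for the assigned address
    script "/etc/racoon/phase1-up.sh" phase1_up;      # placeholder path
    script "/etc/racoon/phase1-down.sh" phase1_down;  # placeholder path

    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Run racoon in the foreground with -F and a high log level while testing, since the key-material hexdumps of the "debug" level are deliberately kept out of syslog.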


