tech-net archive


IPsec debugging



Hi,

I would like to know if there are any more options to debug an IPsec
connection. I'm establishing the connection as a client using a CA
certificate and a client certificate and key. This is phase 1
"authentication method" "rsasig", as far as I know?

I have IPSEC_DEBUG in the kernel. I'm using "log debug2" in racoon.conf and
I start racoon with "-dddd" options. But everything I get is this:

---8<---
Feb 26 12:16:23 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 26 12:16:23 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 26 12:16:23 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 26 12:16:23 powerbook racoon: ERROR: /etc/racoon/racoon.conf:70: "}" no
compression algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0

Feb 26 12:16:23 powerbook racoon: ERROR: fatal parse failure (1 errors) 
Feb 26 12:17:11 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 26 12:17:11 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 26 12:17:11 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 26 12:17:11 powerbook racoon: ERROR: /etc/racoon/racoon.conf:70: "}" no
compression algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0

Feb 26 12:17:11 powerbook racoon: ERROR: fatal parse failure (1 errors) 
Feb 26 12:24:52 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 26 12:24:52 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 26 12:24:52 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port
(fd=7) 
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp
port (fd=8) 
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T 
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=9) 
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port
(fd=10) 
Feb 26 12:26:07 powerbook racoon: INFO: accept a request to establish
IKE-SA: 1.2.3.4 
Feb 26 12:26:07 powerbook racoon: INFO: initiate new phase 1 negotiation:
192.168.1.5[500]<=>1.2.3.4[500] 
Feb 26 12:26:07 powerbook racoon: INFO: begin Identity Protection mode. 
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02  
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03 
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt 
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID: DPD 
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version:
RFC 3947 
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 26 12:26:07 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 26 12:26:07 powerbook racoon: INFO: Adding remote and local NAT-D
payloads. 
Feb 26 12:26:07 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #1 verified 
Feb 26 12:26:07 powerbook racoon: INFO: NAT detected: ME  
Feb 26 12:26:07 powerbook racoon: INFO: KA list add:
192.168.1.5[4500]->1.2.3.4[4500] 
Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:0
SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE

Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA 
Feb 26 12:26:08 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT 
Feb 26 12:26:08 powerbook racoon: INFO: ISAKMP-SA established
192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b 
Feb 26 12:27:13 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b) seems to be dead. 
Feb 26 12:27:13 powerbook racoon: INFO: purging ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b. 
Feb 26 12:27:13 powerbook racoon: INFO: purged ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b. 
Feb 26 12:27:13 powerbook racoon: INFO: ISAKMP-SA deleted
192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b 
Feb 26 12:27:13 powerbook racoon: INFO: KA remove:
192.168.1.5[4500]->1.2.3.4[4500] 
---8<---


The connection always dies 5 seconds after being established, because DPD
thinks the peer is dead. tcpdump shows that the peer's UDP Port 4500
suddenly became unreachable, although it worked before.

I would like to get some more information to debug the problem.

Here is my racoon.conf (the remote VPN router was replaced with 1.2.3.4 in
these examples):

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

log debug2;

remote "wpsd"
{
    remote_address 1.2.3.4;
    exchange_mode main,base;

    #my_identifier fqdn "arwen.wpsd.lcl";
    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;

    certificate_type x509 "arwen.wpsd.lcl.crt" "arwen.wpsd.lcl.key";
    ca_type x509 "ca.crt";

    #initial_contact off;
    mode_cfg on;    # ISAKMP mode config
    dpd_delay 20;   # peer detection (alive check)
    nat_traversal on;   # force

    #ike_frag on;
    #esp_frag 552;
    #script "phase1-up.sh" phase1_up;
    #script "phase1-down.sh" phase1_down;
    script "test.sh" phase1_up;
    script "test.sh" phase1_down;
    #lifetime time 8 hour;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        #authentication_method hybrid_rsa_client;
        authentication_method rsasig;
        dh_group 2;
    }

    # this configuration could make racoon (as a responder)
    # obey the initiator's lifetime and PFS group proposal,
    # by setting proposal_check to obey.
    # this would make testing "so much easier", but is really
    # *not* secure !!!
    #proposal_check strict;
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# the actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use")
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

-- 
Frank Wille
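
An added example, not part of the post above and not code from ipsec-tools: a small Python script that re-joins racoon log entries a mail client wrapped onto continuation lines, parses the syslog prefix racoon writes, and correlates the phase 1 events by SPI, so that the interval between "ISAKMP-SA established" and the DPD "seems to be dead" verdict, the NAT-D payload results and the "unable to get certificate CRL" warnings can be read off in one place instead of by eye. The sample log is constructed from the lines quoted in the post (same timestamps and SPI); the function and field names are mine.

```python
import re
from datetime import datetime

# Constructed sample: a condensed copy of the racoon log quoted in the post,
# including two entries wrapped onto continuation lines the way the mail
# archive shows them.
SAMPLE_LOG = """\
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8)
Feb 26 12:26:07 powerbook racoon: INFO: initiate new phase 1 negotiation:
192.168.1.5[500]<=>1.2.3.4[500]
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #0 doesn't match
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #1 verified
Feb 26 12:26:07 powerbook racoon: INFO: NAT detected: ME
Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0
SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE

Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 26 12:26:08 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b
Feb 26 12:27:13 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=b093a6d4667c8c59:420b8c66dd98416b) seems to be dead.
Feb 26 12:27:13 powerbook racoon: INFO: purging ISAKMP-SA spi=b093a6d4667c8c59:420b8c66dd98416b.
Feb 26 12:27:13 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b
"""

# syslog prefix as racoon writes it; the "[peer]" tag before the level is optional
TS_START = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi[:=]([0-9a-f]+:[0-9a-f]+)")


def unwrap(text):
    """Re-join entries that were wrapped onto continuation lines (no timestamp)."""
    entries = []
    for raw in text.splitlines():
        if TS_START.match(raw) or not entries:
            entries.append(raw.rstrip())
        elif raw.strip():
            entries[-1] += " " + raw.strip()
    return entries


def parse_entry(entry):
    """Split one racoon syslog entry into its fields; None if it is not one."""
    m = LINE_RE.match(entry)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(text):
    """Correlate phase 1 events by SPI and collect the NAT-T and CRL findings."""
    sas = {}
    report = {"sas": sas, "crl_warnings": [], "nat_detected": None,
              "natd_mismatches": 0, "unparsed": 0}
    for entry in unwrap(text):
        rec = parse_entry(entry)
        if rec is None:
            report["unparsed"] += 1
            continue
        msg = rec["msg"]
        if rec["level"] == "WARNING" and "unable to get certificate CRL" in msg:
            report["crl_warnings"].append(msg.split("SubjectName:", 1)[-1].strip())
        elif msg.startswith("NAT detected:"):
            report["nat_detected"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("NAT-D payload") and "doesn't match" in msg:
            report["natd_mismatches"] += 1
        spi_m = SPI_RE.search(msg)
        if spi_m is None:
            continue
        sa = sas.setdefault(spi_m.group(1), {"established": None, "dpd_dead": None,
                                              "deleted": None, "lifetime_s": None})
        if msg.startswith("ISAKMP-SA established"):
            sa["established"] = rec["ts"]
        elif msg.startswith("DPD:") and "seems to be dead" in msg:
            sa["dpd_dead"] = rec["ts"]
        elif msg.startswith("ISAKMP-SA deleted"):
            sa["deleted"] = rec["ts"]
            if sa["established"] is not None:
                sa["lifetime_s"] = int((rec["ts"] - sa["established"]).total_seconds())
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    print("NAT detected:", rep["nat_detected"], "| NAT-D mismatches:", rep["natd_mismatches"])
    for subject in rep["crl_warnings"]:
        print("no CRL for", subject)
    for spi, sa in rep["sas"].items():
        print(spi, "lived", sa["lifetime_s"], "s; DPD dead at", sa["dpd_dead"].time())
```

Run it against a copy of the real log (for example the output of `racoon -F -dddd` redirected to a file) instead of SAMPLE_LOG to get the per-SPI lifetimes for every negotiation in the file; the unwrap step is only needed for logs that went through a mail client.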


