tech-net archive


Re: IPsec debugging



Frank Wille <frank%phoenix.owl.de@localhost> writes:

> I would like to know if there are any more options to debug an IPsec
> connection. I'm establishing the connection as a client using a CA
> certificate and a client certificate and key. This is phase 1
> "authentication method" "rsasig", as far as I know?
>
> I have IPSEC_DEBUG in the kernel. I'm using "log debug2" in racoon.conf and
> I start racoon with "-dddd" options. But everything I get is this:

I have 100% absorbed the details of what you are doing.  But I have a
few suggestions in addition to what you have done, all to be on both sides:

  run "route -n monitor" and save it to a file.   Look for failed route
  lookups that seem relevant.

  run "setkey -x" and save that.  This will probably just confirm that
  racoon is doing what it said.

  run 'tcpdump -s1500 -wFILE', and then go back and look at the 5
  seconds very carefully.

  run 'setkey -D' and 'setkey -D -P' after negotiation and before the
  DPD failure.  Check that the SAs match.

The big question in my mind is whether the DPD is wrong or if the probe
packet is actually being dropped because something else is wrong.

> Feb 26 12:16:23 powerbook racoon: ERROR: /etc/racoon/racoon.conf:70: "}" no
> compression algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
>
> Feb 26 12:16:23 powerbook racoon: ERROR: fatal parse failure (1 errors) 

This is fatal, it says.  How is racoon starting?  Or did you fix it and
not trim the logs?




> Feb 26 12:26:08 powerbook racoon: INFO: ISAKMP-SA established
> 192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b 
> Feb 26 12:27:13 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
> spi=b093a6d4667c8c59:420b8c66dd98416b) seems to be dead. 
> Feb 26 12:27:13 powerbook racoon: INFO: purging ISAKMP-SA
> spi=b093a6d4667c8c59:420b8c66dd98416b. 
> Feb 26 12:27:13 powerbook racoon: INFO: purged ISAKMP-SA
> spi=b093a6d4667c8c59:420b8c66dd98416b. 
> Feb 26 12:27:13 powerbook racoon: INFO: ISAKMP-SA deleted
> 192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b 
> Feb 26 12:27:13 powerbook racoon: INFO: KA remove:
> 192.168.1.5[4500]->1.2.3.4[4500] 

(Your log lines are wrapped in mail; it would be nice to not munge
them.)

This shows that the ISAKMP SA was created, but no phase 2 SA.  So no
real need to look at setkey.  But the big question is what the logs on
the other side show and if there is a 4500/4500 probe packet.

> The connection always dies 5 seconds after being established, because DPD
> thinks the peer is dead. tcpdump shows that the peer's UDP Port 4500
> suddenly became unreachable, although it worked before.

What did tcpdump actually show?  (data, not conclusion)   Did you run
tcpdump on the remote system?  Are you sure your nat stuff in the middle
is working (really, that is rhetorical; you can be sure of nothing, so I
mean did you observe packets in both places....)?

Attachment: signature.asc
Description: PGP signature
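Added example, not code from this thread or from ipsec-tools: the reply's last suggestion, running `setkey -D` on both sides and checking that the SAs match, done as a small POSIX shell script. It reduces each dump to one line per SA (src, dst, SPI, state) and then reports a direction that exists on only one side, an SPI the two kernels disagree on, or an SA that is not "mature". The `setkey -D` text inside it is constructed to mimic the layout of that command's output, not a real capture, and `sa_table`, `compare_sas` and `demo` are names of my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipsec-tools: turn the
# "run setkey -D on both sides and check that the SAs match" step into a
# mechanical comparison.  Every sample dump here is constructed to mimic
# the setkey -D layout; none is a real capture.

# Constructed sample: local side after phase 2, one ESP SA per direction.
sample_local() {
cat <<'EOF'
192.168.1.5 1.2.3.4
    esp mode=tunnel spi=123456(0x0001e240) reqid=0(0x00000000)
    E: aes-cbc  0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
1.2.3.4 192.168.1.5
    esp mode=tunnel spi=654321(0x0009fbf1) reqid=0(0x00000000)
    E: aes-cbc  fedcba9876543210fedcba9876543210
    A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
EOF
}

# Constructed sample: a remote side that agrees with the local one.
sample_remote_good() { sample_local; }

# Constructed sample: a remote side whose 1.2.3.4 -> 192.168.1.5 SA has a
# different SPI.  ESP from the remote would then be dropped by the local
# kernel while racoon on both ends still believes phase 2 completed.
sample_remote_bad() {
    sample_local | sed 's/spi=654321(0x0009fbf1)/spi=111111(0x0001b207)/'
}

# Reduce a setkey -D dump (file argument or stdin) to one line per SA:
#   "src dst spi state"
# The src/dst line starts with a digit (IPv4 in these samples); the esp/ah
# line carries the SPI; the seq= line carries the state.  The decimal SPI
# is kept, the parenthesised hex form dropped.
sa_table() {
    awk '
        /^[0-9]/          { src = $1; dst = $2 }
        /^[ \t]+(esp|ah)/ { split($3, kv, "="); sub(/\(.*/, "", kv[2]); spi = kv[2] }
        /state=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^state=/) { split($i, kv, "="); print src, dst, spi, kv[2] }
        }' "$@"
}

# Compare the SA tables of the two sides.  Exit 0 only if every direction
# present on one side is present on the other with the same SPI, every SA
# is "mature", and both directions exist.  Diagnostics go to stdout.
# (If a direction was rekeyed and shows two SAs, the last one listed wins.)
compare_sas() {
    {
        sa_table "$1" | sed 's/^/local /'
        sa_table "$2" | sed 's/^/remote /'
    } | awk '
        { key = $2 " " $3; spi[$1, key] = $4; state[$1, key] = $5; seen[key] = 1 }
        END {
            bad = 0; dirs = 0
            for (key in seen) {
                if (!(("local", key) in spi))  { print "only on remote: " key; bad++; continue }
                if (!(("remote", key) in spi)) { print "only on local: " key; bad++; continue }
                if (spi["local", key] != spi["remote", key]) {
                    print "SPI mismatch " key ": local " spi["local", key] " remote " spi["remote", key]; bad++
                }
                if (state["local", key] != "mature" || state["remote", key] != "mature") {
                    print "SA not mature " key; bad++
                }
                dirs++
            }
            if (dirs < 2) { print "only " dirs " direction(s) agreed on"; bad++ }
            if (bad) exit 1
            exit 0
        }'
}

# Write the constructed dumps to temp files and compare them; $1 is
# "good" or "bad".  Returns compare_sas' exit status.
demo() {
    l=$(mktemp); r=$(mktemp)
    sample_local > "$l"
    if [ "$1" = good ]; then sample_remote_good > "$r"; else sample_remote_bad > "$r"; fi
    compare_sas "$l" "$r"; rc=$?
    rm -f "$l" "$r"
    return $rc
}

# Stand-alone run: the agreeing pair passes, the mismatched pair is flagged.
demo good && echo "good pair: SAs match on both sides"
demo bad  || echo "bad pair: mismatch detected"
```

On real hosts, replace the samples with `setkey -D > local.txt` on one side and `setkey -D > remote.txt` on the other, captured in the window the reply names (after negotiation, before the DPD failure), then run `compare_sas local.txt remote.txt`. An empty table on one side is itself the answer: phase 1 finished but no phase 2 SA was ever installed, which is what the quoted log suggests.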


