LinuxQuestions.org, Linux - Networking forum
01-17-2005, 06:23 AM   #1
Furbo
LQ Newbie
 
Registered: Nov 2004
Posts: 1

Problems w. Racoon/Pluto Interoperability


Hi !

I've got a problem making a VPN connection between a Linux roadwarrior running KAME's racoon IKE daemon with the Linux kernel 2.6 IPsec stack and a gateway with a dynamic IP address using dyn DNS. The gateway is running FreeS/WAN 2.04 on a 2.4 kernel. It has been in production for a year and is running smoothly with Windows 2000 and XP roadwarriors. So I think the configuration of my Mandrake Linux 10.1 is the problem. On the client machine I'm also running a Windows XP installation from which I can connect to the VPN!

Here are the log messages of the client and the gateway when trying to establish a connection via an ICMP echo request from roadwarrior to gateway:

Roadwarrior racoon.log:
client: INFO: @(#)ipsec-tools 0.5-rc1 (<url removed because of forums spam check>)
client: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (<url removed because of forums spam check>)
2005-01-14 16:04:32: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
client: INFO: 192.168.0.101[500] used as isakmp port (fd=7)
client: INFO: ::1[500] used as isakmp port (fd=8)
client: INFO: fe80::211:2fff:fe13:f3f%eth0[500] used as isakmp port (fd=9)
client: INFO: IPsec-SA request for <gateway's ip> queued due to no phase1 found.
client: INFO: initiate new phase 1 negotiation: 192.168.0.101[500]<=>80.138.164.3[500]
client: INFO: begin Identity Protection mode.
client: INFO: ISAKMP-SA established 192.168.0.101[500]-<gateway's ip>[500] spi:bff1bb588fe6b88d:1b1fecc2d8ebf346
client: INFO: initiate new phase 2 negotiation: 192.168.0.101[0]<=>80.138.164.3[0]
client: ERROR: pfkey UPDATE failed: Protocol not available
client: ERROR: pfkey ADD failed: Protocol not available

Those two last error messages make me wonder which protocol may be missing. The strange thing is that the FreeS/WAN server thinks the handshake was successful and says the IPsec SA has been established. In fact only phase 1 of IKE is successful.

Log of freeswan gateway:
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: responding to Main Mode from unknown peer <clients router adress>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: Peer ID is ID_DER_ASN1_DN: <Zert_ASN_String>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: crl update is overdue since Nov 30 20:33:18 UTC 2004
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: sent MR3, ISAKMP SA established
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: responding to Quick Mode
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: IPsec SA established {ESP=>0x02552400 <0x20a747fa}
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: received Delete SA payload: deleting ISAKMP State #1


I tried two different configurations of the ipsec-tools with:

./configure --enable-natt --enable-adminport --with-kernel-headers=/usr/src/linux-2.6.8.1-10mdk/include --enable-gssapi --enable-hybrid --enable-frag --enable-dpd --enable-samode-unspec
make
make install

and

./configure
make
make install

and still got the same behaviour.

I also checked that all needed ciphers and protocols are supported by my kernel. Well, at least I think that I checked them all:
3des, md5, sha1; ipsec; rsasig; hmac

I append the racoon and setkey config for further info:

setkey policies:
flush;
spdflush;
spdadd 192.168.0.101/32 53.0.0.0/8 any -P out ipsec
esp/tunnel/192.168.0.101-<gateway's ip>/require;
spdadd 53.0.0.0/8 192.168.0.101 any -P in ipsec
esp/tunnel/<gateway's ip>-192.168.0.101/require;


racoon.conf:
path certificate "/etc/ssl/canorisCA";
remote <gateway's ip> {
exchange_mode main;

certificate_type x509 "zertificate-file" "decrypted_private_key_file";
verify_cert on;
verify_identifier on;
my_identifier asn1dn;
peers_identifier asn1dn <asn1 zert id>;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


As you can see I'm using X.509 certificates for authentication. Just to rule out that the certs are the problem:
they are the same ones I use for the VPN connection on my Windows XP installation. And phase 1 of IKE is successful. Something with the handshaking of the ESP encryption goes wrong, I think. Maybe there are some other points to deal with when interoperating FreeS/WAN and KAME?

Help is very much appreciated.

Thanks in advance.


Jan


P.S. Is there an elegant way to specify a gateway with a DNS name, because the IP changes at least once a day? Or do I have to write a shell script that gets the current IP, rewrites my config and restarts everything?
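The post asks which protocol "pfkey UPDATE failed: Protocol not available" refers to and lists the kernel features the poster believes are present. The script below is an added example, not code from the thread, ipsec-tools or FreeS/WAN: it reads the running kernel's config and /proc/crypto and reports which of the options and algorithms behind the posted proposal (ESP tunnel, PF_KEY for setkey/racoon, 3DES/MD5/SHA1, deflate IPComp) are absent. The file locations, and the assumption that a missing ESP transform is what makes a 2.6 kernel answer a pfkey ADD/UPDATE for an ESP SA with that error, are mine; verify them against your own kernel. Racoon's "3des" is registered with the crypto API as des3_ede, and an algorithm built as a module shows up in /proc/crypto only once that module is loaded, which is why the config file is checked as well.

```python
"""Check a Linux kernel for the IPsec transforms and ciphers racoon needs.

Added example for this thread (not from ipsec-tools or FreeS/WAN).
Assumptions: the kernel config is readable at /boot/config-<uname -r>
or /proc/config.gz (not every distribution ships either), and /proc/crypto
uses the 'key : value' block format of 2.6 kernels.
"""
import gzip
import os
import re

# Kernel options behind the protocols and algorithms in the posted proposal.
REQUIRED_OPTIONS = {
    "CONFIG_INET_ESP": "ESP transform; pfkey ADD of an ESP SA fails without it",
    "CONFIG_NET_KEY": "PF_KEY socket used by setkey and racoon",
    "CONFIG_INET_IPCOMP": "IPComp transform behind compression_algorithm deflate",
    "CONFIG_CRYPTO_DES": "encryption_algorithm 3des (des3_ede)",
    "CONFIG_CRYPTO_MD5": "hash_algorithm md5 / hmac_md5",
    "CONFIG_CRYPTO_SHA1": "sha1",
    "CONFIG_CRYPTO_DEFLATE": "compression_algorithm deflate",
}

# Names the crypto API registers; what racoon calls '3des' is des3_ede.
REQUIRED_ALGOS = {"des3_ede", "md5", "sha1", "deflate"}


def parse_kernel_config(text):
    """Map CONFIG_* symbol -> 'y', 'm', or 'n' for '# ... is not set' lines."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(\w+)", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def parse_proc_crypto(text):
    """Return the set of algorithm names currently registered with the crypto API."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^name\s*:\s*(\S+)", line)
        if m:
            names.add(m.group(1))
    return names


def missing_support(config_text, crypto_text):
    """Return (missing kernel options, algorithms not registered) for the proposal.

    A name missing from /proc/crypto while its CONFIG_* option is 'm' just
    means the module has not been loaded yet; a missing option cannot be fixed
    by loading anything.
    """
    opts = parse_kernel_config(config_text)
    missing_opts = sorted(o for o in REQUIRED_OPTIONS if opts.get(o, "n") == "n")
    missing_algos = sorted(REQUIRED_ALGOS - parse_proc_crypto(crypto_text))
    return missing_opts, missing_algos


def load_kernel_config():
    """Read the running kernel's config; return '' if none is available."""
    path = "/boot/config-" + os.uname().release
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    return ""


# Constructed sample input: a config with ESP compiled out and a crypto table
# without deflate, i.e. a kernel that would reject the posted SA.
SAMPLE_CONFIG = """\
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_INET_IPCOMP=m
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DEFLATE=m
"""

SAMPLE_PROC_CRYPTO = """\
name         : des3_ede
driver       : des3_ede-generic
type         : cipher

name         : md5
driver       : md5-generic
type         : digest

name         : sha1
driver       : sha1-generic
type         : digest
"""

if __name__ == "__main__":
    # Use the real kernel where readable, the constructed sample otherwise.
    config = load_kernel_config() or SAMPLE_CONFIG
    try:
        with open("/proc/crypto") as f:
            crypto = f.read()
    except OSError:
        crypto = SAMPLE_PROC_CRYPTO
    opts, algos = missing_support(config, crypto)
    for o in opts:
        print("missing kernel option %s: %s" % (o, REQUIRED_OPTIONS[o]))
    for a in algos:
        print("algorithm %s not registered in /proc/crypto (module not loaded?)" % a)
    if not opts and not algos:
        print("kernel has everything the racoon proposal needs")
```

Run it on the roadwarrior before touching racoon.conf again; against the constructed sample it reports CONFIG_INET_ESP missing and deflate unregistered, which is the kind of gap the posted error points at.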
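The P.S. asks whether a gateway with a dynamic address has to be handled by a script that fetches the current IP, rewrites the config and restarts everything. The following is an added example of exactly that script, written for this thread and not part of ipsec-tools, racoon or the poster's setup. It resolves the gateway's DNS name, validates that the answer is a plain IPv4 address before templating it into anything, and rewrites both files and restarts only when the address differs from the one recorded at the last run. The DNS name, file paths, certificate paths and restart commands are placeholders to adapt; the setkey and racoon.conf templates mirror the blocks posted above.

```python
"""Regenerate setkey/racoon config when a dynamic-DNS gateway changes address.

Added example for this thread, not code from ipsec-tools or the poster.
Assumptions (placeholders): the gateway's DNS name, the config and state
file paths, the certificate file names and the restart commands.
"""
import ipaddress
import os
import socket
import subprocess
import tempfile

CLIENT_IP = "192.168.0.101"                  # roadwarrior address from the thread
REMOTE_NET = "53.0.0.0/8"                    # subnet behind the gateway from the thread
GATEWAY_NAME = "vpn-gateway.example.net"     # placeholder dyndns name
STATE_FILE = "/var/run/ipsec-gateway.ip"     # placeholder: last address seen
SETKEY_FILE = "/etc/racoon/setkey.conf"      # placeholder
RACOON_FILE = "/etc/racoon/racoon.conf"      # placeholder


def render_setkey(gateway_ip, client_ip=CLIENT_IP, remote_net=REMOTE_NET):
    """Build the two SPD entries from the thread with the resolved address filled in."""
    return (
        "flush;\n"
        "spdflush;\n"
        f"spdadd {client_ip}/32 {remote_net} any -P out ipsec\n"
        f"    esp/tunnel/{client_ip}-{gateway_ip}/require;\n"
        f"spdadd {remote_net} {client_ip}/32 any -P in ipsec\n"
        f"    esp/tunnel/{gateway_ip}-{client_ip}/require;\n"
    )


def render_racoon(gateway_ip):
    """Build the remote/sainfo blocks from the thread; cert names are placeholders."""
    return (
        'path certificate "/etc/ssl/canorisCA";\n'
        f"remote {gateway_ip} {{\n"
        "    exchange_mode main;\n"
        '    certificate_type x509 "CLIENT_CERT_FILE" "CLIENT_KEY_FILE";\n'
        "    verify_cert on;\n"
        "    verify_identifier on;\n"
        "    my_identifier asn1dn;\n"
        '    peers_identifier asn1dn "GATEWAY_ASN1DN";\n'
        "    proposal {\n"
        "        encryption_algorithm 3des;\n"
        "        hash_algorithm md5;\n"
        "        authentication_method rsasig;\n"
        "        dh_group 2;\n"
        "    }\n"
        "}\n"
        "sainfo anonymous {\n"
        "    pfs_group 2;\n"
        "    encryption_algorithm 3des;\n"
        "    authentication_algorithm hmac_md5;\n"
        "    compression_algorithm deflate;\n"
        "}\n"
    )


def read_state(path):
    """Last address written by a previous run, or None."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def write_atomic(path, content):
    """Write via a temp file and rename so racoon never reads a half-written config."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o600)  # racoon.conf names the private key file; keep it private
    os.replace(tmp, path)


def restart_ipsec(gateway_ip):
    """Placeholder restart: load the new SPD, then restart racoon."""
    subprocess.run(["setkey", "-f", SETKEY_FILE], check=True)
    subprocess.run(["/etc/init.d/racoon", "restart"], check=True)


def update_if_changed(current_ip, last_ip, writer, restarter):
    """Rewrite config and restart only when the gateway address changed.

    The resolved value is checked to be an IPv4 literal before it is placed
    into a config file; a bad DNS answer raises ValueError instead.
    Returns True when a rewrite happened.
    """
    ipaddress.IPv4Address(current_ip)
    if current_ip == last_ip:
        return False
    writer(SETKEY_FILE, render_setkey(current_ip))
    writer(RACOON_FILE, render_racoon(current_ip))
    restarter(current_ip)
    return True


if __name__ == "__main__":
    ip = socket.gethostbyname(GATEWAY_NAME)
    if update_if_changed(ip, read_state(STATE_FILE), write_atomic, restart_ipsec):
        write_atomic(STATE_FILE, ip + "\n")
        print("gateway moved to", ip, "- config rewritten and racoon restarted")
```

Run it from cron every few minutes; because it compares against the recorded address, racoon is restarted only on the one run after the gateway actually moves, and the existing tunnel is left alone otherwise.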
 
  

