LinuxQuestions.org, Linux - Networking forum
Old 02-01-2007, 07:08 AM   #1
etzvetanov
racoon as a server to Cisco VPN client


Hi all,

I have ipsec-tools-0.6.6 compiled. I have
the VPN working and it is pretty good, but I have a
problem connecting from a Cisco VPN client to it.

Please, any expert... I need a hint.

I have set routing between all networks as needed.

Here is my racoon setup script:

Code:
###### racoon configuration file
#
#

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/conf/psk.txt";

remote anonymous {
        # the Cisco VPN client (group + xauth) negotiates aggressive mode
        exchange_mode aggressive;
        # server certificate and private key, relative to "path certificate"
        certificate_type x509 "myhost.crt" "myhost.key";
        # xauth_login is a client-side directive in racoon.conf(5); it is
        # parsed but not used when this host acts as hybrid_rsa_server
        xauth_login <some_id_in_psk.txt>;
        my_identifier asn1dn;
        lifetime time 2147483 sec;
        proposal_check obey;
        generate_policy on;
        nat_traversal on;
        # in hybrid auth the client sends no certificate; it is the client
        # that verifies the server certificate
        verify_cert off;
        peers_certfile "cvpn.crt";
        passive on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        network4 192.168.34.0;
        netmask4 255.255.255.0;
        dns4 <dns_ip_here>;
#        wins4 <wins_ip_here> (none);
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
#        encryption_algorithm 3des, rijndael;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        #authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

############## End of file ############
Here is also some racoon log (multigroup authentication set on the Cisco VPN client):

Code:
Jan 30 13:14:49 somehost racoon: INFO: <some_network_ip_here>[4500] used as isakmp port (fd=10)
Jan 30 13:14:49 somehost racoon: INFO: <same_network_ip_here>[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port (fd=13)
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port (fd=14)
Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used as isakmp port (fd=15)
Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used as isakmp port (fd=16)
Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation: <my_ip_here>[500]<=><peer_ip_here>[500]
Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: DPD
Jan 30 13:15:46 somehost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 30 13:15:46 somehost racoon: INFO: Hashing <peer_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: INFO: Hashing <my_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
The Cisco VPN client log:

Code:
Peer supports DPD
<down to this point the negotiation was fine>
181    13:39:28.968  01/30/07  Sev=Warning/3 IKE/0xE300007B Failed to verify signature
182    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE3000099 Failed to authenticate peer (Navigator:904)
183    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to <my_ip_here>
184    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to <my_ip_here>
185    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE30000A5 Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
186    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
187    13:39:29.875  01/30/07  Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
188    13:39:29.875  01/30/07  Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "<some IP here>" because of "DEL_REASON_IKE_NEG_FAILED"
189    13:39:29.875  01/30/07  Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
190    13:39:29.875  01/30/07  Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
191    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
192    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
193    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
194    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
"Failed to verify signature" means that the password is not recognized, but I have my psk.txt file set with the proper passwords. Except if it means something else...

When I use certificates it is even worse -- I only get the following line in racoon's logs:

Code:
Jan 30 13:51:45 somehost racoon: ERROR: not acceptable Identity Protection mode

Thanks in advance!
ET
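Added here as an example that is not from the original post and not part of ipsec-tools: a small Python linter for the racoon.conf grammar used above (brace blocks, `;`-terminated statements, `#` comments, comma-separated lists). It reports a statement that lacks its `;` (the `xauth_login` line in the posted config is one such run, which makes racoon reject the file), and then flags the settings a reviewer of this config would question: `verify_cert off`, aggressive mode, especially when paired with `pre_shared_key`, 3DES/Blowfish/MD5 in the proposals, and a phase-1 lifetime longer than a day. The directive list, the weak-algorithm sets and the 86400 s threshold are my assumptions, not racoon's; the config text embedded in the script is a constructed copy of the posted one with placeholder names.

```python
"""Lint a racoon.conf fragment: parse blocks and statements, report missing
';', and flag weak or unsafe IKE settings.  Example for this thread, not
ipsec-tools code; SAMPLE_CONF is a constructed copy of the posted config."""
import re

SAMPLE_CONF = r'''
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/conf/psk.txt";

remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "myhost.crt" "myhost.key";
        xauth_login someid
        my_identifier asn1dn;
        lifetime time 2147483 sec;
        verify_cert off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;   # commas separate list items
        authentication_algorithm hmac_sha1, hmac_md5;
}
'''

# Directives that can only begin a statement (assumed list); one of them in the
# middle of a ';'-terminated run means the previous statement lost its ';'.
KEYWORDS = {
    'path', 'exchange_mode', 'certificate_type', 'xauth_login', 'my_identifier',
    'lifetime', 'proposal_check', 'generate_policy', 'nat_traversal', 'verify_cert',
    'peers_certfile', 'passive', 'encryption_algorithm', 'hash_algorithm',
    'authentication_method', 'dh_group', 'pfs_group', 'authentication_algorithm',
    'compression_algorithm', 'network4', 'netmask4', 'dns4', 'wins4',
}
WEAK_CIPHERS = {'des', '3des', 'blowfish', 'cast128'}     # assumed policy
WEAK_HASHES = {'md5', 'hmac_md5'}
UNIT = {'sec': 1, 'second': 1, 'min': 60, 'minute': 60, 'hour': 3600}
MAX_PHASE1_SECONDS = 86400                                # assumed policy, one day
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};,]+')         # commas are dropped


def tokenize(text):
    toks = []
    for line in text.splitlines():
        toks.extend(TOKEN_RE.findall(line.split('#', 1)[0]))  # '#' starts a comment
    return toks


def split_run(words):
    """Split one ';'-terminated run at interior keywords (each split = a missing ';')."""
    parts, start = [], 0
    for i in range(1, len(words)):
        if words[i] in KEYWORDS:
            parts.append(words[start:i])
            start = i
    parts.append(words[start:])
    return parts


def parse(text):
    """Return (statements, errors); a statement is (block_path, directive, args)."""
    stmts, errors, stack, cur = [], [], [], []
    for tok in tokenize(text):
        if tok == '{':                      # words so far are the block header
            stack.append(' '.join(cur))
            cur = []
        elif tok == ';':
            if cur:
                parts = split_run(cur)
                for n, part in enumerate(parts):
                    if n:
                        errors.append("missing ';' after '%s' in %s"
                                      % (' '.join(parts[n - 1]), '/'.join(stack) or '(global)'))
                    stmts.append((tuple(stack), part[0], part[1:]))
                cur = []
        elif tok == '}':
            if cur:
                errors.append("missing ';' before '}' in %s" % '/'.join(stack))
                cur = []
            if stack:
                stack.pop()
            else:
                errors.append("unbalanced '}'")
        else:
            cur.append(tok)
    if stack:
        errors.append("unclosed block: " + '/'.join(stack))
    if cur:
        errors.append("trailing text without ';': " + ' '.join(cur))
    return stmts, errors


def lint(text):
    """Return findings as (severity, location, message)."""
    stmts, errors = parse(text)
    findings = [('error', '(parse)', e) for e in errors]
    for path, d, args in stmts:
        where, block = '/'.join(path) or '(global)', path[:1]
        if d == 'verify_cert' and args == ['off']:
            findings.append(('warn', where, "verify_cert off: peer certificate is never validated"))
        elif d == 'exchange_mode' and 'aggressive' in args:
            # Aggressive mode sends identities and the PSK-derived hashes unencrypted,
            # which is what offline PSK crackers consume; with RSA/hybrid it only leaks IDs.
            psk = any(p[:1] == block and d2 == 'authentication_method' and 'pre_shared_key' in a2
                      for p, d2, a2 in stmts)
            findings.append(('warn', where, "aggressive mode with pre_shared_key: PSK hash exposed to offline cracking")
                            if psk else ('info', where, "aggressive mode: identities sent unencrypted"))
        elif d == 'encryption_algorithm' and set(args) & WEAK_CIPHERS:
            findings.append(('warn', where, "weak cipher(s) offered: " + ', '.join(sorted(set(args) & WEAK_CIPHERS))))
        elif d in ('hash_algorithm', 'authentication_algorithm') and set(args) & WEAK_HASHES:
            findings.append(('warn', where, "weak hash(es) offered: " + ', '.join(sorted(set(args) & WEAK_HASHES))))
        elif d == 'lifetime' and len(args) == 3 and args[0] == 'time' and block and block[0].startswith('remote'):
            secs = int(args[1]) * UNIT.get(args[2].rstrip('s'), 0)   # phase-1 lifetime in seconds
            if secs > MAX_PHASE1_SECONDS:
                findings.append(('warn', where, "phase-1 lifetime %d s exceeds %d s" % (secs, MAX_PHASE1_SECONDS)))
    return findings


if __name__ == '__main__':
    for sev, where, msg in lint(SAMPLE_CONF):
        print('%-5s %-26s %s' % (sev, where, msg))
```

Run it as is to see the findings for the embedded sample, or call `lint(open('/etc/racoon/racoon.conf').read())` against a real file. What it cannot check offline is the part the Cisco client complains about: in hybrid mode the client verifies the server's RSA signature using the server certificate, so `myhost.crt` and `myhost.key` must be a matching pair (`openssl x509 -noout -modulus -in myhost.crt` and `openssl rsa -noout -modulus -in myhost.key` must print the same modulus) and the client must trust that certificate.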
 
  

