racoon as a server to Cisco VPN client

etzvetanov · 02-01-2007, 07:08 AM

Hi all,

I have ipsec-tools-0.6.6 compiled. I have
the VPN working and it is pretty good, but I have a
problem connecting from a Cisco VPN client to it.

Please, any expert... I need a hint.

I have set routing between all networks as needed.

Here is my racoon setup script:

Code:

###### racoon configuration file
#
#

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/conf/psk.txt";

remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "myhost.crt"
"myhost.key";
        xauth_login <some_id_in_psk.txt>
        my_identifier asn1dn;
        lifetime time 2147483 sec;
        proposal_check obey;
        generate_policy on;
        nat_traversal on;
        verify_cert off;
        peers_certfile "cvpn.crt";
        passive on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method
hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        network4 192.168.34.0;
        netmask4 255.255.255.0;
        dns4 <dns_ip_here>;
#        wins4 <wins_ip_here> (none);
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
#        encryption_algorithm 3des, rijndael;
        encryption_algorithm 3des, blowfish 448,
rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        #authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

############## End of file ############

Here is also some racoon log (multigroup
authentication set on the Cisco VPN client):

Code:

Jan 30 13:14:49 somehost racoon: INFO: <some_network_ip_here>[4500] used as isakmp port(fd=10)
Jan 30 13:14:49 somehost racoon: INFO: <same_network_ip_here>[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500]used as isakmp port (fd=11)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500]used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500]used as isakmp port (fd=12)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500]used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port (fd=13)
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port (fd=14)
Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used as isakmp port (fd=15)
Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used as isakmp port (fd=16)
Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation:
<my_ip_here>[500]<=><peer_ip_here>[500]
Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: DPD
Jan 30 13:15:46 somehost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 30 13:15:46 somehost racoon: INFO: Hashing <peer_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: INFO: Hashing <my_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up.
d323fbd4271cee91:019b13d5c189eefa

The Cisco VPN client log:

Code:

Peer supports DPD
<down to this point the negotiation was fine>
181    13:39:28.968  01/30/07  Sev=Warning/3 IKE/0xE300007B Failed to verify signature
182    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE3000099 Failed to authenticate peer (Navigator:904)
183    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to <my_ip_here>
184    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to <my_ip_here>
185    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE30000A5 Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
186    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion 
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
187    13:39:29.875  01/30/07  Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3)reason = DEL_REASON_IKE_NEG_FAILED
188    13:39:29.875  01/30/07  Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "<some IP here>" because of "DEL_REASON_IKE_NEG_FAILED"
189    13:39:29.875  01/30/07  Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
190    13:39:29.875  01/30/07  Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
191    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
192    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
193    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x63700014 Deleted all keys
194    13:39:29.906  01/30/07  Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

"Failed to verify signature" means that the password is not recognized, but I have my pks.txt file set woth the proper passwords. Except if it means something else...

When I use certificates it is even worse -- I only get
the following line in racoon's logs:

Jan 30 13:51:45 somehost racoon: ERROR: not acceptable
Identity Protection mode

Thanks in advance!
ET