Hi all,
I have ipsec-tools-0.6.6 compiled. I have the VPN working and it is pretty good, but I have a problem connecting from a Cisco VPN client to it.
Please, any expert... I need a hint.
I have set routing between all networks as needed.
Here is my racoon setup script:
Code:
###### racoon configuration file
#
#
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/conf/psk.txt";

remote anonymous {
        exchange_mode aggressive;
        # gateway certificate and private key (relative to "path certificate")
        certificate_type x509 "myhost.crt" "myhost.key";
        xauth_login <some_id_in_psk.txt>;
        my_identifier asn1dn;
        lifetime time 2147483 sec;
        proposal_check obey;
        generate_policy on;
        nat_traversal on;
        verify_cert off;
        peers_certfile "cvpn.crt";
        passive on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        network4 192.168.34.0;
        netmask4 255.255.255.0;
        dns4 <dns_ip_here>;
        # wins4 <wins_ip_here> (none);
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 12 hour;
        # encryption_algorithm 3des, rijndael;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        #authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
############## End of file ############
Here is also some racoon log (multigroup authentication set on the Cisco VPN client):
Code:
Jan 30 13:14:49 somehost racoon: INFO: <some_network_ip_here>[4500] used as isakmp port(fd=10)
Jan 30 13:14:49 somehost racoon: INFO: <same_network_ip_here>[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port (fd=13)
Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port (fd=14)
Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used as isakmp port (fd=15)
Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used as isakmp port (fd=16)
Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation: <my_ip_here>[500]<=><peer_ip_here>[500]
Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: DPD
Jan 30 13:15:46 somehost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 30 13:15:46 somehost racoon: INFO: Hashing <peer_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: INFO: Hashing <my_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
The Cisco VPN client log:
Code:
Peer supports DPD
<down to this point the negotiation was fine>
181 13:39:28.968 01/30/07 Sev=Warning/3 IKE/0xE300007B Failed to verify signature
182 13:39:28.968 01/30/07 Sev=Warning/2 IKE/0xE3000099 Failed to authenticate peer (Navigator:904)
183 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to <my_ip_here>
184 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to <my_ip_here>
185 13:39:28.968 01/30/07 Sev=Warning/2 IKE/0xE30000A5 Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
186 13:39:28.968 01/30/07 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
187 13:39:29.875 01/30/07 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3)reason = DEL_REASON_IKE_NEG_FAILED
188 13:39:29.875 01/30/07 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "<some IP here>" because of "DEL_REASON_IKE_NEG_FAILED"
189 13:39:29.875 01/30/07 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
190 13:39:29.875 01/30/07 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
191 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
192 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
193 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
194 13:39:29.906 01/30/07 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
"Failed to verify signature" means that the password is not recognized, but I have my psk.txt file set with the proper passwords. Except if it means something else...
When I use certificates it is even worse -- I only get the following line in racoon's logs:
Jan 30 13:51:45 somehost racoon: ERROR: not acceptable Identity Protection mode
Thanks in advance!
ET
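Added example (not part of the original post, and not the poster's file): a racoon.conf for ipsec-tools 0.6.x that accepts Cisco VPN Client connections using hybrid RSA/XAuth authentication. Three points from racoon.conf(5) shape it. First, `hybrid_rsa_server` means the gateway authenticates itself to the client with an RSA signature over its own certificate and the client is authenticated afterwards by XAuth, so the client must already trust the CA that issued the gateway certificate for its phase 1 signature check to succeed. Second, `xauth_login` is a client-side directive (the login a racoon *client* sends in hybrid mode); on the server the XAuth credentials are checked through `auth_source` in `mode_cfg`, so it is left out here. Third, "Identity Protection" is racoon's name for main mode, which a `remote` block listing only `exchange_mode aggressive;` will refuse; Cisco clients configured for certificates negotiate in main mode, so both modes are allowed. It also turns `verify_cert` back on, since `verify_cert off` accepts any peer certificate without validation. Every address, file name, pool size and lifetime below is an assumption to be replaced with your own values.

```conf
# Example racoon.conf (ipsec-tools 0.6.x) for Cisco VPN Client peers
# with hybrid RSA/XAuth authentication. Added illustration; all
# addresses, file names and sizes are placeholders.

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        # Bind only the public interface (placeholder address).
        isakmp 203.0.113.10 [500];
        isakmp_natt 203.0.113.10 [4500];
}

remote anonymous {
        # Group-password clients use aggressive mode; certificate
        # clients use main mode ("Identity Protection"). Allow both.
        exchange_mode main, aggressive;

        # The gateway signs phase 1 with this certificate's key; the
        # client must trust the CA that issued gateway.crt.
        certificate_type x509 "gateway.crt" "gateway.key";
        my_identifier asn1dn;

        # Validate any certificate a peer presents against our CA
        # instead of accepting it blindly with verify_cert off.
        verify_cert on;
        ca_type x509 "ca.crt";

        # Install SPD entries from the client's proposal, honour the
        # NAT-T and FRAGMENTATION vendor IDs the Cisco client sends.
        generate_policy on;
        nat_traversal on;
        ike_frag on;
        passive on;
        proposal_check obey;

        # Dead peer detection so abandoned client SAs are cleaned up.
        dpd_delay 20;

        # Bounded phase 1 lifetime rather than years (placeholder).
        lifetime time 8 hour;

        # No xauth_login here: that is the client-side directive.
        # XAuth users are checked via mode_cfg { auth_source ... }.
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        # XAuth logins are checked against local system accounts.
        auth_source system;
        conf_source local;

        # Address pool handed to clients: first address and count
        # (placeholders).
        network4 192.168.34.10;
        netmask4 255.255.255.0;
        pool_size 50;
        dns4 192.168.34.2;

        # Tell Cisco Unity clients to use PFS; do not let them cache
        # the XAuth password.
        pfs_group 2;
        save_passwd off;
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

Before loading it, `racoon -C -f /etc/racoon/racoon.conf` dumps the parsed configuration and will fail on a missing semicolon or unknown directive; `racoon -F -d -f /etc/racoon/racoon.conf` then runs it in the foreground with debug logging so the phase 1 exchange can be watched while the Cisco client connects.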