LinuxQuestions.org

Linux - Networking: https://www.linuxquestions.org/questions/linux-networking-3/racoon-vpn-connection-problem-to-netscreen-firewall-553153/

bence8810 05-11-2007 10:23 AM

Racoon VPN connection problem to Netscreen Firewall
 
Hi

I am trying to connect to our corporate VPN, but before even attempting to connect to the actual box, I set up another Netscreen for testing purposes; however, I am unable to connect to this unit somehow.
The reason for the test is that I don't have access to the corporate firewall to see the logs, and I don't want to piss our IT off by "seemingly" attacking their system.

I followed this tutorial for the Netscreen setup:

http://www.bluetrait.com/archive/200...o-a-netscreen/

(I followed the first part only, to set up the firewall)

Then I followed this to set up racoon:

http://www.bluetrait.com/archive/200...en-vpn-dialup/

All went well, except I am unable to make any kind of connection, and I am sure the problem is with me, as I am new to Linux, and especially to VPNs.

Here I paste the related config file from the Netscreen (with forged information):

Code:

set user "bfrank.user" uid 1
set user "bfrank.user" ike-id fqdn "bfrank.user" share-limit 1
set user "bfrank.user" type  ike
set user "bfrank.user" "enable"
set ike gateway "bfrank.userP1" dialup "bfrank.user" Aggr outgoing-interface "untrust" preshare "scrambled_passcode" proposal "pre-g2-des-md5"
set ike gateway "bfrank.userP1" cert peer-ca all
unset ike gateway "bfrank.userP1" nat-traversal
set ike respond-bad-spi 1
set vpn "bfrank.userP2" gateway "bfrank.userP1" replay tunnel idletime 0 proposal "g2-esp-des-md5"
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "bfrank.user" from "Untrust" to "Trust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "bfrank.userP2" id 1
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust

Here I paste my /etc/racoon/racoon.conf

Code:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";   # not a certificate directory; unused here because Phase 1 uses pre_shared_key

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;      # enable strict check.
    exclusive_tail off;    # extract last one octet.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;
}

# Phase 1 (IKE) towards the Netscreen dial-up gateway "bfrank.userP1"
remote  VPN-PUBLIC-IP {
  exchange_mode aggressive;          # the gateway is defined with "Aggr"
  doi ipsec_doi;
  situation identity_only;
  my_identifier fqdn "bfrank.user";  # must equal the Netscreen user's "ike-id fqdn"
  peers_identifier address;          # the gateway identifies itself by its IP
  verify_identifier off;
  lifetime time 28800 seconds;
  initial_contact on;
  passive off;
  proposal_check obey;
  support_proxy on;                  # was "support_mip6 on", which racoon itself reports as obsolete
  generate_policy off;               # policies come from the kernel SPD loaded with setkey
  nonce_size 16;
  proposal {                         # mirrors the gateway's "pre-g2-des-md5"; DES/MD5 are weak and
    encryption_algorithm des;        # kept only because the gateway proposal requires them
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;               # DH group 2
  }
}

# Phase 2 (IPsec SA) mirrors the gateway's "g2-esp-des-md5"
sainfo address CLIENT-INTERNAL-IP any address VPN-INTERNAL-NETWORK/24 any {
  pfs_group modp1024;                # PFS group 2
  lifetime time 3600 seconds;
  encryption_algorithm des;
  authentication_algorithm hmac_md5;
  compression_algorithm deflate;
}

listen {
  isakmp CLIENT-INTERNAL-IP;         # local address racoon binds UDP/500 on
}

log debug2;

This is my /etc/racoon/psk.txt

Code:

# peer identifier (here the gateway's address)   pre-shared key
VPN-PUBLIC-IP    SCRAMBLED-PASSCODE

And here is my /etc/ipsec.conf

Code:

#!/usr/sbin/setkey -f
# Load with: setkey -f /etc/ipsec.conf
# racoon only negotiates for policies that are already present in the kernel SPD.
# (NAT traversal is a racoon.conf "remote" option, "nat_traversal on;", not a setkey directive.)
flush;
spdflush;
#out
spdadd CLIENT_INTERNAL_IP VPN_INTERNAL_NETWORK/24 any
    -P out ipsec esp/tunnel/CLIENT_INTERNAL_IP-VPN_PUBLIC_IP/require;
#in
spdadd VPN_INTERNAL_NETWORK/24 CLIENT_INTERNAL_IP any
    -P in ipsec esp/tunnel/VPN_PUBLIC_IP-CLIENT_INTERNAL_IP/require;

The issue is that I don't even know how to initiate the connection. What I read on Google is that I only need to ping the remote network, which I did, and nothing happens; nothing shows up in the syslog. Then I figured I would start racoon (/usr/sbin/racoon), and then I have the following in my syslog:

Code:

May 11 17:19:57 bfrank-laptop racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
May 11 17:19:57 bfrank-laptop racoon: INFO: @(#)This product linked OpenSSL 0.9.8c 05 Sep 2006 (http://www.openssl.org/)
May 11 17:19:57 bfrank-laptop racoon: WARNING: /etc/racoon/racoon.conf:36: "support_mip6" it is obsoleted.  use "support_proxy".
May 11 17:19:57 bfrank-laptop racoon: DEBUG2: parse successed.
May 11 17:19:57 bfrank-laptop racoon: DEBUG: open /var/run/racoon/racoon.sock as racoon management.
May 11 17:19:57 bfrank-laptop racoon: INFO: CLIENT_INTERNAL_IP[500] used as isakmp port (fd=7)
May 11 17:19:57 bfrank-laptop racoon: INFO: CLIENT_INTERNAL_IP[500] used for NAT-T
May 11 17:19:57 bfrank-laptop racoon: DEBUG: get pfkey X_SPDDUMP message
May 11 17:19:57 bfrank-laptop racoon: DEBUG2:  02120200 02000000 00000000 99420000
May 11 17:19:57 bfrank-laptop racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

There should be more lines, at least that is what I found on Google indicates to me.

Also on the firewall side, I don't see any connection coming in, no requests, no failures. That firewall has a static IP, and all ports are open towards it, but it sits behind a small Cisco 806.

This is what I get once I start racoon and check "lsof -i"

Code:

racoon    17086  root    7u  IPv4  61592      UDP bfrank-laptop.local:isakmp

At this point I feel dead in the water, and don't know where to start. Any suggestions are welcome.

Thanks

Ben
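
An added pre-flight check (example code written for this thread, not from the posts above or from ipsec-tools): it translates the Netscreen's predefined proposal names and the racoon.conf proposal/sainfo sections into one vocabulary so that Phase 1 and Phase 2 parameter mismatches show up before any packet is sent, and it triages the racoon startup log quoted in the post. The ScreenOS naming layout it relies on (pre-g2-des-md5 = preshared key, DH group 2, DES, MD5; g2-esp-des-md5 = PFS group 2, ESP, DES, MD5) and the meaning assigned to each log line are stated as assumptions in the code; the embedded config and log excerpts are constructed from the post.

```python
"""Pre-flight checks for a racoon (ipsec-tools) dial-up client against a NetScreen gateway.
Added example for this thread, not from the posts or from ipsec-tools.  Assumption: ScreenOS
predefined proposal names are <auth>-g<dh>-<enc>-<hash> (Phase 1) and <pfs>-esp-<enc>-<hash> (Phase 2)."""
import re

# racoon keyword -> ScreenOS token
DH_GROUPS = {"modp768": "g1", "modp1024": "g2", "modp1536": "g5"}
HASHES = {"md5": "md5", "sha1": "sha"}
AUTH_METHODS = {"pre_shared_key": "pre", "rsasig": "rsa", "dsssig": "dsa"}
P2_AUTH = {"hmac_md5": "md5", "hmac_sha1": "sha"}

def _enc(alg, key_length):
    """racoon 'aes' + key_length -> ScreenOS 'aes128'; des/3des are spelled the same."""
    return f"aes{key_length or 128}" if alg == "aes" else alg

def _field(block, key):
    """First value of 'key value;' inside a block (a list such as '3des, des' yields its head)."""
    m = re.search(rf"\b{key}\s+([\w/]+)", block)
    return m.group(1) if m else None

def racoon_phase1(conf):
    """Tokens from the first 'proposal { ... }' of a racoon.conf 'remote' section."""
    block = re.search(r"proposal\s*\{(.*?)\}", conf, re.S).group(1)
    return {"auth": AUTH_METHODS.get(_field(block, "authentication_method")),
            "dh": DH_GROUPS.get(_field(block, "dh_group")),
            "enc": _enc(_field(block, "encryption_algorithm"), _field(block, "key_length")),
            "hash": HASHES.get(_field(block, "hash_algorithm"))}

def racoon_phase2(conf):
    """Tokens from the first 'sainfo ... { ... }' section."""
    block = re.search(r"sainfo[^{]*\{(.*?)\}", conf, re.S).group(1)
    pfs = _field(block, "pfs_group")
    return {"pfs": DH_GROUPS.get(pfs) if pfs else None,
            "enc": _enc(_field(block, "encryption_algorithm"), _field(block, "key_length")),
            "auth": P2_AUTH.get(_field(block, "authentication_algorithm"))}

def screenos_phase1(name):
    """'pre-g2-des-md5' -> preshared key, DH group 2, DES, MD5."""
    return dict(zip(("auth", "dh", "enc", "hash"), name.split("-")))

def screenos_phase2(name):
    """'g2-esp-des-md5' -> PFS group 2, ESP, DES, MD5; 'nopfs-...' means no PFS."""
    pfs, _esp, enc, auth = name.split("-")
    return {"pfs": None if pfs == "nopfs" else pfs, "enc": enc, "auth": auth}

def mismatches(ours, theirs):
    """Attributes on which the racoon side would not match the gateway's proposal."""
    return [f"{k}: racoon={ours.get(k)!r} gateway={v!r}" for k, v in theirs.items() if ours.get(k) != v]

# What racoon's startup log lines mean for the client (the interpretation is this example's).
LOG_RULES = [
    (r"X_SPDDUMP failed: No such file or directory",
     "kernel SPD is empty: run 'setkey -f /etc/ipsec.conf' before starting racoon, "
     "otherwise pinging the remote network never triggers a negotiation"),
    (r'"(\w+)" it is obsoleted\.\s+use "(\w+)"', "racoon.conf keyword {0} is obsolete; use {1}"),
    (r"\[500\] used as isakmp port", "racoon is bound to UDP/500, so the client side is listening"),
]

def triage_log(lines):
    findings = []
    for line in lines:
        for pattern, message in LOG_RULES:
            m = re.search(pattern, line)
            if m:
                findings.append(message.format(*m.groups()))
    return findings

# Constructed inputs: the relevant parts of the racoon.conf and syslog quoted in the post.
RACOON_CONF = """
remote VPN-PUBLIC-IP {
  exchange_mode aggressive;
  proposal {
    encryption_algorithm des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;
  }
}
sainfo address CLIENT-INTERNAL-IP any address VPN-INTERNAL-NETWORK/24 any {
  pfs_group modp1024;
  encryption_algorithm des;
  authentication_algorithm hmac_md5;
}
"""
RACOON_LOG = [
    'racoon: WARNING: /etc/racoon/racoon.conf:36: "support_mip6" it is obsoleted.  use "support_proxy".',
    "racoon: INFO: CLIENT_INTERNAL_IP[500] used as isakmp port (fd=7)",
    "racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory",
]

def run_checks(conf=RACOON_CONF, log=RACOON_LOG, p1="pre-g2-des-md5", p2="g2-esp-des-md5"):
    return {"phase1": mismatches(racoon_phase1(conf), screenos_phase1(p1)),
            "phase2": mismatches(racoon_phase2(conf), screenos_phase2(p2)),
            "log": triage_log(log)}

if __name__ == "__main__":
    for section, items in run_checks().items():
        print(f"{section}: {items or 'OK'}")
```

For the configs posted in this thread both phases come back clean, so the proposals are not the problem; the finding that answers the later question of how to start the connection is the `pfkey X_SPDDUMP failed: No such file or directory` line. racoon dumps the kernel security policy database when it starts, and that error means it found nothing, so racoon has no policy to negotiate for and a ping to the remote network never turns into an IKE packet, which is consistent with the Netscreen logging nothing at all. The order on the client is: load the policies with `setkey -f /etc/ipsec.conf`, confirm them with `setkey -DP`, start racoon (in the foreground with `racoon -F -f /etc/racoon/racoon.conf` while debugging), then send traffic that matches the outbound policy; `setkey -D` shows the SAs once Phase 2 completes.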

bence8810 05-13-2007 04:34 AM

Hi

In the meantime I tried it from another laptop running Debian, and I have exactly the same behaviour. It is for sure that I am doing something wrong, and the strange thing is that nothing gets logged on the Netscreen side, as if the request isn't even hitting the firewall, but is stuck and not going out from the Linux client side.

Any help is greatly appreciated,

Thanks

Ben

bence8810 05-14-2007 01:34 PM

Hi

Basically I would like to initiate a dial-up VPN connection using racoon. Let's forget where I am trying to connect.

How do I initiate a dial-up VPN connection from a roaming client to a fixed VPN server?

Thanks for any help,

Ben

bence8810 05-16-2007 08:52 AM

Hi

Just bumping the thread, still looking for a solution, any help would be useful,
Thanks

Ben

bence8810 05-17-2007 04:04 PM

Hi

Still not many responses to this thread :|

In the meantime, I got connected to my test Netscreen box.

The only thing I need now is to connect to the Production VPN gateway.

The problem is with the pre-shared key, which I don't have for the Netscreen. I have its config file, but in that the key is encrypted, and if I try to use that it won't work.

I also have the Windows-based Remote Connect, and that stores the pre-shared key in HEX format in the registry.

Any way to retrieve the ASCII version of the key?

Thanks

Ben

