LinuxQuestions.org

Thread: VPN and racoon (https://www.linuxquestions.org/questions/linux-networking-3/vpn-and-racoon-814916/)

rafalek 06-18-2010 08:23 AM

VPN and racoon
 
Hi, I am trying to configure a VPN but it doesn't want to work.

This is the scheme:
Code:

10.10.1.90 <--> externalIP1 <--> MY external IP

My /etc/ipsec.conf, which I load with setkey -f:

Code:

cat /etc/ipsec.conf
flush;      # drop all SAD entries
spdflush;   # drop all SPD entries
# outbound: traffic from my external IP to 10.10.1.0/24 must go through the ESP tunnel to EXTERNAL_IP1
spdadd MY_EXTERNAL_IP 10.10.1.0/24 any -P out ipsec esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require;
# inbound: traffic from 10.10.1.0/24 to my external IP must arrive through the ESP tunnel from EXTERNAL_IP1
spdadd 10.10.1.0/24 MY_EXTERNAL_IP any -P in ipsec esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require;

My racoon.conf:

Code:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;      # enable strict check.
    exclusive_tail off;    # extract last one octet.
}

listen
{
    isakmp MY_EXTERNAL_IP [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote EXTERNAL_IP1
{
    exchange_mode main, aggressive;
    doi                        ipsec_doi;
    my_identifier address;
    nonce_size 16;
    lifetime time 8 hour;  # sec,min,hour
    initial_contact on;
    proposal_check obey;    # obey, strict or claim
   
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
        lifetime time                28800 sec;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
   
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

And results:

Code:

$setkey -D
No SAD entries.

$setkey -DP
10.10.1.0/24[any] MY_EXTERNAL_IP/24[any] any
        in ipsec
        esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require
        created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
        lifetime: 0(s) validtime: 0(s)
        spid=16415 seq=1 pid=70379
        refcnt=1
MY_EXTERNAL_IP/24[any] 10.10.1.0/24[any] any
        out ipsec
        esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require
        created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
        lifetime: 0(s) validtime: 0(s)
        spid=16414 seq=0 pid=70379
        refcnt=1

Pings don't show anything; all packets are lost.

And part of racoon.log:

Code:

2010-06-18 11:45:00: DEBUG: pk_recv: retry[0] recv()
2010-06-18 11:45:00: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:00: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:00: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:00: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:00: DEBUG: getsainfo pass #2
2010-06-18 11:45:00: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:00: DEBUG:  (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:00: DEBUG: in post_acquire
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: INFO: IPsec-SA request for EXTERNAL_IP1 queued due to no phase1 found.
2010-06-18 11:45:00: ERROR: unknown AF: 0
2010-06-18 11:45:00: DEBUG: ===
2010-06-18 11:45:00: INFO: initiate new phase 1 negotiation: MY_EXTERNAL_IP[500]<=>95.130.250.98[500]
2010-06-18 11:45:00: INFO: begin Identity Protection mode.
2010-06-18 11:45:00: DEBUG: new cookie:
1057cf78f6df7c03
2010-06-18 11:45:00: DEBUG: add payload of len 48, next type 13
2010-06-18 11:45:00: DEBUG: add payload of len 16, next type 0
2010-06-18 11:45:00: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG:
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-18 11:45:00: DEBUG: resend phase1 packet 1057cf78f6df7c03:0000000000000000
2010-06-18 11:45:12: DEBUG: pk_recv: retry[0] recv()
2010-06-18 11:45:12: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:12: DEBUG: Zombie ph2 found, expiring it
2010-06-18 11:45:12: INFO: phase2 sa expired MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:12: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:12: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:12: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:12: DEBUG: getsainfo pass #2
2010-06-18 11:45:12: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:12: DEBUG:  (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:12: DEBUG: in post_acquire
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2010-06-18 11:45:13: INFO: phase2 sa deleted MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:13: DEBUG: an undead schedule has been deleted.
2010-06-18 11:45:20: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG:
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100

What am I doing wrong, and how can I fix it?
I use FreeBSD 6.3.
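The hex dump in the log above is the first ISAKMP message racoon sent, and it is repeated byte-for-byte at 11:45:20 with the responder cookie still all zeros, which is what a retransmit to a silent peer looks like. As an added example (not part of rafalek's post), the script below decodes that dump according to the IKEv1 encoding in RFC 2408/2409 and lists what the phase 1 offer actually contains: main mode, 3DES/MD5/PSK/DH group 2 with a 28800 s lifetime (matching the racoon.conf proposal), plus the Dead Peer Detection vendor ID. The attribute and exchange-type tables are the standard IANA values; only the review wording in `assess()` is the editor's.

```python
import struct

# Hex dump copied from the racoon.log excerpt above (the 11:45:00 and 11:45:20
# dumps are byte-for-byte identical: the second is a retransmit of the first).
RACOON_PKT_HEX = (
    "1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034 "
    "00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 "
    "80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc "
    "77570100"
)

# IKEv1 constants from RFC 2408 (ISAKMP) and RFC 2409 appendix A (attribute classes).
EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive"}
PAYLOAD_SA, PAYLOAD_VID = 1, 13
ATTR_CLASSES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group",
                11: "life_type", 12: "life_duration"}
ENC_3DES, HASH_MD5, AUTH_PSK, GROUP_MODP1024 = 5, 1, 1, 2
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")  # Dead Peer Detection v1.0


def parse_attributes(data):
    """Decode ISAKMP data attributes: TV form when bit 15 of the type is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:
            attrs[ATTR_CLASSES.get(atype & 0x7FFF, atype & 0x7FFF)] = val
            off += 4
        else:  # TLV: 'val' is the length of the value that follows
            attrs[ATTR_CLASSES.get(atype, atype)] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs


def parse_sa(body):
    """SA payload body (after the generic header): DOI, situation, proposals, transforms."""
    transforms, off = [], 8  # skip the 4-byte DOI and 4-byte situation fields
    while off < len(body):
        _nxt, _res, plen, _pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _n, _r, tlen, _tnum, tid, _rr = struct.unpack_from("!BBHBBH", body, toff)
            transforms.append({"proto": proto, "transform_id": tid,
                               **parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        off += plen
    return transforms


def parse_isakmp(hexdump):
    """Parse the 28-byte ISAKMP header and walk the payload chain."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    icookie, rcookie, nxt, _ver, xchg, _flags, _msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match the dump")
    msg = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "exchange": EXCHANGE_TYPES.get(xchg, xchg), "transforms": [], "vendor_ids": []}
    off = 28
    while nxt != 0:
        nxt_next, _res, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if nxt == PAYLOAD_SA:
            msg["transforms"] = parse_sa(body)
        elif nxt == PAYLOAD_VID:
            msg["vendor_ids"].append("DPD" if body == DPD_VID else body.hex())
        nxt, off = nxt_next, off + plen
    return msg


def assess(msg):
    """Findings a reviewer would raise about what this first message tells us."""
    findings = []
    if msg["responder_cookie"] == "00" * 8:
        findings.append("responder cookie is zero: initiator's first message; a repeat of it means the peer never answered")
    for t in msg["transforms"]:
        if t.get("encryption") == ENC_3DES:
            findings.append("3DES-CBC offered (64-bit block), prefer AES")
        if t.get("hash") == HASH_MD5:
            findings.append("MD5 offered as hash/PRF, prefer SHA-2")
        if t.get("dh_group") == GROUP_MODP1024:
            findings.append("DH group 2 (MODP-1024) offered, prefer group 14 or larger")
        if t.get("auth_method") == AUTH_PSK and msg["exchange"] == "Aggressive":
            findings.append("PSK with aggressive mode exposes the PSK hash to offline cracking")
    return findings


if __name__ == "__main__":
    m = parse_isakmp(RACOON_PKT_HEX)
    print(m)
    for f in assess(m):
        print("-", f)
```

Reading the proposal off the wire is the quickest way to check that racoon offered what racoon.conf says, and the unchanged zero responder cookie across the two dumps confirms that nothing came back on UDP 500 from EXTERNAL_IP1 in that window, so the next thing to check is the path to the peer (filtering of UDP 500/ESP) and the peer's own configuration, not the sainfo section.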

johnxcitizen 07-17-2010 08:08 PM

Are you married to BSD for this?
 
I've been trying to get this to work for a few weeks (including on pfSense/BSD), and the thing that worked for me (in VMs) is this. For this, assume that network 1 has IP range 192.168.1.x, and network 2 has IP range 192.168.2.x, and the two networks talk to each other through the "Internet", which is on range 192.168.0.x (that is, on a testbench LAN connection):

* Clean install Debian Lenny (standard system only, nothing extra)
* apt-get install sysvconfig openswan

When openswan installs, say no to opportunistic encryption and do not generate a public key. Then (the SAME on both VPN endpoints, do NOT switch left and right), create these files:

/etc/ipsec.conf (the indented lines start with a tab; the indentation is important):

Code:

config setup
	charonstart=yes #this line probably not required for IKEv1
	plutostart=yes

conn MyVPN
	left=192.168.0.5 # "public" IP of network 1's router
	leftsubnet=192.168.1.0/24
	right=192.168.0.6 # "public" IP of network 2's router
	rightsubnet=192.168.2.0/24
	auto=start
	authby=secret #manpage says that this is the default, but the behavior of openswan says otherwise

/etc/ipsec.secrets:

Code:

192.168.0.5 192.168.0.6 : PSK "mysecretpassword"



Then run "service ipsec restart" on both boxes. Once this is done, run "ipsec setup --status" to see status. If you are having problems, "ipsec barf" will give loads of information about it.


Please be aware that this configuration is a testbench configuration only, you really need to research x509 certificates and the cipher suites to set it up in a secure manner -- but it is much easier to change one setting at a time once you have something basic working.

If you are using virtual servers be aware that entropy will be a problem (especially if running on a 2.6 kernel) -- I think that timer_entropyd is the best solution (unless you can get USB or serial passthrough to work and fit a hardware TRNG). Does anyone know how good the entropy from timer_entropyd is?
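The post above says plainly that its PSK and cipher settings are for a testbench. As an added example (not part of johnxcitizen's post and not openswan's own tooling), the script below generates a PSK with real entropy, renders the same two files with explicit `ike=`/`esp=` proposals, writes ipsec.secrets with mode 0600, and lints a secrets line so a placeholder or short key is caught before the tunnel goes into service. The `ike=aes256-sha1;modp2048` / `esp=aes256-sha1` strings and the 32-byte minimum are the editor's assumptions; confirm the installed openswan accepts them (`ipsec --version`, then `ipsec verify`). `charonstart` is a strongSwan keyword and is left out here.

```python
import os
import re
import secrets
import stat
import tempfile

# "Public" router addresses from the post's testbench layout.
LEFT, RIGHT = "192.168.0.5", "192.168.0.6"
MIN_PSK_BYTES = 32  # assumption: at least 256 bits of entropy for an IKEv1 PSK
PLACEHOLDERS = {"mysecretpassword", "password", "secret", "changeme"}

# <id> [<id> ...] : PSK "<secret>"   (the ipsec.secrets line form used in the post)
SECRETS_RE = re.compile(r'^(?P<ids>\S.*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def generate_psk(nbytes=MIN_PSK_BYTES):
    """URL-safe base64 of nbytes from the OS CSPRNG: no quotes or whitespace to break the parser."""
    return secrets.token_urlsafe(nbytes)


def render_secrets(left, right, psk):
    return f'{left} {right} : PSK "{psk}"\n'


def render_conf(left, right, left_subnet, right_subnet, name="MyVPN"):
    """ipsec.conf identical on both ends (left/right are never swapped), with explicit proposals."""
    # Continuation lines are tab-indented, as openswan's parser expects.
    lines = [
        "config setup",
        "\tplutostart=yes",
        "",
        f"conn {name}",
        f"\tleft={left}",
        f"\tleftsubnet={left_subnet}",
        f"\tright={right}",
        f"\trightsubnet={right_subnet}",
        "\tauthby=secret",
        "\tike=aes256-sha1;modp2048",   # assumption: supported by the installed openswan
        "\tesp=aes256-sha1",
        "\tpfs=yes",
        "\tauto=start",
    ]
    return "\n".join(lines) + "\n"


def lint_secrets_line(line, expected_ids=(LEFT, RIGHT)):
    """Return a list of problems with one ipsec.secrets PSK line (empty list means it passed)."""
    m = SECRETS_RE.match(line.strip())
    if not m:
        return ['line does not match <id> <id> : PSK "<secret>"']
    findings = []
    if set(m.group("ids").split()) != set(expected_ids):
        findings.append("selectors do not name both tunnel endpoints")
    psk = m.group("psk")
    if len(psk.encode()) < MIN_PSK_BYTES:
        findings.append(f"PSK shorter than {MIN_PSK_BYTES} bytes")
    if psk.lower() in PLACEHOLDERS:
        findings.append("PSK is a placeholder")
    return findings


def write_private(path, text):
    """Write the secrets file readable by owner only and return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # in case umask or a pre-existing file left wider bits
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Generate, write to a scratch directory and lint; returns (file mode, lint findings)."""
    psk = generate_psk()
    line = render_secrets(LEFT, RIGHT, psk)
    with tempfile.TemporaryDirectory() as d:
        mode = write_private(os.path.join(d, "ipsec.secrets"), line)
    return mode, lint_secrets_line(line.strip())


if __name__ == "__main__":
    print(render_conf(LEFT, RIGHT, "192.168.1.0/24", "192.168.2.0/24"))
    print(lint_secrets_line('192.168.0.5 192.168.0.6 : PSK "mysecretpassword"'))
    print(demo())
```

Run the lint against the post's sample line and it reports both a short key and a placeholder; run `demo()` and it returns `(0o600, [])`. On the real hosts, pipe the generated line into /etc/ipsec.secrets on both routers over an already-authenticated channel, then `service ipsec restart` and `ipsec setup --status` as the post describes.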

