LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 06-18-2010, 08:23 AM   #1
rafalek
Member
 
Registered: Oct 2003
Posts: 43

Rep: Reputation: 15
VPN and racoon

Hi, I'm trying to configure a VPN but it doesn't want to work.

This is the scheme:
Code:

10.10.1.90 <--> externalIP1 <--> MY external IP

My /etc/ipsec.conf, where I type setkey -f:

Code:
cat /etc/ipsec.conf 
flush;
spdflush;
spdadd MY_EXTERNAL_IP 10.10.1.0/24 any -P out ipsec esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require;
spdadd 10.10.1.0/24 MY_EXTERNAL_IP any -P in ipsec esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require;
My racoon.conf:

Code:
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

listen
{
    isakmp MY_EXTERNAL_IP [500];
}

timer
{
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote EXTERNAL_IP1
{
    exchange_mode main, aggressive;
    doi ipsec_doi;
    my_identifier address;
    nonce_size 16;
    lifetime time 8 hour;   # sec,min,hour
    initial_contact on;
    proposal_check obey;    # obey, strict or claim

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 sec;
    }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
    
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}
And the results:

Code:
$setkey -D
No SAD entries.

$setkey -DP
10.10.1.0/24[any] MY_EXTERNAL_IP/24[any] any
	in ipsec
	esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require
	created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16415 seq=1 pid=70379
	refcnt=1
MY_EXTERNAL_IP/24[any] 10.10.1.0/24[any] any
	out ipsec
	esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require
	created: Jun 18 11:25:26 2010  lastused: Jun 18 11:25:26 2010
	lifetime: 0(s) validtime: 0(s)
	spid=16414 seq=0 pid=70379
	refcnt=1
Pings don't show anything; all packets are lost.

And part of racoon.log:

Code:
2010-06-18 11:45:00: DEBUG: pk_recv: retry[0] recv() 
2010-06-18 11:45:00: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:00: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:00: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] 7MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:00: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:00: DEBUG: getsainfo pass #2
2010-06-18 11:45:00: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:00: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:00: DEBUG: in post_acquire
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: INFO: IPsec-SA request for EXTERNAL_IP1 queued due to no phase1 found.
2010-06-18 11:45:00: ERROR: unknown AF: 0
2010-06-18 11:45:00: DEBUG: ===
2010-06-18 11:45:00: INFO: initiate new phase 1 negotiation: MY_EXTERNAL_IP[500]<=>95.130.250.98[500]
2010-06-18 11:45:00: INFO: begin Identity Protection mode.
2010-06-18 11:45:00: DEBUG: new cookie:
1057cf78f6df7c03 
2010-06-18 11:45:00: DEBUG: add payload of len 48, next type 13
2010-06-18 11:45:00: DEBUG: add payload of len 16, next type 0
2010-06-18 11:45:00: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-18 11:45:00: DEBUG: resend phase1 packet 1057cf78f6df7c03:0000000000000000
2010-06-18 11:45:12: DEBUG: pk_recv: retry[0] recv() 
2010-06-18 11:45:12: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:12: DEBUG: Zombie ph2 found, expiring it
2010-06-18 11:45:12: INFO: phase2 sa expired MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:12: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:12: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:12: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:12: DEBUG: getsainfo pass #2
2010-06-18 11:45:12: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:12: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:12: DEBUG: in post_acquire
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2010-06-18 11:45:13: INFO: phase2 sa deleted MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:13: DEBUG: an undead schedule has been deleted.
2010-06-18 11:45:20: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
What am I doing wrong, and how can I fix it?
I use FreeBSD 6.3.
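Added example, not from the post: a Python sanity check over `setkey -DP` output like the dump above. It parses each policy and flags selectors whose prefix disagrees with the written address, as `MY_EXTERNAL_IP/24` does, and in/out policies whose selectors or tunnel endpoints are not mirror images; the placeholder addresses are constructed, and it says nothing about the unanswered phase 1 resends in the log, which have to be diagnosed on the peer side.

```python
import re
from ipaddress import ip_interface

# Constructed sample modelled on the `setkey -DP` output in the post above;
# 198.51.100.10 stands in for MY_EXTERNAL_IP and 203.0.113.5 for EXTERNAL_IP1.
SAMPLE = """\
10.10.1.0/24[any] 198.51.100.10/24[any] any
\tin ipsec
\tesp/tunnel/203.0.113.5-198.51.100.10/require
198.51.100.10/24[any] 10.10.1.0/24[any] any
\tout ipsec
\tesp/tunnel/198.51.100.10-203.0.113.5/require
"""
HDR = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] (\S+)$")   # src[port] dst[port] proto
TUN = re.compile(r"^\w+/tunnel/([^-]+)-([^/]+)/\w+$")   # esp/tunnel/SRC-DST/level (IPv4)

def parse_spd(text):
    """Parse `setkey -DP` text into dicts: src, dst, dir, tsrc, tdst (tunnel endpoints)."""
    policies = []
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line = new policy header
            m = HDR.match(line.strip())
            if m:
                policies.append({"src": m.group(1), "dst": m.group(2)})
            continue
        field = line.strip()
        if not policies or not field:
            continue
        if field.split()[0] in ("in", "out"):
            policies[-1]["dir"] = field.split()[0]
        elif TUN.match(field):
            policies[-1]["tsrc"], policies[-1]["tdst"] = TUN.match(field).groups()
    return policies

def check_spd(policies):
    """Return findings as strings; an empty list means the SPD looks consistent."""
    findings = []
    for p in policies:
        for key in ("src", "dst"):
            sel = ip_interface(p[key])
            if sel.ip != sel.network.network_address:  # e.g. 198.51.100.10/24: host bits set
                findings.append(f"{p.get('dir')} selector {p[key]} has host bits set; /32 probably intended")
    ins = [p for p in policies if p.get("dir") == "in"]
    for o in (p for p in policies if p.get("dir") == "out"):
        mirror = [i for i in ins if i["src"] == o["dst"] and i["dst"] == o["src"]]
        if not mirror:
            findings.append(f"out policy {o['src']} -> {o['dst']} has no mirrored in policy")
        elif (mirror[0].get("tsrc"), mirror[0].get("tdst")) != (o.get("tdst"), o.get("tsrc")):
            findings.append(f"tunnel endpoints for {o['src']} -> {o['dst']} are not mirrored in the in policy")
    return findings
```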
 
Old 07-17-2010, 08:08 PM   #2
johnxcitizen
LQ Newbie
 
Registered: Aug 2009
Posts: 13

Rep: Reputation: 0
Are you married to BSD for this?

I've been trying to get this to work for a few weeks (including on pfSense/BSD), and the thing that worked for me (in VMs) is this. For this, assume that network 1 has IP range 192.168.1.x, and network 2 has IP range 192.168.2.x, and the two networks talk to each other through the "Internet", which is on range 192.168.0.x (that is, on a testbench LAN connection):

* Clean install Debian Lenny (standard system only, nothing extra)
* apt-get install sysvconfig openswan

When openswan installs, say no to opportunistic encryption and do not generate a public key. Then (the SAME on both VPN endpoints, do NOT switch left and right), create these files:

/etc/ipsec.conf (replace ..... with a tab, the indentation is important):
config setup
......charonstart=yes #this line probably not required for IKEv1
......plutostart=yes


conn MyVPN
......left=192.168.0.5 # "public" IP of network 1's router
......leftsubnet=192.168.1.0/24
......right=192.168.0.6 # "public" IP of network 2's router
......rightsubnet=192.168.2.0/24
......auto=start
......authby=secret #manpage says that this is the default, but the behavior of openswan says otherwise
/etc/ipsec.secrets:
192.168.0.5 192.168.0.6 : PSK "mysecretpassword"
Then run "service ipsec restart" on both boxes. Once this is done, run "ipsec setup --status" to see status. If you are having problems, "ipsec barf" will give loads of information about it.


Please be aware that this configuration is a testbench configuration only, you really need to research x509 certificates and the cipher suites to set it up in a secure manner -- but it is much easier to change one setting at a time once you have something basic working.

If you are using virtual servers be aware that entropy will be a problem (especially if running on a 2.6 kernel) -- I think that timer_entropyd that is the best solution (unless you can get USB or serial passthrough to work and fit a hardware TRNG). Does anyone know how good the entropy from timer_entropyd is?
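Added example, not part of the reply: a Python check that reads an openswan-style ipsec.conf and ipsec.secrets like the ones above and verifies that the conn names both endpoints and subnets, that the subnets do not overlap, that authby=secret is explicit, and that a PSK line names exactly the left and right addresses. The sample files and the 20-character PSK threshold are my own assumptions.

```python
import re
from ipaddress import ip_network

# Constructed samples modelled on the reply's files (real tabs instead of "......").
IPSEC_CONF = """\
config setup
\tplutostart=yes

conn MyVPN
\tleft=192.168.0.5 # "public" IP of network 1's router
\tleftsubnet=192.168.1.0/24
\tright=192.168.0.6 # "public" IP of network 2's router
\trightsubnet=192.168.2.0/24
\tauto=start
\tauthby=secret
"""
IPSEC_SECRETS = '192.168.0.5 192.168.0.6 : PSK "mysecretpassword"\n'
SECRET = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')   # ID1 ID2 : PSK "..."

def parse_conf(text):
    """Return {section header: {key: value}} for an ipsec.conf; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # "config setup" / "conn MyVPN"
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_conn(conn, secrets_text, min_psk_len=20):
    """Findings for one conn section; an empty list means the PSK setup is consistent."""
    findings = [f"missing {k}" for k in ("left", "leftsubnet", "right", "rightsubnet") if k not in conn]
    if findings:
        return findings
    if ip_network(conn["leftsubnet"]).overlaps(ip_network(conn["rightsubnet"])):
        findings.append("leftsubnet and rightsubnet overlap")
    if conn.get("authby") != "secret":
        findings.append("authby=secret is not set explicitly")
    ids = {conn["left"], conn["right"]}
    matches = [m for m in map(SECRET.match, secrets_text.splitlines()) if m]
    psk = next((m.group(3) for m in matches if {m.group(1), m.group(2)} == ids), None)
    if psk is None:
        findings.append("no PSK line in ipsec.secrets names both endpoints")
    elif len(psk) < min_psk_len:                 # threshold is an assumption, not an openswan rule
        findings.append(f"PSK shorter than {min_psk_len} characters; fine for a testbench only")
    return findings
```

Because the same files are meant to go unchanged on both endpoints, running the check on each box with its own copies also confirms nobody swapped left and right.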