LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-17-2005, 07:23 AM   #1
Furbo
LQ Newbie
 
Registered: Nov 2004
Posts: 1

Rep: Reputation: 0
Problems w. Racoon/Pluto Interoperability


Hi !

I've got a problem making a vpn conenction between a linux roadwarrior runnig kame's racoon ike daemon with Linux Kernel 2.6 IPSEC stack and a Gateway with a dynamic IP-Adress using dyn dns. The gateway is runnig freeswan 2.04 on a 2.4 Kernel. It is productive since a year and running smmothly with windows 2000 and xp roadwarriors. So I think the configuration of my mandrake linux 10.1 is the problem. On the client machine I'm also runnig a windows xp installation from which I can connect to the vpn!

Here come the log messages of the client and the gateway when trying to establish a connection via a icmp echo request from roadwarrior to gateway:

Roadwarrior racoon.log:
client: INFO: @(#)ipsec-tools 0.5-rc1 (<url removed because of forums spam check>)
client: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (<url removed because of forums spam check>)
2005-01-14 16:04:32: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
client: INFO: 192.168.0.101[500] used as isakmp port (fd=7)
client: INFO: ::1[500] used as isakmp port (fd=8)
client: INFO: fe80::211:2fff:fe13:f3f%eth0[500] used as isakmp port (fd=9)
client: INFO: IPsec-SA request for <gateway's ip> queued due to no phase1 found.
client: INFO: initiate new phase 1 negotiation: 192.168.0.101[500]<=>80.138.164.3[500]
client: INFO: begin Identity Protection mode.
client: INFO: ISAKMP-SA established 192.168.0.101[500]-<gateway's ip>[500] spi:bff1bb588fe6b88d:1b1fecc2d8ebf346
client: INFO: initiate new phase 2 negotiation: 192.168.0.101[0]<=>80.138.164.3[0]
client: ERROR: pfkey UPDATE failed: Protocol not available
client: ERROR: pfkey ADD failed: Protocol not available

Those two last error messages make me wondering which protocol may be missing. Strange thing is the freeswan server thinks the handshaking was succesfull and says the ipsec SA has been established. Fact is only the phase 1 of IKE is succesfull.

Log of freeswan gateway:
gateway"client-to-subnet_53"[1] 217.228.16.243 #1: responding to Main Mode from unknown peer <clients router adress>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: Peer ID is ID_DER_ASN1_DN: <Zert_ASN_String>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: crl update is overdue since Nov 30 20:33:18 UTC 2004
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: sent MR3, ISAKMP SA established
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: responding to Quick Mode
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: IPsec SA established {ESP=>0x02552400 <0x20a747fa}
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: received Delete SA payload: deleting ISAKMP State #1


I tried two different configurations fo the ipsec-tools with:

./configure --enable-natt --enable-adminport --with-kernel-headers=/usr/src/linux-2.6.8.1-10mdk/include --enable-gssapi --enable-hybrid --enable-frag --enable-dpd --enable-samode-unspec
make
make install

and

./configure
make
make install

and still the same behaviour.

I also checked that all needed cyphers and protocols are supported by my kernel. Well at least I think that I checked all .
3des, md5, sha1;ipsec;rsasig;hmac

I append the racoon and setkey config for further info:

setkey policies:
flush;
spdflush;
spdadd 192.168.0.101/32 53.0.0.0/8 any -P out ipsec
esp/tunnel/192.168.0.101-<gateway's ip>/require;
spdadd 53.0.0.0/8 192.168.0.101 any -P in ipsec
esp/tunnel/<gateway's ip>-192.168.0.101/require;
~


racoon.conf:
path certificate "/etc/ssl/canorisCA";
remote <gateway's ip> {
exchange_mode main;

certificate_type x509 "zertificate-file" "decrypted_private_key_file";
verify_cert on;
verify_identifier on;
my_identifier asn1dn;
peers_identifier asn1dn <asn1 zert id>;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}


As you can see I'm using x509 certficates for authentification. Just to rule out the certs are not the problem:
They are the same I use for vpn connection on my windows xp installation. And phase 1 of IKE is succesfull. Something with the handshaking of the esp encryption goes wrong I think. Maybe there are some other points to deal with when interoperating freeswan and kame?

Help is very appreciated.

Thnks in advance.


Jan


P.S. Is there an elegant way to specify a gateway with dns name because the ip changes at least once a day? Or do I have to write a shellscript that gets the current ip, rewrites my config and restarts everything?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
thunderbird interoperability with other programs BCarey Slackware 2 11-01-2005 08:47 PM
Inkscape/Illustrator interoperability mykrob Linux - Software 1 10-30-2005 08:12 AM
problem with racoon nitinkhanna Linux - Security 0 10-28-2004 06:28 AM
Problems with 'racoon' and certificates ... sankeny Linux - Security 0 09-01-2004 05:29 PM
FreeSwan - Pluto Tarantismic Yak Linux - General 1 07-10-2001 07:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:26 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration