LinuxQuestions.org
Old 05-11-2007, 10:23 AM   #1
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Rep: Reputation: 15
Racoon VPN connection problem to Netscreen Firewall


Hi

I am trying to connect to our corporate VPN, but before even attempting to connect to the actual box, I set up another Netscreen for testing purposes; however, I am unable to connect to this unit somehow.
The reason for the test is that I don't have access to the corporate firewall to see the logs, and I don't want to piss our IT off by "seemingly" attacking their system.

I have followed the following tutorial for the netscreen setup:

http://www.bluetrait.com/archive/200...o-a-netscreen/

(I followed the first part only, to set up the firewall)

Then I followed this to set up racoon:

http://www.bluetrait.com/archive/200...en-vpn-dialup/

All went well, except I am unable to make any kind of connection, and I am sure the problem is with me, as I am new to Linux, and especially to VPNs.

Here I paste the related config file from the Netscreen (with forged information):

Code:
set user "bfrank.user" uid 1
set user "bfrank.user" ike-id fqdn "bfrank.user" share-limit 1
set user "bfrank.user" type  ike
set user "bfrank.user" "enable"
set ike gateway "bfrank.userP1" dialup "bfrank.user" Aggr outgoing-interface "untrust" preshare "scrambled_passcode" proposal "pre-g2-des-md5"
set ike gateway "bfrank.userP1" cert peer-ca all
unset ike gateway "bfrank.userP1" nat-traversal
set ike respond-bad-spi 1
set vpn "bfrank.userP2" gateway "bfrank.userP1" replay tunnel idletime 0 proposal "g2-esp-des-md5" 
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
set policy id 2 name "bfrank.user" from "Untrust" to "Trust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "bfrank.userP2" id 1 
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust

Here I paste my /etc/racoon/racoon.conf:

Code:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/ipsec.conf";

padding
{
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;              # maximum trying count to send.
    interval 20 sec;        # maximum interval to resend.
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;
}

remote  VPN-PUBLIC-IP {
  exchange_mode aggressive;
  doi ipsec_doi;
  situation identity_only;
  my_identifier fqdn "bfrank.user";
  peers_identifier address;
  verify_identifier off;
  lifetime time 28800 seconds;
  initial_contact on;
  passive off;
  proposal_check obey;
  support_mip6 on;
  generate_policy off;
  nonce_size 16;
  proposal {
    encryption_algorithm des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;
  }
}

sainfo address CLIENT-INTERNAL-IP any address VPN-INTERNAL-NETWORK/24 any {
  pfs_group modp1024;
  lifetime time 3600 seconds;
  encryption_algorithm des;
  authentication_algorithm hmac_md5;
  compression_algorithm deflate;
}

listen {
  isakmp CLIENT-INTERNAL-IP;
}

log debug2;

This is my /etc/racoon/psk.txt:

Code:
VPN-PUBLIC-IP    SCRAMBLED-PASSCODE

And here is my /etc/ipsec.conf:

Code:
#!/usr/sbin/setkey -f
#nat_traversal=yes
flush;
spdflush;
#out
spdadd CLIENT-INTERNAL-IP VPN-INTERNAL-NETWORK/24 any
    -P out ipsec esp/tunnel/CLIENT_IP-VPN_PUBLIC_IP/require;
#in

spdadd VPN_INTERNAL_NETWORK/24 CLIENT_INTERNAL_IP any
    -P in ipsec esp/tunnel/VPN_PUBLIC_IP-CLIENT_INTERNAL_IP/require;

The issue is I don't even know how to initiate the connection, but what I read on Google is that I only need to ping the remote network, which I did, and nothing happens; nothing shows up in the syslog. Then I figured I'd start racoon (/usr/sbin/racoon), and then I have the following in my syslog:

Code:
May 11 17:19:57 bfrank-laptop racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) 
May 11 17:19:57 bfrank-laptop racoon: INFO: @(#)This product linked OpenSSL 0.9.8c 05 Sep 2006 (http://www.openssl.org/) 
May 11 17:19:57 bfrank-laptop racoon: WARNING: /etc/racoon/racoon.conf:36: "support_mip6" it is obsoleted.  use "support_proxy". 
May 11 17:19:57 bfrank-laptop racoon: DEBUG2: parse successed. 
May 11 17:19:57 bfrank-laptop racoon: DEBUG: open /var/run/racoon/racoon.sock as racoon management. 
May 11 17:19:57 bfrank-laptop racoon: INFO: CLIENT_INTERNAL_IP[500] used as isakmp port (fd=7) 
May 11 17:19:57 bfrank-laptop racoon: INFO: CLIENT_INTERNAL_IP[500] used for NAT-T 
May 11 17:19:57 bfrank-laptop racoon: DEBUG: get pfkey X_SPDDUMP message 
May 11 17:19:57 bfrank-laptop racoon: DEBUG2:  02120200 02000000 00000000 99420000 
May 11 17:19:57 bfrank-laptop racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory

There should be more lines, at least that is what I found on Google indicates to me.

Also on the firewall side, I don't see any connections coming in, no requests, no failures. That firewall has a static IP, and all ports are open towards it, but it sits behind a small Cisco 806.

This is what I get once I start racoon and check "lsof -i":

Code:
racoon    17086   root    7u  IPv4  61592       UDP bfrank-laptop.local:isakmp

At this point I feel dead in the water and don't know where to start. Any suggestions are welcome.

Thanks

Ben
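One way to sanity-check the two client-side files shown above before starting racoon, as an added example that is not code from the thread, from ipsec-tools or from the tutorials linked in the post: racoon only starts a negotiation when the kernel hands it an acquire for an outbound SPD policy (so the setkey script must have been loaded with `setkey -f`), and phase 2 only succeeds when that policy's selector matches a `sainfo address` block and the tunnel endpoints match the `remote` and `listen` addresses. The checker below parses the `spdadd` tunnel-mode statements and the racoon.conf blocks with small regexes and reports such mismatches, plus any DES/MD5 proposal. All addresses in its samples are constructed (RFC 5737 and RFC 1918 ranges), not the thread's, and it recognises only the `esp/tunnel/SRC-DST/require` policy form used in the post.

```python
"""Consistency checks for an IPsec client's setkey SPD script and racoon.conf.

Added example, not code from ipsec-tools or the original poster. Reports the
mismatches that leave racoon with nothing to negotiate or nothing to match:
an out policy without a mirrored in policy, a selector with no 'sainfo' block,
tunnel endpoints disagreeing with 'remote'/'listen', and legacy DES/MD5 algorithms.
Sample addresses are constructed (RFC 5737 / RFC 1918), not the thread's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdEntry:
    src: str         # traffic selector source (host or prefix)
    dst: str         # traffic selector destination
    direction: str   # "in" or "out"
    tunnel_src: str  # outer ESP source address
    tunnel_dst: str  # outer ESP destination address


# Only the ESP tunnel-mode spdadd form used in the thread is recognised.
SPDADD = re.compile(
    r"^spdadd (\S+) (\S+) \S+ -P (in|out) ipsec "
    r"esp/tunnel/([0-9A-Fa-f.:]+)-([0-9A-Fa-f.:]+)/(?:require|use|default)$")
SAINFO = re.compile(r"sainfo address (\S+) \S+ address (\S+) \S+")
REMOTE = re.compile(r"\bremote\s+(\S+)\s*\{")
LISTEN = re.compile(r"\bisakmp\s+(\S+)\s*;")
ALGO = re.compile(r"(?:encryption|hash|authentication)_algorithm\s+([a-z0-9_]+)")
LEGACY_ALGOS = {"des", "md5", "hmac_md5"}


def strip_comments(text):
    """Drop '#' comments (the setkey shebang line included); both formats use them."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_spd(setkey_script):
    """Collect the tunnel-mode spdadd statements; a statement may span lines."""
    entries = []
    for raw in strip_comments(setkey_script).split(";"):
        m = SPDADD.match(" ".join(raw.split()))
        if m:
            entries.append(SpdEntry(*m.groups()))
    return entries


def check_config(setkey_script, racoon_conf):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    spd = parse_spd(setkey_script)
    conf = strip_comments(racoon_conf)
    sainfos = set(SAINFO.findall(conf))
    remotes = set(REMOTE.findall(conf))
    listens = set(LISTEN.findall(conf))
    inbound = {(e.src, e.dst, e.tunnel_src, e.tunnel_dst) for e in spd if e.direction == "in"}
    outbound = [e for e in spd if e.direction == "out"]
    if not outbound:
        findings.append("no outbound spdadd policy: racoon has no selector to negotiate for")
    for e in outbound:
        # The kernel's acquire for the out policy starts the negotiation; return
        # traffic needs the mirrored in policy with both address pairs swapped.
        if (e.dst, e.src, e.tunnel_dst, e.tunnel_src) not in inbound:
            findings.append(f"outbound policy {e.src}->{e.dst} has no mirrored inbound policy")
        if (e.src, e.dst) not in sainfos:
            findings.append(f"no 'sainfo address {e.src} any address {e.dst} any' block")
        if e.tunnel_dst not in remotes and "anonymous" not in remotes:
            findings.append(f"tunnel peer {e.tunnel_dst} has no 'remote' block")
        if listens and e.tunnel_src not in listens:
            findings.append(f"tunnel source {e.tunnel_src} is not a 'listen isakmp' address")
    for alg in ALGO.findall(conf):
        if alg in LEGACY_ALGOS:
            findings.append(f"legacy algorithm '{alg}' in a proposal")
    return findings


# Constructed sample: client 192.0.2.10, VPN gateway 198.51.100.1, remote LAN 10.10.0.0/24.
GOOD_SETKEY = """#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.0.2.10 10.10.0.0/24 any
    -P out ipsec esp/tunnel/192.0.2.10-198.51.100.1/require;
spdadd 10.10.0.0/24 192.0.2.10 any
    -P in ipsec esp/tunnel/198.51.100.1-192.0.2.10/require;
"""
GOOD_RACOON = """remote 198.51.100.1 {
  exchange_mode aggressive;
  proposal { encryption_algorithm aes; hash_algorithm sha1;
             authentication_method pre_shared_key; dh_group modp1024; }
}
sainfo address 192.0.2.10 any address 10.10.0.0/24 any {
  encryption_algorithm aes; authentication_algorithm hmac_sha1;
}
listen { isakmp 192.0.2.10; }
"""
# Same client with slips: inbound tunnel endpoints in the wrong order, a sainfo
# selector naming a /16 instead of the SPD's /24, and a DES/MD5 proposal.
BAD_SETKEY = GOOD_SETKEY.replace("198.51.100.1-192.0.2.10", "192.0.2.10-198.51.100.1")
BAD_RACOON = (GOOD_RACOON.replace("10.10.0.0/24", "10.10.0.0/16")
              .replace("aes", "des").replace("sha1", "md5"))

if __name__ == "__main__":
    for label, files in (("good", (GOOD_SETKEY, GOOD_RACOON)), ("bad", (BAD_SETKEY, BAD_RACOON))):
        print(label, check_config(*files) or "ok")
```

Run it with the real files substituted for the samples (`check_config(open("/etc/ipsec.conf").read(), open("/etc/racoon/racoon.conf").read())`); an empty result means the SPD selectors, sainfo selectors and peer addresses line up, which is the precondition for a ping to the remote network to produce any ISAKMP traffic at all.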
 
Old 05-13-2007, 04:34 AM   #2
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

In the meantime I tried it from another laptop running Debian, and I have exactly the same behaviour. It is for sure that I am doing something wrong, and the strange thing is that nothing gets logged on the Netscreen side, as if the request isn't even hitting the firewall, but is stuck and not going out from the Linux client side.

Any help is greatly appreciated,

Thanks

Ben
 
Old 05-14-2007, 01:34 PM   #3
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

Basically I would like to initiate a dial-up VPN connection using racoon. Let's forget where I am trying to connect.

How do I initiate a dial-up VPN connection from a roaming client to a fixed VPN server?

Thanks for any help,

Ben
 
Old 05-16-2007, 08:52 AM   #4
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

Just bumping the thread, still looking for a solution, any help would be useful,
Thanks

Ben
 
Old 05-17-2007, 04:04 PM   #5
bence8810
Member
 
Registered: Nov 2004
Location: Budapest, Hungary
Distribution: Debian
Posts: 110

Original Poster
Rep: Reputation: 15
Hi

Still not many responses to this thread :|

Meantime, I got connected to my testing Netscreen box.

The only thing I need now is to connect to the Production VPN gateway.

The problem is with the pre-shared key, which I don't have on the Netscreen. I have its config file, but in that the key is encrypted, and if I try to use that it won't work.

I also have the Windows-based Remote Connect, and that stores the pre-shared key in HEX format in the registry.

Any way to retrieve the ASCII version of the key?

Thanks

Ben
 