Gentoo Forums
IPSec/Racoon Woes
Forum: Networking & Security
EddieOfTheRocks
n00b
Joined: 01 Feb 2007
Posts: 35
Location: Edmonton, Alberta, Canada

Posted: Sat Sep 07, 2013 5:41 pm    Post subject: IPSec/Racoon Woes

I've been stuck for a few days on an IPSec/Racoon issue. I can't seem to get my machine to actually send out a negotiation request to my server. I set up all my routes, get racoon started, try a ping, and nothing. Looking through the log files, it seems as though racoon is making some level of effort, but while running Wireshark I can see that it isn't actually sending out any ISAKMP whatsoever. There is zero activity on all network interfaces.

An interesting tidbit is that if I run a "racoonctl vpn-connect 123.456.789.123", it successfully completes the negotiation and connects. It just isn't usable.

Below are all the necessary details.

/etc/racoon/racoon.conf

Code:
# Directory racoon searches for certificate files given by relative name
path certificate "/etc/ssl/certs";

log debug;

# Phase 1 (ISAKMP) settings for the peer: main mode, RSA signature authentication
remote 123.456.789.123 {
   exchange_mode main;
   certificate_type x509 "/etc/ssl/certs/dorado.crt" "/etc/ssl/private/dorado.key";
   ca_type x509 "/etc/ssl/certs/example-ca.crt";
   peers_certfile x509 "/etc/ssl/certs/whiskey.crt";
   verify_cert on;
   my_identifier fqdn "dorado.example.org";
   peers_identifier fqdn "whiskey.example.org";
   nat_traversal on;
   proposal {
      encryption_algorithm aes;
      hash_algorithm sha256;
      authentication_method rsasig;
      dh_group modp1024;
   }
}

# Phase 2 (IPsec SA) settings for traffic between the dummy0 address and the remote subnet
sainfo address 10.0.13.64 any address 10.0.13.0/26 any from fqdn "whiskey.example.org" {
   pfs_group modp1024;
   encryption_algorithm aes;
   authentication_algorithm hmac_sha256;
   compression_algorithm deflate;
}


/etc/ipsec-tools.conf

Code:
# Clear the SAD and SPD before loading the policies below
flush;
spdflush;

# Outbound: traffic from the dummy0 address to the remote subnet must be ESP-tunnelled to the peer
spdadd 10.0.13.64 10.0.13.0/26 any -P out ipsec
   esp/tunnel/0.0.0.0-123.456.789.123/require;

# Inbound: the matching policy for traffic arriving from the peer's tunnel
spdadd 10.0.13.0/26 10.0.13.64 any -P in ipsec
   esp/tunnel/123.456.789.123-0.0.0.0/require;


/etc/conf.d/net (relevant part)

Code:
config_dummy0="10.0.13.64 netmask 255.255.255.255 broadcast 10.0.13.64"
routes_dummy0="-host 10.0.13.1
   10.0.13.0/26 via 10.0.13.1"
modules_dummy0="!ifplugd"


Racoon Output

This follows from doing a ping 10.0.13.1. Note, as I said before, Wireshark shows zero activity on all network interfaces.

Code:
2013-09-07 11:37:20: DEBUG: pk_recv: retry[0] recv()
2013-09-07 11:37:20: DEBUG: got pfkey ACQUIRE message
2013-09-07 11:37:20: DEBUG: suitable outbound SP found: 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out.
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c96ec0: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=fwd
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c97140: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: suitable inbound SP found: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in.
2013-09-07 11:37:20: DEBUG: new acquire 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: DEBUG: getsainfo params: loc='10.0.13.64' rmt='10.0.13.0/26' peer='NULL' client='NULL' id=0
2013-09-07 11:37:20: DEBUG: evaluating sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (ANONYMOUS)
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_address)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_subnet)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: selected sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-09-07 11:37:20: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha256)
2013-09-07 11:37:20: DEBUG: in post_acquire
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: INFO: IPsec-SA request for 123.456.789.123 queued due to no phase1 found.
2013-09-07 11:37:20: DEBUG: ===
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: INFO: begin Identity Protection mode.
2013-09-07 11:37:20: DEBUG: new cookie:
f74640cd78778e1f
2013-09-07 11:37:20: DEBUG: add payload of len 52, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 0
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
2013-09-07 11:37:20: ERROR: failed to begin ipsec sa negotication.

_________________
Eddie Carle
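Added example, not part of the original post or of the ipsec-tools project: a small checker that takes the racoon debug lines and the ipsec-tools.conf quoted above (embedded here as constructed strings) and reports the one thing that stands out in them, namely that racoon initiated phase 1 from 0.0.0.0, the same unspecified address the SPD uses as the local tunnel endpoint. Whether that is what breaks this particular setup is an assumption on my part, not something the thread confirms. The address 203.0.113.5 used by the rewrite helper is a made-up placeholder for the host's real outer address.

```python
"""Check a racoon debug log and an ipsec-tools SPD for unspecified endpoints.

Added example for this page. Inputs are constructed from the post; the
diagnosis (0.0.0.0 as local ISAKMP/tunnel endpoint) is an assumption.
"""
import re
from ipaddress import ip_address

# Constructed sample: relevant lines from the racoon log in the post.
RACOON_LOG = """\
2013-09-07 11:37:20: DEBUG: new acquire 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out
2013-09-07 11:37:20: INFO: IPsec-SA request for 123.456.789.123 queued due to no phase1 found.
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: INFO: begin Identity Protection mode.
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
"""

# Constructed sample: the /etc/ipsec-tools.conf from the post (setkey -f syntax).
# 123.456.789.123 is the post's own placeholder and is not a valid IPv4 address.
SPD_CONF = """\
flush;
spdflush;

spdadd 10.0.13.64 10.0.13.0/26 any -P out ipsec
   esp/tunnel/0.0.0.0-123.456.789.123/require;

spdadd 10.0.13.0/26 10.0.13.64 any -P in ipsec
   esp/tunnel/123.456.789.123-0.0.0.0/require;
"""

PH1_RE = re.compile(
    r"initiate new phase 1 negotiation: (\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")
SEND_ERR_RE = re.compile(r"ERROR: phase1 negotiation failed due to send error")
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+([^;]+);")
TUNNEL_RE = re.compile(r"^(\w+)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)$")


def is_unspecified(addr):
    """True for 0.0.0.0 / ::; False otherwise, including unparsable placeholders."""
    try:
        return ip_address(addr).is_unspecified
    except ValueError:
        return False


def parse_phase1(log):
    """Local/remote ISAKMP endpoints racoon chose for each phase 1 it initiated."""
    return [{"local": m.group(1), "lport": int(m.group(2)),
             "remote": m.group(3), "rport": int(m.group(4))}
            for m in PH1_RE.finditer(log)]


def parse_spd(conf):
    """Tunnel-mode policies from an ipsec-tools.conf; transport-mode rules are skipped."""
    policies = []
    for m in SPD_RE.finditer(conf):
        src, dst, proto, direction, rule = m.groups()
        t = TUNNEL_RE.match(rule.strip())
        if t is None:
            continue
        policies.append({"src": src, "dst": dst, "proto": proto, "dir": direction,
                         "ipsec_proto": t.group(1), "tunnel_src": t.group(2),
                         "tunnel_dst": t.group(3), "level": t.group(4)})
    return policies


def diagnose(log, conf):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for p1 in parse_phase1(log):
        if is_unspecified(p1["local"]):
            findings.append("phase 1 to %s[%d] initiated from the unspecified address %s: "
                            "racoon has no concrete local ISAKMP endpoint to send from"
                            % (p1["remote"], p1["rport"], p1["local"]))
    if SEND_ERR_RE.search(log):
        findings.append("phase 1 failed with a send error (nothing reached the wire)")
    for pol in parse_spd(conf):
        # Local outer address is the tunnel src for 'out' and the tunnel dst for 'in'.
        local_end = pol["tunnel_src"] if pol["dir"] == "out" else pol["tunnel_dst"]
        if is_unspecified(local_end):
            findings.append("SPD %s policy %s -> %s uses %s as the local tunnel endpoint; "
                            "racoon derives the phase 1 local address from it (assumption)"
                            % (pol["dir"], pol["src"], pol["dst"], local_end))
    return findings


def rewrite_spd(conf, local_addr):
    """Replace every unspecified tunnel endpoint with a concrete local address.

    Assumes, as in the post's file, that only the local side is left as 0.0.0.0.
    """
    ip_address(local_addr)  # reject garbage such as 123.456.789.123 early

    def fix(m):
        proto, tsrc, tdst, level = m.groups()
        tsrc = local_addr if is_unspecified(tsrc) else tsrc
        tdst = local_addr if is_unspecified(tdst) else tdst
        return "%s/tunnel/%s-%s/%s" % (proto, tsrc, tdst, level)

    return re.sub(r"(\w+)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)", fix, conf)


if __name__ == "__main__":
    for f in diagnose(RACOON_LOG, SPD_CONF):
        print("-", f)
    print(rewrite_spd(SPD_CONF, "203.0.113.5"))  # 203.0.113.5 is a placeholder
```

Run it against a copy of the real log and compare the SPD it parses with `setkey -DP` output on the box; racoon's `listen { isakmp <address>; }` block is the other place where the local ISAKMP address is pinned, and the file above has none.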