Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Help with configuring Racoon roadwarrior
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
MickKi
Veteran
Veteran


Joined: 08 Feb 2004
Posts: 1110
Location: 51:45:20N, 0:40:44W

PostPosted: Tue Mar 06, 2012 7:14 pm    Post subject: Help with configuring Racoon roadwarrior Reply with quote

Hi All,

I have managed to set up a roadwarrior configuration which sort of works when I run /etc/init.d/racoon start, but only after I set up routes manually.

However, I noticed that neither the phase1-up.sh scripts provided by ipsec-tools, nor racoonctl work with my configuration.

In particular, when I run the phase1-up.sh script no routes are being set up and the only address shown is that of the local gateway ${DEFAULT_GW}. /etc/resolve.conf is not being edited with the DNS resolver of the VPN gateway.

Running racoon-ctl returns this error:

# racoonctl reload-config
send: Bad file descriptor

# racoonctl show-sa isakmp
send: Bad file descriptor

I raised a bug but this was closed by the dev, because he was not getting such errors when racoon was configured correctly. So I thought of asking here for some help with my configuration.

This is my network topology:

Code:
[Roadwarrior]-10.211.48.75 =====[ISP's gateway]-XXX.XXX.XX.X=====Internet=====YYY.YYY.YY.Y-[My VPN gateway]-10.10.10.254-----10.10.10.0/24-[LAN boxen]


The tunnel is created between my laptop, which is configured as a roadwarrior and my router. The router is configured to send mode_cfg parameters to my laptop. In particular, the LAN pool of addresses allocated to the roadwarrior is 172.16.1.0/24 and the DNS resolver for the VPN is the router itself at 10.10.10.254.

So, starting from the top this is my /etc/racoon/racoon.conf:
Code:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

listen {
        adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

remote YYY.YYY.YY.Y {
        exchange_mode aggressive;
        certificate_type x509 "RW_cert.pem" "RW_key.pem";
        ca_type x509 "cacert.pem";
        my_identifier  asn1dn ;
        peers_identifier address "YYY.YYY.YY.Y";
        peers_certfile x509 "router_VPN.pem";
        verify_identifier on;
        nat_traversal on;
        ike_frag on;
        mode_cfg on;
        proposal_check obey;
        script "/etc/racoon/scripts/phase1-up.sh" phase1_up;
        script "/etc/racoon/scripts/phase1-down.sh" phase1_down;
        passive off;
        proposal {
                encryption_algorithm aes 256;
                lifetime time 7080 seconds;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}


sainfo anonymous {
        pfs_group 2;
        lifetime time 28800 seconds;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate ;
}


The scripts are unadulterated as provided by ipsec-tools in /usr/share/doc/ipsec-tools-0.8.0-r1/samples/roadwarrior/client/phase1-up.sh.bz2 and phase1-down.sh.bz2:

Code:
# ls -la /etc/racoon/scripts/
total 16
drwxr-x--- 2 root root 4096 Mar  6 18:46 .
drwxr-xr-x 4 root root 4096 Mar  6 18:54 ..
-rwxr-xr-- 1 root root 2107 Feb 13 14:25 phase1-down.sh
-rwxr-xr-- 1 root root 2255 Feb 13 14:24 phase1-up.sh


The /etc/racoon/ipsec.conf contains this:
Code:
#!/usr/sbin/setkey -f

# Flush SAD and SPD

flush;
spdflush;

#SP for racoon

spdadd 10.10.10.0/24 172.16.1.0/24 any -P in ipsec esp/tunnel/YYY.YYY.YY.Y-10.211.48.75/unique;
spdadd 172.16.1.0/24 10.10.10.0/24 any -P out ipsec esp/tunnel/10.211.48.75-YYY.YYY.YY.Y/unique;


The scripts fail to set up any routes, or pick up any addresses (local/remote/internal) but as I mentioned when I ran it by hand to see what gives, it manages to pick up the default GW.  All other addresses are blank.


To set up a tunnel I have to run manually:
Code:
ifconfig wlan0:1:0 172.16.1.1
ip route add 10.10.10.0/24 via 172.16.1.1 dev wlan0


After that I can ping a box inside the LAN and a connection is eventually established.

Can you see anything amiss with my configuration that explains why the routes are not being established and racoonctl barfs?
_________________
Regards,
Mick


Last edited by MickKi on Sat Feb 23, 2013 11:35 am; edited 1 time in total
Back to top
View user's profile Send private message
blueness
Developer
Developer


Joined: 25 Nov 2009
Posts: 31
Location: Buffalo, NY

PostPosted: Tue Mar 06, 2012 8:18 pm    Post subject: Reply with quote

I reproduced the problem and found the solution. Your listen paragraph in racoon.conf should be:

Code:

listen {
        adminsock "/var/lib/racoon/racoon.sock" "root" "operator" 0660;
}


Note your path is "/var/racoon/racoon.sock" which is not legit. racoon then crashes and you get the "send: Bad file descriptor"

If that solves it, post back. Although about a problem you had, this is a nice little howto on setting up RoadWarrior.
Back to top
View user's profile Send private message
MickKi
Veteran
Veteran


Joined: 08 Feb 2004
Posts: 1110
Location: 51:45:20N, 0:40:44W

PostPosted: Wed Mar 07, 2012 12:19 pm    Post subject: Reply with quote

Thanks blueness!

I have used the listen directive that is provided in /usr/share/doc/ipsec-tools-0.8.0-r1/samples/roadwarrior/client/racoon.conf.bz2:
Quote:
path certificate "/etc/openssl/certs";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
adminsock "/var/racoon/racoon.sock" "root" "operator" 0660; <--- As shown here
}

remote 192.0.2.50 {
exchange_mode aggressive;
ca_type x509 "root-ca.crt";

[snip ...]


Are you saying that this is incorrect as provided by upstream, only applies to *BSDs, or is Gentoo doing it differently? Should I add this to the bug I raised?

Anyway, I changed the path to the one you suggest and now the racoonctl command does not produce an error. Thanks! :)

Code:
racoonctl show-sa isakmp
Destination            Cookies                           Created
YYY.YYY.YY.Y.4500     f22ccaf15ecb23c4:7bb843c9fae819e0 2012-03-07 12:07:58


However, I am not out of the woods yet as far as the phase1-up.sh script and setting up routes are concerned. The script only shows local gateway like so, when I run it in a terminal, even after I have established a tunnel and phase 2 has been completed:
Code:
# /etc/racoon/scripts/phase1-up.sh phase1_up
phase1_up
LOCAL_ADDR =
LOCAL_PORT =
REMOTE_ADDR =
REMOTE_PORT =
DEFAULT_GW = 10.110.63.254
INTERNAL_ADDR4 =
INTERNAL_NETMASK4 =
INTERNAL_DNS4 =


It will set no routes - I must manually do that with ifconfig and ip. I must also add policies in /etc/racoon/ipsec.conf (that's the path I use for racoon's ipsec.conf) or nothing much gets configured when racoon is launched. This is a pain because I have to edit ipsec.conf every time I connect to a different network. Isn't the idea of these scripts that the routing and policies are set up automatically when /etc/init.d/racoon start is run and /etc/racoon/racoon.conf is loaded? I am not clear I guess how much of establishing a VPN tunnel is manual effort and how much is scripts doing it for you.
_________________
Regards,
Mick
Back to top
View user's profile Send private message
planckscnst
n00b
n00b


Joined: 21 Jan 2006
Posts: 8
Location: Tampa, FL, USA

PostPosted: Mon Jul 02, 2012 6:16 pm    Post subject: RE: Help with configuring Racoon roadwarrior Reply with quote

I have the same problem; I'm pretty sure it's a bug in Racoon. We recently upgraded our Racoon version and the phase1_up script stopped working; phase1_down still works. We're not using Gentoo, so it's not a Gentoo packaging error.
Back to top
View user's profile Send private message
MickKi
Veteran
Veteran


Joined: 08 Feb 2004
Posts: 1110
Location: 51:45:20N, 0:40:44W

PostPosted: Sat Jul 07, 2012 3:28 pm    Post subject: Reply with quote

Thanks planckscnst,

What distro are you using?

I've seen people running CentOS/RHL systems having no problem setting up routes with the scripts provided.
_________________
Regards,
Mick
Back to top
View user's profile Send private message
planckscnst
n00b
n00b


Joined: 21 Jan 2006
Posts: 8
Location: Tampa, FL, USA

PostPosted: Sat Jul 07, 2012 3:48 pm    Post subject: Reply with quote

I'm compiling from source using Buildroot. I've also seen someone else with the problem who posted to the ipsec-tools-users list.

I had my collegue post on ipsec-tools-devel list about this bug. I haven't yet had time to dive in to the source and see what's happening.

Are you sure that users of CentOS/RHEL are using 0.8? The bug did not exist in previous versions. CentOS 5 came with ipsec-tools 0.6.5; CentOS 6 doesn't have an ipsec-tools package at all.
Back to top
View user's profile Send private message
planckscnst
n00b
n00b


Joined: 21 Jan 2006
Posts: 8
Location: Tampa, FL, USA

PostPosted: Sat Jul 07, 2012 5:42 pm    Post subject: Reply with quote

This morning, I took a look at the source. The script is called potentially from three different places - twice in isakmp_cfg.c (if mode config is requested - one path for initiator, another for the responder) and once in isakmp.c (if mode config is not requested). It looks like if you are using mode config, it only calls the script if you are using an authentication_method of either xauth_rsa_server, xauth_rsa_client, xauth_psk_server or xauth_psk_client. If you are not using mode config, it calls the script unless your authentication_method is xauth_psk_server, xauth_rsa_server, or hybrid_rsa_server.

I looked through the commit messages in the revision history of those files and didn't see anything that would change the behavior since 0.7.2, so I'm still investigating.
Back to top
View user's profile Send private message
MickKi
Veteran
Veteran


Joined: 08 Feb 2004
Posts: 1110
Location: 51:45:20N, 0:40:44W

PostPosted: Sat Feb 23, 2013 11:33 am    Post subject: Reply with quote

Hi planckscnst,

It took me some time to get back to this. I have been using StrongSwan, because it sets up the routes automatically (although it fails to set up DNS). I would still be interested to find out why tje Racoon scripts are not working.

I am using mod_cfg, as you can see from my racoon.conf, but I am not using xauth. However I don't understand, why would the code only run the up/down scripts if xauth is used?
_________________
Regards,
Mick
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum