Gentoo Forums
[SOLVED] Can't get racoon going on client
MickKi
Veteran
Joined: 08 Feb 2004
Posts: 1162

PostPosted: Sun Nov 20, 2011 11:05 pm    Post subject: [SOLVED] Can't get racoon going on client

Hi All,

I have been trying for some time now to set up a road warrior VPN client so that I can connect to my home router and administer machines on the LAN.

No matter what I've tried I cannot get a network configured via racoon. Could some kind soul give me a nudge in troubleshooting this?


On the home router I have:

Code:
public IP:  123.456.78.9
LAN:  10.10.10.0/24
router LAN IP:  10.10.10.1
respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2

crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel



On the laptop, I have this in the racoon.conf:

EDIT: I've added some comments in here from errors I discovered later on.
Code:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
       # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
       }

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
#       script "/etc/racoon/phase1_up_down.sh" phase1_up;
#       script "/etc/racoon/phase1_up_downdown.sh" phase1_down;
        proposal {
                encryption_algorithm aes;  # <-- This was wrong: should have been "aes 256" to match the router
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                }
        }

sainfo anonymous {
        lifetime time 1 hour;  # <-- This was probably wrong: should have matched the router's setting
        encryption_algorithm aes;  # <-- This was wrong: should have been "aes 256" to match the router
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        }




I connect to the Internet using my mobile and I get this from the ISP:

Code:
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG        0 0          0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0


Where 193.30.166.3 is the ISP's gateway. The ppp0 ip address is 10.149.124.40:

Code:
# ifconfig
lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol 
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)


Now the problem is that upon starting racoon I do not see a tunnel being formed and indeed I cannot connect to machines in the LAN. This is from the log: [snip ...]


I've experimented with NAT on/off, etc, in racoon.conf but no joy. No additional routes seem to be created and the router logs do not show anything attempting a connection.

I get this error in the log:
Code:
Nov 20 23:03:12 dell_xps racoon: DEBUG: pk_recv: retry[0] recv()
Nov 20 23:03:12 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 20 23:03:12 dell_xps racoon: DEBUG2:
Nov 20 23:03:12 dell_xps 02120200 02000000 00000000 0f1d0000
Nov 20 23:03:12 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory


What does it mean? Where should I look next?

EDIT: This means that there is no tunnel. The phase1-up script that I used did not work. Later on I found the scripts installed with racoon for roadwarrior client machines. However, they don't work either! 8O

To get it working I had to manually set up routes in ipsec.conf and also set up the router VPN pool as a gateway in the client, to tunnel LAN addresses through. Will write this up if I get time one day.
_________________
Regards,
Mick


Last edited by MickKi on Sun Dec 04, 2011 8:15 pm; edited 1 time in total
MickKi
Veteran
Joined: 08 Feb 2004
Posts: 1162

PostPosted: Mon Nov 21, 2011 12:29 pm    Post subject:

[snip ...]
_________________
Regards,
Mick


Last edited by MickKi on Sun Dec 04, 2011 8:16 pm; edited 1 time in total
AngelKnight
Tux's lil' helper
Joined: 14 Jan 2003
Posts: 126

PostPosted: Fri Nov 25, 2011 5:33 pm    Post subject:

MickKi wrote:
OK, I've tried connecting from a different location.

I added these lines in /etc/ipsec.conf and it now seems to set the correct associations in the logs but the routing table still does not show anything
related to the VPN server or LAN, only the current ISP routing. The previous "pfkey X_SPDDUMP failed" error is gone.


You won't see anything; on Linux, IPsec for IPv4 doesn't result in any additions or changes to the FIB. All of the related adjustments appear in the Security Policy Database.

In your previous config you didn't supply a DH group for phase2; might be useful to explicitly set it there also.
MickKi
Veteran
Joined: 08 Feb 2004
Posts: 1162

PostPosted: Sun Nov 27, 2011 12:01 am    Post subject:

[snip ...]
_________________
Regards,
Mick


Last edited by MickKi on Sun Dec 04, 2011 8:18 pm; edited 1 time in total
MickKi
Veteran
Joined: 08 Feb 2004
Posts: 1162

PostPosted: Mon Nov 28, 2011 10:51 pm    Post subject:

OK, I think I know what the problem is ... routing is not being set up.

The phase_up_down.sh scripts are not working.

I also tried the scripts shown here: http://en.gentoo-wiki.com/wiki/VPN_iPhone_IPSec but they do not work either.

Should something like echo ${INTERNAL_ADDR4} show something? It returns nothing here. :(
_________________
Regards,
Mick
MickKi
Veteran
Joined: 08 Feb 2004
Posts: 1162

PostPosted: Wed Nov 30, 2011 9:12 pm    Post subject:

OK, after searching around I discovered that ipsec-tools actually drops in some scripts (I wish an enotice told me so!!!)

Looking at /usr/share/doc I found just what I needed for my roadwarrior configuration:

Code:
$ ls -la /usr/share/doc/ipsec-tools-0.7.3-r1/samples/roadwarrior/client/
total 20
drwxr-xr-x 2 root root 4096 Nov 15 15:56 .
drwxr-xr-x 4 root root 4096 Nov 15 15:56 ..
-rw-r--r-- 1 root root  875 Nov 15 15:56 phase1-down.sh.bz2
-rw-r--r-- 1 root root  911 Nov 15 15:56 phase1-up.sh.bz2
-rw-r--r-- 1 root root  445 Nov 15 15:56 racoon.conf.bz2


Copied them into /etc/racoon/scripts/, unpacked them, removed the spdadd entries in my /etc/ipsec.conf, and fired up /etc/init.d/racoon ...

Code:
Nov 30 21:00:02 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 30 21:00:02 dell_xps racoon: DEBUG: call pfkey_send_register for AH
Nov 30 21:00:03 dell_xps racoon: DEBUG: call pfkey_send_register for ESP
Nov 30 21:00:03 dell_xps racoon: DEBUG: call pfkey_send_register for IPCOMP
Nov 30 21:00:03 dell_xps racoon: DEBUG: reading config file /etc/racoon/racoon.conf
Nov 30 21:00:03 dell_xps racoon: DEBUG2: lifetime = 28800
Nov 30 21:00:03 dell_xps racoon: DEBUG2: lifebyte = 0
Nov 30 21:00:03 dell_xps racoon: DEBUG2: encklen=256
Nov 30 21:00:03 dell_xps racoon: DEBUG2: p:1 t:1
Nov 30 21:00:03 dell_xps racoon: DEBUG2: AES-CBC(7)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: SHA(2)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: 1024-bit MODP group(2)
Nov 30 21:00:03 dell_xps racoon: DEBUG2: pre-shared key(1)
Nov 30 21:00:03 dell_xps racoon: DEBUG2:
Nov 30 21:00:03 dell_xps racoon: DEBUG: hmac(modp1024)
Nov 30 21:00:03 dell_xps racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Nov 30 21:00:03 dell_xps racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
Nov 30 21:00:03 dell_xps racoon: DEBUG: getsainfo pass #2
Nov 30 21:00:03 dell_xps racoon: DEBUG2: parse successed.
Nov 30 21:00:03 dell_xps racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: fe80::226:b9ff:fe20:b49c%eth0 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: ::1 (lo)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 10.10.10.7 (eth0)
Nov 30 21:00:03 dell_xps racoon: DEBUG: my interface: 127.0.0.1 (lo)
Nov 30 21:00:03 dell_xps racoon: DEBUG: configuring default isakmp port.
Nov 30 21:00:03 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 30 21:00:03 dell_xps racoon: DEBUG: 8 addrs are configured successfully
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 30 21:00:03 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[500] used as isakmp port (fd=9)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[4500] used as isakmp port (fd=10)
Nov 30 21:00:03 dell_xps racoon: INFO: 10.10.10.7[4500] used for NAT-T
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 30 21:00:03 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[500] used as isakmp port (fd=13)
Nov 30 21:00:03 dell_xps racoon: INFO: fe80::226:b9ff:fe20:b49c%eth0[4500] used as isakmp port (fd=14)
Nov 30 21:00:03 dell_xps racoon: DEBUG: pk_recv: retry[0] recv()
Nov 30 21:00:03 dell_xps racoon: DEBUG: get pfkey X_SPDDUMP message
Nov 30 21:00:03 dell_xps racoon: DEBUG2:
Nov 30 21:00:03 dell_xps racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory


What is the error "pfkey X_SPDDUMP failed: No such file or directory" about? Is this because I have no spdadd entries in my ipsec.conf? Aren't these meant to be created via mode_cfg?

EDIT: Yes, they are meant to be created by the scripts, which however do not work as written. I succeeded in getting this working after setting up routes manually using ip route add <LAN subnet> via <VPN pool address> dev eth0
_________________
Regards,
Mick
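A phase1_up / phase1_down hook for the road-warrior client, added here as an example; it is not code from this thread and not the ipsec-tools sample scripts. It covers the two problems raised in the Nov 28 and Nov 30 posts above: an empty INTERNAL_ADDR4 (the hook refuses to install anything rather than silently doing nothing) and the missing spdadd policies and LAN route. Assumed, per racoon's script interface: racoon runs the hook with a single argument, "phase1_up" or "phase1_down", and exports LOCAL_ADDR, REMOTE_ADDR and, with mode_cfg on, INTERNAL_ADDR4 into its environment. LAN_NET, DEV and the command paths are placeholders to adjust; the addresses used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from this thread or the ipsec-tools samples): a racoon
# phase1_up / phase1_down hook for a road-warrior client.
#
# Assumptions, per racoon's script interface: racoon runs this hook with one
# argument, "phase1_up" or "phase1_down", and exports LOCAL_ADDR, REMOTE_ADDR
# and (with mode_cfg on) INTERNAL_ADDR4 into the environment. LAN_NET, DEV and
# the command paths are placeholders to adjust for your own setup.
set -eu

LAN_NET="${LAN_NET:-10.10.10.0/24}"   # router LAN to reach through the tunnel
DEV="${DEV:-ppp0}"                    # uplink the ESP packets leave on
SETKEY="${SETKEY:-/usr/sbin/setkey}"
IP="${IP:-/sbin/ip}"

# Fail loudly when mode-config handed us nothing. An empty INTERNAL_ADDR4 is the
# symptom seen in this thread; building policies from it would either make
# setkey reject the script or install policies that match no traffic, so the
# LAN would be reached (or not) outside the tunnel, in the clear.
require_internal_addr() {
    case "${1:-}" in
        *.*.*.*) return 0 ;;
        *)  echo "phase1-up: INTERNAL_ADDR4 is empty or not IPv4 ('${1:-}');" \
                 "check mode_cfg and the router's address pool" >&2
            return 1 ;;
    esac
}

# Emit the SPD entries that tunnel INTERNAL_ADDR4 <-> LAN_NET inside ESP between
# LOCAL_ADDR and REMOTE_ADDR. Emitted as text so it can be inspected first and
# then fed to "setkey -c".  Arguments: internal local remote lan
spd_policy() {
    printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$4" "$2" "$3"
    printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$4" "$1" "$3" "$2"
}

# Matching removal for phase1_down.  Arguments: internal lan
spd_policy_delete() {
    printf 'spddelete %s/32 %s any -P out;\n' "$1" "$2"
    printf 'spddelete %s %s/32 any -P in;\n' "$2" "$1"
}

# The kernel still needs a route that picks INTERNAL_ADDR4 as the source, so the
# packet matches the "out" policy above; the ESP encapsulation itself never
# appears in the routing table (inspect "setkey -DP" / "setkey -D", not netstat).
# The thread used "ip route add LAN via <pool gateway>"; a device route with an
# explicit src does the same job without needing a gateway address.
routes_up() {
    "$IP" addr add "$1/32" dev "$DEV"
    "$IP" route add "$LAN_NET" dev "$DEV" src "$1"
}
routes_down() {
    "$IP" route del "$LAN_NET" dev "$DEV" || true
    "$IP" addr del "$1/32" dev "$DEV" || true
}

case "${1:-}" in
    phase1_up)
        require_internal_addr "${INTERNAL_ADDR4:-}"
        spd_policy "$INTERNAL_ADDR4" "$LOCAL_ADDR" "$REMOTE_ADDR" "$LAN_NET" | "$SETKEY" -c
        routes_up "$INTERNAL_ADDR4"
        "$SETKEY" -DP    # the policies just installed: this is where IPsec "routes" live
        ;;
    phase1_down)
        require_internal_addr "${INTERNAL_ADDR4:-}" || exit 0
        spd_policy_delete "$INTERNAL_ADDR4" "$LAN_NET" | "$SETKEY" -c
        routes_down "$INTERNAL_ADDR4"
        ;;
esac
```

Make the file executable and point both script lines of the remote block at it (script "/etc/racoon/phase1-up-down.sh" phase1_up; and the same path with phase1_down). If the phase1_up branch prints the INTERNAL_ADDR4 error, the problem is upstream of routing: mode_cfg is not delivering an address, which is what the Nov 28 post observed with echo ${INTERNAL_ADDR4}. Once it runs cleanly, "pfkey X_SPDDUMP failed: No such file or directory" goes away because the SPD is no longer empty.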
All times are GMT