EddieOfTheRocks n00b
Joined: 01 Feb 2007 Posts: 35 Location: Edmonton, Alberta, Canada
Posted: Sat Sep 07, 2013 5:41 pm Post subject: IPSec/Racoon Woes
I've been stuck for a few days on an IPSec/Racoon issue. I can't seem to get my machine to actually send out a negotiation request to my server. I set up all my routes, get racoon started, try a ping and nothing. Looking through the log files it seems as though racoon is making some level of effort, but while running wireshark I can see that it isn't actually sending out any ISAKMP whatsoever. There is zero activity on all network interfaces whatsoever.
An interesting tidbit is that if I run a "racoonctl vpn-connect 123.456.789.123", it successfully completes the negotiation and connects. It just isn't usable.
Below are all the necessary details.
/etc/racoon/racoon.conf
Code:
path certificate "/etc/ssl/certs";
log debug;
remote 123.456.789.123 {
    exchange_mode main;
    certificate_type x509 "/etc/ssl/certs/dorado.crt" "/etc/ssl/private/dorado.key";
    ca_type x509 "/etc/ssl/certs/example-ca.crt";
    peers_certfile x509 "/etc/ssl/certs/whiskey.crt";
    verify_cert on;
    my_identifier fqdn "dorado.example.org";
    peers_identifier fqdn "whiskey.example.org";
    nat_traversal on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo address 10.0.13.64 any address 10.0.13.0/26 any from fqdn "whiskey.example.org" {
    pfs_group modp1024;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
/etc/ipsec-tools.conf
Code:
flush;
spdflush;
spdadd 10.0.13.64 10.0.13.0/26 any -P out ipsec
    esp/tunnel/0.0.0.0-123.456.789.123/require;
spdadd 10.0.13.0/26 10.0.13.64 any -P in ipsec
    esp/tunnel/123.456.789.123-0.0.0.0/require;
/etc/conf.d/net (relevant part)
Code:
config_dummy0="10.0.13.64 netmask 255.255.255.255 broadcast 10.0.13.64"
routes_dummy0="-host 10.0.13.1
    10.0.13.0/26 via 10.0.13.1"
modules_dummy0="!ifplugd"
Racoon Output
This follows from doing a ping 10.0.13.1. Note, as I said before, Wireshark shows zero activity on all network interfaces.
Code:
2013-09-07 11:37:20: DEBUG: pk_recv: retry[0] recv()
2013-09-07 11:37:20: DEBUG: got pfkey ACQUIRE message
2013-09-07 11:37:20: DEBUG: suitable outbound SP found: 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out.
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c96ec0: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=fwd
2013-09-07 11:37:20: DEBUG: sub:0x7fffdb00c640: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: db :0x1c97140: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in
2013-09-07 11:37:20: DEBUG: suitable inbound SP found: 10.0.13.0/26[0] 10.0.13.64/32[0] proto=any dir=in.
2013-09-07 11:37:20: DEBUG: new acquire 10.0.13.64/32[0] 10.0.13.0/26[0] proto=any dir=out
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: DEBUG: getsainfo params: loc='10.0.13.64' rmt='10.0.13.0/26' peer='NULL' client='NULL' id=0
2013-09-07 11:37:20: DEBUG: evaluating sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (ANONYMOUS)
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_address)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.64'
2013-09-07 11:37:20: DEBUG: check and compare ids : values matched (IPv4_subnet)
2013-09-07 11:37:20: DEBUG: cmpid target: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: cmpid source: '10.0.13.0/26'
2013-09-07 11:37:20: DEBUG: selected sainfo: loc='10.0.13.64', rmt='10.0.13.0/26', peer='whiskey.example.org', id=0
2013-09-07 11:37:20: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2013-09-07 11:37:20: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha256)
2013-09-07 11:37:20: DEBUG: in post_acquire
2013-09-07 11:37:20: [123.456.789.123] DEBUG: configuration "123.456.789.123[500]" selected.
2013-09-07 11:37:20: INFO: IPsec-SA request for 123.456.789.123 queued due to no phase1 found.
2013-09-07 11:37:20: DEBUG: ===
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: INFO: begin Identity Protection mode.
2013-09-07 11:37:20: DEBUG: new cookie:
f74640cd78778e1f
2013-09-07 11:37:20: DEBUG: add payload of len 52, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 13
2013-09-07 11:37:20: DEBUG: add payload of len 16, next type 0
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
2013-09-07 11:37:20: ERROR: failed to begin ipsec sa negotication.
_________________
Eddie Carle
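As an added diagnostic example (not from the original post or the ipsec-tools project), the script below re-reads the quoted racoon log and ipsec-tools.conf and flags the two things a practitioner would check first: a phase 1 that racoon initiated from the unspecified address 0.0.0.0 and that is immediately followed by a send error, and spdadd rules whose local tunnel endpoint is 0.0.0.0. The log and SPD samples are constructed from the lines quoted above; treating the unspecified local address as the first thing to investigate is the editor's reading of the log, not a conclusion stated in the thread.

```python
import re

# Constructed sample input: lines taken from the racoon debug output and the
# ipsec-tools.conf quoted in the post above.
SAMPLE_LOG = """\
2013-09-07 11:37:20: INFO: initiate new phase 1 negotiation: 0.0.0.0[500]<=>123.456.789.123[500]
2013-09-07 11:37:20: INFO: begin Identity Protection mode.
2013-09-07 11:37:20: ERROR: phase1 negotiation failed due to send error. f74640cd78778e1f:0000000000000000
"""
SAMPLE_SPD = """\
spdadd 10.0.13.64 10.0.13.0/26 any -P out ipsec
esp/tunnel/0.0.0.0-123.456.789.123/require;
spdadd 10.0.13.0/26 10.0.13.64 any -P in ipsec
esp/tunnel/123.456.789.123-0.0.0.0/require;
"""

UNSPECIFIED = {"0.0.0.0", "::"}
PHASE1_RE = re.compile(r"initiate new phase 1 negotiation: "
                       r"(?P<local>[0-9a-fA-F.:]+)\[\d+\]<=>(?P<peer>[0-9a-fA-F.:]+)\[\d+\]")
TUNNEL_RE = re.compile(r"esp/tunnel/(?P<src>[^-]+)-(?P<dst>[^/]+)/")

def analyse_racoon_log(text):
    """Correlate each phase 1 initiation with a following send error."""
    findings, current = [], None
    for line in text.splitlines():
        m = PHASE1_RE.search(line)
        if m:
            current = m.groupdict()
            if current["local"] in UNSPECIFIED:
                findings.append(f"phase1 to {current['peer']} started from unspecified "
                                f"local address {current['local']}")
        elif "phase1 negotiation failed due to send error" in line:
            peer = current["peer"] if current else "unknown peer"
            findings.append(f"send error during phase1 with {peer}")
    return findings

def check_spd_tunnel_endpoints(conf):
    """Flag spdadd rules whose local tunnel end (src for -P out, dst for -P in) is unspecified."""
    out = []
    for stmt in conf.split(";"):
        stmt = " ".join(stmt.split())          # join the wrapped two-line rule
        m = TUNNEL_RE.search(stmt)
        if not stmt.startswith("spdadd") or not m:
            continue
        direction = "in" if " -P in " in stmt else "out"
        local = m.group("dst") if direction == "in" else m.group("src")
        if local in UNSPECIFIED:
            out.append(f"{direction}bound rule uses {local} as local tunnel endpoint")
    return out
```

Run both functions over a real racoon log and ipsec-tools.conf; an empty result from each means neither symptom is present.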