Hello everyone!

I am currently studying IPsec solutions to set up a VPN based on RADIUS authentication and dynamic VLAN attribution. I must point out that I have never used IPsec, but have studied the theory (at school!).
So I found Racoon, and have been trying out different possibilities. Today I am trying the hybrid_rsa_client/server auth method, in a road warrior concept.
I am using Debian "testing" on both sides, both with Racoon 6.6 from deb packages.
I will attach my conf files at the end of my message for more comprehension.
I have set up certificates and keys, signed them with a Certificate authority and set them up on both sides.
I use setkey to set up the security policies, manually (via /etc/ipsec-tools.conf), and for the moment do not use racoon-tool.
I got the whole thing working with pre-shared-keys, but hybrid_rsa is somehow not working as I want it.
The main problem comes from the client side, which doesn't seem to recognize the auth method:
    "invalid authentication type 64221"
or
    "invalid authentication type 64222"
which, after googling, seem to be the reference codes for hybrid_rsa_client and server.
I checked out the mail archives, and came across a similar subject, but posted in January 2006, saying that it is a missing feature for the current version and proposing a patch. Before trying to recompile racoon, I would like to understand the issue, since most documentation I have found online uses hybrid_rsa for phase 1 authentication, without mentioning anything about patching the sources.
Plus, the server side doesn't seem to have any problems with the auth method.
Here are my confs:

RACOON.CONF:

Client side:
path include "/usr/include/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
       isakmp 192.168.0.2[500];
#       adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

remote 192.168.0.1 {
       exchange_mode main,aggressive;
       ca_type x509 "cacert.pem";
#       my_identifier user_fqdn robert;
#       peers_identifier address;
       certificate_type x509 "newcert.pem" "newkey.pem";
#       xauth_login test;
       proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
       mode_cfg on;
#       script "/etc/racoon/phase1-up.sh" phase1_up;
#       script "/etc/racoon/phase1-down.sh" phase1_down;
       generate_policy on;
       passive off;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method hybrid_rsa_server;
#               authentication_method pre_shared_key;
               dh_group modp1024;
       }
}


sainfo anonymous {
       pfs_group modp1024;
       lifetime time 720 min;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate ;
}

Server side:
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

listen {
        isakmp 192.168.0.1[500];
}

remote anonymous {
        exchange_mode main,aggressive;
        my_identifier address 192.168.0.1 ;
        certificate_type x509 "server-cert.pem" "server-key.pem";
#       peers_identifier user_fqdn;
        proposal_check claim;
#       generate_policy on;
        nat_traversal on;
        passive on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                lifetime time 1800 min;
                authentication_method hybrid_rsa_client;
#                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        exchange_mode main;
}

sainfo anonymous {
        pfs_group modp1024;
        lifetime time 43200 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

mode_cfg {
        auth_source system;
        conf_source local;
        accounting none;
        pool_size 100;
        network4 10.0.0.1;
        netmask4 255.255.255.0;
}

and here is the error output, client side:

ERROR: invalid authentication type 64222
ERROR: failed to process packet.
ERROR: phase1 negotiation failed.

I just can't find any reason why it shouldn't work, so could someone tell me what I am doing wrong?

Thanks
Robert


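As an added example (not part of Robert's post nor of the ipsec-tools project), here is a small Python check that reads the authentication_method and the other phase-1 parameters from each side's proposal block and reports pairings that racoon.conf(5) does not define: the hybrid and xauth methods are role-specific, so a client must offer the *_client variant and the server the *_server variant of the same base method. The two config excerpts are constructed from the configs in the post, and the parser skips "#" comment lines the way racoon does.

```python
import re

# Constructed excerpts in racoon.conf syntax, modelled on the two configs in the post.
CLIENT_CONF = """
remote 192.168.0.1 {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
#               authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
"""
SERVER_CONF = CLIENT_CONF.replace("remote 192.168.0.1", "remote anonymous") \
                         .replace("hybrid_rsa_server;", "hybrid_rsa_client;")

def proposal_settings(conf):
    """Return {keyword: value} for the first proposal block, ignoring '#' comment lines."""
    live = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    body = re.search(r"proposal\s*\{(.*?)\}", live, re.S)
    if body is None:
        raise ValueError("no proposal block found")
    settings = {}
    for stmt in body.group(1).split(";"):
        words = stmt.split()
        if len(words) >= 2:
            settings[words[0]] = " ".join(words[1:])
    return settings

def check_pair(client_conf, server_conf):
    """List phase-1 proposal mismatches between a client and a server racoon.conf.
    Per racoon.conf(5) the hybrid/xauth methods are role-specific (*_client on the
    client, *_server on the server); pre_shared_key and rsasig must simply match."""
    c, s = proposal_settings(client_conf), proposal_settings(server_conf)
    cm, sm = c.get("authentication_method", ""), s.get("authentication_method", "")
    problems = []
    if cm.endswith("_server"):
        problems.append(f"client proposal uses {cm}, a server-side method")
    if sm.endswith("_client"):
        problems.append(f"server proposal uses {sm}, a client-side method")
    if re.sub(r"_(client|server)$", "", cm) != re.sub(r"_(client|server)$", "", sm):
        problems.append(f"authentication_method base differs: {cm} vs {sm}")
    for key in ("encryption_algorithm", "hash_algorithm", "dh_group"):
        if c.get(key) != s.get(key):
            problems.append(f"{key}: client {c.get(key)} vs server {s.get(key)}")
    return problems
```

Running check_pair on the two excerpts above reports both role problems; swapping the two methods between the files yields an empty list.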