From: Don S. <do...@se...> - 2005-03-31 20:56:47
In order to just get _something_ working, the VPN admin has disabled xauth and should now just take certs. However I'm failing to even complete phase 1 negotiation. All I see in my log is "ERROR: ignore the packet, received unexpecting payload type 7." and the timeouts for phases 1 and 2.

I have nat_traversal on in my racoon.conf, specify the certificate_type x509 with the two certs, am not defining my_identifier or peers_identifier. The VPN admin says he doesn't even see any cert info from me, just an initial connection/session creation that eventually fails due to no certs being passed.

I'm forwarding 500 and 4500 back to my home desktop as this is behind the firewall and ipsec-tools is installed locally on the desktop.

Any thoughts?

-- 
Don Seiler do...@se...
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFC87F041
Fingerprint: 0B56 50D5 E91E 4D4C 83B7 207C 76AC 5DA2 FC87 F041
From: Don S. <do...@se...> - 2005-03-31 21:46:02
On 14:53 Thu 31 Mar , Don Seiler wrote:
> In order to just get _something_ working, the VPN admin has disabled
> xauth and should now just take certs. However I'm failing to even
> complete phase1 negotiation.

What is really disturbing me is that if I omit/misspell the certificate path or certificate names, the error is the same. It is as if racoon isn't even _trying_ to send the certs in phase 1.

-- 
Don Seiler do...@se...
From: F. S. <fre...@la...> - 2005-03-31 21:49:59
(Aaaaw, did it again. Sorry for the direct reply without the list.)

Thursday, March 31, 2005, 10:53:20 PM, you wrote:
> In order to just get _something_ working, the VPN admin has disabled
> xauth and should now just take certs. However I'm failing to even
> complete phase1 negotiation.
> All I see in my log is "ERROR: ignore the packet, received unexpecting
> payload type 7." and the timeouts for phases 1 and 2.

Payload 7 is... certificate request. I think more info is needed. Could you post the relevant parts of your racoon.conf (the remote block)?

(On a lighter note, I find the image of an unexpecting payload highly amusing; maybe it's the late hour, but... :) )

> I have nat_traversal on in my racoon.conf, specify the certificate_type
> x509 with the two certs, am not defining my_identifier or
> peers_identifier.

I believe you should use my_identifier asn1dn; & peers_identifier asn1dn;.

> The VPN admin says he doesn't even see any cert info
> from me, just an initial connection/session creation that eventually
> fails due to no certs being passed.

Are you sure your path certificate directive points to the correct location (yeah, dumb question)?

> I'm forwarding 500 and 4500 back to my home desktop as this is behind
> the firewall and ipsec-tools is installed locally on the desktop.

_Forwarding_? There may be a problem here, too. Do you initiate the connections?

Fred
-- 
People like us
Know how to survive
There's no point in living
If you can't feel the life
We know when to kiss
And we know when to kill
If we can't have it all
Then nobody will
(Garbage, The World Is Not Enough)
From: Don S. <do...@se...> - 2005-03-31 22:34:11
On 23:49 Thu 31 Mar , F. Senault wrote:
> (Aaaaw, did it again. Sorry for the direct reply without the list.)

D'oh. Just saw this and of course I replied just to you. Here we go again.

> Payload 7 is... certificate request. I think more info is needed.
> Could you post the relevant parts of your racoon.conf (the remote
> block) ?

    remote W.X.Y.Z {
        exchange_mode main;
        nat_traversal on;
        #generate_policy on;
        proposal_check obey;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        #verify_cert off;
        verify_identifier on;
        certificate_type x509 "company_provided.pem" "company_provided_pk.pem";
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method rsasig;
            dh_group 2;
        }
    }

> (On a lighter note, I find the image of an unexpecting payload highly
> amusing ; maybe it's the late hour, but... :) )
>
> > I have nat_traversal on in my racoon.conf, specify the certificate_type
> > x509 with the two certs, am not defining my_identifier or
> > peers_identifier.
>
> I believe you should use my_identifier asn1dn; & peers_identifier
> asn1dn;.

I'm doing this now, getting same error.

> > The VPN admin says he doesn't even see any cert info
> > from me, just an initial connection/session creation that eventually
> > fails due to no certs being passed.
>
> Are you sure your path certificate directive points to the correct
> location (yeah, dumb question) ?

Yes. I've copied/pasted the path into the 'ls' command and it shows certs just fine.

> > I'm forwarding 500 and 4500 back to my home desktop as this is behind
> > the firewall and ipsec-tools is installed locally on the desktop.
>
> _Forwarding_ ? There may be a problem here, too.

Yes this is on my home desktop, which is behind a NAT firewall/router. Should ipsec-tools be on the router instead?

> Do you initiate the connections ?

... how could I not?

-- 
Don Seiler do...@se...
From: F. S. <fre...@la...> - 2005-03-31 22:10:41
Thursday, March 31, 2005, 11:59:10 PM, you wrote:
> On 23:47 Thu 31 Mar , F. Senault wrote:
>> Payload 7 is... certificate request. I think more info is needed.
>> Could you post the relevant parts of your racoon.conf (the remote
>> block) ?
> Here it is (names changed to protect the innocent)
> remote W.X.Y.Z {
> exchange_mode main;

Could you try aggressive mode? (I've got a working racoon setup with substantially the same parameters, except that one. And the fact I'm talking to ciscos and other racoons.)

>> > I'm forwarding 500 and 4500 back to my home desktop as this is behind
>> > the firewall and ipsec-tools is installed locally on the desktop.
>>
>> _Forwarding_ ? There may be a problem here, too.
>>
>> Do you initiate the connections ?
> Yes. My home desktop is behind a NAT firewall/router (on a dynamic IP
> from ADSL). I've set my firewall to accept and forward 500 and 4500 udp
> and send it back to my desktop. The firewall allows all outgoing.

As long as your firewall accepts connections on those ports, you shouldn't need to forward them, AFAIK.

Fred
-- 
I don't need no arms around me
I don't need no drugs to calm me
I have seen the writing on the wall
Don't think I need anything at all
No, don't think I'll need anything at all
(Pink Floyd, Another Brick in The Wall part 3)
From: Don S. <do...@se...> - 2005-03-31 22:35:53
On 00:10 Fri 01 Apr , F. Senault wrote:
> Could you try aggressive mode ? (I've got a working racoon setup with
> substantially the same parameters, except that one. And the fact I'm
> talking to ciscos and other racoons.)

I have tried and failed. Our windows clients are all configured to use main mode as well.

> > Yes. My home desktop is behind a NAT firewall/router (on a dynamic IP
> > from ADSL). I've set my firewall to accept and forward 500 and 4500 udp
> > and send it back to my desktop. The firewall allows all outgoing.
>
> As long as your firewall accepts connections on those ports, you
> shouldn't need to forward them, AFAIK.

... then how do they find their way back to my desktop?

-- 
Don Seiler do...@se...
From: Don S. <do...@se...> - 2005-03-31 22:43:19
On 00:10 Fri 01 Apr , F. Senault wrote:
> Could you try aggressive mode ? (I've got a working racoon setup with
> substantially the same parameters, except that one. And the fact I'm
> talking to ciscos and other racoons.)

I just tried again and magic happened, then terror:

    Unexpected SET attribute 0

That basically just floods the log and I have to kill racoon. But I could actually see it referencing my certs for once.

-- 
Don Seiler do...@se...
From: Don S. <do...@se...> - 2005-03-31 22:54:51
On 16:43 Thu 31 Mar , Don Seiler wrote:
> I just tried again and magic happened, then terror:
>
> Unexpected SET attribute 0
>
> That basically just floods the log and I have to kill racoon. But I
> could actually see it referencing my certs for once.

The VPN admin said he sees it timing out with this error:

    information: MODE_CONFIG exchange terminated - MODE_CONFIG negotiation timed out (retransmission threshold reached)

I thought mode_cfg was just for hybrid auth?

-- 
Don Seiler do...@se...
From: F. S. <fre...@la...> - 2005-04-01 08:25:02
Friday, April 1, 2005, 12:54:48 AM, you wrote:
> On 16:43 Thu 31 Mar , Don Seiler wrote:
>> I just tried again and magic happened, then terror:
>>
>> Unexpected SET attribute 0
>>
>> That basically just floods the log and I have to kill racoon. But I
>> could actually see it referencing my certs for once.
> The VPN admin said he sees it timing out with this error:
> information: MODE_CONFIG exchange terminated - MODE_CONFIG negotiation
> timed out (retransmission threshold reached)
> I thought mode_cfg was just for hybrid auth?

Yes, it is. Actually, that's probably the reason behind all the logs you referenced. It seems that the system at the other end of the tunnel tries to configure your end, just like it would do to a classical roadwarrior, but I think we only support it in the hybrid modes (xauth_psk, hybrid_rsa, and maybe xauth_rsa when it'll be done).

/.../

>> > Yes. My home desktop is behind a NAT firewall/router (on a dynamic IP
>> > from ADSL). I've set my firewall to accept and forward 500 and 4500 udp
>> > and send it back to my desktop. The firewall allows all outgoing.
>>
>> As long as your firewall accepts connections on those ports, you
>> shouldn't need to forward them, AFAIK.
>
> ... then how do they find their way back to my desktop?

It's the magic of NAT - once you have established the connection, it should flow in both ways. All I can tell is that I have at least four people here using ipsec clients from the inside of my NAT'd network, and I never had anything to change in my firewall to make it work...

Fred
-- 
-#@^&*^(@#$!!
-What?
-We've been decoding a Make Money Fast chain letter for the last month!
-Those Bastards!
(George William Herbert in RASFW)
From: Emmanuel D. <ma...@ne...> - 2005-04-01 08:29:56
On Fri, Apr 01, 2005 at 10:24:57AM +0200, F. Senault wrote:
> > I thought mode_cfg was just for hybrid auth?
>
> Yes, it is. Actually, that's probably the reason behind all the logs
> you referenced. It seems that the system at the other end of the tunnel
> tries to configure your end, just like it would do to a classical
> roadwarrior, but I think we only support it in the hybrid modes
> (xauth_psk, hybrid_rsa, and maybe xauth_rsa when it'll be done).

At some time we'll have to split the --enable-hybrid configure option into two distinct options:

    --enable-xauth
    --enable-mode_cfg

-- 
Emmanuel Dreyfus ma...@ne...
From: F. S. <fre...@la...> - 2005-04-01 08:52:07
Friday, April 1, 2005, 10:29:53 AM, you wrote:
> On Fri, Apr 01, 2005 at 10:24:57AM +0200, F. Senault wrote:
>> Yes, it is. Actually, that's probably the reason behind all the logs
>> you referenced. It seems that the system at the other end of the tunnel
>> tries to configure your end, just like it would do to a classical
>> roadwarrior, but I think we only support it in the hybrid modes
>> (xauth_psk, hybrid_rsa, and maybe xauth_rsa when it'll be done).
> At some time we'll have to split the --enable-hybrid configure option
> into two distinct options:
> --enable-xauth
> --enable-mode_cfg

Excellent idea. And while we're at it, it will be useful to take a look at which functionality is supported in which mode, and to document / complete it.

Fred
-- 
In India, 'cold weather' is merely a conventional phrase and has come into use through the necessity of having some way to distinguish between weather which will melt a brass door-knob and weather which will only make it mushy.
(Mark Twain)
From: Don S. <do...@se...> - 2005-04-04 14:11:18
On 10:52 Fri 01 Apr , F. Senault wrote:
> Friday, April 1, 2005, 10:29:53 AM, you wrote:
> >> Yes, it is. Actually, that's probably the reason behind all the logs
> >> you referenced. It seems that the system at the other end of the tunnel
> >> tries to configure your end, just like it would do to a classical
> >> roadwarrior, but I think we only support it in the hybrid modes
> >> (xauth_psk, hybrid_rsa, and maybe xauth_rsa when it'll be done).
>
> > At some time we'll have to split the --enable-hybrid configure option
> > into two distinct options:
> > --enable-xauth
> > --enable-mode_cfg
>
> Excellent idea. And while we're at it, it will be useful to take a
> look at which functionality is supported in which mode, and to
> document / complete it.

If there is anything I can do to accelerate supporting my configurations, please let me know. My C isn't the best, but I'm willing to try some patching and testing if you show me the way.

-- 
Don Seiler do...@se...
From: Emmanuel D. <ma...@ne...> - 2005-04-04 14:49:09
On Mon, Apr 04, 2005 at 09:10:53AM -0500, Don Seiler wrote:
> If there is anything I can do to accelerate supporting my
> configurations, please let me know. My C isn't the best, but I'm
> willing to try some patching and testing if you show me the way.

Not everything is clear in your setup. But indeed you can investigate.

Look at src/racoon/isakmp_cfg.c. This is where ISAKMP mode config packets are handled. isakmp_cfg_r gets any ISAKMP mode config packet. These packets contain

    HDR HASH ATTR

isakmp_cfg_attr_r is called to handle the ATTR payload. ATTR starts with a payload header (struct isakmp_pl_attr), which has a type, chosen from the list (REQUEST, REPLY, SET, ACK). You get a SET, which is a configuration push. You have to reply by an ACK.

SETs are handled by isakmp_cfg_set. It examines what comes after the payload headers: a list of attributes (struct isakmp_data). Attributes have a type and a value. The only type supported in the code is XAUTH_STATUS, used by the edge device to tell the roadwarrior that it passed or failed authentication. You get attribute type 0, which is not defined in the documentation.

What you could do now is try to dump the attribute value. You can do that by adding a call to plogdump(LLV_INFO, (char *)attr, tlen); after the "Unexpected SET attribute" error message.

Maybe the edge device just sends you an empty attribute of type 0 just to check if you support ISAKMP mode config. There is no vendor ID for this extension, so that could be an explanation. Whatever this attribute is for, the IETF draft requires racoon to answer by an ACK.

You can test for attribute type 0 in isakmp_cfg_set, allocate and set reply_attr, which is the attribute sent back by racoon:

    vchar_t *buffer;

    /* one isakmp_data header is enough for an empty TV reply */
    if ((buffer = vmalloc(sizeof(*reply_attr))) == NULL) {
        plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
        return NULL;
    }

    reply_attr = (struct isakmp_data *)buffer->v;
    /* echo the received type as a TV attribute with a zero value */
    reply_attr->type = htons(type | ISAKMP_GEN_TV);
    reply_attr->lorv = htons(0);

-- 
Emmanuel Dreyfus ma...@ne...
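To make the walk Emmanuel describes concrete, here is an added example, written for this thread and not taken from racoon's isakmp_cfg.c: it parses the attribute list that follows the ATTR payload header, distinguishes Type/Value (AF bit set) from Type/Length/Value attributes, refuses a TLV whose length runs past the payload (the point at which a naive walker starts reading value bytes as attribute "types", which is what a run of nonsense numbers like 6400 and 26824 in a log suggests), and builds the empty-TV ACK list his snippet sketches. The names cfg_attr, cfg_parse_attrs and cfg_build_ack are invented for the example; the sample SET bytes are constructed to resemble the attributes in Don's log, and the attribute names come from the mode-config and XAUTH drafts.

```c
/*
 * Added example (not racoon's code): walk the attribute list that follows the
 * ATTR payload header of an ISAKMP mode-config message, then build the ACK
 * attribute list a responder would send back for a SET. Wire format per
 * RFC 2408 section 3.3 (data attributes); struct/function names are invented.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ISAKMP_GEN_TV 0x8000u   /* AF bit set: Type/Value, the 2-byte lorv is the value */

/* Message types in the ATTR payload header (mode-config draft). */
enum { CFG_REQUEST = 1, CFG_REPLY = 2, CFG_SET = 3, CFG_ACK = 4 };

struct cfg_attr {
    uint16_t       type;   /* 15-bit attribute type, AF bit stripped */
    int            is_tv;  /* 1: the value lives in the 16-bit lorv field */
    uint16_t       value;  /* valid when is_tv */
    const uint8_t *data;   /* valid when !is_tv: points into the payload */
    uint16_t       len;    /* valid when !is_tv */
};

/* Names for the attribute types that appear in this thread. */
const char *cfg_attr_name(uint16_t type)
{
    switch (type) {
    case 1:     return "INTERNAL_IP4_ADDRESS";
    case 2:     return "INTERNAL_IP4_NETMASK";
    case 3:     return "INTERNAL_IP4_DNS";
    case 4:     return "INTERNAL_IP4_NBNS";
    case 13:    return "INTERNAL_IP4_SUBNET";
    case 16527: return "XAUTH_STATUS";
    default:    return "unknown";
    }
}

/*
 * Parse the attributes in buf[0..len). Returns the number parsed, or -1 if an
 * attribute header is truncated or a TLV length runs past the payload.
 */
int cfg_parse_attrs(const uint8_t *buf, size_t len, struct cfg_attr *out, size_t max)
{
    size_t off = 0, n = 0;
    while (off < len) {
        uint16_t type, lorv;
        if (len - off < 4 || n >= max)
            return -1;                         /* need type + lorv, and room in out[] */
        memcpy(&type, buf + off, 2);
        memcpy(&lorv, buf + off + 2, 2);
        type = ntohs(type);
        lorv = ntohs(lorv);
        out[n].type  = type & ~ISAKMP_GEN_TV;
        out[n].is_tv = (type & ISAKMP_GEN_TV) != 0;
        if (out[n].is_tv) {
            out[n].value = lorv; out[n].data = NULL; out[n].len = 0;
            off += 4;
        } else {
            if (lorv > len - off - 4)
                return -1;                     /* TLV claims more bytes than remain */
            out[n].value = 0; out[n].data = buf + off + 4; out[n].len = lorv;
            off += 4 + (size_t)lorv;
        }
        n++;
    }
    return (int)n;
}

/*
 * Build the ACK body: one empty TV attribute per received type, the shape
 * Emmanuel suggests (type | ISAKMP_GEN_TV, lorv = 0). Returns bytes written or -1.
 */
int cfg_build_ack(const struct cfg_attr *attrs, int n, uint8_t *out, size_t cap)
{
    if (n < 0 || (size_t)n * 4 > cap)
        return -1;
    for (int i = 0; i < n; i++) {
        uint16_t t = htons((uint16_t)(attrs[i].type | ISAKMP_GEN_TV));
        uint16_t v = htons(0);
        memcpy(out + 4 * i, &t, 2);
        memcpy(out + 4 * i + 2, &v, 2);
    }
    return n * 4;
}

/* Constructed SET attribute list, shaped like the attributes in Don's log. */
static const uint8_t sample_set[] = {
    0x00, 0x01, 0x00, 0x04, 10, 0, 0, 5,                   /* INTERNAL_IP4_ADDRESS (TLV) */
    0x00, 0x02, 0x00, 0x04, 255, 255, 255, 0,              /* INTERNAL_IP4_NETMASK (TLV) */
    0x00, 0x0d, 0x00, 0x08, 10, 1, 0, 0, 255, 255, 0, 0,   /* INTERNAL_IP4_SUBNET (TLV) */
    0x00, 0x00, 0x00, 0x00,                                /* attribute type 0, empty TLV */
    0xc0, 0x8f, 0x00, 0x01,                                /* XAUTH_STATUS (TV), value 1 */
};
/* Constructed malformed list: a DNS attribute claiming 6400 bytes, 4 present. */
static const uint8_t sample_bad[] = { 0x00, 0x03, 0x19, 0x00, 1, 2, 3, 4 };

int main(void)
{
    struct cfg_attr attrs[8];
    uint8_t ack[32];
    int n = cfg_parse_attrs(sample_set, sizeof sample_set, attrs, 8);
    for (int i = 0; i < n; i++)
        printf("attr %u (%s) %s len %u\n", (unsigned)attrs[i].type,
               cfg_attr_name(attrs[i].type), attrs[i].is_tv ? "TV" : "TLV",
               attrs[i].is_tv ? 2u : (unsigned)attrs[i].len);
    printf("ack body: %d bytes\n", cfg_build_ack(attrs, n, ack, sizeof ack));
    printf("malformed sample parses as %d\n",
           cfg_parse_attrs(sample_bad, sizeof sample_bad, attrs, 8));
    return 0;
}
```

The bounds check on the TLV length is the part worth keeping in mind when patching isakmp_cfg_set: once a walker trusts a peer-supplied length it can stride off the end of the payload and report junk types, or loop without advancing if it ever treats a zero-length attribute as "retry".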
From: Don S. <do...@se...> - 2005-04-04 15:08:08
On 14:49 Mon 04 Apr , Emmanuel Dreyfus wrote:
> Not everything is clear in your setup. But indeed you can investigate.

What information can I provide to make things more clear?

> You get attribute type 0, which is not defined in the documentation.
> What you could do now is trying to dump the attribute value. You can do that
> by adding a call to plogdump(LLV_INFO, (char *)attr, tlen); after the
> "Unexpected SET attribute" error message.

What are your thoughts on the flooding of those messages killing my racoon daemon? Unavoidable?

I've also notified the VPN vendor (Secure Computing), as they were interested in seeing it work as well.

-- 
Don Seiler do...@se...
From: Don S. <do...@se...> - 2005-04-01 20:08:25
On 10:24 Fri 01 Apr , F. Senault wrote:
> Yes, it is. Actually, that's probably the reason behind all the logs
> you referenced. It seems that the system at the other end of the tunnel
> tries to configure your end, just like it would do to a classical
> roadwarrior, but I think we only support it in the hybrid modes
> (xauth_psk, hybrid_rsa, and maybe xauth_rsa when it'll be done).

Well that is just sorry news then. Ultimately I think I'll want hybrid_rsa_client.

Some more background, all the windows clients enter into QUICK mode. I do see QUICK mode in my racoon logs, and lots of hashing and numbers flying by. Then I get this:

    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 1
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 2
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 3
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 3
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 4
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 13
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 13
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 13
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 13
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 13
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 0
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 6400
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 26824
    Apr  1 13:58:08 linguo racoon: DEBUG: Unexpected SET attribute 0

And that final attribute 0 line will repeat very fast, causing racoon to die.

> It's the magic of NAT - once you have established the connection, it
> should flow in both ways.

I'll leave it for now, it doesn't seem to be a cause of any problems currently.

-- 
Don Seiler do...@se...
From: Don S. <do...@se...> - 2005-04-01 20:37:08
On 14:07 Fri 01 Apr , Don Seiler wrote:
> Some more background, all the windows clients enter into QUICK mode. I
> do see QUICK mode in my racoon logs, and lot of hashing and numbers
> flying by.

Just want to note that VPN admin says it does look like I'm still connected (even after racoon daemon has died). However any attempt to ping the remote machines gives either "Resource temporarily unavailable" and then later "No such process". Should I see new entries in my route table?

-- 
Don Seiler do...@se...