Thread: [Ipsec-tools-devel] racoon config problem?
From: Paul W. <Pau...@ta...> - 2007-03-01 16:11:30
I'm trying to get racoon to establish a vpn tunnel with a cisco pix, but I'm failing miserably. I hope someone can help. I'm trying on ubuntu with 2.6.17-11. Racoon 0.6.6.

It seems to get through phase 1 ok, when I ping the remote end I get "connect: Resource temporarily unavailable" and a setkey -D shows:

12.123.12.123 192.168.67.150
	esp mode=tunnel spi=84446182(0x05088be6) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
	created: Mar  1 15:52:20 2007	current: Mar  1 15:52:23 2007
	diff: 3(s)	hard: 30(s)	soft: 0(s)
	last:			hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=9604 refcnt=0
192.168.67.150 12.123.12.123
	esp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval
	created: Mar  1 15:52:20 2007	current: Mar  1 15:52:23 2007
	diff: 3(s)	hard: 30(s)	soft: 0(s)
	last:			hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=9604 refcnt=0

My phase1-up.sh script has:

ifconfig eth0:1 192.168.76.250
ip route del default dev
ip route add 12.123.12.123 via 192.168.64.1 dev eth0
ip route add default via 192.168.64.1 dev eth0:1

spdadd 192.168.76.250/32[any] 0.0.0.0/0[any] any \
	-P out ipsec \
	esp/tunnel/192.168.67.150[4500]-82.111.17.252[4500]/require;
spdadd 0.0.0.0/0[any] 192.168.76.250[any] any \
	-P in ipsec \
	esp/tunnel/12.123.12.123[4500]-192.168.67.150[4500]/require;

192.168.67.150 is my local ip outside the vpn.

My racoon.conf is:

path pre_shared_key "/var/run/psk.txt";

remote 12.123.12.123 {
	exchange_mode aggressive;
	proposal_check obey;
	passive off;
	script "/etc/scripts/phase1-up.sh" phase1_up;
	script "/etc/scripts/phase1-down.sh" phase1_down;
	nat_traversal on;
	# dpd on;
	# dpd_delay 20;
	mode_cfg off;
	my_identifier keyid "/var/run/keyid";
	proposal {
		authentication_method pre_shared_key;
		encryption_algorithm aes;
		hash_algorithm sha1;
		dh_group 2;
	}
}

sainfo anonymous {
	pfs_group 2;
	encryption_algorithm aes, 3des;
	authentication_algorithm hmac_sha1, hmac_sha256, hmac_md5;
	compression_algorithm deflate;
}

and the racoon.log has:

2007-03-01 15:45:33: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2007-03-01 15:45:33: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
2007-03-01 15:45:34: NOTIFY: NAT-T is enabled, autoconfiguring ports
2007-03-01 15:45:34: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2007-03-01 15:45:34: INFO: 127.0.0.1[500] used for NAT-T
2007-03-01 15:45:34: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
2007-03-01 15:45:34: INFO: 127.0.0.1[4500] used for NAT-T
2007-03-01 15:45:34: INFO: 192.168.67.150[500] used as isakmp port (fd=9)
2007-03-01 15:45:34: INFO: 192.168.67.150[500] used for NAT-T
2007-03-01 15:45:34: INFO: 192.168.67.150[4500] used as isakmp port (fd=10)
2007-03-01 15:45:34: INFO: 192.168.67.150[4500] used for NAT-T
2007-03-01 15:45:34: INFO: ::1[500] used as isakmp port (fd=11)
2007-03-01 15:45:34: INFO: ::1[4500] used as isakmp port (fd=12)
2007-03-01 15:45:34: INFO: fe80::216:d4ff:fe1b:f8f8%eth0[500] used as isakmp port (fd=13)
2007-03-01 15:45:34: INFO: fe80::216:d4ff:fe1b:f8f8%eth0[4500] used as isakmp port (fd=14)
2007-03-01 15:45:40: INFO: accept a request to establish IKE-SA: 82.111.17.252
2007-03-01 15:45:40: INFO: initiate new phase 1 negotiation: 192.168.67.150[500]<=>82.111.17.252[500]
2007-03-01 15:45:40: INFO: begin Aggressive mode.
2007-03-01 15:45:41: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2007-03-01 15:45:41: INFO: received Vendor ID: DPD
2007-03-01 15:45:41: INFO: received Vendor ID: CISCO-UNITY
2007-03-01 15:45:41: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2007-03-01 15:45:41: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-03-01 15:45:41: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2007-03-01 15:45:41: INFO: Hashing 192.168.67.150[500] with algo #2
2007-03-01 15:45:41: INFO: NAT-D payload #-1 doesn't match
2007-03-01 15:45:41: INFO: Hashing 12.123.12.123[500] with algo #2
2007-03-01 15:45:41: INFO: NAT-D payload #0 doesn't match
2007-03-01 15:45:41: INFO: NAT detected: ME PEER
2007-03-01 15:45:41: INFO: KA list add: 192.168.67.150[4500]->12.123.12.123[4500]
2007-03-01 15:45:41: INFO: Adding remote and local NAT-D payloads.
2007-03-01 15:45:41: INFO: Hashing 12.123.12.123[4500] with algo #2
2007-03-01 15:45:41: INFO: Hashing 192.168.67.150[4500] with algo #2
2007-03-01 15:45:41: INFO: ISAKMP-SA established 192.168.67.150[4500]-12.123.12.123[4500] spi:c38e534b1be22c06:25d52dd5067f63b6
2007-03-01 15:45:41: INFO: unsupported PF_KEY message REGISTER
2007-03-01 15:45:46: NOTIFY: NAT-T is enabled, autoconfiguring ports
2007-03-01 15:45:46: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2007-03-01 15:45:46: INFO: 127.0.0.1[500] used for NAT-T
2007-03-01 15:45:46: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
2007-03-01 15:45:46: INFO: 127.0.0.1[4500] used for NAT-T
2007-03-01 15:45:46: INFO: 192.168.67.150[500] used as isakmp port (fd=9)
2007-03-01 15:45:46: INFO: 192.168.67.150[500] used for NAT-T
2007-03-01 15:45:46: INFO: 192.168.67.150[4500] used as isakmp port (fd=10)
2007-03-01 15:45:46: INFO: 192.168.67.150[4500] used for NAT-T
2007-03-01 15:45:46: INFO: 192.168.76.250[500] used as isakmp port (fd=11)
2007-03-01 15:45:46: INFO: 192.168.76.250[500] used for NAT-T
2007-03-01 15:45:46: INFO: 192.168.76.250[4500] used as isakmp port (fd=12)
2007-03-01 15:45:46: INFO: 192.168.76.250[4500] used for NAT-T
2007-03-01 15:45:46: INFO: ::1[500] used as isakmp port (fd=13)
2007-03-01 15:45:46: INFO: ::1[4500] used as isakmp port (fd=14)
2007-03-01 15:45:46: INFO: fe80::216:d4ff:fe1b:f8f8%eth0[500] used as isakmp port (fd=15)
2007-03-01 15:45:46: INFO: fe80::216:d4ff:fe1b:f8f8%eth0[4500] used as isakmp port (fd=16)
2007-03-01 15:45:54: INFO: initiate new phase 2 negotiation: 192.168.67.150[4500]<=>12.123.12.123[4500]
2007-03-01 15:45:54: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2007-03-01 15:45:54: WARNING: Ignored short attribute 13
2007-03-01 15:45:54: WARNING: Ignored attribute 14
2007-03-01 15:45:54: WARNING: Ignored attribute 15
2007-03-01 15:45:54: WARNING: Short payload
2007-03-01 15:45:59: WARNING: Short payload
2007-03-01 15:46:04: ERROR: packet shorter than isakmp header size (0, 1955311039, 28)
2007-03-01 15:46:04: WARNING: Short payload
2007-03-01 15:46:09: ERROR: packet shorter than isakmp header size (0, 1955311039, 28)
2007-03-01 15:46:09: WARNING: Short payload
2007-03-01 15:46:14: ERROR: packet shorter than isakmp header size (0, 1955311039, 28)
2007-03-01 15:46:14: WARNING: Short payload
2007-03-01 15:46:19: WARNING: Short payload
2007-03-01 15:46:24: ERROR: 12.123.12.123give up to get IPsec-SA due to time up to wait.
2007-03-01 15:46:24: INFO: IPsec-SA expired: ESP/Tunnel 12.123.12.123[0]->192.168.67.150[0] spi=24565239(0x176d5f7)
2007-03-01 15:46:24: WARNING: Short payload
2007-03-01 15:46:29: WARNING: Short payload
2007-03-01 15:46:34: WARNING: Short payload
2007-03-01 15:46:39: WARNING: Short payload
2007-03-01 15:46:44: WARNING: Short payload

Many thanks
Paul
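The post above shows the classic signature of a tunnel whose IKE phase 1 succeeded but whose phase 2 (IPsec-SA) never completed: `setkey -D` lists both ESP entries in `state=larval` (one with `spi=0`, meaning the kernel reserved the entry but racoon never installed keys into it), and racoon.log reports "give up to get IPsec-SA due to time up to wait". The following is an added triage script, not code from the thread or from ipsec-tools. It parses `setkey -D` output and racoon.log lines, flags SAs the kernel cannot use, and reduces the log to a per-phase verdict. The embedded samples are constructed from the values in the post (the SAD sample is abridged); the function names and the verdict strings are this example's own.

```python
import re

# Constructed sample, abridged from the post's "setkey -D" output.
SAD_SAMPLE = """\
12.123.12.123 192.168.67.150
\tesp mode=tunnel spi=84446182(0x05088be6) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tcreated: Mar  1 15:52:20 2007\tcurrent: Mar  1 15:52:23 2007
\tsadb_seq=1 pid=9604 refcnt=0
192.168.67.150 12.123.12.123
\tesp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tcreated: Mar  1 15:52:20 2007\tcurrent: Mar  1 15:52:23 2007
\tsadb_seq=0 pid=9604 refcnt=0
"""

# Constructed sample: a subset of the racoon.log lines quoted in the post.
RACOON_LOG_SAMPLE = """\
2007-03-01 15:45:40: INFO: initiate new phase 1 negotiation: 192.168.67.150[500]<=>82.111.17.252[500]
2007-03-01 15:45:41: INFO: NAT detected: ME PEER
2007-03-01 15:45:41: INFO: ISAKMP-SA established 192.168.67.150[4500]-12.123.12.123[4500] spi:c38e534b1be22c06:25d52dd5067f63b6
2007-03-01 15:45:54: INFO: initiate new phase 2 negotiation: 192.168.67.150[4500]<=>12.123.12.123[4500]
2007-03-01 15:45:54: WARNING: Ignored short attribute 13
2007-03-01 15:45:54: WARNING: Short payload
2007-03-01 15:45:59: WARNING: Short payload
2007-03-01 15:46:04: ERROR: packet shorter than isakmp header size (0, 1955311039, 28)
2007-03-01 15:46:04: WARNING: Short payload
2007-03-01 15:46:24: ERROR: 12.123.12.123give up to get IPsec-SA due to time up to wait.
2007-03-01 15:46:24: INFO: IPsec-SA expired: ESP/Tunnel 12.123.12.123[0]->192.168.67.150[0] spi=24565239(0x176d5f7)
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
PROTOS = {"esp", "ah", "ipcomp"}


def parse_sad(text):
    """Parse `setkey -D` output: an unindented 'src dst' header line starts
    each SA, indented lines carry key=value details."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            src, dst = line.split()[:2]
            entries.append({"src": src, "dst": dst})
            continue
        if not entries:
            continue
        sa = entries[-1]
        tokens = line.split()
        if tokens[0] in PROTOS:
            sa["proto"] = tokens[0]
        for key, value in KV_RE.findall(line):
            sa[key] = value
    for sa in entries:
        # "84446182(0x05088be6)" -> 84446182; missing spi is treated as 0
        sa["spi"] = int(sa.get("spi", "0").split("(")[0])
    return entries


def find_stuck_sas(entries):
    """SAs the kernel cannot use: any state other than 'mature', or spi 0."""
    return [sa for sa in entries if sa.get("state") != "mature" or sa["spi"] == 0]


def summarize_racoon_log(lines):
    """Reduce racoon.log lines to per-phase flags and error counts."""
    summary = {"phase1_established": False, "phase2_initiated": False,
               "phase2_timed_out": False, "short_payloads": 0,
               "malformed_packets": 0, "errors": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, level, msg = m.groups()
        if "ISAKMP-SA established" in msg:
            summary["phase1_established"] = True
        elif "initiate new phase 2 negotiation" in msg:
            summary["phase2_initiated"] = True
        elif "give up to get IPsec-SA" in msg:
            summary["phase2_timed_out"] = True
        elif msg == "Short payload":
            summary["short_payloads"] += 1
        elif msg.startswith("packet shorter than isakmp header size"):
            summary["malformed_packets"] += 1
        if level == "ERROR":
            summary["errors"].append(f"{stamp} {msg}")
    return summary


def diagnose(sad_entries, log_lines):
    """Combine kernel SAD state and daemon log into one verdict string."""
    stuck = find_stuck_sas(sad_entries)
    summary = summarize_racoon_log(log_lines)
    if not summary["phase1_established"]:
        verdict = "phase1-not-established"
    elif summary["phase2_timed_out"] or stuck:
        verdict = "phase2-incomplete"
    else:
        verdict = "ok"
    return {"verdict": verdict, "stuck_sas": stuck, "log": summary}


if __name__ == "__main__":
    result = diagnose(parse_sad(SAD_SAMPLE), RACOON_LOG_SAMPLE.splitlines())
    print("verdict:", result["verdict"])
    for sa in result["stuck_sas"]:
        print(f"  {sa['src']} -> {sa['dst']} {sa.get('proto')} spi={sa['spi']} state={sa.get('state')}")
    for err in result["log"]["errors"]:
        print("  error:", err)
```

On a live host the two inputs would come from `setkey -D` and the racoon log file; the point of the verdict split is to stop looking at phase 1 settings (PSK, aggressive mode, NAT-T detection all succeeded in the post) and focus on what differs between the two ends' phase 2 proposals and selectors, which is where a larval SA with a zero SPI and a "give up to get IPsec-SA" timeout point.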