From: Lindsay H. <fmo...@fm...> - 2005-10-22 18:33:59
This seems to be a common problem :-( I'll try to be concise.

My setup is as follows: I'm trying to set up a VPN from two boxes running Gentoo Linux, kernel 2.6.13. One end is a public machine, Shakti. The other end is a box on a private LAN, Vishnu, with an RFC1918 address. It's NAT'd behind a box running Linux kernel 2.4, and because this box is already running FreeS/WAN to another server (and because it's short on memory), it can't be upgraded to kernel 2.6; however, it works fine as a firewall.

    Shakti's IP address:  216.110.12.105 (public box)
    Vishnu's IP address:  192.168.1.16   (NAT'd box)
    Firewall's public IP: 70.112.241.55

Both Vishnu and Shakti are running kernels with the required ipsec support (either built-in or installed as modules), as per Ralf Spenneberg's HOWTO at <http://www.ipsec-howto.org/x299.html>, plus the ipcomp module.

Shakti, the public box, is set up with the following security policies:

    spdadd 216.110.12.105/32 192.168.1.0/24 any -P out ipsec esp/tunnel/216.110.12.105-192.168.1.16/require;
    spdadd 192.168.1.0/24 216.110.12.105/32 any -P in ipsec esp/tunnel/192.168.1.16-216.110.12.105/require;

Vishnu, the private box, has these security policies:

    spdadd 216.110.12.105/32 192.168.1.0/24 any -P in ipsec esp/tunnel/216.110.12.105-192.168.1.16/require;
    spdadd 192.168.1.0/24 216.110.12.105/32 any -P out ipsec esp/tunnel/192.168.1.16-216.110.12.105/require;

(I get the same result whether or not I have "/32" on the public server's IP spec., but thought it might be appropriate since the public server is, in effect, a network of 1 address).

If someone can advise me on this, I can post additional parts of the racoon.conf files on both boxes, but here's a summary.

On both boxes, I have the following:

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }

sainfo has:

    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;

remote has:

    exchange_mode main;

and on Shakti, the public box, remote also has:

    nat_traversal on;

Shakti also has

    isakmp_natt 216.110.12.105 [4500];

in the 'listen' section.

----------

My results are as follows:

When I start racoon on Shakti, the public server, I get these log entries:

    Oct 22 12:59:15 shakti racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
    Oct 22 12:59:15 shakti racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
    Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[4500] used as isakmp port (fd=7)
    Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[4500] used for NAT-T
    Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[500] used as isakmp port (fd=8)
    Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[500] used for NAT-T

I start racoon on the private box and the log file on Shakti, the public server, says:

    Oct 22 13:01:42 shakti racoon: INFO: IPsec-SA request for 192.168.1.16 queued due to no phase1 found.
    Oct 22 13:01:42 shakti racoon: INFO: initiate new phase 1 negotiation: 216.110.12.105[500]<=>192.168.1.16[500]
    Oct 22 13:01:42 shakti racoon: INFO: begin Identity Protection mode.
    Oct 22 13:01:58 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105
    Oct 22 13:01:58 shakti racoon: INFO: delete phase 2 handler.
    Oct 22 13:01:58 shakti racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Oct 22 13:02:14 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105
    Oct 22 13:02:14 shakti racoon: INFO: delete phase 2 handler.

Attempts to ping from the private box to the public box fail with similar errors in the public box's log, e.g.:

on the private box:

    # ping shakti.fmp.com
    connect: Resource temporarily unavailable

and in the log on the public box:

    Oct 22 13:12:15 shakti racoon: INFO: respond new phase 1 negotiation: 216.110.12.105[500]<=>70.112.241.55[500]
    Oct 22 13:12:15 shakti racoon: INFO: begin Identity Protection mode.
    Oct 22 13:12:15 shakti racoon: INFO: received Vendor ID: DPD
    Oct 22 13:12:15 shakti racoon: INFO: ISAKMP-SA established 216.110.12.105[500]-70.112.241.55[500] spi:13933d92c29b29f0:1af211796737af14
    Oct 22 13:12:16 shakti racoon: INFO: respond new phase 2 negotiation: 216.110.12.105[0]<=>70.112.241.55[0]
    Oct 22 13:12:16 shakti racoon: INFO: IPsec-SA established: ESP/Tunnel 70.112.241.55->216.110.12.105 spi=222215331(0xd3ebca3)
    Oct 22 13:12:16 shakti racoon: INFO: IPsec-SA established: ESP/Tunnel 216.110.12.105->70.112.241.55 spi=231738010(0xdd00a9a)
    Oct 22 13:12:56 shakti racoon: ERROR: phase1 negotiation failed due to time up. de3fdf32bf2efefe:0000000000000000

I thought that maybe the SNAT masquerading on the gateway was timing out and killing the tunnel, so I tried adding a DNAT rule to the gateway so that all traffic to the gateway _originating_ on the public server goes to Vishnu inside the LAN, but the results are exactly the same.

Can anyone advise me on how to troubleshoot this further, or where I might look for more complete information on setting up this VPN configuration?

-- 
Lindsay Haisley          | "Fighting against human  | PGP public key
FMP Computer Services    |  creativity is like      | available at
512-259-1190             |  trying to eradicate     | <http://pubkeys.fmp.com>
http://www.fmp.com       |  dandelions"             |
                         |  (Pamela Jones)          |
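A diagnostic that a reader can run against the policies and log lines quoted in the message above, added here as an example and not part of the original post or of ipsec-tools. It parses the setkey `spdadd` lines from the public box, extracts the `esp/tunnel/LOCAL-REMOTE` endpoints, and flags any endpoint in RFC 1918 space; it then reads the racoon log and correlates each "initiate new phase 1 negotiation" with the "phase2 negotiation failed due to time up waiting for phase1" errors that follow it. On the post's data the public box is initiating phase 1 toward 192.168.1.16, an address that is not routable from the public Internet, which is exactly the peer the timeouts refer to. The regular expressions assume the log and policy wording shown in the post; the embedded sample lines are copied from it.

```python
"""Check setkey SPD tunnel endpoints and racoon phase-1/phase-2 log lines
for peers in private address space.  Example code written for this
thread; it is not part of ipsec-tools or of the original message."""
import ipaddress
import re

# setkey policy syntax as used in the post:
#   spdadd SRC DST UPPER -P DIR ipsec esp/tunnel/LOCAL-REMOTE/LEVEL;
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+esp/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;"
)

# racoon messages relevant to this failure mode (wording as quoted in the post)
PHASE1_RE = re.compile(
    r"initiate new phase 1 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]"
)
P2_TIMEOUT_RE = re.compile(
    r"phase2 negotiation failed due to time up waiting for phase1\. "
    r"ESP (?P<src>[\d.]+)->(?P<dst>[\d.]+)"
)

# Sample input: the public box's two spdadd lines, copied from the post.
SHAKTI_SPD = """
spdadd 216.110.12.105/32 192.168.1.0/24 any -P out ipsec esp/tunnel/216.110.12.105-192.168.1.16/require;
spdadd 192.168.1.0/24 216.110.12.105/32 any -P in ipsec esp/tunnel/192.168.1.16-216.110.12.105/require;
"""

# Sample input: the public box's racoon log after the private box started, copied from the post.
SHAKTI_LOG = [
    "Oct 22 13:01:42 shakti racoon: INFO: IPsec-SA request for 192.168.1.16 queued due to no phase1 found.",
    "Oct 22 13:01:42 shakti racoon: INFO: initiate new phase 1 negotiation: 216.110.12.105[500]<=>192.168.1.16[500]",
    "Oct 22 13:01:42 shakti racoon: INFO: begin Identity Protection mode.",
    "Oct 22 13:01:58 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105",
    "Oct 22 13:01:58 shakti racoon: INFO: delete phase 2 handler.",
    "Oct 22 13:01:58 shakti racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.",
    "Oct 22 13:02:14 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105",
    "Oct 22 13:02:14 shakti racoon: INFO: delete phase 2 handler.",
]


def is_private(addr):
    """True for addresses in private ranges (RFC 1918 among them)."""
    return ipaddress.ip_address(addr).is_private


def parse_spd(text):
    """Return one dict per spdadd line found in text (keys from SPD_RE)."""
    return [m.groupdict() for m in SPD_RE.finditer(text)]


def check_spd(policies):
    """Flag tunnel endpoints that sit in private address space.

    A public host cannot send IKE to such an endpoint directly; the
    tunnel endpoint it sees should be the NAT gateway's public address.
    Returns a list of (direction, offending endpoint) tuples."""
    findings = []
    for p in policies:
        for endpoint in (p["tsrc"], p["tdst"]):
            if is_private(endpoint):
                findings.append((p["dir"], endpoint))
    return findings


def analyze_log(lines):
    """Correlate phase-1 initiations with phase-2 timeouts.

    Returns {"phase1_peers": {peer: is_private}, "phase2_timeouts": n}."""
    report = {"phase1_peers": {}, "phase2_timeouts": 0}
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:
            report["phase1_peers"][m["peer"]] = is_private(m["peer"])
        elif P2_TIMEOUT_RE.search(line):
            report["phase2_timeouts"] += 1
    return report


if __name__ == "__main__":
    for direction, endpoint in check_spd(parse_spd(SHAKTI_SPD)):
        print(f"SPD ({direction}): tunnel endpoint {endpoint} is in private address space")
    report = analyze_log(SHAKTI_LOG)
    for peer, private in report["phase1_peers"].items():
        print(f"phase 1 initiated toward {peer} (private: {private})")
    print(f"phase 2 requests that timed out waiting for phase 1: {report['phase2_timeouts']}")
```

Run it as-is to see the two SPD findings and the log correlation; point `parse_spd` at the output of `setkey -DP` and `analyze_log` at a real racoon log to apply the same check to another host. The checker only reports the mismatch between the configured tunnel endpoint and what is reachable from the public side; deciding what the endpoint should be is still a configuration question for the two peers.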