[Ipsec-tools-devel] phase1 negotiation failed due to time up

[Lindsay H. <fmo...@fm...>]

This seems to be a common problem :-(  I'll try to be concise.

My setup is as follows:

I'm trying to set up a VPN from two boxes running Gentoo Linux, kernel
2.6.13.  One end is a public machine, Shakti.  The other end is a box on a
private LAN, Vishnu, with an RFC1918 address.  It's NAT'd behind a box
running Linux kernel 2.4, and because this box is already running FreeS/WAN
to another server (and because it's short on memory), it can't be upgraded
to kernel 2.6; however, it works fine as a firewall.

Shakti's IP address:	216.110.12.105		(public box)
Vishnu's IP address:	192.168.1.16		(NAT'd box)
Firewall's publilc IP:	70.112.241.55

Both Vishnu and Shakti are running kernels with the required ipsec support
(either built-in or installed as modules), as per Ralf Spenneberg's HOWTO at
<http://www.ipsec-howto.org/x299.html>, plus the ipcomp module.

Shakti, the public box, is set up with the following security polices:

    spdadd 216.110.12.105/32 192.168.1.0/24 any -P out ipsec
               esp/tunnel/216.110.12.105-192.168.1.16/require;

    spdadd 192.168.1.0/24 216.110.12.105/32 any -P in ipsec
               esp/tunnel/192.168.1.16-216.110.12.105/require;


Vishnu, the private box, has these security policies:

    spdadd 216.110.12.105/32 192.168.1.0/24 any -P in ipsec
               esp/tunnel/216.110.12.105-192.168.1.16/require;

    spdadd 192.168.1.0/24 216.110.12.105/32 any -P out ipsec
               esp/tunnel/192.168.1.16-216.110.12.105/require;

(I get the same result whether or not I have "/32" on the public server's IP
spec., but thought it might be appropriate since public server is, in
effect, a network of 1 address).


If someone can advise me on this, I can post additional parts of the
racoon.conf files on both boxes, but here's a summary.  On both boxes, I
have the following:

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }


sainfo has:

        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;

remote has:
        exchange_mode main;

and on Shakti, the public box, remote also has:
        nat_traversal on;

Shakti also has

        isakmp_natt 216.110.12.105 [4500];

in the 'listen' section.

----------

My results are as follows:

When I start racoon on the Shakti, the public server, I get these log
entries:

Oct 22 12:59:15 shakti racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
Oct 22 12:59:15 shakti racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[4500] used as isakmp port (fd=7)
Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[4500] used for NAT-T
Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[500] used as isakmp port (fd=8)
Oct 22 12:59:15 shakti racoon: INFO: 216.110.12.105[500] used for NAT-T

I start racoon on the private box and the log file on Shakti, the public
server, says:

Oct 22 13:01:42 shakti racoon: INFO: IPsec-SA request for 192.168.1.16 queued due to no phase1 found.
Oct 22 13:01:42 shakti racoon: INFO: initiate new phase 1 negotiation: 216.110.12.105[500]<=>192.168.1.16[500]
Oct 22 13:01:42 shakti racoon: INFO: begin Identity Protection mode.
Oct 22 13:01:58 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105 
Oct 22 13:01:58 shakti racoon: INFO: delete phase 2 handler.
Oct 22 13:01:58 shakti racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Oct 22 13:02:14 shakti racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.16->216.110.12.105 
Oct 22 13:02:14 shakti racoon: INFO: delete phase 2 handler.

Attempts to ping from the private box to the public box fail with similar
errors in the public box's log, e.g.:

on the private box:

# ping shakti.fmp.com
connect: Resource temporarily unavailable

and in the log on the public box:

Oct 22 13:12:15 shakti racoon: INFO: respond new phase 1 negotiation: 216.110.12.105[500]<=>70.112.241.55[500]
Oct 22 13:12:15 shakti racoon: INFO: begin Identity Protection mode.
Oct 22 13:12:15 shakti racoon: INFO: received Vendor ID: DPD
Oct 22 13:12:15 shakti racoon: INFO: ISAKMP-SA established 216.110.12.105[500]-70.112.241.55[500] spi:13933d92c29b29f0:1af211796737af14
Oct 22 13:12:16 shakti racoon: INFO: respond new phase 2 negotiation: 216.110.12.105[0]<=>70.112.241.55[0]
Oct 22 13:12:16 shakti racoon: INFO: IPsec-SA established: ESP/Tunnel 70.112.241.55->216.110.12.105 spi=222215331(0xd3ebca3)
Oct 22 13:12:16 shakti racoon: INFO: IPsec-SA established: ESP/Tunnel 216.110.12.105->70.112.241.55 spi=231738010(0xdd00a9a)
Oct 22 13:12:56 shakti racoon: ERROR: phase1 negotiation failed due to time up. de3fdf32bf2efefe:0000000000000000

I thought that maybe the SNAT masquerading on the gateway was timing out and
killing the tunnel, so I tried adding a DNAT rule to the gateway so that all
traffic to the gateway _originating_ on the public server goes to Vishnu
inside the LAN, but the results are exactly the same.

Can anyone advise me on how to troubleshoot this further, or where I might
look for more complete informaiton on setting up this VPN configuration?

-- 
Lindsay Haisley       | "Fighting against human |     PGP public key
FMP Computer Services |    creativity is like   |      available at
512-259-1190          |    trying to eradicate  | <http://pubkeys.fmp.com>
http://www.fmp.com    |        dandelions"      |
                      |      (Pamela Jones)     |