[Ipsec-tools-devel] Configuring a VPN with Racoon, on debian etch

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello list,

Please excuse me for subscribing to a devel list to ask for support, but i didn't find any other place to get help, if you can help me or point me to the right place i will really appreciate it!

if you dont hate me at this moment and have some minutes to help a user, I have the next problem:

I have to set up a VPN between a Debian etch server and a Nortel        Contivity 1750, behind this router lives the server I need to reach. (I only control the debian server)

Network topology

MyServer(DEBIAN) public IP: A.A.A.A/28
ExternalRouter(NORTEL)public IP: B.B.B.125/32
ExternalServer public IP: B.B.B.118/32

I dont have a router, and im not using firewalls nor NAT to avoid complications.

I found documentation for joining two private LANs, or to configure the gateways, but not about configuring a racoon in a server to connect to an existing VPN.

I am using debian, so I install using "aptitude install racoon" and it install "ipsec-tools" for dependencies, and used racoon-tool.

My /etc/racon/racon-tool.conf contains:

_________
# How to control the syslog level
global:
        log: notify

peer(B.B.B.125):
        exchange_mode: main
        lifetime: time 60 min
        hash_algorithm[0]: md5
        encryption_algorithm[0]: 3des
        authentication_method[0]: pre_shared_key
        dh_group[0]: 2

connection(me-they):
        src_ip: A.A.A.A
        dst_ip: B.B.B.125
        src_range: A.A.A.128/28
        dst_range: B.B.B.118/32
        admin_status: enabled
        lifetime: time 1410 min
        authentication_algorithm: hmac_md5
        encryption_algorithm: 3des
___________

When i tried to telnet or ping B.B.B.118

I get the next log from syslog:

__________

Sep 18 16:03:50 myserver racoon: INFO: IPsec-SA request for B.B.B.125 queued due to no phase1 found. 
Sep 18 16:03:50 myserver racoon: INFO: initiate new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.125[500] 
Sep 18 16:03:50 myserver racoon: INFO: begin Identity Protection mode. 
Sep 18 16:03:50 myserver racoon: INFO: received Vendor ID: DPD 
Sep 18 16:03:50 myserver racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1. 
Sep 18 16:03:50 myserver racoon: INFO: ISAKMP-SA established A.A.A.A[500]-B.B.B.125[500] spi:6d1a2cb39e6fc8cd:2c15622583be4b45 
Sep 18 16:03:51 myserver racoon: INFO: purging ISAKMP-SA spi=6d1a2cb39e6fc8cd:2c15622583be4b45. 
Sep 18 16:03:51 myserver racoon: INFO: purged ISAKMP-SA spi=6d1a2cb39e6fc8cd:2c15622583be4b45. 
Sep 18 16:03:52 myserver racoon: INFO: ISAKMP-SA deleted 65.247.241.140[500]-200.1.124.125[500] spi:6d1a2cb39e6fc8cd:2c15622583be4b45 
Sep 18 16:04:21 myserver racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP B.B.B.125[0]->A.A.A.A[0]  
Sep 18 16:04:21 myserver racoon: INFO: delete phase 2 handler. 
_____________________

If I am right the racoon is being called when I telnet or ping the server B.B.B.118, however i dont get response...

I contacted the external router/server admin, and he says I complete phase1 but the packets his server receives, come from the internet, not from the tunnel and thats why the server doesn't answer me

I tried using things like:

ip route add B.B.B.118 via B.B.B.125 src A.A.A.A

somewhere, i found that i had to use: 

ip route add OTHER_NETWORK via LOCAL_DEFAULT_GW src INTERNAL_IP

but it didn't work too,

the command "setkey -DP" gives me:

B.B.B.118[any] A.A.A.128/28[any] any
        in ipsec
        esp/tunnel/B.B.B.125-A.A.A.A/unique#16385
        created: Sep 18 16:03:37 2007  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=2352 seq=12 pid=9173
        refcnt=1
A.A.A.128/28[any] B.B.B.118[any] any
        out ipsec
        esp/tunnel/A.A.A.A-B.B.B.125/unique#16384
        created: Sep 18 16:03:37 2007  lastused: Sep 18 16:03:50 2007
        lifetime: 0(s) validtime: 0(s)
        spid=2345 seq=11 pid=9173
        refcnt=1
B.B.B.118[any] A.A.A.128/28[any] any
        fwd ipsec
        esp/tunnel/B.B.B.125-A.A.A.A/require
        created: Sep 18 16:03:37 2007  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=2362 seq=10 pid=9173
        refcnt=1

I enabled forwarding on /etc/sysctl.conf and in
/proc/sys/net/ipv4/ip_forward

I DONT KNOW WHAT ELSE SHOULD I DO TO MAKE IT WORK, CAN SOMEBODY GIVE ME A HAND PLEASE?

Thanks in advance for any help

Jorge
-------------------------------------
Saca tu propia cuenta de email gratis en Colombia entrando a http://mail.conexcol.com