[Ipsec-tools-users] Configuration Assistance (or possible issue with racoon RoadWarrior setup)
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
[Ipsec-tools-users] Configuration Assistance (or possible issue with racoon RoadWarrior setup)
|
From: Troy L. Y. <tyo...@ec...> - 2011-10-19 23:05:52
|
Hoping someone on the list here can help out.
Trying to tackle a Roadwarrior Mode Config PSK+XAuth setup on Ubuntu Server
10.3 LTS using only ipsec-tools (racoon/setkey) v0.7.1 (from lucid repo).
Basic setup:
Internal Networks: 10.11.0.0/16
VPN Network: 172.16.1.0/24
External IF: eth1, Static IP Address
Internal IF: eth0, Static Private IP Address
This server is a VPN concentrator ONLY; it is not the default gateway for
the network it's guarding. Static routes are configured on the default
internal network gateway to pass all traffic for the VPN ModeConfig-assigned
subnet to the internal IF of the VPN Gateway.
I can get the connection into the VPN server fine, and can ping the VPN
Gateway and into the "internal" network from both the VPN gateway and the RW
system (WinXP w/ShrewSoft VPN Client 2.0).
I cannot, however, get a ping out to the RW system from either the VPN
server itself or from the "internal" network; the ping enters the internal
IF and is routed directly to the external IF without being
encapsulated/routed to the VPN connection.
I've shut down the Windows Firewall on the RW client.
I make no mods to setkey as it is presumed that racoon should be generating
the appropriate SAD/SPD entries. It _appears_ to be doing so; however,
attempting to hit the Mode Config-generated address routes directly out of
the external IF without being encrypted. Doesn't go anywhere, as I'm using
private IPs across the board for internal and Mode Config-generated IPs.
racoon.conf file from the server and outputs from iptables/ip
route/tcpdump/setkey -D/setkey -DP/sysctl follow (edited for security).
I also tried this on a Ubuntu Ocelot server with ipsec-tools v0.8; wasn't
able to even get this far (couldn't ping across the VPN at all), but that
may have been my config.
Any clues out there in user-land? Am I screwing this up?
--
Troy
=== /etc/racoon/racoon.conf (whitespace stripped)
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
isakmp *VPN_GW_EXT_IP* [500];
isakmp_natt *VPN_GW_EXT_IP* [4500];
adminsock disabled;
}
timer
{
natt_keepalive 10 seconds;
phase1 30 seconds;
phase2 20 seconds;
}
remote anonymous
{
exchange_mode aggressive;
verify_identifier on;
my_identifier user_fqdn "*VPN_GW_HOSTNAME@INT_AD_DOMAIN*";
peers_identifier user_fqdn "*SINGLE USER_FQDN LISTED IN PSK.TXT*";
passive on;
generate_policy unique;
ike_frag on;
nat_traversal on;
dpd_delay 15;
proposal_check claim;
lifetime time 6 hours;
proposal
{
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method xauth_psk_server;
dh_group 5;
}
}
mode_cfg
{
auth_source system;
conf_source local;
network4 172.16.1.1;
pool_size 253;
netmask4 255.255.255.0;
dns4 *INT_DNS1*,*INT_DNS2*,*INT_DNS3*;
nbns4 *INT_WINS1*,*INT_WINS2*;
split_network include 10.11.0.0/16;
default_domain "*INT_AD_DOMAIN*";
split_dns "*INT_AD_DOMAIN*";
auth_throttle 5;
}
sainfo anonymous
{
lifetime time 3600 seconds;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
pfs_group 5;
}
=== ip route output
*VPN_GW_EXT_NETWORK*/28 dev eth1 proto kernel scope link src
*VPN_GW_EXT_IP*
172.16.1.0/24 dev eth1 scope link src *VPN_GW_EXT_IP*
10.11.1.0/24 dev eth0 proto kernel scope link src *VPN_GW_INT_IP*
10.11.0.0/16 via *INT_GATEWAY* dev eth0
default via *VPN_GW_EXT_GATEWAY* dev eth1 metric 100
=== iptables output
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0xffffffff
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -p ah -j ACCEPT
-A POSTROUTING -s 172.16.1.0/24 -o eth1 -j SNAT --to-source *VPN_GW_EXT_IP*
-A POSTROUTING -o eth1 -j MASQUERADE
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -o lo -j ACCEPT
-A INPUT -s 10.11.0.0/16 -i eth0 -p tcp -m tcp --dport 22 -m state --state
NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p ah -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 4500 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -s 10.11.0.0/16 -i eth0 -p tcp -m tcp --dport 22 -m state --state
NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
-A FORWARD -s 172.16.1.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -d 172.16.1.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -o eth1 -m mark --mark 0x1 -j ACCEPT
=== sysctl -a (filtered) Output
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
=== setkey -D Output
*VPN_GW_EXT_IP*[4500] *FAR_END_DSL_IP*[4500]
esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*)
reqid=4(0x00000004)
E: aes-cbc *VARIOUS_HEX_STRINGS*
A: hmac-sha1 *VARIOUS_HEX_STRINGS*
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Oct 19 14:31:39 2011 current: Oct 19 14:46:19 2011
diff: 880(s) hard: 3600(s) soft: 2880(s)
last: Oct 19 14:31:40 2011 hard: 0(s) soft: 0(s)
current: 61940(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 429 hard: 0 soft: 0
sadb_seq=1 pid=14295 refcnt=0
*FAR_END_DSL_IP*[4500] *VPN_GW_EXT_IP*[4500]
esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*)
reqid=4(0x00000004)
E: aes-cbc *VARIOUS_HEX_STRINGS*
A: hmac-sha1 *VARIOUS_HEX_STRINGS*
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Oct 19 14:31:39 2011 current: Oct 19 14:46:19 2011
diff: 880(s) hard: 3600(s) soft: 2880(s)
last: Oct 19 14:31:40 2011 hard: 0(s) soft: 0(s)
current: 32993(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 415 hard: 0 soft: 0
sadb_seq=2 pid=14295 refcnt=0
*FAR_END_DSL_IP*[4500] *VPN_GW_EXT_IP*[4500]
esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*)
reqid=2(0x00000002)
E: aes-cbc *VARIOUS_HEX_STRINGS*
A: hmac-sha1 *VARIOUS_HEX_STRINGS*
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Oct 19 14:23:41 2011 current: Oct 19 14:46:20 2011
diff: 1359(s) hard: 3600(s) soft: 2880(s)
last: Oct 19 14:25:58 2011 hard: 0(s) soft: 0(s)
current: 1020(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 17 hard: 0 soft: 0
sadb_seq=0 pid=14295 refcnt=0
=== setkey -DP Output
10.11.0.0/16[any] 172.16.1.1[any] any
out prio def ipsec
esp/tunnel/*VPN_GW_EXT_IP*-*FAR_END_DSL_IP*/unique:4
created: Oct 19 14:31:39 2011 lastused: Oct 19 14:49:58 2011
lifetime: 3600(s) validtime: 0(s)
spid=1993 seq=1 pid=14296
refcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
fwd prio def ipsec
esp/tunnel/*FAR_END_DSL_IP*-*VPN_GW_EXT_IP*/unique:4
created: Oct 19 14:31:39 2011 lastused: Oct 19 14:49:58 2011
lifetime: 3600(s) validtime: 0(s)
spid=1986 seq=2 pid=14296
refcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
in prio def ipsec
esp/tunnel/*FAR_END_DSL_IP*-*VPN_GW_EXT_IP*/unique:4
created: Oct 19 14:31:39 2011 lastused:
lifetime: 3600(s) validtime: 0(s)
spid=1976 seq=3 pid=14296
refcnt=2
(per-socket policy)
Policy:[Invalid direciton]
created: Oct 19 11:08:17 2011 lastused: Oct 19 14:31:27 2011
lifetime: 0(s) validtime: 0(s)
spid=1900 seq=4 pid=14296
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Oct 19 11:08:17 2011 lastused: Oct 19 14:31:26 2011
lifetime: 0(s) validtime: 0(s)
spid=1891 seq=5 pid=14296
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Oct 19 11:08:17 2011 lastused: Oct 19 14:49:57 2011
lifetime: 0(s) validtime: 0(s)
spid=1884 seq=6 pid=14296
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Oct 19 11:08:17 2011 lastused: Oct 19 14:49:58 2011
lifetime: 0(s) validtime: 0(s)
spid=1875 seq=0 pid=14296
refcnt=1
=== tcpdump Output
* SUCCESSFUL PING FROM RW CLIENT *
[eth1] 15:36:05.501523 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500:
UDP-encap: ESP(spi=0xINSPI,seq=0xb), length 100
[eth1] 15:36:05.501692 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1028, length 40
[eth0] 15:36:05.501797 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1028, length 40
[eth0] 15:36:05.503529 IP *INT_HOST*1 > 172.16.1.1: ICMP echo reply, id 768,
seq 1028, length 40
[eth1] 15:36:05.503708 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500:
UDP-encap: ESP(spi=0xOUTSPI,seq=0xb), length 100
[eth1] 15:36:06.415621 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500:
UDP-encap: ESP(spi=0xINSPI,seq=0xc), length 100
[eth1] 15:36:06.415739 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1284, length 40
[eth0] 15:36:06.415795 IP 172.16.1.1 > *INT_HOST*1: ICMP echo request, id
768, seq 1284, length 40
[eth0] 15:36:06.416571 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768,
seq 1284, length 40
[eth1] 15:36:06.416710 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500:
UDP-encap: ESP(spi=0xOUTSPI,seq=0xc), length 100
[eth1] 15:36:07.384496 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500:
UDP-encap: ESP(spi=0xINSPI,seq=0xd), length 100
[eth1] 15:36:07.384615 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1540, length 40
[eth0] 15:36:07.384669 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1540, length 40
[eth0] 15:36:07.385316 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768,
seq 1540, length 40
[eth1] 15:36:07.385499 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500:
UDP-encap: ESP(spi=0xOUTSPI,seq=0xd), length 100
[eth1] 15:36:08.287506 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500:
UDP-encap: ESP(spi=0xINSPI,seq=0xe), length 100
[eth1] 15:36:08.287660 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1796, length 40
[eth0] 15:36:08.287717 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id
768, seq 1796, length 40
[eth0] 15:36:08.288310 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768,
seq 1796, length 40
[eth1] 15:36:08.288453 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500:
UDP-encap: ESP(spi=0xOUTSPI,seq=0xe), length 100
* FAILED PING FROM VPN GATEWAY *
[eth1] 15:33:14.991427 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth1] 15:33:15.991383 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth1] 15:33:16.991366 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth1] 15:33:18.007384 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth1] 15:33:19.007385 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth1] 15:33:20.007490 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
* FAILED PING FROM INTERNAL HOST *
[eth0] 15:27:12.927499 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id
512, seq 25857, length 40
[eth1] 15:27:12.931396 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth0] 15:27:15.934145 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id
512, seq 26113, length 40
[eth1] 15:27:15.935397 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth0] 15:27:18.938425 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id
512, seq 26369, length 40
[eth1] 15:27:18.939394 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
[eth0] 15:27:21.942403 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id
512, seq 26625, length 40
[eth1] 15:27:21.943394 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*,
length 28
=== iptstate Output
Source Destination Proto State TTL
*FAR_END_DSL_IP*:4500 *VPN_GW_EXT_IP*:4500 udp
0:02:59 - ESP connection from RW to VPN Gateway
*VPN_GW_EXT_IP* 172.16.1.1 icmp 8/0 (14286)
0:00:29 - Failing ping from VPN Gateway
172.16.1.1 *INT_HOST* icmp 8/0 (3)
0:00:29 - Successful ping from RW client
*INT_HOST2* 172.16.1.1 icmp 8/0 (2)
0:00:27 - Failing ping from internal system
172.16.1.1:1027 *INT_HOST*:3389 tcp ESTABLISHED
119:59:51 - Connection to internal host from RW
=== ip monitor all Output
* SUCCESSFUL PING FROM RW CLIENT *
[NEIGH]*INT_HOST* dev eth0 lladdr 00:MA:CA:DD:RE:SS STALE (after
approximately 15 seconds from first successful ping)
* FAILED PING FROM VPN GATEWAY OR INTERNAL HOST *
[NEIGH]172.16.1.1 dev eth1 FAILED
[NEIGH]172.16.1.1 dev eth1 FAILED
[NEIGH]172.16.1.1 dev eth1 FAILED
[NEIGH]172.16.1.1 dev eth1 FAILED
[
=== ping Outputs
* FROM RW CLIENT *
C:\> ping *INT_HOST*
Pinging *INT_HOST* with 32 bytes of data:
Reply from *INT_HOST*: bytes=32 time=179ms TTL=62
Reply from *INT_HOST*: bytes=32 time=205ms TTL=62
Reply from *INT_HOST*: bytes=32 time=218ms TTL=62
Reply from *INT_HOST*: bytes=32 time=182ms TTL=62
Ping statistics for *INT_HOST*:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 179ms, Maximum = 218ms, Average = 196ms
* FROM VPN GATEWAY *
root@*VPN_GW_HOSTNAME*:/root# ping 172.16.1.1 -c 4
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
>From *VPN_GW_EXT_IP* icmp_seq=1 Destination Host Unreachable
>From *VPN_GW_EXT_IP* icmp_seq=2 Destination Host Unreachable
>From *VPN_GW_EXT_IP* icmp_seq=3 Destination Host Unreachable
>From *VPN_GW_EXT_IP* icmp_seq=4 Destination Host Unreachable
--- 172.16.165.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3015ms
, pipe 3
* FROM INTERNAL HOST (Also WinXP) *
C:\>ping 172.16.1.1
Pinging 172.16.1.1 with 32 bytes of data:
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Ping statistics for 172.16.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
|