[Ipsec-tools-users] Configuration Assistance (or possible issue with racoon RoadWarrior setup)
From: Troy L. Y. <tyo...@ec...> - 2011-10-19 23:05:52
Hoping someone on the list here can help out. Trying to tackle a Roadwarrior Mode Config PSK+XAuth setup on Ubuntu Server 10.3 LTS using only ipsec-tools (racoon/setkey) v0.7.1 (from lucid repo).

Basic setup:
  Internal Networks: 10.11.0.0/16
  VPN Network: 172.16.1.0/24
  External IF: eth1, Static IP Address
  Internal IF: eth0, Static Private IP Address

This server is a VPN concentrator ONLY; it is not the default gateway for the network it's guarding. Static routes are configured on the default internal network gateway to pass all traffic for the VPN ModeConfig-assigned subnet to the internal IF of the VPN Gateway.

I can get the connection into the VPN server fine, and can ping the VPN Gateway and into the "internal" network from both the VPN gateway and the RW system (WinXP w/ShrewSoft VPN Client 2.0).

I cannot, however, get a ping out to the RW system from either the VPN server itself or from the "internal" network; the ping enters the internal IF and is routed directly to the external IF without being encapsulated/routed to the VPN connection. I've shut down the Windows Firewall on the RW client.

I make no mods to setkey as it is presumed that racoon should be generating the appropriate SAD/SPD entries. It _appears_ to be doing so; however, attempting to hit the Mode Config-generated address routes directly out of the external IF without being encrypted. Doesn't go anywhere, as I'm using private IPs across the board for internal and Mode Config-generated IPs.

racoon.conf file from the server and outputs from iptables/ip route/tcpdump/setkey -D/setkey -DP/sysctl follow (edited for security).

I also tried this on a Ubuntu Ocelot server with ipsec-tools v0.8; wasn't able to even get this far (couldn't ping across the VPN at all), but that may have been my config.

Any clues out there in user-land? Am I screwing this up?
--
Troy

=== /etc/racoon/racoon.conf (whitespace stripped)

path pre_shared_key "/etc/racoon/psk.txt";

listen {
	isakmp *VPN_GW_EXT_IP* [500];
	isakmp_natt *VPN_GW_EXT_IP* [4500];
	adminsock disabled;
}

timer {
	natt_keepalive 10 seconds;
	phase1 30 seconds;
	phase2 20 seconds;
}

remote anonymous {
	exchange_mode aggressive;
	verify_identifier on;
	my_identifier user_fqdn "*VPN_GW_HOSTNAME@INT_AD_DOMAIN*";
	peers_identifier user_fqdn "*SINGLE USER_FQDN LISTED IN PSK.TXT*";
	passive on;
	generate_policy unique;
	ike_frag on;
	nat_traversal on;
	dpd_delay 15;
	proposal_check claim;
	lifetime time 6 hours;
	proposal {
		encryption_algorithm aes 256;
		hash_algorithm sha1;
		authentication_method xauth_psk_server;
		dh_group 5;
	}
}

mode_cfg {
	auth_source system;
	conf_source local;
	network4 172.16.1.1;
	pool_size 253;
	netmask4 255.255.255.0;
	dns4 *INT_DNS1*,*INT_DNS2*,*INT_DNS3*;
	nbns4 *INT_WINS1*,*INT_WINS2*;
	split_network include 10.11.0.0/16;
	default_domain "*INT_AD_DOMAIN*";
	split_dns "*INT_AD_DOMAIN*";
	auth_throttle 5;
}

sainfo anonymous {
	lifetime time 3600 seconds;
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group 5;
}

=== ip route output

*VPN_GW_EXT_NETWORK*/28 dev eth1  proto kernel  scope link  src *VPN_GW_EXT_IP*
172.16.1.0/24 dev eth1  scope link  src *VPN_GW_EXT_IP*
10.11.1.0/24 dev eth0  proto kernel  scope link  src *VPN_GW_INT_IP*
10.11.0.0/16 via *INT_GATEWAY* dev eth0
default via *VPN_GW_EXT_GATEWAY* dev eth1  metric 100

=== iptables output

*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A INPUT -p esp -j MARK --set-xmark 0x1/0xffffffff
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -p esp -j ACCEPT
-A POSTROUTING -p ah -j ACCEPT
-A POSTROUTING -s 172.16.1.0/24 -o eth1 -j SNAT --to-source *VPN_GW_EXT_IP*
-A POSTROUTING -o eth1 -j MASQUERADE
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -o lo -j ACCEPT
-A INPUT -s 10.11.0.0/16 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p esp -j ACCEPT
-A INPUT -i eth1 -p ah -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 4500 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -s 10.11.0.0/16 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8/0 -m state --state NEW -j ACCEPT
-A FORWARD -s 172.16.1.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -d 172.16.1.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -m mark --mark 0x1 -j ACCEPT
-A FORWARD -o eth1 -m mark --mark 0x1 -j ACCEPT

=== sysctl -a (filtered) Output

net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.ip_dynaddr = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.src_valid_mark = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_accept = 0
net.ipv4.conf.all.arp_notify = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

=== setkey -D Output

*VPN_GW_EXT_IP*[4500] *FAR_END_DSL_IP*[4500]
	esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*) reqid=4(0x00000004)
	E: aes-cbc  *VARIOUS_HEX_STRINGS*
	A: hmac-sha1  *VARIOUS_HEX_STRINGS*
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Oct 19 14:31:39 2011	current: Oct 19 14:46:19 2011
	diff: 880(s)	hard: 3600(s)	soft: 2880(s)
	last: Oct 19 14:31:40 2011	hard: 0(s)	soft: 0(s)
	current: 61940(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 429	hard: 0	soft: 0
	sadb_seq=1 pid=14295 refcnt=0
*FAR_END_DSL_IP*[4500] *VPN_GW_EXT_IP*[4500]
	esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*) reqid=4(0x00000004)
	E: aes-cbc  *VARIOUS_HEX_STRINGS*
	A: hmac-sha1  *VARIOUS_HEX_STRINGS*
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Oct 19 14:31:39 2011	current: Oct 19 14:46:19 2011
	diff: 880(s)	hard: 3600(s)	soft: 2880(s)
	last: Oct 19 14:31:40 2011	hard: 0(s)	soft: 0(s)
	current: 32993(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 415	hard: 0	soft: 0
	sadb_seq=2 pid=14295 refcnt=0
*FAR_END_DSL_IP*[4500] *VPN_GW_EXT_IP*[4500]
	esp-udp mode=tunnel spi=*VALID_DEC_SPI*(0x*VALID_HEX_SPI*) reqid=2(0x00000002)
	E: aes-cbc  *VARIOUS_HEX_STRINGS*
	A: hmac-sha1  *VARIOUS_HEX_STRINGS*
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Oct 19 14:23:41 2011	current: Oct 19 14:46:20 2011
	diff: 1359(s)	hard: 3600(s)	soft: 2880(s)
	last: Oct 19 14:25:58 2011	hard: 0(s)	soft: 0(s)
	current: 1020(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 17	hard: 0	soft: 0
	sadb_seq=0 pid=14295 refcnt=0

=== setkey -DP Output

10.11.0.0/16[any] 172.16.1.1[any] any
	out prio def ipsec
	esp/tunnel/*VPN_GW_EXT_IP*-*FAR_END_DSL_IP*/unique:4
	created: Oct 19 14:31:39 2011  lastused: Oct 19 14:49:58 2011
	lifetime: 3600(s) validtime: 0(s)
	spid=1993 seq=1 pid=14296
	refcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
	fwd prio def ipsec
	esp/tunnel/*FAR_END_DSL_IP*-*VPN_GW_EXT_IP*/unique:4
	created: Oct 19 14:31:39 2011  lastused: Oct 19 14:49:58 2011
	lifetime: 3600(s) validtime: 0(s)
	spid=1986 seq=2 pid=14296
	refcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
	in prio def ipsec
	esp/tunnel/*FAR_END_DSL_IP*-*VPN_GW_EXT_IP*/unique:4
	created: Oct 19 14:31:39 2011  lastused:
	lifetime: 3600(s) validtime: 0(s)
	spid=1976 seq=3 pid=14296
	refcnt=2
(per-socket policy)
	Policy:[Invalid direciton]
	created: Oct 19 11:08:17 2011  lastused: Oct 19 14:31:27 2011
	lifetime: 0(s) validtime: 0(s)
	spid=1900 seq=4 pid=14296
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Oct 19 11:08:17 2011  lastused: Oct 19 14:31:26 2011
	lifetime: 0(s) validtime: 0(s)
	spid=1891 seq=5 pid=14296
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Oct 19 11:08:17 2011  lastused: Oct 19 14:49:57 2011
	lifetime: 0(s) validtime: 0(s)
	spid=1884 seq=6 pid=14296
	refcnt=1
(per-socket policy)
	Policy:[Invalid direciton]
	created: Oct 19 11:08:17 2011  lastused: Oct 19 14:49:58 2011
	lifetime: 0(s) validtime: 0(s)
	spid=1875 seq=0 pid=14296
	refcnt=1

=== tcpdump Output

* SUCCESSFUL PING FROM RW CLIENT *
[eth1] 15:36:05.501523 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500: UDP-encap: ESP(spi=0xINSPI,seq=0xb), length 100
[eth1] 15:36:05.501692 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1028, length 40
[eth0] 15:36:05.501797 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1028, length 40
[eth0] 15:36:05.503529 IP *INT_HOST*1 > 172.16.1.1: ICMP echo reply, id 768, seq 1028, length 40
[eth1] 15:36:05.503708 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500: UDP-encap: ESP(spi=0xOUTSPI,seq=0xb), length 100
[eth1] 15:36:06.415621 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500: UDP-encap: ESP(spi=0xINSPI,seq=0xc), length 100
[eth1] 15:36:06.415739 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1284, length 40
[eth0] 15:36:06.415795 IP 172.16.1.1 > *INT_HOST*1: ICMP echo request, id 768, seq 1284, length 40
[eth0] 15:36:06.416571 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768, seq 1284, length 40
[eth1] 15:36:06.416710 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500: UDP-encap: ESP(spi=0xOUTSPI,seq=0xc), length 100
[eth1] 15:36:07.384496 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500: UDP-encap: ESP(spi=0xINSPI,seq=0xd), length 100
[eth1] 15:36:07.384615 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1540, length 40
[eth0] 15:36:07.384669 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1540, length 40
[eth0] 15:36:07.385316 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768, seq 1540, length 40
[eth1] 15:36:07.385499 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500: UDP-encap: ESP(spi=0xOUTSPI,seq=0xd), length 100
[eth1] 15:36:08.287506 IP *FAR_END_DSL_IP*.4500 > *VPN_GW_EXT_IP*.4500: UDP-encap: ESP(spi=0xINSPI,seq=0xe), length 100
[eth1] 15:36:08.287660 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1796, length 40
[eth0] 15:36:08.287717 IP 172.16.1.1 > *INT_HOST*: ICMP echo request, id 768, seq 1796, length 40
[eth0] 15:36:08.288310 IP *INT_HOST* > 172.16.1.1: ICMP echo reply, id 768, seq 1796, length 40
[eth1] 15:36:08.288453 IP *VPN_GW_EXT_IP*.4500 > *FAR_END_DSL_IP*.4500: UDP-encap: ESP(spi=0xOUTSPI,seq=0xe), length 100

* FAILED PING FROM VPN GATEWAY *
[eth1] 15:33:14.991427 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth1] 15:33:15.991383 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth1] 15:33:16.991366 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth1] 15:33:18.007384 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth1] 15:33:19.007385 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth1] 15:33:20.007490 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28

* FAILED PING FROM INTERNAL HOST *
[eth0] 15:27:12.927499 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id 512, seq 25857, length 40
[eth1] 15:27:12.931396 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth0] 15:27:15.934145 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id 512, seq 26113, length 40
[eth1] 15:27:15.935397 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth0] 15:27:18.938425 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id 512, seq 26369, length 40
[eth1] 15:27:18.939394 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28
[eth0] 15:27:21.942403 IP *INT_HOST* > 172.16.1.1: ICMP echo request, id 512, seq 26625, length 40
[eth1] 15:27:21.943394 ARP, Request who-has 172.16.1.1 tell *VPN_GW_EXT_IP*, length 28

=== iptstate Output

Source                  Destination             Proto  State         TTL
*FAR_END_DSL_IP*:4500   *VPN_GW_EXT_IP*:4500    udp                  0:02:59    - ESP connection from RW to VPN Gateway
*VPN_GW_EXT_IP*         172.16.1.1              icmp   8/0 (14286)   0:00:29    - Failing ping from VPN Gateway
172.16.1.1              *INT_HOST*              icmp   8/0 (3)       0:00:29    - Successful ping from RW client
*INT_HOST2*             172.16.1.1              icmp   8/0 (2)       0:00:27    - Failing ping from internal system
172.16.1.1:1027         *INT_HOST*:3389         tcp    ESTABLISHED   119:59:51  - Connection to internal host from RW

=== ip monitor all Output

* SUCCESSFUL PING FROM RW CLIENT *
[NEIGH]*INT_HOST* dev eth0 lladdr 00:MA:CA:DD:RE:SS STALE
(after approximately 15 seconds from first successful ping)

* FAILED PING FROM VPN GATEWAY OR INTERNAL HOST *
[NEIGH]172.16.1.1 dev eth1  FAILED
[NEIGH]172.16.1.1 dev eth1  FAILED
[NEIGH]172.16.1.1 dev eth1  FAILED
[NEIGH]172.16.1.1 dev eth1  FAILED

=== ping Outputs

* FROM RW CLIENT *
C:\> ping *INT_HOST*

Pinging *INT_HOST* with 32 bytes of data:

Reply from *INT_HOST*: bytes=32 time=179ms TTL=62
Reply from *INT_HOST*: bytes=32 time=205ms TTL=62
Reply from *INT_HOST*: bytes=32 time=218ms TTL=62
Reply from *INT_HOST*: bytes=32 time=182ms TTL=62

Ping statistics for *INT_HOST*:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 179ms, Maximum = 218ms, Average = 196ms

* FROM VPN GATEWAY *
root@*VPN_GW_HOSTNAME*:/root# ping 172.16.1.1 -c 4
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
From *VPN_GW_EXT_IP* icmp_seq=1 Destination Host Unreachable
From *VPN_GW_EXT_IP* icmp_seq=2 Destination Host Unreachable
From *VPN_GW_EXT_IP* icmp_seq=3 Destination Host Unreachable
From *VPN_GW_EXT_IP* icmp_seq=4 Destination Host Unreachable

--- 172.16.165.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3015ms
, pipe 3

* FROM INTERNAL HOST (Also WinXP) *
C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.
Reply from *VPN_GW_EXT_IP*: Destination host unreachable.

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
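An added example, not part of Troy's post and not ipsec-tools code: a small Python checker that parses the selector entries of a `setkey -DP` dump in the layout reproduced above and reports which policy, if any, covers a given flow in a given direction. The dump, the RFC 5737 addresses standing in for *VPN_GW_EXT_IP* and *FAR_END_DSL_IP*, and the 10.11.1.50 stand-in for *INT_HOST* are all constructed here. The security point it makes visible: a packet the kernel cannot match to any SPD `out` entry is not dropped, it is handed to the ordinary routing table in cleartext. A ping the gateway originates itself toward 172.16.1.1 is sourced from the eth1 address (the `172.16.1.0/24 dev eth1 ... src *VPN_GW_EXT_IP*` route picks it), and the only `out` entry covers `10.11.0.0/16 -> 172.16.1.1`, so that flow gets no policy, which is consistent with the gateway ARPing for 172.16.1.1 on eth1 in the trace. The internal-host flow does match the `out` entry in this model (on Linux, `out` policies apply to forwarded packets as well; `fwd` is consulted on the inbound path), so selector mismatch alone does not account for that second failure.

```python
"""Check which setkey -DP policy (if any) covers a flow, from a dump in the
layout ipsec-tools prints.  Added example; the dump below is a constructed
stand-in for the one in the post, with RFC 5737 documentation addresses in
place of the post's *PLACEHOLDER* values."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

VPN_GW_EXT_IP = "198.51.100.10"   # stands in for *VPN_GW_EXT_IP* (eth1 address)
FAR_END_DSL_IP = "203.0.113.77"   # stands in for *FAR_END_DSL_IP* (road warrior)
INT_HOST = "10.11.1.50"           # stands in for *INT_HOST* (inside 10.11.0.0/16)

# Constructed: the three racoon-generated entries plus one per-socket entry,
# in the tab-indented layout of `setkey -DP` (detail lines partly elided).
SPD_DUMP = f"""\
10.11.0.0/16[any] 172.16.1.1[any] any
\tout prio def ipsec
\tesp/tunnel/{VPN_GW_EXT_IP}-{FAR_END_DSL_IP}/unique:4
\tcreated: Oct 19 14:31:39 2011  lastused: Oct 19 14:49:58 2011
\tlifetime: 3600(s) validtime: 0(s)
\tspid=1993 seq=1 pid=14296
\trefcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
\tfwd prio def ipsec
\tesp/tunnel/{FAR_END_DSL_IP}-{VPN_GW_EXT_IP}/unique:4
\tspid=1986 seq=2 pid=14296
\trefcnt=3
172.16.1.1[any] 10.11.0.0/16[any] any
\tin prio def ipsec
\tesp/tunnel/{FAR_END_DSL_IP}-{VPN_GW_EXT_IP}/unique:4
\tspid=1976 seq=3 pid=14296
\trefcnt=2
(per-socket policy)
\tPolicy:[Invalid direciton]
\tspid=1900 seq=4 pid=14296
\trefcnt=1
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str             # "any" or an upper-layer protocol name
    direction: str         # "in", "out" or "fwd"
    action: str            # "ipsec", "discard" or "none"
    tunnel: Optional[str]  # e.g. "esp/tunnel/A-B/unique:4"; None for bypass entries


# Selector line: "src[port] dst[port] proto", flush left.
SELECTOR_RE = re.compile(r"^([^\[\s]+)\[([^\]]+)\]\s+([^\[\s]+)\[([^\]]+)\]\s+(\S+)\s*$")
# Priority prints as "def", "high + N", "low - N" or a number, so match it loosely.
DIRECTION_RE = re.compile(r"^\s+(in|out|fwd)\s+prio\s+.*?\s*(ipsec|discard|none)\s*$")
TUNNEL_RE = re.compile(r"^\s+((?:esp|ah|ipcomp)/\S+)\s*$")


def parse_spd(dump: str) -> List[Policy]:
    """Parse the entries of a `setkey -DP` dump; per-socket policies are skipped."""
    policies: List[Policy] = []
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        sel = SELECTOR_RE.match(line)
        if not sel or line[:1].isspace() or i + 1 >= len(lines):
            continue
        hdr = DIRECTION_RE.match(lines[i + 1])
        if not hdr:
            continue
        tun = TUNNEL_RE.match(lines[i + 2]) if i + 2 < len(lines) else None
        policies.append(Policy(
            src=ipaddress.ip_network(sel.group(1), strict=False),
            dst=ipaddress.ip_network(sel.group(3), strict=False),
            proto=sel.group(5), direction=hdr.group(1), action=hdr.group(2),
            tunnel=tun.group(1) if tun else None))
    return policies


def lookup(policies: List[Policy], src: str, dst: str, direction: str) -> Optional[Policy]:
    """First policy whose selectors cover the flow, in dump order.  On Linux the
    `out` direction is applied to forwarded packets as well as locally generated
    ones; `fwd` is checked on the inbound path for packets that will be forwarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def describe(policies: List[Policy], src: str, dst: str, direction: str) -> str:
    p = lookup(policies, src, dst, direction)
    if p is None:
        return "no policy: sent in cleartext by the ordinary routing table"
    if p.action != "ipsec":
        return f"{p.action} policy"
    return f"ipsec via {p.tunnel}"


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    cases = [
        ("RW client -> internal host, after ESP decapsulation", "172.16.1.1", INT_HOST, "in"),
        ("internal host -> RW client (reply or new ping)", INT_HOST, "172.16.1.1", "out"),
        ("gateway's own ping, source = eth1 address", VPN_GW_EXT_IP, "172.16.1.1", "out"),
    ]
    for label, s, d, direction in cases:
        print(f"{label}: {describe(spd, s, d, direction)}")
```

To use it on a real host, feed the output of `setkey -DP` to `parse_spd` and call `lookup` with the source the kernel will actually pick for the flow (`ip route get <dst>` shows it); a `None` result for an `out` lookup means that traffic will leave unprotected.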