#11 Problem freeswan racoon interoperability

Status: closed
Owner: nobody
Priority: 5
Updated: 2009-01-16
Created: 2005-01-14
Creator: Anonymous
Private: No

Hi!

I've got a problem making a VPN connection between a
Linux roadwarrior running KAME's racoon IKE daemon with
the Linux kernel 2.6 IPsec stack and a gateway with a
dynamic IP address using dyn DNS. The gateway is running
freeswan 2.04 on a 2.4 kernel. It has been in production
for a year and is running smoothly with Windows 2000 and XP
roadwarriors. So I think the configuration of my
Mandrake Linux 10.1 is the problem. On the client
machine I'm also running a Windows XP installation from
which I can connect to the VPN!

Here are the log messages of the client and the
gateway when trying to establish a connection via an
ICMP echo request from the roadwarrior to the gateway:

Roadwarrior racoon.log:
client: INFO: @(#)ipsec-tools 0.5-rc1 (http://ipsec-tools.sourceforge.net)
client: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-01-14 16:04:32: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
client: INFO: 192.168.0.101[500] used as isakmp port (fd=7)
client: INFO: ::1[500] used as isakmp port (fd=8)
client: INFO: fe80::211:2fff:fe13:f3f%eth0[500] used as isakmp port (fd=9)
client: INFO: IPsec-SA request for <gateway's ip> queued due to no phase1 found.
client: INFO: initiate new phase 1 negotiation: 192.168.0.101[500]<=>80.138.164.3[500]
client: INFO: begin Identity Protection mode.
client: INFO: ISAKMP-SA established 192.168.0.101[500]-<gateway's ip>[500] spi:bff1bb588fe6b88d:1b1fecc2d8ebf346
client: INFO: initiate new phase 2 negotiation: 192.168.0.101[0]<=>80.138.164.3[0]
client: ERROR: pfkey UPDATE failed: Protocol not available
client: ERROR: pfkey ADD failed: Protocol not available

Those last two error messages make me wonder which
protocol may be missing. The strange thing is that the freeswan
server thinks the handshake was successful and says
the IPsec SA has been established. In fact only
phase 1 of IKE is successful.

Log of freeswan gateway:
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: responding to Main Mode from unknown peer <clients router adress>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: Peer ID is ID_DER_ASN1_DN: <Zert_ASN_String>
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: crl update is overdue since Nov 30 20:33:18 UTC 2004
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: sent MR3, ISAKMP SA established
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: responding to Quick Mode
gateway: "subnet-to-subnet_53"[1] 217.228.16.243 #2: IPsec SA established {ESP=>0x02552400 <0x20a747fa}
gateway: "client-to-subnet_53"[1] 217.228.16.243 #1: received Delete SA payload: deleting ISAKMP State #1

I tried two different configurations of the ipsec-tools
with:

./configure --enable-natt --enable-adminport --with-kernel-headers=/usr/src/linux-2.6.8.1-10mdk/include --enable-gssapi --enable-hybrid --enable-frag --enable-dpd --enable-samode-unspec
make
make install

and

./configure
make
make install

and still got the same behaviour.

I also checked that all needed ciphers and protocols
are supported by my kernel. Well, at least I think that
I checked all of them:
3des, md5, sha1, ipsec, rsasig, hmac

I append the racoon and setkey config for further info:

setkey policies:
flush;
spdflush;
# outbound: tunnel from the client to the gateway
spdadd 192.168.0.101/32 53.0.0.0/8 any -P out ipsec
    esp/tunnel/192.168.0.101-<gateway's ip>/require;
# inbound: tunnel endpoints run from the gateway to the client
spdadd 53.0.0.0/8 192.168.0.101/32 any -P in ipsec
    esp/tunnel/<gateway's ip>-192.168.0.101/require;

racoon.conf:
path certificate "/etc/ssl/canorisCA";

remote <gateway's ip> {
    exchange_mode main;

    # client certificate and its unencrypted private key, relative to "path certificate"
    certificate_type x509 "zertificate-file" "decrypted_private_key_file";
    verify_cert on;
    verify_identifier on;
    my_identifier asn1dn;
    peers_identifier asn1dn <asn1 zert id>;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

As you can see I'm using X.509 certificates for
authentication. Just to rule out the certs as the
problem: they are the same ones I use for the VPN
connection on my Windows XP installation, and phase 1
of IKE is successful. I think something goes wrong with
the handshake of the ESP encryption. Maybe there are some
other points to deal with when interoperating freeswan
and KAME?

Help is very appreciated.

Thanks in advance.

Jan

P.S. Is there an elegant way to specify the gateway by
DNS name, because the IP changes at least once a day? Or
do I have to write a shell script that gets the current
IP, rewrites my config and restarts everything?
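One way to handle the dynamic gateway address asked about in the P.S., as an added example that is not part of the original report: a POSIX shell script that resolves the gateway's dyndns name and, only when the address has changed, re-renders the setkey policy and racoon.conf from templates and reloads both. The host name, the file paths, the @GATEWAY_IP@ template marker and the racoon pid file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original report: keep the gateway address in the
# client's setkey and racoon configs current when the gateway's dyndns name
# changes. Host name, paths and the @GATEWAY_IP@ marker are assumptions.
set -eu

GATEWAY_NAME="${GATEWAY_NAME:-vpngw.example.org}"    # assumed dyndns name of the gateway
STATE_FILE="${STATE_FILE:-/var/run/vpn-gateway.ip}"  # last address written to the configs
SETKEY_TPL="${SETKEY_TPL:-/etc/racoon/setkey.conf.in}"
RACOON_TPL="${RACOON_TPL:-/etc/racoon/racoon.conf.in}"
SETKEY_OUT="${SETKEY_OUT:-/etc/racoon/setkey.conf}"
RACOON_OUT="${RACOON_OUT:-/etc/racoon/racoon.conf}"

# First IPv4 address the resolver returns for a name; empty string if none.
resolve_ipv4() {
    getent hosts "$1" 2>/dev/null |
        awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1; exit }'
}

# Accept only a dotted quad, so a failed or odd lookup never reaches the configs.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Render a template to stdout, replacing every @GATEWAY_IP@ with the address.
# The templates are the posted setkey/racoon configs with <gateway's ip>
# written as @GATEWAY_IP@ (so "remote @GATEWAY_IP@ {" in racoon.conf).
render_template() {
    sed "s/@GATEWAY_IP@/$1/g" "$2"
}

# Resolve, compare with the last configured address, rewrite and reload on change.
main() {
    ip=$(resolve_ipv4 "$GATEWAY_NAME")
    valid_ipv4 "$ip" || { echo "cannot resolve $GATEWAY_NAME" >&2; exit 1; }
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$ip" = "$old" ] && exit 0                      # unchanged: leave the SAs alone
    render_template "$ip" "$SETKEY_TPL" > "$SETKEY_OUT"
    render_template "$ip" "$RACOON_TPL" > "$RACOON_OUT"
    setkey -f "$SETKEY_OUT"                           # template starts with flush; spdflush;
    kill -HUP "$(cat /var/run/racoon.pid)"            # racoon re-reads racoon.conf on SIGHUP
    printf '%s\n' "$ip" > "$STATE_FILE"
}

# Run the update only when executed as a script, not when sourced for testing.
case "${0##*/}" in vpn-gateway-update.sh) main ;; esac
```

Run it from cron every few minutes; because it compares against the last written address, the tunnels are only torn down when the gateway's address really changed.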

Discussion

  • Logged In: NO

    Hello! Anybody out there?

     
  • Timo Teras
    2009-01-16

    • status: open --> closed

  • Timo Teras
    2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.