Looks like I'm getting somewhere! I parsed the code and commented out these lines starting at src/racoon/isakmp.c:1772:

    /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
       must added just before the packet itself. For this we must
       allocate a new buffer and release it at the end. */
    if (extralen) {
        if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
            plog(LLV_ERROR, LOCATION, NULL,
                "vbuf allocation failed\n");
            return -1;
        }
        *(u_int32_t *)vbuf->v = 0;
        memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
        /* ensures that the modified buffer will be sent back to the caller, so
         * add_recvdpkt() will add the correct buffer
         */
        swap = *sbuf;
        *sbuf = *vbuf;
        *vbuf = swap;
        vfree(vbuf);
    }

Now:
http://i.imgur.com/OaKnbEe.png

Still not working, but will keep trying at it now that I have a place to start. Thanks.

--Victor


From: hero_of_nothing_1@hotmail.com
To: michaelkintzios@gmail.com
Date: Sat, 9 Nov 2013 14:58:26 -0800
CC: ipsec-tools-users@lists.sourceforge.net
Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon

Right, I'm still stuck at phase 1, if I can at least clear that, I should be good to go.

The Windows side is set to use 3des/sha1, Kerberos, and no PFS. I am using 3des/sha1 on the Linux side - this is my racoon.conf:

gss_id_enc utf-16le;

remote anonymous
{
        exchange_mode aggressive,main;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method gssapi_krb5;
                #Temporary, host/fqdn doesn't work but this does
                gss_id "RANDOM09320$@EXAMPLE.COM";
                dh_group 2;
        }
}

sainfo anonymous
{
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
}
----------------------------------------------------
Kerberos tickets seem fine, here is the KRB5_TRACE:
[6996] 1384035736.362818: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.363296: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.363898: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.363973: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.364196: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.364270: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.364491: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.364571: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.364808: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.364877: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.365098: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.365167: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.365387: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.365463: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.365689: Retrieving RANDOM09320$@EXAMPLE.COM from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[6996] 1384035736.365764: Retrieving RANDOM09320$@EXAMPLE.COM -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found
[6996] 1384035736.366261: Getting credentials RANDOM09320$@EXAMPLE.COM -> host/victor-05.example.com@EXAMPLE.COM using ccache FILE:/tmp/krb5cc_0
[6996] 1384035736.366315: Retrieving RANDOM09320$@EXAMPLE.COM -> host/victor-05.example.com@EXAMPLE.COM from FILE:/tmp/krb5cc_0 with result: 0/Success
[6996] 1384035736.366404: Creating authenticator for RANDOM09320$@EXAMPLE.COM -> host/victor-05.example.com@EXAMPLE.COM, seqnum 257164985, subkey aes256-cts/1E60, session key aes256-cts/2F8F
-------------------------------------------------------
Similarly, klist shows:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: RANDOM09320$@EXAMPLE.COM

Valid starting     Expires            Service principal
11/09/13 13:53:19  11/09/13 23:53:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/16/13 13:53:19
11/09/13 14:03:43  11/09/13 23:53:18  host/victor-05.example.com@EXAMPLE.COM
        renew until 11/16/13 13:53:19
--------------------------------------------------------
L2TP shouldn't apply here because I'm not trying to tunnel any traffic, just set up transport mode. I'll ask around the StrongSwan mailing lists to see if they can help as well.



Interestingly, when I run a packet capture, I can see that the packets sent from the Linux initiator seem to be malformed. The racoon.log shows it sending a cookie of c713bb0305ceeb29:

2013-11-09 14:22:16: DEBUG: isakmp.c:1860:isakmp_ph1resend(): resend phase1 packet c713bb0305ceeb29:0000000000000000
2013-11-09 14:22:17: DEBUG2: handler.c:187:getph1(): getph1: start
2013-11-09 14:22:17: DEBUG2: handler.c:188:getph1(): local: 10.162.30.254[0]
2013-11-09 14:22:17: DEBUG2: handler.c:189:getph1(): remote: 10.162.31.162[0]
2013-11-09 14:22:17: DEBUG2: handler.c:195:getph1(): p->local: 10.162.30.254[500]
2013-11-09 14:22:17: DEBUG2: handler.c:196:getph1(): p->remote: 10.162.31.162[500]
2013-11-09 14:22:17: DEBUG2: handler.c:229:getph1(): matched
2013-11-09 14:22:17: DEBUG2: isakmp.c:2401:isakmp_chkph1there(): CHKPH1THERE: no established ph1 handler found
2013-11-09 14:22:18: DEBUG2: handler.c:187:getph1(): getph1: start
2013-11-09 14:22:18: DEBUG2: handler.c:188:getph1(): local: 10.162.30.254[0]
2013-11-09 14:22:18: DEBUG2: handler.c:189:getph1(): remote: 10.162.31.162[0]
2013-11-09 14:22:18: DEBUG2: handler.c:195:getph1(): p->local: 10.162.30.254[500]
2013-11-09 14:22:18: DEBUG2: handler.c:196:getph1(): p->remote: 10.162.31.162[500]
2013-11-09 14:22:18: DEBUG2: handler.c:229:getph1(): matched
2013-11-09 14:22:18: DEBUG2: isakmp.c:2401:isakmp_chkph1there(): CHKPH1THERE: no established ph1 handler found
2013-11-09 14:22:19: DEBUG2: handler.c:187:getph1(): getph1: start
2013-11-09 14:22:19: DEBUG2: handler.c:188:getph1(): local: 10.162.30.254[0]
2013-11-09 14:22:19: DEBUG2: handler.c:189:getph1(): remote: 10.162.31.162[0]
2013-11-09 14:22:19: DEBUG2: handler.c:195:getph1(): p->local: 10.162.30.254[500]
2013-11-09 14:22:19: DEBUG2: handler.c:196:getph1(): p->remote: 10.162.31.162[500]
2013-11-09 14:22:19: DEBUG2: handler.c:229:getph1(): matched
2013-11-09 14:22:19: DEBUG2: isakmp.c:2401:isakmp_chkph1there(): CHKPH1THERE: no established ph1 handler found
2013-11-09 14:22:20: DEBUG2: handler.c:187:getph1(): getph1: start
2013-11-09 14:22:20: DEBUG2: handler.c:188:getph1(): local: 10.162.30.254[0]

but on the Windows side, it looks like the cookie is offset by a few bytes, with half of it spilling over to the responder cookie:
http://i.imgur.com/UXEv9Zy.png

The two machines are on a LAN and communicating via the same switch, so I doubt there's any corruption.

Thoughts?

--Victor

> From: michaelkintzios@gmail.com
> To: hero_of_nothing_1@hotmail.com
> Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> Date: Thu, 7 Nov 2013 21:54:23 +0000
> CC: ipsec-tools-users@lists.sourceforge.net
>
> OK, this good news! :-)
>
> As far as I know, racoon has the ability to use kerberos, but ONLY for Phase
> 1. According to this article you will need DES, or 3DES.
>
> http://technet.microsoft.com/library/bb878063
>
> You should also need PFS enabled on the Linux side. Unless the ipsec-tools
> code has evolved, I think that for Phase 2 you will need to use a different
> scheme (non-Kerberos). Also, bare in mind that your MSWindows set up may use
> L2TP with IKEv1 in which case you will also need to run something like xl2tpd
> on the Linux side.
>
>
> BTW, as far as I know StrongSwan is built against libkrb5-dev, so I assume
> that it would/should work with Kerberos, but I have no experience of it to
> advise further.
>
>
>
> On Thursday 07 Nov 2013 20:07:01 Victor T wrote:
> > Thanks Mike, but even with your suggestions it doesn't get past phase 1,
> > using main or aggressive mode. I think I will have to shelve this effort
> > for now.
> >
> > Thanks for your input though,
> > --Victor
> >
> > > From: michaelkintzios@gmail.com
> > > To: hero_of_nothing_1@hotmail.com
> > > Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> > > Date: Wed, 6 Nov 2013 23:31:36 +0000
> > > CC: ipsec-tools-users@lists.sourceforge.net
> > >
> > > I beg your pardon Victor, my understanding was incorrect. I had some
> > > time to look it up: MSWindows versions post Vista support *both* IKEv1
> > > and IKEv2.
> > >
> > > You may need to set up encoding to utf-16:
> > > gss_id_enc utf-16le;
> > >
> > > but I have no Kerberos (or much MSWindows) experience to help with either
> > > at this stage.
> > >
> > > On Wednesday 06 Nov 2013 21:57:24 Victor T wrote:
> > > > Thanks Mike, I wasn't even aware of IKEv2 only. I'm trying to do
> > > > transport only using GSSAPI/Kerberos for authentication, which the
> > > > *swans and racoon2 don't seem to support. Can you correct me if I'm
> > > > wrong? If that's the case, it doesn't seem like there's any solution
> > > > for my scenario.
> > > >
> > > > Thanks,
> > > >
> > > > --Victor
> > > >
> > > > > From: michaelkintzios@gmail.com
> > > > > To: ipsec-tools-users@lists.sourceforge.net
> > > > > Subject: Re: [Ipsec-tools-users] AD Kerberos + Racoon
> > > > > Date: Wed, 6 Nov 2013 06:46:22 +0000
> > > > > CC: hero_of_nothing_1@hotmail.com
> > > > >
> > > > > On Tuesday 05 Nov 2013 20:50:49 Victor T wrote:
> > > > > > Has anyone gotten racoon to work with Kerberos/GSSAPI, where the
> > > > > > KDC is a Windows server? I have a Linux(RHEL6.4) server trying to
> > > > > > establish a connection to a Windows machine where the IPSec
> > > > > > policies are pushed out via GPO, and it doesn't work at all as is.
> > > > > > I did some
> > > > > > modifications to gssapi.c and that got me a bit further, but still
> > > > > > no dice.
> > > > >
> > > > > I'm not the right person to speak of MSWindows, or Kerberos, but I
> > > > > understand that at least the post Vista versions only do IKEv2.
> > > > > Also, although you can
> > > > >
> > > > > use:
> > > > > authentication_method gssapi_krb;
> > > > >
> > > > > gss_id "host/fqdn";
> > > > >
> > > > > all this will only deal with the IKE negotiation (Phase 1), not IPSec
> > > > > (Phase 2). Check this if you haven't seen it already as it mentions
> > > > > some other gotchas that could trip you:
> > > > >
> > > > > http://blogs.technet.com/b/port25/archive/2007/05/09/windows-vista-be
> > > > > ta-l inux-ipsec-interop-testing.aspx
> > > > >
> > > > > I suspect that StrongSwan, or OpenSwan may be a better option for
> > > > > you.
> > > > >
> > > > > PS. There is also racoon2 which covers IKEv2:
> > > > > http://www.racoon2.wide.ad.jp/w/
>
> --
> Regards,
> Mick

------------------------------------------------------------------------------ November Webinars for C, C++, Fortran Developers Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________ Ipsec-tools-users mailing list Ipsec-tools-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ipsec-tools-users