From: Victor B. <Vic...@qu...> - 2007-11-12 08:24:21
Hi there,

I've got a Debian Linux box running racoon 0.6.6, which listens for both regular and NAT-T encapsulated connections. It's a road warrior setup with the following config:

/********************** racoon.conf (excerpt)
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/certs/vpn";

listen {
        isakmp 59.167.247.164 [500];
        isakmp_natt 59.167.247.164 [4500];
}

# 'road-warrior' config using key pairs
remote anonymous {
        exchange_mode main;
        my_identifier fqdn "vpn.quantium.com.au";
#       certificate_type x509 "quibble_vpn_cert.pem" "quibble_vpn_key.pem" ;
#       certificate_type x509 "quibble_vpn_07_cert.pem" "quibble_vpn_07_key.pem" ;
#       certificate_type x509 "quantium_vpn_07_2_cert.pem" "quantium_vpn_07_2_key.pem" ;
        certificate_type x509 "quantium_vpn_07_3_cert.pem" "quantium_vpn_07_3_key.pem" ;
        certificate_type x509 "garretti_07_cert.pem" "garretti_07_key.pem" ;
        ca_type x509 "cacert.pem";
        lifetime time 1 hour ;  # sec,min,hour
        passive on;
        generate_policy on;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig ;
                dh_group 2;
        }
        proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# quick mode description for all connections
sainfo anonymous {
        pfs_group 2;
        lifetime time 10 min ;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
/**********************

Whenever a client attempts to connect to the road warrior policy using ESP with no NAT Traversal, everything works fine. Whenever a client attempts to connect with NAT-T, racoon doesn't generate the policy on its end properly. As a result, the client thinks the tunnel is established but no traffic goes through.

The following errors are reported in the log when this happens (shown with a few lines of context; I can provide further back on request):

/******************************
19:03:01 racoon: DEBUG: KEYMAT computed.
19:03:01 racoon: DEBUG: call pk_sendupdate
19:03:01 racoon: DEBUG: encryption(3des)
19:03:01 racoon: DEBUG: hmac(hmac_sha1)
19:03:01 racoon: DEBUG: call pfkey_send_update_nat
19:03:01 racoon: DEBUG: pfkey update sent.
19:03:01 racoon: DEBUG: encryption(3des)
19:03:01 racoon: DEBUG: hmac(hmac_sha1)
19:03:01 racoon: DEBUG: call pfkey_send_add_nat
19:03:01 racoon: DEBUG: pfkey add sent.
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(inbound) sent.
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(outbound) sent.
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0] 192.168.1.1/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0] 192.168.1.1/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0] 192.168.2.10/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0] 192.168.2.10/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0] 192.168.1.1/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0] 192.168.2.10/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: get pfkey UPDATE message
19:03:01 racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 143.238.212.72[0]->59.167.247.164[0] spi=57177202(0x3687472)
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 143.238.212.72[0]->59.167.247.164[0] spi=57177202(0x3687472)
19:03:01 racoon: DEBUG: ===
19:03:01 racoon: DEBUG: get pfkey ADD message
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 59.167.247.164[0]->143.238.212.72[0] spi=207298076(0xc5b1e1c)
19:03:01 racoon: DEBUG: ===
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
19:03:21 racoon: DEBUG: ===
/******************************

The "extra" db entries are normal, as there are actually other static policies defined on the server besides the road warrior one, so it is checking the client's proposal first against those.

What seems to be the problem is the "pfkey X_SPDUPDATE failed: Invalid argument" message; whenever I see this, the policy on the server side has not been set up properly.

Given this is a road warrior config, it would be really nice to have NAT-T working. If anyone could provide even some suggestions as to what to investigate, I would be very grateful. More background info follows.
quibble:~# setkey -V
setkey @(#) ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

quibble:~# uname -a
Linux quibble 2.6.21.4vb20070609 #2 Sat Jun 9 19:23:37 EST 2007 i686 GNU/Linux

quibble:~# lsmod
Module                  Size  Used by
xt_mark                 2048  5
xt_MARK                 2432  2
xt_state                2688  9
ipt_MASQUERADE          3584  1
xt_multiport            3200  2
ipt_recent              8984  2
ipt_LOG                 6144  5
xt_limit                2816  5
iptable_mangle          2944  1
nf_nat_ftp              3584  0
nf_conntrack_ftp        9600  1 nf_nat_ftp
iptable_nat             7428  1
nf_nat                 16556  3 ipt_MASQUERADE,nf_nat_ftp,iptable_nat
xt_TCPMSS               4992  0
xt_tcpmss               2432  0
xt_tcpudp               3328  35
iptable_filter          3200  1
ip_tables              11592  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               14340  13 xt_mark,xt_MARK,xt_state,ipt_MASQUERADE,xt_multiport,ipt_recent,ipt_LOG,xt_limit,iptable_nat,xt_TCPMSS,xt_tcpmss,xt_tcpudp,ip_tables
pppoe                  12736  2
pppox                   3720  1 pppoe
ppp_generic            24980  6 pppoe,pppox
slhc                    6144  1 ppp_generic
ipv6                  223328  26
smbfs                  57592  2
twofish                 8576  0
twofish_common         36352  1 twofish
serpent                19072  0
blowfish                9472  0
ecb                     3584  0
aes                    28224  0
xcbc                    5512  0
sha256                 11264  0
crypto_null             2688  0
dm_snapshot            16416  0
dm_mirror              18964  0
dm_mod                 51276  2 dm_snapshot,dm_mirror
tsdev                   7744  0
i810_audio             31636  0
ac97_codec             16140  1 i810_audio
snd_intel8x0           31260  0
snd_ac97_codec         90656  1 snd_intel8x0
intel_agp              23196  1
ac97_bus                2432  1 snd_ac97_codec
snd_pcm                68744  2 snd_intel8x0,snd_ac97_codec
snd_timer              19844  1 snd_pcm
snd                    46692  4 snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
soundcore               7392  2 i810_audio,snd
parport_pc             32292  0
i2c_i801                8208  0
agpgart                31792  1 intel_agp
rtc                    11672  0
snd_page_alloc          9736  2 snd_intel8x0,snd_pcm
parport                32840  1 parport_pc
psmouse                34696  0
evdev                   9344  0
serio_raw               6660  0
floppy                 52932  0
i2c_core               20624  1 i2c_i801
pcspkr                  2944  0
ext3                  118280  5
jbd                    49832  1 ext3
mbcache                 7940  1 ext3
ide_cd                 36256  0
cdrom                  32928  1 ide_cd
ide_disk               15616  7
8139too                24576  0
8139cp                 21120  0
e100                   32392  0
mii                     5504  3 8139too,8139cp,e100
piix                    9476  0 [permanent]
ide_core              108812  3 ide_cd,ide_disk,piix
ehci_hcd               29452  0
uhci_hcd               21648  0
usbcore               120088  3 ehci_hcd,uhci_hcd

Cheers,
V
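As an added example (not part of Victor's post and not ipsec-tools code), the following Python triage script scans racoon 0.6.x debug output for the exact symptom the post describes: "IPsec-SA established" lines for both directions while the pfkey X_SPDUPDATE calls that should install the matching SPD entries fail. It also collects the "sub:" (selector racoon wants to install) and "db :" (policy already in the kernel SPD) comparison lines, so the report shows which inner address the generated policy would have carried and whether any installed policy mentions it. The sample log is a subset of the lines quoted above; the regular expressions, function names and the `findings` wording are my own assumptions about the 0.6.x message formats shown there, nothing more.

```python
import re
from collections import Counter

# Subset of the racoon debug log quoted in the post above, used as sample input.
SAMPLE_LOG = """\
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(inbound) sent.
19:03:01 racoon: DEBUG: call pfkey_send_spdupdate2
19:03:01 racoon: DEBUG: pfkey spdupdate2(outbound) sent.
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: db :0x80befb8: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=in
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.2.10/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: DEBUG: db :0x80bf290: 192.168.16.0/24[0] 192.168.1.1/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: sub:0xbf999de0: 192.168.16.0/24[0] 192.168.2.10/32[0] proto=any dir=out
19:03:01 racoon: DEBUG: db :0x80bf4d0: 192.168.1.1/32[0] 192.168.16.0/24[0] proto=any dir=fwd
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 143.238.212.72[0]->59.167.247.164[0] spi=57177202(0x3687472)
19:03:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 59.167.247.164[0]->143.238.212.72[0] spi=207298076(0xc5b1e1c)
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
19:03:01 racoon: DEBUG: get pfkey X_SPDUPDATE message
19:03:01 racoon: ERROR: pfkey X_SPDUPDATE failed: Invalid argument
"""

# Patterns assumed from the 0.6.x message formats visible in the post.
SA_RE = re.compile(
    r"IPsec-SA established: (?P<mode>\S+) (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)
SPD_ERR_RE = re.compile(r"ERROR: pfkey X_SPDUPDATE failed: (?P<reason>.+)$")
SPD_SENT_RE = re.compile(r"pfkey spdupdate2\((?P<dir>inbound|outbound)\) sent")
SEL_RE = re.compile(
    r"(?P<kind>sub|db) ?:0x[0-9a-f]+: (?P<a>[\d./]+)\[\d+\] (?P<b>[\d./]+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\w+)"
)


def parse_racoon_log(text):
    """Collect SA, SPD-update and selector-comparison events from racoon debug output."""
    report = {
        "sas": [],            # (src, dst, spi) for every IPsec-SA racoon reports as established
        "spd_sent": [],       # directions for which racoon attempted an SPD update
        "spd_failures": [],   # kernel error strings for SPD updates that failed
        "requested": set(),   # (a, b, dir) selectors racoon wanted to install ("sub:")
        "installed": set(),   # (a, b, dir) selectors already in the kernel SPD ("db :")
    }
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            report["sas"].append((m["src"], m["dst"], int(m["spi"])))
            continue
        m = SPD_ERR_RE.search(line)
        if m:
            report["spd_failures"].append(m["reason"].strip())
            continue
        m = SPD_SENT_RE.search(line)
        if m:
            report["spd_sent"].append(m["dir"])
            continue
        m = SEL_RE.search(line)
        if m:
            key = "requested" if m["kind"] == "sub" else "installed"
            report[key].add((m["a"], m["b"], m["dir"]))
    return report


def diagnose(report):
    """Turn the parsed report into human-readable findings; empty list means nothing suspicious."""
    findings = []
    n_sa, n_fail, n_sent = len(report["sas"]), len(report["spd_failures"]), len(report["spd_sent"])
    if n_sa and n_fail:
        # SAs exist (so the peer sees a live tunnel) but the policy that would steer
        # traffic into them never made it into the kernel SPD.
        findings.append(
            f"{n_sa} IPsec-SA(s) established but {n_fail} of {n_sent} SPD updates failed: "
            "peer sees a live tunnel, kernel has no policy selecting traffic into it"
        )
    for reason, count in Counter(report["spd_failures"]).items():
        findings.append(f"X_SPDUPDATE error '{reason}' x{count}")
    # Flag requested selectors whose addresses appear in no installed policy at all.
    installed_nets = {a for a, _, _ in report["installed"]} | {b for _, b, _ in report["installed"]}
    for a, b, d in sorted(report["requested"]):
        missing = [x for x in (a, b) if x not in installed_nets]
        if missing:
            findings.append(
                f"requested {d} selector {a} -> {b}: {', '.join(missing)} appears in no installed policy"
            )
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_racoon_log(SAMPLE_LOG)):
        print(line)
```

Run against the post's log this reports two SAs with both SPD updates rejected, and that every requested selector carries 192.168.2.10/32, an address none of the three installed policies mention. After the exchange, `setkey -DP` on the server is the direct way to confirm that no SPD entry for that inner address was installed. Separately, the posted config negotiates 3DES with MD5 or SHA-1 and DH group 2; that was ordinary in 2007, but a practitioner reusing it today should move to AES, SHA-2 and a larger DH group.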