From: tie <ip...@mo...> - 2009-12-21 13:27:13
I am having some weird problem running racoon as IPSec client, connecting to a Cisco device. The problem is that racoon drops the phase 1 negotiation as soon as it starts negotiating phase 2, which results in the following error:

racoon: ERROR: phase2 negotiation failed due to phase1 expired. 491e17df4135126b:ab709c5c7d4cc2dc:0000c643

Here is how things are set up (it's a Debian machine):

racoon_ip = 1.1.1.1
cisco_ip = 2.2.2.2

The idea is to have the racoon client with (internal) IP 192.168.50.53 talk to the VPN network 10.16.0.0/16 behind the Cisco device:

racoon (192.168.50.53, 1.1.1.1)---IPsec---Cisco(2.2.2.2)---10.16.0.0/16

Here is the /var/lib/racoon/racoon.conf (generated by racoon-tool):

#
# Global items
#
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

#
# Connection btc
#
remote 2.2.2.2 {
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        exchange_mode main;
}

sainfo address 192.168.50.53[any] any address 10.16.0.0/16[any] any {
        pfs_group modp1024;
        lifetime time 20 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

To trigger the tunnel, I have aliased 192.168.50.53 on the eth1 interface (where 1.1.1.1 is the main IP), and I have added a route for the 10.16.0.0/16 network:

/sbin/ip route add 10.16.0.0/16 via 192.168.50.53 dev eth1

With all this in place, I assume I should be able to ping some host on the VPN network. Ping, however, generates an error:

#ping 10.16.1.1
PING 10.16.1.1 (10.16.1.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C

And this error is probably coming from the fact that the tunnel cannot be established. Here is what gets recorded in /var/log/syslog when I run ping:

Dec 21 14:16:14 epsilon racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Dec 21 14:16:14 epsilon racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Dec 21 14:16:14 epsilon racoon: INFO: begin Identity Protection mode.
Dec 21 14:16:14 epsilon racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Dec 21 14:16:14 epsilon racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 21 14:16:14 epsilon racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 21 14:16:14 epsilon racoon: INFO: received Vendor ID: DPD
Dec 21 14:16:14 epsilon racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae
Dec 21 14:16:15 epsilon racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=237719317(0xe2b4f15)
Dec 21 14:16:15 epsilon racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Dec 21 14:16:15 epsilon racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae
Dec 21 14:16:25 epsilon racoon: ERROR: phase2 negotiation failed due to phase1 expired. 894b0beb1e0f7e6a:ffac8ebd40d3a0ae:0000d5a9
Dec 21 14:16:26 epsilon racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae

Googling for this error did not yield any solutions. Please throw at me any ideas or recommendations, I am kinda desperate at this point.

--tie
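The syslog excerpt above shows the ISAKMP (phase 1) SA being established and then expiring one second later, before phase 2 completes. The following added example (not part of tie's post, and not racoon's own code) correlates racoon log lines by ISAKMP SPI, computes how long each phase-1 SA lived, and flags SAs that died abnormally early and then caused a "phase2 negotiation failed due to phase1 expired" error; the sample log is a constructed copy of the lines above, and the year 2009 is assumed from the post header because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the relevant racoon lines from the post, one per line.
SAMPLE_LOG = """\
Dec 21 14:16:14 epsilon racoon: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Dec 21 14:16:14 epsilon racoon: INFO: ISAKMP-SA established 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae
Dec 21 14:16:15 epsilon racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[0]->1.1.1.1[0] spi=237719317(0xe2b4f15)
Dec 21 14:16:15 epsilon racoon: INFO: initiate new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
Dec 21 14:16:15 epsilon racoon: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae
Dec 21 14:16:25 epsilon racoon: ERROR: phase2 negotiation failed due to phase1 expired. 894b0beb1e0f7e6a:ffac8ebd40d3a0ae:0000d5a9
Dec 21 14:16:26 epsilon racoon: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:894b0beb1e0f7e6a:ffac8ebd40d3a0ae
"""

# Syslog prefix as written by racoon: "<Mon> <day> <HH:MM:SS> <host> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?P<level>\w+): (?P<msg>.*)$")
# ISAKMP SPI pair (initiator:responder cookies) as printed on ISAKMP-SA lines.
SPI_RE = re.compile(r"spi:(?P<spi>[0-9a-f]{16}:[0-9a-f]{16})")
# The phase-2 failure line repeats the same cookie pair followed by a message id.
FAIL_RE = re.compile(r"phase2 negotiation failed due to phase1 expired\. (?P<spi>[0-9a-f]{16}:[0-9a-f]{16}):")

def parse_ts(ts, year=2009):
    """Syslog timestamps have no year; the caller supplies it (assumed 2009 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyse(log_text, year=2009):
    """Return {spi: record} for every ISAKMP (phase 1) SA seen in the log, with
    its established/expired times, lifetime in seconds, and any phase-2 failure."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line
        ts, msg = parse_ts(m["ts"], year), m["msg"]
        spi_m = SPI_RE.search(msg)
        if msg.startswith("ISAKMP-SA established") and spi_m:
            sas.setdefault(spi_m["spi"], {})["established"] = ts
        elif msg.startswith("ISAKMP-SA expired") and spi_m:
            sas.setdefault(spi_m["spi"], {})["expired"] = ts
        elif (fail := FAIL_RE.search(msg)):
            sas.setdefault(fail["spi"], {})["phase2_failed"] = ts
    for rec in sas.values():
        if "established" in rec and "expired" in rec:
            rec["lifetime_s"] = (rec["expired"] - rec["established"]).total_seconds()
    return sas

def short_lived_sas(sas, threshold_s=60):
    """SPIs of phase-1 SAs that expired within threshold_s seconds of being
    established and then broke a phase-2 negotiation; a healthy IKE SA should
    outlive its phase-2 SAs by a wide margin, so these deserve a closer look."""
    return [spi for spi, rec in sas.items()
            if rec.get("lifetime_s", float("inf")) < threshold_s and "phase2_failed" in rec]

if __name__ == "__main__":
    for spi in short_lived_sas(analyse(SAMPLE_LOG)):
        print(f"phase-1 SA {spi} lived {analyse(SAMPLE_LOG)[spi]['lifetime_s']:.0f}s before phase 2 failed")
```

Feed it the output of `grep racoon: /var/log/syslog` to check every IKE SA racoon has negotiated rather than only the one excerpt.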