[nycbug-talk] ipsec-tools racoon with Cisco VPN client...
Evgueni Tzvetanov
attroppa at yahoo.com
Thu Feb 1 13:16:55 EST 2007
Hi all,
I have compiled ipsec-tools-0.6.6. I have
the VPN working and it is pretty good, but I have a
problem connecting from a Cisco VPN client to it.
Please, any expert... I need a hint.
I have set routing between all networks as needed.
Here is my racoon setup script:
###### racoon configuration file
#
#
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/conf/psk.txt";
remote anonymous {
exchange_mode aggressive;
certificate_type x509 "myhost.crt"
"myhost.key";
xauth_login <some_id_in_psk.txt>
my_identifier asn1dn;
lifetime time 2147483 sec;
proposal_check obey;
generate_policy on;
nat_traversal on;
verify_cert off;
peers_certfile "cvpn.crt";
passive on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method
hybrid_rsa_server;
dh_group 2;
}
}
mode_cfg {
network4 192.168.34.0;
netmask4 255.255.255.0;
dns4 <dns_ip_here>;
# wins4 <wins_ip_here> (none);
}
sainfo anonymous {
pfs_group 2;
lifetime time 12 hour;
# encryption_algorithm 3des, rijndael;
encryption_algorithm 3des, blowfish 448,
rijndael;
authentication_algorithm hmac_sha1, hmac_md5;
#authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
############## End of file ############
Here is also some racoon log (multigroup
authentication set on the Cisco VPN client):
======== snip ====================================
Jan 30 13:14:49 somehost racoon: INFO:
<some_network_ip_here>[4500] used as isakmp port
(fd=10)
Jan 30 13:14:49 somehost racoon: INFO:
<same_network_ip_here>[4500] used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500]
used as isakmp port (fd=11)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500]
used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500]
used as isakmp port (fd=12)
Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500]
used for NAT-T
Jan 30 13:14:49 somehost racoon: INFO:
fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port
(fd=13)
Jan 30 13:14:49 somehost racoon: INFO:
fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port
(fd=14)
Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used
as isakmp port (fd=15)
Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used
as isakmp port (fd=16)
Jan 30 13:15:46 somehost racoon: INFO: respond new
phase 1 negotiation:
<my_ip_here>[500]<=><peer_ip_here>[500]
Jan 30 13:15:46 somehost racoon: INFO: begin
Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor
ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 30 13:15:46 somehost racoon: INFO: received Vendor
ID: DPD
Jan 30 13:15:46 somehost racoon: INFO: received broken
Microsoft ID: FRAGMENTATION
Jan 30 13:15:46 somehost racoon: INFO: received Vendor
ID: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: received Vendor
ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T
version: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: INFO: Adding remote
and local NAT-D payloads.
Jan 30 13:15:46 somehost racoon: INFO: Hashing
<peer_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: INFO: Hashing
<my_ip_here>[500] with algo #2
Jan 30 13:15:46 somehost racoon: ERROR: reject the
packet, received unexpecting payload type 0.
Jan 30 13:15:46 somehost racoon: ERROR: reject the
packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1
negotiation failed due to time up.
d323fbd4271cee91:019b13d5c189eefa
======== snip ====================================
The Cisco VPN client log:
======== snip ====================================
Peer supports DPD
<<< so far the two ends were talking OK, but... >>>
181 13:39:28.968 01/30/07 Sev=Warning/3
IKE/0xE300007B
Failed to verify signature
182 13:39:28.968 01/30/07 Sev=Warning/2
IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
183 13:39:28.968 01/30/07 Sev=Info/4
IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO)
to <my_ip_here>
184 13:39:28.968 01/30/07 Sev=Info/4
IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to
<my_ip_here>
185 13:39:28.968 01/30/07 Sev=Warning/2
IKE/0xE30000A5
Unexpected SW error occurred while processing
Aggressive Mode negotiator:(Navigator:2237)
186 13:39:28.968 01/30/07 Sev=Info/4
IKE/0x63000017
Marking IKE SA for deletion
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3)
reason = DEL_REASON_IKE_NEG_FAILED
187 13:39:29.875 01/30/07 Sev=Info/4
IKE/0x6300004B
Discarding IKE SA negotiation
(I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3)
reason = DEL_REASON_IKE_NEG_FAILED
188 13:39:29.875 01/30/07 Sev=Info/4
CM/0x63100014
Unable to establish Phase 1 SA with server "<some IP
here>" because of "DEL_REASON_IKE_NEG_FAILED"
189 13:39:29.875 01/30/07 Sev=Info/5
CM/0x63100025
Initializing CVPNDrv
190 13:39:29.875 01/30/07 Sev=Info/4
IKE/0x63000001
IKE received signal to terminate VPN connection
191 13:39:29.906 01/30/07 Sev=Info/4
IPSEC/0x63700014
Deleted all keys
192 13:39:29.906 01/30/07 Sev=Info/4
IPSEC/0x63700014
Deleted all keys
193 13:39:29.906 01/30/07 Sev=Info/4
IPSEC/0x63700014
Deleted all keys
194 13:39:29.906 01/30/07 Sev=Info/4
IPSEC/0x6370000A
IPSec driver successfully stopped
======== snip ====================================
The pks.txt file is with 600 permissions and is in the
right place. It contains the useername/password pairs
in non-encrypted clean text format.
When I use certificates it is even worse -- I only get
the following line in racoon's logs:
Jan 30 13:51:45 somehost racoon: ERROR: not acceptable
Identity Protection mode
Thanks in advance!
ET
____________________________________________________________________________________
Want to start your own business?
Learn how on Yahoo! Small Business.
http://smallbusiness.yahoo.com/r-index
More information about the talk
mailing list