[nycbug-talk] ipsec-tools racoon with Cisco VPN client...

Evgueni Tzvetanov attroppa at yahoo.com
Thu Feb 1 16:02:00 EST 2007


--- Dru <dlavigne6 at sympatico.ca> wrote:

> 
> Sounds like they aren't agreeing on policy. What's
> the config at the Cisco 
> end?
> 
> Dru
> 
> 
> On Thu, 1 Feb 2007, Evgueni Tzvetanov wrote:
> 
> > Hi all,
> >
> > I have compiled ipsec-tools-0.6.6. I have
> > the VPN working and it is pretty good, but I have a
> > problem connecting from a Cisco VPN client to it.
> >
> > Please, any expert... I need a hint.
> > I have set routing between all networks as needed.
> >
> > Here is my racoon setup script:
> >
> > ###### racoon configuration file
> > #
> > #
> >
> > path certificate "/etc/racoon/certs";
> > path pre_shared_key "/etc/racoon/conf/psk.txt";
> >
> > remote anonymous {
> >        exchange_mode aggressive;
> >        certificate_type x509 "myhost.crt" "myhost.key";
> >        xauth_login <some_id_in_psk.txt>;
> >        my_identifier asn1dn;
> >        lifetime time 2147483 sec;
> >        proposal_check obey;
> >        generate_policy on;
> >        nat_traversal on;
> >        verify_cert off;
> >        peers_certfile "cvpn.crt";
> >        passive on;
> >        proposal {
> >                encryption_algorithm 3des;
> >                hash_algorithm sha1;
> >                authentication_method hybrid_rsa_server;
> >                dh_group 2;
> >        }
> > }
> >
> > mode_cfg {
> >        network4 192.168.34.0;
> >        netmask4 255.255.255.0;
> >        dns4 <dns_ip_here>;
> > #        wins4 <wins_ip_here> (none);
> > }
> >
> > sainfo anonymous {
> >        pfs_group 2;
> >        lifetime time 12 hour;
> > #        encryption_algorithm 3des, rijndael;
> >        encryption_algorithm 3des, blowfish 448, rijndael;
> >        authentication_algorithm hmac_sha1, hmac_md5;
> >        #authentication_algorithm hmac_md5;
> >        compression_algorithm deflate;
> > }
> >
> > ############## End of file ############
> >
> > Here is also some racoon log (multigroup
> > authentication set on the Cisco VPN client):
> >
> > ======== snip ====================================
> > Jan 30 13:14:49 somehost racoon: INFO: <some_network_ip_here>[4500] used as isakmp port (fd=10)
> > Jan 30 13:14:49 somehost racoon: INFO: <same_network_ip_here>[4500] used for NAT-T
> > Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
> > Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[500] used for NAT-T
> > Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
> > Jan 30 13:14:49 somehost racoon: INFO: 127.0.0.1[4500] used for NAT-T
> > Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[500] used as isakmp port (fd=13)
> > Jan 30 13:14:49 somehost racoon: INFO: fe80::203:2dff:fe09:4f4%eth2[4500] used as isakmp port (fd=14)
> > Jan 30 13:14:49 somehost racoon: INFO: ::1[500] used as isakmp port (fd=15)
> > Jan 30 13:14:49 somehost racoon: INFO: ::1[4500] used as isakmp port (fd=16)
> > Jan 30 13:15:46 somehost racoon: INFO: respond new phase 1 negotiation: <my_ip_here>[500]<=><peer_ip_here>[500]
> > Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
> > Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
> > Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: DPD
> > Jan 30 13:15:46 somehost racoon: INFO: received broken Microsoft ID: FRAGMENTATION
> > Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> > Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
> > Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
> > Jan 30 13:15:46 somehost racoon: INFO: Adding remote and local NAT-D payloads.
> > Jan 30 13:15:46 somehost racoon: INFO: Hashing <peer_ip_here>[500] with algo #2
> > Jan 30 13:15:46 somehost racoon: INFO: Hashing <my_ip_here>[500] with algo #2
> > Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
> > Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
> > Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
> > ======== snip ====================================
> >
> > The Cisco VPN client log:
> >
> > ======== snip ====================================
> > Peer supports DPD
> >
> > <<< so far the two ends were talking OK, but... >>>
> >
> > 181    13:39:28.968  01/30/07  Sev=Warning/3 IKE/0xE300007B
> > Failed to verify signature
> >
> > 182    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE3000099
> > Failed to authenticate peer (Navigator:904)
> >
> > 183    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to <my_ip_here>
> >
> > 184    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013
> > SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to <my_ip_here>
> >
> > 185    13:39:28.968  01/30/07  Sev=Warning/2 IKE/0xE30000A5
> > Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
> >
> > 186    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000017
> > Marking IKE SA for deletion (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 187    13:39:29.875  01/30/07  Sev=Info/4 IKE/0x6300004B
> > Discarding IKE SA negotiation (I_Cookie=D641B870710DE91E R_Cookie=230E0103188A17C3) reason = DEL_REASON_IKE_NEG_FAILED
> >
> > 188    13:39:29.875  01/30/07  Sev=Info/4 CM/0x63100014
> > Unable to establish Phase 1 SA with server "<some IP here>" because of "DEL_REASON_IKE_NEG_FAILED"
> >
> > 189    13:39:29.875  01/30/07  Sev=Info/5 CM/0x63100025
> 
=== message truncated ===



The Cisco VPN Client (v.4.8.x is what I have)
configuration is as follows:


Mutual group authentication
Enabled Transport Tunneling with IPSec over UDP
(NAT/PAT)

I use a very easy example with user/password as
vpnuser/vpnpass.

I have my own CA and signed certificates with it.
Cisco accepts it and they are recognizing each other's
cert. But in this case certs are not used anyway.

There are not many options to set on the Cisco client.
Very limited...

Thanks!
ET
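An added example, not from this thread or from either project: a small Python triage script that parses the two log formats quoted above (racoon's syslog lines and the Cisco VPN Client's numbered entries) and pulls out the fields you would compare when the two ends disagree: exchange mode, vendor IDs, selected NAT-T version, racoon errors, and the client's NOTIFY messages and warnings. The sample lines are constructed from the excerpts; the addresses are placeholders.

```python
import re

# Constructed samples modelled on the thread's two excerpts (placeholder addresses; the cookie pair is the one quoted above).
RACOON_LOG = """\
Jan 30 13:15:46 somehost racoon: INFO: begin Aggressive mode.
Jan 30 13:15:46 somehost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 30 13:15:46 somehost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jan 30 13:15:46 somehost racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 30 13:16:46 somehost racoon: ERROR: phase1 negotiation failed due to time up. d323fbd4271cee91:019b13d5c189eefa
"""
CISCO_LOG = """\
181    13:39:28.968  01/30/07  Sev=Warning/3 IKE/0xE300007B
Failed to verify signature
183    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 192.0.2.10
184    13:39:28.968  01/30/07  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 192.0.2.10
"""
# racoon syslog line: "Mon DD HH:MM:SS host racoon: LEVEL: message"
RACOON_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ racoon: (\w+): (.*)$")
# client header "NNN  HH:MM:SS.mmm  MM/DD/YY  Sev=Level/N SUBSYS/0xCODE"; the message text is on the next line
CISCO_HDR = re.compile(r"^\d+\s+[\d:.]+\s+[\d/]+\s+Sev=(\w+)/\d\s+\w+/(0x[0-9A-Fa-f]+)$")

def parse_racoon(text):
    """Return (level, message) pairs for every line that matches the racoon syslog shape."""
    return [m.groups() for m in map(RACOON_RE.match, text.splitlines()) if m]

def parse_cisco(text):
    """Pair each client header with its message line: (severity, code, message)."""
    entries, hdr = [], None
    for line in text.splitlines():
        m = CISCO_HDR.match(line)
        if m:
            hdr = (m.group(1), m.group(2))
        elif hdr and line.strip():
            entries.append(hdr + (line.strip(),))
            hdr = None
    return entries

def triage(racoon_text, cisco_text):
    """Summarise one phase 1 attempt as seen from both ends."""
    msgs = [m for _, m in parse_racoon(racoon_text)]
    after = lambda prefix: [m[len(prefix):] for m in msgs if m.startswith(prefix)]
    return {
        "exchange_mode": next((m.split()[1].lower() for m in msgs if m.startswith("begin ")), None),
        "vendor_ids": after("received Vendor ID: "),
        "nat_t": next(iter(after("Selected NAT-T version: ")), None),
        "racoon_errors": [m for lvl, m in parse_racoon(racoon_text) if lvl == "ERROR"],
        "client_notifies": re.findall(r"NOTIFY:(\w+)", cisco_text),
        "client_warnings": [m for sev, _, m in parse_cisco(cisco_text) if sev == "Warning"],
    }
```

Feed it the full racoon syslog and the client's exported log to see the server-side "unexpecting payload type 0" rejects lined up against the client's "Failed to verify signature" and the INVALID_HASH_INFO / AUTH_FAILED notifies.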


