pfkey UPDATE and ADD failed with IPsec
Frank Wille
2016-03-04 18:24:55 UTC
Hi,

after I found out that an "rsasig" Roadwarrior client with IKE mode config
does not work with Racoon, I wanted to try something proven, which many
people successfully configured: "hybrid_rsa_client" (configuration
attached).

I initiate the connection and enter my password:
# racoonctl vc -u frank 77.182.71.224

Phase 1 is established, racoonctl returned, the MOTD is displayed and even
mode config worked fine, assigning me an IP address and a gateway. The
phase1-up script entered the correct SPD policies (192.168.0.90 is the
first address from my "mode-configured" VPN pool):

# setkey -DP
0.0.0.0/0[any] 192.168.0.90[any] reserved
in ipsec
esp/tunnel/77.182.71.224-192.168.1.5/require
spid=8 seq=1 pid=2094
refcnt=1
192.168.0.90[any] 0.0.0.0/0[any] reserved
out ipsec
esp/tunnel/192.168.1.5-77.182.71.224/require
spid=7 seq=0 pid=2094
refcnt=1


There are no SAD entries yet, and phase 2 was not attempted. But I guess
this is normal. Phase 2 is established when accessing an address from my
VPN network, e.g. by typing "ping 192.168.0.100".

But it looks like Racoon cannot update the SA database? The following
happens:

/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_update: no SA index found.
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_setsaval: unable to initialize SA type 3.
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: ERROR: pfkey ADD failed: Invalid argument
racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.


Any idea why there is no SA index found? What is wrong with type 3?
This is a macppc running a 7.0 kernel.

Just one of the required two(?) SAD entries appears.
# setkey -D
77.182.71.224 192.168.1.5
esp mode=tunnel spi=29020503(0x01bad157) reqid=0(0x00000000)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=0 pid=2777 refcnt=1


The VPN gateway (NetBSD/i386 6.1.5) doesn't seem to have any problem with
the keys:

/netbsd: key_update: type 2, sport = 50185, dport = 37905
/netbsd: key_update: type 2, sport = 37905, dport = 50185
racoon: INFO: IPsec-SA established: ESP/Tunnel
77.182.71.224[500]->91.56.227.155[500] spi=88411440(0x5450d30)
racoon: INFO: IPsec-SA established: ESP/Tunnel
77.182.71.224[500]->91.56.227.155[500] spi=29020503(0x1bad157)


Racoon client configuration, client/gateway logs and tcpdumps attached.
--
Frank Wille
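As an added diagnostic, not part of the thread: a small Python check that parses `setkey -D` output and flags the two things the dump above shows, an SA stuck in state=larval and a tunnel endpoint pair with no SA in the reverse direction. The sample dump is constructed from the single SA in the post plus a hypothetical mature pair (10.0.0.1/10.0.0.2) for contrast.

```python
import re
# Constructed sample, not a real dump: the client's one larval SA from the
# `setkey -D` above plus a hypothetical healthy pair (10.0.0.1/10.0.0.2).
SAMPLE_SAD = """\
77.182.71.224 192.168.1.5
    esp mode=tunnel spi=29020503(0x01bad157) reqid=0(0x00000000)
    seq=0x00000000 replay=0 flags=0x00000000 state=larval
    sadb_seq=0 pid=2777 refcnt=1
10.0.0.1 10.0.0.2
    esp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=0 pid=1 refcnt=1
10.0.0.2 10.0.0.1
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    sadb_seq=0 pid=1 refcnt=1
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_sad(text):
    """Parse `setkey -D` output into SA dicts. A header is two bare tokens
    "src dst"; later lines carry key=value fields, the first led by the protocol."""
    sas, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) == 2 and "=" not in line:   # new SA: "src dst"
            cur = {"src": tokens[0], "dst": tokens[1]}
            sas.append(cur)
        elif cur is not None:
            if "proto" not in cur and "=" not in tokens[0]:
                cur["proto"] = tokens[0]           # esp / ah / ipcomp
            cur.update(KV.findall(line))
    for sa in sas:  # spi is printed as "decimal(0xhex)"; keep the integer
        if "spi" in sa:
            sa["spi"] = int(sa["spi"].split("(")[0])
    return sas

def larval_sas(sas):
    """SAs that never left larval: the SPI was reserved (pfkey GETSPI) but the
    UPDATE that supplies the keys failed, as the racoon error in the post shows."""
    return [sa for sa in sas if sa.get("state") == "larval"]

def missing_reverse(sas):
    """(src, dst) pairs without an SA in the opposite direction; a usable
    tunnel needs one SA per direction."""
    pairs = {(sa["src"], sa["dst"]) for sa in sas}
    return sorted(p for p in pairs if (p[1], p[0]) not in pairs)
```

Feed it the real `setkey -D` output instead of SAMPLE_SAD to spot the same symptom on another host.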
Christos Zoulas
2016-03-05 23:16:49 UTC
> Hi,
> after I found out that an "rsasig" Roadwarrior client with IKE mode config
> does not work with Racoon, I wanted to try something proven, which many
> people successfully configured: "hybrid_rsa_client" (configuration
> attached).
> # racoonctl vc -u frank 77.182.71.224
> Phase 1 is established, racoonctl returned, the MOTD is displayed and even
> mode config worked fine, assigning me an IP address and a gateway. The
> phase1-up script entered the correct SPD policies (192.168.0.90 is the
> # setkey -DP
> 0.0.0.0/0[any] 192.168.0.90[any] reserved
> in ipsec
> esp/tunnel/77.182.71.224-192.168.1.5/require
> spid=8 seq=1 pid=2094
> refcnt=1
> 192.168.0.90[any] 0.0.0.0/0[any] reserved
> out ipsec
> esp/tunnel/192.168.1.5-77.182.71.224/require
> spid=7 seq=0 pid=2094
> refcnt=1
> There are no SAD entries yet, and phase 2 was not attempted. But I guess
> this is normal. Phase 2 is established when accessing an address from my
> VPN network, e.g. by typing "ping 192.168.0.100".
> But it looks like Racoon cannot update the SA database? The following
> /netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
> /netbsd: key_update: no SA index found.
This is the bug I just fixed. You will not see the 'no SA index' message
anymore.

christos


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de