Frank Wille
2016-03-02 16:13:00 UTC
Hi!
Based on my previous thread about getting an IPSec connection with a Lancom
router, I have now set up a remote NetBSD router as VPN server (epia). It
offers the "rsasig" authentication method, IKE mode config and the same
encryption algorithms, to simulate the Lancom.
Here is the racoon.conf of my VPN server: "epia". It has a WAN (dynamic
ADSL) and a LAN (192.168.0.0/24) interface.
---8<---
path certificate "/etc/racoon/certs";
log debug;

listen {
    adminsock disabled;
}

remote anonymous {
    exchange_mode main;
    certificate_type x509 "vpngw_crt.pem" "vpngw_key.pem";
    ca_type x509 "democa.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    verify_identifier on;
    generate_policy on;
    nat_traversal on;
    ike_frag on;
    dpd_delay 20;
    lifetime time 8 hour;
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check claim;
}

mode_cfg {
    # starting address of pool
    network4 192.168.0.90;
    # maximum number of clients
    pool_size 10;
    netmask4 255.255.255.0;
    auth_source system;
    dns4 192.168.0.254;
    banner "/etc/racoon/motd";
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---
My PowerBook is a NetBSD/macppc notebook in a 192.168.1.0/24 WLAN, using a
Soekris NetBSD router (LAN, WLAN, WAN dynamic ADSL) as default gateway and
name server.
-----------    -----------                      --------
|PowerBook|====| Soekris | ==> ( Internet ) <== | Epia |
-----------    -----------                      --------
192.168.1.5    192.168.1.1                      192.168.0.254
               91.56.255.78                     78.49.97.71
When all works well the PowerBook should get an internal VPN address between
192.168.0.90 and 192.168.0.99 inside the remote LAN.
The PowerBook's (192.168.1.5) racoon.conf is similar to the previous Lancom
test:
---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote "epia"
{
    remote_address 78.49.97.71;
    exchange_mode main,base;
    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;
    certificate_type x509 "client1crt.pem" "client1key.pem";
    ca_type x509 "epiaCA.pem";
    mode_cfg on;                    # ISAKMP mode config
    dpd_delay 20;                   # peer detection (alive check)
    nat_traversal on;               # force
    ike_frag on;
    #esp_frag 552;
    script "phase1-up.sh" phase1_up;
    script "phase1-down.sh" phase1_down;
    lifetime time 8 hour;
    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group 2;
    }
    proposal_check obey;
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---
Unfortunately I cannot use epia.mydomain.tld but have to insert the current
dynamic IP every time, which is really stupid. :|
When the racoon daemon is running on both sides and I start the IPSec
connection on the PowerBook with
# racoonctl vc 78.49.97.71
... then phase 1 and the certificates seem to be ok. But it just sits there
and does nothing. racoonctl never returns, and when I break it, it makes no
difference for the connection either.
The client does not request IKE mode config from the server, exactly like in
the previous thread with the Lancom.
I see no phase 2 negotiation. No idea what it is waiting for... :(
Soekris and Epia tcpdumps, as well as PowerBook and Epia racoon logs
attached (I tried to sync the clocks, but better than 0.2s was impossible).
What am I missing? Did "rsasig" and/or "mode_cfg" ever work for anybody?
--
Frank Wille
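One way to sanity-check the two racoon.conf files quoted in the post against each other, as an added example that is not part of the original message: the script below (hypothetical helpers parse, phase1_mismatches and mode_cfg_pool, run over constructed excerpts of the two configs) flattens the relevant statements of both files, reports any phase 1 proposal or exchange_mode setting the peers cannot agree on, checks that the client actually asks for mode config, and computes the address range the server's mode_cfg pool hands out.

```python
import ipaddress
import re
# Constructed excerpts of the two racoon.conf files from the post (only the
# statements this check reads); parse/phase1_mismatches are hypothetical helpers.
SERVER_CONF = """remote anonymous { exchange_mode main;
  proposal { encryption_algorithm aes; hash_algorithm md5;
             authentication_method rsasig; dh_group 2; }
  proposal_check claim; }
mode_cfg { network4 192.168.0.90; pool_size 10; netmask4 255.255.255.0; }"""
CLIENT_CONF = """remote "epia"
{ exchange_mode main,base; mode_cfg on;   # ISAKMP mode config
  proposal { encryption_algorithm aes; hash_algorithm md5;
             authentication_method rsasig; dh_group 2; }
  proposal_check obey; }"""
PHASE1_KEYS = ("encryption_algorithm", "hash_algorithm",
               "authentication_method", "dh_group")

def parse(conf):
    """Flatten a racoon.conf fragment into {'block/.../key': 'value'}."""
    conf = re.sub(r"#.*", "", conf)                      # strip comments
    out, stack = {}, []
    for tok in re.findall(r"[^{};]+\{|\}|[^{};]+;", conf):
        if tok.endswith("{"):
            stack.append(tok[:-1].split()[0])            # block keyword only
        elif tok == "}":
            stack.pop()
        else:
            key, *val = tok[:-1].split()
            out["/".join(stack + [key])] = " ".join(val)
    return out

def phase1_mismatches(server_conf, client_conf):
    """Return (setting, server_value, client_value) triples that cannot agree."""
    s, c = parse(server_conf), parse(client_conf)
    diffs = [(k, s.get("remote/proposal/" + k), c.get("remote/proposal/" + k))
             for k in PHASE1_KEYS
             if s.get("remote/proposal/" + k) != c.get("remote/proposal/" + k)]
    sm = set(s.get("remote/exchange_mode", "").split(","))  # client may list
    cm = set(c.get("remote/exchange_mode", "").split(","))  # several modes
    if not sm & cm:
        diffs.append(("exchange_mode", ",".join(sm), ",".join(cm)))
    if c.get("remote/mode_cfg") != "on":   # client must ask for mode config
        diffs.append(("mode_cfg", "pool offered", c.get("remote/mode_cfg")))
    return diffs

def mode_cfg_pool(server_conf):
    """First and last address racoon will hand out from the mode_cfg pool."""
    s = parse(server_conf)
    first = ipaddress.IPv4Address(s["mode_cfg/network4"])
    return str(first), str(first + int(s["mode_cfg/pool_size"]) - 1)
```

With the two configs as quoted, the phase 1 settings agree and the pool covers 192.168.0.90 to 192.168.0.99, so a mismatch there is not what the logs should be showing.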