I thought I did, and I just restarted IPsec again now and tried to connect with 
the same negative results. Let me know how you make out after upgrading to 
Mountain Lion. BTW, has anyone tried Cisco's VPN client running on Windows?

tm

-----Original Message-----
From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
Sent: Wednesday, September 12, 2012 2:35 PM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] IPsec Mobile w/ iPad & OSX 10.8

Tom,

Did you Restart IPsec in AstLinux after making certificate changes ?

I'm upgrading (??) my wife's iMac from 10.7 to 10.8 and will give it a try 
myself.  Possibly Michael will be back from Spain before it is finished. :-)

I just tried my MacBook with 10.6 (my favorite) and Cisco IPsec worked 
perfectly.

Lonnie



On Sep 12, 2012, at 11:37 AM, Tom Mazzotta wrote:

> Lonnie,
>
> I removed the old certs, rebooted the Mac, and installed newly downloaded 
> copies of the certs. In addition, I recreated the VPN connection. Tried to 
> connect and no go. I then created a new client cert (w/ a different name), 
> and installed just that cert (i.e., did not reinstall the CA cert) and it 
> still would not connect. In all cases, the final entry in the log says: 
> "racoon: ERROR: phase1 negotiation failed due to time up."
>
> I'm happy to try something else if you have any other ideas...
>
> -tm
>
> -----Original Message-----
> From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
> Sent: Wednesday, September 12, 2012 11:59 AM
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] IPsec Mobile w/ iPad & OSX 10.8
>
> Hi Tom,
>
> Managing the certs/keys on OS X is not as simple as it should be.  Personally 
> I have used 10.6 and 10.7 but have not yet tried IPSec Cisco with 10.8, but I 
> expect it to work.
>
> I would suggest removing the IPsec/alix certs/keys from your Mac, Reboot the 
> Mac, and then again carefully follow the instructions to install the 
> IPsec/alix certs/keys again.  I seem to recall having issues with the Mac 
> installing over the same certs without rebooting.
>
> There should not be any timeout issues as your FYI suggested.
>
> Lonnie
>
>
> On Sep 12, 2012, at 9:57 AM, Tom Mazzotta wrote:
>
>> OK, I'm almost there. I regenerated the certs using a domain & FQDN that 
>> the DNS server on my LAN could resolve. I am able to connect with the iPad, 
>> but the Mac still errors out. FYI, I am attempting to connect to the WAN i/f 
>> of the Astlinux box, which is connected to the LAN in my lab for testing 
>> purposes. The iPad and Mac are also on the lab's LAN. The following is the 
>> log I see when the Mac tries to connect:
>>
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: respond new phase 1 negotiation: 192.168.1.216[500]<=>192.168.1.11[500]
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: begin Identity Protection mode.
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: RFC 3947
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: CISCO-UNITY
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received broken Microsoft ID: FRAGMENTATION
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: received Vendor ID: DPD
>> Sep 12 10:48:13 pbx2 daemon.info racoon: [192.168.1.11] INFO: Selected NAT-T version: RFC 3947
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: Adding xauth VID payload.
>> Sep 12 10:48:13 pbx2 daemon.info racoon: [192.168.1.216] INFO: Hashing 192.168.1.216[500] with algo #2
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: NAT-D payload #0 verified
>> Sep 12 10:48:13 pbx2 daemon.info racoon: [192.168.1.11] INFO: Hashing 192.168.1.11[500] with algo #2
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: NAT-D payload #1 verified
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: NAT not detected
>> Sep 12 10:48:13 pbx2 daemon.info racoon: [192.168.1.11] INFO: Hashing 192.168.1.11[500] with algo #2
>> Sep 12 10:48:13 pbx2 daemon.info racoon: [192.168.1.216] INFO: Hashing 192.168.1.216[500] with algo #2
>> Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
>> Sep 12 10:49:03 pbx2 daemon.info racoon: ERROR: phase1 negotiation failed due to time up. 66a9b11d84cf28b9:18ecfbdc84284792
>>
>> FYI, in my lab environment, I am running Astlinux on an Alix box. Is it 
>> possible that I need to adjust a timeout value on the Mac to give the Alix 
>> enough time to build the connection (although I did not have any problem w/ 
>> my iPad using the new certs)?
>>
>> -tm
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
>> Sent: Wednesday, September 12, 2012 9:34 AM
>> To: AstLinux Users Mailing List
>> Subject: Re: [Astlinux-users] IPsec Mobile w/ iPad & OSX 10.8
>>
>> Hi Tom,
>>
>> The IPsec VPN service must be used from the External interface (not the 
>> LAN), that is how the firewall is set up.  In fact if your box has a static 
>> external address, it only listens on that address.
>>
>> Consequently the "Server Cert DNS Name:" must be the external interface's 
>> DNS, though that box can be local for testing and that works fine.  I have a 
>> couple test AstLinux boxes that I have used that way.
>>
>> In production your public interface can be static or use DynDNS to define 
>> the "Server Cert DNS Name:".  BTW, this is an Apple security thing.
>>
>> Lonnie
>>
>>
>> On Sep 12, 2012, at 6:03 AM, Tom Mazzotta wrote:
>>
>>> Lonnie,
>>>
>>> I created the cert using Server Cert DNS Name = pbx2.lab.local. When I 
>>> review the cert, I can verify that's what's used for the CN. If I SSH to 
>>> the box, I can ping pbx2.lab.local (it returns the LAN interface IP). Is it 
>>> possible that I can't use the .local tld?
>>>
>>> tm
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
>>> Sent: Tuesday, September 11, 2012 11:52 PM
>>> To: AstLinux Users Mailing List
>>> Subject: Re: [Astlinux-users] IPsec Mobile w/ iPad & OSX 10.8
>>>
>>> Hi Tom,
>>>
>>> My guess is you don't have the proper "Server Cert DNS Name:" entry.  It is 
>>> packed as part of the certificate and must be a valid DNS name resolved by 
>>> the client (more info in the URL you referenced).
>>>
>>> The bad news is if you make a change to "Server Cert DNS Name:", you must 
>>> re-create all new certificates and keys.  Try with the iPad first, it is 
>>> the easiest to manage the certs/keys.
>>>
>>> Lonnie
>>>
>>> BTW, I personally use this all the time, even with Push Network defined as 
>>> you mentioned.
>>>
>>>
>>> On Sep 11, 2012, at 9:38 PM, Tom Mazzotta wrote:
>>>
>>>> I'm trying to configure IPsec on an Astlinux 1.0.4 to connect to an iPad 
>>>> and a Mac. I configured the systems by following the directions at 
>>>> doc.astlinux.org/userdoc:tt_ipsec_vpn_apple_ios. I believe the only 
>>>> difference is that I included a push network for the LAN side of the 
>>>> AstLinux box. Neither of the client devices is able to connect 
>>>> successfully. The error message I get from the iPad is "Could not validate 
>>>> the server certificate." The Mac says "the negotiation with the VPN server 
>>>> failed. Verify the server address and try reconnecting." Below is the log 
>>>> from when I try to connect with the iPad. Since this is all being done in 
>>>> a test environment, all the IPs are private, 192.168.1.216 is the WAN i/f 
>>>> of Astlinux, and .25 is the IP of the iPad. Originally, the WAN i/f was 
>>>> assigned via DHCP using a MAC reservation from my router. I retested using 
>>>> a static definition with Astlinux, and that didn't seem to help. Any 
>>>> suggestions as to what might be the problem?
>>>>
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: respond new phase 1 negotiation: 192.168.1.216[500]<=>192.168.1.25[500]
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: begin Identity Protection mode.
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: RFC 3947
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: CISCO-UNITY
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: received Vendor ID: DPD
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: [192.168.1.25] INFO: Selected NAT-T version: RFC 3947
>>>> Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: Adding xauth VID payload.
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: [192.168.1.216] INFO: Hashing 192.168.1.216[500] with algo #2
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: INFO: NAT-D payload #0 verified
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: [192.168.1.25] INFO: Hashing 192.168.1.25[500] with algo #2
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: INFO: NAT-D payload #1 verified
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: INFO: NAT not detected
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: [192.168.1.25] INFO: Hashing 192.168.1.25[500] with algo #2
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: [192.168.1.216] INFO: Hashing 192.168.1.216[500] with algo #2
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Nebraska/L=Omaha/O=AstLinux Management/OU=IPsec Mobile Server/CN=iPad/emailAddress=i...@astlinux.org
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Nebraska/L=Omaha/O=AstLinux Management/OU=IPsec Mobile Server/CN=pbx2.lab.local/emailAddress=i...@astlinux.org
>>>> Sep 11 22:15:52 pbx2 daemon.info racoon: INFO: Sending Xauth request
>>>> Sep 11 22:15:53 pbx2 daemon.info racoon: [192.168.1.25] INFO: received INITIAL-CONTACT
>>>> Sep 11 22:15:53 pbx2 daemon.info racoon: INFO: ISAKMP-SA established 192.168.1.216[500]-192.168.1.25[500] spi:2edf3d11d1435fc7:d0ed00ee21ce8efd
>>>> Sep 11 22:15:53 pbx2 daemon.info racoon: ERROR: ignore information because the message is too short - 76 byte(s).
>>>> Sep 11 22:15:58 pbx2 user.info kernel: AIF:PRIV UDP broadcast: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:c5:47:0a:43:c0:08:00 SRC=192.168.1.11 DST=192.168.1.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=58993 PROTO=UDP SPT=138 DPT=138 LEN=220
>>>> Sep 11 22:16:49 pbx2 daemon.info racoon: [192.168.1.25] INFO: DPD: remote (ISAKMP-SA spi=2edf3d11d1435fc7:d0ed00ee21ce8efd) seems to be dead.
>>>> Sep 11 22:16:49 pbx2 daemon.info racoon: INFO: purging ISAKMP-SA spi=2edf3d11d1435fc7:d0ed00ee21ce8efd.
>>>> Sep 11 22:16:49 pbx2 daemon.info racoon: INFO: purged ISAKMP-SA spi=2edf3d11d1435fc7:d0ed00ee21ce8efd.
>>>> Sep 11 22:16:49 pbx2 daemon.info racoon: INFO: ISAKMP-SA deleted 192.168.1.216[500]-192.168.1.25[500] spi:2edf3d11d1435fc7:d0ed00ee21ce8efd
>
>
> ----------------------------------------------------------------------
> --------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
> Discussions will include endpoint security, mobile security and the
> latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
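The two racoon captures in this thread differ in one place: the iPad reaches "ISAKMP-SA established" (and is later dropped by DPD), while the Mac goes quiet after the NAT-D exchange until racoon logs "phase1 negotiation failed due to time up". The following is an added triage script, not code from the thread or from AstLinux, that reads racoon syslog lines in the format quoted above and reports each client's phase 1 outcome, CRL warnings and DPD drops; the sample log is constructed from the quoted captures (the e-mail address is a placeholder), and the attribution of untagged lines to the most recent open negotiation is this script's own heuristic.

```python
import re

# Constructed sample in the racoon syslog format quoted in this thread: 192.168.1.25
# completes phase 1 and is later declared dead by DPD; 192.168.1.11 never answers
# after the NAT-D exchange. The e-mail address is a placeholder, not a real one.
SAMPLE_LOG = """\
Sep 11 22:15:51 pbx2 daemon.info racoon: INFO: respond new phase 1 negotiation: 192.168.1.216[500]<=>192.168.1.25[500]
Sep 11 22:15:52 pbx2 daemon.info racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/CN=iPad/emailAddress=placeholder@example.invalid
Sep 11 22:15:52 pbx2 daemon.info racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/CN=pbx2.lab.local/emailAddress=placeholder@example.invalid
Sep 11 22:15:53 pbx2 daemon.info racoon: INFO: ISAKMP-SA established 192.168.1.216[500]-192.168.1.25[500] spi:2edf3d11d1435fc7:d0ed00ee21ce8efd
Sep 11 22:16:49 pbx2 daemon.info racoon: [192.168.1.25] INFO: DPD: remote (ISAKMP-SA spi=2edf3d11d1435fc7:d0ed00ee21ce8efd) seems to be dead.
Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: respond new phase 1 negotiation: 192.168.1.216[500]<=>192.168.1.11[500]
Sep 12 10:48:13 pbx2 daemon.info racoon: INFO: Adding remote and local NAT-D payloads.
Sep 12 10:49:03 pbx2 daemon.info racoon: ERROR: phase1 negotiation failed due to time up. 66a9b11d84cf28b9:18ecfbdc84284792
"""

RE_NEW = re.compile(r"respond new phase 1 negotiation: [\d.]+\[\d+\]<=>([\d.]+)\[\d+\]")
RE_ESTABLISHED = re.compile(r"ISAKMP-SA established [\d.]+\[\d+\]-([\d.]+)\[\d+\]")
RE_TIME_UP = re.compile(r"phase1 negotiation failed due to time up")
RE_DPD_DEAD = re.compile(r"\[([\d.]+)\] INFO: DPD: remote .* seems to be dead")
RE_CRL = re.compile(r"unable to get certificate CRL\(\d+\) at depth:\d+")

HINTS = {  # what each outcome pointed at in this thread
    "timed_out": "no reply from the client before racoon gave up: check that the client "
                 "trusts the server cert and that its DNS name is one the client resolves",
    "established": "phase 1 completed; look at phase 2 and DPD if the tunnel still drops",
    "open": "negotiation still in progress at end of log",
}

def triage_phase1(log_text):
    """Return {client_ip: {"outcome", "crl_warnings", "dpd_dead", "hint"}}.

    racoon tags only some lines with the peer address, so untagged lines (CRL
    warnings, the 'time up' error) are attributed to the most recently opened
    negotiation that has not finished yet. That is this script's heuristic, not
    racoon's own bookkeeping, so confirm against the raw log before acting on it.
    """
    peers, current = {}, None
    for line in log_text.splitlines():
        if m := RE_NEW.search(line):
            current = m.group(1)
            peers[current] = {"outcome": "open", "crl_warnings": 0, "dpd_dead": False}
        elif m := RE_ESTABLISHED.search(line):
            peers.setdefault(m.group(1), {"crl_warnings": 0, "dpd_dead": False})["outcome"] = "established"
        elif RE_TIME_UP.search(line) and current and peers[current]["outcome"] == "open":
            peers[current]["outcome"] = "timed_out"
        elif (m := RE_DPD_DEAD.search(line)) and m.group(1) in peers:
            peers[m.group(1)]["dpd_dead"] = True
        elif RE_CRL.search(line) and current and peers[current]["outcome"] == "open":
            peers[current]["crl_warnings"] += 1
    for info in peers.values():
        info["hint"] = HINTS[info["outcome"]]
    return peers
```

Run it against `/var/log/messages` from the AstLinux box (or any racoon syslog capture) instead of `SAMPLE_LOG` to see at a glance which clients stall in phase 1 and which get through and are then dropped.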