I have been experimenting with racoon2 since I learned of the new
patches to make it compile successfully on current.
It is possible to make an IKEv1 L2TP/IPSec connection through a NAT
device from a Windows 10 client to a NetBSD current VPN server starting
with the recent patches by Christos to the current branch of
pkgsrc/security/racoon2 package and adding one more small patch (apply
after extracting and applying existing patches for the package but
before building and installing):
--- pskgen/pskgen.in.orig 2005-09-16 06:52:20.000000000 +0000
+++ pskgen/pskgen.in
@@ -59,8 +59,8 @@ EOD
exit 0;
}
-require 'getopts.pl';
-do Getopts('rs:o:di:he:d');
+require Getopt::Std;
+Getopt::Std::getopts('rs:o:di:he:d');
$output = '-';
$output = $opt_o if ($opt_o);
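Review bot: the option spec in `Getopt::Std::getopts('rs:o:di:he:d')` lists `d` twice (once inside `di:` and again at the end); it is harmless, but since the line is being rewritten anyway the duplicate should go, and the return value of `getopts` (false on an unknown switch) is worth checking so a mistyped argument fails instead of silently producing a key file. The switch from `do Getopts(...)` otherwise keeps the getopts.pl behaviour of setting `$opt_o` and friends as package globals, so the `$output = $opt_o if ($opt_o);` line below still works.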
Racoon2 is still rudimentary, but it is now functional (see attached log
snippets showing a successful connection below). Next is to try and get
it working as a server for IKEv2 connections. This would be a BSD
licensed solution for IKEv2 that racoon does not have.
It is not necessary to include the little patch shown in Christos' June
13 message to iked/isakmp.c:751 to get it functional. But to fully
install the package and to be able to generate a pre-shared key file
that is compatible with racoon2, it was necessary to update the pskgen
perl script to a supported version of perl5's getopts function, as shown
in the aforementioned patch.
It was also necessary to tweak the configuration files quite a lot, and
I plan on patching the sample configuration files so they are closer to
what actually works in today's world and making them available in the
near future.
Some of the gotchas that need to be solved to get an IKEv1 connection
working using racoon2:
1) If you are using a pre-shared key for the phase 1 authentication, you
need to generate it with the pskgen perl script that is installed with
the package and usable after applying the aforementioned patch. Without
doing this and trying to create the psk file with an editor such as vi,
there will be a newline character appended that invalidates the key. You
can use pskgen to strip away the newline character so the key will
exactly match the peer's key.
2) The sample configurations don't have anything close enough to what
will work for a transport mode IKEv1 connection to a modern client, even
if NAT traversal is not needed. The proposals of the samples and default
configuration do not result in successful matches with the proposals of
a default Windows 10 client, so those proposals need to be tweaked in
the configuration files to more closely match what modern clients will
accept.
3) For NAT traversal in transport mode, which is the mode the built-in
Windows and iOS L2TP/IPsec clients use, in addition to turning on port
4500 in racoon2.conf, as mentioned in the racoon2.conf sample
configuration file, it is necessary to add selectors for the NAT
original addresses to the configuration.
4) I have not yet tested multiple connections or roaming connections
from any IP address, but according to the documentation it should be
able to be configured for the "road warrior" scenario. Also, I noticed
the hook scripts were not working as expected and when disconnecting
only the outgoing phase 2 security association was deleted and I had to
delete the incoming phase 2 security association manually using the
setkey tool. I was able to use the ph1-up script to start the L2TP
service, but I had to start it from the ph1-up script instead of from a
script in the ph1-up.d directory. I also had to manually stop the L2TP
service after disconnecting.
It looks like Christos' recent patches successfully interface with the
new openssl 1.1 API on NetBSD current which appears to be incompatible
with openssl 1.0.x on NetBSD 7, so this package will not work on NetBSD
7. It looks like NetBSD 8 does not have the new API yet so for now I
think this only works on NetBSD current.
Are there plans to upgrade NetBSD 8 to the new openssl? If not, it might
be possible to get racoon2 working on NetBSD 7/8 by reversing some of
the recent patches that were added to support the new openssl on NetBSD
current.
Chuck
On 06/13/2018 03:52 PM, Christos Zoulas wrote:
On Jun 13, 2:20pm, frchu...@gmail.com (Chuck Zmudzinski) wrote:
-- Subject: Re: Testing racoon
| I saw your comment, Buck Rogers, when you made the racoon2
| package compile again in the 25th century!
|
| I will have some time to debug it and try to find out why IKEv1 isn't
| working in the next few weeks. It will probably take me a little
| while to learn how to setup the configuration files in racoon2.
My progress there is that doing this:
--- work.x86_64/racoon2-20100526a/iked/isakmp.c 2008-04-20 22:42:00.000000000
-0400
+++ work.x86_64/racoon2-20100526a/iked/isakmp.c 2018-05-29
13:51:52.991346267 -0400
@@ -748,7 +748,7 @@
goto end;
}
- if (extralen > 0) {
+ if (extralen > 0 && 0) {
rc_vchar_t *tmpbuf;
TRACE((PLOGLOC, "chopping %d bytes\n", extralen));
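Review bot: `if (extralen > 0 && 0)` disables the chopping branch unconditionally rather than explaining why `extralen` is nonzero for this peer; as a probe to get further into phase 1 it is fine, but it should not land in the package as-is, since a permanently dead branch makes the `TRACE((PLOGLOC, "chopping %d bytes\n", extralen));` line unreachable and hides whatever trailing bytes the peer is actually sending. Suggest logging `extralen` and the peer address before skipping the chop, or at least a comment marking the line as a temporary experiment so it is not mistaken for a fix.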
gets a little further on phase 1.
| I looked at the racoon2 project page. The most recent version is
| 8 years old. Oh My!
Yes, ouch.
christos
Jun 19 14:42:03 ave spmd: [INFO]: main.c:171: Racoon Spmd - Security Policy Management Daemon - Started
Jun 19 14:42:03 ave spmd: [INFO]: main.c:172: Spmd Version: 20100526a
Jun 19 14:42:03 ave spmd: [INFO]: main.c:451: 'files' found in nsswitch.conf hosts line, we will read hosts file
Jun 19 14:42:03 ave spmd: [INFO]: main.c:460: 'dns' found in nsswitch.conf hosts line, we will start dns proxy service
Jun 19 14:42:04 ave iked: [INFO]: main.c:305:main(): starting iked for racoon2 20100526a
Jun 19 14:42:04 ave iked: [INFO]: main.c:308:main(): OPENSSLDIR: "/etc/openssl"
Jun 19 14:42:04 ave iked: [INFO]: main.c:319:main(): reading config /usr/pkg/etc/racoon2/racoon2.conf
Jun 19 14:42:04 ave iked: [INFO]: isakmp.c:546:isakmp_open_address(): 192.168.1.254[4500] used for NAT-T
Jun 19 14:42:04 ave iked: [INFO]: isakmp.c:546:isakmp_open_address(): 127.0.0.1[4500] used for NAT-T
Jun 19 14:42:04 ave iked: [INFO]: main.c:433:main(): starting iked for racoon2 20100526a
Jun 19 14:43:28 ave iked: [INFO]: ikev1.c:997:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.254[500]<=>216.58.194.142[500]
Jun 19 14:43:28 ave iked: [INFO]: ikev1.c:1002:isakmp_ph1begin_r(): begin Identity Protection mode.
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:222:check_vendorid(): received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: RFC 3947
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: FRAGMENTATION
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:889:ident_r1recv(): Selected NAT-T version: RFC 3947
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 20.
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 19.
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 192.168.1.254[500] with algo #2
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1099:ident_r2recv(): NAT-D payload #0 doesn't match
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 216.58.194.142[500] with algo #2
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1099:ident_r2recv(): NAT-D payload #1 verified
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1122:ident_r2recv(): NAT detected: ME
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 216.58.194.142[500] with algo #2
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 192.168.1.254[500] with algo #2
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1662:ident_ir2mx(): Adding remote and local NAT-D payloads.
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:1930:log_ph1established(): ISAKMP-SA established 192.168.1.254[4500]-216.58.194.142[4500] spi:bfac45b62d3ac730:016d48662ac9b5f9
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:1199:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.254[4500]<=>216.58.194.142[4500]
Jun 19 14:43:29 ave iked: [INFO]: proposal.c:410:cmpsaprop_alloc(): Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_UPDATE ul_proto=255 src=216.58.194.142[4500] dst=192.168.1.254[4500] satype=ESP samode=transport spi=0x0bfdb708 authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_ADD ul_proto=255 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP samode=transport spi=0xe733fb2c authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:43:29 ave iked: [INFO]: pfkey.c:1104:ikev1_update_response(): IPsec-SA established: ESP/Transport 216.58.194.142[4500]->192.168.1.254[4500] spi=201176840(0xbfdb708)
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:555:ikev1_initiate(): 0:192.168.1.254[0] - 216.58.194.142[0]:0x0:remote ike_trans_remote passive mode specified for IKEv1, dropping acquire request
Jun 19 14:43:30 ave pppd[18742]: pppd 2.4.7 started by chuckz, uid 0
Jun 19 14:43:30 ave pppd[18742]: set_up_tty: Changed queue size of 7 from 1024 to 32768
Jun 19 14:43:30 ave pppd[18742]: tty_establish_ppp: Changed queue size of 7 from 1024 to 32768
Jun 19 14:43:30 ave pppd[18742]: Using interface ppp0
Jun 19 14:43:30 ave pppd[18742]: Connect: ppp0 <--> /dev/pts/2
Jun 19 14:43:33 ave pppd[18742]: local IP address 192.168.0.x
Jun 19 14:43:33 ave pppd[18742]: remote IP address 192.168.0.y
Jun 19 14:47:35 ave pppd[18742]: LCP terminated by peer (^T^?Lt^@<M-Mt^@^@^@^@)
Jun 19 14:47:35 ave pppd[18742]: Connect time 4.1 minutes.
Jun 19 14:47:35 ave pppd[18742]: Sent 740946 bytes, received 371972 bytes.
Jun 19 14:47:36 ave pppd[18742]: Modem hangup
Jun 19 14:47:36 ave pppd[18742]: Connection terminated.
Jun 19 14:47:36 ave pppd[18742]: Connect time 4.1 minutes.
Jun 19 14:47:36 ave pppd[18742]: Sent 740946 bytes, received 371972 bytes.
Jun 19 14:47:36 ave pppd[18742]: Exit.
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:407:sadb_delete(): SADB_DELETE ul_proto=48 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP spi=0xe733fb2c
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:646:sadb_delete_callback(): received PFKEY_DELETE seq=0 satype=ESP spi=0xe733fb2c
Jun 19 14:47:36 ave iked: [INFO]: handler.c:1529:purge_remote(): purging ISAKMP-SA spi=bfac45b62d3ac730:016d48662ac9b5f9.
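An added example, not from this mail or from racoon2, to make gotcha 4 above checkable from the iked log: it parses the SADB_UPDATE/SADB_ADD/SADB_DELETE lines from a constructed excerpt of the log above and reports any ESP SA that is still present after the ISAKMP-SA has been purged (in this log the incoming SA 0x0bfdb708 is never deleted), along with the DH groups the responder rejected. The regular expressions are assumptions based only on the log format shown above.

```python
import re

# Constructed excerpt of the iked log lines shown above (not the full log).
SAMPLE_LOG = """\
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 20.
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 19.
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:1930:log_ph1established(): ISAKMP-SA established 192.168.1.254[4500]-216.58.194.142[4500] spi:bfac45b62d3ac730:016d48662ac9b5f9
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_UPDATE ul_proto=255 src=216.58.194.142[4500] dst=192.168.1.254[4500] satype=ESP samode=transport spi=0x0bfdb708 authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_ADD ul_proto=255 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP samode=transport spi=0xe733fb2c authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:407:sadb_delete(): SADB_DELETE ul_proto=48 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP spi=0xe733fb2c
Jun 19 14:47:36 ave iked: [INFO]: handler.c:1529:purge_remote(): purging ISAKMP-SA spi=bfac45b62d3ac730:016d48662ac9b5f9.
"""

# Assumed patterns, derived from the lines above rather than from racoon2 sources.
SA_ADD = re.compile(r"(SADB_UPDATE|SADB_ADD) .*?src=(\S+) dst=(\S+) satype=(\w+) .*?spi=(0x[0-9a-f]+)")
SA_DEL = re.compile(r"SADB_DELETE .*?satype=(\w+) spi=(0x[0-9a-f]+)")
DH_REJECT = re.compile(r"invalid DH group (\d+)")
PH1_PURGE = re.compile(r"purging ISAKMP-SA spi=([0-9a-f:]+)")


def analyse(log):
    """Return (rejected DH groups, ESP SAs still installed after the ISAKMP-SA purge)."""
    sas = {}  # spi (int) -> details of the SA as logged when it was installed
    rejected = []
    purged = False
    for line in log.splitlines():
        m = SA_ADD.search(line)
        if m:
            kind, src, dst, satype, spi = m.groups()
            # Normalise the SPI so 0x0bfdb708 and 0xbfdb708 compare equal.
            sas[int(spi, 16)] = {"kind": kind, "src": src, "dst": dst, "satype": satype}
            continue
        m = SA_DEL.search(line)
        if m:
            sas.pop(int(m.group(2), 16), None)
            continue
        m = DH_REJECT.search(line)
        if m:
            rejected.append(int(m.group(1)))
        elif PH1_PURGE.search(line):
            purged = True
    # Anything still in the table once phase 1 is gone is the SA setkey had to remove by hand.
    return rejected, (sas if purged else {})


if __name__ == "__main__":
    groups, leftover = analyse(SAMPLE_LOG)
    print("DH groups rejected by the responder:", groups)
    for spi, sa in leftover.items():
        print(f"leftover {sa['satype']} SA spi=0x{spi:08x} {sa['src']} -> {sa['dst']} ({sa['kind']})")
```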