Package: racoon
Version: 1:0.8.2+20140711-8
Severity: normal

Dear Maintainer,

I am configuring a roadwarrior-like scenario which works; however, I've 
encountered a strange problem. When configuring racoon to use AES 128 
CBC as the encryption algorithm with SHA256 as the authentication algorithm 
(and PFS with DH group 2048) for the SA proposal, the traffic is not 
correctly authenticated. Phase 1 and 2 complete successfully, 
SAs are installed properly and I even see encrypted traffic leaving 
the box (and arriving at it) with correct SPIs; however, it looks like 
the traffic is dropped both by my Linux server and by my remote MikroTik 
router. The issue goes away immediately when I change to SHA1 as the 
authentication algorithm in racoon for the SA proposal.
I have tested the same setup on the same server with strongSwan, and there 
SHA256 works fine.

If you need any more information, let me know, along with some advice on how to 
gather it.

In summary:
1. racoon configuration with aes128-cbc, sha256 and pfs2048 doesn't work with MikroTik.
2. Changing only sha256 to sha1 on racoon and MikroTik solves the problem immediately.
3. MikroTik to MikroTik and MikroTik to strongSwan works as expected.
4. PSK is fine, phase 1 and 2 complete properly, setkey -D and setkey -DP 
show the expected values, but packets are dropped.

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages racoon depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  ipsec-tools            1:0.8.2+20140711-8
ii  libc6                  2.24-11+deb9u1
ii  libcomerr2             1.43.4-2
ii  libgssapi-krb5-2       1.15-1
ii  libk5crypto3           1.15-1
ii  libkrb5-3              1.15-1
ii  libldap-2.4-2          2.4.44+dfsg-5
ii  libpam0g               1.1.8-3.6
ii  libssl1.0.2            1.0.2l-2
ii  lsb-base               9.20161125
ii  perl                   5.24.1-3+deb9u2

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt changed:
* xxxxxxx

/etc/racoon/racoon.conf changed:
log info;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
        isakmp 217.182.74.61 [500];
        isakmp_natt 217.182.74.61 [4500];
}
remote anonymous {
        exchange_mode main,aggressive,base;
        my_identifier address;
        lifetime time 24 hour;
        passive on;
        proposal_check obey;
        generate_policy require;
        nat_traversal on;
        dpd_delay 120;
        dpd_retry 5;
        dpd_maxfail 5;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp3072;
        }
}
sainfo anonymous {
        lifetime time 4 hours;
        pfs_group modp3072;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}


-- debconf information:
* racoon/config_mode: direct
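
One thing worth checking in a setup like the one reported above, where phase 1 and 2 complete, SAs are installed, ESP leaves and arrives with the right SPIs, but the peer drops it with hmac_sha256 and accepts it with hmac_sha1, is the ICV truncation length of the installed SAs. RFC 4868 defines HMAC-SHA-256 for ESP with a 128-bit ICV, while older implementations used a 96-bit ICV; two peers that disagree on this complete IKE normally and then fail integrity checks on every ESP packet. The report does not establish that this is the cause, so the following is a diagnostic, not a fix. It is an added example, not code from the bug report or from ipsec-tools: it parses the text format of `ip xfrm state` and `/proc/net/xfrm_stat` on Linux, flags any SA whose `auth-trunc` length differs from the RFC 4868 value for its hash, and reports the `XfrmInStateProtoError` counter, which the kernel increments when inbound ESP fails the integrity check. The sample output embedded below is constructed; the peer address 198.51.100.7, the SPIs and the keys are placeholders.

```python
"""Flag ESP SAs whose HMAC ICV truncation differs from RFC 4868 / RFC 2404.

Added example (not from the bug report or ipsec-tools). Parses the text
output of `ip xfrm state` and /proc/net/xfrm_stat as produced on Linux and
reports SAs whose `auth-trunc` bit length does not match the RFC value for
the hash in use, plus the kernel's inbound integrity-failure counter.
"""
import re
import subprocess
import sys

# RFC 4868: HMAC-SHA-256-128, HMAC-SHA-384-192, HMAC-SHA-512-256.
# RFC 2404: HMAC-SHA-1-96.  Values are the ICV length in bits.
EXPECTED_TRUNC_BITS = {
    "hmac(sha1)": 96,
    "hmac(sha256)": 128,
    "hmac(sha384)": 192,
    "hmac(sha512)": 256,
}

# Constructed sample: two SAs with sha256 truncated to 96 bits.
# Peer address, SPIs and keys are placeholders.
SAMPLE_XFRM_STATE = """\
src 217.182.74.61 dst 198.51.100.7
\tproto esp spi 0x0c1e0a05 reqid 0 mode tunnel
\treplay-window 4 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 96
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff
src 198.51.100.7 dst 217.182.74.61
\tproto esp spi 0x0a8e4c21 reqid 0 mode tunnel
\treplay-window 4 flag af-unspec
\tauth-trunc hmac(sha256) 0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 96
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
"""

# Constructed sample of /proc/net/xfrm_stat with integrity failures counted.
SAMPLE_XFRM_STAT = """\
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           42
XfrmInStateModeError            0
"""

_SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
_SPI = re.compile(r"proto (\w+) spi (0x[0-9a-fA-F]+)")
_AUTH = re.compile(r"auth-trunc (\S+) 0x[0-9a-fA-F]+ (\d+)")
_ENC = re.compile(r"enc (\S+) 0x")


def parse_xfrm_state(text):
    """Return a list of SA dicts (src, dst, proto, spi, auth, trunc_bits, enc)."""
    sas, cur = [], None
    for raw in text.splitlines():
        m = _SA_HEADER.match(raw)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = _SPI.search(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
        m = _AUTH.search(line)
        if m:
            cur["auth"], cur["trunc_bits"] = m.group(1), int(m.group(2))
        m = _ENC.search(line)
        if m:
            cur["enc"] = m.group(1)
    return sas


def check_truncation(sas):
    """One finding per SA whose ICV length differs from the RFC value."""
    findings = []
    for sa in sas:
        want = EXPECTED_TRUNC_BITS.get(sa.get("auth"))
        if want is not None and sa.get("trunc_bits") != want:
            findings.append(
                "spi %s %s->%s: %s truncated to %d bits, RFC 4868 expects %d"
                % (sa.get("spi"), sa["src"], sa["dst"], sa["auth"],
                   sa["trunc_bits"], want))
    return findings


def parse_xfrm_stat(text):
    """Parse /proc/net/xfrm_stat into a {counter: value} dict."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def diagnose(state_text, stat_text):
    """Combine truncation findings with the inbound integrity-error counter."""
    findings = check_truncation(parse_xfrm_state(state_text))
    errors = parse_xfrm_stat(stat_text).get("XfrmInStateProtoError", 0)
    if errors:
        findings.append("XfrmInStateProtoError=%d: inbound ESP packets failed "
                        "the integrity check (ICV mismatch)" % errors)
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:  # needs root on a Linux box with SAs installed
        state = subprocess.run(["ip", "xfrm", "state"], check=True,
                               capture_output=True, text=True).stdout
        with open("/proc/net/xfrm_stat") as f:
            stat = f.read()
    else:
        state, stat = SAMPLE_XFRM_STATE, SAMPLE_XFRM_STAT
    for line in diagnose(state, stat) or ["no truncation mismatch, no integrity errors"]:
        print(line)
```

Run without arguments to see the check on the constructed sample; with `--live` (as root) it reads the real SAD and counters. A non-zero `XfrmInStateProtoError` that climbs while traffic flows, together with `auth-trunc hmac(sha256) ... 96`, is the signature of a truncation mismatch with a peer that implements the 128-bit ICV; whether that is what the MikroTik side does has to be confirmed on the router, since the report itself does not say.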
