Hi, I want to set up an IPSEC client to connect to my office's Lancom router. I was provided with the following details:
- Main mode IKEv1
- DH group 2 (1024 bit)
- PFS group 2 (1024 bit)
- phase 1: IKE AES128, MD5
- phase 2: IPSec AES128, MD5
- phase 2 tunnel mode ESP
- remote network 192.168.0.0/24, configuring with ISAKMP mode config
- supports NAT-T UDP port 4500
- using x509 certificate/key

I got a PKCS12 archive, where I extracted my client certificate/key and the CA-certificate.

# openssl pkcs12 -cacerts -nokeys -in vpnclient15.p12 -out ca.crt
# openssl pkcs12 -clcerts -nokeys -in vpnclient15.p12 -out arwen.wpsd.lcl.crt
# openssl pkcs12 -nocerts -in vpnclient15.p12 -out arwen.rsa
# openssl rsa -in arwen.rsa -out arwen.wpsd.lcl.key

After a lot of reading I came up with the following racoon.conf for the task (remote address of the Lancom replaced by 1.2.3.4 here):

---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug2;

#timer
#{
#	natt_keepalive 15 seconds;
#}

remote 1.2.3.4
{
	#exchange_mode main,aggressive,base;
	exchange_mode main,base;
	#my_identifier fqdn "arwen.wpsd.lcl";
	my_identifier asn1dn;
	#peers_identifier asn1dn;
	#verify_identifier on;
	certificate_type x509 "arwen.wpsd.lcl.crt" "arwen.wpsd.lcl.key";
	ca_type x509 "ca.crt";
	#initial_contact off;
	mode_cfg on;		# ISAKMP mode config
	dpd_delay 20;		# peer detection (alive check)
	nat_traversal on;	# force
	#ike_frag on;
	#esp_frag 552;
	#script "phase1-up.sh" phase1_up;
	#script "phase1-down.sh" phase1_down;
	script "test.sh" phase1_up;
	script "test.sh" phase1_down;
	lifetime time 8 hour;

	# phase 1 proposal (for ISAKMP SA)
	proposal {
		encryption_algorithm aes 128;
		hash_algorithm md5;
		authentication_method hybrid_rsa_client;
		#authentication_method rsasig;
		dh_group 2;
	}

	# the configuration could make racoon (as a responder)
	# obey the initiator's lifetime and PFS group proposal,
	# by setting proposal_check to obey.
	# this would make testing "so much easier", but is really
	# *not* secure !!!
	#proposal_check strict;
	proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
#  - kernel IPsec policy configuration (like "esp/transport//use)
#  - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
	pfs_group 2;
	lifetime time 8 hour;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
}
---8<---

Are there any serious problems left in it?

I'm testing on a Soekris router, running NetBSD 6.1.5, having IPSEC, IPSEC_ESP and IPSEC_NAT_T enabled in the kernel. It has a WAN interface, so NAT-T is not really needed for now.

Unfortunately after starting Racoon

# /etc/rc.d/racoon onestart

and the VPN connection

# racoonctl vc 1.2.3.4

...it fails very early:

Feb 25 17:23:38 arwen racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net)
Feb 25 17:23:38 arwen racoon: INFO: @(#)This product linked OpenSSL 1.0.1i 6 Aug 2014 (http://www.openssl.org/)
Feb 25 17:23:38 arwen racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used as isakmp port (fd=8)
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used as isakmp port (fd=9)
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used as isakmp port (fd=12)
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used for NAT-T
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used as isakmp port (fd=13)
Feb 25 17:24:08 arwen racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4
Feb 25 17:24:08 arwen racoon: INFO: initiate new phase 1 negotiation: 91.56.242.176[4500]<=>1.2.3.4[500]
Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode.
Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to time up. 05349d3fe352e138:0000000000000000
---8<---

arwen# tcpdump -i pppoe0 host 212.62.95.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type PPP_ETHER (PPPoE), capture size 65535 bytes
17:24:08.847578 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:08.884661 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:08.885322 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:18.906170 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:18.943086 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:18.943549 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:28.966408 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:29.005141 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:29.005186 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.027346 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:39.064511 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:39.066388 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf
17:24:49.126577 PPPoE [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t > 212.62.95.76.isakmp: isakmp:
17:24:49.163077 PPPoE [ses 0x9b9] IP 212.62.95.76 > 91.56.242.176: ICMP 212.62.95.76 udp port isakmp unreachable, length 36
17:24:49.163787 PPPoE [ses 0x9b9] IP 212.62.95.76.isakmp > 91.56.242.176.ipsec-nat-t: isakmp: phase 1 I inf

Regards,

-- 
Frank Wille
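Added example, not part of Frank's post and not racoon or ipsec-tools code: before blaming the IKE negotiation, it pays to confirm that the material pulled out of the PKCS#12 bundle with the four openssl commands above is actually consistent, i.e. the client certificate chains to the extracted ca.crt and the private key really belongs to that certificate. The script below replays the same extraction steps against a throwaway bundle it generates itself (the CA name "Demo VPN CA", the file name vpnclient-test.p12 and the passphrase "demo" are all constructed for the demo; only the openssl CLI is required) and then performs both checks.

```shell
#!/bin/sh
# Added example: replay the PKCS#12 extraction from the post on a
# self-generated test bundle and verify the result. Nothing here is a
# real credential; every key and certificate is created on the fly.
set -e

# make_test_bundle DIR: build a throwaway CA and a client certificate
# signed by it, then pack client cert + key + CA into DIR/vpnclient-test.p12.
make_test_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/demo-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=arwen.wpsd.lcl" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/client.csr" \
        -CA "$dir/demo-ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/demo-ca.crt" -passout pass:demo \
        -out "$dir/vpnclient-test.p12"
}

# extract_bundle P12 PASS DIR: the same four openssl calls as in the post,
# with the passphrase given on the command line so the demo runs unattended.
extract_bundle() {
    p12=$1; pass=$2; dir=$3
    openssl pkcs12 -cacerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$dir/ca.crt"
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$pass" \
        -out "$dir/arwen.wpsd.lcl.crt"
    openssl pkcs12 -nocerts -in "$p12" -passin "pass:$pass" \
        -passout "pass:$pass" -out "$dir/arwen.rsa"
    openssl rsa -in "$dir/arwen.rsa" -passin "pass:$pass" \
        -out "$dir/arwen.wpsd.lcl.key" 2>/dev/null
    # the decrypted key is what racoon will read; keep it private
    chmod 600 "$dir/arwen.wpsd.lcl.key"
}

# check_extracted DIR: succeed (exit 0) only if the client certificate
# chains to ca.crt AND the public key in the certificate equals the public
# key derived from the private key. Either mismatch makes phase 1 fail in
# a way that is easy to mistake for a transport or proposal problem.
check_extracted() {
    dir=$1
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/arwen.wpsd.lcl.crt" >/dev/null 2>&1; then
        echo "FAIL: client certificate does not chain to ca.crt" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$dir/arwen.wpsd.lcl.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/arwen.wpsd.lcl.key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match client certificate" >&2
        return 1
    fi
    echo "ok: certificate chains to ca.crt and key matches certificate"
}

# Demo run in a scratch directory using the generated test bundle.
workdir=$(mktemp -d)
make_test_bundle "$workdir"
extract_bundle "$workdir/vpnclient-test.p12" demo "$workdir"
check_extracted "$workdir"
```

To use it on the real archive, skip make_test_bundle and call extract_bundle with the office p12 and its passphrase, then check_extracted on the output directory; if the check fails, no racoon setting will make the handshake succeed.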