Hi all.

I am not sure whether this is the correct list for my problem, but I could not find a proper mailing list from the complete index at debian.org.

I am trying to set up a VPN between the two offices of the company I
work for but I am having a time up error at phase 1 in the logs. Both
are Debian Sarge boxes acting as gateway and proxy-cache connected to
ADSL routers using kernels 2.6.11:

[EMAIL PROTECTED]:~]# uname -a
Linux soun 2.6.11.10 #1 Wed May 18 16:21:28 CEST 2005 i686 GNU/Linux

[EMAIL PROTECTED]:~]# uname -a
Linux nabiki 2.6.11 #1 Mon Mar 7 12:16:19 CET 2005 i686 GNU/Linux

Here you are the steps I have done:

1. apt-get install ipsec-tools racoon iproute iptables

(selected racoon-tool method for creating racoon.conf file, which is a
perl script available in the Debian package that helps on it and allows
you to use /etc/init.d/racoon restart since it takes care of flushing
the policies and creating the necessary ones)

2. I created this /etc/racoon/racoon-tool.conf file on gateway A:

------------------------------------ /etc/racoon/racoon-tool.conf A
global:
        log: notify

peer(%default):
        verify_identifier: on
        hash_algorithm[0]: sha1
        encryption_algorithm[0]: aes

connection(%default):
        src_ip: 213.96.80.51

peer(80.36.214.182):
        peers_identifier: address

connection(to-nabiki):
        dst_ip: 80.36.214.182
        src_range: 192.168.0.0/24
        dst_range: 192.168.1.0/24
        admin_status: enabled
-------------------------------------

Which generated this /etc/racoon/racoon.conf file:

------------------------------------ /etc/racoon/racoon.conf A
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 80.36.214.182 {
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        verify_identifier on;
        peers_identifier address;
        exchange_mode main;
}

sainfo address 192.168.0.0/24[any] any address 192.168.1.0/24[any] any {
        pfs_group modp1024;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
------------------------------------------------
Well, it really created /var/lib/racoon/racoon.conf, but I copied the
file to /etc/racoon/ because it's a bug of the racoon-tool I am afraid.

I also added these entries into /etc/racoon/psk.txt:

80.36.214.182   key1
213.96.80.51    key2

I generated both keys with:

$ dd if=/dev/random count=20 bs=1 | xxd -ps

The /etc/racoon/racoon.conf file at gateway B was generated the same way
(starting from /etc/racoon/racoon-tool.conf):

------------------------------------ /etc/racoon/racoon.conf B
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 213.96.80.51 {
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        verify_identifier on;
        peers_identifier address;
        exchange_mode main;
}

sainfo address 192.168.1.0/24[any] any address 192.168.0.0/24[any] any {
        pfs_group modp1024;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
----------------------------------------------------

And the /etc/racoon/psk.txt looks the same way as before. So, I try to
start the server and this is what I get:

$ cat /var/log/syslog
May 20 11:58:37 soun racoon-tool[6532]: loaded IPSEC/crypto modules.
May 20 11:58:37 soun racoon: INFO: @(#)ipsec-tools 0.5.2
(http://ipsec-tools.sourceforge.net)
May 20 11:58:37 soun racoon: INFO: @(#)This product linked OpenSSL
0.9.7e 25 Oct 2004 (http://www.openssl.org/)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port
(fd=8)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port
(fd=9)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=10)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: racoon started.
May 20 11:58:37 soun racoon-tool[6532]: flushed SAD and SPD.
May 20 11:58:37 soun racoon: INFO: unsupported PF_KEY message REGISTER
May 20 11:58:37 soun last message repeated 2 times
May 20 11:58:37 soun racoon-tool[6532]: loaded SAD and SPD.
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port
(fd=10)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port
(fd=11)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=12)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: configured racoon.
May 20 11:58:38 soun racoon: INFO: respond new phase 1 negotiation:
213.96.80.51[500]<=>80.36.214.182[500]
May 20 11:58:38 soun racoon: INFO: begin Identity Protection mode.
May 20 11:58:38 soun racoon: INFO: received Vendor ID: DPD
May 20 11:59:40 soun racoon: ERROR: phase1 negotiation failed due to
time up. 32 0bb0f9eaea575d:536714fe6ae3cdb5
------------------------------------------------------------

My firewall is configured in the same manner as when i was using
FreeSWAN and worked fine. Anyway, I have tried to restart both racoon
servers after taking the firewall out (/etc/init.d/iptables clear) and
the results are exactly the same.

Any hints? Thanks in advance.

--
Jaume Sabater
http://linuxsilo.net/

"Ubi sapientas ibi libertas"



-------------------------------------------------------
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
_______________________________________________
Ipsec-tools-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel


-------------------------------------------------------
This SF.Net email is sponsored by Yahoo.
Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
Search APIs Find out how you can build Yahoo! directly into your own
Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005
_______________________________________________
Ipsec-tools-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to