Hi all.
I am not sure whether this is the correct list for my problem, but I
could not find a more suitable mailing list in the complete index at debian.org.
I am trying to set up a VPN between the two offices of the company I
work for, but I am getting a "time up" error at phase 1 in the logs. Both
are Debian Sarge boxes acting as gateway and proxy-cache, connected to
ADSL routers and running kernel 2.6.11:
[EMAIL PROTECTED]:~]# uname -a
Linux soun 2.6.11.10 #1 Wed May 18 16:21:28 CEST 2005 i686 GNU/Linux
[EMAIL PROTECTED]:~]# uname -a
Linux nabiki 2.6.11 #1 Mon Mar 7 12:16:19 CET 2005 i686 GNU/Linux
Here are the steps I have followed:
1. apt-get install ipsec-tools racoon iproute iptables
(I selected the racoon-tool method for creating the racoon.conf file; racoon-tool is a
Perl script shipped in the Debian package that helps with this and lets
you use /etc/init.d/racoon restart, since it takes care of flushing
the policies and creating the necessary ones.)
2. I created this /etc/racoon/racoon-tool.conf file on gateway A:
------------------------------------ /etc/racoon/racoon-tool.conf A
global:
    log: notify

peer(%default):
    verify_identifier: on
    hash_algorithm[0]: sha1
    encryption_algorithm[0]: aes

connection(%default):
    src_ip: 213.96.80.51

peer(80.36.214.182):
    peers_identifier: address

connection(to-nabiki):
    dst_ip: 80.36.214.182
    src_range: 192.168.0.0/24
    dst_range: 192.168.1.0/24
    admin_status: enabled
-------------------------------------
Which generated this /etc/racoon/racoon.conf file:
------------------------------------ /etc/racoon/racoon.conf A
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 80.36.214.182 {
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    verify_identifier on;
    peers_identifier address;
    exchange_mode main;
}

sainfo address 192.168.0.0/24[any] any address 192.168.1.0/24[any] any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
------------------------------------------------
Well, it actually created /var/lib/racoon/racoon.conf, but I copied the
file to /etc/racoon/ because I am afraid that is a bug in racoon-tool.
I also added these entries into /etc/racoon/psk.txt:
80.36.214.182 key1
213.96.80.51 key2
I generated both keys with:
$ dd if=/dev/random count=20 bs=1 | xxd -ps
The /etc/racoon/racoon.conf file at gateway B was generated the same way
(starting from /etc/racoon/racoon-tool.conf):
------------------------------------ /etc/racoon/racoon.conf B
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 213.96.80.51 {
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    verify_identifier on;
    peers_identifier address;
    exchange_mode main;
}

sainfo address 192.168.1.0/24[any] any address 192.168.0.0/24[any] any {
    pfs_group modp1024;
    encryption_algorithm aes,3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
----------------------------------------------------
And /etc/racoon/psk.txt looks the same as before. So I start the
server, and this is what I get:
$ cat /var/log/syslog
May 20 11:58:37 soun racoon-tool[6532]: loaded IPSEC/crypto modules.
May 20 11:58:37 soun racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
May 20 11:58:37 soun racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=8)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=9)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: racoon started.
May 20 11:58:37 soun racoon-tool[6532]: flushed SAD and SPD.
May 20 11:58:37 soun racoon: INFO: unsupported PF_KEY message REGISTER
May 20 11:58:37 soun last message repeated 2 times
May 20 11:58:37 soun racoon-tool[6532]: loaded SAD and SPD.
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=11)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: configured racoon.
May 20 11:58:38 soun racoon: INFO: respond new phase 1 negotiation: 213.96.80.51[500]<=>80.36.214.182[500]
May 20 11:58:38 soun racoon: INFO: begin Identity Protection mode.
May 20 11:58:38 soun racoon: INFO: received Vendor ID: DPD
May 20 11:59:40 soun racoon: ERROR: phase1 negotiation failed due to time up. 32 0bb0f9eaea575d:536714fe6ae3cdb5
------------------------------------------------------------
My firewall is configured in the same manner as when I was using
FreeSWAN, and it worked fine then. Anyway, I have tried restarting both racoon
servers after taking the firewall down (/etc/init.d/iptables clear), and
the results are exactly the same.
Any hints? Thanks in advance.
--
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
_______________________________________________
Ipsec-tools-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
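An added example, not part of the post or of racoon itself, that checks mechanically whether two racoon gateways hold a consistent pre-shared key for each other. racoon looks the secret up in psk.txt under the peer's identifier, so with `peers_identifier address` gateway A needs a line for B's address, B needs a line for A's address, and both lines must carry the same secret; the gateway addresses are the ones from the post, the racoon.conf fragments are cut down to their remote blocks, and the secrets are constructed placeholders.

```python
"""Added example (not part of the original post): check that two racoon
gateways hold a consistent pre-shared key for each other.

racoon looks up the secret in psk.txt under the peer's identifier, so with
`peers_identifier address` gateway A needs a line for B's address, gateway
B needs a line for A's address, and both lines must carry the same secret.
Addresses are the ones from the post; the secrets are constructed."""
import re

ADDR_A, ADDR_B = "213.96.80.51", "80.36.214.182"
# Minimal stand-ins for the posted racoon.conf files (only the remote block matters here).
CONF_A = "remote 80.36.214.182 {\n    exchange_mode main;\n}\n"
CONF_B = "remote 213.96.80.51 {\n    exchange_mode main;\n}\n"
# The posted psk.txt layout, identical on both gateways (constructed placeholder secrets).
PSK_SAME = "80.36.214.182 key1\n213.96.80.51 key2\n"
# Consistent layout: each side lists only its peer, under one shared secret.
PSK_A_OK = "80.36.214.182 0xc0ffee\n"
PSK_B_OK = "213.96.80.51 0xc0ffee\n"

def parse_psk(text):
    """Parse psk.txt lines of 'identifier secret'; '#' starts a comment."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ident, secret = line.split(None, 1)
            keys[ident] = secret.strip()
    return keys

def remote_peers(conf):
    """Peer addresses named by 'remote <addr> {' blocks in racoon.conf."""
    return re.findall(r"^\s*remote\s+(\S+)\s*\{", conf, re.M)

def check_psk_pair(conf_a, psk_a, addr_a, conf_b, psk_b, addr_b):
    """Return a list of problems; an empty list means the PSKs are consistent."""
    problems = []
    keys_a, keys_b = parse_psk(psk_a), parse_psk(psk_b)
    for side, conf, keys, peer in (("A", conf_a, keys_a, addr_b),
                                   ("B", conf_b, keys_b, addr_a)):
        if peer not in remote_peers(conf):
            problems.append(f"{side}: no remote block for peer {peer}")
        if peer not in keys:
            problems.append(f"{side}: psk.txt has no entry for peer {peer}")
    # Each side authenticates the other with the entry filed under the peer's address.
    ka, kb = keys_a.get(addr_b), keys_b.get(addr_a)
    if ka is not None and kb is not None and ka != kb:
        problems.append("secret A uses for B differs from secret B uses for A")
    return problems
```

Running `check_psk_pair(CONF_A, PSK_SAME, ADDR_A, CONF_B, PSK_SAME, ADDR_B)` reports the mismatch for the identical-file layout, while the `PSK_A_OK` / `PSK_B_OK` pair returns an empty list.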