NetBSD-Users archive
Re: Simple IPSEC client with certificate - phase 1 time out
On 25.02.16 18:52:52 I wrote:
> and the VPN connection
> # racoonctl vc 1.2.3.4
>
> ...it fails very early:
>
> [...]
> Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode.
> Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to
> time up. 05349d3fe352e138:0000000000000000
Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
turned out to be a bad "authentication_method" in my proposal:
Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
completely sure about the difference. I have a signed certificate and don't
want to use any username or password authentication with xauth, so "rsasig"
is probably ok...?
Now I reach phase 2 and it looks to me that the VPN connection is
established for a second, but a few seconds later I get "DPD: remote seems
to be dead". No idea at the moment.
Do I have to worry about "WARNING: unable to get certificate CRL(3)"?
What does "KA" mean?
---8<---
Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net)
Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 9 Jul 2015 (http://www.openssl.org/)
Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=7)
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8)
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500]
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode.
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D payloads.
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500]
---8<---
--
Frank Wille
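As an added example that is not part of the post and not code from ipsec-tools: a small Python script that rejoins the mail-wrapped racoon syslog records shown above and correlates the ISAKMP-SA lifecycle by SPI, so that "how long was the SA up and what tore it down" is read off the log instead of eyeballed from timestamps. It also picks out the messages the post asks about: the NO-PROPOSAL-CHOSEN notification (the peer rejected the phase 1 proposal), the "unable to get certificate CRL" warnings per chain depth, and the "KA" lines, which are entries in racoon's NAT-T keepalive list (UDP keepalives on port 4500 that keep the NAT binding alive once "NAT detected" fires). "DPD: remote ... seems to be dead" is Dead Peer Detection (RFC 3706) giving up after the peer stopped answering its probes. The log excerpt is copied from the post; the year 2016 is taken from the post date because syslog does not record it; all function names are the example's own.

```python
import re
from datetime import datetime

# Excerpt copied from the post above (peer 1.2.3.4, client 192.168.1.5 as posted).
# Mail wrapping split several records over two physical lines, exactly as in the
# archive, so the parser has to rejoin them before matching anything.
RACOON_LOG = """\
Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add:
192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established
192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: KA remove:
192.168.1.5[4500]->1.2.3.4[4500]
"""

# Syslog prefix as racoon writes it; the year is not logged, so the caller supplies it.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: (?P<msg>.*)$"
)
# ISAKMP-SA SPI pair: "spi:..." on establish/delete lines, "spi=..." on DPD/purge lines.
SPI_RE = re.compile(r"spi[:=]([0-9a-f]{16}:[0-9a-f]{16})")
CRL_RE = re.compile(r"unable to get certificate CRL\((\d+)\) at depth:(\d+) SubjectName:(.*)$")


def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for line in text.splitlines():
        if SYSLOG_PREFIX.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse(text, year=2016):
    """Turn the raw excerpt into (timestamp, message, spi-or-None) tuples."""
    events = []
    for rec in unwrap(text):
        m = SYSLOG_PREFIX.match(rec)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        spi = SPI_RE.search(m["msg"])
        events.append((ts, m["msg"], spi.group(1) if spi else None))
    return events


def sa_lifetimes(events):
    """Correlate establish / DPD / purge events per ISAKMP-SA SPI.

    Returns {spi: {"established", "ended", "ended_by": "dpd"|"peer/local"|None,
                   "lifetime_s": seconds or None}}.
    """
    sas = {}
    for ts, msg, spi in events:
        if not spi:
            continue
        sa = sas.setdefault(spi, {"established": None, "ended": None, "ended_by": None})
        if "ISAKMP-SA established" in msg:
            sa["established"] = ts
        elif "DPD:" in msg and "seems to be dead" in msg:
            sa["ended_by"] = "dpd"          # DPD declared the peer dead; purge follows
        elif "purged ISAKMP-SA" in msg or "ISAKMP-SA deleted" in msg:
            sa["ended"] = ts
            sa["ended_by"] = sa["ended_by"] or "peer/local"
    for sa in sas.values():
        if sa["established"] and sa["ended"]:
            sa["lifetime_s"] = (sa["ended"] - sa["established"]).total_seconds()
        else:
            sa["lifetime_s"] = None
    return sas


def findings(events):
    """Pull out the messages a defender reviewing a failed IPsec negotiation looks for."""
    out = []
    for ts, msg, _ in events:
        if "NO-PROPOSAL-CHOSEN" in msg:
            out.append(("proposal_rejected", ts, "peer rejected the phase 1 proposal"))
        elif "phase1 negotiation failed due to time up" in msg:
            out.append(("phase1_timeout", ts, "no usable answer from peer in phase 1"))
        elif crl := CRL_RE.search(msg):
            out.append(("crl_unavailable", ts, f"depth {crl.group(2)}: {crl.group(3)}"))
        elif "NAT detected" in msg:
            out.append(("nat_t", ts, msg.split("NAT detected: ", 1)[1]))
        elif msg.startswith("INFO: KA "):
            out.append(("natt_keepalive", ts, msg[len("INFO: "):]))
    return out


if __name__ == "__main__":
    evs = parse(RACOON_LOG)
    for spi, sa in sa_lifetimes(evs).items():
        print(f"ISAKMP-SA {spi}: lifetime {sa['lifetime_s']}s, ended by {sa['ended_by']}")
    for kind, ts, detail in findings(evs):
        print(f"{ts:%H:%M:%S} {kind:17} {detail}")
```

Run against the excerpt, the SA is reported as having lived 66 s and been ended by DPD, and the CRL finding names the depth-1 (issuer) certificate, which is the one a CRL would actually have to be fetched for. Feeding the script a longer racoon log (for instance the whole file after a day of reconnects) gives one line per SA, which makes a recurring DPD teardown interval stand out immediately.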