NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lymn wrote:
On 28.02.16 10:18:13 you wrote:
> Once upon a time I did manage to get hybrid xauth working using a
> NetBSD server and windows clients, so certificates did work for me.
I don't even need hybrid or xauth. Just a plain signed certificate on both
sides. A simple "road-warrior" client. Until now I found no example
configurations for this case.
> IIRC, looping in phase 1 means both ends cannot agree on an
> authentication method or the credentials presented are not correct.
Yes. But phase 1 is definitely ok in my case. I have now access to the
VPN-status log of my office's Lancom router and it accepted everything:
[VPN-Status] 2016/02/29 12:31:52,304
IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id
CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052,
responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052
IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie:
0x2e8dc875b4e07c26
IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote
side is behind a nat
IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc
authentication MD5
IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec
But after 30 seconds and a few Phase 2 Inf messages it just says:
[VPN-Status] 2016/02/29 12:32:22,284
VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response
[VPN-Status] 2016/02/29 12:32:22,284
VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90
(91.56.236.148)
> Try increasing the debug level on raccoon and see what it is offering
> to the remote end and see if that matches what you expect.
I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf
and starting the racoon daemon with -dddd. I don't get any more information
out of it.
> If you have
> control over the other end then try simplifying things by using a
> pre-shared key (PSK) method of authentication
Unfortunately that's not possible. I cannot change the configuration of my
office's router, because it will break the working VPN connection of all
Windows notebooks.
Thanks,
--
Frank Wille
Home |
Main Index |
Thread Index |
Old Index