NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lynn wrote:
On 04.03.16 09:20:12 you wrote:
> Well, let's say packet loss from the point of view of racoon, ipsec can
> be very sensitive to lossy networks so it is good the eliminate that as
> a cause. The test with the windows client is valuable, it shows that
> ipsec can work from where you are.
Indeed. And I guess we can ignore a potential packet loss for now. I
debugged Racoon and studied the source over several hours and came to the
conclusion that IKE mode config only works with Hybrid authentication
modes. No plain "rsasig", which is a pity.
Might not be too difficult to add...
> As for the keep alives, the
> handling of those depends on the client and/or its configuration -
> maybe the windows client is configured to ignore the keep alives?
Now I guess that keep-alives are just sent to have some traffic, but no need
to reply them. The Lancom gateway does not sent them itself My own NetBSD
gateway generates them, but does not reply either.
> I do recall being able to get logging out of racoon. Have you tried
> running racoon in the foreground
Correct. I discovered that in the meantime. "debug" output is never written
to syslog for security reasons (contains hexdumps of keys and
certificates).
>> Also I'm getting doubt whether "authentication_method rsasig" is
>> working at all. Until now I found no success stories with such a
>> configuration on the net, especially when using mode_cfg.
>>
>
> As for a lot of things, it is hard to find success stories on the net -
True, but unfortunately I was right here. :|
> I have only done hybrid-xauth, part of that was validating a
> certificate.
Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my
phase1-up script and adds the appropriate SPD entries.
There is no phase 2 negotiation before I try to connect to any VPN address,
but I think that's normal.
Unfortunately even the proven hybrid authentication fails for me. The kernel
cannot update or add keys for SAD:
racoon: INFO: initiate new phase 2 negotiation:
192.168.1.5[4500]<=>77.182.71.224[4500]
racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_update: no SA index found.
/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
/netbsd: key_setsaval: unable to initialize SA type 3.
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: ERROR: pfkey ADD failed: Invalid argument
racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.
On the other hand, the Racoon server/gateway has no problem. It may have
something to do with NAT-T...?
--
Frank Wille
Home |
Main Index |
Thread Index |
Old Index