tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
IPsec debugging
Hi,
I would like to know if there are any more options to debug an IPsec
connection. I'm establishing the connection as a client using a CA
certificate and a client certificate and key. This is phase 1
"authentication method" "rsasig", as far as I know?
I have IPSEC_DEBUG in the kernel. I'm using "log debug2" in racoon.conf and
I start racoon with "-dddd" options. But everything I get is this:
---8<---
Feb 26 12:16:23 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net)
Feb 26 12:16:23 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/)
Feb 26 12:16:23 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf"
Feb 26 12:16:23 powerbook racoon: ERROR: /etc/racoon/racoon.conf:70: "}" no
compression algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Feb 26 12:16:23 powerbook racoon: ERROR: fatal parse failure (1 errors)
Feb 26 12:17:11 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net)
Feb 26 12:17:11 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/)
Feb 26 12:17:11 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf"
Feb 26 12:17:11 powerbook racoon: ERROR: /etc/racoon/racoon.conf:70: "}" no
compression algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Feb 26 12:17:11 powerbook racoon: ERROR: fatal parse failure (1 errors)
Feb 26 12:24:52 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net)
Feb 26 12:24:52 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/)
Feb 26 12:24:52 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf"
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port
(fd=7)
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T
Feb 26 12:24:53 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp
port (fd=8)
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=9)
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 26 12:24:53 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port
(fd=10)
Feb 26 12:26:07 powerbook racoon: INFO: accept a request to establish
IKE-SA: 1.2.3.4
Feb 26 12:26:07 powerbook racoon: INFO: initiate new phase 1 negotiation:
192.168.1.5[500]<=>1.2.3.4[500]
Feb 26 12:26:07 powerbook racoon: INFO: begin Identity Protection mode.
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID: RFC 3947
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 26 12:26:07 powerbook racoon: INFO: received Vendor ID: DPD
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version:
RFC 3947
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1
Feb 26 12:26:07 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1
Feb 26 12:26:07 powerbook racoon: INFO: Adding remote and local NAT-D
payloads.
Feb 26 12:26:07 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #0 doesn't match
Feb 26 12:26:07 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1
Feb 26 12:26:07 powerbook racoon: INFO: NAT-D payload #1 verified
Feb 26 12:26:07 powerbook racoon: INFO: NAT detected: ME
Feb 26 12:26:07 powerbook racoon: INFO: KA list add:
192.168.1.5[4500]->1.2.3.4[4500]
Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:0
SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE
Feb 26 12:26:08 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 26 12:26:08 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT
Feb 26 12:26:08 powerbook racoon: INFO: ISAKMP-SA established
192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b
Feb 26 12:27:13 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b) seems to be dead.
Feb 26 12:27:13 powerbook racoon: INFO: purging ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b.
Feb 26 12:27:13 powerbook racoon: INFO: purged ISAKMP-SA
spi=b093a6d4667c8c59:420b8c66dd98416b.
Feb 26 12:27:13 powerbook racoon: INFO: ISAKMP-SA deleted
192.168.1.5[4500]-1.2.3.4[4500] spi:b093a6d4667c8c59:420b8c66dd98416b
Feb 26 12:27:13 powerbook racoon: INFO: KA remove:
192.168.1.5[4500]->1.2.3.4[4500]
---8<---
The connection always dies 5 seconds after being established, because DPD
thinks the peer is dead. tcpdump shows that the peer's UDP Port 4500
suddeny became unreachable, although it worked before.
I would like to get some more information to debug the problem.
Here is my racoon.conf (the remote VPN router was replaced with 1.2.3.4 in
these examples):
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
log debug2;
remote "wpsd"
{
remote_address 1.2.3.4;
exchange_mode main,base;
#my_identifier fqdn "arwen.wpsd.lcl";
my_identifier asn1dn;
#peers_identifier asn1dn;
#verify_identifier on;
certificate_type x509 "arwen.wpsd.lcl.crt" "arwen.wpsd.lcl.key";
ca_type x509 "ca.crt";
#initial_contact off;
mode_cfg on; # ISAKMP mode config
dpd_delay 20; # peer detection (alive check)
nat_traversal on; # force
#ike_frag on;
#esp_frag 552;
#script "phase1-up.sh" phase1_up;
#script "phase1-down.sh" phase1_down;
script "test.sh" phase1_up;
script "test.sh" phase1_down;
#lifetime time 8 hour;
# phase 1 proposal (for ISAKMP SA)
proposal {
encryption_algorithm aes;
hash_algorithm md5;
#authentication_method hybrid_rsa_client;
authentication_method rsasig;
dh_group 2;
}
# the configuration could makes racoon (as a responder)
# to obey the initiator's lifetime and PFS group proposal,
# by setting proposal_check to obey.
# this would makes testing "so much easier", but is really
# *not* secure !!!
#proposal_check strict;
proposal_check obey;
}
# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
pfs_group 2;
lifetime time 8 hour;
encryption_algorithm aes 128;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
--
Frank Wille
Home |
Main Index |
Thread Index |
Old Index