tech-net archive


racoon2 IKEv1 is working!



I have been experimenting with racoon2 since I learned of the new patches to make it compile successfully on current.

It is possible to make an IKEv1 L2TP/IPsec connection through a NAT device from a Windows 10 client to a NetBSD current VPN server, starting with the recent patches by Christos to the current branch of the pkgsrc/security/racoon2 package and adding one more small patch (apply after extracting and applying the existing patches for the package, but before building and installing):

--- pskgen/pskgen.in.orig    2005-09-16 06:52:20.000000000 +0000
+++ pskgen/pskgen.in
@@ -59,8 +59,8 @@ EOD
     exit 0;
 }

-require 'getopts.pl';
-do Getopts('rs:o:di:he:d');
+require Getopt::Std;
+Getopt::Std::getopts('rs:o:di:he:d');
 $output = '-';
 $output = $opt_o if ($opt_o);
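Review bot: the return value of getopts is still discarded on the `+Getopt::Std::getopts('rs:o:di:he:d');` line, so an unknown or malformed switch is silently accepted exactly as it was with the old `do Getopts(...)`; since the usage routine ends just above this hunk, `Getopt::Std::getopts('rs:o:di:he') or usage();` (whatever that routine is actually named) would make bad invocations fail loudly. The option string also lists `d` twice (`di:he:d`), which is harmless to Getopt::Std but reads like a leftover; drop the trailing `d`. Calling the function fully qualified without `use Getopt::Std` is fine here, since getopts exports the `$opt_*` variables into the caller's package itself, so `$opt_o` below keeps working.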

Racoon2 is still rudimentary, but it is now functional (see attached log snippets showing a successful connection below). Next is to try and get it working as a server for IKEv2 connections. This would be a BSD licensed solution for IKEv2 that racoon does not have.

It is not necessary to include the little patch shown in Christos' June 13 message to iked/isakmp.c:751 to get it functional. But to fully install the package and to be able to generate a pre-shared key file that is compatible with racoon2, it was necessary to update the pskgen perl script to a supported version of perl5's getopts function, as shown in the aforementioned patch.

It was also necessary to tweak the configuration files quite a lot, and I plan on patching the sample configuration files so they are closer to what actually works in today's world and making them available in the near future.

Some of the gotchas that need to be solved to get an IKEv1 connection working using racoon2:

1) If you are using a pre-shared key for the phase 1 authentication, you need to generate it with the pskgen perl script that is installed with the package and usable after applying the aforementioned patch. If you instead try to create the psk file with an editor such as vi, a newline character will be appended that invalidates the key. You can use pskgen to strip away the newline character so the key will exactly match the peer's key.

2) The sample configurations don't have anything close enough to what will work for a transport mode IKEv1 connection to a modern client, even if NAT traversal is not needed. The proposals of the samples and default configuration do not result in successful matches with the proposals of a default Windows 10 client, so those proposals need to be tweaked in the configuration files to more closely match what modern clients will accept.

3) For NAT traversal in transport mode, which is the mode the built-in Windows and iOS L2TP/IPsec clients use, in addition to turning on port 4500 in racoon2.conf, as mentioned in the racoon2.conf sample configuration file, it is necessary to add selectors for the NAT original addresses to the configuration.

4) I have not yet tested multiple connections or roaming connections from any IP address, but according to the documentation it should be configurable for the "road warrior" scenario. Also, I noticed the hook scripts were not working as expected: when disconnecting, only the outgoing phase 2 security association was deleted, and I had to delete the incoming phase 2 security association manually using the setkey tool. I was able to use the ph1-up script to start the L2TP service, but I had to start it from the ph1-up script instead of from a script in the ph1-up.d directory. I also had to manually stop the L2TP service after disconnecting.

It looks like Christos' recent patches successfully interface with the new OpenSSL 1.1 API on NetBSD current, which appears to be incompatible with OpenSSL 1.0.x on NetBSD 7, so this package will not work on NetBSD 7. It looks like NetBSD 8 does not have the new API yet, so for now I think this only works on NetBSD current.

Are there plans to upgrade NetBSD 8 to the new OpenSSL? If not, it might be possible to get racoon2 working on NetBSD 7/8 by reversing some of the recent patches that were added to support the new OpenSSL on NetBSD current.

Chuck


On 06/13/2018 03:52 PM, Christos Zoulas wrote:
On Jun 13,  2:20pm, frchuckz%gmail.com@localhost (Chuck Zmudzinski) wrote:
-- Subject: Re: Testing racoon

| I saw your comment, Buck Rogers, when you made the racoon2
| package compile again in the 25th century!
|
| I will have some time to debug it and try to find out why IKEv1 isn't
| working in the next few weeks. It will probably take me a little
| while to learn how to setup the configuration files in racoon2.

My progress there is that doing this:

--- work.x86_64/racoon2-20100526a/iked/isakmp.c 2008-04-20 22:42:00.000000000 -0400
+++ work.x86_64/racoon2-20100526a/iked/isakmp.c     2018-05-29 13:51:52.991346267 -0400
@@ -748,7 +748,7 @@
                 goto end;
         }
- if (extralen > 0) {
+       if (extralen > 0 && 0) {
                 rc_vchar_t *tmpbuf;
TRACE((PLOGLOC, "chopping %d bytes\n", extralen));
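Review bot: `+       if (extralen > 0 && 0) {` turns the whole chopping branch into dead code, so this is a diagnostic, not a fix: any bytes beyond the ISAKMP length field are now left in the buffer instead of being trimmed, and the TRACE line that reports the chop count can never fire. If skipping the trim is what lets phase 1 proceed, the right change is to find out where the trailing bytes come from (the follow-up in this thread reports that IKEv1 works without this hunk at all) and either accept them deliberately with a comment or reject the message; a `&& 0` should not be committed as is.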

gets a little further on phase 1.

| I looked at the racoon2 project page. The most recent version is
| 8 years old. Oh My!

Yes, ouch.

christos

Jun 19 14:42:03 ave spmd: [INFO]: main.c:171: Racoon Spmd - Security Policy Management Daemon - Started 
Jun 19 14:42:03 ave spmd: [INFO]: main.c:172: Spmd Version: 20100526a 
Jun 19 14:42:03 ave spmd: [INFO]: main.c:451: 'files' found in nsswitch.conf hosts line, we will read hosts file 
Jun 19 14:42:03 ave spmd: [INFO]: main.c:460: 'dns' found in nsswitch.conf hosts line, we will start dns proxy service 
Jun 19 14:42:04 ave iked: [INFO]: main.c:305:main(): starting iked for racoon2 20100526a 
Jun 19 14:42:04 ave iked: [INFO]: main.c:308:main(): OPENSSLDIR: "/etc/openssl" 
Jun 19 14:42:04 ave iked: [INFO]: main.c:319:main(): reading config /usr/pkg/etc/racoon2/racoon2.conf 
Jun 19 14:42:04 ave iked: [INFO]: isakmp.c:546:isakmp_open_address(): 192.168.1.254[4500] used for NAT-T 
Jun 19 14:42:04 ave iked: [INFO]: isakmp.c:546:isakmp_open_address(): 127.0.0.1[4500] used for NAT-T 
Jun 19 14:42:04 ave iked: [INFO]: main.c:433:main(): starting iked for racoon2 20100526a 
Jun 19 14:43:28 ave iked: [INFO]: ikev1.c:997:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.254[500]<=>216.58.194.142[500] 
Jun 19 14:43:28 ave iked: [INFO]: ikev1.c:1002:isakmp_ph1begin_r(): begin Identity Protection mode. 
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:222:check_vendorid(): received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: RFC 3947 
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
Jun 19 14:43:28 ave iked: [INFO]: vendorid.c:226:check_vendorid(): received Vendor ID: FRAGMENTATION 
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:889:ident_r1recv(): Selected NAT-T version: RFC 3947 
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 20. 
Jun 19 14:43:28 ave iked: [PROTO_ERR]: ipsec_doi.c:2074:check_attr_isakmp(): invalid DH group 19. 
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 192.168.1.254[500] with algo #2  
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1099:ident_r2recv(): NAT-D payload #0 doesn't match 
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 216.58.194.142[500] with algo #2  
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1099:ident_r2recv(): NAT-D payload #1 verified 
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1122:ident_r2recv(): NAT detected: ME  
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 216.58.194.142[500] with algo #2  
Jun 19 14:43:28 ave iked: [INFO]: ikev1_natt.c:135:ikev1_natt_hash_addr(): Hashing 192.168.1.254[500] with algo #2  
Jun 19 14:43:28 ave iked: [INFO]: isakmp_ident.c:1662:ident_ir2mx(): Adding remote and local NAT-D payloads. 
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:1930:log_ph1established(): ISAKMP-SA established 192.168.1.254[4500]-216.58.194.142[4500] spi:bfac45b62d3ac730:016d48662ac9b5f9 
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:1199:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.1.254[4500]<=>216.58.194.142[4500] 
Jun 19 14:43:29 ave iked: [INFO]: proposal.c:410:cmpsaprop_alloc(): Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_UPDATE ul_proto=255 src=216.58.194.142[4500] dst=192.168.1.254[4500] satype=ESP samode=transport spi=0x0bfdb708 authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0 
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_ADD ul_proto=255 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP samode=transport spi=0xe733fb2c authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0 
Jun 19 14:43:29 ave iked: [INFO]: pfkey.c:1104:ikev1_update_response(): IPsec-SA established: ESP/Transport 216.58.194.142[4500]->192.168.1.254[4500] spi=201176840(0xbfdb708) 
Jun 19 14:43:29 ave iked: [INFO]: ikev1.c:555:ikev1_initiate(): 0:192.168.1.254[0] - 216.58.194.142[0]:0x0:remote ike_trans_remote passive mode specified for IKEv1, dropping acquire request 
Jun 19 14:43:30 ave pppd[18742]: pppd 2.4.7 started by chuckz, uid 0
Jun 19 14:43:30 ave pppd[18742]: set_up_tty: Changed queue size of 7 from 1024 to 32768
Jun 19 14:43:30 ave pppd[18742]: tty_establish_ppp: Changed queue size of 7 from 1024 to 32768
Jun 19 14:43:30 ave pppd[18742]: Using interface ppp0
Jun 19 14:43:30 ave pppd[18742]: Connect: ppp0 <--> /dev/pts/2
Jun 19 14:43:33 ave pppd[18742]: local  IP address 192.168.0.x
Jun 19 14:43:33 ave pppd[18742]: remote IP address 192.168.0.y
Jun 19 14:47:35 ave pppd[18742]: LCP terminated by peer (^T^?Lt^@<M-Mt^@^@^@^@)
Jun 19 14:47:35 ave pppd[18742]: Connect time 4.1 minutes.
Jun 19 14:47:35 ave pppd[18742]: Sent 740946 bytes, received 371972 bytes.
Jun 19 14:47:36 ave pppd[18742]: Modem hangup
Jun 19 14:47:36 ave pppd[18742]: Connection terminated.
Jun 19 14:47:36 ave pppd[18742]: Connect time 4.1 minutes.
Jun 19 14:47:36 ave pppd[18742]: Sent 740946 bytes, received 371972 bytes.
Jun 19 14:47:36 ave pppd[18742]: Exit.
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:407:sadb_delete(): SADB_DELETE ul_proto=48 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP spi=0xe733fb2c 
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:646:sadb_delete_callback(): received PFKEY_DELETE seq=0 satype=ESP spi=0xe733fb2c 
Jun 19 14:47:36 ave iked: [INFO]: handler.c:1529:purge_remote(): purging ISAKMP-SA spi=bfac45b62d3ac730:016d48662ac9b5f9. 
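The stale inbound SA described in gotcha 4 can be spotted in the iked log itself: the log above records an SADB_UPDATE for spi=0x0bfdb708 (inbound) and an SADB_ADD for spi=0xe733fb2c (outbound), but only one SADB_DELETE. The script below is an example added by the editor, not part of Chuck's post or of racoon2. It replays the SADB_ADD/SADB_UPDATE/SADB_DELETE lines from a log (the embedded sample is constructed from the lines shown on this page), lists every SA that was installed but never deleted, and renders the matching setkey(8) `delete src dst protocol spi;` commands. It assumes the ike_pfkey.c log format shown above and the setkey SAD syntax; nothing here is racoon2's own code.

```python
#!/usr/bin/env python3
"""Reconcile racoon2 iked SADB log lines and emit setkey deletes for stale SAs.

Editor's example, not code from racoon2 or from the original post.
Assumes the "sadb_log_add()/sadb_delete()" line format visible in the
iked log above and the setkey(8) SAD syntax: delete src dst protocol spi ;
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: the SADB lines from the iked log on this page, plus one
# unrelated line to show that non-SADB records are ignored.
SAMPLE_LOG = """\
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_UPDATE ul_proto=255 src=216.58.194.142[4500] dst=192.168.1.254[4500] satype=ESP samode=transport spi=0x0bfdb708 authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:43:29 ave iked: [INFO]: ike_pfkey.c:313:sadb_log_add(): SADB_ADD ul_proto=255 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP samode=transport spi=0xe733fb2c authtype=HMAC-SHA-1 enctype=AES256-CBC lifetime soft time=3600 bytes=0 hard time=3600 bytes=0
Jun 19 14:47:36 ave iked: [INFO]: ike_pfkey.c:407:sadb_delete(): SADB_DELETE ul_proto=48 src=192.168.1.254[4500] dst=216.58.194.142[4500] satype=ESP spi=0xe733fb2c
Jun 19 14:47:36 ave iked: [INFO]: handler.c:1529:purge_remote(): purging ISAKMP-SA spi=bfac45b62d3ac730:016d48662ac9b5f9.
"""

# One regex covers the install (ADD/UPDATE) and delete records: the fields we
# need (src, dst, satype, spi) appear in the same order in all three.
SADB_RE = re.compile(
    r"(?P<op>SADB_UPDATE|SADB_ADD|SADB_DELETE)\s+.*?"
    r"src=(?P<src>[0-9a-fA-F.:]+)\[\d+\]\s+dst=(?P<dst>[0-9a-fA-F.:]+)\[\d+\]"
    r".*?satype=(?P<satype>\w+).*?spi=0x(?P<spi>[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class SA:
    """Identity of one SAD entry, as setkey(8) addresses it."""
    src: str
    dst: str
    proto: str  # "esp" or "ah", lower-cased to match setkey's keywords
    spi: int


def parse_sadb_events(log_text):
    """Yield (op, SA) for every SADB_ADD/UPDATE/DELETE line; skip everything else."""
    for line in log_text.splitlines():
        m = SADB_RE.search(line)
        if m:
            yield m.group("op"), SA(
                m.group("src"), m.group("dst"),
                m.group("satype").lower(), int(m.group("spi"), 16),
            )


def dangling_sas(log_text):
    """Return SAs that were installed but never deleted, in install order.

    A delete only cancels an install with the same (src, dst, proto, spi), so
    racoon2 deleting just the outbound SA leaves the inbound one listed here.
    """
    live = {}  # dict used as an insertion-ordered set
    for op, sa in parse_sadb_events(log_text):
        if op == "SADB_DELETE":
            live.pop(sa, None)
        else:
            live[sa] = True
    return list(live)


def setkey_delete_script(sas):
    """Render a script for `setkey -c` that removes each stale SAD entry."""
    return "".join(
        f"delete {sa.src} {sa.dst} {sa.proto} 0x{sa.spi:08x};\n" for sa in sas
    )


if __name__ == "__main__":
    # Usage: stale_sa.py [logfile] | setkey -c   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(setkey_delete_script(dangling_sas(text)))
```

Run against the sample it prints the single `delete 216.58.194.142 192.168.1.254 esp 0x0bfdb708;` line, which is exactly the inbound ESP SA that was left behind in the session above; piping real log output through `setkey -c` removes such entries. Note that this only touches the SAD: the policy entries spmd installed are not affected, and in the long run the fix belongs in the hook scripts so that both directions are torn down when the phase 1 SA is purged.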


