On Sun, 17 May 2009 12:07:33 +0100
Mick <michaelkintz...@gmail.com> wrote:

> On Sunday 17 May 2009, Mick wrote:
> > Thanks Graham,
> >
> > On Saturday 16 May 2009, Graham Murray wrote:
> > > Here are some samples.
> > >
[8<]
> 
> The more I try to use VPN the more I love SSH!
> 
> http://bugs.gentoo.org/87920

Mick --

This is a *very* old bug. But it still happens. "WTF..."

I see you linked to a related bug here in the ML, but you didn't file/reopen a 
bug. (Is there a reason why?)

Anyway, it would appear that there is no Gentoo dev-loving on these packages, 
so maybe it would be a waste...

For myself, I have zero desire to understand VPN technology, but I guess that's 
not an option if the devs aren't active in making sane choices for, and 
presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide 
this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is 
MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, 
that's my conclusion.)

I have:

net-firewall/ipsec-tools
net-dialup/xl2tpd

net-dialup/ppp <------is this needed?

I don't have * net-misc/openswan ... since that seems to be an alternative to 
ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about 
VPN.)

Is there some other package that should be needed to make this all work? Do I 
need "ppp" at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be 
totally willing to take up space on the ML until both of us have this working. 
Here, I begin:

. . .

/etc/init.d/xl2tpd start
 * Starting xl2tpd ...                                                    [ ok ]

May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not 
available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on 
lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 
1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 
2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance 
(www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701



So far, there are no errors. (The warning about *kernel* L2TP is a warning, so 
I understand, not a failure.)


/etc/init.d/racoon start
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...                                                    [ ok ]

May 19 10:27:11 lappy hald [ loads additional crypt modules ]

Module                  Size  Used by
twofish                 5568  0 
twofish_common         12672  1 twofish
serpent                15936  0 
blowfish                7104  0 
sha256_generic         10240  0 


May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 
(http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 
Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from 
"/etc/racoon/racoon.conf"
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2: 
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked 
because sadb message doesn't support it.

[ And there is only 'deflate' available anyway... ?? ]

May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', 
rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon 
management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used as isakmp port 
(fd=9)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used as isakmp port 
(fd=10)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used for NAT-T
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv() 
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message


May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv() 
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message


May 19 10:27:12 lappy racoon: DEBUG: sub:0xbfa34dc8: pub.lic.vpn.ip/32[0] 
192.168.1.100/32[0] proto=any dir=in
May 19 10:27:12 lappy racoon: DEBUG: db :0x80df108: pub.lic.vpn.ip/32[0] 
192.168.1.100/32[0] proto=any dir=fwd
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv() 
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

... and so on.

I've followed a how-to that sets up the client as a separate tunnel device for 
the network, so I'll have to see if I can't fix the routing... though I think 
it shouldn't matter, and won't anyway if phase 1 fails...

Basically, I don't know WHAT is SUPPOSED to happen. But, pinging a machine 
inside the network, I get plenty of debug info:

May 19 10:35:32 lappy racoon: DEBUG: pk_recv: retry[0] recv() 
May 19 10:35:32 lappy racoon: DEBUG: get pfkey ACQUIRE message
May 19 10:35:32 lappy racoon: DEBUG2: 


May 19 10:35:32 lappy racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24

May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for 
pub.add.vpn.ip.

May 19 10:35:32 lappy racoon: DEBUG: getsainfo params: loc='192.168.1.0/24', 
rmt='192.168.243.0/24', peer='NULL', id=0
May 19 10:35:32 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:35:32 lappy racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', 
rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: selected sainfo: loc='ANONYMOUS', 
rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 
spi_p=00000000 encmode=Tunnel reqid=0:0)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=3DES encklen=0 
authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=3DES encklen=0 
authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=AES encklen=128 
authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG:   (trns_id=AES encklen=128 
authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: in post_acquire
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for 
pub.ip.dev.vpn.

Now some errors:

May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued 
due to no phase1 found.

... which makes sense, I guess. It appears it doesn't try to negotiate phase 1 
until traffic is routed to that destination.

And I can't find a single explanatory reference for this:

May 19 10:35:32 lappy racoon: ERROR: unknown AF: 0

May 19 10:35:32 lappy racoon: DEBUG: ===
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 
192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: INFO: begin Identity Protection mode.
May 19 10:35:32 lappy racoon: DEBUG: new cookie:
May 19 10:35:32 lappy 52dcd374fabdaf4d 
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 48, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 0
May 19 10:35:32 lappy racoon: DEBUG: 180 bytes from 192.168.1.100[500] to 
pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: 1 times of 180 bytes message will be sent 
to pub.ip.dev.vpn[500]


May 19 10:35:32 lappy racoon: DEBUG: resend phase1 packet 
52dcd374fabdaf4d:0000000000000000
May 19 10:35:32 lappy racoon: phase1(ident I msg1): 0.001421
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: DEBUG: 100 bytes message received from 
pub.ip.dev.vpn[500] to 192.168.1.100[500]


May 19 10:35:33 lappy ec427b1f
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=1(sa)
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=13(vid)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: INFO: received Vendor ID: 
draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: INFO: Selected NAT-T version: 
draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: DEBUG: total SA len=48
May 19 10:35:33 lappy racoon: DEBUG: 
May 19 10:35:33 lappy 00000001 00000001 00000028 01010001 00000020 01010000 
800b0001 800c0e10
May 19 10:35:33 lappy 80010005 80030001 80020002 80040002
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=2(prop)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: proposal #1 len=40
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=3(trns)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: transform #1 len=32
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, 
lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: encryption(3des)
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, 
lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, 
lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: pair 1:
May 19 10:35:33 lappy racoon: DEBUG:  0x80e13f0: next=(nil) tnext=(nil)
May 19 10:35:33 lappy racoon: DEBUG: proposal #1: 1 transform
May 19 10:35:33 lappy racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, 
#trns=1
May 19 10:35:33 lappy racoon: DEBUG: trns#=1, trns-id=IKE
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, 
lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, 
lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, 
lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: Compared: DB:Peer
May 19 10:35:33 lappy racoon: DEBUG: (lifetime = 3600:3600)
May 19 10:35:33 lappy racoon: DEBUG: (lifebyte = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: (encklen = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit 
MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
... so is this good? Sounds good..??

May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: agreed on pre-shared key auth.
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: oakley_dh_generate(MODP1024): 0.027674
May 19 10:35:33 lappy racoon: DEBUG: compute DH's private.


May 19 10:35:33 lappy racoon: DEBUG: compute DH's public.
May 19 10:35:33 lappy racoon: DEBUG: 


May 19 10:35:33 lappy racoon: INFO: Hashing pub.ip.dev.vpn[500] with algo #2 
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Hashing 192.168.1.100[500] with algo #2 
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Adding remote and local NAT-D payloads.
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 128, next type 10
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 16, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 0
May 19 10:35:33 lappy racoon: DEBUG: 228 bytes from 192.168.1.100[500] to 
pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: 1 times of 228 bytes message will be sent 
to pub.ip.dev.vpn[500]

May 19 11:16:35 lappy racoon: DEBUG: receive Information.
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted

And the only *other* error.

May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: extract_port.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler 
found

Anyway, it fails. I guess I need to check the ph1 handler is established, but 
where, how?

My next step is to get on the phone with the folks who have access to the 
"checkpoint" VPN device to see if they can tell me what fails. 

But, before I go chatting them up, I really would like some confirmation from 
someone familiar with the DISTRO that I've got all the BINARIES in place I 
could possibly need to accomplish this, and nothing conflicting.

Cheers,

-- 
 |\  /|        |   |          ~ ~  
 | \/ |        |---|          `|` ?
 |    |ichael  |   |iggins    \^ /
 michael.higgins[at]evolone[dot]org
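The twelve hex words racoon dumps after "total SA len=48" are the peer's phase 1 proposal in raw ISAKMP form; the DEBUG lines that follow them ("proposal #1 len=40", "transform #1 len=32", "type=Encryption Algorithm ... lorv=3DES-CBC") are racoon decoding that buffer. The Python below is an added example, not code from the mail above or from ipsec-tools: it parses that dump into DOI, Situation, Proposal, Transform and attribute fields using the layouts in RFC 2408 and RFC 2409 Appendix A, then performs the same attribute-by-attribute match that racoon logs as "Compared: DB:Peer" before "an acceptable proposal found". The local policy dict mirrors the racoon.conf values racoon printed at startup (lifetime 3600, 3DES-CBC, SHA, 1024-bit MODP, pre-shared key); the function names, dict layout and the `LOCAL_PH1` constant are this example's own. Note that a matching proposal only means message 2 of the Identity Protection exchange was accepted: in the log, message 3 (KE, nonce, NAT-D payloads) is sent and no further phase 1 message arrives before the "no established ph1 handler found" check, so the proposal match alone does not indicate success.

```python
"""Decode the ISAKMP (IKEv1) SA payload body that racoon prints at DEBUG level.

Added example; not from the original mail or from ipsec-tools.  Field layouts
follow RFC 2408 (ISAKMP) and RFC 2409 Appendix A (IKE attribute classes).
"""
import struct

# Constructed input: the 12 words racoon logged after "total SA len=48",
# joined into one string.  racoon dumps the SA payload *body* (DOI and
# Situation onward); the 4-byte generic payload header is not included.
RACOON_SA_DUMP = (
    "00000001 00000001 00000028 01010001 00000020 01010000 "
    "800b0001 800c0e10 80010005 80030001 80020002 80040002"
)

# Attribute classes from RFC 2409 Appendix A, named the way racoon prints them.
ATTR_CLASS = {1: "Encryption Algorithm", 2: "Hash Algorithm",
              3: "Authentication Method", 4: "Group Description",
              11: "Life Type", 12: "Life Duration", 14: "Key Length"}

# Value names for the classes whose values are enumerations (subset).
ATTR_VALUE = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA", 4: "SHA2-256"},
    3: {1: "pre-shared key", 3: "RSA signatures"},
    4: {1: "768-bit MODP group", 2: "1024-bit MODP group",
        5: "1536-bit MODP group", 14: "2048-bit MODP group"},
    11: {1: "seconds", 2: "kilobytes"},
}


def parse_attributes(data):
    """Decode Type/Value (AF bit set) or Type/Length/Value (AF clear) attributes."""
    attrs, off = {}, 0
    while off < len(data):
        (af_type,) = struct.unpack_from("!H", data, off)
        off += 2
        cls = af_type & 0x7FFF
        if af_type & 0x8000:                    # TV form: 2-byte value
            (value,) = struct.unpack_from("!H", data, off)
            off += 2
        else:                                   # TLV form: 2-byte length, then value
            (length,) = struct.unpack_from("!H", data, off)
            off += 2
            value = int.from_bytes(data[off:off + length], "big")
            off += length
        name = ATTR_CLASS.get(cls, "attr#%d" % cls)
        attrs[name] = ATTR_VALUE.get(cls, {}).get(value, value)
    return attrs


def parse_sa_body(hexdump):
    """Walk DOI, Situation, then the chain of Proposal and Transform payloads."""
    body = bytes.fromhex(hexdump.replace(" ", ""))
    doi, situation = struct.unpack_from("!II", body, 0)
    proposals, off = [], 8
    while off < len(body):
        # Proposal: next, reserved, length, proposal#, protocol-id, SPI size, #transforms
        _nxt, _rsv, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        prop_end = off + plen
        off += 8 + spi_size                     # SPI is empty (spi_size=0) for ISAKMP
        transforms = []
        while off < prop_end:
            # Transform: next, reserved, length, transform#, transform-id, reserved2
            _tn, _tr, tlen, tnum, tid, _r2 = struct.unpack_from("!BBHBBH", body, off)
            transforms.append({"num": tnum, "id": tid,
                               "attrs": parse_attributes(body[off + 8:off + tlen])})
            off += tlen
        assert len(transforms) == ntrans, "transform count mismatch"
        proposals.append({"num": pnum, "proto": proto, "transforms": transforms})
    return {"doi": doi, "situation": situation, "proposals": proposals}


# Local phase 1 policy, constructed to mirror what racoon read from racoon.conf
# in the mail (lifetime 3600 s, 3DES-CBC, SHA, modp1024, pre-shared key).
LOCAL_PH1 = {"Life Type": "seconds", "Life Duration": 3600,
             "Encryption Algorithm": "3DES-CBC", "Hash Algorithm": "SHA",
             "Authentication Method": "pre-shared key",
             "Group Description": "1024-bit MODP group"}


def find_acceptable(local, sa):
    """Mimic racoon's 'Compared: DB:Peer': first peer transform matching every local attribute."""
    for prop in sa["proposals"]:
        for trns in prop["transforms"]:
            if all(trns["attrs"].get(k) == v for k, v in local.items()):
                return prop["num"], trns["num"]
    return None


if __name__ == "__main__":
    sa = parse_sa_body(RACOON_SA_DUMP)
    for prop in sa["proposals"]:
        print("proposal #%d prot-id=%d" % (prop["num"], prop["proto"]))
        for trns in prop["transforms"]:
            for k, v in trns["attrs"].items():
                print("  %s = %s" % (k, v))
    print("acceptable:", find_acceptable(LOCAL_PH1, sa))
```

Run as-is to see the same six attributes racoon listed for "transform #1"; swap one value in `LOCAL_PH1` (for example "AES-CBC" for the encryption algorithm) and `find_acceptable` returns `None`, which is the situation racoon reports as no proposal chosen. The cipher suite decoded here (3DES-CBC, SHA-1, 1024-bit MODP, PSK) is what this 2009 peer offered, not a recommendation.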
