Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, May 19, 2009 at 3:29 PM, Michael Higgins li...@evolone.org wrote:
> Thanks, Paul. I've already the solution, as I'm not so much trying to get something accomplished (access machines inside which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate real-world implementations specifically outlined for the Gentoo community -- that I can find. :(

Well I am by no means an expert but I think the big problem in finding answers is that a VPN has no specific definition... it's a general term used for dozens of different and mostly incompatible technologies. See here for someone's list (from 2006) of different types of VPN servers: http://lists.virus.org/vpn-0604/msg5.html

I've been happily connecting to a Cisco ipsec VPN for years in linux using either the proprietary cisco-vpnclient-3des or the open-source vpnc and it works just fine. In fact it works better than on Windows, because there is no 64-bit Cisco VPN client on Windows!

I've also connected Windows XP and Linux using a PPTP (known to be insecure) VPN without problems (using poptop? or something. it was a long time ago).

If your VPN uses Checkpoint SecuRemote then that's a very specific implementation you need to focus on. Wikipedia's page on Checkpoint VPN has some info that may be useful: http://en.wikipedia.org/wiki/Check_Point_VPN-1

The wiki page mentions Nokia using Checkpoint in their own branded VPN solution. On Nokia's mobile VPN client page, there are some PDFs that contain set-up info for Checkpoint VPNs which may give you some clues as to what settings you need to use in your linux implementation: http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php

I did some more googling and found what appears to be the actual Checkpoint client for Linux. YMMV, use at your own risk, etc :) http://students.ee.sun.ac.za/~15312704/linux/sc_linux_1-53328_36.tgz

I don't know if it'll even work on a modern Gentoo... it seems to be geared toward Redhat 7, which isn't exactly a new release. But maybe redhat in a vmware is better than Windows in a vmware. :)

Good luck!
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Sun, 17 May 2009 12:07:33 +0100 Mick michaelkintz...@gmail.com wrote:
> On Sunday 17 May 2009, Mick wrote:
>> Thanks Graham,
>> On Saturday 16 May 2009, Graham Murray wrote:
>>> Here are some samples.
>> [8]
>> The more I try to use VPN the more I love SSH!
> http://bugs.gentoo.org/87920
> Mick --

This is a *very* old bug. But it still happens. WTF...

I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?) Anyway, it would appear like there is no Gentoo dev-loving on these packages, so maybe it would be a waste...

For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, that's my conclusion.)

I have:
net-firewall/ipsec-tools
net-dialup/xl2tpd
net-dialup/ppp --is this needed?

I don't have
* net-misc/openswan
... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)

Is there some other package that should be needed to make this all work? Do I need ppp at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working.

Here, I begin:
. . .

/etc/init.d/xl2tpd start
 * Starting xl2tpd ...                                                   [ ok ]
May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701

So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)

/etc/init.d/racoon start
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...                                                   [ ok ]
May 19 10:27:11 lappy hald [ loads additional crypt modules ]
Module                  Size  Used by
twofish                 5568  0
twofish_common         12672  1 twofish
serpent                15936  0
blowfish                7104  0
sha256_generic         10240  0
May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
[ And there is only 'deflate' available anyway... ?? ]
May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, May 19, 2009 at 1:22 PM, Michael Higgins li...@evolone.org wrote:
> My next step is to get on the phone with the folks who have access to the checkpoint VPN device to see if they can tell me what fails.

Based on a brief googling I didn't see anyone who has a working connection to a Checkpoint VPN. They (used to?) have a linux version of their Checkpoint Securemote client but that seems to be gone from their site now with only Windows and Mac OS X versions showing. The accepted solution seemed to be to use SSH to tunnel your traffic through a Windows machine (either real or virtual) which is connected to the VPN.
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, 19 May 2009 13:57:21 -0500 Paul Hartman paul.hartman+gen...@gmail.com wrote:
> Based on a brief googling I didn't see anyone who has a working connection to a Checkpoint VPN.

Thanks, Paul. I've already the solution, as I'm not so much trying to get something accomplished (access machines inside which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate real-world implementations specifically outlined for the Gentoo community -- that I can find. :(

Just a definitive answer to which Gentoo packages and USE flags do I need to emerge to do this? .. would be a HUGE help (as weeks later I *still* don't know for sure). And if 60%+ of the folks following it got lucky with cut-n-paste from a how-to, then... great!

Say if all the related items were configured, tested and ultimately failed, if documented publicly it'd at the least serve as a good template for anyone else trying to troubleshoot a VPN connection when using Gentoo on a client machine.

Or, should I instead, just go outside and play? I thought someone else here had hoped to make something like this work... ;-)

Anyway, thanks again for taking a look.

Cheers,
-- 
|\ /|| | ~ ~ | \/ ||---| `|` ? ||ichael | |iggins\^ / michael.higgins[at]evolone[dot]org
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tuesday 19 May 2009, Michael Higgins wrote:
> On Tue, 19 May 2009 13:57:21 -0500 Paul Hartman paul.hartman+gen...@gmail.com wrote:
>> Based on a brief googling I didn't see anyone who has a working connection to a Checkpoint VPN.
> Thanks, Paul. I've already the solution, as I'm not so much trying to get something accomplished (access machines inside which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate real-world implementations specifically outlined for the Gentoo community -- that I can find. :(
> Just a definitive answer to which Gentoo packages and USE flags do I need to emerge to do this? .. would be a HUGE help (as weeks later I *still* don't know for sure). And if 60%+ of the folks following it got lucky with cut-n-paste from a how-to, then... great!
> Say if all the related items were configured, tested and ultimately failed, if documented publicly it'd at the least serve as a good template for anyone else trying to troubleshoot a VPN connection when using Gentoo on a client machine.
> Or, should I instead, just go outside and play? I thought someone else here had hoped to make something like this work... ;-)

I very much share your frustration. On and off (OK, mostly off) I have been trying to get a VPN connection to my router going, and have tried vpnc, kvpnc and racoon all of which failed. Meanwhile, a friend tried the shrew VPN client and succeeded after a couple of hours of tweaking his Vista box! Arrrgh!

I assume that I have all the right components installed (judging from the wiki pages) but I am not sure about my configuration. Unlike your set up which seems to be almost there, mine won't even complete stage 1 handshake. Very, very, very frustrating ...

Sorry that I can't be of much help with this. :(
-- 
Regards,
Mick
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, 19 May 2009 22:08:10 +0100 Mick michaelkintz...@gmail.com wrote:
> On Tuesday 19 May 2009, Michael Higgins wrote:
>> On Tue, 19 May 2009 13:57:21 -0500 Paul Hartman paul.hartman+gen...@gmail.com wrote:
>>> Based on a brief googling I didn't see anyone who has a working connection to a Checkpoint VPN.
>> Thanks, Paul. I've already the solution, as I'm not so much trying to get something accomplished (access machines inside which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate real-world implementations specifically outlined for the Gentoo community -- that I can find. :(
>> [...]
>> Or, should I instead, just go outside and play? I thought someone else here had hoped to make something like this work... ;-)
> I very much share your frustration. On and off (OK, mostly off) I have been trying to get a VPN connection to my router going, and have tried vpnc, kvpnc and racoon all of which failed. Meanwhile, a friend tried the shrew VPN client and succeeded after a couple of hours of tweaking his Vista box! Arrrgh!

Yeah, I have no problem getting it working, with XP on VMWare. Naturally, I haven't given up. Seems like it's nearly there... also, there are some examples and docs installed.

> I assume that I have all the right components installed (judging from the wiki pages)

Wiki pages? Hmm. Which ones?

> but I am not sure about my configuration. Unlike your set up which seems to be almost there, mine won't even complete stage 1 handshake. Very, very, very frustrating ...

Well, racoon now claims it has started the connexion. It could have been as trivial as a trailing ' ' on my pre-shared secret. Or not... Either way, it's still not working... just a bit closer.

racoonctl vc pub.vpn.ip.add
VPN connexion established

And still nothing useful happens.

ping -c 1 192.168.243.140
PING 192.168.243.140 (192.168.243.140) 56(84) bytes of data.

--- 192.168.243.140 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

And tons of debug info. Well, it's more than I had, but less than useful.

> Sorry that I can't be of much help with this. :(

No worries. It seems like this really *should* be possible, though. I'll try to post my findings if I get it working.

DEBUG: pfkey UPDATE succeeded: ESP/Tunnel pub.vpn.ip.add[0]-192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 198.145.243.130[0]-192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: phase2(quick): 0.337284
May 19 16:00:21 lappy racoon: DEBUG: ===
May 19 16:00:21 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 16:00:21 lappy racoon: DEBUG: get pfkey ADD message
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.100[4500]-pub.vpn.ip.add[4500] spi=1021286747(0x3cdf995b)

Not much showing for the failure to communicate, though. :(

Cheers,
-- 
|\ /|| | ~ ~ | \/ ||---| `|` ? ||ichael | |iggins\^ / michael.higgins[at]evolone[dot]org
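The racoon lines Michael pasted above say a phase 2 SA came up, yet the ping still fails, and the log does not say why. As an added example, not from the thread, the following Python checker parses racoon's "IPsec-SA established" lines and reports the points a practitioner would look at on an L2TP/IPsec client: the SA mode (the Windows-style L2TP/IPsec this thread is about carries UDP/1701 over ESP in transport mode, RFC 3193, whereas the posted log shows ESP/Tunnel), whether each direction has its counterpart, and whether both directions agree on NAT-T UDP/4500 encapsulation (the posted log shows one SA on port 0 and one on port 4500). The sample log is constructed in the same format as the posted lines; the gateway address 203.0.113.1 and the SPIs are made up.

```python
import re
from dataclasses import dataclass

# Constructed in the format of the racoon lines quoted above. The gateway
# address 203.0.113.1 and the SPIs are made up for this example.
SAMPLE_LOG = """\
May 19 16:00:21 lappy racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 203.0.113.1[0]-192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[0]-192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: phase2(quick): 0.337284
May 19 16:00:21 lappy racoon: DEBUG: get pfkey ADD message
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.100[4500]-203.0.113.1[4500] spi=1021286747(0x3cdf995b)
"""

# racoon format: "IPsec-SA established: ESP/Tunnel SRC[PORT]-DST[PORT] spi=DEC(0xHEX)"
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Tunnel|Transport) "
    r"(?P<src>[^\[\s]+)\[(?P<sport>\d+)\]-(?P<dst>[^\[\s]+)\[(?P<dport>\d+)\] "
    r"spi=(?P<spi>\d+)\(0x[0-9a-f]+\)"
)


@dataclass(frozen=True)
class SecurityAssociation:
    proto: str
    mode: str
    src: str
    sport: int
    dst: str
    dport: int
    spi: int


def parse_established_sas(log_text):
    """Extract every phase 2 SA that racoon reports as established."""
    sas = []
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if m:
            sas.append(SecurityAssociation(
                m["proto"], m["mode"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), int(m["spi"])))
    return sas


def review_sas(sas, expect_mode="Transport"):
    """Flag what a client-side L2TP/IPsec troubleshooter would look at first."""
    if not sas:
        return ["no IPsec-SA established: phase 2 never completed"]
    findings = []
    # 1. Mode: L2TP/IPsec protects the UDP/1701 L2TP packets with ESP in transport mode.
    for sa in sas:
        if sa.mode != expect_mode:
            findings.append(f"spi 0x{sa.spi:x}: {sa.proto}/{sa.mode}, expected {expect_mode} "
                            "(L2TP/IPsec carries UDP/1701 over ESP transport mode)")
    # 2. Pairing: an SA is unidirectional, so each one needs its reverse counterpart.
    endpoints = {(sa.src, sa.dst) for sa in sas}
    for sa in sas:
        if (sa.dst, sa.src) not in endpoints:
            findings.append(f"spi 0x{sa.spi:x}: no SA in the reverse direction {sa.dst} -> {sa.src}")
    # 3. NAT-T: both directions should use the same UDP encapsulation ports.
    ports = {(sa.sport, sa.dport) for sa in sas}
    if len(ports) > 1:
        findings.append(f"directions disagree on UDP encapsulation ports {sorted(ports)}; "
                        "check NAT-T on both ends")
    return findings


if __name__ == "__main__":
    sas = parse_established_sas(SAMPLE_LOG)
    for sa in sas:
        print(f"{sa.proto}/{sa.mode} {sa.src}[{sa.sport}] -> {sa.dst}[{sa.dport}] spi=0x{sa.spi:x}")
    for finding in review_sas(sas):
        print("check:", finding)
```

Run it over a real racoon log (racoon -d output or the syslog lines) instead of SAMPLE_LOG; with `expect_mode="Tunnel"` it serves a plain IPsec tunnel setup like Mick's router case, where only the pairing and NAT-T checks apply.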
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Sunday 17 May 2009, Mick wrote:
> Thanks Graham,
> On Saturday 16 May 2009, Graham Murray wrote:
>> Here are some samples.
>> /etc/racoon/racoon.conf
>> /etc/racoon/psk.txt
>> /etc/ipsec.conf
> Do I need a /etc/setkey.conf file? How do I create it?
> When I run '/etc/init.d/racoon start' this is what I get:
> ===
> # /etc/init.d/racoon --verbose restart
>  * Loading ipsec policies from /etc/ipsec.conf.
>  * Starting racoon ...
> /usr/sbin/racoon: invalid option -- '4'
> usage: racoon [-BdFv] [-a (port)] [-f (file)] [-l (file)] [-p (port)]
>    -B: install SA to the kernel from the file specified by the configuration file.
>    -d: debug level, more -d will generate more debug message.
>    -C: dump parsed config file.
>    -L: include location in debug messages
>    -F: run in foreground, do not become daemon.
>    -v: be more verbose
>    -a: port number for admin port.
>    -f: pathname for configuration file.
>    -l: pathname for log file.
>    -p: port number for isakmp (default: 500).
>    -P: port number for NAT-T (default: 4500).
>                                                                          [ !! ]
> ===
> I am not sure I do this right. The remote router's LAN is 10.10.10.0/24. This is the same as my local LAN's subnet. My local LAN ip is 10.10.10.5. The remote router is giving (or is it expecting?) addresses for clients in the 172.16.1.0/24 subnet. How should I configure the /etc/ipsec.conf file?

The more I try to use VPN the more I love SSH!

http://bugs.gentoo.org/87920
-- 
Regards,
Mick
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Monday 11 May 2009, Michael Higgins wrote:
> On Tue, 05 May 2009 17:49:06 +0100 Graham Murray gra...@gmurray.org.uk wrote:
>> Michael Higgins li...@evolone.org writes:
>>> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?
>> I do not know about a Gentoo document,
> I've been working on this for *way* too long, with no apparent success. I have racoon and l2tpt running, but no network addresses in the VPN.
> Does anyone understand the actual procedure(s) for making a VPN like, l2tp, IPSEC pre-shared secret connection, and wish to elaborate just a bit on the issues (config files, possible values) involved?
> I mean, the ebuild for ipsec-tools doesn't even put in half the config files... as if any of this could work at all without them?
> Any help appreciated. :(

Any progress with this guys? I am also trying to get something running between a router and my laptop (using kvpnc) but I am failing with this error:
=
info: Gateway hostname (my.remote_router.com) resolved to XX.XXX.XXX.XX.
error: [racoon helper err] /home/michael/.kde3.5/share/apps/kvpnc//setkey.ROUTER.sh: line 6: -f: command not found
error: [racoon err] racoon: must be root to invoke this program.
=
I am not sure that I want to run kvpnc as root - after all it is a GUI application ...

Worth noting that unlike the OP my remote router is not running MS l2tp, but IPSec with PSK.
-- 
Regards,
Mick
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
Mick michaelkintz...@gmail.com writes:
> Any progress with this guys? I am also trying to get something running between a router and my laptop (using kvpnc) but I am failing with this error:

Here are some samples.

/etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
	exchange_mode main;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		lifetime time 24 hour;
		dh_group 2;
		authentication_method pre_shared_key;
	}
}

sainfo anonymous {
	encryption_algorithm aes, 3des;
	authentication_algorithm hmac_sha256, hmac_sha1;
	compression_algorithm deflate;
}

/etc/racoon/psk.txt

10.0.1.2	This is the shared secret

/etc/ipsec.conf

flush;
spdflush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.1/32 any -P in ipsec esp/transport//require;
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
Thanks Graham,

On Saturday 16 May 2009, Graham Murray wrote:
> Here are some samples.
> /etc/racoon/racoon.conf
> /etc/racoon/psk.txt
> /etc/ipsec.conf

Do I need a /etc/setkey.conf file? How do I create it?

When I run '/etc/init.d/racoon start' this is what I get:
===
# /etc/init.d/racoon --verbose restart
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...
/usr/sbin/racoon: invalid option -- '4'
usage: racoon [-BdFv] [-a (port)] [-f (file)] [-l (file)] [-p (port)]
   -B: install SA to the kernel from the file specified by the configuration file.
   -d: debug level, more -d will generate more debug message.
   -C: dump parsed config file.
   -L: include location in debug messages
   -F: run in foreground, do not become daemon.
   -v: be more verbose
   -a: port number for admin port.
   -f: pathname for configuration file.
   -l: pathname for log file.
   -p: port number for isakmp (default: 500).
   -P: port number for NAT-T (default: 4500).
                                                                         [ !! ]
===
I am not sure I do this right. The remote router's LAN is 10.10.10.0/24. This is the same as my local LAN's subnet. My local LAN ip is 10.10.10.5. The remote router is giving (or is it expecting?) addresses for clients in the 172.16.1.0/24 subnet. How should I configure the /etc/ipsec.conf file?
-- 
Regards,
Mick
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, 05 May 2009 17:49:06 +0100 Graham Murray gra...@gmurray.org.uk wrote:
> Michael Higgins li...@evolone.org writes:
>> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?
> I do not know about a Gentoo document,

I've been working on this for *way* too long, with no apparent success. I have racoon and l2tpt running, but no network addresses in the VPN.

Does anyone understand the actual procedure(s) for making a VPN like, l2tp, IPSEC pre-shared secret connection, and wish to elaborate just a bit on the issues (config files, possible values) involved?

I mean, the ebuild for ipsec-tools doesn't even put in half the config files... as if any of this could work at all without them?

Any help appreciated. :(

Cheers,
-- 
|\ /|| | ~ ~ | \/ ||---| `|` ? ||ichael | |iggins\^ / michael.higgins[at]evolone[dot]org
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
On Tue, May 5, 2009 at 11:00 AM, Michael Higgins li...@evolone.org wrote:
> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?

Haven't tried it (i use vpnc to connect to a Cisco VPN) but this page may give you some clues: http://www.jacco2.dds.nl/networking/linux-l2tp.html
Re: [gentoo-user] How to IPSEC M$oft VPN client setup
Michael Higgins li...@evolone.org writes:
> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour with IPSEC?

I do not know about a Gentoo document, but I have connected a Gentoo system and Windows PC using racoon on the Gentoo system in exactly the same way as I use to connect Gentoo systems. I define a shared secret in /etc/racoon/psk.txt and in /etc/ipsec.conf have entries of the form

spdadd gentoo_ip/32 windows_ip/32 any -P out ipsec esp/transport//require;
spdadd windows_ip/32 gentoo_ip/32 any -P in ipsec esp/transport//require;

As I am not at work, where the Windows system is, I cannot remember exactly how I configured that.
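The two files Graham describes here and in his "Here are some samples" post (psk.txt and the spdadd policies in /etc/ipsec.conf) are short but easy to get subtly wrong: a trailing blank on the psk.txt line becomes part of the secret (the very thing Michael suspected later in the thread), racoon refuses a psk.txt that group or others can read, a policy with level "use" instead of "require" falls back to cleartext when no SA exists, and an "out" policy without its mirror-image "in" policy leaves one direction unprotected. As an added example, not part of the thread or of ipsec-tools, this Python script lints both files for those points; the file contents are constructed in the format Graham posted, and the secret and addresses are made up.

```python
import os
import re
import stat
import tempfile

# Constructed in the format of the files posted in this thread; the secret
# and the addresses are made up for this example.
PSK_TXT_OK = "10.0.1.2\tThis is the shared secret\n"
PSK_TXT_BAD = (
    "10.0.1.2\tThis is the shared secret \n"  # trailing blank becomes part of the key
    "10.0.1.2\tanother secret\n"              # same identifier twice
    "10.0.1.3\n"                              # identifier without a key
)
IPSEC_CONF_OK = """\
flush;
spdflush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.1/32 any -P in ipsec esp/transport//require;
"""
IPSEC_CONF_BAD = """\
flush;
spdflush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec esp/transport//use;
"""


def lint_psk(text):
    """Check racoon psk.txt content: each non-comment line is
    '<identifier><whitespace><key>', the key running to end of line."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split(None, 1)  # keeps the key's trailing whitespace, as racoon does
        if len(parts) < 2:
            findings.append(f"line {lineno}: identifier {parts[0]} has no key")
            continue
        ident, key = parts
        if key != key.rstrip():
            findings.append(f"line {lineno}: key for {ident} ends in whitespace, "
                            "which racoon reads as part of the secret")
        if ident in seen:
            findings.append(f"line {lineno}: identifier {ident} listed more than once")
        seen.add(ident)
    return findings


def check_psk_mode(path):
    """racoon refuses a psk.txt with any group/other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} is accessible to group/others; use 0600"]
    return []


def write_psk(text, mode):
    """Demo helper: write psk.txt content to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)
    return path


# setkey policy: spdadd SRC DST UPPERSPEC -P DIR ipsec PROTO/MODE/ENDPOINTS/LEVEL;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ul>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>esp|ah)/(?P<mode>transport|tunnel)/(?P<ends>[^/]*)/(?P<level>\w+)\s*;"
)


def _is_host(addr):
    return "/" not in addr or addr.endswith(("/32", "/128"))


def check_spd(text):
    """Lint the spdadd entries of a setkey (/etc/ipsec.conf) policy file."""
    findings, policies = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: could not parse spdadd entry")
            continue
        p = m.groupdict()
        policies.append(p)
        if p["level"] == "use":
            findings.append(f"line {lineno}: level 'use' sends cleartext when no SA exists; use 'require'")
        if p["mode"] == "transport" and not (_is_host(p["src"]) and _is_host(p["dst"])):
            findings.append(f"line {lineno}: transport mode only protects host-to-host traffic, "
                            "but the selector is a subnet")
    # every policy needs its mirror image (src/dst swapped, direction flipped)
    have = {(p["src"], p["dst"], p["dir"]) for p in policies}
    for p in policies:
        mirror_dir = "in" if p["dir"] == "out" else "out"
        if (p["dst"], p["src"], mirror_dir) not in have:
            findings.append(f"{p['dir']} policy {p['src']} -> {p['dst']} has no matching {mirror_dir} policy")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", PSK_TXT_OK), ("bad", PSK_TXT_BAD)):
        print(f"psk.txt ({name}):", lint_psk(text) or "clean")
    print("psk.txt mode 0644:", check_psk_mode(write_psk(PSK_TXT_OK, 0o644)))
    for name, text in (("ok", IPSEC_CONF_OK), ("bad", IPSEC_CONF_BAD)):
        print(f"ipsec.conf ({name}):", check_spd(text) or "clean")
```

On a real box, point lint_psk at the contents of /etc/racoon/psk.txt, check_psk_mode at its path, and check_spd at the file the racoon init script loads with setkey (/etc/ipsec.conf in the posts above) before restarting racoon.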