Hi All,

I have been trying for some time now to set up a road warrior VPN client so 
that I can connect to my home router and administer machines on the LAN.

However, my understanding of IPSec is poor and consequently my configuration of 
racoon is not working.  There are other apps out there like strongswan, but I 
would really like to learn to do it using the vanilla racoon and kernel set up 
first rather than apply another layer of software to it.

Could some kind soul give me a nudge in troubleshooting this?


On the home router I have:

public IP:  123.456.78.9
LAN:  10.10.10.0/24
router LAN IP:  10.10.10.1
respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2

crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel


On the laptop, I have this in the racoon.conf:
===========================
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
        # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
#       script "/etc/racoon/phase1_up_down.sh" phase1_up;
#       script "/etc/racoon/phase1_up_down.sh" phase1_down;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
===========================


I connect to the Internet using my mobile and I get this from the ISP:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG        0 0          0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0

Where 193.30.166.3 is the ISP's gateway.  The ppp0 ip address is 
10.149.124.40:

# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)


Now the problem is that upon starting racoon I do not see a tunnel being 
formed and indeed I cannot connect to machines in the LAN.  This from the log:

==========================================
Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 20 13:40:59 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port (fd=9)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port (fd=10)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
==========================================

Why is it not showing the public router address 123.456.78.9 or the router LAN 
address and shows the loopback instead?

I tried including this up/down script but it made no odds:
==================================
#!/bin/bash

#
# manipulate IPSec SA database on behalf of the racoon daemon
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007
#

#FIXME: read this from, e.g., /etc/sysconfig/racoon
NAT_T="yes"


shopt -s nocasematch
umask 0022

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# set up NAT-T
case "${NAT_T}" in
  yes|true|on|enable*|1)
    LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
    REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
    ;;
  *)
    LOCAL="${LOCAL_ADDR}"
    REMOTE="${REMOTE_ADDR}"
    ;;
esac

# determine interface and next-hop for our default route
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}


# bring up phase1
phase1_up() {
  # check if VPN address already set up on default interface (dupe script call)
  ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
    echo "p1_up_down: phase1_up has already run !!!"
    exit 4
  }

  # save current resolv.conf and create new one based on info from VPN server
  [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
  {
    echo "# Generated by racoon on $(date)"
    echo "search ${DEFAULT_DOMAIN}"
    for NS in ${INTERNAL_DNS4_LIST}; do
      echo "nameserver ${NS}"
    done
  } > /etc/resolv.conf

  # add VPN address to default interface
  ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
  # set up host route to VPN server
  ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: keep existing default, insert specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
    done
  else
    # full tunnel: set up any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
    done
    # ... then replace default route with vpn tunnel
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
  fi

  # update SA database
  setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
       esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
       esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
}

# bring down phase1
phase1_down() {
  # restore previous resolv.conf
  [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: remove specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route del ${N}
    done
  else
    # full tunnel: remove any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route del ${N}
    done
    # ... then restore original default route
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF}
  fi

  # remove host route to VPN server
  ip route del ${REMOTE_ADDR}
  # remove VPN address from default interface
  ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32

  # clean up SA database
  setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
          esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
          esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp; 
# deleteall still broken on Linux, using 'flush esp' as workaround:
flush esp;
EOT
}


# print out parameters we received
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"

# check for valid VPN address
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid INTERNAL_ADDR4."
  exit 1
}

# check for valid default nexthop
echo ${DFLT_GW} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid DFLT_GW."
  exit 2
}

# main "program"
case "$1" in
  phase1_up)
    phase1_up
    ;;
  phase1_down)
    phase1_down
    ;;
  *)
    echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
    exit 3
    ;;
esac

echo "p1_up_down: $1 completed successfully."
exit 0
==================================

I've experimented with NAT on/off, etc., in racoon.conf but no joy.

Where should I start?
-- 
Regards,
Mick

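A worked example added here by the editor; it is not part of Mick's post and not code from ipsec-tools. It is a small Python helper that (a) parses the racoon.conf `remote` and `sainfo` blocks and flags the points a reviewer would raise against the router settings quoted in the post (aggressive mode with a pre-shared key; `encryption_algorithm aes;` with no key length against the router's aes-256-cbc; no `nat_traversal on;` although the ppp0 address 10.149.124.40 is RFC1918 and therefore behind the carrier's NAT), and (b) classifies racoon log lines so that the socket-binding messages in the post are recognised as "daemon idle, nothing negotiated yet" rather than as a failed tunnel. The racoon log wordings it matches are written from memory, OK_LOG is a constructed sample, and POST_CONF and IDLE_LOG are condensed from the post.

```python
"""Added example (not from Mick's post, nor from ipsec-tools): lint_racoon() checks a racoon.conf
proposal against what the post says the router expects; triage_log() tells "racoon bound its
sockets" apart from "a tunnel came up".  Log wordings from memory; OK_LOG constructed."""
import ipaddress
import re

def _tokens(text):
    # drop '#' comments, then split into words and the structural tokens { } ;
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse_conf(tokens, i=0):
    """Parse `key args...;` and `name { ... }` into {key: [args or subdict, ...]}."""
    node, words = {}, []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                node.setdefault(words[0], []).append(words[1:])
            words = []
        elif tok == "{":
            child, i = parse_conf(tokens, i + 1)
            node.setdefault(" ".join(words), []).append(child)
            words = []
        elif tok == "}":
            return node, i
        else:
            words.append(tok)
        i += 1
    return node, i

def _first(block, key):  # first argument of the first `key ...;` statement, or ""
    return ((block.get(key) or [[]])[0] + [""])[0]

def _aes_without_keylen(block):  # `encryption_algorithm aes;` with no explicit length
    return block.get("encryption_algorithm", [[]])[0] == ["aes"]

def lint_racoon(conf_text, local_addr, peer_keylen=256):
    tree, _ = parse_conf(_tokens(conf_text))
    behind_nat = ipaddress.ip_address(local_addr).is_private  # RFC1918 => carrier NAT
    out = []
    for key, blocks in tree.items():
        if key.startswith("remote "):
            remote, prop = blocks[0], blocks[0].get("proposal", [{}])[0]
            if (_first(remote, "exchange_mode") == "aggressive"
                    and _first(prop, "authentication_method") == "pre_shared_key"):
                out.append("P1: aggressive+PSK: ID sent in clear and the PSK-derived hash is sniffable "
                           "for offline guessing; use rsasig with main mode, or at least a long random PSK")
            if _aes_without_keylen(prop):
                out.append(f"P1: router wants aes-{peer_keylen}-cbc: write `encryption_algorithm aes {peer_keylen};`")
            if behind_nat and _first(remote, "nat_traversal") != "on":
                out.append(f"P1: {local_addr} is a private address (carrier NAT): set `nat_traversal on;`")
        elif key.startswith("sainfo") and _aes_without_keylen(blocks[0]):
            out.append(f"P2: transform-set is esp-aes-{peer_keylen}-cbc: sainfo needs `aes {peer_keylen};`")
    return out

LOG_MARKERS = (  # heuristic matches on racoon's syslog wording
    ("bound", re.compile(r"(\S+)\[(\d+)\] used as isakmp port")),
    ("p1_start", re.compile(r"(initiate|respond) new phase 1 negotiation")),
    ("p1_up", re.compile(r"ISAKMP-SA established")),
    ("p2_up", re.compile(r"IPsec-SA established")),
)
STAGES = (  # furthest stage reached, most advanced first
    ("p2_up", "tunnel up: phase 2 SA established"),
    ("p1_up", "phase 1 up, no phase 2 SA: check sainfo and the SPD (setkey -DP)"),
    ("p1_start", "phase 1 attempted, not established: check PSK, identifiers, proposal"),
    ("bound", "idle: only local sockets bound; the peer never appears until a negotiation is triggered"),
)

def triage_log(lines):
    """Classify log lines by the furthest stage racoon reached; list bound sockets."""
    seen, bound = set(), set()
    for line in lines:
        for tag, rx in LOG_MARKERS:
            m = rx.search(line)
            if m:
                seen.add(tag)
                if tag == "bound":
                    bound.add(f"{m.group(1)}:{m.group(2)}")
    state = next((msg for tag, msg in STAGES if tag in seen), "no racoon activity in these lines")
    return {"state": state, "bound": sorted(bound)}

POST_CONF = """remote 123.456.78.9 {
    exchange_mode aggressive; mode_cfg on; proposal_check obey;
#   nat_traversal on;
    proposal { encryption_algorithm aes; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; } }
sainfo anonymous { encryption_algorithm aes; authentication_algorithm hmac_sha1; }"""
IDLE_LOG = [  # two of the socket-bind lines from the post
    "Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)",
    "Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port (fd=10)",
]
OK_LOG = [  # constructed: roughly what a successful client negotiation logs
    "racoon: INFO: initiate new phase 1 negotiation: 10.149.124.40[500]<=>123.456.78.9[500]",
    "racoon: INFO: ISAKMP-SA established 10.149.124.40[4500]-123.456.78.9[4500] spi:deadbeef:cafef00d",
    "racoon: INFO: IPsec-SA established: ESP/Tunnel 10.149.124.40[4500]->123.456.78.9[4500] spi=1",
]
if __name__ == "__main__":
    print(*lint_racoon(POST_CONF, "10.149.124.40"), sep="\n")
    print(triage_log(IDLE_LOG)["state"])
```

The "used as isakmp port" lines are what racoon prints for every local address it can listen on, loopback included; the router's address only shows up once a phase 1 exchange actually starts. Racoon initiates only when something asks it to: either an SPD entry that makes the kernel send an ACQUIRE, or `racoonctl vpn-connect <gateway>`, which is the usual trigger for a mode_cfg road-warrior client. So the practical order is: run racoon in the foreground (`racoon -F`), issue `racoonctl vpn-connect 123.456.78.9`, and feed the new log lines to triage_log(); the stage it reports tells you which of PSK/identifiers/proposal (phase 1) or sainfo/SPD (phase 2) to look at next.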