Hi All,

I have been trying for some time now to set up a road warrior VPN client so that I can connect to my home router and administer machines on the LAN.

However, my understanding of IPSec is poor and consequently my configuration of racoon is not working. There are other apps out there like strongswan, but I would really like to learn to do it using the vanilla racoon and kernel set up first rather than apply another layer of software to it. Could some kind soul give me a nudge in troubleshooting this?

On the home router I have:

public IP: 123.456.78.9
LAN: 10.10.10.0/24
router LAN IP: 10.10.10.1

respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2
crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel

On the laptop, I have this in the racoon.conf:
===========================
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
        # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
#       nat_traversal on;
#       ike_frag on;
#       script "/etc/racoon/phase1_up_down.sh" phase1_up;
#       script "/etc/racoon/phase1_up_downdown.sh" phase1_down;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
===========================

I connect to the Internet using my mobile and I get this from the ISP:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG        0 0          0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0

Where 193.30.166.3 is the ISP's gateway. The ppp0 ip address is 10.149.124.40:

# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)

Now the problem is that upon starting racoon I do not see a tunnel being formed and indeed I cannot connect to machines in the LAN. This from the log:
==========================================
Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 20 13:40:59 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port (fd=9)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port (fd=10)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
==========================================

Why is it not showing the public router address 123.456.78.9 or the router LAN address and shows the loopback instead?

I tried including this up/down script but it made no odds:
==================================
#!/bin/bash
#
# manipulate IPSec SA database on behalf of the racoon daemon
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007
#

#FIXME: read this from, e.g., /etc/sysconfig/racoon
NAT_T="yes"

shopt -s nocasematch
umask 0022
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# set up NAT-T
case "${NAT_T}" in
  yes|true|on|enable*|1)
    LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
    REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
    ;;
  *)
    LOCAL="${LOCAL_ADDR}"
    REMOTE="${REMOTE_ADDR}"
    ;;
esac

# determine interface and next-hop for our default route
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}

# bring up phase1
phase1_up() {
  # check if VPN address already set up on default interface (dupe script call)
  ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
    echo "p1_up_down: phase1_up has already run !!!"
    exit 4
  }
  # save current resolv.conf and create new one based on info from VPN server
  [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
  {
    echo "# Generated by racoon on $(date)"
    echo "search ${DEFAULT_DOMAIN}"
    for NS in ${INTERNAL_DNS4_LIST}; do
      echo "nameserver ${NS}"
    done
  } > /etc/resolv.conf
  # add VPN address to default interface
  ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
  # set up host route to VPN server
  ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}
  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: keep existing default, insert specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
    done
  else
    # full tunnel: set up any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
    done
    # ... then replace default route with vpn tunnel
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
  fi
  # update SA database
  setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
}

# bring down phase1
phase1_down() {
  # restore previous resolv.conf
  [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf
  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: remove specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route del ${N}
    done
  else
    # full tunnel: remove any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route del ${N}
    done
    # ... then restore original default route
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF}
  fi
  # remove host route to VPN server
  ip route del ${REMOTE_ADDR}
  # remove VPN address from default interface
  ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
  # clean up SA database
  setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
# deleteall still broken on Linux, using 'flush esp' as workaround:
flush esp;
EOT
}

# print out parameters we received
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"

# check for valid VPN address
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid INTERNAL_ADDR4."
  exit 1
}

# check for valid default nexthop
echo ${DFLT_GW} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid DFLT_GW."
  exit 2
}

# main "program"
case "$1" in
  phase1_up)
    phase1_up
    ;;
  phase1_down)
    phase1_down
    ;;
  *)
    echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
    exit 3
    ;;
esac

echo "p1_up_down: $1 completed successfully."
exit 0
==================================

I've experimented with NAT on/off, etc, in racoon.conf but no joy. Where should I start?
--
Regards,
Mick
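An added log-triage helper, not part of Mick's post and not racoon's own code, to sort out what the quoted start-up log does and does not tell you. The "used as isakmp port" lines list the local addresses racoon binds UDP 500/4500 on, so the peer's public address can never appear there; it shows up only once an IKE exchange actually starts, in "ISAKMP-SA established" (phase 1) and "IPsec-SA established" (phase 2) messages, or in a "phase1 negotiation failed" error. The script extracts those three kinds of lines and gives a verdict. The first sample log is the one quoted in the post; the continuation showing a successful negotiation is constructed for illustration, with made-up SPI values, and mirrors racoon's message layout as I know it.

```python
#!/usr/bin/env python3
"""Triage racoon syslog lines: which local sockets did the daemon bind,
and did any IKE phase 1 / phase 2 negotiation actually complete?"""
import re
from dataclasses import dataclass

# "INFO: 10.149.124.40[500] used as isakmp port (fd=9)" is a local bind
# address; the remote peer never appears in these lines.
LISTEN_RE = re.compile(
    r"INFO: (?P<addr>\S+?)\[(?P<port>\d+)\] used as isakmp port \(fd=\d+\)")
# A completed phase 1 is logged as
# "INFO: ISAKMP-SA established <local>[port]-<remote>[port] spi:..."
P1_OK_RE = re.compile(
    r"INFO: ISAKMP-SA established (?P<local>\S+?\[\d+\])-(?P<remote>\S+?\[\d+\])")
P1_FAIL_RE = re.compile(r"ERROR: phase1 negotiation failed")
# A completed phase 2 is logged as "INFO: IPsec-SA established: ESP/Tunnel ..."
P2_OK_RE = re.compile(r"INFO: IPsec-SA established: ESP")


@dataclass
class Summary:
    listeners: list        # (addr, port) pairs racoon bound locally
    phase1_peers: list     # (local, remote) endpoints with a completed ISAKMP SA
    phase1_failures: int
    phase2_established: int

    def diagnosis(self):
        """Plain-language verdict, from the most to the least advanced state."""
        if self.phase2_established:
            return "ok: IPsec SAs established"
        if self.phase1_peers:
            return "phase 1 up but no phase 2 SA: check sainfo and the SPD"
        if self.phase1_failures:
            return "phase 1 failed: check proposals, identifiers and the PSK"
        return ("no phase 1 attempt logged: the listener lines only show local "
                "bind addresses; the peer appears once negotiation starts")


def triage(lines):
    """Reduce a list of racoon log lines (with or without syslog prefix) to a Summary."""
    listeners, peers = [], []
    p1_fail = p2_ok = 0
    for line in lines:
        if m := LISTEN_RE.search(line):
            listeners.append((m.group("addr"), int(m.group("port"))))
        elif m := P1_OK_RE.search(line):
            peers.append((m.group("local"), m.group("remote")))
        elif P1_FAIL_RE.search(line):
            p1_fail += 1
        elif P2_OK_RE.search(line):
            p2_ok += 1
    return Summary(listeners, peers, p1_fail, p2_ok)


# The start-up log quoted in the post, with the syslog prefix trimmed.
POSTED_LOG = [
    'INFO: Reading configuration from "/etc/racoon/racoon.conf"',
    "NOTIFY: NAT-T is enabled, autoconfiguring ports",
    "INFO: 127.0.0.1[500] used as isakmp port (fd=7)",
    "INFO: 127.0.0.1[500] used for NAT-T",
    "INFO: 127.0.0.1[4500] used as isakmp port (fd=8)",
    "INFO: 127.0.0.1[4500] used for NAT-T",
    "INFO: 10.149.124.40[500] used as isakmp port (fd=9)",
    "INFO: 10.149.124.40[500] used for NAT-T",
    "INFO: 10.149.124.40[4500] used as isakmp port (fd=10)",
    "INFO: 10.149.124.40[4500] used for NAT-T",
    "INFO: ::1[500] used as isakmp port (fd=11)",
    "INFO: ::1[4500] used as isakmp port (fd=12)",
]

# Constructed continuation (made-up SPIs) showing what a successful
# negotiation against the router in the post would add to the log.
CONSTRUCTED_SUCCESS_LOG = POSTED_LOG + [
    "INFO: ISAKMP-SA established 10.149.124.40[4500]-123.456.78.9[4500] "
    "spi:0123456789abcdef:fedcba9876543210",
    "INFO: IPsec-SA established: ESP/Tunnel 123.456.78.9[4500]->10.149.124.40[4500] "
    "spi=12345678(0xbc614e)",
]

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_SUCCESS_LOG)):
        s = triage(log)
        print(f"{name}: bound {sorted(set(s.listeners))}")
        print(f"{name}: {s.diagnosis()}")
```

Run it as-is to see the two verdicts, or feed it `grep racoon /var/log/messages` output line by line; the regexes use `search`, so the syslog prefix does not need stripping.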