On 25.02.16 18:52:52 I wrote:

> and the VPN connection
> # racoonctl vc 1.2.3.4
>
> ...it fails very early:
>
> [...]
> Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode.
> Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to
> time up. 05349d3fe352e138:0000000000000000

Seems I forgot IPSEC_DEBUG, so I missed important information?

I tried it again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause turned out to be a bad "authentication_method" in my proposal:

Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.

I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not completely sure about the difference. I have a signed certificate and don't want to use any username or password authentication with xauth, so "rsasig" is probably ok...?

Now I reach phase 2 and it looks to me as if the VPN connection is established for a second, but a few seconds later I get "DPD: remote seems to be dead". No idea at the moment.

Do I have to worry about "WARNING: unable to get certificate CRL(3)"?
What does "KA" mean?

---8<---
Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net)
Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 9 Jul 2015 (http://www.openssl.org/)
Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=7)
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8)
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10)
Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500]
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode.
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D payloads.
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500]
---8<---

-- 
Frank Wille
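An added helper, not part of Frank's mail or of ipsec-tools: it turns racoon syslog lines like the ones above into a triage timeline, pairing each "ISAKMP-SA established" line with the "DPD: remote ... seems to be dead" line carrying the same SPI so the SA's lifetime is visible (66 s in this log), and counting the CRL warnings separately. The event labels and the shortened sample lines are this example's own.

```python
import re
from datetime import datetime

# Syslog-style racoon line: "Feb 25 22:31:36 host racoon: [peer] LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi[:=]([0-9a-f]{16}:[0-9a-f]{16})")

# Message substring -> event label. Labels are this example's own names.
EVENTS = [
    ("NO-PROPOSAL-CHOSEN", "phase1_proposal_rejected"),
    ("phase1 negotiation failed", "phase1_timeout"),
    ("unable to get certificate CRL", "crl_unavailable"),
    ("NAT detected:", "nat_detected"),
    ("KA list add:", "natt_keepalive_started"),
    ("ISAKMP-SA established", "isakmp_sa_up"),
    ("DPD: remote", "dpd_peer_dead"),
    ("ISAKMP-SA deleted", "isakmp_sa_down"),
]

def parse_line(line, year=2016):
    """Return (timestamp, event, spi) for a line of interest, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for needle, label in EVENTS:
        if needle in m["msg"]:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            spi = SPI_RE.search(m["msg"])
            return ts, label, spi.group(1) if spi else None
    return None

def triage(lines, year=2016):
    """Timeline plus seconds each ISAKMP SA lived before DPD declared the peer dead."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    up, lifetimes = {}, {}
    for ts, label, spi in events:
        if label == "isakmp_sa_up" and spi:
            up[spi] = ts
        elif label == "dpd_peer_dead" and spi in up:
            lifetimes[spi] = int((ts - up[spi]).total_seconds())
    return {"timeline": [(ts.strftime("%H:%M:%S"), l) for ts, l, _ in events],
            "sa_lifetime_seconds": lifetimes,
            "crl_warnings": sum(1 for _, l, _ in events if l == "crl_unavailable")}

# Constructed sample: lines from the log above, SubjectName shortened.
SAMPLE = """\
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/CN=ZENTRALE
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```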