In article <47cda77073c.607dc...@mail.owl.de>, Frank Wille <fr...@phoenix.owl.de> wrote:
>Brett Lynn wrote:
>
>On 04.03.16 09:20:12 you wrote:
>
>> Well, let's say packet loss from the point of view of racoon; ipsec can
>> be very sensitive to lossy networks, so it is good to eliminate that as
>> a cause. The test with the Windows client is valuable; it shows that
>> ipsec can work from where you are.
>
>Indeed. And I guess we can ignore a potential packet loss for now. I
>debugged Racoon and studied the source over several hours and came to the
>conclusion that IKE mode config only works with Hybrid authentication
>modes. No plain "rsasig", which is a pity.
>
>Might not be too difficult to add...
>
>
>> As for the keep-alives, the
>> handling of those depends on the client and/or its configuration -
>> maybe the Windows client is configured to ignore the keep-alives?
>
>Now I guess that keep-alives are just sent to have some traffic, but there is no need
>to reply to them. The Lancom gateway does not send them itself. My own NetBSD
>gateway generates them, but does not reply either.
>
>
>> I do recall being able to get logging out of racoon. Have you tried
>> running racoon in the foreground?
>
>Correct. I discovered that in the meantime. "debug" output is never written
>to syslog for security reasons (it contains hexdumps of keys and
>certificates).
>
>
>>> Also I'm starting to doubt whether "authentication_method rsasig" is
>>> working at all. Until now I found no success stories with such a
>>> configuration on the net, especially when using mode_cfg.
>>>
>>
>> As for a lot of things, it is hard to find success stories on the net -
>
>True, but unfortunately I was right here. :|
>
>
>> I have only done hybrid-xauth; part of that was validating a
>> certificate.
>
>Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my
>phase1-up script and adds the appropriate SPD entries.
>
>There is no phase 2 negotiation before I try to connect to any VPN address,
>but I think that's normal.
>
>Unfortunately even the proven hybrid authentication fails for me. The kernel
>cannot update or add keys for the SAD:
>
>racoon: INFO: initiate new phase 2 negotiation: 192.168.1.5[4500]<=>77.182.71.224[4500]
>racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
>racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
>racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
>/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
>/netbsd: key_update: no SA index found.
>/netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500
>/netbsd: key_setsaval: unable to initialize SA type 3.
>racoon: ERROR: pfkey UPDATE failed: No such file or directory
>racoon: ERROR: pfkey ADD failed: Invalid argument
>racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait.
>
>
>On the other hand, the Racoon server/gateway has no problem. It may have
>something to do with NAT-T...?
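For readers trying to reproduce the setup Frank describes (mode config over hybrid authentication, NAT-T, a phase1-up script), here is a client-side racoon.conf sketch. It is an added example for this thread, not configuration from the original message or from the ipsec-tools sources; the certificate and script paths, the login name and the algorithm choices are assumptions. Hybrid mode authenticates only the gateway with its certificate and the client with its XAuth login, so `ca_type`/`verify_cert on` are the parts that stop a spoofed gateway, and the XAuth password is looked up in the `pre_shared_key` file under the login name.

```conf
# Client-side racoon.conf for hybrid RSA + XAuth with mode config (assumed paths).
path pre_shared_key "/etc/racoon/psk.txt";   # line "vpnuser <xauth-password>"
path certificate    "/etc/racoon/certs";     # assumed directory holding ca.crt
path script         "/etc/racoon/scripts";   # assumed directory for the hook scripts

remote anonymous {
    exchange_mode aggressive,main;
    nat_traversal on;        # allow UDP/4500 encapsulation when NAT is detected
    ike_frag on;             # certificates rarely fit into one IKE packet
    mode_cfg on;             # pull internal address/DNS from the gateway (ISAKMP mode config)
    xauth_login "vpnuser";   # assumed login; password comes from psk.txt
    ca_type x509 "ca.crt";   # CA that signed the gateway certificate
    verify_cert on;          # do not accept a gateway certificate that does not chain to ca.crt
    proposal_check obey;
    script "phase1-up.sh"   phase1_up;    # assumed hook that configures the received address
    script "phase1-down.sh" phase1_down;
    proposal {
        encryption_algorithm  aes 256;
        hash_algorithm        sha1;
        authentication_method hybrid_rsa_client;   # gateway: RSA signature, client: XAuth
        dh_group              modp1024;
    }
}

sainfo anonymous {
    pfs_group                modp1024;
    encryption_algorithm     aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm    deflate;
}
```

Run `racoon -F -d -f /etc/racoon/racoon.conf` to keep it in the foreground with debug output on the terminal, which, as the thread notes, is deliberately not sent to syslog because it includes key material.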
If your server is behind NAT, I think that got broken at some point. I meant to debug this... I guess I should just do it...

christos