Re: Simple IPSEC client with certificate - phase 1 time out
On Mar 8, 2:26pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | http://www.netbsd.org/docs/network/ipsec/ | In section "Configuring IPsec kernel". | | It also mentions IPSEC_ESP, which was removed together with IPSEC_NAT_T | after netbsd-6. Fixed. christos
Re: Simple IPSEC client with certificate - phase 1 time out
Greg Troxel wrote: > It seems to me that if a kernel with "option IPSEC" and w/o swcrypto > doesn't work, then perhaps it should fail to config, or log an error at > runtime. (Perhaps swcrypto isn't required, and it's just that there > must be some crypto provider.) As far as I understand swcrypto registers software encryption algorithms in the kernel for 3des, aes, blowfish, etc.. They are not explicitely required as you may also use hardware for that. -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
Frank Willewrites: > BTW, my problem with setkey on macppc was caused by the missing swcrypto > pseudo device in the kernel. > > Our IPsec FAQ should mention that you need that, besides "option IPSEC". I > know that amd64, i386 and sparc64 have these enabled by default now, but no > other port has. It seems to me that if a kernel with "option IPSEC" and w/o swcrypto doesn't work, then perhaps it should fail to config, or log an error at runtime. (Perhaps swcrypto isn't required, and it's just that there must be some crypto provider.) signature.asc Description: PGP signature
Re: Simple IPSEC client with certificate - phase 1 time out
On Mar 8, 12:14pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | Christos Zoulas wrote: | | >>| > If your server is behind NAT, I think that got broken at some point. | >>| | >>| Oh no! :( | >> | >>Yes, it is almost working... The tunnel is up, and 3 out of 4 SAD's are | >>present; the 4th one comes up as larval and then times out... | > | >And it is now fixed and tested on little endian. I have done no testing | >on big endian. I guess I could boot my sparc64 box and see if the extended | >rest made the hardware more reliable :-) | | Indeed. It is! Many thanks for your great work! Much appreciated. :) Great! | IPsec with Racoon behind NAT is confirmed to work now. Tested on macppc, so | there is no endian problem. | | Do we get a pullup for netbsd-7, and maybe netbsd-6? I asked for them just now. | BTW, my problem with setkey on macppc was caused by the missing swcrypto | pseudo device in the kernel. | | Our IPsec FAQ should mention that you need that, besides "option IPSEC". I | know that amd64, i386 and sparc64 have these enabled by default now, but no | other port has. URL? christos
Re: Simple IPSEC client with certificate - phase 1 time out
In article <20160305160718.f2ef517f...@rebar.astron.com>, Christos Zoulas <chris...@zoulas.com> wrote: >On Mar 5, 4:32pm, fr...@phoenix.owl.de (Frank Wille) wrote: >-- Subject: Re: Simple IPSEC client with certificate - phase 1 time out > >| Christos Zoulas wrote: >| >| > If your server is behind NAT, I think that got broken at some point. >| >| Oh no! :( > >Yes, it is almost working... The tunnel is up, and 3 out of 4 SAD's are >present; the 4th one comes up as larval and then times out... And it is now fixed and tested on little endian. I have done no testing on big endian. I guess I could boot my sparc64 box and see if the extended rest made the hardware more reliable :-) christos
Re: Simple IPSEC client with certificate - phase 1 time out
On Mar 5, 4:32pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | Christos Zoulas wrote: | | > If your server is behind NAT, I think that got broken at some point. | | Oh no! :( Yes, it is almost working... The tunnel is up, and 3 out of 4 SAD's are present; the 4th one comes up as larval and then times out... | > I meant to debug this... I guess I should just do it... | | That would be so great! I can provide you with any information you need | and can do all sorts of tests. Also with big endian hardware. | | BTW, there is a strange problem with adding SAs in the 7.0 kernel. | Maybe it doesn't work on big endian? I don't know. make sure you have IPSEC_DEBUG in your kernel and you'll get a lot of useful info. | 1. NetBSD/macppc 7.0 (PowerBook G4): | # setkey -c | add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest"; | Invalid argument. | # setkey -D | No SAD entries. | | 2. NetBSD/amd64 7.0 (Asus i3): | # setkey -c | add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest"; | # setkey -D | 10.0.0.1 10.0.0.2 | esp mode=any spi=1234(0x04d2) reqid=0(0x) | E: aes-cbc 74657374 74657374 74657374 74657374 | seq=0x replay=0 flags=0x0040 state=mature | created: Mar 5 15:53:31 2016 current: Mar 5 16:20:54 2016 | diff: 1643(s) hard: 0(s) soft: 0(s) | last: Mar 5 11:41:33 2016 hard: 0(s) soft: 0(s) | current: 0(bytes) hard: 0(bytes) soft: 0(bytes) | allocated: 0hard: 0 soft: 0 | sadb_seq=0 pid=2037 refcnt=1 | | | So the "pfkey ADD failed" is not present on x86, but the "pfkey UPDATED | failed" is still there. I was able to see the SA to be updated for a short | time in "larval" state when phase 2 was established: The updated failed is fine (No such file or directory means it was not present), and then it succeeds adding it. | # setkey -D | 192.168.0.21[4500] 78.48.238.147[4500] | esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x) | E: aes-cbc d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299 | A: hmac-md5 3bd33ccd cd06e211 b5b7b926 399089e7 | seq=0x0002 replay=4 flags=0x state=mature | created: Mar 5 14:57:06 2016 current: Mar 5 14:57:14 2016 | diff: 8(s) hard: 28800(s) soft: 23040(s) | last: Mar 5 14:57:07 2016 hard: 0(s) soft: 0(s) | current: 320(bytes) hard: 0(bytes) soft: 0(bytes) | allocated: 2hard: 0 soft: 0 | sadb_seq=1 pid=660 refcnt=2 | 78.48.238.147 192.168.0.21 | esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x) | seq=0x replay=0 flags=0x state=larval | sadb_seq=0 pid=660 refcnt=1 I hope to fix the problem soon... It has been broken forever. christos
Re: Simple IPSEC client with certificate - phase 1 time out
Christos Zoulas wrote: > If your server is behind NAT, I think that got broken at some point. Oh no! :( > I meant to debug this... I guess I should just do it... That would be so great! I can provide you with any information you need and can do all sorts of tests. Also with big endian hardware. BTW, there is a strange problem with adding SAs in the 7.0 kernel. Maybe it doesn't work on big endian? 1. NetBSD/macppc 7.0 (PowerBook G4): # setkey -c add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest"; Invalid argument. # setkey -D No SAD entries. 2. NetBSD/amd64 7.0 (Asus i3): # setkey -c add 10.0.0.1 10.0.0.2 esp 1234 -E aes-cbc "testtesttesttest"; # setkey -D 10.0.0.1 10.0.0.2 esp mode=any spi=1234(0x04d2) reqid=0(0x) E: aes-cbc 74657374 74657374 74657374 74657374 seq=0x replay=0 flags=0x0040 state=mature created: Mar 5 15:53:31 2016 current: Mar 5 16:20:54 2016 diff: 1643(s) hard: 0(s) soft: 0(s) last: Mar 5 11:41:33 2016 hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0hard: 0 soft: 0 sadb_seq=0 pid=2037 refcnt=1 So the "pfkey ADD failed" is not present on x86, but the "pfkey UPDATED failed" is still there. I was able to see the SA to be updated for a short time in "larval" state when phase 2 was established: # setkey -D 192.168.0.21[4500] 78.48.238.147[4500] esp-udp mode=tunnel spi=17572466(0x010c2272) reqid=0(0x) E: aes-cbc d5bd6bf8 2d5fd2f7 49c5ebdc d20c6299 A: hmac-md5 3bd33ccd cd06e211 b5b7b926 399089e7 seq=0x0002 replay=4 flags=0x state=mature created: Mar 5 14:57:06 2016 current: Mar 5 14:57:14 2016 diff: 8(s) hard: 28800(s) soft: 23040(s) last: Mar 5 14:57:07 2016 hard: 0(s) soft: 0(s) current: 320(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 2hard: 0 soft: 0 sadb_seq=1 pid=660 refcnt=2 78.48.238.147 192.168.0.21 esp mode=tunnel spi=120588728(0x073009b8) reqid=0(0x) seq=0x replay=0 flags=0x state=larval sadb_seq=0 pid=660 refcnt=1 -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lynn wrote: On 04.03.16 09:20:12 you wrote: > Well, let's say packet loss from the point of view of racoon, ipsec can > be very sensitive to lossy networks so it is good the eliminate that as > a cause. The test with the windows client is valuable, it shows that > ipsec can work from where you are. Indeed. And I guess we can ignore a potential packet loss for now. I debugged Racoon and studied the source over several hours and came to the conclusion that IKE mode config only works with Hybrid authentication modes. No plain "rsasig", which is a pity. Might not be too difficult to add... > As for the keep alives, the > handling of those depends on the client and/or its configuration - > maybe the windows client is configured to ignore the keep alives? Now I guess that keep-alives are just sent to have some traffic, but no need to reply them. The Lancom gateway does not sent them itself My own NetBSD gateway generates them, but does not reply either. > I do recall being able to get logging out of racoon. Have you tried > running racoon in the foreground Correct. I discovered that in the meantime. "debug" output is never written to syslog for security reasons (contains hexdumps of keys and certificates). >> Also I'm getting doubt whether "authentication_method rsasig" is >> working at all. Until now I found no success stories with such a >> configuration on the net, especially when using mode_cfg. >> > > As for a lot of things, it is hard to find success stories on the net - True, but unfortunately I was right here. :| > I have only done hybrid-xauth, part of that was validating a > certificate. Now I tried "hybrid_rsa_client", which perfectly does mode config, calls my phase1-up script and adds the appropriate SPD entries. There is no phase 2 negotiation before I try to connect to any VPN address, but I think that's normal. Unfortunately even the proven hybrid authentication fails for me. The kernel cannot update or add keys for SAD: racoon: INFO: initiate new phase 2 negotiation: 192.168.1.5[4500]<=>77.182.71.224[4500] racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3). racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) /netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500 /netbsd: key_update: no SA index found. /netbsd: key_set_natt_ports: type 2, sport = 4500, dport = 4500 /netbsd: key_setsaval: unable to initialize SA type 3. racoon: ERROR: pfkey UPDATE failed: No such file or directory racoon: ERROR: pfkey ADD failed: Invalid argument racoon: ERROR: 77.182.71.224 give up to get IPsec-SA due to time up to wait. On the other hand, the Racoon server/gateway has no problem. It may have something to do with NAT-T...? -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
On Wed, Mar 02, 2016 at 12:40:30PM +0100, Frank Wille wrote: > > > > OK and here is where things fall apart. The client sends an "are you > > there" request and vpn server sends a reply but it seems like the > > packet did not get through and then things go bad from there... > > What makes you think so? Looking at the tcpdump directly from the NetBSD > client shows that the ACK from the Lancom router arrived (those were the > only packets at 11:52:27): > > 11:52:27.567012 IP 192.168.1.5.4500 > 1.2.3.4.4500: NONESP-encap: isakmp: > phase 2/others I inf[E] > 11:52:27.609318 IP 1.2.3.4.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: > phase 2/others R inf[E] > > IMHO, DPD works fine. > Because racoon says that it didn't receive the ack from the lancom - either it received the packet and didn't like it or racoon didn't see it for some reason. It is good that the packet made it all the way back, it would be better if we could understand what, if anything, racoon did with it. > > >> [VPN-Status] 2016/03/01 11:52:37,096 > >> VPN: connection for VPNCLIENT15EF90 (91.56.237.127) timed out: no > >> response > > BTW, this timeout is always 30 seconds after phase1 has been established. No > matter what I do. With of without DPD. With or without mode_cfg. > Right, that is the lancom losing patience and tearing down its side of the connection. > > > OK so what we can see here is that there seems to be some packet loss > > that is causing the NetBSD client to wait for an answer but during that > > time the vpn server decides nothing is happening and tears the > > connection down. So, some things to consider: > > I'm not so sure about that packet loss. The only possible packet loss, which > Greg already noticed in a parallel thread on tech-net, seems to be with > NAT-T keepalive. But a test with a working Windows client using the same > certificate on the same LAN showed that those keepalive messages are not > replied either. > Well, let's say packet loss from the point of view of racoon, ipsec can be very sensitive to lossy networks so it is good the eliminate that as a cause. The test with the windows client is valuable, it shows that ipsec can work from where you are. As for the keep alives, the handling of those depends on the client and/or its configuration - maybe the windows client is configured to ignore the keep alives? > > > 0) How reliable is the internet connection on the client side? It > > seems these days there is an assumption the connection is fast. > > ADSL with approx. 6 MBit down and 1 MBit up. But our DSLAM is already > capable of 50 or 100 MBit, and only 30m away. > > I do not remember having any reliability problems. > Good - another thing we can tick off as not being a cause. > > > 1) Since one side is doing NAT-T, do you have port forwarding on the > > router so that the IKE packets (udp 500 and 4500) are forwarded back to > > the vpn client? Though it seems you must already have this right to > > get the phase 1 done... > > That's an interesting question. No, I don't have port forwarding enabled. Do > I really need that? I thought one of the reasons for using NAT-T is to work > around such problems? > Yes, I think you are correct... my flaky memory is probably throwing that up because I was running a vpn server behind a NAT and had to do the port forwarding. As you have stated, NAT-T is supposed to work around those issues. > But, as you said, I see UDP 500 and 4500 packets coming through on both > sides, and the Windows client is working over the same router. So I guess > everything is fine... > Yes, at a network infrastructure level it seems so given that the windows client just works. > > without. Now I did: > > pass in from any to any > pass out from any to any > > ...for a test. But it didn't change anything. So I don't think there is a > firewall problem. > OK, that sounds like it eliminates a firewall issue. > > > 3) some firewalls/routers don't like large udp packets, there are some > > racoon settings for fragmenting packets - perhaps you need those. > > I already had "ike_frag on" in my config. Now I also added "esp_frag 552", > without making any difference. > Try dropping the esp_frag to, say, 352 just to see what happens. I know the man page says 552 should be safe but that seems a bit close to the minimum mtu which is 576. At least a very low frag value will eliminate the possibility of the packet getting fragmented. Also, does the NetBSD client network interface have any tcp checksum offload turned on? > My current racoon.conf: > That all looks fairly sensible to me... > > Unfortunately "log debug" doesn't work at all. I get no debug messages out > of racoon. > I do recall being able to get logging out of racoon. Have you tried running racoon in the foreground (i.e. using the -F flag along with multiple -d) also have you used the -l flag to log to a file instead of syslog? > Also I'm getting doubt whether
Re: Simple IPSEC client with certificate - phase 1 time out
Thor Lancelot Simon wrote: > Consider disabling dead peer detection? Yes, tried that. The only difference is that "racoonctl vc 1.2.3.4" does not return, as it never realizes that the VPN server is dead. Otherwise the Lancom still terminates my connection after 30s. -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lymn wrote: > Well, there is a chance that the negotiation was failing due to packets > not going where you expect. That doesn't appear to be happening but > checking the simple things can't hurt and can save a lot of grief :) Sure. I will do what I can. Thanks for your detailed analyzation, BTW. >> [VPN-Status] 2016/03/01 11:52:07,121 >> IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id >> [...] > > This is good - we have a phase 1 done here, note the initiator and > responder cookies match the SPI numbers from the NetBSD side. Looking > good at this point. Besides that IKE mode config is not requested by the NetBSD client, although explicitely stated in the racoon.conf. >> [VPN-Status] 2016/03/01 11:52:27,223 >> IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer >> VPNCLIENT15EF90 Seq-Nr 0xe8, expected 0xe8 > >> >> [VPN-Status] 2016/03/01 11:52:27,224 >> IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer >> VPNCLIENT15EF90, sequence nr 0xe8 > > > OK and here is where things fall apart. The client sends an "are you > there" request and vpn server sends a reply but it seems like the > packet did not get through and then things go bad from there... What makes you think so? Looking at the tcpdump directly from the NetBSD client shows that the ACK from the Lancom router arrived (those were the only packets at 11:52:27): 11:52:27.567012 IP 192.168.1.5.4500 > 1.2.3.4.4500: NONESP-encap: isakmp: phase 2/others I inf[E] 11:52:27.609318 IP 1.2.3.4.4500 > 192.168.1.5.4500: NONESP-encap: isakmp: phase 2/others R inf[E] IMHO, DPD works fine. >> [VPN-Status] 2016/03/01 11:52:37,096 >> VPN: connection for VPNCLIENT15EF90 (91.56.237.127) timed out: no >> response BTW, this timeout is always 30 seconds after phase1 has been established. No matter what I do. With of without DPD. With or without mode_cfg. > OK so what we can see here is that there seems to be some packet loss > that is causing the NetBSD client to wait for an answer but during that > time the vpn server decides nothing is happening and tears the > connection down. So, some things to consider: I'm not so sure about that packet loss. The only possible packet loss, which Greg already noticed in a parallel thread on tech-net, seems to be with NAT-T keepalive. But a test with a working Windows client using the same certificate on the same LAN showed that those keepalive messages are not replied either. > 0) How reliable is the internet connection on the client side? It > seems these days there is an assumption the connection is fast. ADSL with approx. 6 MBit down and 1 MBit up. But our DSLAM is already capable of 50 or 100 MBit, and only 30m away. I do not remember having any reliability problems. > 1) Since one side is doing NAT-T, do you have port forwarding on the > router so that the IKE packets (udp 500 and 4500) are forwarded back to > the vpn client? Though it seems you must already have this right to > get the phase 1 done... That's an interesting question. No, I don't have port forwarding enabled. Do I really need that? I thought one of the reasons for using NAT-T is to work around such problems? But, as you said, I see UDP 500 and 4500 packets coming through on both sides, and the Windows client is working over the same router. So I guess everything is fine... > 2) any firewall rules blocking the incoming traffic? Again, just check > though it doesn't make much sense give you have managed to get so far > along. My home router is a Soekris running NetBSD. A few days ago I added the following ipf rules: pass in quick proto 4 from any to any pass in quick proto esp from any to any pass in quick proto ah from any to any pass in quick proto udp from any port = 500 to any port = 500 pass in quick proto udp from any port = 4500 to any port = 4500 pass out quick proto 4 from any to any pass out quick proto esp from any to any pass out quick proto ah from any to any pass out quick proto udp from any port = 500 to any port = 500 pass out quick proto udp from any port = 4500 to any port = 4500 But I don't think they are required, as the Windows VPN-client worked without. Now I did: pass in from any to any pass out from any to any ...for a test. But it didn't change anything. So I don't think there is a firewall problem. > 3) some firewalls/routers don't like large udp packets, there are some > racoon settings for fragmenting packets - perhaps you need those. I already had "ike_frag on" in my config. Now I also added "esp_frag 552", without making any difference. My current racoon.conf: path include "/etc/racoon"; path certificate "/etc/racoon/certs"; path script "/etc/racoon/scripts"; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". log debug; #timer #{ # natt_keepalive 15 seconds; #} remote "wpsd" { remote_address 1.2.3.4; exchange_mode main,base; my_identifier asn1dn;
Re: Simple IPSEC client with certificate - phase 1 time out
Consider disabling dead peer detection? Thor
Re: Simple IPSEC client with certificate - phase 1 time out
On Tue, Mar 01, 2016 at 09:09:07AM -0500, Greg Troxel wrote: > > In my experience, SPD entries are added outside of racoon to tell the > kernel that certain traffic should have IPsec protection. I don't > understand how in your setup that's supposed to work, or what is > triggering racoon to start the negotiation. > A SPD sets the policy for encrypting an outgoing packet. If you are simply creating a tunnel between two machines I think you don't need it but if you have a machine that wants to access a network on the other side of a tunnel then you need a SPD to tell ipsec to use a particular SAD to encrypt and send the packet. I cannot recall myself but I think raccoon should set up the SPD if you have told it there is a network range on the remote end. If racoon is configured with passive off then it will attempt negotiation when it starts, I expect this is what is happening. -- Brett Lymn Let go, or be dragged - Zen proverb.
Re: Simple IPSEC client with certificate - phase 1 time out
On Tue, Mar 01, 2016 at 01:11:08PM +0100, Frank Wille wrote: > Brett Lymn wrote: > > > OK, does phase 2 actually complete? > > I doubt that. Currently I'm not even sure whether phase 1 completes, because > the phase1-up script is never called. On the other hand the phase1-down > script is called, as soon as the connection is terminated. > Well, it does seem to get close see below. > > > What does a "setkey -aD" output? > > No SAD entries. And no SPD entries either. > I guess they would be added by the phase1-up script...? > In the logs you can see the SAD entries get created but they get removed when the connection gets torn down. > > > Have you tried a tcpdump to see what is going on at the network level? > > Yes, always. I have attached the tcpdump from my client and the vpn-status > log of the Lancom-router (the VPN "server"). > That's helpful. I normally use -s 0 -x with my tcpdump so I can see what is in the packets but it may not be very useful here. > > > You should expect encrypted packets, if you are seeing stuff in the > > clear then check your routing and ensure the packets are properly > > routed to the vpn tunnel end point. > > This is something to worry about as soon as both phases have been completed, > which definitely is not the case. ;) > Well, there is a chance that the negotiation was failing due to packets not going where you expect. That doesn't appear to be happening but checking the simple things can't hurt and can save a lot of grief :) > > > It has been a long while since I played with this but I seem to recall > > that you do get a log of what is being proposed by both sides. > > The proposal is accepted (refer to the Lancom VPN log). > Yes and by NetBSD too, you can actually see the phase 1 has completed in the racoon logs but then the SA gets removed. > Looking at the tcpdump I wonder why the NetBSD client says it is exchanging > "isakmp: phase 2" packets, while the Lancom still calls these isakmp > notifies "Phase-1 SA"? > As Greg said, this is probably just terminology, I wouldn't get hung up on that too much. OK, lets have a bit of a look at the logs and see what is going on... > Mar 1 11:52:07 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT > Mar 1 11:52:07 powerbook racoon: INFO: ISAKMP-SA established > 192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 This is good - we have a security association here, note the SPI numbers here, they will be useful later. > Mar 1 11:53:12 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA > spi=4da2f5f910bbdf44:444ae08dd7de45a5) seems to be dead. > Mar 1 11:53:12 powerbook racoon: INFO: purging ISAKMP-SA > spi=4da2f5f910bbdf44:444ae08dd7de45a5. > Mar 1 11:53:12 powerbook racoon: INFO: purged ISAKMP-SA > spi=4da2f5f910bbdf44:444ae08dd7de45a5. > Mar 1 11:53:12 powerbook racoon: INFO: ISAKMP-SA deleted > 192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 > Mar 1 11:53:12 powerbook racoon: INFO: KA remove: > 192.168.1.5[4500]->1.2.3.4[4500] Then the SA gets torn down. > 11:52:06.441891 IP 192.168.1.5.500 > 1.2.3.4.500: isakmp: phase 1 I ident Nothing really out of place in the tcpdump... the log from the other side is interesting: > > [VPN-Status] 2016/03/01 11:52:07,096 > IKE info: exchange_finalize: assuming identified for road-warrior with cert, > id=VPNCLIENT15EF90, RemoteGW=91.56.237.127 > > > [VPN-Status] 2016/03/01 11:52:07,121 > IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id > CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052, responder > id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052 > IKE info: initiator cookie: 0x4da2f5f910bbdf44, responder cookie: > 0x444ae08dd7de45a5 > IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote side > is behind a nat > IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc > authentication MD5 > IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec > This is good - we have a phase 1 done here, note the initiator and responder cookies match the SPI numbers from the NetBSD side. Looking good at this point. > > [VPN-Status] 2016/03/01 11:52:23,541 > IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer > VPNCLIENT15EF90, sequence nr 0x7a8b3f4b > > > [VPN-Status] 2016/03/01 11:52:23,614 > IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer > VPNCLIENT15EF90 Seq-Nr 0x7a8b3f4b, expected 0x7a8b3f4b > This is good, we see a query and response > > [VPN-Status] 2016/03/01 11:52:27,223 > IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer > VPNCLIENT15EF90 Seq-Nr 0xe8, expected 0xe8 > > > [VPN-Status] 2016/03/01 11:52:27,224 > IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer > VPNCLIENT15EF90, sequence nr 0xe8 > OK and here is where things fall apart. The client sends an "are you there" request and vpn server sends
Re: Simple IPSEC client with certificate - phase 1 time out
Frank Willewrites: >> What does a "setkey -aD" output? > No SAD entries. And no SPD entries either. > I guess they would be added by the phase1-up script...? In my experience, SPD entries are added outside of racoon to tell the kernel that certain traffic should have IPsec protection. I don't understand how in your setup that's supposed to work, or what is triggering racoon to start the negotiation. > Looking at the tcpdump I wonder why the NetBSD client says it is exchanging > "isakmp: phase 2" packets, while the Lancom still calls these isakmp > notifies "Phase-1 SA"? > > IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer > VPNCLIENT15EF90, sequence nr 0x7a8b3f4b I think this is ok. I have not read the specs in a long time, but I think that notifications (INITIAL_CONTACT, DPD, etc.) are sent as phase 2 other messages (meaning they are protected in the phase 1 SA), but are considered control messages about the phase 1 SA. Other phase 2 messages are used to create a phase 2 SA, which is loaded into the kernel, and then data flows over that. So I don't think the 1/2 terminology difference about notifies is a problem. signature.asc Description: PGP signature
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lymn wrote: > OK, does phase 2 actually complete? I doubt that. Currently I'm not even sure whether phase 1 completes, because the phase1-up script is never called. On the other hand the phase1-down script is called, as soon as the connection is terminated. > What does a "setkey -aD" output? No SAD entries. And no SPD entries either. I guess they would be added by the phase1-up script...? > Have you tried a tcpdump to see what is going on at the network level? Yes, always. I have attached the tcpdump from my client and the vpn-status log of the Lancom-router (the VPN "server"). > You should expect encrypted packets, if you are seeing stuff in the > clear then check your routing and ensure the packets are properly > routed to the vpn tunnel end point. This is something to worry about as soon as both phases have been completed, which definitely is not the case. ;) > It has been a long while since I played with this but I seem to recall > that you do get a log of what is being proposed by both sides. The proposal is accepted (refer to the Lancom VPN log). Looking at the tcpdump I wonder why the NetBSD client says it is exchanging "isakmp: phase 2" packets, while the Lancom still calls these isakmp notifies "Phase-1 SA"? IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer VPNCLIENT15EF90, sequence nr 0x7a8b3f4b -- Frank Wille Mar 1 11:40:50 powerbook racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net) Mar 1 11:40:50 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 9 Jul 2015 (http://www.openssl.org/) Mar 1 11:40:50 powerbook racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" Mar 1 11:40:50 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T Mar 1 11:40:50 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=7) Mar 1 11:40:50 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T Mar 1 11:40:50 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8) Mar 1 11:40:50 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T Mar 1 11:40:50 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9) Mar 1 11:40:50 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T Mar 1 11:40:50 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10) Mar 1 11:52:06 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4 Mar 1 11:52:06 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500] Mar 1 11:52:06 powerbook racoon: INFO: begin Identity Protection mode. Mar 1 11:52:06 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Mar 1 11:52:06 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 Mar 1 11:52:06 powerbook racoon: INFO: received Vendor ID: RFC 3947 Mar 1 11:52:06 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Mar 1 11:52:06 powerbook racoon: INFO: received Vendor ID: DPD Mar 1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947 Mar 1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1 Mar 1 11:52:06 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1 Mar 1 11:52:06 powerbook racoon: INFO: Adding remote and local NAT-D payloads. Mar 1 11:52:06 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1 Mar 1 11:52:06 powerbook racoon: INFO: NAT-D payload #0 doesn't match Mar 1 11:52:06 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1 Mar 1 11:52:06 powerbook racoon: INFO: NAT-D payload #1 verified Mar 1 11:52:06 powerbook racoon: INFO: NAT detected: ME Mar 1 11:52:06 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500] Mar 1 11:52:07 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE Mar 1 11:52:07 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA Mar 1 11:52:07 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT Mar 1 11:52:07 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 Mar 1 11:53:12 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=4da2f5f910bbdf44:444ae08dd7de45a5) seems to be dead. Mar 1 11:53:12 powerbook racoon: INFO: purging ISAKMP-SA spi=4da2f5f910bbdf44:444ae08dd7de45a5. Mar 1 11:53:12 powerbook racoon: INFO: purged ISAKMP-SA spi=4da2f5f910bbdf44:444ae08dd7de45a5. Mar 1 11:53:12 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:4da2f5f910bbdf44:444ae08dd7de45a5 Mar 1 11:53:12 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500] 11:52:06.441891 IP 192.168.1.5.500 > 1.2.3.4.500: isakmp: phase 1 I ident 11:52:06.500027 IP 1.2.3.4.500 >
Re: Simple IPSEC client with certificate - phase 1 time out
On Sun, Feb 28, 2016 at 02:35:26PM +0100, Frank Wille wrote: > > I don't even need hybrid or xauth. Just a plain signed certificate on both > sides. A simple "road-warrior" client. Until now I found no example > configurations for this case. > Yes, it quite frustrating and complex... > > > IIRC, looping in phase 1 means both ends cannot agree on an > > authentication method or the credentials presented are not correct. > > Yes. But phase 1 is definitely ok in my case. I have now access to the > VPN-status log of my office's Lancom router and it accepted everything: > That is a good start. > > But after 30 seconds and a few Phase 2 Inf messages it just says: > OK, does phase 2 actually complete? What does a "setkey -aD" output? Have you tried a tcpdump to see what is going on at the network level? You should expect encrypted packets, if you are seeing stuff in the clear then check your routing and ensure the packets are properly routed to the vpn tunnel end point. > > Try increasing the debug level on raccoon and see what it is offering > > to the remote end and see if that matches what you expect. > > I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf > and starting the racoon daemon with -. I don't get any more information > out of it. > It has been a long while since I played with this but I seem to recall that you do get a log of what is being proposed by both sides. I know that it doesn't give any clear messages like "we failed because I didn't like this option" but there should be a lot of transactional information that can point to a solution. Are you seeing this? > > Unfortunately that's not possible. I cannot change the configuration of my > office's router, because it will break the working VPN connection of all > Windows notebooks. > Yes, that is not surprising but it seems that you are doing phase 1 ok anyway so I guess there is not much point. -- Brett Lymn Let go, or be dragged - Zen proverb.
Re: Simple IPSEC client with certificate - phase 1 time out
Brett Lymn wrote: On 28.02.16 10:18:13 you wrote: > Once upon a time I did manage to get hybrid xauth working using a > NetBSD server and windows clients, so certificates did work for me. I don't even need hybrid or xauth. Just a plain signed certificate on both sides. A simple "road-warrior" client. Until now I found no example configurations for this case. > IIRC, looping in phase 1 means both ends cannot agree on an > authentication method or the credentials presented are not correct. Yes. But phase 1 is definitely ok in my case. I have now access to the VPN-status log of my office's Lancom router and it accepted everything: [VPN-Status] 2016/02/29 12:31:52,304 IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052, responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052 IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie: 0x2e8dc875b4e07c26 IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote side is behind a nat IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc authentication MD5 IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec But after 30 seconds and a few Phase 2 Inf messages it just says: [VPN-Status] 2016/02/29 12:32:22,284 VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response [VPN-Status] 2016/02/29 12:32:22,284 VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90 (91.56.236.148) > Try increasing the debug level on raccoon and see what it is offering > to the remote end and see if that matches what you expect. I tried everything. IPSEC_DEBUG in the kernel. "log debug2" in racoon.conf and starting the racoon daemon with -. I don't get any more information out of it. > If you have > control over the other end then try simplifying things by using a > pre-shared key (PSK) method of authentication Unfortunately that's not possible. I cannot change the configuration of my office's router, because it will break the working VPN connection of all Windows notebooks. Thanks, -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
On Fri, Feb 26, 2016 at 11:21:09AM +0100, Frank Wille wrote: > > > Would be really nice if there was an IPSEC secret decoder ring for > > device compatibility/setup. > > Indeed. Over the last days I wondered that there is only few information > about IPSEC configuration on the net (especially with signed certificates), > although the same Racoon software is used in all BSDs, Linux, Android and > Mac OSX ... :| > It would be nice but ipsec is such a hairy beast and things can change between firmware vesions of the same device which makes it difficult. Once upon a time I did manage to get hybrid xauth working using a NetBSD server and windows clients, so certificates did work for me. IIRC, looping in phase 1 means both ends cannot agree on an authentication method or the credentials presented are not correct. Try increasing the debug level on raccoon and see what it is offering to the remote end and see if that matches what you expect. If you have control over the other end then try simplifying things by using a pre-shared key (PSK) method of authentication, get that working first and then move on to certificates after. That way you can start from a known working setup and focus on certificate problems. Debugging ipsec is quite awful to do, you don't get a lot of logging and what you do get can be downright confusing. -- Brett Lymn Let go, or be dragged - Zen proverb.
Re: Simple IPSEC client with certificate - phase 1 time out
Andy Ruhl wrote: > It might be worth trying some other OS or device just to sanity check > it and make sure it CAN work before you assume it's a NetBSD issue. I know that this Lancom router successfully establishes a connection to several other Lancom routers and to dozends of Windows clients, running the Windows Lancom VPN client software. So the problem is the Racoon configuration under NetBSD. > Would be really nice if there was an IPSEC secret decoder ring for > device compatibility/setup. Indeed. Over the last days I wondered that there is only few information about IPSEC configuration on the net (especially with signed certificates), although the same Racoon software is used in all BSDs, Linux, Android and Mac OSX ... :| -- Frank Wille
Re: Simple IPSEC client with certificate - phase 1 time out
On Thu, Feb 25, 2016 at 3:10 PM, Frank Willewrote: > Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it > again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause > turned out to be a bad "authentication_method" in my propsal: > > Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification > NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. > > I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not > completely sure about the difference. I have a signed certificate and don't > want to use any username or password authentication with xauth, so "rsasig" > is probably ok...? > > > Now I reach phase 2 and it looks to me that the VPN connection is > established for a second, but a few seconds later I get "DPD: remote seems > to be dead". No idea at the moment. > > Do I have to worry about "WARNING: unable to get certificate CRL(3)" ? > > What does "KA" mean? Sorry, not a lot of help here, I just felt like replying. I've been trying to get IPSEC transport mode set up between NetBSD and a stupid router who's name I won't mention and it's not working. I tried it with Linux and it's not working. I tried it with another brand of router and it's not working. I tried the same brand of router and it works. Probably because all the names of the toggles line up or something ridiculous like that. It might be worth trying some other OS or device just to sanity check it and make sure it CAN work before you assume it's a NetBSD issue. Would be really nice if there was an IPSEC secret decoder ring for device compatibility/setup. Andy
Re: Simple IPSEC client with certificate - phase 1 time out
On 25.02.16 18:52:52 I wrote: > and the VPN connection > # racoonctl vc 1.2.3.4 > > ...it fails very early: > > [...] > Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. > Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to > time up. 05349d3fe352e138: Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause turned out to be a bad "authentication_method" in my propsal: Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not completely sure about the difference. I have a signed certificate and don't want to use any username or password authentication with xauth, so "rsasig" is probably ok...? Now I reach phase 2 and it looks to me that the VPN connection is established for a second, but a few seconds later I get "DPD: remote seems to be dead". No idea at the moment. Do I have to worry about "WARNING: unable to get certificate CRL(3)" ? What does "KA" mean? ---8<--- Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net) Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 9 Jul 2015 (http://www.openssl.org/) Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=7) Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8) Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9) Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10) Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4 Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500] Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode. Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947 Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947 Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1 Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1 Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D payloads. Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1 Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1 Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500] Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead. Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd. Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd. Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd Feb 25 22:32:42 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500] ---8<--- -- Frank Wille