Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-08 Thread Christos Zoulas
On Mar 8, 2:26pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | http://www.netbsd.org/docs/network/ipsec/ | In section "Configuring IPsec kernel". | | It also mentions IPSEC_ESP, which was removed together with I

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-08 Thread Frank Wille
Greg Troxel wrote: > It seems to me that if a kernel with "option IPSEC" and w/o swcrypto > doesn't work, then perhaps it should fail to config, or log an error at > runtime. (Perhaps swcrypto isn't required, and it's just that there > must be some crypto provider.) As far as I understand

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-08 Thread Greg Troxel
Frank Wille writes: > BTW, my problem with setkey on macppc was caused by the missing swcrypto > pseudo device in the kernel. > > Our IPsec FAQ should mention that you need that, besides "option IPSEC". I > know that amd64, i386 and sparc64 have these enabled by default

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-08 Thread Christos Zoulas
On Mar 8, 12:14pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | Christos Zoulas wrote: | | >>| > If your server is behind NAT, I think that got broken at some point. | >>| | >>| Oh no! :( | >> |

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-05 Thread Christos Zoulas
In article <20160305160718.f2ef517f...@rebar.astron.com>, Christos Zoulas <chris...@zoulas.com> wrote: >On Mar 5, 4:32pm, fr...@phoenix.owl.de (Frank Wille) wrote: >-- Subject: Re: Simple IPSEC client with certificate - phase 1 time out > >| Christos Zoulas wrote:

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-05 Thread Christos Zoulas
On Mar 5, 4:32pm, fr...@phoenix.owl.de (Frank Wille) wrote: -- Subject: Re: Simple IPSEC client with certificate - phase 1 time out | Christos Zoulas wrote: | | > If your server is behind NAT, I think that got broken at some point. | | Oh no! :( Yes, it is almost working... The tunnel is

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-05 Thread Frank Wille
Christos Zoulas wrote: > If your server is behind NAT, I think that got broken at some point. Oh no! :( > I meant to debug this... I guess I should just do it... That would be so great! I can provide you with any information you need and can do all sorts of tests. Also with big endian

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-04 Thread Frank Wille
Brett Lymn wrote: On 04.03.16 09:20:12 you wrote: > Well, let's say packet loss from the point of view of racoon, ipsec can > be very sensitive to lossy networks so it is good to eliminate that as > a cause. The test with the windows client is valuable, it shows that > ipsec can work from

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-03 Thread Brett Lymn
On Wed, Mar 02, 2016 at 12:40:30PM +0100, Frank Wille wrote: > > > > OK and here is where things fall apart. The client sends an "are you > > there" request and vpn server sends a reply but it seems like the > > packet did not get through and then things go bad from there... > > What makes you

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-02 Thread Frank Wille
Thor Lancelot Simon wrote: > Consider disabling dead peer detection? Yes, tried that. The only difference is that "racoonctl vc 1.2.3.4" does not return, as it never realizes that the VPN server is dead. Otherwise the Lancom still terminates my connection after 30s. -- Frank Wille

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-02 Thread Frank Wille
Brett Lymn wrote: > Well, there is a chance that the negotiation was failing due to packets > not going where you expect. That doesn't appear to be happening but > checking the simple things can't hurt and can save a lot of grief :) Sure. I will do what I can. Thanks for your detailed

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Thor Lancelot Simon
Consider disabling dead peer detection? Thor

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Brett Lymn
On Tue, Mar 01, 2016 at 09:09:07AM -0500, Greg Troxel wrote: > > In my experience, SPD entries are added outside of racoon to tell the > kernel that certain traffic should have IPsec protection. I don't > understand how in your setup that's supposed to work, or what is > triggering racoon to

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Brett Lymn
On Tue, Mar 01, 2016 at 01:11:08PM +0100, Frank Wille wrote: > Brett Lymn wrote: > > > OK, does phase 2 actually complete? > > I doubt that. Currently I'm not even sure whether phase 1 completes, because > the phase1-up script is never called. On the other hand the phase1-down > script is

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Greg Troxel
Frank Wille writes: >> What does a "setkey -aD" output? > No SAD entries. And no SPD entries either. > I guess they would be added by the phase1-up script...? In my experience, SPD entries are added outside of racoon to tell the kernel that certain traffic should

Re: Simple IPSEC client with certificate - phase 1 time out

2016-03-01 Thread Frank Wille
Brett Lymn wrote: > OK, does phase 2 actually complete? I doubt that. Currently I'm not even sure whether phase 1 completes, because the phase1-up script is never called. On the other hand the phase1-down script is called, as soon as the connection is terminated. > What does a "setkey -aD"

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-29 Thread Brett Lymn
On Sun, Feb 28, 2016 at 02:35:26PM +0100, Frank Wille wrote: > > I don't even need hybrid or xauth. Just a plain signed certificate on both > sides. A simple "road-warrior" client. Until now I found no example > configurations for this case. > Yes, it's quite frustrating and complex... > > >

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-29 Thread Frank Wille
Brett Lymn wrote: On 28.02.16 10:18:13 you wrote: > Once upon a time I did manage to get hybrid xauth working using a > NetBSD server and windows clients, so certificates did work for me. I don't even need hybrid or xauth. Just a plain signed certificate on both sides. A simple "road-warrior"

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-28 Thread Brett Lymn
On Fri, Feb 26, 2016 at 11:21:09AM +0100, Frank Wille wrote: > > > Would be really nice if there was an IPSEC secret decoder ring for > > device compatibility/setup. > > Indeed. Over the last few days I wondered why there is so little information > about IPSEC configuration on the net (especially

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-26 Thread Frank Wille
Andy Ruhl wrote: > It might be worth trying some other OS or device just to sanity check > it and make sure it CAN work before you assume it's a NetBSD issue. I know that this Lancom router successfully establishes a connection to several other Lancom routers and to dozens of Windows clients,

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Andy Ruhl
On Thu, Feb 25, 2016 at 3:10 PM, Frank Wille wrote: > Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it > again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause > turned out to be a bad "authentication_method" in my proposal: > > Feb 25

Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
On 25.02.16 18:52:52 I wrote: > and the VPN connection > # racoonctl vc 1.2.3.4 > > ...it fails very early: > > [...] > Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. > Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to > time up.

Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
Hi, I want to set up an IPSEC client to connect to my office's Lancom router. I was provided with the following details: - Main mode IKEv1 - DH group 2 (1024 bit) - PFS group 2 (1024 bit) - phase 1: IKE AES128, MD5 - phase 2: IPSec AES128, MD5 - phase 2 tunnel mode ESP - remote network
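The parameter list in the original post (main mode IKEv1, DH and PFS group 2, AES128 with MD5 in both phases, ESP tunnel mode, certificates on both sides), the later finding that a bad authentication_method in the proposal was behind the phase 1 "time up" error, Greg Troxel's remark that SPD entries are added outside racoon with setkey, and the note that the kernel needs the swcrypto pseudo-device besides "options IPSEC" all map onto a few lines of configuration. The script below is an added example and not a configuration posted in the thread: it generates a racoon.conf and a setkey SPD policy for that road-warrior client. Only the gateway address 1.2.3.4 comes from the page (it is the one used with racoonctl); the client address 192.0.2.10, the office network 10.0.0.0/24, the certificate file names, the config directory and the assumption that swcrypto announces itself in the boot messages with a line containing "swcrypto" are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build racoon.conf and the SPD policy
# for a certificate-authenticated road-warrior client of a Lancom router.
# Only GW appears on the page; the other values are hypothetical defaults
# and can be overridden from the environment.
GW=${GW:-1.2.3.4}              # VPN gateway, as used with "racoonctl vc"
CLIENT=${CLIENT:-192.0.2.10}   # hypothetical client address
REMNET=${REMNET:-10.0.0.0/24}  # hypothetical office network behind the gateway
CONFDIR=${CONFDIR:-/etc/racoon}

# Phase 1 / phase 2 parameters as listed in the original post. For certificate
# authentication the proposal must say "authentication_method rsasig"; a wrong
# value here fails phase 1, and only a kernel with IPSEC_DEBUG made racoon
# report the real reason instead of a bare "time up".
racoon_conf() {
cat <<EOF
path certificate "$CONFDIR/certs";

remote $GW {
        exchange_mode main;                  # Main mode IKEv1
        certificate_type x509 "client.crt" "client.key";
        ca_type x509 "ca.crt";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        # nat_traversal on;                  # the thread reports NAT-T as possibly broken
        proposal {
                encryption_algorithm aes 128;   # phase 1: AES128
                hash_algorithm md5;             # phase 1: MD5
                authentication_method rsasig;   # certificates, not pre_shared_key
                dh_group 2;                     # DH group 2 (1024 bit)
        }
}

sainfo anonymous {
        pfs_group 2;                            # PFS group 2 (1024 bit)
        encryption_algorithm aes 128;           # phase 2: AES128
        authentication_algorithm hmac_md5;      # phase 2: MD5
}
EOF
}

# racoon only negotiates when the kernel asks for an SA, so the policies that
# make traffic to the office network require an ESP tunnel are installed with
# setkey, outside racoon. Without them "setkey -aD" stays empty and phase1-up
# never fires.
spd_policy() {
cat <<EOF
spdflush;
spdadd $CLIENT/32 $REMNET any -P out ipsec esp/tunnel/$CLIENT-$GW/require;
spdadd $REMNET $CLIENT/32 any -P in ipsec esp/tunnel/$GW-$CLIENT/require;
EOF
}

# "options IPSEC" alone is not enough; a crypto provider such as the swcrypto
# pseudo-device must be in the kernel. Assumption: it announces itself in the
# boot messages with a line containing "swcrypto".
check_kernel() {
        dmesg | grep -q swcrypto
}

case "${1:-}" in
install)
        check_kernel || { echo "kernel has no swcrypto; add 'pseudo-device swcrypto'" >&2; exit 1; }
        racoon_conf > "$CONFDIR/racoon.conf"
        spd_policy  > "$CONFDIR/ipsec.conf"
        setkey -f "$CONFDIR/ipsec.conf"
        setkey -DP                  # the two SPD entries should now be listed
        racoonctl vc "$GW"          # bring the tunnel up, as done in the thread
        ;;
show)
        racoon_conf; spd_policy
        ;;
esac
```

Run it with `show` to inspect the generated files, or with `install` on the client to write them, load the SPD and start the connection; with the MD5/1024-bit parameters dictated by the gateway this only reproduces what the router accepts, not what one would pick for a new deployment.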