Gentoo Archives: gentoo-user

From: Michael Higgins <linux@×××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
Date: Tue, 19 May 2009 18:25:48
Message-Id: 20090519112245.5ea79852@lappy.evolone.org
In Reply to: Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup by Mick
On Sun, 17 May 2009 12:07:33 +0100
Mick <michaelkintzios@×××××.com> wrote:

> On Sunday 17 May 2009, Mick wrote:
> > Thanks Graham,
> >
> > On Saturday 16 May 2009, Graham Murray wrote:
> > > Here are some samples.
> > >
[8<]
>
> The more I try to use VPN the more I love SSH!
>
> http://bugs.gentoo.org/87920

Mick --

This is a *very* old bug. But it still happens. "WTF..."

I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?)

Anyway, it would appear that there is no Gentoo dev-loving on these packages, so maybe it would be a waste...

For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, that's my conclusion.)

I have:

net-firewall/ipsec-tools
net-dialup/xl2tpd

net-dialup/ppp <------is this needed?

I don't have * net-misc/openswan ... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)

Is there some other package that should be needed to make this all work? Do I need "ppp" at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working. Here, I begin:

. . .

/etc/init.d/xl2tpd start
* Starting xl2tpd ... [ ok ]

May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701

So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)

/etc/init.d/racoon start
* Loading ipsec policies from /etc/ipsec.conf.
* Starting racoon ... [ ok ]

May 19 10:27:11 lappy hald [ loads additional crypt modules ]

Module Size Used by
twofish 5568 0
twofish_common 12672 1 twofish
serpent 15936 0
blowfish 7104 0
sha256_generic 10240 0

May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

[ And there is only 'deflate' available anyway... ?? ]

May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=9)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used as isakmp port (fd=10)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used for NAT-T
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

May 19 10:27:12 lappy racoon: DEBUG: sub:0xbfa34dc8: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=in
May 19 10:27:12 lappy racoon: DEBUG: db :0x80df108: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=fwd
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

... and so on.

I've followed a how-to that sets up the client as a separate tunnel device for the network, so I'll have to see if I can't fix the routing... though I think it shouldn't matter, and won't anyway if phase 1 fails...

Basically, I don't know WHAT is SUPPOSED to happen. But, pinging a machine inside the network, I get plenty of debug info:

May 19 10:35:32 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:35:32 lappy racoon: DEBUG: get pfkey ACQUIRE message
May 19 10:35:32 lappy racoon: DEBUG2:

May 19 10:35:32 lappy racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24

May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.add.vpn.ip.

May 19 10:35:32 lappy racoon: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='192.168.243.0/24', peer='NULL', id=0
May 19 10:35:32 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:35:32 lappy racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: in post_acquire
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.ip.dev.vpn.

Now some errors:

May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued due to no phase1 found.

... which makes sense, I guess. It appears it doesn't try to negotiate phase 1 until traffic is routed to that destination.

And I can't find a single explanatory reference for this:

May 19 10:35:32 lappy racoon: ERROR: unknown AF: 0

May 19 10:35:32 lappy racoon: DEBUG: ===
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: INFO: begin Identity Protection mode.
May 19 10:35:32 lappy racoon: DEBUG: new cookie:
May 19 10:35:32 lappy 52dcd374fabdaf4d
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 48, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 0
May 19 10:35:32 lappy racoon: DEBUG: 180 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: 1 times of 180 bytes message will be sent to pub.ip.dev.vpn[500]

May 19 10:35:32 lappy racoon: DEBUG: resend phase1 packet 52dcd374fabdaf4d:0000000000000000
May 19 10:35:32 lappy racoon: phase1(ident I msg1): 0.001421
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: DEBUG: 100 bytes message received from pub.ip.dev.vpn[500] to 192.168.1.100[500]

May 19 10:35:33 lappy ec427b1f
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=1(sa)
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=13(vid)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: DEBUG: total SA len=48
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10
May 19 10:35:33 lappy 80010005 80030001 80020002 80040002
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=2(prop)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: proposal #1 len=40
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=3(trns)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: transform #1 len=32
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: encryption(3des)
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: pair 1:
May 19 10:35:33 lappy racoon: DEBUG: 0x80e13f0: next=(nil) tnext=(nil)
May 19 10:35:33 lappy racoon: DEBUG: proposal #1: 1 transform
May 19 10:35:33 lappy racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May 19 10:35:33 lappy racoon: DEBUG: trns#=1, trns-id=IKE
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: Compared: DB:Peer
May 19 10:35:33 lappy racoon: DEBUG: (lifetime = 3600:3600)
May 19 10:35:33 lappy racoon: DEBUG: (lifebyte = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: (encklen = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
... so is this good? Sounds good..??

May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: agreed on pre-shared key auth.
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: oakley_dh_generate(MODP1024): 0.027674
May 19 10:35:33 lappy racoon: DEBUG: compute DH's private.

May 19 10:35:33 lappy racoon: DEBUG: compute DH's public.
May 19 10:35:33 lappy racoon: DEBUG:

May 19 10:35:33 lappy racoon: INFO: Hashing pub.ip.dev.vpn[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Hashing 192.168.1.100[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Adding remote and local NAT-D payloads.
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 128, next type 10
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 16, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 0
May 19 10:35:33 lappy racoon: DEBUG: 228 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: 1 times of 228 bytes message will be sent to pub.ip.dev.vpn[500]

May 19 11:16:35 lappy racoon: DEBUG: receive Information.
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted

And the only *other* error.

May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: extract_port.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found

Anyway, it fails. I guess I need to check the ph1 handler is established, but where, how?

My next step is to get on the phone with the folks who have access to the "checkpoint" VPN device to see if they can tell me what fails.

But, before I go chatting them up, I really would like some confirmation from someone familiar with the DISTRO that I've got all the BINARIES in place I could possibly need to accomplish this, and nothing conflicting.

Cheers,

--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
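As an added example (not part of the post above, and not ipsec-tools code), a small Python triage script for the racoon phase 1 debug output quoted in the thread: it reads the `Compared: DB:Peer` attribute lines to report what the two sides agreed on, flags the parameters a reviewer would want to look at (3DES-CBC, SHA-1, 1024-bit MODP, pre-shared key), and maps the messages the poster could not find documented to their usual meaning. The sample log, the REVIEW policy table and the hint wording are constructed assumptions, not racoon documentation.

```python
import re

# Constructed sample, modelled on the racoon debug lines quoted in the post.
SAMPLE_LOG = """\
May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued due to no phase1 found.
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted
"""

# Attributes racoon prints in its "Compared: DB:Peer" block as "<ours>:<peer>".
COMPARE_RE = re.compile(r"racoon: DEBUG: (enctype|hashtype|authmethod|dh_group) = (.+?):(.+)$")
PH1_START_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)<=>(\S+)")

# Assumed review policy: phase 1 parameters worth a second look when agreed on.
REVIEW = {
    "enctype": {"DES-CBC", "3DES-CBC"},
    "hashtype": {"MD5", "SHA"},                # racoon prints SHA-1 as "SHA"
    "dh_group": {"768-bit MODP group", "1024-bit MODP group"},
    "authmethod": {"pre-shared key"},          # fine with a strong PSK; still flag it
}
# Assumed mapping from the messages seen in the post to what they usually mean.
HINTS = {
    "queued due to no phase1 found": "traffic arrived before any SA existed; racoon starts IKE now",
    "no established ph1 handler found": "phase 1 never completed; check PSK, identities and NAT-T",
    "none message must be encrypted": "peer sent an unencrypted notify; phase 1 was not established",
}

def triage(log):
    """Return (peers, agreed proposal, flagged attributes, hints) for one racoon log."""
    peers, proposal, hints = None, {}, []
    for line in log.splitlines():
        m = PH1_START_RE.search(line)
        if m:
            peers = (m.group(1), m.group(2))
        m = COMPARE_RE.search(line)
        if m:
            attr, ours, theirs = m.groups()
            proposal[attr] = theirs if ours == theirs else f"{ours}!={theirs}"
        hints += [hint for needle, hint in HINTS.items() if needle in line]
    flagged = sorted(a for a, v in proposal.items() if v in REVIEW[a])
    return peers, proposal, flagged, hints
```

Running `triage(SAMPLE_LOG)` shows the agreed 3DES-CBC/SHA/PSK/modp1024 proposal with all four attributes flagged, and the two errors the poster could not explain mapped to "phase 1 never completed".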

Replies

Subject Author
Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup Paul Hartman <paul.hartman+gentoo@×××××.com>