On Sun, 17 May 2009 12:07:33 +0100
Mick <michaelkintzios@×××××.com> wrote:

> On Sunday 17 May 2009, Mick wrote:
> > Thanks Graham,
> >
> > On Saturday 16 May 2009, Graham Murray wrote:
> > > Here are some samples.
> > >
[8<]
>
> The more I try to use VPN the more I love SSH!
>
> http://bugs.gentoo.org/87920

Mick --

This is a *very* old bug. But it still happens. "WTF..."

I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?)

Anyway, it would appear like there is no Gentoo dev-loving on these packages, so maybe it would be a waste...

For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, that's my conclusion.)

I have:

net-firewall/ipsec-tools
net-dialup/xl2tpd

net-dialup/ppp <------ is this needed?

I don't have * net-misc/openswan ... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)

Is there some other package that should be needed to make this all work? Do I need "ppp" at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working. Here, I begin:

. . .

/etc/init.d/xl2tpd start
 * Starting xl2tpd ...                                                    [ ok ]

May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701

So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)

/etc/init.d/racoon start
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...                                                    [ ok ]

May 19 10:27:11 lappy hald [ loads additional crypt modules ]

Module                  Size  Used by
twofish                 5568  0
twofish_common         12672  1 twofish
serpent                15936  0
blowfish                7104  0
sha256_generic         10240  0

May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

[ And there is only 'deflate' available anyway... ?? ]

May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=9)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used as isakmp port (fd=10)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used for NAT-T
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

May 19 10:27:12 lappy racoon: DEBUG: sub:0xbfa34dc8: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=in
May 19 10:27:12 lappy racoon: DEBUG: db :0x80df108: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=fwd
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

... and so on.

I've followed a how-to that sets up the client as a separate tunnel device for the network, so I'll have to see if I can't fix the routing... though I think it shouldn't matter, and won't anyway if phase 1 fails...

Basically, I don't know WHAT is SUPPOSED to happen. But, pinging a machine inside the network, I get plenty of debug info:

May 19 10:35:32 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:35:32 lappy racoon: DEBUG: get pfkey ACQUIRE message
May 19 10:35:32 lappy racoon: DEBUG2:

May 19 10:35:32 lappy racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24

May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.add.vpn.ip.

May 19 10:35:32 lappy racoon: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='192.168.243.0/24', peer='NULL', id=0
May 19 10:35:32 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:35:32 lappy racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: in post_acquire
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.ip.dev.vpn.

Now some errors:

May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued due to no phase1 found.

... which makes sense, I guess. It appears it doesn't try to negotiate phase 1 until traffic is routed to that destination.

And I can't find a single explanatory reference for this:

May 19 10:35:32 lappy racoon: ERROR: unknown AF: 0

May 19 10:35:32 lappy racoon: DEBUG: ===
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: INFO: begin Identity Protection mode.
May 19 10:35:32 lappy racoon: DEBUG: new cookie:
May 19 10:35:32 lappy 52dcd374fabdaf4d
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 48, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 0
May 19 10:35:32 lappy racoon: DEBUG: 180 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: 1 times of 180 bytes message will be sent to pub.ip.dev.vpn[500]

May 19 10:35:32 lappy racoon: DEBUG: resend phase1 packet 52dcd374fabdaf4d:0000000000000000
May 19 10:35:32 lappy racoon: phase1(ident I msg1): 0.001421
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: DEBUG: 100 bytes message received from pub.ip.dev.vpn[500] to 192.168.1.100[500]

May 19 10:35:33 lappy ec427b1f
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=1(sa)
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=13(vid)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: DEBUG: total SA len=48
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10
May 19 10:35:33 lappy 80010005 80030001 80020002 80040002
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=2(prop)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: proposal #1 len=40
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=3(trns)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: transform #1 len=32
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: encryption(3des)
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: pair 1:
May 19 10:35:33 lappy racoon: DEBUG: 0x80e13f0: next=(nil) tnext=(nil)
May 19 10:35:33 lappy racoon: DEBUG: proposal #1: 1 transform
May 19 10:35:33 lappy racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May 19 10:35:33 lappy racoon: DEBUG: trns#=1, trns-id=IKE
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: Compared: DB:Peer
May 19 10:35:33 lappy racoon: DEBUG: (lifetime = 3600:3600)
May 19 10:35:33 lappy racoon: DEBUG: (lifebyte = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: (encklen = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
... so is this good? Sounds good..??

May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: agreed on pre-shared key auth.
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: oakley_dh_generate(MODP1024): 0.027674
May 19 10:35:33 lappy racoon: DEBUG: compute DH's private.

May 19 10:35:33 lappy racoon: DEBUG: compute DH's public.
May 19 10:35:33 lappy racoon: DEBUG:

May 19 10:35:33 lappy racoon: INFO: Hashing pub.ip.dev.vpn[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Hashing 192.168.1.100[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Adding remote and local NAT-D payloads.
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 128, next type 10
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 16, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 0
May 19 10:35:33 lappy racoon: DEBUG: 228 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: 1 times of 228 bytes message will be sent to pub.ip.dev.vpn[500]

May 19 11:16:35 lappy racoon: DEBUG: receive Information.
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted

And the only *other* error.

May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: extract_port.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found

Anyway, it fails. I guess I need to check the ph1 handler is established, but where, how?

My next step is to get on the phone with the folks who have access to the "checkpoint" VPN device to see if they can tell me what fails.

But, before I go chatting them up, I really would like some confirmation from someone familiar with the DISTRO that I've got all the BINARIES in place I could possibly need to accomplish this, and nothing conflicting.

Cheers,

--
 |\ /|  | |   ~  ~
 | \/ | |---| `|` ?
 | |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
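Added example, not part of the thread: a small Python parser for the ISAKMP SA payload that racoon dumped in the message above (the 48 hex bytes after "total SA len=48"). It walks the DOI/situation, proposal and transform headers and decodes the basic attributes into the same names racoon printed (3DES-CBC, SHA, pre-shared key, 1024-bit MODP group, 3600 seconds), then reports which of those a defender would flag today; the name tables are the subset of RFC 2409 Appendix A needed for this dump, and the weak-settings list is an assumption of current hardening guidance, not anything from the list.

```python
import struct

# Constructed from the log above: the 48 bytes racoon printed after
# "total SA len=48" (DOI, situation, one proposal carrying one transform).
SA_HEX = ("00000001 00000001 00000028 01010001 00000020 01010000 "
          "800b0001 800c0e10 80010005 80030001 80020002 80040002")

# Phase 1 attribute types and value names (subset of RFC 2409 Appendix A).
ATTR_NAMES = {1: "Encryption Algorithm", 2: "Hash Algorithm", 3: "Authentication Method",
              4: "Group Description", 11: "Life Type", 12: "Life Duration"}
VALUE_NAMES = {1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
               2: {1: "MD5", 2: "SHA", 4: "SHA2-256"},
               3: {1: "pre-shared key", 3: "RSA signatures"},
               4: {1: "768-bit MODP group", 2: "1024-bit MODP group", 14: "2048-bit MODP group"},
               11: {1: "seconds", 2: "kilobytes"}}
# Assumed hardening baseline: values a defender would flag in a proposal like this one.
WEAK = {"Encryption Algorithm": {"DES-CBC", "3DES-CBC"}, "Hash Algorithm": {"MD5", "SHA"},
        "Group Description": {"768-bit MODP group", "1024-bit MODP group"}}

def parse_attributes(buf):
    """Decode transform attributes: basic (AF bit set) or variable-length TLVs."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        af_type, lorv = struct.unpack_from("!HH", buf, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:                    # basic: the 2-byte field is the value
            value, off = lorv, off + 4
        else:                                   # variable: the 2-byte field is a length
            value = int.from_bytes(buf[off + 4:off + 4 + lorv], "big")
            off += 4 + lorv
        name = ATTR_NAMES.get(atype, "attr#%d" % atype)
        attrs[name] = VALUE_NAMES.get(atype, {}).get(value, str(value))
    return attrs

def parse_sa_payload(hexdump):
    """Walk DOI/situation, proposal header, transform header, then the attributes."""
    buf = bytes.fromhex(hexdump.replace(" ", ""))
    doi, situation = struct.unpack_from("!II", buf, 0)
    # Proposal: next, reserved, length, prop#, protocol-id, SPI size, #transforms
    _, _, _, p_no, proto, spi_size, n_trns = struct.unpack_from("!BBHBBBB", buf, 8)
    t_off = 16 + spi_size                       # transform follows the (empty) SPI
    # Transform: next, reserved, length, trns#, transform-id, reserved2
    _, _, t_len, t_no, t_id = struct.unpack_from("!BBHBB", buf, t_off)
    attrs = parse_attributes(buf[t_off + 8:t_off + t_len])
    return {"doi": doi, "situation": situation, "proposal": p_no, "protocol": proto,
            "transforms": n_trns, "transform": t_no, "transform_id": t_id,
            "attributes": attrs}

def weak_settings(parsed):
    """Return (attribute, value) pairs that fall below the assumed hardening baseline."""
    return [(k, v) for k, v in parsed["attributes"].items() if v in WEAK.get(k, ())]
```

parse_sa_payload(SA_HEX)["attributes"] reproduces the six "type=..., lorv=..." lines racoon logged for the peer's proposal, and weak_settings() flags the cipher, hash and DH group of that 2009 proposal.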