| 1 |
Hi All, |
| 2 |
|
| 3 |
I have been trying for some time now to set up a road warrior VPN client so |
| 4 |
that I can connect to my home router and administer machines on the LAN. |
| 5 |
|
| 6 |
However, my understanding of IPSec is poor and consequently my configuration of |
| 7 |
racoon is not working. There are other apps out there like strongswan, but |
| 8 |
would really like to learn to do it using the vanilla racoon and kernel set up |
| 9 |
first rather than apply another layer of software to it. |
| 10 |
|
| 11 |
Could some kind soul give me a nudge in troubleshooting this? |
| 12 |
|
| 13 |
|
| 14 |
On the home router I have: |
| 15 |
|
| 16 |
public IP: 123.456.78.9 |
| 17 |
LAN: 10.10.10.0/24 |
| 18 |
router LAN IP: 10.10.10.1 |
| 19 |
respond anymode |
| 20 |
local-id fqdn router1_VPN |
| 21 |
peer any |
| 22 |
encryption aes-256-cbc |
| 23 |
authentication pre-share |
| 24 |
DH group 2 |
| 25 |
|
| 26 |
crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp- |
| 27 |
sha-hmac |
| 28 |
mode tunnel |
| 29 |
|
| 30 |
|
| 31 |
On the laptop, I have this in the racoon.conf: |
| 32 |
=========================== |
| 33 |
# Racoon IKE daemon configuration file. |
| 34 |
# See 'man racoon.conf' for a description of the format and entries. |
| 35 |
|
| 36 |
path pre_shared_key "/etc/racoon/psk.txt"; |
| 37 |
path certificate "/etc/racoon/certs"; |
| 38 |
path script "/etc/racoon"; |
| 39 |
|
| 40 |
listen { |
| 41 |
# socket used for communication between racoon and racoonctl |
| 42 |
adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660; |
| 43 |
} |
| 44 |
|
| 45 |
remote 123.456.78.9 { |
| 46 |
exchange_mode aggressive; |
| 47 |
my_identifier fqdn "dell_xps_VPN"; |
| 48 |
peers_identifier fqdn "router1_VPN"; |
| 49 |
mode_cfg on; |
| 50 |
proposal_check obey; |
| 51 |
# nat_traversal on; |
| 52 |
# ike_frag on; |
| 53 |
# script "/etc/racoon/phase1_up_down.sh" phase1_up; |
| 54 |
# script "/etc/racoon/phase1_up_downdown.sh" phase1_down; |
| 55 |
proposal { |
| 56 |
encryption_algorithm aes; |
| 57 |
hash_algorithm sha1; |
| 58 |
authentication_method pre_shared_key; |
| 59 |
dh_group 2; |
| 60 |
} |
| 61 |
} |
| 62 |
|
| 63 |
sainfo anonymous { |
| 64 |
lifetime time 1 hour; |
| 65 |
encryption_algorithm aes; |
| 66 |
authentication_algorithm hmac_sha1; |
| 67 |
compression_algorithm deflate; |
| 68 |
} |
| 69 |
=========================== |
| 70 |
|
| 71 |
|
| 72 |
I connect to the Internet using my mobile and I get this from the ISP: |
| 73 |
|
| 74 |
# netstat -rn |
| 75 |
Kernel IP routing table |
| 76 |
Destination Gateway Genmask Flags MSS Window irtt Iface |
| 77 |
0.0.0.0 193.30.166.3 0.0.0.0 UG 0 0 0 ppp0 |
| 78 |
127.0.0.0 127.0.0.1 255.0.0.0 UG 0 0 0 lo |
| 79 |
193.30.166.3 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 |
| 80 |
|
| 81 |
Where 193.30.166.3 is the ISP's gateway. The ppp0 ip address is |
| 82 |
10.149.124.40: |
| 83 |
|
| 84 |
# ifconfig |
| 85 |
lo Link encap:Local Loopback |
| 86 |
inet addr:127.0.0.1 Mask:255.0.0.0 |
| 87 |
inet6 addr: ::1/128 Scope:Host |
| 88 |
UP LOOPBACK RUNNING MTU:16436 Metric:1 |
| 89 |
RX packets:252 errors:0 dropped:0 overruns:0 frame:0 |
| 90 |
TX packets:252 errors:0 dropped:0 overruns:0 carrier:0 |
| 91 |
collisions:0 txqueuelen:0 |
| 92 |
RX bytes:10678 (10.4 KiB) TX bytes:10678 (10.4 KiB) |
| 93 |
|
| 94 |
ppp0 Link encap:Point-to-Point Protocol |
| 95 |
inet addr:10.149.124.40 P-t-P:193.30.166.3 Mask:255.255.255.255 |
| 96 |
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 |
| 97 |
RX packets:5 errors:0 dropped:0 overruns:0 frame:0 |
| 98 |
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0 |
| 99 |
collisions:0 txqueuelen:3 |
| 100 |
RX bytes:74 (74.0 B) TX bytes:107 (107.0 B) |
| 101 |
|
| 102 |
|
| 103 |
Now the problem is that upon starting racoon I do not see a tunnel being |
| 104 |
formed and indeed I cannot connect to machines in the LAN. This from the log: |
| 105 |
|
| 106 |
========================================== |
| 107 |
Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from |
| 108 |
"/etc/racoon/racoon.conf" |
| 109 |
Nov 20 13:40:59 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring |
| 110 |
ports |
| 111 |
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port |
| 112 |
(fd=7) |
| 113 |
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T |
| 114 |
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port |
| 115 |
(fd=8) |
| 116 |
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T |
| 117 |
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port |
| 118 |
(fd=9) |
| 119 |
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used for NAT-T |
| 120 |
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port |
| 121 |
(fd=10) |
| 122 |
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used for NAT-T |
| 123 |
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11) |
| 124 |
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12) |
| 125 |
========================================== |
| 126 |
|
| 127 |
Why is it not showing the public router address 123.456.78.9 or the router LAN |
| 128 |
address and shows the loopback instead? |
| 129 |
|
| 130 |
I tried including this up/down script but it made no odds: |
| 131 |
================================== |
| 132 |
#!/bin/bash |
| 133 |
|
| 134 |
# |
| 135 |
# manipulate IPSec SA database on behalf of the racoon daemon |
| 136 |
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007 |
| 137 |
# |
| 138 |
|
| 139 |
#FIXME: read this from, e.g., /etc/sysconfig/racoon |
| 140 |
NAT_T="yes" |
| 141 |
|
| 142 |
|
| 143 |
shopt -s nocasematch |
| 144 |
umask 0022 |
| 145 |
|
| 146 |
PATH=/bin:/sbin:/usr/bin:/usr/sbin |
| 147 |
|
| 148 |
# set up NAT-T |
| 149 |
case "${NAT_T}" in |
| 150 |
yes|true|on|enable*|1) |
| 151 |
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]" |
| 152 |
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]" |
| 153 |
;; |
| 154 |
*) |
| 155 |
LOCAL="${LOCAL_ADDR}" |
| 156 |
REMOTE="${REMOTE_ADDR}" |
| 157 |
;; |
| 158 |
esac |
| 159 |
|
| 160 |
# determine interface and next-hop for our default route |
| 161 |
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}') |
| 162 |
DFLT_IF=${DFLT_RT#*;} |
| 163 |
DFLT_GW=${DFLT_RT%;*} |
| 164 |
|
| 165 |
|
| 166 |
# bring up phase1 |
| 167 |
phase1_up() { |
| 168 |
# check if VPN address already set up on default interface (dupe script |
| 169 |
call) |
| 170 |
ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && { |
| 171 |
echo "p1_up_down: phase1_up has already run !!!" |
| 172 |
exit 4 |
| 173 |
} |
| 174 |
|
| 175 |
# save current resolv.conf and create new one based on info from VPN server |
| 176 |
[ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf |
| 177 |
/etc/resolv.conf.prevpn |
| 178 |
{ |
| 179 |
echo "# Generated by racoon on $(date)" |
| 180 |
echo "search ${DEFAULT_DOMAIN}" |
| 181 |
for NS in ${INTERNAL_DNS4_LIST}; do |
| 182 |
echo "nameserver ${NS}" |
| 183 |
done |
| 184 |
} > /etc/resolv.conf |
| 185 |
|
| 186 |
# add VPN address to default interface |
| 187 |
ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32 |
| 188 |
# set up host route to VPN server |
| 189 |
ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF} |
| 190 |
|
| 191 |
if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then |
| 192 |
# split tunnel: keep existing default, insert specific tunnel routes |
| 193 |
for N in ${SPLIT_INCLUDE_CIDR}; do |
| 194 |
ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4} |
| 195 |
done |
| 196 |
else |
| 197 |
# full tunnel: set up any applicable exceptions |
| 198 |
for N in ${SPLIT_LOCAL_CIDR}; do |
| 199 |
ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} |
| 200 |
done |
| 201 |
# ... then replace default route with vpn tunnel |
| 202 |
ip route del default |
| 203 |
ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4} |
| 204 |
fi |
| 205 |
|
| 206 |
# update SA database |
| 207 |
setkey -c << EOT |
| 208 |
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec |
| 209 |
esp/tunnel/${LOCAL}-${REMOTE}/require; |
| 210 |
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec |
| 211 |
esp/tunnel/${REMOTE}-${LOCAL}/require; |
| 212 |
EOT |
| 213 |
} |
| 214 |
|
| 215 |
# bring down phase1 |
| 216 |
phase1_down() { |
| 217 |
# restore previous resolv.conf |
| 218 |
[ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn |
| 219 |
/etc/resolv.conf |
| 220 |
|
| 221 |
if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then |
| 222 |
# split tunnel: remove specific tunnel routes |
| 223 |
for N in ${SPLIT_INCLUDE_CIDR}; do |
| 224 |
ip route del ${N} |
| 225 |
done |
| 226 |
else |
| 227 |
# full tunnel: remove any applicable exceptions |
| 228 |
for N in ${SPLIT_LOCAL_CIDR}; do |
| 229 |
ip route del ${N} |
| 230 |
done |
| 231 |
# ... then restore original default route |
| 232 |
ip route del default |
| 233 |
ip route add default via ${DFLT_GW} dev ${DFLT_IF} |
| 234 |
fi |
| 235 |
|
| 236 |
# remove host route to VPN server |
| 237 |
ip route del ${REMOTE_ADDR} |
| 238 |
# remove VPN address from default interface |
| 239 |
ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32 |
| 240 |
|
| 241 |
# clean up SA database |
| 242 |
setkey -c << EOT |
| 243 |
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec |
| 244 |
esp/tunnel/${LOCAL}-${REMOTE}/require; |
| 245 |
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec |
| 246 |
esp/tunnel/${REMOTE}-${LOCAL}/require; |
| 247 |
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp; |
| 248 |
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp; |
| 249 |
# deleteall still broken on Linux, using 'flush esp' as workaround: |
| 250 |
flush esp; |
| 251 |
EOT |
| 252 |
} |
| 253 |
|
| 254 |
|
| 255 |
# print out parameters we received |
| 256 |
echo "p1_up_down: $1 starting..." |
| 257 |
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}" |
| 258 |
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}" |
| 259 |
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}" |
| 260 |
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}" |
| 261 |
echo "p1_up_down: DFLT_GW = ${DFLT_GW}" |
| 262 |
echo "p1_up_down: DFLT_IF = ${DFLT_IF}" |
| 263 |
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}" |
| 264 |
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}" |
| 265 |
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}" |
| 266 |
echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}" |
| 267 |
echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}" |
| 268 |
|
| 269 |
# check for valid VPN address |
| 270 |
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || { |
| 271 |
echo "p1_up_down: error: invalid INTERNAL_ADDR4." |
| 272 |
exit 1 |
| 273 |
} |
| 274 |
|
| 275 |
# check for valid default nexthop |
| 276 |
echo ${DFLT_GW} | grep -q '[0-9]' || { |
| 277 |
echo "p1_up_down: error: invalid DFLT_GW." |
| 278 |
exit 2 |
| 279 |
} |
| 280 |
|
| 281 |
# main "program" |
| 282 |
case "$1" in |
| 283 |
phase1_up) |
| 284 |
phase1_up |
| 285 |
;; |
| 286 |
phase1_down) |
| 287 |
phase1_down |
| 288 |
;; |
| 289 |
*) |
| 290 |
echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]" |
| 291 |
exit 3 |
| 292 |
;; |
| 293 |
esac |
| 294 |
|
| 295 |
echo "p1_up_down: $1 completed successfully." |
| 296 |
exit 0 |
| 297 |
================================== |
| 298 |
|
| 299 |
I've experimented with NAT on/off, etc, in racoon.conf but no joy. |
| 300 |
|
| 301 |
Where should I start? |
| 302 |
-- |
| 303 |
Regards, |
| 304 |
Mick |
Archives