Hi All,

I have been trying for some time now to set up a road warrior VPN client so
that I can connect to my home router and administer machines on the LAN.

However, my understanding of IPSec is poor and consequently my configuration of
racoon is not working. There are other apps out there like strongswan, but I
would really like to learn to do it using the vanilla racoon and kernel setup
first rather than apply another layer of software to it.

Could some kind soul give me a nudge in troubleshooting this?

On the home router I have:

public IP: 123.456.78.9
LAN: 10.10.10.0/24
router LAN IP: 10.10.10.1
respond anymode
local-id fqdn router1_VPN
peer any
encryption aes-256-cbc
authentication pre-share
DH group 2

crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac
mode tunnel

On the laptop, I have this in the racoon.conf:
===========================
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon";

listen {
        # socket used for communication between racoon and racoonctl
        adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
}

remote 123.456.78.9 {
        exchange_mode aggressive;
        my_identifier fqdn "dell_xps_VPN";
        peers_identifier fqdn "router1_VPN";
        mode_cfg on;
        proposal_check obey;
        # nat_traversal on;
        # ike_frag on;
        # script "/etc/racoon/phase1_up_down.sh" phase1_up;
        # script "/etc/racoon/phase1_up_downdown.sh" phase1_down;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
===========================

I connect to the Internet using my mobile and I get this from the ISP:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         193.30.166.3    0.0.0.0         UG      0 0        0 ppp0
127.0.0.0       127.0.0.1       255.0.0.0       UG      0 0        0 lo
193.30.166.3    0.0.0.0         255.255.255.255 UH      0 0        0 ppp0

Where 193.30.166.3 is the ISP's gateway. The ppp0 IP address is 10.149.124.40:

# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:252 errors:0 dropped:0 overruns:0 frame:0
          TX packets:252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10678 (10.4 KiB)  TX bytes:10678 (10.4 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.149.124.40  P-t-P:193.30.166.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:74 (74.0 B)  TX bytes:107 (107.0 B)

Now the problem is that upon starting racoon I do not see a tunnel being
formed and indeed I cannot connect to machines in the LAN. This is from the log:

==========================================
Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Nov 20 13:40:59 dell_xps racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
Nov 20 13:40:59 dell_xps racoon: INFO: 127.0.0.1[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port (fd=9)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used as isakmp port (fd=10)
Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[4500] used for NAT-T
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[500] used as isakmp port (fd=11)
Nov 20 13:40:59 dell_xps racoon: INFO: ::1[4500] used as isakmp port (fd=12)
==========================================

Why is it not showing the public router address 123.456.78.9 or the router LAN
address and shows the loopback instead?

I tried including this up/down script but it made no odds:
==================================
#!/bin/bash

#
# manipulate IPSec SA database on behalf of the racoon daemon
# Gabriel Somlo <somlo at cmu edu>, 08/27/2007
#

#FIXME: read this from, e.g., /etc/sysconfig/racoon
NAT_T="yes"


shopt -s nocasematch
umask 0022

PATH=/bin:/sbin:/usr/bin:/usr/sbin

# set up NAT-T
case "${NAT_T}" in
  yes|true|on|enable*|1)
    LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
    REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
    ;;
  *)
    LOCAL="${LOCAL_ADDR}"
    REMOTE="${REMOTE_ADDR}"
    ;;
esac

# determine interface and next-hop for our default route
DFLT_RT=$(ip route list | awk '($1 == "default"){print $3 ";" $5}')
DFLT_IF=${DFLT_RT#*;}
DFLT_GW=${DFLT_RT%;*}


# bring up phase1
phase1_up() {
  # check if VPN address already set up on default interface (dupe script call)
  ip addr list ${DFLT_IF} | grep -q "${INTERNAL_ADDR4}/32" && {
    echo "p1_up_down: phase1_up has already run !!!"
    exit 4
  }

  # save current resolv.conf and create new one based on info from VPN server
  [ -f /etc/resolv.conf.prevpn ] || cp /etc/resolv.conf /etc/resolv.conf.prevpn
  {
    echo "# Generated by racoon on $(date)"
    echo "search ${DEFAULT_DOMAIN}"
    for NS in ${INTERNAL_DNS4_LIST}; do
      echo "nameserver ${NS}"
    done
  } > /etc/resolv.conf

  # add VPN address to default interface
  ip addr add dev ${DFLT_IF} ${INTERNAL_ADDR4}/32
  # set up host route to VPN server
  ip route add ${REMOTE_ADDR} via ${DFLT_GW} dev ${DFLT_IF}

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: keep existing default, insert specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
    done
  else
    # full tunnel: set up any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route add ${N} via ${DFLT_GW} dev ${DFLT_IF}
    done
    # ... then replace default route with vpn tunnel
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF} src ${INTERNAL_ADDR4}
  fi

  # update SA database
  setkey -c << EOT
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
       esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
       esp/tunnel/${REMOTE}-${LOCAL}/require;
EOT
}

# bring down phase1
phase1_down() {
  # restore previous resolv.conf
  [ -f /etc/resolv.conf.prevpn ] && mv /etc/resolv.conf.prevpn /etc/resolv.conf

  if [ -n "${SPLIT_INCLUDE_CIDR}" ]; then
    # split tunnel: remove specific tunnel routes
    for N in ${SPLIT_INCLUDE_CIDR}; do
      ip route del ${N}
    done
  else
    # full tunnel: remove any applicable exceptions
    for N in ${SPLIT_LOCAL_CIDR}; do
      ip route del ${N}
    done
    # ... then restore original default route
    ip route del default
    ip route add default via ${DFLT_GW} dev ${DFLT_IF}
  fi

  # remove host route to VPN server
  ip route del ${REMOTE_ADDR}
  # remove VPN address from default interface
  ip addr del dev ${DFLT_IF} ${INTERNAL_ADDR4}/32

  # clean up SA database
  setkey -c << EOT
spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any -P out ipsec
          esp/tunnel/${LOCAL}-${REMOTE}/require;
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any -P in ipsec
          esp/tunnel/${REMOTE}-${LOCAL}/require;
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
# deleteall still broken on Linux, using 'flush esp' as workaround:
flush esp;
EOT
}


# print out parameters we received
echo "p1_up_down: $1 starting..."
echo "p1_up_down: LOCAL_ADDR = ${LOCAL_ADDR}"
echo "p1_up_down: LOCAL_PORT = ${LOCAL_PORT}"
echo "p1_up_down: REMOTE_ADDR = ${REMOTE_ADDR}"
echo "p1_up_down: REMOTE_PORT = ${REMOTE_PORT}"
echo "p1_up_down: DFLT_GW = ${DFLT_GW}"
echo "p1_up_down: DFLT_IF = ${DFLT_IF}"
echo "p1_up_down: INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "p1_up_down: INTERNAL_DNS4 = ${INTERNAL_DNS4}"
echo "p1_up_down: DEFAULT_DOMAIN = ${DEFAULT_DOMAIN}"
echo "p1_up_down: SPLIT_INCLUDE_CIDR = ${SPLIT_INCLUDE_CIDR}"
echo "p1_up_down: SPLIT_LOCAL_CIDR = ${SPLIT_LOCAL_CIDR}"

# check for valid VPN address
echo ${INTERNAL_ADDR4} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid INTERNAL_ADDR4."
  exit 1
}

# check for valid default nexthop
echo ${DFLT_GW} | grep -q '[0-9]' || {
  echo "p1_up_down: error: invalid DFLT_GW."
  exit 2
}

# main "program"
case "$1" in
  phase1_up)
    phase1_up
    ;;
  phase1_down)
    phase1_down
    ;;
  *)
    echo "p1_up_down: error: must be called by racoon w. arg=phase1_[up|down]"
    exit 3
    ;;
esac

echo "p1_up_down: $1 completed successfully."
exit 0
==================================

I've experimented with NAT on/off, etc., in racoon.conf but no joy.

Where should I start?
--
Regards,
Mick
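Reading the log in the post: the INFO lines only record racoon binding its ISAKMP sockets on every local address (loopback included), which is why the router's addresses never appear; no negotiation has been triggered at all, and racoon only starts phase 1 on a kernel ACQUIRE (an SPD policy matching outbound traffic) or an explicit `racoonctl vpn-connect`. As an added example, not from the post or from the racoon project, here is a small Python triage that reports how far a racoon log got and what to check next; the message patterns for stages beyond socket binding are assumed from racoon's own logging, and every sample line after the first two is constructed.

```python
import re

# Stages of a racoon (IKEv1) session, earliest to latest.
STAGES = ["none", "listening", "phase1-started", "isakmp-sa", "phase2-started", "ipsec-sa"]

# Message fragments assumed from racoon's own INFO logging; of these only
# "used as isakmp port" actually appears in the post's log.
STAGE_PATTERNS = [
    ("listening",      re.compile(r"used as isakmp port")),
    ("phase1-started", re.compile(r"(initiate|respond) new phase 1 negotiation")),
    ("isakmp-sa",      re.compile(r"ISAKMP-SA established")),
    ("phase2-started", re.compile(r"(initiate|respond) new phase 2 negotiation")),
    ("ipsec-sa",       re.compile(r"IPsec-SA established")),
]
ERROR_RE = re.compile(r"racoon: ERROR: (.+)$")

ADVICE = {
    "none": "no racoon messages; check the daemon started and where it logs",
    "listening": "sockets bound, nothing negotiated: racoon starts phase 1 only on a kernel ACQUIRE "
                 "(an SPD policy matching outbound traffic) or 'racoonctl vpn-connect'",
    "phase1-started": "phase 1 incomplete: check PSK, identifiers, proposal, UDP/500 and UDP/4500 reachability",
    "isakmp-sa": "phase 1 done, no phase 2: check the sainfo section and the SPD policy",
    "phase2-started": "phase 2 failed: compare the ESP transform (aes/hmac_sha1) with the peer",
    "ipsec-sa": "tunnel up: if traffic still fails, check routes and 'setkey -DP'",
}

def triage_racoon_log(lines):
    """Return {'stage', 'advice', 'errors'} for an excerpt of racoon log lines."""
    reached, errors = 0, []
    for line in lines:
        err = ERROR_RE.search(line)
        if err:                       # ERROR lines never advance the stage
            errors.append(err.group(1).strip())
            continue
        for name, pat in STAGE_PATTERNS:
            if pat.search(line):
                reached = max(reached, STAGES.index(name))
    stage = STAGES[reached]
    return {"stage": stage, "advice": ADVICE[stage], "errors": errors}

# Constructed samples: the first two lines are copied from the post, the rest are invented.
SAMPLE_STUCK = [
    'Nov 20 13:40:59 dell_xps racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"',
    "Nov 20 13:40:59 dell_xps racoon: INFO: 10.149.124.40[500] used as isakmp port (fd=9)",
]
SAMPLE_OK = SAMPLE_STUCK + [
    "Nov 20 13:41:10 dell_xps racoon: INFO: initiate new phase 1 negotiation: 10.149.124.40[500]<=>123.456.78.9[500]",
    "Nov 20 13:41:11 dell_xps racoon: INFO: ISAKMP-SA established 10.149.124.40[500]-123.456.78.9[500] spi:0000",
    "Nov 20 13:41:12 dell_xps racoon: INFO: IPsec-SA established: ESP/Tunnel 123.456.78.9[0]->10.149.124.40[0] spi=1",
]
```

Run it over the posted excerpt (`triage_racoon_log(SAMPLE_STUCK)`) and it stops at "listening", which points at the missing trigger rather than at the proposal or the PSK.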