On Sun, 17 May 2009 12:07:33 +0100 Mick <michaelkintz...@gmail.com> wrote:
> On Sunday 17 May 2009, Mick wrote:
> > Thanks Graham,
> >
> > On Saturday 16 May 2009, Graham Murray wrote:
> > > Here are some samples.
> > > [8<]
> > The more I try to use VPN the more I love SSH!
>
> http://bugs.gentoo.org/87920
>
> Mick
> --

This is a *very* old bug. But it still happens. "WTF..."

I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?) Anyway, it would appear that there is no Gentoo dev-loving on these packages, so maybe it would be a waste...

For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(

So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, insofar as I understand this crap, that's my conclusion.)

I have:

  net-firewall/ipsec-tools
  net-dialup/xl2tpd
  net-dialup/ppp      <------ is this needed?

I don't have

  * net-misc/openswan

... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)

Is there some other package that should be needed to make this all work? Do I need "ppp" at all? Isn't XL2TPD the full replacement?

Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working.

Here, I begin:

. . .

/etc/init.d/xl2tpd start
 * Starting xl2tpd ...                                          [ ok ]

May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701

So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)

/etc/init.d/racoon start
 * Loading ipsec policies from /etc/ipsec.conf.
 * Starting racoon ...                                          [ ok ]

May 19 10:27:11 lappy hald [ loads additional crypt modules ]

Module                  Size  Used by
twofish                 5568  0
twofish_common         12672  1 twofish
serpent                15936  0
blowfish                7104  0
sha256_generic         10240  0

May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.

[ And there is only 'deflate' available anyway... ?? ]

May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=9)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used as isakmp port (fd=10)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used for NAT-T
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message
May 19 10:27:12 lappy racoon: DEBUG: sub:0xbfa34dc8: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=in
May 19 10:27:12 lappy racoon: DEBUG: db :0x80df108: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=fwd
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message

... and so on.
I've followed a how-to that sets up the client as a separate tunnel device for the network, so I'll have to see if I can't fix the routing... though I think it shouldn't matter, and won't anyway if phase 1 fails...

Basically, I don't know WHAT is SUPPOSED to happen. But, pinging a machine inside the network, I get plenty of debug info:

May 19 10:35:32 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:35:32 lappy racoon: DEBUG: get pfkey ACQUIRE message
May 19 10:35:32 lappy racoon: DEBUG2:
May 19 10:35:32 lappy racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.add.vpn.ip.
May 19 10:35:32 lappy racoon: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='192.168.243.0/24', peer='NULL', id=0
May 19 10:35:32 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:35:32 lappy racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: in post_acquire
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.ip.dev.vpn.

Now some errors:

May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued due to no phase1 found.

... which makes sense, I guess.
It appears it doesn't try to negotiate phase 1 until traffic is routed to that destination. And I can't find a single explanatory reference for this:

May 19 10:35:32 lappy racoon: ERROR: unknown AF: 0

May 19 10:35:32 lappy racoon: DEBUG: ===
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: INFO: begin Identity Protection mode.
May 19 10:35:32 lappy racoon: DEBUG: new cookie:
May 19 10:35:32 lappy 52dcd374fabdaf4d
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 48, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 0
May 19 10:35:32 lappy racoon: DEBUG: 180 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: 1 times of 180 bytes message will be sent to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: resend phase1 packet 52dcd374fabdaf4d:0000000000000000
May 19 10:35:32 lappy racoon: phase1(ident I msg1): 0.001421
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: DEBUG: 100 bytes message received from pub.ip.dev.vpn[500] to 192.168.1.100[500]
May 19 10:35:33 lappy ec427b1f
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=1(sa)
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=13(vid)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: DEBUG: total SA len=48
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10
May 19 10:35:33 lappy 80010005 80030001 80020002 80040002
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=2(prop)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: proposal #1 len=40
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=3(trns)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: transform #1 len=32
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: encryption(3des)
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: pair 1:
May 19 10:35:33 lappy racoon: DEBUG: 0x80e13f0: next=(nil) tnext=(nil)
May 19 10:35:33 lappy racoon: DEBUG: proposal #1: 1 transform
May 19 10:35:33 lappy racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May 19 10:35:33 lappy racoon: DEBUG: trns#=1, trns-id=IKE
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: Compared: DB:Peer
May 19 10:35:33 lappy racoon: DEBUG: (lifetime = 3600:3600)
May 19 10:35:33 lappy racoon: DEBUG: (lifebyte = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: (encklen = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

... so is this good? Sounds good..??

May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: agreed on pre-shared key auth.
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: oakley_dh_generate(MODP1024): 0.027674
May 19 10:35:33 lappy racoon: DEBUG: compute DH's private.
May 19 10:35:33 lappy racoon: DEBUG: compute DH's public.
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy racoon: INFO: Hashing pub.ip.dev.vpn[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Hashing 192.168.1.100[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Adding remote and local NAT-D payloads.
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 128, next type 10
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 16, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 0
May 19 10:35:33 lappy racoon: DEBUG: 228 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: 1 times of 228 bytes message will be sent to pub.ip.dev.vpn[500]

May 19 11:16:35 lappy racoon: DEBUG: receive Information.
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted

And the only *other* error:

May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: extract_port.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found

Anyway, it fails. I guess I need to check that the ph1 handler is established, but where, how?

My next step is to get on the phone with the folks who have access to the "checkpoint" VPN device to see if they can tell me what fails. But, before I go chatting them up, I really would like some confirmation from someone familiar with the DISTRO that I've got all the BINARIES in place I could possibly need to accomplish this, and nothing conflicting.

Cheers,

-- 
|\  /|  |   |   ~ ~
| \/ |  |---|  `|` ?
|    |ichael |   |iggins  \^ /
michael.higgins[at]evolone[dot]org
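Decoding the peer's SA payload by hand, as an added example that is not part of the post above and not code from ipsec-tools: the 48 bytes racoon hex-dumps after "total SA len=48" are the Checkpoint side's phase-1 proposal in ISAKMP SA-payload form (RFC 2408 proposal and transform payloads carrying RFC 2409 Appendix A attributes), and the "type=..., lorv=..." lines that follow are racoon's decode of exactly those bytes. The script below parses such a dump generically (several proposals, several transforms, basic and variable-length attributes), prints the same decode, and flags the parameters a security reviewer would push back on. The hex string is copied from the log above; the attribute-name tables and the weak_points() policy are this example's own assumptions, not racoon's.

```python
"""Decode the IKEv1 (ISAKMP) SA payload that racoon hex-dumps at DEBUG level.

Added example: not from the gentoo-user thread and not ipsec-tools code.
PEER_SA_HEX is copied from the racoon log in the post; the name tables
below follow RFC 2409 Appendix A and the weak_points() policy is our own.
"""
import struct

# RFC 2409 Appendix A: IKE (Oakley) attribute classes and a few common values.
ATTR_NAMES = {1: "Encryption Algorithm", 2: "Hash Algorithm",
              3: "Authentication Method", 4: "Group Description",
              11: "Life Type", 12: "Life Duration"}
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"},
    3: {1: "pre-shared key", 3: "RSA signatures"},
    4: {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP"},
    11: {1: "seconds", 2: "kilobytes"},
}

# Copied from the post's log. racoon prints the SA payload body (DOI,
# situation, proposal) without the 4-byte generic payload header.
PEER_SA_HEX = ("00000001 00000001 00000028 01010001 00000020 01010000 "
               "800b0001 800c0e10 80010005 80030001 80020002 80040002")


def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        af_type, second = struct.unpack_from("!HH", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:            # AF=1: basic attribute, 2-byte value
            attrs[atype] = second
            off += 4
        else:                           # AF=0: 'second' is a length, value follows
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + second], "big")
            off += 4 + second
    return attrs


def parse_sa_payload(hexdump):
    """Parse DOI, situation and every proposal/transform of an IKEv1 SA payload."""
    data = bytes.fromhex("".join(hexdump.split()))
    doi, situation = struct.unpack_from("!II", data, 0)
    proposals, off = [], 8
    while off + 8 <= len(data):
        # Proposal payload: next, reserved, length, prop#, proto-id, SPI size, #transforms
        _nxt, _rsv, plen, pnum, proto, spisize, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, transforms = off + 8 + spisize, []
        for _ in range(ntrans):
            # Transform payload: next, reserved, length, trns#, trns-id, reserved2
            _nxt, _rsv, tlen, tnum, tid, _rsv2 = struct.unpack_from("!BBHBBH", data, toff)
            transforms.append({"num": tnum, "id": tid,
                               "attrs": parse_attributes(data[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"num": pnum, "proto": proto, "spi_size": spisize,
                          "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def describe(attrs):
    """Render attributes like racoon's 'type=..., lorv=...' lines."""
    out = []
    for atype, value in attrs.items():
        name = ATTR_NAMES.get(atype, "attr#%d" % atype)
        label = ATTR_VALUES.get(atype, {}).get(value, str(value))
        out.append("%s=%s" % (name, label))
    return out


def weak_points(attrs):
    """Our own review policy for a phase-1 transform; not a racoon check."""
    findings = []
    if attrs.get(1) in (1, 5):
        findings.append("64-bit block cipher (DES/3DES)")
    if attrs.get(2) in (1, 2):
        findings.append("MD5/SHA-1 as hash/PRF")
    if attrs.get(4) in (1, 2):
        findings.append("DH group of 1024 bits or less")
    if attrs.get(3) == 1:
        findings.append("pre-shared key: symmetric, any holder can impersonate either side")
    return findings


if __name__ == "__main__":
    sa = parse_sa_payload(PEER_SA_HEX)
    print("DOI=%d situation=%d" % (sa["doi"], sa["situation"]))
    for p in sa["proposals"]:
        for t in p["transforms"]:
            print("proposal #%d transform #%d: %s"
                  % (p["num"], t["num"], ", ".join(describe(t["attrs"]))))
            for f in weak_points(t["attrs"]):
                print("  review:", f)
```

Run against the dump from the log, the decode reproduces racoon's own lines (3DES-CBC, SHA, pre-shared key, 1024-bit MODP, 3600 seconds), which is how to confirm independently what the gateway offered versus what racoon.conf accepted. It only tells you that message 2 of main mode was well-formed; the log above then shows message 3 (KE, nonce and two NAT-D payloads, 228 bytes) leaving at 10:35:33 and the "no established ph1 handler found" lines ten seconds later, so whether the gateway ever answered message 3 is the next thing to establish, and the "none message must be encrypted" error carries an 11:16:35 timestamp and belongs to a later attempt.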