
VPN: time up error in phase 1



Hello everyone.

I'm not sure this is the right place, but I'm getting desperate and, of all the Debian mailing lists, I haven't found one that seemed right for my problem.

I'm trying to set up a VPN between the two offices of the company I work for, but I get a "time up error at phase 1" in the logs. Both machines are Debian Sarge boxes acting as gateway and proxy-cache, connected to ADSL routers and running 2.6.11 kernels.

[root@soun:~]# uname -a
Linux soun 2.6.11.10 #1 Wed May 18 16:21:28 CEST 2005 i686 GNU/Linux

[root@nabiki:~]# uname -a
Linux nabiki 2.6.11 #1 Mon Mar 7 12:16:19 CET 2005 i686 GNU/Linux

These are the steps I followed:

1. apt-get install ipsec-tools racoon iproute iptables

(I chose the racoon-tool method to create the file)

2. I created this /etc/racoon/racoon-tool.conf file on gateway A:

------------------------------------ /etc/racoon/racoon-tool.conf A
global:
        log: notify

peer(%default):
        verify_identifier: on
        hash_algorithm[0]: sha1
        encryption_algorithm[0]: aes

connection(%default):
        src_ip: 213.96.80.51

peer(80.36.214.182):
        peers_identifier: address

connection(to-nabiki):
        dst_ip: 80.36.214.182
        src_range: 192.168.0.0/24
        dst_range: 192.168.1.0/24
        admin_status: enabled
-------------------------------------

Which generated this /etc/racoon/racoon.conf file:

------------------------------------ /etc/racoon/racoon.conf A
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 80.36.214.182 {
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        verify_identifier on;
        peers_identifier address;
        exchange_mode main;
}

sainfo address 192.168.0.0/24[any] any address 192.168.1.0/24[any] any {
        pfs_group modp1024;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
------------------------------------------------

Well, actually it created the file /var/lib/racoon/racoon.conf, but I copied it manually to /etc/racoon/ because that seems to be a bug in the package.

I also added the following entries to /etc/racoon/psk.txt on both machines:

80.36.214.182   key1
213.96.80.51    key2

Where both keys were generated with:

$ dd if=/dev/random count=20 bs=1 | xxd -ps

I generated the /etc/racoon/racoon.conf file for gateway B the same way (starting from /etc/racoon/racoon-tool.conf):

------------------------------------ /etc/racoon/racoon.conf B
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;

remote 213.96.80.51 {
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        verify_identifier on;
        peers_identifier address;
        exchange_mode main;
}

sainfo address 192.168.1.0/24[any] any address 192.168.0.0/24[any] any {
        pfs_group modp1024;
        encryption_algorithm aes,3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
----------------------------------------------------

Then, when I try to start the servers, this is what I get:

$ cat /var/log/syslog
May 20 11:58:37 soun racoon-tool[6532]: loaded IPSEC/crypto modules.
May 20 11:58:37 soun racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
May 20 11:58:37 soun racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=8)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=9)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: racoon started.
May 20 11:58:37 soun racoon-tool[6532]: flushed SAD and SPD.
May 20 11:58:37 soun racoon: INFO: unsupported PF_KEY message REGISTER
May 20 11:58:37 soun last message repeated 2 times
May 20 11:58:37 soun racoon-tool[6532]: loaded SAD and SPD.
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used as isakmp port (fd=10)
May 20 11:58:37 soun racoon: INFO: 192.168.0.4[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used as isakmp port (fd=11)
May 20 11:58:37 soun racoon: INFO: 213.96.80.51[500] used for NAT-T
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
May 20 11:58:37 soun racoon: INFO: 127.0.0.1[500] used for NAT-T
May 20 11:58:37 soun racoon-tool[6532]: configured racoon.
May 20 11:58:38 soun racoon: INFO: respond new phase 1 negotiation: 213.96.80.51[500]<=>80.36.214.182[500]
May 20 11:58:38 soun racoon: INFO: begin Identity Protection mode.
May 20 11:58:38 soun racoon: INFO: received Vendor ID: DPD
May 20 11:59:40 soun racoon: ERROR: phase1 negotiation failed due to time up. 32 0bb0f9eaea575d:536714fe6ae3cdb5
------------------------------------------------------------

My firewall (iptables) is configured the same way as when I was using FreeSWAN, and it worked fine then. In any case, I've tried restarting both racoon servers after taking the firewall down (/etc/init.d/iptables clear) and the results are exactly the same.

Any ideas or advice? Thanks in advance.

--
Jaume Sabater
http://linuxsilo.net/

"Ubi sapientas ibi libertas"
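An added check, written for this page rather than taken from the post or from the ipsec-tools project: with `authentication_method pre_shared_key` and `peers_identifier address`, racoon looks up psk.txt by the remote gateway's address, so each side uses the entry that names its peer. The post puts the same two lines, with two independently generated keys, on both machines, which means gateway A (213.96.80.51) selects the key for 80.36.214.182 while gateway B selects the key for 213.96.80.51. The script below parses the psk.txt format, simulates that lookup from both ends and reports whether the two selections agree; it also shows the `0x` hex form, since racoon treats a key without that prefix as a literal string (the `xxd -ps` output in the post becomes 40 ASCII characters, not 20 raw bytes). Whether or not a key mismatch is what produces the time-up seen in this log, it will fail phase 1 once the exchange gets that far. The psk.txt contents and addresses are constructed from the post; `key1`/`key2` stand in for the real values.

```python
"""Simulate racoon's psk.txt lookup for a pair of IPsec gateways (added example)."""
import secrets


def parse_psk(text):
    """Parse psk.txt contents into {identifier: key}.

    Format: one "identifier  key" pair per line, '#' starts a comment.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("psk.txt line %d: expected 'identifier key'" % lineno)
        ident, key = parts
        table[ident] = key.strip()
    return table


def key_for_peer(table, peer_ip):
    """The entry racoon selects when the peer is identified by its address."""
    return table.get(peer_ip)


def key_bytes(key):
    """Bytes racoon uses as the secret: hex when the key starts with 0x, else the literal text."""
    if key.startswith("0x"):
        return bytes.fromhex(key[2:])
    return key.encode()


def check_pair(psk_a, peer_of_a, psk_b, peer_of_b):
    """Compare the key gateway A picks for its peer with the key gateway B picks for its peer."""
    a_key = key_for_peer(parse_psk(psk_a), peer_of_a)
    b_key = key_for_peer(parse_psk(psk_b), peer_of_b)
    match = (a_key is not None and b_key is not None
             and key_bytes(a_key) == key_bytes(b_key))
    return {"a_key": a_key, "b_key": b_key, "match": match}


def generate_psk_line(identifier, nbytes=20):
    """A psk.txt line with nbytes of CSPRNG output, 0x-prefixed so racoon uses the raw bytes."""
    return "%s\t0x%s" % (identifier, secrets.token_hex(nbytes))


# Constructed input: the two lines the post says were placed on BOTH machines,
# with key1/key2 standing in for two independently generated values.
SAME_FILE_ON_BOTH = "80.36.214.182   key1\n213.96.80.51    key2\n"

if __name__ == "__main__":
    r = check_pair(SAME_FILE_ON_BOTH, "80.36.214.182",
                   SAME_FILE_ON_BOTH, "213.96.80.51")
    print("A (213.96.80.51) uses %s, B (80.36.214.182) uses %s, match: %s"
          % (r["a_key"], r["b_key"], r["match"]))

    # One secret shared by both ends: A's file names B's address, B's file
    # names A's address, and both lines carry the same key.
    shared = generate_psk_line("80.36.214.182").split("\t")[1]
    r = check_pair("80.36.214.182 %s\n" % shared, "80.36.214.182",
                   "213.96.80.51 %s\n" % shared, "213.96.80.51")
    print("with one shared secret, match: %s" % r["match"])
```

Run it as-is to see the two-key layout flagged; point `check_pair` at the real files on each gateway (reading them as root, since psk.txt should be mode 0600) to check a live setup.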



_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

