Re: Kernel 2.6 racoon <--> Sonicwall VPN

It seems to me that the cipher one side is proposing is not being accepted by the other.
I have connected freeswan 1.99 to a sonicwall using:
esp = 3DES-SHA1
ike = 3DES-SHA-MODP1024
hope that helps.


On 22-Nov-05, at 10:22 AM, James Crow wrote:

Greetings all,

If this is the wrong list for this question please advise where I should go.

I have a Debian stable box running kernel 2.4 with the FreeSWAN patches. This configuration has been working for quite some time. I now have a need to move to kernel 2.6 and would like to use the native ipsec stack and racoon ike daemon.

I installed 2.6.12-1-k7, ipsec-tools, and racoon. I created a config that matched my FreeSwan config using shared keys. I am unable to get the tunnels up.

My racoon log shows the connection fails at phase 1. Here is a snippet:
2005-11-22 10:03:02: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2005-11-22 10:03:06: INFO: respond new phase 1 negotiation: 11.22.33.11[500]<=>11.22.33.182[500]
2005-11-22 10:03:06: INFO: begin Identity Protection mode.
2005-11-22 10:03:06: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2005-11-22 10:03:06: ERROR: no suitable proposal found.
2005-11-22 10:03:06: ERROR: failed to get valid proposal.
2005-11-22 10:03:06: ERROR: failed to process packet.

My ipsec-tools.conf:
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
 flush;
 spdflush;

#Cherrydale
spdadd 10.1.1.0/25 192.168.105.0/24 any -P out ipsec
        esp/tunnel/11.22.33.11-11.22.33.182/require;
spdadd 192.168.105.0/24 10.1.1.0/25 any -P in ipsec
        esp/tunnel/11.22.33.182-11.22.33.11/require;


My racoon.conf:
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

log notify; # or notify,debug,debug2
# "padding" defines some parameter of padding. You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        isakmp  11.22.33.11 [500];
        strict_address;
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# Cherrydale to corp
remote 11.22.33.182
{
        lifetime time 24 hours;
        exchange_mode main;
        send_cr off;
        send_cert off;
        proposal {
                #encryption_algorithm blowfish;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 300 seconds;
        }
}

# local net to remote net
sainfo address 10.1.1.0/25 any address 192.168.105.0/24 any {
        lifetime time 12 hours;
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm   deflate;
}
# End Cherrydale to corp

My SonicWall config:
Phase 1:
	Exchange: Main Mode
	DH Group: Group 2
	Encryption: 3DES
	Authentication: SHA1

Phase 2
	Protocol: ESP
	Encryption: 3DES
	Authentication: SHA1


Any idea what I am missing?

Thanks,
James

--
James Crow
Ultratan, Inc.
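The log above fails inside phase 1 with "no suitable proposal found" even though both ends list 3DES, SHA1, pre-shared key and DH group 2. What the poster's config does not show is how racoon decides on the one attribute the SonicWall screen does not list, the phase 1 lifetime: racoon.conf(5) documents this under proposal_check (obey | strict | claim | exact, default strict), and under strict a responder whose own lifetime is shorter than the initiator's rejects the proposal. The Python below is an added example, not code from the thread or from racoon itself. It models racoon's responder-side matching using the proposal posted in the thread (3des, sha1, pre_shared_key, dh_group 2, 300 seconds) against a constructed peer proposal; the peer's 28800-second lifetime is an assumed value, not something stated in the thread. It also shows how to pull the failing phase out of racoon log lines in the format shown above (the log lines here are constructed to match that format).

```python
"""Added example (not from the original thread): model how racoon(8), acting
as the IKE phase 1 responder, accepts or rejects a peer's proposal, and find
the failing phase in racoon log lines.

Attribute and lifetime rules follow the proposal_check directive described in
racoon.conf(5) (obey | strict | claim | exact; racoon's default is strict).
The peer proposal is constructed sample data: 28800 s is an assumed peer
phase 1 lifetime, not a value taken from the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str   # e.g. "3des"
    hash: str         # e.g. "sha1"
    auth: str         # e.g. "pre_shared_key"
    dh_group: int     # e.g. 2 (MODP1024)
    lifetime: int     # seconds


def check_lifetime(mode: str, ours: int, theirs: int):
    """Responder-side lifetime decision per racoon.conf(5) proposal_check.

    Returns (accepted, negotiated_lifetime_or_None)."""
    if mode == "obey":            # take whatever the initiator proposes
        return True, theirs
    if mode == "strict":          # ours longer or equal: use theirs; ours shorter: reject
        return (True, theirs) if ours >= theirs else (False, None)
    if mode == "claim":           # ours shorter: use ours and notify RESPONDER-LIFETIME
        return True, min(ours, theirs)
    if mode == "exact":           # lengths must be identical
        return (True, theirs) if ours == theirs else (False, None)
    raise ValueError(f"unknown proposal_check mode: {mode}")


def match_phase1(ours: Phase1Proposal, theirs: Phase1Proposal, mode: str = "strict"):
    """Return (accepted, reason). Cipher, hash, authentication method and DH
    group must match exactly; only the lifetime is governed by proposal_check."""
    for name in ("encryption", "hash", "auth", "dh_group"):
        mine, peer = getattr(ours, name), getattr(theirs, name)
        if mine != peer:
            return False, f"{name} mismatch: ours={mine} peer={peer}"
    ok, negotiated = check_lifetime(mode, ours.lifetime, theirs.lifetime)
    if not ok:
        return False, (f"lifetime mismatch under proposal_check {mode}: "
                       f"ours={ours.lifetime}s peer={theirs.lifetime}s")
    return True, f"accepted, phase 1 lifetime {negotiated}s"


PHASE_RE = re.compile(r"(?:respond|initiate) new phase (\d) negotiation")


def failing_phase(log_lines):
    """Return the phase whose negotiation preceded 'no suitable proposal found'
    in racoon's log, or None if no such error is logged."""
    current = None
    for line in log_lines:
        m = PHASE_RE.search(line)
        if m:
            current = int(m.group(1))
        if "no suitable proposal found" in line:
            return current
    return None


# Local proposal exactly as posted in the thread's racoon.conf
LOCAL = Phase1Proposal("3des", "sha1", "pre_shared_key", 2, 300)
# Constructed peer proposal: same algorithms, longer (assumed) lifetime
PEER = Phase1Proposal("3des", "sha1", "pre_shared_key", 2, 28800)

# Constructed log lines in racoon's format (addresses copied from the thread)
SAMPLE_LOG = [
    "2005-11-22 10:03:06: INFO: respond new phase 1 negotiation: "
    "11.22.33.11[500]<=>11.22.33.182[500]",
    "2005-11-22 10:03:06: INFO: begin Identity Protection mode.",
    "2005-11-22 10:03:06: ERROR: no suitable proposal found.",
]

if __name__ == "__main__":
    for mode in ("strict", "obey", "claim", "exact"):
        print(f"{mode:7s}", match_phase1(LOCAL, PEER, mode))
    print("failing phase:", failing_phase(SAMPLE_LOG))
```

Running it shows the point: with identical algorithms the proposal is rejected under strict and exact purely on lifetime, and accepted under obey (taking the peer's 28800 s) or claim (keeping the local 300 s and notifying the peer). When comparing two IPsec endpoints, compare the lifetimes and the proposal_check mode alongside the cipher list before concluding the algorithms disagree.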


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org