
Re: Racoon



Last state:

root@mx04:/etc/racoon# racoonctl show-event
reload-config : x.x.x.x[500] -> x.x.x.x[500]
Phase 1 deleted : x.x.x.x[500] -> x.x.x.x[500]
Phase 1 established : x.x.x.x[500] -> x.x.x.x[500]
Phase 1 mode configuration done : x.x.x.x[500] -> x.x.x.x.[500]



On Tue, Sep 30, 2014 at 12:49 AM, Gokan Atmaca <linux.gokan@gmail.com> wrote:
> In addition to the logs;
>
> Sep 29 21:46:02 mx04 racoon: [x.x.x.x] ERROR: couldn't find the pskey
> for x.x.x.x.
> Sep 29 21:46:02 mx04 racoon: [x.x.x.x] ERROR: failed to process ph1
> packet (side: 1, status: 4).
> Sep 29 21:46:02 mx04 racoon: [x.x.x.x] ERROR: phase1 negotiation
> failed.
> Sep 29 21:46:28 mx04 racoon: DEBUG: pfkey X_SPDDUMP failed: No such
> file or directory
> Sep 29 21:47:17 mx04 racoon: DEBUG: pfkey X_SPDDUMP failed: No such
> file or directory
>
>
>
> On Mon, Sep 29, 2014 at 10:40 PM, Gokan Atmaca <linux.gokan@gmail.com> wrote:
>> Hello
>>
>>>What do you get in the logs?
>>>For a "connection" (by which I assume you mean an established tunnel)
>>>to be established, racoon needs to do the handshakes with the other
>>>side - if these fail, there should be traces of it in the
>>>logs.
>>
>>
>> Debian racoon logs:
>>
>> Sep 29 17:26:57 mx04 rsyslogd-2177: imuxsock lost 29 messages from pid
>> 2353 due to rate-limiting
>> Sep 29 17:26:57 mx04 racoon: DEBUG: ===
>> Sep 29 17:26:57 mx04 racoon: DEBUG: 84 bytes message received from
>> 2.2.2.2[500] to 1.1.1.1[500]
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #012d023406b 52dfd0b5 abb9799e
>> 9ea312c0 08100501 940797cb 00000054 8b2eaffd#0128f73c0ea 8174951c
>> 9016a691 576c75df 8c598304 4a59b436 84681892 17b9f076#012d50b7bd4
>> 6b7bfd6c 5c38a83d ef4421f7 254a7906
>> Sep 29 17:26:57 mx04 racoon: DEBUG: receive Information.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: compute IV for phase2
>> Sep 29 17:26:57 mx04 racoon: DEBUG: phase1 last IV:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #012049e3207 97a2f76e 940797cb
>> Sep 29 17:26:57 mx04 racoon: DEBUG: hash(md5)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: encryption(3des)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: phase2 IV computed:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #0126ee4bc2f 792ffba2
>> Sep 29 17:26:57 mx04 racoon: DEBUG: begin decryption.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: encryption(3des)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: IV was saved for next processing:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #012ef4421f7 254a7906
>> Sep 29 17:26:57 mx04 racoon: DEBUG: encryption(3des)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: with key:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #0121158b894 fcf8cc8f b7963aff
>> 9f508c30 40f85979 1d9148c3
>> Sep 29 17:26:57 mx04 racoon: DEBUG: decrypted payload by IV:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #0126ee4bc2f 792ffba2
>> Sep 29 17:26:57 mx04 racoon: DEBUG: decrypted payload, but not trimed.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #0120c000014 2c306481 245bb895
>> c7569e24 15af84bc 0000001c 00000001 01100001#012d023406b 52dfd0b5
>> abb9799e 9ea312c0 2c7f01b2 ab9d2807
>> Sep 29 17:26:57 mx04 racoon: DEBUG: padding len=8
>> Sep 29 17:26:57 mx04 racoon: DEBUG: skip to trim padding.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: decrypted.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #012d023406b 52dfd0b5 abb9799e
>> 9ea312c0 08100501 940797cb 00000054 0c000014#0122c306481 245bb895
>> c7569e24 15af84bc 0000001c 00000001 01100001 d023406b#01252dfd0b5
>> abb9799e 9ea312c0 2c7f01b2 ab9d2807
>> Sep 29 17:26:57 mx04 racoon: DEBUG: IV freed
>> Sep 29 17:26:57 mx04 racoon: DEBUG: HASH with:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #012940797cb 0000001c 00000001
>> 01100001 d023406b 52dfd0b5 abb9799e 9ea312c0
>> Sep 29 17:26:57 mx04 racoon: DEBUG: hmac(hmac_md5)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: HASH computed:
>> Sep 29 17:26:57 mx04 racoon: DEBUG: #0122c306481 245bb895 c7569e24 15af84bc
>> Sep 29 17:26:57 mx04 racoon: DEBUG: hash validated.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: begin.
>> Sep 29 17:26:57 mx04 racoon: DEBUG: seen nptype=8(hash)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: seen nptype=12(delete)
>> Sep 29 17:26:57 mx04 racoon: DEBUG: succeed.
>> Sep 29 17:26:57 mx04 racoon: [2.2.2.2.] DEBUG: delete payload for
>> protocol ISAKMP
>> Sep 29 17:26:57 mx04 racoon: INFO: ISAKMP-SA expired
>> 1.1.1.1[500]-2.2.2.2[500] spi:d023406b52dfd0b5:abb9799e9ea312c0
>> Sep 29 17:26:57 mx04 racoon: INFO: ISAKMP-SA deleted
>> 1.1.1.1[500]-2.2.2.2[500] spi:d023406b52dfd0b5:abb9799e9ea312c0
>> Sep 29 17:26:57 mx04 racoon: DEBUG: IV freed
>> Sep 29 17:26:57 mx04 racoon: DEBUG: purged SAs.
>>
>> ============
>>
>>> This looks like a bad copy/paste?? You have spaces in it? Really??
>> Yes, bad paste...
>> ===========
>>
>>
>>> Which version of racoon is this?
>>
>>
>> Racoon information:
>>
>> root@mx04:/etc/racoon# dpkg -s racoon
>> Package: racoon
>> Status: install ok installed
>> Priority: extra
>> Section: net
>> Installed-Size: 1120
>> Maintainer: Matthew Grant <matthewgrant5@gmail.com>
>> Architecture: amd64
>> Source: ipsec-tools
>> Version: 1:0.8.0-14
>> Provides: ike-server
>> Depends: debconf (>= 0.5) | debconf-2.0, ipsec-tools (= 1:0.8.0-14),
>> libc6 (>= 2.8), libcomerr2 (>= 1.01), libgssapi-krb5-2 (>=
>> 1.10+dfsg~), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2),
>> libldap-2.4-2 (>= 2.4.7), libpam0g (>= 0.99.7.1), libssl1.0.0 (>=
>> 1.0.0), adduser, perl
>> Conflicts: ike-server
>> Conffiles:
>>  /etc/init.d/racoon 249ef4dcc91c0b3f05fdda8c13b9d5ac
>>  /etc/racoon/psk.txt 8912f9ec996ab814f11c45064e80b749
>>  /etc/racoon/racoon-tool.conf dd682434a9e4bfa828c3595510874e15
>>  /etc/racoon/racoon.conf 4f91882b325d8ab11361171ef0e56c5d
>> Description: IPsec Internet Key Exchange daemon
>>  IPsec (Internet Protocol security) offers end-to-end security for
>>  network traffic at the IP layer.
>> =================
>>
>> B site logs:
>>
>> 01108d29 6f187d06
>> 22:27:11 ipsec,debug,packet e00903ea 2d309a93 7021a75d 000006ec 9db78703
>> 22:27:11 ipsec,debug,packet HASH with:
>> 22:27:11 ipsec,debug,packet b3c284d5 00000020 00000001 01108d29
>> 6f187d06 e00903ea
>> 2d309a93 7021a75d
>> 22:27:11 ipsec,debug,packet 000006ec
>> 22:27:11 ipsec,debug,packet hmac(hmac_md5)
>> 22:27:11 ipsec,debug,packet HASH computed:
>> 22:27:11 ipsec,debug,packet a020f2a8 63d1e2eb 09deec37 eca91b36
>> 22:27:11 ipsec,debug,packet hash validated.
>> 22:27:11 ipsec,debug,packet begin.
>> 22:27:11 ipsec,debug,packet seen nptype=8(hash)
>> 22:27:11 ipsec,debug,packet seen nptype=11(notify)
>> 22:27:11 ipsec,debug,packet succeed.
>> 22:27:11 ipsec,debug,packet DPD R-U-There-Ack received
>> 22:27:11 ipsec,debug,packet received an R-U-THERE-ACK
>> 22:29:11 ipsec,debug,packet DPD monitoring....
>> 22:29:11 ipsec,debug,packet compute IV for phase2
>> 22:29:11 ipsec,debug,packet phase1 last IV:
>> 22:29:11 ipsec,debug,packet c5dfab82 921ed132 b6fcee44
>> 22:29:11 ipsec,debug,packet hash(md5)
>> 22:29:11 ipsec,debug,packet encryption(3des)
>> 22:29:11 ipsec,debug,packet phase2 IV computed:
>> 22:29:11 ipsec,debug,packet 493da261 2debdfc4
>> 22:29:11 ipsec,debug,packet HASH with:
>> 22:29:11 ipsec,debug,packet b6fcee44 00000020 00000001 01108d28
>> 6f187d06 e00903ea
>> 2d309a93 7021a75d
>> 22:29:11 ipsec,debug,packet 000006ed
>> 22:29:11 ipsec,debug,packet hmac(hmac_md5)
>> 22:29:11 ipsec,debug,packet HASH computed:
>> 22:29:11 ipsec,debug,packet 32fee3ae b91d25a6 b9a87f84 d7c297c3
>> 22:29:11 ipsec,debug,packet begin encryption.
>> 22:29:11 ipsec,debug,packet encryption(3des)
>> 22:29:11 ipsec,debug,packet pad length = 4
>> 22:29:11 ipsec,debug,packet 0b000014 32fee3ae b91d25a6 b9a87f84
>> d7c297c3 00000020
>> 00000001 01108d28
>> ==============
>>
>> Seems to be no problem according to the system log.
>>
>> cat /etc/ipsec-tools.conf
>>
>> #
>> spdadd 2.2.2.2/24 4.4.4.4/24 any -P out ipsec
>>             esp/tunnel/1.1.1.1-3.3.3.3/require;
>>
>> spdadd 4.4.4.4/24 2.2.2.2/24 any -P in ipsec
>>             esp/tunnel/3.3.3.3-1.1.1.1/require;
>>
>>
>>
>> On Mon, Sep 29, 2014 at 9:34 PM, Karl E. Jorgensen
>> <karl@jorgensen.org.uk> wrote:
>>> Hi
>>>
>>> On Mon, Sep 29, 2014 at 08:30:31PM +0300, Gokan Atmaca wrote:
>>>> Hello
>>>>
>>>> I want to make an IPsec connection using racoon. My configuration is as
>>>> follows. Site B is RouterOS (Mikrotik). The connection cannot be
>>>> established.
>>>
>>> What do you get in the logs?
>>>
>>> For a "connection" (by which I assume you mean an established tunnel)
>>> to be established, racoon needs to do the handshakes with the other
>>> side - if these fail, there should be traces of it in the
>>> logs.
>>>
>>> Usually, there will be logging even if it is successful.  Racoon
>>> should log via syslog, hence (depending on your syslog configuration)
>>> /var/log/daemon.log would be the place to look.
>>>
>>>> Note: IP addresses are shown as examples.
>>>>
>>>> WAN sites: 1.1.1.1
>>>> LAN sites: 2.2.2.2
>>>> B's: 3.3.3.3
>>>> B's: 4.4.4.4
>>>>
>>>>
>>>>
>>>> - A site config;
>>>>
>>>> pre_shared_key path "/etc/racoon/psk.txt";
>>>> path certificate "/ etc / racoon / certs";
>>>
>>> This looks like a bad copy/paste?? You have spaces in it? Really??
>>>
>>>> remote 3.3.3.3 {
>>>>         exchange_mo in the main;
>>>
>>> This does not look like valid syntax. More bad copy/paste? Looks like
>>> it was an attempt at "exchange_mode" ...
>>>
>>>>         initial_contact one;
>>>>         proposal_check obey;
>>>>         proposal {
>>>>                  encryption_algorithm 3DES;
>>>>                  hash_algorithm md5;
>>>>                  authentication_method pre_shared_key;
>>>>                  dh_group modp1024;
>>>>          }
>>>> }
>>>
>>> You may want to avoid 3DES...
>>>
>>>>
>>>>
>>>> Sainfoin any address 2.2.2.2/24 4.4.4.4/24 address any {
>>>
>>> "Sainfoin" .. hm...
>>>
>>> Which version of racoon is this?
>>>
>>>>          lifetime time 24 hour;
>>>>          encryption_algorithm 3DES;
>>>>          authentication_algorithm hmac_md5;
>>>>          compression_algorithm deflate;
>>>>          pfs_group modp1024;
>>>> }
>>>
>>> I'd recommend looking in the logs to start with, and getting rid of
>>> the syntax errors in the config before going further...
>>>
>>> Hope this helps
>>> --
>>> Karl E. Jorgensen
>>>
>>>
>>> --
>>> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
>>> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>>> Archive: https://lists.debian.org/20140929183443.GA17498@hawking
>>>
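An added example, not part of the thread and not racoon's own code: a small Python triage script for the kind of racoon syslog lines quoted above ("couldn't find the pskey for ...", "phase1 negotiation failed", "pfkey X_SPDDUMP failed"). It parses each line, pulls out the peer address racoon could not find a key for, and looks that identifier up in a psk.txt in racoon's format (identifier, whitespace, key, `#` comments). The log lines and the psk.txt content are constructed samples using documentation addresses; the hostname mx04 and the message texts follow the thread. The point it makes: in main mode with pre-shared-key authentication racoon selects the key by the peer's address, because the ID payload only arrives once the exchange is already encrypted, so the psk.txt identifier has to be exactly that address.

```python
"""Triage racoon phase-1 errors from syslog and check psk.txt for the peer.

Added example for this thread; it is not racoon's code. The log lines and
the psk.txt content below are constructed samples (RFC 5737 addresses); the
message texts are the ones racoon logged in the thread.
"""
import re

# Constructed sample log, same message shapes as in the thread.
SAMPLE_LOG = """\
Sep 29 21:46:02 mx04 racoon: [203.0.113.7] ERROR: couldn't find the pskey for 203.0.113.7.
Sep 29 21:46:02 mx04 racoon: [203.0.113.7] ERROR: failed to process ph1 packet (side: 1, status: 4).
Sep 29 21:46:02 mx04 racoon: [203.0.113.7] ERROR: phase1 negotiation failed.
Sep 29 21:46:28 mx04 racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
Sep 29 17:26:57 mx04 racoon: INFO: ISAKMP-SA expired 198.51.100.4[500]-203.0.113.7[500] spi:d023406b52dfd0b5:abb9799e9ea312c0
"""

# Constructed psk.txt: one "identifier<whitespace>key" per line, '#' comments.
# The peer 203.0.113.7 from the log deliberately has no entry (the thread's failure).
SAMPLE_PSK = """\
# identifier    key (plain text or 0x-prefixed hex)
198.51.100.9    0x1234abcd
203.0.113.8     correct-horse-battery-staple
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)
PSKEY_RE = re.compile(r"couldn't find the pskey for (?P<ident>\S+?)\.?$")
SA_RE = re.compile(
    r"ISAKMP-SA (?P<what>expired|deleted) (?P<local>\S+)\[\d+\]-(?P<remote>\S+)\[\d+\]"
)


def parse_line(line):
    """Split one racoon syslog line into timestamp, host, peer, level, message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def load_psk(text):
    """Parse psk.txt: blank lines and '#' comments are ignored; the first run
    of whitespace separates the identifier from the key (keys may contain spaces)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def triage(log_text, psk_text):
    """Return (finding, detail) pairs for the messages that matter."""
    psk = load_psk(psk_text)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = PSKEY_RE.search(msg)
        if m:
            ident = m.group("ident")
            # Main mode + PSK: racoon picks the key by peer address, so the
            # psk.txt identifier must be exactly that address. "psk-present"
            # means the entry exists but racoon still failed (file not reloaded?).
            findings.append(("psk-present" if ident in psk else "psk-missing", ident))
        elif "phase1 negotiation failed" in msg:
            findings.append(("phase1-failed", rec["peer"]))
        elif "X_SPDDUMP failed" in msg:
            # The kernel returned no SPD entries: the setkey policies were not loaded.
            findings.append(("spd-empty", None))
        else:
            m = SA_RE.search(msg)
            if m:
                findings.append(("isakmp-sa-" + m.group("what"), m.group("remote")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG, SAMPLE_PSK):
        print(f"{kind:16s} {detail or ''}")
```

On a real box, feed it the racoon lines from /var/log/daemon.log and the live /etc/racoon/psk.txt. A "psk-missing" finding means adding the peer's address as the identifier and then running `racoonctl reload-config` (the event visible in the `show-event` output at the top of the thread); an "spd-empty" finding means checking `setkey -DP` to see whether the policies from /etc/ipsec-tools.conf were ever installed.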

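A second added example, again not from the thread and not ipsec-tools code, for the setkey SPD entries of the kind kept in /etc/ipsec-tools.conf. It parses `spdadd` statements (which may span lines and end at `;`), rejects a level that is not one of setkey's `default`, `use`, `require` or `unique`, and warns when an outbound tunnel policy has no mirrored `-P in` policy (selectors and tunnel endpoints swapped). The first sample is constructed on the thread's placeholder addresses with both rules marked `-P out` and the level spelled `required`, two mistakes that setkey and a quick look at the log will not necessarily point out; the second sample is the corrected pair.

```python
"""Lint setkey SPD policies (the spdadd lines in /etc/ipsec-tools.conf).

Added example for this thread, not ipsec-tools code. Both samples are
constructed; the addresses are the placeholders used in the thread.
"""
import re
from dataclasses import dataclass

# Sample 1 (constructed): valid word order, but both directions are '-P out'
# and the level is misspelled 'required'.
THREAD_STYLE_SPD = """\
spdadd 2.2.2.2/24 4.4.4.4/24 any -P out ipsec
            esp/tunnel/1.1.1.1-3.3.3.3/required;
spdadd 4.4.4.4/24 2.2.2.2/24 any -P out ipsec
            esp/tunnel/3.3.3.3-1.1.1.1/required;
"""

# Sample 2 (constructed): the corrected mirrored pair.
FIXED_SPD = """\
flush;
spdflush;
spdadd 2.2.2.2/24 4.4.4.4/24 any -P out ipsec esp/tunnel/1.1.1.1-3.3.3.3/require;
spdadd 4.4.4.4/24 2.2.2.2/24 any -P in  ipsec esp/tunnel/3.3.3.3-1.1.1.1/require;
"""

VALID_LEVELS = {"default", "use", "require", "unique"}

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<direction>in|out|fwd)\s+ipsec\s+"
    r"(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?P<tsrc>[^-/\s]*)-(?P<tdst>[^/\s]*)/(?P<level>[^\s;]+)\s*;$"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    upper: str
    direction: str
    proto: str
    mode: str
    tsrc: str
    tdst: str
    level: str


def parse_spd(text):
    """Return (policies, errors). Statements end at ';' and may span lines;
    '#' starts a comment; non-spdadd statements (flush, add, ...) are skipped."""
    policies, errors, buf = [], [], ""
    for raw in text.splitlines():
        buf = (buf + " " + raw.split("#", 1)[0].strip()).strip()
        if not buf.endswith(";"):
            continue
        stmt, buf = buf, ""
        if not stmt.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(stmt)
        if m:
            policies.append(Policy(**m.groupdict()))
        else:
            errors.append(f"cannot parse: {stmt}")
    if buf:
        errors.append(f"unterminated statement: {buf}")
    return policies, errors


def lint(policies):
    """Return (severity, message) findings for a parsed policy set."""
    findings = []
    for p in policies:
        tag = f"{p.src} -> {p.dst} ({p.direction})"
        if p.level not in VALID_LEVELS:
            findings.append(("error", f"{tag}: level '{p.level}' is not one of {sorted(VALID_LEVELS)}"))
        if p.direction == "out":
            # Return traffic needs its own '-P in' policy with the selectors and
            # tunnel endpoints swapped; without it the kernel does not require
            # ESP on the inbound side and would accept matching plaintext.
            mirrored = [q for q in policies
                        if q.direction == "in" and q.src == p.dst and q.dst == p.src
                        and q.tsrc == p.tdst and q.tdst == p.tsrc
                        and q.proto == p.proto and q.mode == p.mode]
            if not mirrored:
                findings.append(("warn", f"{tag}: no mirrored '-P in' policy for {p.dst} -> {p.src}"))
    return findings


if __name__ == "__main__":
    for name, text in (("thread-style", THREAD_STYLE_SPD), ("fixed", FIXED_SPD)):
        policies, errors = parse_spd(text)
        print(name, errors or "", lint(policies) or "clean")
```

Once the file lints clean, `setkey -f /etc/ipsec-tools.conf` installs the policies and `setkey -DP` shows what the kernel actually holds; an empty dump there is what racoon reports as the "pfkey X_SPDDUMP failed" debug line seen in the thread.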
