[vpn-help] VPN client questions

Palo Sykora tick at ynet.sk
Sat Apr 1 16:51:47 CST 2006


Hello,

sorry for my delay, I was some time offline.

Log from client is ok:
config loaded for site '217.118.101.40'
configuring client settings ...
attached to IPSEC daemon ...
configured peer parameters
configured client parameters
server certificate loaded
configured policy
configured policy
configured policy
enabling tunnel
peer certifcate authentication succeeded
sending authentication credentials
user authentication succeeded
virtual network device enabled
tunnel enabled

I have determined that the errors in the racoon log occur when I make the first 
connection to the remote network - when the policies are being generated.

Yes, I want to filter particular IPs with individual firewall rules. It 
will be very useful to control remote clients in firewall rules by 
assigned IP.

Regards,

Pavol

On Wed, 29 Mar 2006, Matthew Grooms wrote:

> Palo Sykora wrote:
>
> Hello,
>
>     Sorry for making you sift through the entire message but I want to get 
> your post back in the mailing list as the server needed to be restored from a 
> backup :(
>
>> Hi,
>> 
>> I have removed the generic spd entries, and it was the solution, together with the 
>> generate_policy option for dynamic IPs :)
>> For completeness I have corrected mode_cfg (pool and network as you 
>> describe; ip x.x.x.0 isn't very nice).
>> I have turned off my firewall filters.
>> Now it works fine.
>> 
>> But the errors in the logs remain:
>> 
>> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 
>> 217.118.101.40[500]<=>217.118.101.42[500]
>> 2006-03-28 08:49:54: INFO: Update the generated policy : 10.111.111.1/32[0] 
>> 10.10.0.0/24[0] proto=any dir=in
>> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 
>> 217.118.101.40[500]<=>217.118.101.42[500]
>> 2006-03-28 08:49:54: INFO: Update the generated policy : 10.111.111.1/32[0] 
>> 10.10.0.0/24[0] proto=any dir=in
>> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
>> 217.118.101.42[0]->217.118.101.40[0] spi=161869182(0x9a5ed7e)
>> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
>> 217.118.101.40[0]->217.118.101.42[0] spi=297473786(0x11bb16fa)
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
>> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
>> 217.118.101.42[0]->217.118.101.40[0] spi=33474934(0x1fec976)
>> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
>> 217.118.101.40[0]->217.118.101.42[0] spi=1502226327(0x598a2797)
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
>> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
>> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
>> 
>> I think it's a problem of ipsec-tools. When the tunnel on the client is enabled, 
>> a few seconds later I can see those errors. Until this moment I don't have a 
>> connection through the tunnel. After these errors, the connection is available.
>> 
>
> This is interesting. Would you be able to send me the client debug output as 
> well as the racoon output so I can take a look at them please.
>
>> And my next question is, how can I use this great client with 
>> authentication opposite some user ID (DN, login name, IP or something else)?
>> I have seen some options on authentication (Local/Remote Identity?) and it 
>> would be very nice to assign an individual fixed IP by this ID without 
>> generating a new CA certificate.
>> 
>
> There is no method that I am aware of to tie a user to a particular IP 
> address without statically assigning it in the VPN Client. Of course a user 
> can just change this if they want to. Are you trying to restrict user traffic 
> based on the IP address that is assigned?
>
> I am working on some patches for racoon that will allow authentication and 
> sainfo selection to be optionally based on group membership, but it will be 
> some time before I have a chance to finish and test them. The bottom line is 
> that support for this is coming, but it will be a little while.
>
>> Thanks,
>> 
>> Pavol
>> 
>> On Mon, 27 Mar 2006, Matthew Grooms wrote:
>> 
>>> Pavol Sykora wrote:
>>>> Hello
>>>> 
>>>> Nice work, the excellent client, but I have some questions.
>>> Thank you for trying out the software and for reporting your problem :)
>>> 
>>>> First I had a problem making a connection with my private network; 
>>>> although the tunnel was enabled, I can't ping machines on the other side of the 
>>> If the client is displaying 'tunnel enabled', then it believes that phase1 
>>> has completed. It looks like from the racoon log output that phase2 is 
>>> completing as well. At that point, you should be able to ping through the 
>>> VPN Gateway to the private network.
>>> 
>>> Do you have a firewall running on this Gateway? You need to make sure that 
>>> you added rules that will allow the dynamic network ( your 10.111.111.0/24 
>>> ) to access your internal network.
>>> 
>>>> tunnel. Then I corrected the policy and everything is OK, but I have 
>>>> error messages in the logs:
>>>> 
>>>> 2006-03-27 13:05:54: ERROR: phase1 negotiation failed due to time up. 
>>>> 92ebb4f04936bced:0000000000000000
>>> The phase1 ERROR above is most likely from a previously failed connection 
>>> attempt. You would not be able to establish IPsec-SA's ( see the lines 
>>> below ) if you had not already completed phase1.
>>> 
>>>> 2006-03-27 13:05:55: INFO: respond new phase 2 negotiation: 
>>>> 217.118.101.40[500]<=>217.118.101.42[500]
>>>> 2006-03-27 13:05:55: INFO: Update the generated policy : 
>>>> 10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=in
>>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel 
>>>> 217.118.101.42[0]->217.118.101.40[0] spi=55549145(0x34f9cd9)
>>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel 
>>>> 217.118.101.40[0]->217.118.101.42[0] spi=994440598(0x3b45f596)
>>> I am not sure what the below lines are complaining about. I don't recall 
>>> ever seeing a "fwd" spd entry. Maybe a Linux thing?
>>> 
>>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=in"
>>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=fwd"
>>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>>> "193.87.224.0/24[0] 10.111.111.5/32[0] proto=any dir=out"
>>>> 
>>> The SPD entries below could be causing some of your problems. When the 
>>> generate_policy option is used, racoon will build the policies in SPD for 
>>> you.
>>> 
>>>> my policy:
>>>> spdadd 0.0.0.0/0 193.87.224.0/24 any -P in ipsec
>>>>          esp/tunnel/217.118.101.42-217.118.101.40/require;
>>>> spdadd 193.87.224.0/24 0.0.0.0/0 any -P out ipsec
>>>>          esp/tunnel/217.118.101.40-217.118.101.42/require;
>>>> 
>>> The rest of this looks fine.
>>> 
>>>> my racoon config:
>>>> 
>>>> remote anonymous {
>>>>          exchange_mode aggressive;
>>>>          certificate_type x509 "vpngw.crt" "vpngw.key";
>>>>          my_identifier asn1dn;
>>>>          proposal_check strict;
>>>>          generate_policy on;
>>>>          nat_traversal on;
>>>>          ike_frag on;
>>>>          lifetime time 24 hour;
>>>>          esp_frag 552;
>>>>          proposal {
>>>>                  encryption_algorithm 3des;
>>>>                  hash_algorithm md5;
>>>>                  authentication_method hybrid_rsa_server;
>>>>                  dh_group 2;
>>>>          }
>>>> }
>>> I'm not sure, but you may need to change the network4 line to 10.111.111.1 
>>> as I believe it defines the base address for the pool. The pool_size 
>>> should probably be shrunk to 253 as the first and last address in the 
>>> subnet would typically be treated as a broadcast address.
>>> 
>>>> mode_cfg {
>>>>          network4 10.111.111.0;
>>>>          pool_size 255;
>>>>          netmask4 255.255.255.0;
>>>>          auth_source system;
>>>>          dns4 193.87.224.4;
>>>>          banner "/etc/racoon/motd";
>>>> }
>>>> info anonymous {
>>>>          lifetime time 1 hour;
>>>>          encryption_algorithm 3des;
>>>>          authentication_algorithm hmac_md5;
>>>>          compression_algorithm deflate;
>>>> }
>>> Ahh, the first Linux related question on the mailing list. Welcome!
>>> 
>>>> I use ipsec-tools 0.6.5 and linux 2.6.14
>>>> IPsec gateway is 217.118.101.40, client IP is 217.118.101.42, local 
>>>> private network is 193.87.224.0/24, network pool for client is 
>>>> 10.111.111.0/24.
>>>> I must set the remote network in the client policy settings (193.87.224.0/24); 
>>>> without this setting, Windows doesn't have a route to this network via the IPsec 
>>>> interface.
>>>> 
>>> As mentioned above, if you use generate_policy option, you don't need to 
>>> pre-define policies in SPD.
>>> 
>>>> My question is, how can I set the policy to eliminate these errors and use 
>>> The dynamic address of 10.111.111.5/32 is being used by the client as 
>>> shown in the racoon log output listed above. This should be very apparent 
>>> in the client debug output log ( but no log attached :).
>>> 
>>>> dynamically generated IP addresses for roadwarrior clients
>>>> (217.118.101.42 is my temporary testing IP, and how can I set the policy for 
>>>> dynamic IPs?)
>>>> thanx
>>>> 
>>> It would help tremendously if you could also include a debug log output 
>>> for the client when reporting future issues.
>>> 
>>> Just to recap ...
>>> 
>>> 1) you may have a firewall issue
>>> 2) you may need to remove the generic spd entries
>>> 3) you may need to modify the mode_cfg network4 and pool_size
>>> 
>>> Please let me know how things work out for you.
>>> 
>>>> regards
>>>> 
>>>> Pavol
>>> Thanks again,
>>> 
>>> -Matthew
>>> 
>>>> _______________________________________________
>>>> vpn-help mailing list
>>>> vpn-help at lists.shrew.net
>>>> http://lists.shrew.net/mailman/listinfo/vpn-help
>
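As an added example (not from the thread, nor from the Shrew Soft or ipsec-tools projects), a small Python helper that parses racoon log lines like the ones quoted above, separates "such policy does not already exist" errors that appear only after an IPsec-SA was established (the benign ordering Pavol observed) from ones with no SA at all, and checks a mode_cfg pool for the network/broadcast overlap Matthew raised; it assumes network4 is the pool's base address and pool_size the number of addresses handed out.

```python
import ipaddress
import re

# Constructed sample, modelled on the racoon log lines quoted in the thread.
SAMPLE_LOG = """\
2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 217.118.101.40[500]<=>217.118.101.42[500]
2006-03-28 08:49:54: INFO: Update the generated policy : 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 217.118.101.42[0]->217.118.101.40[0] spi=161869182(0x9a5ed7e)
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")
ERR_RE = re.compile(r'such policy does not already exist: "(?P<src>\S+)\[0\] (?P<dst>\S+)\[0\] proto=\S+ dir=(?P<dir>\w+)"')

def parse_racoon_log(text):
    """Split racoon log text into (timestamp, level, message) tuples, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["level"], m["msg"]))
    return events

def stale_policy_errors(events):
    """Sort policy errors by whether an IPsec-SA had already been reported:
    'after_sa' matches the harmless pattern in the thread, 'without_sa' means
    the tunnel really has no policy and traffic will not flow."""
    sa_seen = False
    after_sa, without_sa = [], []
    for _ts, _level, msg in events:
        if "IPsec-SA established" in msg:
            sa_seen = True
        m = ERR_RE.search(msg)
        if m:
            (after_sa if sa_seen else without_sa).append((m["src"], m["dst"], m["dir"]))
    return {"after_sa": after_sa, "without_sa": without_sa}

def client_pool(network4, pool_size, netmask4):
    """Assumption: network4 is the first pool address and pool_size the address count.
    Returns (first, last, warnings); warnings lists pool members that are the
    subnet's network or broadcast address, which a client should never be handed."""
    base = ipaddress.IPv4Address(network4)
    subnet = ipaddress.IPv4Network(f"{network4}/{netmask4}", strict=False)
    first, last = base, base + (pool_size - 1)
    warnings = [str(a) for a in (subnet.network_address, subnet.broadcast_address)
                if first <= a <= last]
    return str(first), str(last), warnings
```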