[vpn-help] VPN client questions

Matthew Grooms mgrooms at shrew.net
Wed Mar 29 04:46:37 CST 2006


Palo Sykora wrote:

Hello,

      Sorry for making you sift through the entire message but I want to 
get your post back in the mailing list as the server needed to be 
restored from a backup :(

> Hi,
> 
> I have removed the generic SPD entries, and it was the solution with the 
> generate_policy option for dynamic IPs :)
> For completeness I have corrected mode_cfg (pool and network as you 
> describe; ip x.x.x.0 isn't very nice).
> I have turned off my firewall filters.
> Now it works fine.
> 
> But the errors in the logs remain:
> 
> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 
> 217.118.101.40[500]<=>217.118.101.42[500]
> 2006-03-28 08:49:54: INFO: Update the generated policy : 
> 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 
> 217.118.101.40[500]<=>217.118.101.42[500]
> 2006-03-28 08:49:54: INFO: Update the generated policy : 
> 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
> 217.118.101.42[0]->217.118.101.40[0] spi=161869182(0x9a5ed7e)
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
> 217.118.101.40[0]->217.118.101.42[0] spi=297473786(0x11bb16fa)
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
> 217.118.101.42[0]->217.118.101.40[0] spi=33474934(0x1fec976)
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 
> 217.118.101.40[0]->217.118.101.42[0] spi=1502226327(0x598a2797)
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist: 
> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
> 
> I think it's a problem of ipsec-tools. When the tunnel on the client is enabled, 
> a few seconds later I can see those errors. Until that moment I don't have a 
> connection through the tunnel. After these errors, the connection is 
> available.
> 

This is interesting. Would you be able to send me the client debug 
output as well as the racoon output so I can take a look at them please?

> And my next question is, how can I use this great client with 
> authentication against some user ID (DN, login name, IP or something else)?
> I have seen some options on authentication (Local/Remote Identity?) and 
> it would be very nice to assign an individual fixed IP by this ID without 
> generating a new CA certificate.
> 

There is no method that I am aware of to tie a user to a particular IP 
address without statically assigning it in the VPN Client. Of course a 
user can just change this if they want to. Are you trying to restrict 
user traffic based on the IP address that is assigned?

I am working on some patches for racoon that will allow authentication 
and sainfo selection to be optionally based on group membership, but it 
will be some time before I have a chance to finish and test them. The 
bottom line is that support for this is coming, but it will be a little 
while.

> Thanks,
> 
> Pavol
> 
> On Mon, 27 Mar 2006, Matthew Grooms wrote:
> 
>> Pavol Sykora wrote:
>>> Hello
>>>
>>> Nice work, an excellent client, but I have some questions.
>> Thank you for trying out the software and for reporting your problem :)
>>
>>> First I had a problem making a connection with my private network; 
>>> although the tunnel is enabled, I can't ping machines on the other side of the 
>> If the client is displaying 'tunnel enabled', then it believes that phase1 
>> has completed. It looks like from the racoon log output that phase2 is 
>> completing as well. At that point, you should be able to ping through the VPN 
>> Gateway to the private network.
>>
>> Do you have a firewall running on this Gateway? You need to make sure that 
>> you added rules that will allow the dynamic network ( your 10.111.111.0/24 ) 
>> to access your internal network.
>>
>>> tunnel. Then I corrected the policy and everything is OK, but I have error 
>>> messages in the logs:
>>>
>>> 2006-03-27 13:05:54: ERROR: phase1 negotiation failed due to time up. 
>>> 92ebb4f04936bced:0000000000000000
>> The phase1 ERROR above is most likely from a previously failed connection 
>> attempt. You would not be able to establish IPsec-SA's ( see the lines below 
>> ) if you had not already completed phase1.
>>
>>> 2006-03-27 13:05:55: INFO: respond new phase 2 negotiation: 
>>> 217.118.101.40[500]<=>217.118.101.42[500]
>>> 2006-03-27 13:05:55: INFO: Update the generated policy : 10.111.111.5/32[0] 
>>> 193.87.224.0/24[0] proto=any dir=in
>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel 
>>> 217.118.101.42[0]->217.118.101.40[0] spi=55549145(0x34f9cd9)
>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel 
>>> 217.118.101.40[0]->217.118.101.42[0] spi=994440598(0x3b45f596)
>> I am not sure what the below lines are complaining about. I don't recall ever 
>> seeing a "fwd" spd entry. Maybe a Linux thing?
>>
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=in"
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=fwd"
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist: 
>>> "193.87.224.0/24[0] 10.111.111.5/32[0] proto=any dir=out"
>>>
>> The SPD entries below could be causing some of your problems. When the 
>> generate_policy option is used, racoon will build the policies in SPD for 
>> you.
>>
>>> my policy:
>>> spdadd 0.0.0.0/0 193.87.224.0/24 any -P in ipsec
>>>          esp/tunnel/217.118.101.42-217.118.101.40/require;
>>> spdadd 193.87.224.0/24 0.0.0.0/0 any -P out ipsec
>>>          esp/tunnel/217.118.101.40-217.118.101.42/require;
>>>
>> The rest of this looks fine.
>>
>>> my racoon config:
>>>
>>> remote anonymous {
>>>          exchange_mode aggressive;
>>>          certificate_type x509 "vpngw.crt" "vpngw.key";
>>>          my_identifier asn1dn;
>>>          proposal_check strict;
>>>          generate_policy on;
>>>          nat_traversal on;
>>>          ike_frag on;
>>>          lifetime time 24 hour;
>>>          esp_frag 552;
>>>          proposal {
>>>                  encryption_algorithm 3des;
>>>                  hash_algorithm md5;
>>>                  authentication_method hybrid_rsa_server;
>>>                  dh_group 2;
>>>          }
>>> }
>> I'm not sure, but you may need to change the network4 line to 10.111.111.1 as 
>> I believe it defines the base address for the pool. The pool_size should 
>> probably be shrunk to 253 as the first and last address in the subnet would 
>> typically be treated as a broadcast address.
>>
>>> mode_cfg {
>>>          network4 10.111.111.0;
>>>          pool_size 255;
>>>          netmask4 255.255.255.0;
>>>          auth_source system;
>>>          dns4 193.87.224.4;
>>>          banner "/etc/racoon/motd";
>>> }
>>> sainfo anonymous {
>>>          lifetime time 1 hour;
>>>          encryption_algorithm 3des;
>>>          authentication_algorithm hmac_md5;
>>>          compression_algorithm deflate;
>>> }
>> Ahh, the first Linux related question on the mailing list. Welcome!
>>
>>> I use ipsec-tools 0.6.5 and Linux 2.6.14.
>>> The IPsec gateway is 217.118.101.40, the client IP is 217.118.101.42, the local private 
>>> network is 193.87.224.0/24, and the network pool for clients is 10.111.111.0/24.
>>> I must set the remote network in the client policy settings (193.87.224.0/24); 
>>> without this setting, Windows has no route to this network via the IPsec 
>>> interface.
>>>
>> As mentioned above, if you use generate_policy option, you don't need to 
>> pre-define policies in SPD.
>>
>>> My question is, how can I set the policy to eliminate these errors and use 
>> The dynamic address of 10.111.111.5/32 is being used by the client as shown 
>> in the racoon log output listed above. This should be very apparent in the 
>> client debug output log ( but no log attached :).
>>
>>> dynamically generated IP addresses for roadwarrior clients?
>>> (217.118.101.42 is my temporary testing IP, and how can I set a policy for 
>>> dynamic IPs?)
>>> thanks
>>>
>> It would help tremendously if you could also include a debug log output for 
>> the client when reporting future issues.
>>
>> Just to recap ...
>>
>> 1) you may have a firewall issue
>> 2) you may need to remove the generic spd entries
>> 3) you may need to modify the mode_cfg network4 and pool_size
>>
>> Please let me know how things work out for you.
>>
>>> regards
>>>
>>> Pavol
>> Thanks again,
>>
>> -Matthew
>>
>>> _______________________________________________
>>> vpn-help mailing list
>>> vpn-help at lists.shrew.net
>>> http://lists.shrew.net/mailman/listinfo/vpn-help
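As an added example (not part of the thread above, and not code from Shrew Soft or ipsec-tools), here is a small Python script that parses racoon log lines in the format quoted in this thread and correlates each generated SPD policy with the IPsec-SAs and the "such policy does not already exist" errors that follow it. The sample lines are copied from the thread and embedded as constructed test input. The three-direction layout it checks against (in and fwd for client-to-network, out for the reverse) is the one visible in the logs above: the Linux SPD carries a separate fwd policy in addition to in and out, which is why the "fwd" entry shows up in these logs. Function and variable names are my own.

```python
"""Correlate racoon (ipsec-tools) log lines: generated SPD policies, ESP SAs
and "such policy does not already exist" errors, grouped per tunnel.

Added example for the thread above; not code from Shrew Soft or ipsec-tools.
"""
import re

# Constructed test input: the lines are copied from the racoon output quoted
# in this thread (the phase1 line from the earlier message), unwrapped.
SAMPLE_LOG = """\
2006-03-27 13:05:54: ERROR: phase1 negotiation failed due to time up. 92ebb4f04936bced:0000000000000000
2006-03-28 08:49:54: INFO: respond new phase 2 negotiation: 217.118.101.40[500]<=>217.118.101.42[500]
2006-03-28 08:49:54: INFO: Update the generated policy : 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 217.118.101.42[0]->217.118.101.40[0] spi=161869182(0x9a5ed7e)
2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel 217.118.101.40[0]->217.118.101.42[0] spi=297473786(0x11bb16fa)
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
2006-03-28 08:49:54: ERROR: such policy does not already exist: "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
"""

_TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>INFO|ERROR): "
_SEL = r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] proto=(?P<proto>\w+) dir=(?P<dir>in|out|fwd)"

# One regex per message type we care about; anything else is ignored.
PATTERNS = {
    "phase1_fail": re.compile(_TS + r"phase1 negotiation failed due to time up\. (?P<cookies>[0-9a-f]+:[0-9a-f]+)"),
    "phase2": re.compile(_TS + r"respond new phase 2 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]"),
    "generated": re.compile(_TS + r"Update the generated policy : " + _SEL),
    "sa": re.compile(_TS + r"IPsec-SA established: ESP/Tunnel (?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)\(0x(?P<spihex>[0-9a-f]+)\)"),
    "missing": re.compile(_TS + r'such policy does not already exist: "' + _SEL + r'"'),
}


def parse_racoon_log(text):
    """Return one dict per recognised line, tagged with its 'kind'."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                events.append(ev)
                break
    return events


def summarize(events):
    """Aggregate events: peers seen, generated policies, SAs, missing policies."""
    s = {"phase1_failures": 0, "phase2_peers": set(), "generated": set(),
         "sas": [], "missing": set(), "bad_spi": []}
    for ev in events:
        k = ev["kind"]
        if k == "phase1_fail":
            s["phase1_failures"] += 1
        elif k == "phase2":
            s["phase2_peers"].add(ev["peer"])
        elif k == "generated":
            s["generated"].add((ev["src"], ev["dst"], ev["dir"]))
        elif k == "sa":
            spi = int(ev["spi"])
            # racoon prints the SPI twice (decimal and hex); a mismatch means
            # the log line was mangled (e.g. by mail wrapping) before it got here.
            if spi != int(ev["spihex"], 16):
                s["bad_spi"].append(ev["spi"])
            s["sas"].append((ev["src"], ev["dst"], spi))
        elif k == "missing":
            s["missing"].add((ev["src"], ev["dst"], ev["dir"]))
    return s


def policy_gaps(summary):
    """For every inbound policy racoon says it generated, list the directions
    racoon later reported as missing from the SPD.  The expected set is the
    three-direction layout seen in the thread's Linux logs: in and fwd for
    client->network, out for network->client."""
    gaps = {}
    for src, dst, d in summary["generated"]:
        if d != "in":
            continue
        expected = {(src, dst, "in"), (src, dst, "fwd"), (dst, src, "out")}
        gaps[(src, dst)] = sorted(p[2] for p in expected & summary["missing"])
    return gaps


if __name__ == "__main__":
    summary = summarize(parse_racoon_log(SAMPLE_LOG))
    print("phase1 timeouts:", summary["phase1_failures"])
    print("phase2 peers:", sorted(summary["phase2_peers"]))
    for src, dst, spi in summary["sas"]:
        print(f"ESP SA {src} -> {dst} spi=0x{spi:x}")
    for (src, dst), dirs in policy_gaps(summary).items():
        print(f"policy {src} <-> {dst}: racoon reported missing dir={dirs}")
```

To use it on a real gateway, replace SAMPLE_LOG with the contents of the racoon log (or read sys.stdin) and look at two things: a non-empty bad_spi list means the lines were damaged before you got them (the mail-wrapped lines in this thread are a typical cause), so stop and get the raw log before reasoning about it; and for each generated policy the gaps dict tells you which of the in/fwd/out entries racoon complained about, which is exactly the set you would compare against `setkey -DP` on the gateway at the moment the tunnel comes up.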