[vpn-help] VPN client questions
Matthew Grooms
mgrooms at shrew.net
Wed Mar 29 04:46:37 CST 2006
Palo Sykora wrote:
Hello,
Sorry for making you sift through the entire message but I want to
get your post back in the mailing list as the server needed to be
restored from a backup :(
> Hi,
>
> I have removed the generic SPD entries, and that was the solution with the
> generate_policy option for dynamic IPs :)
> For completeness I have corrected mode_cfg (pool and network as you
> describe, ip x.x.x.0 isn't very nice)
> I have turned off my firewall filters.
> Now it works fine.
>
> But the errors in the logs remain:
>
> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation:
> 217.118.101.40[500]<=>217.118.101.42[500]
> 2006-03-28 08:49:54: INFO: Update the generated policy :
> 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
> 2006-03-28 08:49:54: INFO: respond new phase 2 negotiation:
> 217.118.101.40[500]<=>217.118.101.42[500]
> 2006-03-28 08:49:54: INFO: Update the generated policy :
> 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel
> 217.118.101.42[0]->217.118.101.40[0] spi=161869182(0x9a5ed7e)
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel
> 217.118.101.40[0]->217.118.101.42[0] spi=297473786(0x11bb16fa)
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel
> 217.118.101.42[0]->217.118.101.40[0] spi=33474934(0x1fec976)
> 2006-03-28 08:49:54: INFO: IPsec-SA established: ESP/Tunnel
> 217.118.101.40[0]->217.118.101.42[0] spi=1502226327(0x598a2797)
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=fwd"
> 2006-03-28 08:49:54: ERROR: such policy does not already exist:
> "10.10.0.0/24[0] 10.111.111.1/32[0] proto=any dir=out"
>
> I think it's a problem with ipsec-tools. When the tunnel on the client is
> enabled, a few seconds later I see these errors. Until that moment I have
> no connection through the tunnel. After these errors, the connection is
> available.
>
This is interesting. Would you be able to send me the client debug
output as well as the racoon output so I can take a look at them please.
> And my next question is, how can I use this great client with
> authentication against some user ID (DN, login name, IP or something else)?
> I have seen some options for authentication (Local/Remote Identity?) and
> it would be very nice to assign an individual fixed IP by this ID without
> generating a new CA certificate.
>
There is no method that I am aware of to tie a user to a particular IP
address without statically assigning it in the VPN Client. Of course a
user can just change this if they want to. Are you trying to restrict
user traffic based on the IP address that is assigned?
I am working on some patches for racoon that will allow authentication
and sainfo selection to be optionally based on group membership, but it
will be some time before I have a chance to finish and test them. The
bottom line is that support for this is coming, but it will be a little
while.
> Thanks,
>
> Pavol
>
> On Mon, 27 Mar 2006, Matthew Grooms wrote:
>
>> Pavol Sykora wrote:
>>> Hello
>>>
>>> Nice work, an excellent client, but I have some questions.
>> Thank you for trying out the software and for reporting your problem :)
>>
>>> First I had a problem making a connection to my private network;
>>> although the tunnel was enabled, I couldn't ping machines on the other side of the
>> If the client is displaying 'tunnel enabled', then it believes that phase1
>> has completed. It looks like from the racoon log output that phase2 is
>> completing as well. At that point, you should be able to ping through the VPN
>> Gateway to the private network.
>>
>> Do you have a firewall running on this Gateway? You need to make sure that
>> you added rules that will allow the dynamic network ( your 10.111.111.0/24 )
>> to access your internal network.
>>
>>> tunnel. Then I corrected the policy and everything is OK, but I have error
>>> messages in the logs:
>>>
>>> 2006-03-27 13:05:54: ERROR: phase1 negotiation failed due to time up.
>>> 92ebb4f04936bced:0000000000000000
>> The phase1 ERROR above is most likely from a previously failed connection
>> attempt. You would not be able to establish IPsec-SA's ( see the lines below
>> ) if you had not already completed phase1.
>>
>>> 2006-03-27 13:05:55: INFO: respond new phase 2 negotiation:
>>> 217.118.101.40[500]<=>217.118.101.42[500]
>>> 2006-03-27 13:05:55: INFO: Update the generated policy : 10.111.111.5/32[0]
>>> 193.87.224.0/24[0] proto=any dir=in
>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel
>>> 217.118.101.42[0]->217.118.101.40[0] spi=55549145(0x34f9cd9)
>>> 2006-03-27 13:05:55: INFO: IPsec-SA established: ESP/Tunnel
>>> 217.118.101.40[0]->217.118.101.42[0] spi=994440598(0x3b45f596)
>> I am not sure what the below lines are complaining about. I don't recall ever
>> seeing a "fwd" spd entry. Maybe a Linux thing?
>>
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist:
>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=in"
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist:
>>> "10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=fwd"
>>> 2006-03-27 13:05:55: ERROR: such policy does not already exist:
>>> "193.87.224.0/24[0] 10.111.111.5/32[0] proto=any dir=out"
>>>
>> The SPD entries below could be causing some of your problems. When the
>> generate_policy option is used, racoon will build the policies in SPD for
>> you.
>>
>>> my policy:
>>> spdadd 0.0.0.0/0 193.87.224.0/24 any -P in ipsec
>>> esp/tunnel/217.118.101.42-217.118.101.40/require;
>>> spdadd 193.87.224.0/24 0.0.0.0/0 any -P out ipsec
>>> esp/tunnel/217.118.101.40-217.118.101.42/require;
>>>
>> The rest of this looks fine.
>>
>>> my racoon config:
>>>
>>> remote anonymous {
>>>         exchange_mode aggressive;
>>>         certificate_type x509 "vpngw.crt" "vpngw.key";
>>>         my_identifier asn1dn;
>>>         proposal_check strict;
>>>         generate_policy on;
>>>         nat_traversal on;
>>>         ike_frag on;
>>>         lifetime time 24 hour;
>>>         esp_frag 552;
>>>         proposal {
>>>                 encryption_algorithm 3des;
>>>                 hash_algorithm md5;
>>>                 authentication_method hybrid_rsa_server;
>>>                 dh_group 2;
>>>         }
>>> }
>> I'm not sure, but you may need to change the network4 line to 10.111.111.1 as
>> I believe it defines the base address for the pool. The pool_size should
>> probably be shrunk to 253 as the first and last address in the subnet would
>> typically be treated as a broadcast address.
>>
>>> mode_cfg {
>>>         network4 10.111.111.0;
>>>         pool_size 255;
>>>         netmask4 255.255.255.0;
>>>         auth_source system;
>>>         dns4 193.87.224.4;
>>>         banner "/etc/racoon/motd";
>>> }
>>> info anonymous {
>>>         lifetime time 1 hour;
>>>         encryption_algorithm 3des;
>>>         authentication_algorithm hmac_md5;
>>>         compression_algorithm deflate;
>>> }
>> Ahh, the first Linux related question on the mailing list. Welcome!
>>
>>> I use ipsec-tools 0.6.5 and Linux 2.6.14.
>>> The IPsec gateway is 217.118.101.40, the client IP is 217.118.101.42, the local private
>>> network is 193.87.224.0/24, and the network pool for clients is 10.111.111.0/24.
>>> I must set the remote network in the client policy settings (193.87.224.0/24);
>>> without this setting, Windows has no route to this network via the IPsec
>>> interface.
>>>
>> As mentioned above, if you use generate_policy option, you don't need to
>> pre-define policies in SPD.
>>
>>> My question is, how can I set the policy to eliminate these errors and use
>> The dynamic address of 10.111.111.5/32 is being used by the client as shown
>> in the racoon log output listed above. This should be very apparent in the
>> client debug output log ( but no log attached :).
>>
>>> dynamically generated IP addresses for roadwarrior clients?
>>> (217.118.101.42 is my temporary testing IP; how can I set a policy for
>>> dynamic IPs?)
>>> thanks
>>>
>> It would help tremendously if you could also include a debug log output for
>> the client when reporting future issues.
>>
>> Just to recap ...
>>
>> 1) you may have a firewall issue
>> 2) you may need to remove the generic spd entries
>> 3) you may need to modify the mode_cfg network4 and pool_size
>>
>> Please let me know how things work out for you.
>>
>>> regards
>>>
>>> Pavol
>> Thanks again,
>>
>> -Matthew
>>
>>> _______________________________________________
>>> vpn-help mailing list
>>> vpn-help at lists.shrew.net
>>> http://lists.shrew.net/mailman/listinfo/vpn-help
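As an added example (not code from this thread, racoon, or the Shrew Soft client), a small Python check of the mode_cfg pool parameters discussed above: it flags a pool whose network4 base or pool_size hands out the network or broadcast address, and it pulls the client /32 addresses out of "Update the generated policy" lines to confirm they fall inside the configured pool. The log lines and settings are constructed from the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample values, modelled on the mode_cfg block and the
# "Update the generated policy" log lines quoted in this thread.
MODE_CFG = {"network4": "10.111.111.0", "netmask4": "255.255.255.0", "pool_size": 255}
RACOON_LOG = """\
2006-03-28 08:49:54: INFO: Update the generated policy : 10.111.111.1/32[0] 10.10.0.0/24[0] proto=any dir=in
2006-03-27 13:05:55: INFO: Update the generated policy : 10.111.111.5/32[0] 193.87.224.0/24[0] proto=any dir=in
"""
POLICY_RE = re.compile(r"Update the generated policy : (\S+?)\[\d+\] (\S+?)\[\d+\]")


def pool_range(network4, pool_size):
    """network4 is the base address and pool_size the count of addresses handed out."""
    first = ipaddress.IPv4Address(network4)
    return first, first + (pool_size - 1)


def check_pool(network4, netmask4, pool_size):
    """Return the problems with a mode_cfg pool: one that hands out the
    network address, or reaches (or passes) the broadcast address of netmask4."""
    first, last = pool_range(network4, pool_size)
    subnet = ipaddress.IPv4Network(f"{network4}/{netmask4}", strict=False)
    problems = []
    if first == subnet.network_address:
        problems.append(f"pool starts at the network address {first}")
    if last >= subnet.broadcast_address:
        problems.append(f"pool ends at {last}, at or past the broadcast address of {subnet}")
    return problems


def client_addresses(log):
    """Client /32 addresses racoon installed generated policies for, one per log line."""
    return [ipaddress.IPv4Network(m.group(1)).network_address
            for m in POLICY_RE.finditer(log)]


def outside_pool(log, network4, pool_size):
    """Clients seen in the log whose address is not inside the configured pool."""
    first, last = pool_range(network4, pool_size)
    return [str(a) for a in client_addresses(log) if not first <= a <= last]


if __name__ == "__main__":
    for problem in check_pool(**MODE_CFG):
        print("mode_cfg:", problem)
    print("clients outside pool:",
          outside_pool(RACOON_LOG, MODE_CFG["network4"], MODE_CFG["pool_size"]))
```

With the thread's original settings the check reports the pool starting at 10.111.111.0; with network4 10.111.111.1 and pool_size 253 it is clean.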