[vpn-help] Policy configuration
Michael Ragusa
michael.ragusa at ai.net
Mon Mar 13 05:01:22 CST 2006
Matthew Grooms wrote:
> Michael Ragusa wrote:
>
>> i was reading the howto and have used a few of the alpha copies and
>> everything works fine but when i connect up to my racoon gateway i
>> get spd errors. how do i configure incoming and outgoing policy in
>> the shrewsoft client
>
>
> Michael,
>
> Thanks very much for trying out the software. There are two
> methods for configuring client side security policies. Both of these
> methods involve the client using its client address and a remote
> network list to generate the policies.
>
> For the automatic config method ( ipsec-tools CVS only ), you specify
> the list of private networks a client should build policies for using
> the split network include statement of the mode_cfg section in
> racoon.conf. The client will request this list from the gateway after
> authentication completes.
>
> For the manual config method ( ipsec-tools 6.x ), you specify the list
> of private networks a client should build policies for by defining them
> in the policy tab of a site configuration using the VPN Access Manager.
>
> Here is an example setup to get you started. Let's say you have a VPN
> gateway running ipsec-tools and a few remote clients running the VPN
> client with the following network configuration ...
>
> private dns server 10.1.1.2
> private network #1 10.1.1.0/24
> private network #2 10.2.2.0/24
> vpn client address pool 10.99.99.0/24
>
> mode_cfg
> {
> # racoon CVS only
> #
> default_domain "mydomain.net";
> split_network include 10.1.1.0/24,10.2.2.0/24;
>
> # racoon 6.x
> #
> pool_size 253;
> network4 10.99.99.1;
> netmask4 255.255.255.0;
> auth_source system;
> dns4 10.1.1.2;
> }
>
> Let's assume that the first client connects from address x.x.x.x to our
> gateway at address y.y.y.y and gets assigned the client address
> 10.99.99.1 from the mode_cfg pool. The client would then generate the
> equivalent of these SPD policies for its side of the connection ...
>
> spdadd 10.99.99.1 10.1.1.0/24 any -P out ipsec \
> esp/tunnel/x.x.x.x-y.y.y.y/require ;
>
> spdadd 10.1.1.0/24 10.99.99.1 any -P in ipsec \
> esp/tunnel/y.y.y.y-x.x.x.x/require ;
>
> spdadd 10.99.99.1 10.2.2.0/24 any -P out ipsec \
> esp/tunnel/x.x.x.x-y.y.y.y/require ;
>
> spdadd 10.2.2.0/24 10.99.99.1 any -P in ipsec \
> esp/tunnel/y.y.y.y-x.x.x.x/require ;
>
> ... Policies will also be generated in SPD by the gateway for its side
> of the connection ( with inversed parameters of course ). But for this
> to work properly, you _must_ use the generate_policy option in your
> anonymous remote section of the racoon.conf config file.
>
> Also, please use the latest beta. Every release fixes countless bugs
> and offers corrected or increased functionality. I already fixed a
> serious bug in beta 7 so please use this package for any further
> testing ...
>
> http://www.shrew.net/download/vpn-client-1.0-beta-8.exe
>
> I would be more than happy to help troubleshoot the issue you are
> seeing but will need more information about your configuration. It
> would also help to include the debug output from racoon and the client
> software ( mailed directly to me ) so I can see where we are getting
> tripped up.
>
> Thanks,
>
> -Matthew
>
>
>
I've just tried beta8 and had to revert back to beta2 because beta8, like
beta7, does not establish a tunneled IPsec connection. Also, once the
tunnels have been established, I cannot ping the internal interface of
the gateway.
My racoon.conf file is:
lance# cat /usr/local/etc/racoon/racoon.conf
path certificate "/etc/ssl/certs";
log notify;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer
{
counter 5;
interval 20 sec;
persend 1;
natt_keepalive 15 sec;
phase1 45 sec;
phase2 30 sec;
}
listen
{
isakmp 205.134.160.6 [500];
isakmp_natt 205.134.160.6 [4500];
}
remote anonymous
{
exchange_mode aggressive, main, base;
doi ipsec_doi;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "vpngw.crt" "vpngw.key";
passive on;
proposal_check obey;
nat_traversal on;
generate_policy on;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group modp1024;
}
}
mode_cfg
{
conf_source local;
pool_size 254;
network4 10.246.37.1;
netmask4 255.255.255.0;
auth_source system;
dns4 205.134.190.4;
}
sainfo anonymous
{
pfs_group modp1024;
lifetime time 36000 sec;
encryption_algorithm 3des,des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}
My SPD policies are:
lance# cat /usr/local/etc/racoon/spd.sh
#!/bin/sh
setkey -FP
setkey -F
setkey -c << EOF
# Road Warrior Setup
spdadd 10.246.38.0/24 0.0.0.0/0 any -P out ipsec
esp/tunnel/205.134.160.6-0.0.0.0/use;
spdadd 0.0.0.0/0 10.246.38.0/24 any -P in ipsec
esp/tunnel/0.0.0.0-205.134.160.6/use;
EOF
When I use the beta8 client, this is the output from racoon:
2006-03-12 17:45:31: INFO: begin Aggressive mode.
2006-03-12 17:45:31: INFO: received Vendor ID: CISCO-UNITY
2006-03-12 17:45:31: INFO: received Vendor ID: RFC 3947
2006-03-12 17:45:31: INFO: received broken Microsoft ID: FRAGMENTATION
2006-03-12 17:45:31: INFO: Selected NAT-T version: RFC 3947
2006-03-12 17:45:31: INFO: Adding remote and local NAT-D payloads.
2006-03-12 17:45:31: INFO: Hashing 205.134.160.254[500] with algo #1
2006-03-12 17:45:31: INFO: Hashing 205.134.160.6[500] with algo #1
2006-03-12 17:45:36: NOTIFY: the packet is retransmitted by
205.134.160.254[500].
2006-03-12 17:45:37: INFO: NAT not detected
2006-03-12 17:45:37: WARNING: unable to get certificate CRL(3) at
depth:0 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn
clients/CN=AiNET VPN Server/emailAddress=michael.ragusa at ai.net
2006-03-12 17:45:37: WARNING: unable to get certificate CRL(3) at
depth:1 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn
clients/CN=AiNET VPN CA/emailAddress=michael.ragusa at ai.net
2006-03-12 17:45:37: INFO: ISAKMP-SA established
205.134.160.6[500]-205.134.160.254[500]
spi:9e4adf01eb6d96bc:c4872167c4afee35
2006-03-12 17:45:37: INFO: purging spi=194117601.
2006-03-12 17:45:37: INFO: generated policy, deleting it.
2006-03-12 17:45:37: INFO: purging spi=71632748.
2006-03-12 17:45:37: INFO: Using port 3
When I use beta2 I get:
2006-03-12 17:42:01: INFO: begin Aggressive mode.
2006-03-12 17:42:01: INFO: received Vendor ID: CISCO-UNITY
2006-03-12 17:42:01: INFO: received Vendor ID: RFC 3947
2006-03-12 17:42:01: INFO: Selected NAT-T version: RFC 3947
2006-03-12 17:42:01: INFO: Adding remote and local NAT-D payloads.
2006-03-12 17:42:01: INFO: Hashing 205.134.160.254[500] with algo #1
2006-03-12 17:42:01: INFO: Hashing 205.134.160.6[500] with algo #1
2006-03-12 17:42:01: INFO: NAT not detected
2006-03-12 17:42:01: WARNING: unable to get certificate CRL(3) at
depth:0 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn
clients/CN=AiNET VPN Server/emailAddress=michael.ragusa at ai.net
2006-03-12 17:42:01: WARNING: unable to get certificate CRL(3) at
depth:1 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn
clients/CN=AiNET VPN CA/emailAddress=michael.ragusa at ai.net
2006-03-12 17:42:01: INFO: ISAKMP-SA established
205.134.160.6[500]-205.134.160.254[500]
spi:f03dab91be486703:161fa58e8abeaba6
2006-03-12 17:42:01: INFO: purging spi=1295949086.
2006-03-12 17:42:01: INFO: generated policy, deleting it.
2006-03-12 17:42:01: INFO: purging spi=19315140.
2006-03-12 17:42:01: INFO: Using port 2
2006-03-12 17:42:07: INFO: respond new phase 2 negotiation:
205.134.160.6[500]<=>205.134.160.254[500]
2006-03-12 17:42:07: INFO: Update the generated policy :
10.246.37.3/32[0] 10.246.38.0/24[0] proto=any dir=in
2006-03-12 17:42:08: INFO: IPsec-SA established: ESP/Tunnel
205.134.160.254[0]->205.134.160.6[0] spi=71632748(0x445076c)
2006-03-12 17:42:08: INFO: IPsec-SA established: ESP/Tunnel
205.134.160.6[0]->205.134.160.254[0] spi=194117601(0xb91ffe1)
2006-03-12 17:42:08: ERROR: such policy does not already exist:
"10.246.37.3/32[0] 10.246.38.0/24[0] proto=any dir=in"
2006-03-12 17:42:08: ERROR: such policy does not already exist:
"10.246.38.0/24[0] 10.246.37.3/32[0] proto=any dir=out"
2006-03-12 17:45:31: INFO: respond new phase 1 negotiation:
205.134.160.6[500]<=>205.134.160.254[500]
I have attached the VPN client's logfiles.
Any ideas?
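The quoted reply from Matthew Grooms explains that the client derives its SPD entries from its assigned address and the private network list, and that the gateway generates the mirror of each one. The following is an added example, not code from the Shrew Soft client or from this thread: it builds that policy set for any number of networks, renders it as setkey spdadd statements, and checks a racoon "generated policy" log line (the form seen in the beta2 output above) against what the gateway side should have produced. The x.x.x.x / y.y.y.y endpoints are the placeholders from the reply, and the sample addresses are constructed from the thread.

```python
import ipaddress
import re

# Placeholder public addresses, as used in the quoted reply (not real hosts).
CLIENT_PUB = "x.x.x.x"
GW_PUB = "y.y.y.y"


def client_policies(client_addr, networks, client_pub=CLIENT_PUB, gw_pub=GW_PUB):
    """SPD entries the client builds: one out/in pair per private network,
    each tunnelled between the client's and the gateway's public address."""
    host = str(ipaddress.ip_network(client_addr))           # 10.99.99.1 -> 10.99.99.1/32
    policies = []
    for net in networks:
        net = str(ipaddress.ip_network(net, strict=False))  # normalise the prefix
        policies.append((host, net, "out", f"{client_pub}-{gw_pub}"))
        policies.append((net, host, "in", f"{gw_pub}-{client_pub}"))
    return policies


def gateway_policies(client_addr, networks, client_pub=CLIENT_PUB, gw_pub=GW_PUB):
    """The gateway's generated policies keep the same selector and tunnel
    endpoints as the client's but flip the direction (the packet is the same,
    it is just leaving one host and arriving at the other)."""
    flip = {"in": "out", "out": "in"}
    return [(src, dst, flip[d], tun)
            for src, dst, d, tun in client_policies(client_addr, networks, client_pub, gw_pub)]


def spdadd(policy, level="require"):
    """Render one policy as a setkey(8) spdadd statement."""
    src, dst, direction, tunnel = policy
    return f"spdadd {src} {dst} any -P {direction} ipsec esp/tunnel/{tunnel}/{level};"


# Matches the 'src[port] dst[port] proto=any dir=in' form racoon logs.
LOG_RE = re.compile(r"(\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")


def policy_from_log(line):
    """Extract (src, dst, direction) from a racoon policy log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised policy line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def gateway_log_matches(line, client_addr, networks):
    """True if a policy racoon logged on the gateway is one the client's
    address and network list would produce (tunnel endpoints are not logged)."""
    expected = {(s, d, dr) for s, d, dr, _ in gateway_policies(client_addr, networks)}
    return policy_from_log(line) in expected
```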
Attachment: logfile.beta2.txt <https://lists.shrew.net/pipermail/vpn-help/attachments/20060313/c598ad56/attachment-0004.txt>
Attachment: logfile.beta8.txt <https://lists.shrew.net/pipermail/vpn-help/attachments/20060313/c598ad56/attachment-0005.txt>