[vpn-help] Policy configuration

Michael Ragusa michael.ragusa at ai.net
Mon Mar 13 05:01:22 CST 2006


Matthew Grooms wrote:

> Michael Ragusa wrote:
>
>> I was reading the HOWTO and have used a few of the alpha copies and 
>> everything works fine, but when I connect up to my racoon gateway I 
>> get SPD errors. How do I configure incoming and outgoing policy in 
>> the Shrew Soft client?
>>
>> _______________________________________________
>> vpn-help mailing list
>> vpn-help at lists.shrew.net
>> http://lists.shrew.net/mailman/listinfo/vpn-help
>
>
> Michael,
>
>      Thanks very much for trying out the software. There are two 
> methods for configuring client side security policies. Both of these 
> methods involve the client using its client address and a remote 
> network list to generate the policies.
>
> For the automatic config method ( ipsec-tools CVS only ), you specify 
> the list of private networks a client should build policies for using 
> the split network include statement of the mode_cfg section in 
> racoon.conf. The client will request this list from the gateway after 
> authentication completes.
>
> For the manual config method ( ipsec-tools 6.x ), you specify the list 
> of private networks a client should build policies for by defining them 
> in the policy tab of a site configuration using the VPN Access Manager.
>
> Here is an example setup to get you started. Let's say you have a VPN 
> gateway running ipsec-tools and a few remote clients running the VPN 
> client with the following network configuration ...
>
> private dns server 10.1.1.2
> private network #1 10.1.1.0/24
> private network #2 10.2.2.0/24
> vpn client address pool 10.99.99.0/24
>
> mode_cfg
> {
>     # racoon CVS only
>     #
>     default_domain "mydomain.net";
>     split_network include 10.1.1.0/24,10.2.2.0/24;
>
>     # racoon 6.x
>     #
>     pool_size 253;
>     network4 10.99.99.1;
>     netmask4 255.255.255.0;
>     auth_source system;
>     dns4 10.1.1.2;
> }
>
> Let's assume that the first client connects from address x.x.x.x to our 
> gateway at address y.y.y.y and gets assigned the client address 
> 10.99.99.1 from the mode_cfg pool. The client would then generate the 
> equivalent of these SPD policies for its side of the connection ...
>
> spdadd 10.99.99.1 10.1.1.0/24 any -P out ipsec \
>     esp/tunnel/x.x.x.x-y.y.y.y/require ;
>
> spdadd 10.1.1.0/24 10.99.99.1 any -P in ipsec \
>     esp/tunnel/y.y.y.y-x.x.x.x/require ;
>
> spdadd 10.99.99.1 10.2.2.0/24 any -P out ipsec \
>     esp/tunnel/x.x.x.x-y.y.y.y/require ;
>
> spdadd 10.2.2.0/24 10.99.99.1 any -P in ipsec \
>     esp/tunnel/y.y.y.y-x.x.x.x/require ;
>
> ... Policies will also be generated in SPD by the gateway for its side 
> of the connection ( with inverted parameters of course ). But for this 
> to work properly, you _must_ use the generate_policy option in your 
> anonymous remote section of the racoon.conf config file.
>
> Also, please use the latest beta. Every release fixes countless bugs 
> and offers corrected or increased functionality. I already fixed a 
> serious bug in beta 7 so please use this package for any further 
> testing ...
>
> http://www.shrew.net/download/vpn-client-1.0-beta-8.exe
>
> I would be more than happy to help troubleshoot the issue you are 
> seeing but will need more information about your configuration. It 
> would also help to include the debug output from racoon and the client 
> software ( mailed directly to me ) so I can see where we are getting 
> tripped up.
>
> Thanks,
>
> -Matthew
>
>
>
I've just tried beta8 and had to revert back to beta2 because beta8, like 
beta7, does not establish a tunneled IPsec connection. Also, once the 
tunnels have been established, I cannot ping the internal interface of 
the gateway.

My racoon.conf file is:
lance# cat /usr/local/etc/racoon/racoon.conf
path    certificate     "/etc/ssl/certs";
log     notify;

padding
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer
{
        counter         5;
        interval        20 sec;
        persend         1;
        natt_keepalive  15 sec;
        phase1          45 sec;
        phase2          30 sec;
}

listen
{
        isakmp          205.134.160.6 [500];
        isakmp_natt     205.134.160.6 [4500];
}
remote  anonymous
{
        exchange_mode   aggressive, main, base;
        doi             ipsec_doi;
        my_identifier   asn1dn;
        peers_identifier        asn1dn;
        certificate_type        x509    "vpngw.crt"     "vpngw.key";
        passive         on;
        proposal_check  obey;
        nat_traversal   on;
        generate_policy on;

        proposal {
                encryption_algorithm    3des;
                hash_algorithm          md5;
                authentication_method   rsasig;
                dh_group                modp1024;
        }

}

mode_cfg
{
        conf_source     local;
        pool_size       254;
        network4        10.246.37.1;
        netmask4        255.255.255.0;
        auth_source     system;
        dns4            205.134.190.4;
}

sainfo  anonymous
{
        pfs_group       modp1024;
        lifetime        time    36000 sec;
        encryption_algorithm    3des,des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}

My SPD policies are:
lance# cat /usr/local/etc/racoon/spd.sh
#!/bin/sh
setkey -FP
setkey -F
setkey -c << EOF
# Road Warrior Setup
spdadd 10.246.38.0/24 0.0.0.0/0 any -P out ipsec \
    esp/tunnel/205.134.160.6-0.0.0.0/use;
spdadd 0.0.0.0/0 10.246.38.0/24 any -P in ipsec \
    esp/tunnel/0.0.0.0-205.134.160.6/use;
EOF


When I use the beta8 client, this is the output from racoon:
2006-03-12 17:45:31: INFO: begin Aggressive mode.
2006-03-12 17:45:31: INFO: received Vendor ID: CISCO-UNITY
2006-03-12 17:45:31: INFO: received Vendor ID: RFC 3947
2006-03-12 17:45:31: INFO: received broken Microsoft ID: FRAGMENTATION
2006-03-12 17:45:31: INFO: Selected NAT-T version: RFC 3947
2006-03-12 17:45:31: INFO: Adding remote and local NAT-D payloads.
2006-03-12 17:45:31: INFO: Hashing 205.134.160.254[500] with algo #1
2006-03-12 17:45:31: INFO: Hashing 205.134.160.6[500] with algo #1
2006-03-12 17:45:36: NOTIFY: the packet is retransmitted by 
205.134.160.254[500].
2006-03-12 17:45:37: INFO: NAT not detected
2006-03-12 17:45:37: WARNING: unable to get certificate CRL(3) at 
depth:0 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN Server/emailAddress=michael.ragusa at ai.net
2006-03-12 17:45:37: WARNING: unable to get certificate CRL(3) at 
depth:1 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN CA/emailAddress=michael.ragusa at ai.net
2006-03-12 17:45:37: INFO: ISAKMP-SA established 
205.134.160.6[500]-205.134.160.254[500] 
spi:9e4adf01eb6d96bc:c4872167c4afee35
2006-03-12 17:45:37: INFO: purging spi=194117601.
2006-03-12 17:45:37: INFO: generated policy, deleting it.
2006-03-12 17:45:37: INFO: purging spi=71632748.
2006-03-12 17:45:37: INFO: Using port 3


When I use beta2 I get:
2006-03-12 17:42:01: INFO: begin Aggressive mode.
2006-03-12 17:42:01: INFO: received Vendor ID: CISCO-UNITY
2006-03-12 17:42:01: INFO: received Vendor ID: RFC 3947
2006-03-12 17:42:01: INFO: Selected NAT-T version: RFC 3947
2006-03-12 17:42:01: INFO: Adding remote and local NAT-D payloads.
2006-03-12 17:42:01: INFO: Hashing 205.134.160.254[500] with algo #1
2006-03-12 17:42:01: INFO: Hashing 205.134.160.6[500] with algo #1
2006-03-12 17:42:01: INFO: NAT not detected
2006-03-12 17:42:01: WARNING: unable to get certificate CRL(3) at 
depth:0 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN Server/emailAddress=michael.ragusa at ai.net
2006-03-12 17:42:01: WARNING: unable to get certificate CRL(3) at 
depth:1 SubjectName:/C=US/ST=Maryland/L=Beltsville/O=AiNET/OU=vpn 
clients/CN=AiNET VPN CA/emailAddress=michael.ragusa at ai.net
2006-03-12 17:42:01: INFO: ISAKMP-SA established 
205.134.160.6[500]-205.134.160.254[500] 
spi:f03dab91be486703:161fa58e8abeaba6
2006-03-12 17:42:01: INFO: purging spi=1295949086.
2006-03-12 17:42:01: INFO: generated policy, deleting it.
2006-03-12 17:42:01: INFO: purging spi=19315140.
2006-03-12 17:42:01: INFO: Using port 2
2006-03-12 17:42:07: INFO: respond new phase 2 negotiation: 
205.134.160.6[500]<=>205.134.160.254[500]
2006-03-12 17:42:07: INFO: Update the generated policy : 
10.246.37.3/32[0] 10.246.38.0/24[0] proto=any dir=in
2006-03-12 17:42:08: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.254[0]->205.134.160.6[0] spi=71632748(0x445076c)
2006-03-12 17:42:08: INFO: IPsec-SA established: ESP/Tunnel 
205.134.160.6[0]->205.134.160.254[0] spi=194117601(0xb91ffe1)
2006-03-12 17:42:08: ERROR: such policy does not already exist: 
"10.246.37.3/32[0] 10.246.38.0/24[0] proto=any dir=in"
2006-03-12 17:42:08: ERROR: such policy does not already exist: 
"10.246.38.0/24[0] 10.246.37.3/32[0] proto=any dir=out"
2006-03-12 17:45:31: INFO: respond new phase 1 negotiation: 
205.134.160.6[500]<=>205.134.160.254[500]


I have attached the vpn clients logfiles.

Any ideas?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: logfile.beta2.txt
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060313/c598ad56/attachment-0004.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: logfile.beta8.txt
URL: <https://lists.shrew.net/pipermail/vpn-help/attachments/20060313/c598ad56/attachment-0005.txt>
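The policy generation Matthew describes in his reply, written out as an added example (not code from the Shrew Soft client, ipsec-tools, or anyone in this thread): it takes the mode_cfg split_network list and the client's assigned address, emits the client-side out/in spdadd pair for each remote network in the same shape as his example, and derives the gateway's counterpart of each policy so the two SPDs can be compared. The outer addresses 192.0.2.10 and 198.51.100.1 are constructed stand-ins for x.x.x.x and y.y.y.y, and every function and class name here is my own.

```python
"""Build the per-client SPD policy set described in the thread: one
out/in pair per remote network, keyed on the client's assigned address,
plus the gateway's counterpart of each policy.  Added example, not code
from the Shrew Soft client or ipsec-tools."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class SpdPolicy:
    """One setkey 'spdadd' entry: inner selectors plus the ESP tunnel endpoints."""
    src: str          # inner source selector (host or CIDR)
    dst: str          # inner destination selector
    direction: str    # "out" or "in"
    tunnel_src: str   # outer endpoint the ESP packet is sent from
    tunnel_dst: str   # outer endpoint the ESP packet is sent to
    level: str = "require"

    def spdadd(self) -> str:
        """Render in the same shape as the spdadd lines in the thread."""
        return (f"spdadd {self.src} {self.dst} any -P {self.direction} ipsec \\\n"
                f"    esp/tunnel/{self.tunnel_src}-{self.tunnel_dst}/{self.level} ;")

    def reverse(self) -> "SpdPolicy":
        """The same host's policy for traffic in the other direction:
        selectors, tunnel endpoints and direction all swap."""
        return SpdPolicy(self.dst, self.src, _flip(self.direction),
                         self.tunnel_dst, self.tunnel_src, self.level)

    def peer(self) -> "SpdPolicy":
        """The counterpart the other end of the tunnel needs for the same
        packet: selectors and endpoints stay, only the direction flips
        (what the client sends 'out', the gateway must accept 'in')."""
        return SpdPolicy(self.src, self.dst, _flip(self.direction),
                         self.tunnel_src, self.tunnel_dst, self.level)


def _flip(direction: str) -> str:
    return "in" if direction == "out" else "out"


def parse_split_network(line: str) -> list[str]:
    """Pull the network list out of a mode_cfg 'split_network include' statement."""
    m = re.search(r"split_network\s+include\s+([^;]+);", line)
    if not m:
        raise ValueError("no split_network include statement found")
    # strict=True rejects a network written with host bits set, e.g. 10.1.1.5/24
    return [str(ipaddress.ip_network(n.strip(), strict=True))
            for n in m.group(1).split(",")]


def client_policies(client_addr, client_public, gateway_public, networks):
    """Client-side SPD: for each remote network, an 'out' policy from the
    assigned address into the network and the matching 'in' policy back."""
    addr = str(ipaddress.ip_address(client_addr))
    policies = []
    for net in networks:
        out = SpdPolicy(addr, str(ipaddress.ip_network(net)), "out",
                        client_public, gateway_public)
        policies.append(out)
        policies.append(out.reverse())
    return policies


def gateway_policies(client_side):
    """What the gateway's generate_policy has to produce for the same client."""
    return [p.peer() for p in client_side]


def policies_match(client_side, gateway_side) -> bool:
    """True when the two SPDs describe exactly the same set of flows."""
    return {p.peer() for p in client_side} == set(gateway_side)


def render(policies) -> str:
    return "\n\n".join(p.spdadd() for p in policies)


if __name__ == "__main__":
    # Constructed values: documentation addresses stand in for x.x.x.x / y.y.y.y.
    nets = parse_split_network("split_network include 10.1.1.0/24,10.2.2.0/24;")
    client = client_policies("10.99.99.1", "192.0.2.10", "198.51.100.1", nets)
    print("# client side\n" + render(client))
    print("\n# gateway side\n" + render(gateway_policies(client)))
```

Running it prints the four client policies from Matthew's example with the constructed endpoints filled in, followed by the gateway's four; `policies_match` is the check worth keeping when comparing a client's generated SPD against `setkey -DP` output on the gateway, since a policy present on one side but missing on the other is exactly the mismatch that leaves a phase 2 SA without a usable policy.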