SimbioS n00b
Joined: 01 Mar 2011 Posts: 2
Posted: Wed Jun 08, 2011 12:00 pm    Post subject: Trouble with Ipsec (Racoon)
Hi all.
I have a problem with setting up "racoon" for my mobile clients (like iPhone).
My conf:

setkey.conf:
spdflush;
spdadd 0.0.0.0/0 78.46.79.232/27 any -P out ipsec esp/tunnel/78.46.79.232-0.0.0.0/require;
spdadd 78.46.79.232/27 0.0.0.0/0 any -P in ipsec esp/tunnel/0.0.0.0-78.46.79.232/require;

racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 78.46.79.232 [500];
isakmp_natt 78.46.79.232 [4500];
adminsock disabled;
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per send.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address 78.46.79.232;
peers_identifier fqdn "elastix.flexicam.com";
nonce_size 16;
lifetime time 3600 sec;
### lifetime time 24 hour;
initial_contact on;
proposal_check obey; # obey, strict, or claim
proposal {
encryption_algorithm 3des;
### hash_algorithm md5;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
lifetime time 3600 sec;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
### lifetime time 24 hour;
encryption_algorithm 3des;
### authentication_algorithm hmac_md5;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}

psk.txt:
pizdec.net password

After starting racoon in debug mode, I see the following:
2011-06-08 13:57:02: ERROR: no policy found: 10.71.10.71/32[0] 78.46.79.232/32[0] proto=any dir=in
2011-06-08 13:57:02: ERROR: failed to get proposal for responder.
2011-06-08 13:57:02: ERROR: failed to pre-process packet.
Here 10.71.10.71 is the IP address of my local PC. I tested from a PC (IPsec client "TheGreenBow IPSec VPN Client").
Many thanks for your help
AngelKnight Tux's lil' helper
Joined: 14 Jan 2003 Posts: 127
Posted: Fri Jun 10, 2011 2:38 am    Post subject: Re: Trouble with Ipsec (Racoon)
SimbioS wrote:
    Hi all.
    I have a problem with setting up "racoon" for my mobile clients (like iPhone).
    My conf:

    setkey.conf:
    spdflush;
    spdadd 0.0.0.0/0 78.46.79.232/27 any -P out ipsec esp/tunnel/78.46.79.232-0.0.0.0/require;
    spdadd 78.46.79.232/27 0.0.0.0/0 any -P in ipsec esp/tunnel/0.0.0.0-78.46.79.232/require;

    After starting racoon in debug mode, I see the following:
    2011-06-08 13:57:02: ERROR: no policy found: 10.71.10.71/32[0] 78.46.79.232/32[0] proto=any dir=in
    2011-06-08 13:57:02: ERROR: failed to get proposal for responder.
    2011-06-08 13:57:02: ERROR: failed to pre-process packet.
    Here 10.71.10.71 is the IP address of my local PC. I tested from a PC (IPsec client "TheGreenBow IPSec VPN Client").
Racoon's debug has told you exactly: the policy it tried to negotiate was for 10.71.10.71/32 on one end and 78.46.79.232/32 on the racoon end. The Security Policy Database doesn't behave like a routing lookup at all. I think there are a large number of misunderstandings in your approach.

If you're trying to make the racoon box be a VPN concentrator for dynamic clients, then you need racoon to add the Security Policy Database entries dynamically.
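To make the point about the SPD concrete, here is an added example (not code from either poster, nor from racoon or ipsec-tools): a simplified Python model of the selector lookup racoon performs as responder. It parses the spdadd lines quoted above and the "no policy found" log line, and shows that the selector racoon built (client 10.71.10.71/32 to server 78.46.79.232/32, direction in) falls outside both posted policies: the in-policy's source prefix is the server's own /27, which does not contain the client's address. A second, constructed entry shows the shape of per-client inbound policy that a dynamically installed entry (as racoon does with its generate_policy option) would provide. The regexes, the first-match rule and the Policy/Selector representation are assumptions of this model, not racoon internals; setkey.conf and log line are the ones from the thread, the generated entry is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the thread or from ipsec-tools): a simplified model
# of a Security Policy Database lookup. Real kernels also weigh policy
# priority and port selectors; this model keeps only prefix, proto and dir.


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str       # "any" or a protocol name
    direction: str   # "in", "out" or "fwd"
    action: str      # e.g. "ipsec esp/tunnel/A-B/require"


# Subset of setkey's spdadd syntax (assumption: one policy per line).
SPDADD_RE = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.+?)\s*;\s*$"
)
# racoon's "no policy found" line, in the format quoted in the thread.
LOG_RE = re.compile(
    r"no policy found: (\S+?)\[\d+\] (\S+?)\[\d+\] proto=(\S+) dir=(in|out|fwd)"
)


def parse_spd(text):
    """Turn the spdadd lines of a setkey.conf into Policy entries; spdflush is ignored."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("spdflush"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised setkey line: {line!r}")
        src, dst, proto, direction, action = m.groups()
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               proto, direction, action))
    return policies


def parse_selector(log_line):
    """Extract (src, dst, proto, dir) from racoon's 'no policy found' line."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 'no policy found' line")
    src, dst, proto, direction = m.groups()
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), proto, direction)


def lookup(policies, selector):
    """Selector match, not a route lookup: src AND dst must both lie inside the
    policy's prefixes, direction must match, proto must match or be 'any'.
    First match in insertion order wins (simplification)."""
    src, dst, proto, direction = selector
    for p in policies:
        if (p.direction == direction
                and src.subnet_of(p.src)
                and dst.subnet_of(p.dst)
                and p.proto in ("any", proto)):
            return p
    return None


def diagnose(setkey_text, log_line):
    """Return what the SPD lookup for the logged selector would yield."""
    p = lookup(parse_spd(setkey_text), parse_selector(log_line))
    if p is None:
        return "no policy found"
    return f"matched {p.direction} policy {p.src} -> {p.dst} ({p.action})"


# The poster's setkey.conf, as quoted in the thread.
POSTED_SETKEY_CONF = """\
spdflush;
spdadd 0.0.0.0/0 78.46.79.232/27 any -P out ipsec esp/tunnel/78.46.79.232-0.0.0.0/require;
spdadd 78.46.79.232/27 0.0.0.0/0 any -P in ipsec esp/tunnel/0.0.0.0-78.46.79.232/require;
"""

# The 'no policy found' line from the poster's racoon debug output.
LOG_LINE = ("2011-06-08 13:57:02: ERROR: no policy found: "
            "10.71.10.71/32[0] 78.46.79.232/32[0] proto=any dir=in")

# Constructed (not from the thread): the kind of per-client inbound entry a
# dynamically generated policy provides once the client's address is known.
GENERATED_ENTRY = ("spdadd 10.71.10.71/32 78.46.79.232/32 any -P in "
                   "ipsec esp/tunnel/10.71.10.71-78.46.79.232/require;")

if __name__ == "__main__":
    print(diagnose(POSTED_SETKEY_CONF, LOG_LINE))   # no policy found
    print(diagnose(GENERATED_ENTRY, LOG_LINE))      # matched in policy ...
```

Running it reproduces the log's verdict for the posted policies and a match for the per-client entry; the inbound policy a responder needs has the remote client as src and the racoon host as dst, which is exactly the selector the log prints.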