* [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Michael Higgins @ 2009-05-05 16:00 UTC
To: gentoo-user
Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour "with IPSEC"?
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Paul Hartman @ 2009-05-05 16:12 UTC
To: gentoo-user
On Tue, May 5, 2009 at 11:00 AM, Michael Higgins <linux@evolone.org> wrote:
>
> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour "with IPSEC"?
Haven't tried it (I use vpnc to connect to a Cisco VPN) but this page
may give you some clues:
http://www.jacco2.dds.nl/networking/linux-l2tp.html
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Graham Murray @ 2009-05-05 16:49 UTC
To: gentoo-user
Michael Higgins <linux@evolone.org> writes:
> Is there a useful Gentoo document anyone might suggest describing how one *connects to* a VPN device of the 'Microsoft' flavour "with IPSEC"?
I do not know about a Gentoo document, but I have connected a Gentoo
system and Windows PC using racoon on the Gentoo system in exactly the
same way as I use to connect Gentoo systems. I define a shared secret in
/etc/racoon/psk.txt and in /etc/ipsec.conf have entries of the form
spdadd gentoo_ip/32 windows_ip/32 any -P out ipsec
    esp/transport//require;
spdadd windows_ip/32 gentoo_ip/32 any -P in ipsec
    esp/transport//require;
As I am not at work, where the Windows system is, I cannot remember
exactly how I configured that.
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Michael Higgins @ 2009-05-11 20:30 UTC
To: gentoo-user
On Tue, 05 May 2009 17:49:06 +0100
Graham Murray <graham@gmurray.org.uk> wrote:
> Michael Higgins <linux@evolone.org> writes:
>
> > Is there a useful Gentoo document anyone might suggest describing
> > how one *connects to* a VPN device of the 'Microsoft' flavour "with
> > IPSEC"?
>
> I do not know about a Gentoo document,
I've been working on this for *waaaaay* too long, with no apparent success. I have racoon and l2tpt running, but no network addresses in the VPN.
Does anyone understand the actual procedure(s) for making a VPN like, l2tp, IPSEC "pre-shared secret" connection, and wish to elaborate just a bit on the issues (config files, possible values) involved?
I mean, the ebuild for ipsec-tools doesn't even put in half the config files... as if any of this could work at all without them?
Any help appreciated. :(
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Mick @ 2009-05-16 16:40 UTC
To: gentoo-user
On Monday 11 May 2009, Michael Higgins wrote:
> On Tue, 05 May 2009 17:49:06 +0100
>
> Graham Murray <graham@gmurray.org.uk> wrote:
> > Michael Higgins <linux@evolone.org> writes:
> > > Is there a useful Gentoo document anyone might suggest describing
> > > how one *connects to* a VPN device of the 'Microsoft' flavour "with
> > > IPSEC"?
> >
> > I do not know about a Gentoo document,
>
> I've been working on this for *waaaaay* too long, with no apparent success.
> I have racoon and l2tpt running, but no network addresses in the VPN.
>
> Does anyone understand the actual procedure(s) for making a VPN like, l2tp,
> IPSEC "pre-shared secret" connection, and wish to elaborate just a bit on
> the issues (config files, possible values) involved?
>
> I mean, the ebuild for ipsec-tools doesn't even put in half the config
> files... as if any of this could work at all without them?
>
> Any help appreciated. :(
Any progress with this, guys? I am also trying to get something running
between a router and my laptop (using kvpnc) but I am failing with this error:
=====================================
info: Gateway hostname (my.remote_router.com) resolved to "XX.XXX.XXX.XX".
error: [racoon helper
err] /home/michael/.kde3.5/share/apps/kvpnc//setkey.ROUTER.sh: line 6: -f:
command not found
error: [racoon err] racoon: must be root to invoke this program.
=====================================
I am not sure that I want to run kvpnc as root - after all it is a GUI
application ...
Worth noting that, unlike the OP, my remote router is not running MS l2tp, but
IPSec with PSK.
--
Regards,
Mick
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Graham Murray @ 2009-05-16 17:10 UTC
To: gentoo-user
Mick <michaelkintzios@gmail.com> writes:
> Any progress with this guys? I am also trying to get something running
> between a router and my laptop (using kvpnc) but I am failing with this error:
Here are some samples.
/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous
{
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        lifetime time 24 hour;
        dh_group 2;
        authentication_method pre_shared_key;
    }
}
sainfo anonymous
{
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha256, hmac_sha1;
    compression_algorithm deflate;
}
/etc/racoon/psk.txt
10.0.1.2 This is the shared secret
/etc/ipsec.conf
flush;
spdflush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec
    esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.1/32 any -P in ipsec
    esp/transport//require;
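A consistency check for setkey policies of the kind Graham posted, as an added example that is not part of the thread or of ipsec-tools. It parses only the statements the samples use; SAMPLE_IPSEC_CONF and SAMPLE_BROKEN_CONF are constructed inputs.

```python
"""Check setkey(8) SPD policies like those in the /etc/ipsec.conf sample above.

Added example, not code from the thread or from ipsec-tools. It parses only the
subset of setkey syntax the samples use (flush; spdflush; spdadd ... ;) and
reports policies that are one-directional or that would let traffic fall back
to cleartext.
"""
import re
from dataclasses import dataclass

# Constructed input in the shape of Graham's sample (statements may span lines).
SAMPLE_IPSEC_CONF = """
flush;
spdflush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec
    esp/transport//require;
spdadd 10.0.1.2/32 10.0.0.1/32 any -P in ipsec
    esp/transport//require;
"""

# Constructed counter-example: no spdflush, no inbound policy, level 'use'.
SAMPLE_BROKEN_CONF = """
flush;
spdadd 10.0.0.1/32 10.0.1.2/32 any -P out ipsec esp/transport//use;
"""


@dataclass(frozen=True)
class Policy:
    src: str        # source address or prefix
    dst: str        # destination address or prefix
    upper: str      # upper-layer protocol selector: any, tcp, udp, ...
    direction: str  # in, out or fwd
    protocol: str   # esp or ah
    mode: str       # transport or tunnel
    endpoints: str  # "outer_src-outer_dst" in tunnel mode, "" in transport mode
    level: str      # default, use, require or unique[:id]


_SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(esp|ah)/(transport|tunnel)/([^/]*)/(default|use|require|unique(?::\d+)?)"
)


def parse_setkey(text):
    """Split the file into ';'-terminated statements; return (other statements, policies)."""
    body = re.sub(r"#.*", "", text)  # '#' to end of line is a comment
    others, policies = [], []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # joins the continuation line of an spdadd
        if not stmt:
            continue
        m = _SPDADD.fullmatch(stmt)
        if m:
            policies.append(Policy(*m.groups()))
        else:
            others.append(stmt)
    return others, policies


def mirror_of(p):
    """The inbound policy that should accompany an outbound one (and vice versa)."""
    direction = "in" if p.direction == "out" else "out"
    endpoints = "-".join(reversed(p.endpoints.split("-")))  # "" stays ""
    return Policy(p.dst, p.src, p.upper, direction, p.protocol, p.mode, endpoints, p.level)


def lint_policies(text):
    """Return findings as strings; an empty list means the policy set is consistent."""
    others, policies = parse_setkey(text)
    findings = []
    if "spdflush" not in others:
        findings.append("no spdflush: policies left over from an earlier load would remain")
    present = set(policies)
    for p in policies:
        if p.direction in ("in", "out") and mirror_of(p) not in present:
            findings.append(f"{p.direction} policy {p.src} -> {p.dst} has no mirrored "
                            f"{mirror_of(p).direction} policy")
        if not (p.level == "require" or p.level.startswith("unique")):
            findings.append(f"policy {p.src} -> {p.dst} has level '{p.level}', which does "
                            "not force IPsec ('use' sends cleartext when no SA exists); "
                            "'require' refuses to send without one")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_IPSEC_CONF), ("broken", SAMPLE_BROKEN_CONF)):
        print(name, lint_policies(conf) or "ok")
```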
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Mick @ 2009-05-16 23:29 UTC
To: gentoo-user
Thanks Graham,
On Saturday 16 May 2009, Graham Murray wrote:
> Here are some samples.
>
> /etc/racoon/racoon.conf
> /etc/racoon/psk.txt
> /etc/ipsec.conf
Do I need a /etc/setkey.conf file? How do I create it?
When I run '/etc/init.d/racoon start' this is what I get:
===========================================
# /etc/init.d/racoon --verbose restart
* Loading ipsec policies from /etc/ipsec.conf.
* Starting racoon ...
/usr/sbin/racoon: invalid option -- '4'
usage: racoon [-BdFv] [-a (port)] [-f (file)] [-l (file)] [-p (port)]
-B: install SA to the kernel from the file specified by the configuration
file.
-d: debug level, more -d will generate more debug message.
-C: dump parsed config file.
-L: include location in debug messages
-F: run in foreground, do not become daemon.
-v: be more verbose
-a: port number for admin port.
-f: pathname for configuration file.
-l: pathname for log file.
-p: port number for isakmp (default: 500).
-P: port number for NAT-T (default: 4500). [ !! ]
===========================================
I am not sure I am doing this right. The remote router's LAN is 10.10.10.0/24.
This is the same as my local LAN's subnet. My local LAN IP is 10.10.10.5.
The remote router is giving (or is it expecting?) addresses for clients in the
172.16.1.0/24 subnet. How should I configure the /etc/ipsec.conf file?
--
Regards,
Mick
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Mick @ 2009-05-17 11:07 UTC
To: gentoo-user
On Sunday 17 May 2009, Mick wrote:
> Thanks Graham,
>
> On Saturday 16 May 2009, Graham Murray wrote:
> > Here are some samples.
> >
> > /etc/racoon/racoon.conf
> >
> > /etc/racoon/psk.txt
> >
> > /etc/ipsec.conf
>
> Do I need a /etc/setkey.conf file? How do I create it?
>
> When I run '/etc/init.d/racoon start' this is what I get:
> ===========================================
> # /etc/init.d/racoon --verbose restart
> * Loading ipsec policies from /etc/ipsec.conf.
> * Starting racoon ...
> /usr/sbin/racoon: invalid option -- '4'
> usage: racoon [-BdFv] [-a (port)] [-f (file)] [-l (file)] [-p (port)]
> -B: install SA to the kernel from the file specified by the
> configuration file.
> -d: debug level, more -d will generate more debug message.
> -C: dump parsed config file.
> -L: include location in debug messages
> -F: run in foreground, do not become daemon.
> -v: be more verbose
> -a: port number for admin port.
> -f: pathname for configuration file.
> -l: pathname for log file.
> -p: port number for isakmp (default: 500).
> -P: port number for NAT-T (default: 4500). [ !! ]
> ===========================================
>
> I am not sure I am doing this right. The remote router's LAN is 10.10.10.0/24.
> This is the same as my local LAN's subnet. My local LAN IP is
> 10.10.10.5.
>
> The remote router is giving (or is it expecting?) addresses for clients in
> the 172.16.1.0/24 subnet. How should I configure the /etc/ipsec.conf file?
The more I try to use VPN the more I love SSH!
http://bugs.gentoo.org/87920
--
Regards,
Mick
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Michael Higgins @ 2009-05-19 18:22 UTC
To: gentoo-user
On Sun, 17 May 2009 12:07:33 +0100
Mick <michaelkintzios@gmail.com> wrote:
> On Sunday 17 May 2009, Mick wrote:
> > Thanks Graham,
> >
> > On Saturday 16 May 2009, Graham Murray wrote:
> > > Here are some samples.
> > >
[8<]
>
> The more I try to use VPN the more I love SSH!
>
> http://bugs.gentoo.org/87920
Mick --
This is a *very* old bug. But it still happens. "WTF..."
I see you linked to a related bug here in the ML, but you didn't file/reopen a bug. (Is there a reason why?)
Anyway, it would appear like there is no Gentoo dev-loving on these packages, so maybe it would be a waste...
For myself, I have zero desire to understand VPN technology, but I guess that's not an option if the devs aren't active in making sane choices for, and presenting viable options to, the users. :(
So can we agree on the combination of packages that are *supposed* to provide this VPN-IPSEC-L2TP function? The only thing vaguely M$FT about this setup is MS-CHAP. And L2TP, perhaps. (At least, in so far as I understand this crap, that's my conclusion.)
I have:
net-firewall/ipsec-tools
net-dialup/xl2tpd
net-dialup/ppp <------is this needed?
I don't have * net-misc/openswan ... since that seems to be an alternative to ipsec-tools (KAME). (Or, vice-versa. I'm totally getting sick of reading about VPN.)
Is there some other package that should be needed to make this all work? Do I need "ppp" at all? Isn't XL2TPD the full replacement?
Anyway, since there doesn't appear to be a Gentoo document for this, I'd be totally willing to take up space on the ML until both of us have this working. Here, I begin:
. . .
/etc/init.d/xl2tpd start
* Starting xl2tpd ... [ ok ]
May 19 10:25:04 lappy xl2tpd[5179]: setsockopt recvref[22]: Protocol not available
May 19 10:25:04 lappy xl2tpd[5179]: This binary does not support kernel L2TP.
May 19 10:25:04 lappy xl2tpd[5180]: xl2tpd version xl2tpd-1.2.3 started on lappy PID:5180
May 19 10:25:04 lappy xl2tpd[5180]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
May 19 10:25:04 lappy xl2tpd[5180]: Forked by Scott Balmos and David Stipp, (C) 2001
May 19 10:25:04 lappy xl2tpd[5180]: Inherited by Jeff McAdams, (C) 2002
May 19 10:25:04 lappy xl2tpd[5180]: Forked again by Xelerance (www.xelerance.com) (C) 2006
May 19 10:25:04 lappy xl2tpd[5180]: Listening on IP address 0.0.0.0, port 1701
So far, there are no errors. (The warning about *kernel* L2TP is a warning, so I understand, not a failure.)
/etc/init.d/racoon start
* Loading ipsec policies from /etc/ipsec.conf.
* Starting racoon ... [ ok ]
May 19 10:27:11 lappy hald [ loads additional crypt modules ]
Module Size Used by
twofish 5568 0
twofish_common 12672 1 twofish
serpent 15936 0
blowfish 7104 0
sha256_generic 10240 0
May 19 10:27:12 lappy racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
May 19 10:27:12 lappy racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 19 10:27:12 lappy racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for AH
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for ESP
May 19 10:27:12 lappy racoon: DEBUG: call pfkey_send_register for IPCOMP
May 19 10:27:12 lappy racoon: DEBUG: reading config file /etc/racoon/racoon.conf
May 19 10:27:12 lappy racoon: DEBUG2: lifetime = 3600
May 19 10:27:12 lappy racoon: DEBUG2: lifebyte = 0
May 19 10:27:12 lappy racoon: DEBUG2: encklen=0
May 19 10:27:12 lappy racoon: DEBUG2: p:1 t:1
May 19 10:27:12 lappy racoon: DEBUG2: 3DES-CBC(5)
May 19 10:27:12 lappy racoon: DEBUG2: SHA(2)
May 19 10:27:12 lappy racoon: DEBUG2: 1024-bit MODP group(2)
May 19 10:27:12 lappy racoon: DEBUG2: pre-shared key(1)
May 19 10:27:12 lappy racoon: DEBUG2:
May 19 10:27:12 lappy racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
[ And there is only 'deflate' available anyway... ?? ]
May 19 10:27:12 lappy racoon: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
May 19 10:27:12 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:27:12 lappy racoon: DEBUG2: parse successed.
May 19 10:27:12 lappy racoon: DEBUG: open /var/lib/racoon/racoon.sock as racoon management.
May 19 10:27:12 lappy racoon: DEBUG: my interface: 192.168.1.100 (wlan0)
May 19 10:27:12 lappy racoon: DEBUG: my interface: 127.0.0.1 (lo)
May 19 10:27:12 lappy racoon: DEBUG: configuring default isakmp port.
May 19 10:27:12 lappy racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
May 19 10:27:12 lappy racoon: DEBUG: 4 addrs are configured successfully
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=8)
May 19 10:27:12 lappy racoon: INFO: 127.0.0.1[4500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=9)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[500] used for NAT-T
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used as isakmp port (fd=10)
May 19 10:27:12 lappy racoon: INFO: 192.168.1.100[4500] used for NAT-T
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message
May 19 10:27:12 lappy racoon: DEBUG: sub:0xbfa34dc8: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=in
May 19 10:27:12 lappy racoon: DEBUG: db :0x80df108: pub.lic.vpn.ip/32[0] 192.168.1.100/32[0] proto=any dir=fwd
May 19 10:27:12 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:27:12 lappy racoon: DEBUG: get pfkey X_SPDDUMP message
... and so on.
I've followed a how-to that sets up the client as a separate tunnel device for the network, so I'll have to see if I can't fix the routing... though I think it shouldn't matter, and won't anyway if phase 1 fails...
Basically, I don't know WHAT is SUPPOSED to happen. But, pinging a machine inside the network, I get plenty of debug info:
May 19 10:35:32 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 10:35:32 lappy racoon: DEBUG: get pfkey ACQUIRE message
May 19 10:35:32 lappy racoon: DEBUG2:
May 19 10:35:32 lappy racoon: DEBUG: suitable outbound SP found: 192.168.1.0/24
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.add.vpn.ip.
May 19 10:35:32 lappy racoon: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='192.168.243.0/24', peer='NULL', id=0
May 19 10:35:32 lappy racoon: DEBUG: getsainfo pass #2
May 19 10:35:32 lappy racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
May 19 10:35:32 lappy racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=DES encklen=0 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-md5)
May 19 10:35:32 lappy racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
May 19 10:35:32 lappy racoon: DEBUG: in post_acquire
May 19 10:35:32 lappy racoon: DEBUG: anonymous configuration selected for pub.ip.dev.vpn.
Now some errors:
May 19 10:35:32 lappy racoon: INFO: IPsec-SA request for pub.ip.dev.vpn queued due to no phase1 found.
... which makes sense, I guess. It appears it doesn't try to negotiate phase 1 until traffic is routed to that destination.
And I can't find a single explanatory reference for this:
May 19 10:35:32 lappy racoon: ERROR: unknown AF: 0
May 19 10:35:32 lappy racoon: DEBUG: ===
May 19 10:35:32 lappy racoon: INFO: initiate new phase 1 negotiation: 192.168.1.100[500]<=>pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: INFO: begin Identity Protection mode.
May 19 10:35:32 lappy racoon: DEBUG: new cookie:
May 19 10:35:32 lappy 52dcd374fabdaf4d
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 48, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 13
May 19 10:35:32 lappy racoon: DEBUG: add payload of len 16, next type 0
May 19 10:35:32 lappy racoon: DEBUG: 180 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:32 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: 1 times of 180 bytes message will be sent to pub.ip.dev.vpn[500]
May 19 10:35:32 lappy racoon: DEBUG: resend phase1 packet 52dcd374fabdaf4d:0000000000000000
May 19 10:35:32 lappy racoon: phase1(ident I msg1): 0.001421
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: DEBUG: 100 bytes message received from pub.ip.dev.vpn[500] to 192.168.1.100[500]
May 19 10:35:33 lappy ec427b1f
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=1(sa)
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=13(vid)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
May 19 10:35:33 lappy racoon: DEBUG: total SA len=48
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0e10
May 19 10:35:33 lappy 80010005 80030001 80020002 80040002
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=2(prop)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: proposal #1 len=40
May 19 10:35:33 lappy racoon: DEBUG: begin.
May 19 10:35:33 lappy racoon: DEBUG: seen nptype=3(trns)
May 19 10:35:33 lappy racoon: DEBUG: succeed.
May 19 10:35:33 lappy racoon: DEBUG: transform #1 len=32
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: encryption(3des)
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: pair 1:
May 19 10:35:33 lappy racoon: DEBUG: 0x80e13f0: next=(nil) tnext=(nil)
May 19 10:35:33 lappy racoon: DEBUG: proposal #1: 1 transform
May 19 10:35:33 lappy racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
May 19 10:35:33 lappy racoon: DEBUG: trns#=1, trns-id=IKE
May 19 10:35:33 lappy racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
May 19 10:35:33 lappy racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
May 19 10:35:33 lappy racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
May 19 10:35:33 lappy racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: Compared: DB:Peer
May 19 10:35:33 lappy racoon: DEBUG: (lifetime = 3600:3600)
May 19 10:35:33 lappy racoon: DEBUG: (lifebyte = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: enctype = 3DES-CBC:3DES-CBC
May 19 10:35:33 lappy racoon: DEBUG: (encklen = 0:0)
May 19 10:35:33 lappy racoon: DEBUG: hashtype = SHA:SHA
May 19 10:35:33 lappy racoon: DEBUG: authmethod = pre-shared key:pre-shared key
May 19 10:35:33 lappy racoon: DEBUG: dh_group = 1024-bit MODP group:1024-bit MODP group
May 19 10:35:33 lappy racoon: DEBUG: an acceptable proposal found.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
... so is this good? Sounds good..??
May 19 10:35:33 lappy racoon: DEBUG: hmac(modp1024)
May 19 10:35:33 lappy racoon: DEBUG: agreed on pre-shared key auth.
May 19 10:35:33 lappy racoon: DEBUG: ===
May 19 10:35:33 lappy racoon: oakley_dh_generate(MODP1024): 0.027674
May 19 10:35:33 lappy racoon: DEBUG: compute DH's private.
May 19 10:35:33 lappy racoon: DEBUG: compute DH's public.
May 19 10:35:33 lappy racoon: DEBUG:
May 19 10:35:33 lappy racoon: INFO: Hashing pub.ip.dev.vpn[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Hashing 192.168.1.100[500] with algo #2
May 19 10:35:33 lappy racoon: DEBUG: hash(sha1)
May 19 10:35:33 lappy racoon: INFO: Adding remote and local NAT-D payloads.
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 128, next type 10
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 16, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 130
May 19 10:35:33 lappy racoon: DEBUG: add payload of len 20, next type 0
May 19 10:35:33 lappy racoon: DEBUG: 228 bytes from 192.168.1.100[500] to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: sockname 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet from 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: send packet to pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: src4 192.168.1.100[500]
May 19 10:35:33 lappy racoon: DEBUG: dst4 pub.ip.dev.vpn[500]
May 19 10:35:33 lappy racoon: DEBUG: 1 times of 228 bytes message will be sent to pub.ip.dev.vpn[500]
May 19 11:16:35 lappy racoon: DEBUG: receive Information.
May 19 11:16:35 lappy racoon: ERROR: none message must be encrypted
And the only *other* error.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: extract_port.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: found a ph1 wop.
May 19 10:35:43 lappy racoon: DEBUG2: CHKPH1THERE: no established ph1 handler found
Anyway, it fails. I guess I need to check the ph1 handler is established, but where, how?
My next step is to get on the phone with the folks who have access to the "checkpoint" VPN device to see if they can tell me what fails.
But, before I go chatting them up, I really would like some confirmation from someone familiar with the DISTRO that I've got all the BINARIES in place I could possibly need to accomplish this, and nothing conflicting.
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Paul Hartman @ 2009-05-19 18:57 UTC
To: gentoo-user
On Tue, May 19, 2009 at 1:22 PM, Michael Higgins <linux@evolone.org> wrote:
> My next step is to get on the phone with the folks who have access to the "checkpoint" VPN device to see if they can tell me what fails.
Based on a brief googling I didn't see anyone who has a working
connection to a Checkpoint VPN. They (used to?) have a linux version
of their Checkpoint Securemote client but that seems to be gone from
their site now with only Windows and Mac OS X versions showing. The
accepted "solution" seemed to be to use SSH to tunnel your traffic
through a Windows machine (either real or virtual) which is connected
to the VPN.
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Michael Higgins @ 2009-05-19 20:29 UTC
To: gentoo-user
On Tue, 19 May 2009 13:57:21 -0500
Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> Based on a brief googling I didn't see anyone who has a working
> connection to a Checkpoint VPN.
Thanks, Paul. I've already got the "solution", as I'm not so much trying to get something accomplished (access machines "inside" which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate "real-world" implementations specifically outlined for the Gentoo community -- that I can find. :(
Just a definitive answer to "which Gentoo packages and USE flags do I need to emerge so to do this"? .. would be a HUGE help (as weeks later I *still* don't know for sure). And if 60%+ of the folks following it got lucky with cut-n-paste from a how-to, then... great!
Say if all the related items were configured, tested and ultimately failed, if documented publicly it'd at the least serve as a good template for anyone else trying to troubleshoot a VPN connection when using Gentoo on a client machine.
Or, should I instead, just go outside and play? I thought someone else here had hoped to make something like this work... ;-)
Anyway, thanks again for taking a look.
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Mick @ 2009-05-19 21:08 UTC
To: gentoo-user
On Tuesday 19 May 2009, Michael Higgins wrote:
> On Tue, 19 May 2009 13:57:21 -0500
>
> Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> > Based on a brief googling I didn't see anyone who has a working
> > connection to a Checkpoint VPN.
>
> Thanks, Paul. I've already got the "solution", as I'm not so much trying to get
> something accomplished (access machines "inside" which I can do just fine
> with SSH tunnel), as to figure out why we have these various, related, open
> source software packages available but no basic client-to-corporate
> "real-world" implementations specifically outlined for the Gentoo community
> -- that I can find. :(
>
> Just a definitive answer to "which Gentoo packages and USE flags do I need
> to emerge so to do this"? .. would be a HUGE help (as weeks later I *still*
> don't know for sure). And if 60%+ of the folks following it got lucky with
> cut-n-paste from a how-to, then... great!
>
> Say if all the related items were configured, tested and ultimately failed,
> if documented publicly it'd at the least serve as a good template for
> anyone else trying to troubleshoot a VPN connection when using Gentoo on a
> client machine.
>
> Or, should I instead, just go outside and play? I thought someone else here
> had hoped to make something like this work... ;-)
I very much share your frustration. On and off (OK, mostly off) I have been
trying to get a VPN connection to my router going, and have tried vpnc, kvpnc
and racoon all of which failed. Meanwhile, a friend tried the shrew VPN
client and succeeded after a couple of hours of tweaking his Vista box!
Arrrgh!
I assume that I have all the right components installed (judging from the wiki
pages) but I am not sure about my configuration. Unlike your set up which
seems to be almost there, mine won't even complete stage 1 handshake. Very,
very, very frustrating ...
Sorry that I can't be of much help with this. :(
--
Regards,
Mick
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Michael Higgins @ 2009-05-19 23:04 UTC
To: gentoo-user
On Tue, 19 May 2009 22:08:10 +0100
Mick <michaelkintzios@gmail.com> wrote:
> On Tuesday 19 May 2009, Michael Higgins wrote:
> > On Tue, 19 May 2009 13:57:21 -0500
> >
> > Paul Hartman <paul.hartman+gentoo@gmail.com> wrote:
> > > Based on a brief googling I didn't see anyone who has a working
> > > connection to a Checkpoint VPN.
> >
> > Thanks, Paul. I've already the "solution", as I'm not so much
> > trying to get something accomplished (access machines "inside"
> > which I can do just fine with SSH tunnel), as to figure out why we
> > have these various, related, open source software packages
> > available but no basic client-to-corporate "real-world"
> > implementations specifically outlined for the Gentoo community --
> > that I can find. :(
[...]
> > Or, should I instead, just go outside and play? I thought someone
> > else here had hoped to make something like this work... ;-)
>
> I very much share your frustration. On and off (OK, mostly off) I
> have been trying to get a VPN connection to my router going, and have
> tried vpnc, kvpn and racoon all of which failed. Meanwhile, a friend
> tried the shrew VPN client and succeeded after a couple of hours of
> tweaking his Vista box! Arrrgh!
Yeah, I have no problem getting to "working" with XP on VMware.
Naturally, I haven't given up. Seems like it's nearly there... also, there are some examples and docs installed.
>
> I assume that I have all the right components installed (judging from
> the wiki pages)
Wiki pages? Hmm. Which ones?
> but I am not sure about my configuration. Unlike
> your set up which seems to be almost there, mine won't even complete
> stage 1 handshake. Very, very, very frustrating ...
Well, racoon now claims it has started the connexion. It could have been as trivial as a trailing ' ' on my pre-shared secret. Or not...
Either way, it's still not working... just a bit closer.
racoonctl vc pub.vpn.ip.add
VPN connexion established
And still nothing useful happens.
ping -c 1 192.168.243.140
PING 192.168.243.140 (192.168.243.140) 56(84) bytes of data.
--- 192.168.243.140 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
And tons of debug info. Well, it's more than I had, but less than useful.
>
> Sorry that I can't be of much help with this. :(
No worries.
It seems like this really *should* be possible, though. I'll try to post my findings if I get it working.
DEBUG: pfkey UPDATE succeeded: ESP/Tunnel pub.vpn.ip.add[0]->192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 198.145.243.130[0]->192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: phase2(quick): 0.337284
May 19 16:00:21 lappy racoon: DEBUG: ===
May 19 16:00:21 lappy racoon: DEBUG: pk_recv: retry[0] recv()
May 19 16:00:21 lappy racoon: DEBUG: get pfkey ADD message
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.100[4500]->pub.vpn.ip.add[4500] spi=1021286747(0x3cdf995b)
Not much showing for the failure to communicate, though. :(
Cheers,
--
|\ /| | | ~ ~
| \/ | |---| `|` ?
| |ichael | |iggins \^ /
michael.higgins[at]evolone[dot]org
* Re: [gentoo-user] How to IPSEC "M$oft" VPN client setup
From: Paul Hartman @ 2009-05-20 14:54 UTC
To: gentoo-user
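The state Michael describes above (racoonctl reports the connection up, both IPsec SAs are logged as established, yet a ping to the inside host gets nothing back) is the one the following added example is meant to narrow down. It is not code from the thread or from ipsec-tools. It parses racoon's "IPsec-SA established" lines in the format logged above and the kernel SPD as printed by `setkey -DP`, then answers two questions for a given source/destination pair: is there an outbound policy that covers the packet at all, and do that policy's tunnel endpoints line up with an SA racoon actually negotiated? When no policy matches, the kernel never hands the packet to IPsec; it goes out in the clear over the normal routing table and the far end never sees ESP, which produces exactly this symptom. The `setkey -DP` text, the copy of the log lines, the 10/8 and 172.16/16 selectors and the second gateway 203.0.113.9 are constructed samples; the first-match rule is an assumption that ignores kernel policy priorities.

```python
"""Diagnose an IPsec tunnel that racoon reports as established but that carries no traffic.

Added example for the thread above, not code from the thread or from ipsec-tools.
Inputs: racoon log lines ("IPsec-SA established ...") and `setkey -DP` output.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches e.g. "IPsec-SA established: ESP/Tunnel 1.2.3.4[0]->5.6.7.8[0] spi=123(0x7b)"
SA_RE = re.compile(r"IPsec-SA established: (\w+)/(\w+) (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)")

# Constructed sample, mirroring the two SA lines in the message above (same addresses).
RACOON_LOG_SAMPLE = """\
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 198.145.243.130[0]->192.168.1.100[0] spi=53896550(0x3366566)
May 19 16:00:21 lappy racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.100[4500]->198.145.243.130[4500] spi=1021286747(0x3cdf995b)
"""

# Constructed `setkey -DP` output: tunnel policies for 10/8 (matching the SAs above)
# and for 172.16/16 via a gateway (203.0.113.9) racoon never negotiated with.
SETKEY_DP_SAMPLE = """\
192.168.1.100[any] 10.0.0.0/8[any] any
\tout ipsec
\tesp/tunnel/192.168.1.100-198.145.243.130/require
\tspid=1 seq=2 pid=4242
\trefcnt=1
10.0.0.0/8[any] 192.168.1.100[any] any
\tin ipsec
\tesp/tunnel/198.145.243.130-192.168.1.100/require
\tspid=2 seq=1 pid=4242
\trefcnt=1
192.168.1.100[any] 172.16.0.0/16[any] any
\tout ipsec
\tesp/tunnel/192.168.1.100-203.0.113.9/require
\tspid=3 seq=0 pid=4242
\trefcnt=1
"""


@dataclass
class SecurityAssociation:
    proto: str  # "esp" or "ah"
    mode: str   # "tunnel" or "transport"
    src: str
    dst: str
    spi: int


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper_proto: str
    direction: str = ""  # "in", "out" or "fwd"
    action: str = ""     # "ipsec", "discard" or "none"
    # one (proto, mode, tunnel_src, tunnel_dst, level) per "esp/tunnel/a-b/require" line
    requests: List[Tuple[str, str, Optional[str], Optional[str], str]] = field(default_factory=list)


def parse_racoon_log(text: str) -> List[SecurityAssociation]:
    """Collect every SA racoon announced as established."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            proto, mode, src, dst, spi = m.groups()
            sas.append(SecurityAssociation(proto.lower(), mode.lower(), src, dst, int(spi)))
    return sas


def _selector(token: str) -> ipaddress.IPv4Network:
    """'192.168.243.0/24[any]' -> 192.168.243.0/24; a bare host address becomes a /32."""
    return ipaddress.ip_network(token.split("[", 1)[0], strict=False)


def parse_setkey_policies(text: str) -> List[Policy]:
    """Unindented lines start a policy (src dst upper-proto); indented lines carry the
    direction/action, the IPsec request(s), and bookkeeping (spid/refcnt) that is skipped."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            tokens = raw.split()
            if len(tokens) < 3:
                continue
            cur = Policy(_selector(tokens[0]), _selector(tokens[1]), tokens[2])
            policies.append(cur)
            continue
        if cur is None:
            continue
        parts = raw.split()
        head = parts[0]
        if head in ("in", "out", "fwd") and len(parts) >= 2:
            cur.direction, cur.action = head, parts[1]
        elif head.split("/", 1)[0] in ("esp", "ah", "ipcomp"):
            fields = head.split("/")               # esp/tunnel/a-b/require or esp/transport//require
            endpoints = fields[2] if len(fields) > 2 else ""
            level = fields[3] if len(fields) > 3 else ""
            tsrc, tdst = endpoints.split("-", 1) if "-" in endpoints else (None, None)
            cur.requests.append((fields[0], fields[1], tsrc, tdst, level))
    return policies


def diagnose(policies: List[Policy], sas: List[SecurityAssociation], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Explain the fate of an outbound packet src_ip -> dst_ip. Status is one of:
    no-policy (sent in the clear, IPsec never involved), not-ipsec (entry says discard/none),
    policy-without-sa (entry wants a tunnel racoon did not set up), ok (look beyond IPsec).
    Assumption: first matching entry wins; real kernels also weigh policy priority."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if p.direction == "out" and s in p.src and d in p.dst]
    if not matches:
        return "no-policy", f"no outbound SPD entry covers {src_ip} -> {dst_ip}"
    p = matches[0]
    if p.action != "ipsec":
        return "not-ipsec", f"entry {p.src} -> {p.dst} has action '{p.action}'"
    for proto, mode, tsrc, tdst, _level in p.requests:
        have = any(sa.proto == proto and sa.mode == mode
                   and (tsrc is None or (sa.src == tsrc and sa.dst == tdst)) for sa in sas)
        if not have:
            return "policy-without-sa", f"entry wants {proto}/{mode} {tsrc}->{tdst}, no such SA"
    return "ok", f"entry {p.src} -> {p.dst} has its SA; IPsec is not the layer dropping this"


if __name__ == "__main__":
    pols, sas = parse_setkey_policies(SETKEY_DP_SAMPLE), parse_racoon_log(RACOON_LOG_SAMPLE)
    for target in ("192.168.243.140", "10.1.2.3", "172.16.5.5"):
        print(target, *diagnose(pols, sas, "192.168.1.100", target))
```

On a real client, capture `setkey -DP` and the racoon log to files and feed them to the two parsers; `ip xfrm policy` shows the same kernel table in a different layout and would need its own parser. If the result is "no-policy" for the inside address, the fix is on the SPD side (an spdadd covering the inside range, or the peer's traffic selectors), not in the IKE configuration, since phase 1 and phase 2 already completed.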
On Tue, May 19, 2009 at 3:29 PM, Michael Higgins <linux@evolone.org> wrote:
>
> Thanks, Paul. I've already the "solution", as I'm not so much trying to get something accomplished (access machines "inside" which I can do just fine with SSH tunnel), as to figure out why we have these various, related, open source software packages available but no basic client-to-corporate "real-world" implementations specifically outlined for the Gentoo community -- that I can find. :(
Well I am by no means an expert but I think the big problem in finding
answers is that a "VPN" has no specific definition... it's a general
term used for dozens of different and mostly incompatible
technologies. See here for someone's list (from 2006) of different
types of VPN servers: http://lists.virus.org/vpn-0604/msg00005.html
I've been happily connecting to a Cisco ipsec VPN for years in linux
using either the proprietary cisco-vpnclient-3des or the open-source
vpnc and it works just fine. In fact it works better than on Windows,
because there is no 64-bit Cisco VPN client on Windows! I've also
connected Windows XP and Linux using a PPTP (known to be insecure) VPN
without problems (using poptop? or something. it was a long time ago).
If your VPN uses Checkpoint SecuRemote then that's a very specific
implementation you need to focus on.
Wikipedia's page on Checkpoint VPN has some info that may be useful:
http://en.wikipedia.org/wiki/Check_Point_VPN-1
The wiki page mentions Nokia using Checkpoint in their own branded VPN
solution. On Nokia's mobile VPN client page, there are some PDFs that
contain set-up info for Checkpoint VPNs which may give you some clues
as to what settings you need to use in your linux implementation:
http://www.businesssoftware.nokia.com/mobile_vpn_downloads.php
I did some more googling and found what appears to be the actual
Checkpoint client for Linux. YMMV, use at your own risk, etc :)
http://students.ee.sun.ac.za/~15312704/linux/sc_linux_1-53328_36.tgz
I don't know if it'll even work on a modern Gentoo... it seems to be
geared toward Redhat 7, which isn't exactly a new release. But maybe
redhat in a vmware is better than Windows in a vmware. :)
Good luck!
Thread overview: 14+ messages
2009-05-05 16:00 [gentoo-user] How to IPSEC "M$oft" VPN client setup Michael Higgins
2009-05-05 16:12 ` Paul Hartman
2009-05-05 16:49 ` Graham Murray
2009-05-11 20:30 ` Michael Higgins
2009-05-16 16:40 ` Mick
2009-05-16 17:10 ` Graham Murray
2009-05-16 23:29 ` Mick
2009-05-17 11:07 ` Mick
2009-05-19 18:22 ` Michael Higgins
2009-05-19 18:57 ` Paul Hartman
2009-05-19 20:29 ` Michael Higgins
2009-05-19 21:08 ` Mick
2009-05-19 23:04 ` Michael Higgins
2009-05-20 14:54 ` Paul Hartman