I've been trying for two weeks to get a VPN connection working between
my laptop while I'm at my university and my home private network.
Linux has been my starting point, and since the new kernel (2.6)
supports IPsec natively, I wanted to go with that...
I've heard of lots of PPTP problems and I don't want to risk it. High
security is something I'd like to focus on.
I installed the racoon IKE daemon, and it runs just fine. I'm using
certificates generated with openssl. My Windows XP laptop has the
certificate successfully installed. I then proceed to connect to the
linux computer (keep in mind while I test all of this, it's internal,
I haven't even tried to connect from the university yet because it
won't even work at home).
I get this error when I try to connect:
---------
Feb 5 18:50:32 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r():
respond new phase 1 negotiation:
192.168.1.103[500]<=>192.168.1.101[500]
Feb 5 18:50:32 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin
Identity Protection mode.
Feb 5 18:50:32 [racoon] ERROR: ipsec_doi.c:1938:check_attr_isakmp():
invalid auth method 65005.
- Last output repeated 12 times -
Feb 5 18:50:33 [racoon] WARNING:
isakmp_inf.c:1343:isakmp_check_notify(): ignore INITIAL-CONTACT
notification, because it is only accepted after phase1.
Feb 5 18:50:33 [racoon] ERROR: crypto_openssl.c:348:cb_check_cert():
unable to get local issuer certificate(20) at depth:0 [insert my
certificate information here]
Feb 5 18:50:33 [racoon] ERROR: oakley.c:1335:oakley_validate_auth():
the peer's certificate is not verified.
Feb 5 18:50:52 [racoon] ERROR: isakmp_inf.c:145:isakmp_info_recv():
ignore information because ISAKMP-SA has not been established yet.
---------
Further, I'd like to point out that this error is not generated when
using the Windows native IPsec client.
I then got frustrated, figuring it was the client I was using that
wasn't working with the IPsec config. So I installed the L2TP daemon
on my linux box in order to use my Windows XP native client, and it's
still not working. Strangely, when I try to connect using the
L2TP/IPsec connection, it simply seems to time out. The racoon daemon
on my linux server does *not* even notice the Windows XP client is
trying to connect... It's as though there's no attempt to negotiate
between the computers.
A sniffer revealed nothing, although strangely enough I got a bunch of
ICMP "destination unreachable" packets floating around. (However,
the IP addresses for the two computers were correctly set in both the
client and the server, and obviously the connection and routing are fine,
since I can attempt to connect to the server using the 3rd party
client, and racoon complains.)
Help would be GREATLY appreciated. I'm going crazy. I'd use PPTP but
I'm too worried about the security level... And IPsec seems like a
perfect solution. I have a friend who simply clicks a button and bam,
he's connected to his corporate intranet using IPsec...not a single
problem. All his traffic is painlessly routed through the connection.
So far, I can't achieve that.
Thanks in advance.
New problem, kind of. I bought SSH Sentinel 1.4, and here I am trying
to get the thing to work with Racoon/KAME IKE tools (using the 1.6
Kernel for Linux).
Here's the dump that I get from racoon's logging...
[quote]
Feb 12 17:38:49 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r():
respond new phase 1 negotiation:
192.168.1.103[500]<=>192.168.1.101[500]
Feb 12 17:38:49 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin
Identity Protection mode.
Feb 12 17:38:49 [racoon] WARNING: ipsec_doi.c:1723:check_spi_size():
SPI size isn't zero, but IKE proposal.
Feb 12 17:38:49 [racoon] WARNING: isakmp_ident.c:943:ident_r2recv():
CR received, ignore it. It should be in other exchange.
- Last output repeated 2 times -
Feb 12 17:38:49 [racoon] WARNING:
isakmp_inf.c:1343:isakmp_check_notify(): ignore INITIAL-CONTACT
notification, because it is only accepted after phase1.
Feb 12 17:38:49 [racoon] WARNING:
crypto_openssl.c:348:cb_check_cert(): self signed certificate(18) at
depth:0 [insert my certificate information here]
Feb 12 17:38:49 [racoon] ERROR: oakley.c:1579:oakley_getsign(): failed
to get private key.
Feb 12 17:38:49 [racoon] ERROR: isakmp.c:624:ph1_main(): failed to
process packet.
Feb 12 17:38:49 [racoon] ERROR: isakmp.c:439:isakmp_main(): phase1
negotiation failed.
Feb 12 17:39:20 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r():
respond new phase 1 negotiation:
192.168.1.103[500]<=>192.168.1.101[500]
Feb 12 17:39:20 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin
Identity Protection mode.
Feb 12 17:39:20 [racoon] WARNING: ipsec_doi.c:1723:check_spi_size():
SPI size isn't zero, but IKE proposal.
Feb 12 17:39:20 [racoon] WARNING: isakmp_ident.c:943:ident_r2recv():
CR received, ignore it. It should be in other exchange.
- Last output repeated 2 times -
Feb 12 17:39:20 [racoon] WARNING:
isakmp_inf.c:1343:isakmp_check_notify(): ignore INITIAL-CONTACT
notification, because it is only accepted after phase1.
Feb 12 17:39:20 [racoon] WARNING:
crypto_openssl.c:348:cb_check_cert(): self signed certificate(18) at
depth:0 [insert my certificate information here]
Feb 12 17:39:20 [racoon] ERROR: oakley.c:1579:oakley_getsign(): failed
to get private key.
Feb 12 17:39:20 [racoon] ERROR: isakmp.c:624:ph1_main(): failed to
process packet.
Feb 12 17:39:20 [racoon] ERROR: isakmp.c:439:isakmp_main(): phase1
negotiation failed.
Feb 12 17:39:50 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r():
respond new phase 1 negotiation:
192.168.1.103[500]<=>192.168.1.101[500]
Feb 12 17:39:50 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin
Identity Protection mode.
Feb 12 17:39:50 [racoon] WARNING: ipsec_doi.c:1723:check_spi_size():
SPI size isn't zero, but IKE proposal.
Feb 12 17:39:50 [racoon] WARNING: isakmp_ident.c:943:ident_r2recv():
CR received, ignore it. It should be in other exchange.
- Last output repeated 2 times -
Feb 12 17:39:50 [racoon] WARNING:
isakmp_inf.c:1343:isakmp_check_notify(): ignore INITIAL-CONTACT
notification, because it is only accepted after phase1.
Feb 12 17:39:50 [racoon] WARNING:
crypto_openssl.c:348:cb_check_cert(): self signed certificate(18) at
depth:0 [insert my certificate information here]
Feb 12 17:39:50 [racoon] ERROR: oakley.c:1579:oakley_getsign(): failed
to get private key.
Feb 12 17:39:50 [racoon] ERROR: isakmp.c:624:ph1_main(): failed to
process packet.
Feb 12 17:39:50 [racoon] ERROR: isakmp.c:439:isakmp_main(): phase1
negotiation failed.
[/quote]
I don't get it...this client seems to get further than the original
3rd party client I was using...but I don't know what in the world is
going wrong with the connection!
I've followed the HowTo guides to the letter...
Help/thoughts/interpretations of what is really going on would be
GREATLY appreciated. Thanks :)
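The two racoon logs above both fail inside OpenSSL's certificate handling: the first post gets "unable to get local issuer certificate(20)", the second gets "self signed certificate(18)" followed by "failed to get private key". The numbers in parentheses are OpenSSL's X509 verify error codes, and the same checks can be reproduced with the openssl command line before racoon is involved at all. The script below is an added example, not from the original posts or from the racoon/KAME project: it builds a throwaway CA, a gateway certificate signed by it, an unrelated second CA and an unrelated private key (all constructed names and files), then shows which combination produces error 20, which produces error 18, and how to confirm that a private key actually belongs to the certificate it is paired with. The helper names `verify_code` and `key_matches_cert` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original posts): reproduce OpenSSL verify
# errors 20 and 18 as seen in the racoon logs, and check that a private key
# belongs to a certificate. Every file and name below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical home CA and a gateway certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Home VPN CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-gateway" \
    -keyout gw.key -out gw.csr >/dev/null 2>&1
openssl x509 -req -in gw.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out gw.crt >/dev/null 2>&1
# A second, unrelated CA (models a trust store that lacks the real issuer).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout other_ca.key -out other_ca.crt >/dev/null 2>&1
# An unrelated private key (models a key file that does not match the cert).
openssl genrsa -out other.key 2048 >/dev/null 2>&1

# verify_code CAFILE CERT: print the X509 verify error code for CERT when
# checked against CAFILE, or 0 when the chain verifies. The sed pattern
# keys on "error N at D depth", which is stable across OpenSSL versions
# even though the wording after it changes.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' \
        | head -n 1)
    echo "${code:-1}"
}

# key_matches_cert KEY CERT: succeed only if the public key embedded in
# CERT is the one derived from KEY, i.e. the pair a daemon must be given
# when it is told to sign with a certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Issued certificate checked against its own CA: verifies (0).
echo "gw.crt against ca.crt:       $(verify_code ca.crt gw.crt)"
# Issued certificate checked against a store missing its issuer: error 20,
# the "unable to get local issuer certificate" case from the first log.
echo "gw.crt against other_ca.crt: $(verify_code other_ca.crt gw.crt)"
# Self-signed certificate that is not itself trusted: error 18, the
# "self signed certificate at depth:0" case from the second log.
echo "ca.crt against other_ca.crt: $(verify_code other_ca.crt ca.crt)"

# Key/certificate pairing: the matching key passes, an unrelated key fails.
if key_matches_cert gw.key gw.crt; then
    echo "gw.key matches gw.crt"
fi
if ! key_matches_cert other.key gw.crt; then
    echo "other.key does NOT match gw.crt"
fi
```

Read against the logs: error 20 means the verifier found no certificate in its trust store that issued the peer's certificate, so the fix is on the side doing the verifying (the CA that signed the peer's certificate has to be in the directory or file racoon is pointed at). Error 18 means the peer presented a self-signed certificate that is not itself in the trust store; a self-signed certificate is only ever accepted by being trusted directly. The key check covers the "failed to get private key" line, which is independent of peer verification: it concerns the local certificate and private key pair, and the script's last two branches show the test that distinguishes a matching pair from a mismatched one.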