Overview
This HOWTO describes how to set up a GNU/Linux box as an IPsec gateway and a Nokia VPN client as a road warrior so that they can talk to each other. The protocol used is IPsec with RSA (certificate) authentication. While most of the procedures described here are documented somewhere or other, I could not find them summarized under one roof, so I decided to do it myself.
To get this setup going, you will have to set up a certificate authority (CA) to issue certificates, patch the racoon IKE daemon to work around the Nokia VPN client's problematic NAT-T negotiation, and configure both the racoon daemon and the Nokia VPN client so that they can talk to each other and recognize the certificates.
This HOWTO assumes intermediate knowledge of GNU/Linux: you are assumed to know your shell and to have no problems compiling packages from source. I do not assume any specific GNU/Linux distribution, just a 2.6.x kernel.
Prerequisites
GNU/Linux
- openssl
- ipsec-tools modified for Nokia (see this post)
- possibly open the firewall to the IPsec packets (see this post)
- 2.6 kernel
Nokia
- Mobile VPN Client version >= 3.1 (get it from Nokia)
- A compatible phone
Setting up a certificate infrastructure
Generating CA certificate
First we need to set up a certificate authority (CA) to sign all the certificates used for authenticating the gateway and clients.

# set certificate_dir to the directory you wish to keep all the certificates in
mkdir ${certificate_dir} && cd ${certificate_dir}
# generate a 2048 bit RSA key for the CA
openssl genrsa 2048 > ca.key
# generate the CA bookkeeping files
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo "00" > demoCA/serial
echo "00" > demoCA/crlnumber
# generate the CA certificate and link a hash to it
openssl req -days 1825 -x509 -new -key ca.key > ca.crt
ln -s ca.crt `openssl x509 -noout -hash -in ca.crt`.0
# generate the certificate revocation list (CRL) and its hash link
openssl ca -gencrl -cert ca.crt -keyfile ca.key -out crl.pem
ln -s crl.pem `openssl crl -noout -hash < crl.pem`.r0

At this stage we have a CA with enough function to support all of our IPsec needs. Note that ca.key is written unencrypted and with your default umask: run the above under umask 077 (or chmod 600 ca.key afterwards) and keep ca.key off the gateway, since anyone holding it can issue certificates that racoon will accept.
Creating the gateway certificates
We now create the certificates for our gateway: we create a 2048 bit key, make a request and get it signed by our CA.

cd ${certificate_dir}
openssl genrsa 2048 > vpngw.key
openssl req -new -key vpngw.key > vpngw.csr
openssl ca -keyfile ca.key -cert ca.crt -in vpngw.csr -out vpngw.crt

openssl ca takes its settings from the [ca] section of your openssl.cnf; with the stock policy_match policy the request's country, state and organization must be identical to the CA certificate's, so answer those prompts the same way for every certificate you sign.
Creating certificates for Nokia clients
For each client (or group of clients), we need to create a private key and certificate in a format that Symbian will recognize:

cd ${certificate_dir}
mkdir -p Nokia/vpn
# key and certificate, as for the gateway
openssl genrsa 2048 > client.key
openssl req -new -key client.key > client.csr
openssl ca -keyfile ca.key -cert ca.crt -in client.csr -out client.crt
# convert them into Nokia compatible format:
openssl x509 -outform der -in client.crt -out Nokia/vpn/client.cer
## you MUST enter an encryption password! ##
openssl pkcs8 -outform DER -v2 des-ede3-cbc -topk8 -in client.key -out Nokia/vpn/client.key
# convert the CA certificate into Nokia compatible format:
openssl x509 -outform der -in ca.crt -out Nokia/vpn/ca.crt

Note: you must supply an encryption password for the client key. Also keep punctuation (apostrophes in particular) out of the certificate subject; as reported in the comments below, the phone refuses to install a certificate whose subject contains one.
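The whole certificate procedure above, as an added example that is not part of the original post: a script that builds the CA, the gateway certificate and the three Nokia files non-interactively, then verifies them the way you would before copying them to the phone. It assumes things the post does not state: it writes its own minimal openssl.cnf into the work directory (so openssl ca does not depend on the distribution's config and accepts a client whose O/C differ from the CA's), passes subjects with -subj, takes the client key passphrase from the command line, pins the PKCS#8 PRF to hmacWithSHA1 to reproduce what the OpenSSL of 2010 wrote, and uses placeholder names throughout.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA, gateway and Nokia
# client credentials described above non-interactively, then check them before
# they go to the phone. Assumptions not in the post: a private openssl.cnf is
# written into the work directory, subjects are given with -subj, the client
# key passphrase comes from the command line, and all names are placeholders.
set -eu
umask 077   # keys are created 0600; ca.key must never be readable by others
write_openssl_cnf() {   # write_openssl_cnf <dir>
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = ./demoCA
new_certs_dir    = $dir/newcerts
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_days     = 730
default_crl_days = 30
default_md       = sha256
policy           = policy_anything
unique_subject   = no
x509_extensions  = end_entity
# subject fields not listed here are dropped; only the CN is mandatory
# (the stock policy_match would reject a client whose C/ST/O differ from the CA)
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ end_entity ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_cert
[ req_dn ]
commonName = Common Name
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
EOF
}
make_vpn_pki() {   # make_vpn_pki <certificate_dir> <client-key-passphrase>
    mkdir -p "$1"
    write_openssl_cnf "$1"
    CLIENT_KEY_PASS=$2; export CLIENT_KEY_PASS
    (
        cd "$1"
        mkdir -p demoCA/newcerts Nokia/vpn
        : > demoCA/index.txt
        echo 00 > demoCA/serial
        echo 00 > demoCA/crlnumber
        # CA key, self-signed certificate, hash link and an (empty) CRL
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -config openssl.cnf -new -x509 -days 1825 -key ca.key \
            -subj "/O=Example VPN/CN=Example VPN CA" -out ca.crt
        ln -sf ca.crt "$(openssl x509 -noout -hash -in ca.crt).0"
        openssl ca -config openssl.cnf -gencrl -cert ca.crt -keyfile ca.key -out crl.pem
        ln -sf crl.pem "$(openssl crl -noout -hash -in crl.pem).r0"
        # gateway and client: key, request, CA-signed certificate
        for name in vpngw client; do
            case $name in vpngw) cn=vpngw.example.org ;; *) cn="nokia client 01" ;; esac
            openssl genrsa -out "$name.key" 2048 2>/dev/null
            # keep apostrophes and other punctuation out of the CN: the phone rejects them
            openssl req -config openssl.cnf -new -key "$name.key" \
                -subj "/O=Example VPN/CN=$cn" -out "$name.csr"
            openssl ca -config openssl.cnf -batch -cert ca.crt -keyfile ca.key \
                -in "$name.csr" -out "$name.crt"
        done
        # the three DER files Symbian wants; the key is an encrypted PKCS#8 blob
        # (-v2prf hmacWithSHA1 reproduces OpenSSL 1.0.x output; assumption: an old
        # Symbian client may not accept the newer hmacWithSHA256 default)
        openssl x509 -outform DER -in client.crt -out Nokia/vpn/client.cer
        openssl pkcs8 -topk8 -v2 des-ede3-cbc -v2prf hmacWithSHA1 -outform DER \
            -in client.key -passout env:CLIENT_KEY_PASS -out Nokia/vpn/client.key
        openssl x509 -outform DER -in ca.crt -out Nokia/vpn/ca.crt
    )
}
verify_vpn_pki() {   # verify_vpn_pki <certificate_dir> <client-key-passphrase>
    CLIENT_KEY_PASS=$2; export CLIENT_KEY_PASS
    (
        cd "$1"
        # both certificates chain to ca.crt and are not on the CRL
        openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check vpngw.crt client.crt
        # the DER client certificate's subject carries no quotes
        subj=$(openssl x509 -inform DER -in Nokia/vpn/client.cer -noout -subject)
        case $subj in *\'*|*\"*) echo "subject contains quotes: $subj" >&2; exit 1 ;; esac
        # the key is really encrypted (PBES2 wrapper), the passphrase unlocks it,
        # and it is the key pair of client.cer
        openssl asn1parse -inform DER -in Nokia/vpn/client.key | grep -q PBES2
        cert_pub=$(openssl x509 -inform DER -in Nokia/vpn/client.cer -noout -pubkey)
        key_pub=$(openssl pkcs8 -inform DER -in Nokia/vpn/client.key \
                      -passin env:CLIENT_KEY_PASS | openssl rsa -pubout 2>/dev/null)
        [ "$cert_pub" = "$key_pub" ] || { echo "client.key does not match client.cer" >&2; exit 1; }
    )
}
# usage: sh make-vpn-pki.sh <certificate_dir> <client-key-passphrase>
if [ $# -eq 2 ]; then
    make_vpn_pki "$1" "$2" && verify_vpn_pki "$1" "$2"
fi
```

Run it once per client with a fresh passphrase; the verify step is the one worth keeping around, because a key that does not unlock with the passphrase you think you set, or a subject with a stray apostrophe, is exactly what shows up on the phone as an opaque "failed to install certificate".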
Setting up IKE on GNU/Linux
Use the following racoon.conf file as a template:

# path to the certificates -- use the certificate_dir defined above
path certificate "/etc/racoon/certs";

## uncomment to get a lot of debug output
#log debug;

# substitute the address of the relevant (external) interface here
listen {
    # controlling racoon with the racoonctl tool is disabled
    adminsock disabled;
    isakmp 192.168.10.1 [500];
    isakmp_natt 192.168.10.1 [4500];
}

# remote section - anonymous address of the road-warrior client
# any change in this section should be reflected in the Nokia vpn policy file
remote anonymous {
    exchange_mode main;
    certificate_type x509 "vpngw.crt" "vpngw.key";
    ca_type x509 "ca.crt";
    verify_cert on;
    proposal_check claim;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    ike_frag on;
    passive on;
    verify_identifier on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    # agreement proposal in IKE first phase
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}

# SA information for IKE second phase
# any change in this section should be reflected in the Nokia vpn policy file
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

#############################################################
## local network information
## change the settings in this section to suit your own network setup
mode_cfg {
    # starting address of the IP address pool
    network4 192.168.10.20;
    # maximum number of clients
    pool_size 20;
    # network mask
    netmask4 255.255.255.0;
    # authentication source - user database on the system (used when xauth is on)
    auth_source system;
    # configuration source - from data given in this section
    conf_source local;
    # DNS and WINS server IP addresses
    dns4 192.168.10.1;
    wins4 192.168.10.1;
    # banner file - welcome message
    banner "/etc/racoon/motd";
}

Things to remember
- At the top of the file, set "path certificate" to the directory holding your CA and vpngw certificates and the crl.pem hash link.
- You will mostly need to change the mode_cfg section to suit your own network. The other sections should be good as-is.
- The "remote" and "sainfo" sections are tailored to fit the Nokia VPN profile, so any change there must be mirrored in the Nokia VPN policy (and vice versa); otherwise phase 1 or phase 2 negotiation fails.
- modp1024 and SHA-1 are weak by current standards; they are used here because they are what the Nokia policy below negotiates. Do not weaken them any further.
- verify_cert on with ca_type x509 "ca.crt" means every certificate issued by your CA is accepted unless it appears in crl.pem. When a phone is lost, revoke its certificate (openssl ca -revoke client.crt -cert ca.crt -keyfile ca.key), regenerate crl.pem and its .r0 link as in the CA section, and copy them into the certificate path.
- adminsock disabled means racoonctl cannot talk to the daemon (racoonctl reload-config fails with "Bad file descriptor"); restart racoon after a config change, or drop that line.
Setting up the Nokia VPN policy
The Nokia VPN policy file is really a zip archive containing two configuration files (.pol and .pin), the client key and certificate, and the CA certificate. We will construct this archive in the ${certificate_dir}/Nokia/vpn directory. The contents of the directory:
- my-vpn.pin: policy information
- my-vpn.pol: policy configuration
- ca.crt: CA certificate. See above for how to create it
- client.cer: client certificate. See above for how to create it
- client.key: client key. See above for how to create it
The policy information file (my-vpn.pin) only describes the policy:

[POLICYNAME]
My First VPN Policy
[POLICYVERSION]
1.0
[POLICYDESCRIPTION]
This is my first policy. Lets see if it works
[ISSUERNAME]
Me LTD.
[CONTACTINFO]
me@me.org, +44-11111111

The policy configuration file (my-vpn.pol) contains all the config info. The following file is compatible with the racoon config given above:
SECURITY_FILE_VERSION: 1
[INFO]
My First VPN
[POLICY]
sa my-vpn = {
    esp
    ## AES-256
    encrypt_alg 12
    max_encrypt_bits 256
    ## SHA-1
    auth_alg 3
    identity_remote 0.0.0.0/0
    src_specific
    hard_lifetime_bytes 0
    hard_lifetime_addtime 3600
    hard_lifetime_usetime 3600
    soft_lifetime_bytes 0
    soft_lifetime_addtime 3600
    soft_lifetime_usetime 3600
    replay_win_len 0
    ## perfect forward secrecy (see also IKE section)
    pfs
}
remote 0.0.0.0 0.0.0.0 = { my-vpn(**GATEWAY_IP**) }
inbound = { }
outbound = { }
[IKE]
ADDR: **GATEWAY_IP** 255.255.255.255
IKE_VERSION: 1
MODE: Main
ID_TYPE: 9
REPLAY_STATUS: FALSE
USE_MODE_CFG: TRUE
IPSEC_EXPIRE: TRUE
USE_XAUTH: FALSE
USE_COMMIT: FALSE
ESP_UDP_PORT: 0
SEND_NOTIFICATION: TRUE
INITIAL_CONTACT: TRUE
USE_INTERNAL_ADDR: TRUE
DPD_HEARTBEAT: 90
NAT_KEEPALIVE: 60
REKEYING_THRESHOLD: 90
GROUP_DESCRIPTION_II: MODP_1024
### Proposal
PROPOSALS: 1
ENC_ALG: AES256-CBC
AUTH_METHOD: RSA_SIGNATURES
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1024
GROUP_TYPE: DEFAULT
LIFETIME_KBYTES: 0
LIFETIME_SECONDS: 86400
PRF: NONE
### CA
CAs: 1
FORMAT: BIN
DATA: ca.crt
### Client credentials
OWN_CERT_TYPE: USER
OWN_CERTS:
FORMAT: BIN
DATA: client.cer
PRIVATE_KEY_FORMAT: BIN
PRIVATE_KEY_DATA: client.key

Notes:
- Replace the 2 occurrences of **GATEWAY_IP** with your actual gateway's IP
- Set USE_XAUTH: TRUE for an additional password verification before connecting (racoon then checks the user against the system password database, per auth_source system above)
- Set OWN_CERT_TYPE: DEVICE to allow password-less access to the client key; note that anyone holding the phone can then bring up the VPN without being asked for the key password
Finally, pack everything into the policy archive:

cd ${certificate_dir}/Nokia/vpn
zip my-vpn.vpn my-vpn.pin my-vpn.pol ca.crt client.cer client.key

Copy my-vpn.vpn to the phone and install it. There should be no errors reported.
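The rule from "Things to remember" that the remote and sainfo sections must agree with the Nokia policy is easy to break when tuning either file. The following script, an added example and not part of the original post, pulls the parameters that have to match out of a racoon.conf and a .pol file and reports every disagreement. The two sample files it carries are constructed from the configuration shown above; the spelling table in to_pol() is an assumption read off those same two files rather than racoon or Nokia documentation, and anything it does not recognize is reported as a mismatch rather than silently passed.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a racoon.conf against
# a Nokia .pol file for the parameters that must agree. The sample files are
# constructed from this page; the to_pol() table is an assumption based on them.
set -eu
racoon_get() {   # racoon_get <racoon.conf> <key>: first "key value ...;" in the file
    # keys used here occur once, except encryption_algorithm, whose first
    # occurrence is the phase 1 proposal (the sainfo one comes later)
    awk -v k="$2" '$1 == k { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
pol_get() {      # pol_get <policy.pol> <key>: "KEY: value" ([IKE]) or "key value" ([POLICY])
    awk -v k="$2" '$1 == k || $1 == (k ":") { print $2; exit }' "$1"
}
to_pol() {       # racoon spelling -> .pol spelling; anything unknown is flagged
    case $1 in
        "aes 256") echo AES256-CBC ;;
        sha1)      echo SHA1 ;;
        modp1024)  echo MODP_1024 ;;
        main)      echo Main ;;
        rsasig)    echo RSA_SIGNATURES ;;
        *)         echo "UNMAPPED($1)" ;;
    esac
}
racoon_seconds() {   # racoon lifetime "time 1 hour" -> 3600
    set -- $1
    case ${3:-} in
        sec*)  echo "$2" ;;
        min*)  echo $(($2 * 60)) ;;
        hour*) echo $(($2 * 3600)) ;;
        *)     echo "UNMAPPED($*)" ;;
    esac
}
expect() {       # expect <what> <racoon side> <policy side>
    if [ "$2" = "$3" ]; then
        printf 'ok       %-14s %s\n' "$1" "$2"
    else
        printf 'MISMATCH %-14s racoon=%s policy=%s\n' "$1" "$2" "$3"
        return 1
    fi
}
check_policy_against_racoon() {   # <racoon.conf> <policy.pol>; returns 0 only if all agree
    rc=0
    expect exchange_mode "$(to_pol "$(racoon_get "$1" exchange_mode)")"         "$(pol_get "$2" MODE)"                  || rc=1
    expect phase1_enc    "$(to_pol "$(racoon_get "$1" encryption_algorithm)")"  "$(pol_get "$2" ENC_ALG)"               || rc=1
    expect phase1_hash   "$(to_pol "$(racoon_get "$1" hash_algorithm)")"        "$(pol_get "$2" HASH_ALG)"              || rc=1
    expect phase1_auth   "$(to_pol "$(racoon_get "$1" authentication_method)")" "$(pol_get "$2" AUTH_METHOD)"           || rc=1
    expect phase1_dh     "$(to_pol "$(racoon_get "$1" dh_group)")"              "$(pol_get "$2" GROUP_DESCRIPTION)"     || rc=1
    expect phase2_pfs    "$(to_pol "$(racoon_get "$1" pfs_group)")"             "$(pol_get "$2" GROUP_DESCRIPTION_II)"  || rc=1
    expect phase2_life   "$(racoon_seconds "$(racoon_get "$1" lifetime)")"      "$(pol_get "$2" hard_lifetime_addtime)" || rc=1
    # a pfs_group on the racoon side needs the "pfs" keyword in the policy's sa block
    if [ -n "$(racoon_get "$1" pfs_group)" ] && ! grep -q '^[[:space:]]*pfs[[:space:]]*$' "$2"; then
        echo 'MISMATCH pfs            racoon sets pfs_group but the policy sa block has no "pfs" line'
        rc=1
    fi
    return $rc
}
write_sample_configs() {   # <dir>: the relevant parts of the two files shown on this page
    cat > "$1/racoon.conf" <<'EOF'
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp1024;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
EOF
    cat > "$1/my-vpn.pol" <<'EOF'
[POLICY]
sa my-vpn = {
    esp
    encrypt_alg 12
    max_encrypt_bits 256
    auth_alg 3
    hard_lifetime_addtime 3600
    pfs
}
[IKE]
MODE: Main
GROUP_DESCRIPTION_II: MODP_1024
ENC_ALG: AES256-CBC
AUTH_METHOD: RSA_SIGNATURES
HASH_ALG: SHA1
GROUP_DESCRIPTION: MODP_1024
EOF
}
# usage: sh check-vpn-policy.sh /etc/racoon/racoon.conf Nokia/vpn/my-vpn.pol
# with no arguments it checks this page's own sample configuration against itself
if [ $# -eq 2 ]; then
    check_policy_against_racoon "$1" "$2"
elif [ $# -eq 0 ]; then
    sample_dir=$(mktemp -d)
    write_sample_configs "$sample_dir"
    check_policy_against_racoon "$sample_dir/racoon.conf" "$sample_dir/my-vpn.pol"
fi
```

The phase 2 ESP algorithms are not compared because the .pol side expresses them as numeric codes (encrypt_alg 12, auth_alg 3) that the page only documents through its comments; if you change encryption_algorithm or authentication_algorithm in sainfo, check those two numbers by hand.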
Enjoy the VPN
How do I turn on the firewall for my notebook? I am using a Dell Latitude. I hope you could help me with this. Your response will be highly appreciated! More power to you and your site!
The CA cert installed successfully on my phone (E72) but then the client cert fails with "Failed to install Certificate. Reason Code -6, certificate: Type: USER, Label: James E, Subject: James E. Issuer Tes."
Followed by an error "Failed to install Policy 'unknown', reason code -5235". From the Nokia documentation this means "-5235 User certificate file defined in the POL file is not found. See reference document [3] for details."
Any ideas?
James,
Did you password protect the client key?
Shai
Shai,
Yeah, the key was password protected; the issue that caused these errors was that I'd used an apostrophe in the subject name, e.g. "James's E72". Recreating the cert without punctuation in the subject name fixed this error.
However, I next encountered another issue. Now it would install both certificates, but fail with the usual "Failed to install, see vpn log" message. This time, however, there was nothing in the log to indicate an error; the last message was "Installed certificate".
I worked it out in the end, it seems my provider had locked my network destinations. Any attempt to edit a destination would result in a message saying "Unable to edit protected destination". This appears to be what was preventing the policy from installing.
I solved this problem by:
1) Flashing with generic euro firmware
2) Performing hard reset
3) Flashing my operators firmware back on (I like their theme!).
Now policies install and I can connect to my VPN. Trying to get my head around how to configure it so it actually routes somewhere now!
James,
Glad it worked for you. Are you connecting to a Linux gateway?
Excellent article!
I can confirm this worked with a Nokia E75 and Ubuntu 10.04. Pity we need to patch racoon though.
But I can finally shutdown my crappy PPTP VPN and have a nice secure certificate based vpn.
Thank you!
Gino,
I'm glad I helped.
I'm having disconnect problems with E72 phones which I didn't have with E51 phones (i.e. the VPN disconnects after ~2 minutes). What is your experience with the E75?
Can anybody help me to solve this?
2010-08-17 01:08:55: INFO: begin Identity Protection mode.
2010-08-17 01:08:55: INFO: received Vendor ID: DPD
2010-08-17 01:08:55: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2010-08-17 01:08:55: INFO: received Vendor ID: RFC 3947
2010-08-17 01:08:55: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-08-17 01:08:55: INFO: received Vendor ID: CISCO-UNITY
2010-08-17 01:08:55: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-03
2010-08-17 01:08:55: INFO: Adding xauth VID payload.
2010-08-17 01:08:55: INFO: Hashing 192.168.1.25[500] with algo #2
2010-08-17 01:08:55: INFO: NAT-D payload #0 doesn't match
2010-08-17 01:08:55: INFO: Hashing 90.186.XXX.XXX[500] with algo #2
2010-08-17 01:08:55: INFO: NAT-D payload #1 verified
2010-08-17 01:08:55: INFO: NAT detected: ME
2010-08-17 01:08:55: INFO: Hashing 90.186.XXX.XXX[500] with algo #2
2010-08-17 01:08:55: INFO: Hashing 192.168.1.25[500] with algo #2
2010-08-17 01:08:55: INFO: Adding remote and local NAT-D payloads.
2010-08-17 01:08:56: INFO: NAT-T: ports changed to: 90.186.XXX.XXX[4500]<->192.168.1.25[4500]
2010-08-17 01:08:56: INFO: KA list add: 192.168.1.25[4500]->90.186.XXX.XXX[4500]
2010-08-17 01:08:56: ERROR: 5356:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 5356:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:697:
2010-08-17 01:08:56: ERROR: Invalid SIG.
With preshared keys it works.
Hi shaiay,
Not having any disconnects with the E75 - I'm even able to make VoIP calls quite nicely without any real latency through my VPN.
- Gino
Gino,
I found out that the disconnects on the E72 are actually the fault of the native IMAP client, not the VPN.
Shai
James,
The same for me - "Unable to install" without anything relevant in the VPN logs, then after a phone restart the policy is visible in VPN policies.
Now the unsuccessful part: I can't add a destination to "Intranet" because of the same "Unable to edit protected destination" - too bad, because of the broken backup/restore in Nokia Suite (it does not restore Java app settings) I'm not going to try a hard reset, mostly because a week ago I installed brand new, unbranded (totally clean) firmware.
E72-1 (RM-530), 031.023 (yes, I know that there is newer firmware, but I have a hacked one, so I'm not going to drop it :) )
Hi Shai - yeah, the Nokia native IMAP client is rubbish. You might want to try a third-party app called profimail - it's quite nice, handles attachments better, and uses the microSD card rather than phone memory to keep its cached copy of your emails.
Hi,
I have done the above procedure almost word for word with an E71, but when I try to connect to the Linux gateway the mobile shows the message:
"Error: Unspecified error, source 'Acu',
error code -104011, state code 6"
Any idea?
Hi ymaxonline,
I never got this error, but to debug you might want to:
1. Check in the Linux gateway racoon.log whether the E71 even tries to connect.
2. Try to determine which E71 application issues this error:
try to connect with different applications (e.g. web browser, email client, PuTTY for S60) and see if you get the same error.
Also, what do you mean by "almost word for word"?
Shai
hey,
Thanks for the reply. I tried the procedure stated above except one thing, "ipsec-tools fix for Nokia VPN NAT-T": honestly, I didn't understand what to change in 'ipsec-tools-0.7.1/src/racoon/nattraversal.c' before compiling. I think that's why I cannot find racoon.log, and when I run these commands they give me this output:
1) # racoonctl reload-config
#send: Bad file descriptor
2) # racoon -l /var/log/racoon.log
# racoon: failed to parse configuration file.
and my racoon.conf
###############################################
# racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
#path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/home/certificate/";
# substituted the network address of the relevant (external) interface here
listen {
adminsock disabled;
isakmp 192.168.10.1 [500];
isakmp_natt 192.168.10.1 [4500];
}
#remote section . anonymous address of road-warrior client
#any change in this section should be reflected in the Nokia vpn policy file
remote anonymous {
exchange_mode main;
certificate_type x509 "vpngw.crt" "vpngw.key";
ca_type x509 "ca.crt";
############################################
and so on.
Can you tell me, in the listen block, whether the isakmp address is one of my Linux box's interface addresses or a virtual address I should put there?
Hi shaiay ,
I can connect to the Linux box with PuTTY (for S60), and I stated the racoon config. Now I don't know how to fix it.
ymaxonline,
Did you manage to connect with PuTTY using the VPN, i.e. choosing the VPN as the network access point?
If you can, then the VPN is OK and the error is coming from another application.
If you can't, then there is an error with the VPN.
To get the racoon log, you must run racoon with the "-l logfile" command line option.
What Linux distro do you use?
shaiay,
I managed to reconfigure the racoon daemon and now it's working fine, but whenever I try to synchronize with the VPN server from the Nokia E71 it says the same:
"Error: Unspecified error, source 'Acu',
error code -104011, state code 6"
I use CentOS 5.5.
Can you please define the configuration of the IPsec server part? I followed this tutorial and created the certificates and policy file. It installed on my Nokia E51 without any issue. But I would like to know how to configure the IPsec server side. I am using CentOS 5.2.
Hi thameem,
IPsec on the server is handled by the kernel, and IPsec authentication by racoon from the ipsec-tools package.
The racoon configuration file is posted above in the section "Setting up IKE on GNU/Linux".
Also, in the "Prerequisites" section, see the note on customizing ipsec-tools to work around a Nokia bug.
Hello, I tried your tutorial with openSUSE 12.1, and the only thing I had to do was install novell-ipsec-tools (I did not try it with the normal ipsec-tools). And I did not need to patch it for the Nokia.
I followed it thoroughly and I have a working Nokia N8 with me here :)
And many thanks for the iptables part as well :)
Palda,
Since the ipsec-tools version in novell-ipsec-tools looks to be 0.7.3-9, which is not so new, maybe it's Nokia who fixed their IPsec implementation.
Anyway, glad to hear you got it working
Shai
One little problem..
I've set up racoon on Debian and the VPN client on my N95. When I log into the VPN everything works, but I can't get any connections: the web browser says no gateway found, and PuTTY doesn't work either.
In the firewall logs I didn't see anything blocked..
I rechecked everything but the config seems to be as mentioned above.
Any ideas where I made mistakes?
Thanks..
Just to make sure, you did:
Replace the 2 occurrences of **GATEWAY_IP** with your actual gateway's IP
Also, how do you know that "everything works"? It sounds to me like nothing works ...
Of course I replaced it, I used a dyndns hostname.
OK, "everything" was the wrong word for it; the connection to the VPN was successful.
But what I noticed now is that the recommended firewall rules don't include port forwardings; I had used one. The router and the racoon server are the same machine, so this normally wouldn't be necessary, so I removed it.
Now I don't get any connection established; the racoon service seems not to notice any incoming requests.
But do isakmp 192.168.10.1 [500]; and isakmp_natt 192.168.10.1 [4500]; really need the local address and not the provider IP?
And port forwarding is normally not necessary, right? SSH also works without port forwarding..
Thanks
1. The isakmp addresses should be the addresses of the external interface of the router (the address returned by ifconfig).
2. The racoon server should be able to forward IP packets; if it's the gateway in your network then it's already doing that.
3. I'm not sure what port forwarding means in this context.
If you give me some more details on your network maybe I can help: how many interfaces do you have on the router/racoon server? Is this your firewall and router?
OK, I'll try to explain:
The racoon server also contains the firewall and the router; the external interface to the internet is ppp0, then I have a regular internal interface.
So, I changed the isakmp addresses in racoon.conf to my external IP from the provider; now I get the following log:
Jan 12 21:19:04 localhost racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Jan 12 21:19:06 localhost racoon: INFO: Resize address pool from 0 to 255
Jan 12 21:19:06 localhost racoon: INFO: Resize address pool from 255 to 20
Jan 12 21:19:06 localhost racoon: INFO: 87.xx.xx.xx[4500] used as isakmp port (fd=6)
Jan 12 21:19:06 localhost racoon: INFO: 87.xx.xx.xx[4500] used for NAT-T
Jan 12 21:19:06 localhost racoon: INFO: 87.xx.xx.xx[500] used as isakmp port (fd=7)
Jan 12 21:19:06 localhost racoon: INFO: 87.xx.xx.xx[500] used for NAT-T
Jan 12 21:19:57 localhost racoon: INFO: respond new phase 1 negotiation: 87.xx.xx.xx[500]<=>85.xx.xx.xx[500]
Jan 12 21:19:57 localhost racoon: INFO: begin Identity Protection mode.
Jan 12 21:19:57 localhost racoon: INFO: received Vendor ID: DPD
Jan 12 21:19:57 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jan 12 21:19:57 localhost racoon: INFO: received Vendor ID: RFC 3947
Jan 12 21:19:57 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 12 21:19:57 localhost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 12 21:19:57 localhost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-03
Jan 12 21:19:57 localhost racoon: INFO: Adding xauth VID payload.
Jan 12 21:19:57 localhost racoon: INFO: Hashing 87.xx.xx.xx[500] with algo #2
Jan 12 21:19:57 localhost racoon: INFO: NAT-D payload #0 verified
Jan 12 21:19:57 localhost racoon: INFO: Hashing 85.xx.xx.xx[500] with algo #2
Jan 12 21:19:57 localhost racoon: INFO: NAT-D payload #1 doesn't match
Jan 12 21:19:57 localhost racoon: INFO: NAT detected: PEER
Jan 12 21:19:57 localhost racoon: INFO: Hashing 85.xx.xx.xx[500] with algo #2
Jan 12 21:19:57 localhost racoon: INFO: Hashing 87.xx.xx.xx[500] with algo #2
Jan 12 21:19:57 localhost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 12 21:19:57 localhost racoon: INFO: NAT-T: ports changed to: 85.xx.xx.xx[4500]<->87.xx.xx.xx[4500]
Jan 12 21:19:57 localhost racoon: INFO: KA list add: 87.xx.xx.xx[4500]->85.xx.xx.xx[4500]
Jan 12 21:20:47 localhost racoon: ERROR: phase1 negotiation failed due to time up. 2ac1fc0c1b8a38a9:f5138309361f427b
Jan 12 21:20:47 localhost racoon: INFO: KA remove: 87.xx.xx.xx[4500]->85.xx.xx.xx[4500]
Jan 12 21:20:48 localhost racoon: ERROR: unknown Informational exchange received.
So, now racoon is listening on the correct interface, but can't get past phase 1 (the ERROR at the end). It is using NAT-T, which means you have NAT somewhere in your route.
Did you recompile racoon with the patch as explained in the post?
OK, I got a step forward. I built a Debian package and patched the C file, but I had only added "--enable-natt-versions=0,1,2,3,4,5,6,7,8" to the rules file, and other parameters from the list above were missing.
Now the phone gets a connection established again, but when I go to a web site with it I get the message that the gateway doesn't respond.
I get the following log:
Jan 12 21:40:48 localhost racoon: INFO: respond new phase 1 negotiation: 87.xx.xx.xx[500]<=>85.xx.xx.xx[500]
Jan 12 21:40:48 localhost racoon: INFO: begin Identity Protection mode.
Jan 12 21:40:48 localhost racoon: INFO: received Vendor ID: DPD
Jan 12 21:40:48 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jan 12 21:40:48 localhost racoon: INFO: received Vendor ID: RFC 3947
Jan 12 21:40:48 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 12 21:40:48 localhost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 12 21:40:48 localhost racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-03
Jan 12 21:40:48 localhost racoon: INFO: Adding xauth VID payload.
Jan 12 21:40:48 localhost racoon: phase1(ident R msg1): 0.003745
Jan 12 21:40:48 localhost racoon: INFO: Hashing 87.xx.xx.xx[500] with algo #2
Jan 12 21:40:48 localhost racoon: INFO: NAT-D payload #0 verified
Jan 12 21:40:48 localhost racoon: INFO: Hashing 85.xx.xx.xx[500] with algo #2
Jan 12 21:40:48 localhost racoon: INFO: NAT-D payload #1 doesn't match
Jan 12 21:40:48 localhost racoon: INFO: NAT detected: PEER
Jan 12 21:40:48 localhost racoon: oakley_dh_generate(MODP1024): 0.005577
Jan 12 21:40:48 localhost racoon: INFO: Hashing 85.xx.xx.xx[500] with algo #2
Jan 12 21:40:48 localhost racoon: INFO: Hashing 87.xx.xx.xx[500] with algo #2
Jan 12 21:40:48 localhost racoon: INFO: Adding remote and local NAT-D payloads.
Jan 12 21:40:48 localhost racoon: oakley_dh_compute(MODP1024): 0.005533
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=128): 0.000127
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000013
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000011
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000011
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000010
Jan 12 21:40:48 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000011
Jan 12 21:40:48 localhost racoon: phase1(ident R msg2): 0.012573
Jan 12 21:40:49 localhost racoon: INFO: NAT-T: ports changed to: 85.xx.xx.xx[4500]<->87.xx.xx.xx[4500]
.. continued ..
Jan 12 21:40:49 localhost racoon: INFO: KA list add: 87.xx.xx.xx[4500]->85.xx.xx.xx[4500]
Jan 12 21:40:49 localhost racoon: alg_oakley_encdef_decrypt(aes klen=256 size=1488): 0.000267
Jan 12 21:40:49 localhost racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Jan 12 21:40:49 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=428): 0.000019
Jan 12 21:40:49 localhost racoon: oakley_validate_auth(RSA signatures): 0.004132
Jan 12 21:40:49 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=428): 0.000024
Jan 12 21:40:49 localhost racoon: alg_oakley_encdef_encrypt(aes klen=256 size=1344): 0.000079
Jan 12 21:40:49 localhost racoon: phase1(ident R msg3): 0.021857
Jan 12 21:40:49 localhost racoon: phase1(Identity Protection): 0.900088
Jan 12 21:40:49 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000016
Jan 12 21:40:49 localhost racoon: alg_oakley_encdef_encrypt(aes klen=256 size=64): 0.000016
Jan 12 21:40:49 localhost racoon: INFO: ISAKMP-SA established 87.xx.xx.xx[4500]-85.xx.xx.xx[4500] spi:23eb3ecd7c539774:78bab0cae6332b0d
Jan 12 21:40:59 localhost racoon: NOTIFY: the packet is retransmitted by 85.xx.xx.xx[4500].
Jan 12 21:40:59 localhost racoon: alg_oakley_encdef_decrypt(aes klen=256 size=48): 0.000092
Jan 12 21:40:59 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000028
Jan 12 21:40:59 localhost racoon: INFO: Using port 0
Jan 12 21:40:59 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=28): 0.000011
Jan 12 21:40:59 localhost racoon: alg_oakley_encdef_encrypt(aes klen=256 size=64): 0.000011
Jan 12 21:41:01 localhost racoon: INFO: respond new phase 2 negotiation: 87.xx.xx.xx[4500]<=>85.xx.xx.xx[4500]
Jan 12 21:41:01 localhost racoon: alg_oakley_encdef_decrypt(aes klen=256 size=272): 0.000037
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=244): 0.000024
Jan 12 21:41:01 localhost racoon: INFO: no policy found, try to generate the policy : 192.120.120.120/32[0] 0.0.0.0/0[0] proto=any dir=in
Jan 12 21:41:01 localhost racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
.. continued ..
Jan 12 21:41:01 localhost racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jan 12 21:41:01 localhost racoon: phase2(???): 0.000737
Jan 12 21:41:01 localhost racoon: oakley_dh_generate(MODP1024): 0.005034
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=260): 0.000016
Jan 12 21:41:01 localhost racoon: alg_oakley_encdef_encrypt(aes klen=256 size=272): 0.000019
Jan 12 21:41:01 localhost racoon: phase2(quick R msg1): 0.005515
Jan 12 21:41:01 localhost racoon: alg_oakley_encdef_decrypt(aes klen=256 size=32): 0.000038
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=37): 0.000030
Jan 12 21:41:01 localhost racoon: oakley_dh_compute(MODP1024): 0.005510
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000024
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000012
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000012
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000013
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000011
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000012
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000013
Jan 12 21:41:01 localhost racoon: alg_oakley_hmacdef_one(hmac_sha1 size=185): 0.000012
Jan 12 21:41:01 localhost racoon: phase2(???): 0.007233
Jan 12 21:41:01 localhost racoon: INFO: IPsec-SA established: ESP/Tunnel 85.xx.xx.xx[4500]->87.xx.xx.xx[4500] spi=167707672(0x9ff0418)
Jan 12 21:41:01 localhost racoon: phase2(quick): 1326400861.204604
Jan 12 21:41:01 localhost racoon: INFO: IPsec-SA established: ESP/Tunnel 87.xx.xx.xx[4500]->85.xx.xx.xx[4500] spi=49697689(0x2f65399)
Jan 12 21:41:01 localhost racoon: ERROR: such policy does not already exist: "192.120.120.120/32[0] 0.0.0.0/0[0] proto=any dir=in"
Jan 12 21:41:01 localhost racoon: ERROR: such policy does not already exist: "192.120.120.120/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Jan 12 21:41:01 localhost racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 192.120.120.120/32[0] proto=any dir=out"
Lots of log, but I don't know what might be important..
OK, now it looks like you have a working IPsec tunnel.
Now we just have to debug why it has no gateway.
what does "route -n" on the racoon server give?
Is it a DNS problem? If you use the IP address in the browser do you get connected?
Can you connect (maybe with PuTTY) to a machine inside your network?
OK, the errors at the end aren't important?
I looked in the routing table; there is no more rule than without the connection. I tried to get onto the server with PuTTY via SSH and onto the web server, both by IP, both with no answer.
The syslog also gave this while I had the VPN connection open:
Jan 12 22:39:39 localhost racoon: ERROR: packet shorter than isakmp header size (5, 4294967295, 28)
Maybe this is relevant..
1. what is the output of "route -n"
2. The Nokia was assigned the IP address 192.120.120.120 in the above logs. Can you try to ping it from the router? What is the output of "traceroute 192.120.120.120"?
route -n gives me:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.0.119.115   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 vlan11
192.120.120.0   0.0.0.0         255.255.255.0   U     0      0        0 vlan1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
vlan1 is the general interface for the internal network, vlan11 is for WLAN to use the VPN, but currently unused.
When I ping I get no answer, not even "Host Unreachable".
Traceroute also doesn't give much:
traceroute to 192.120.120.120 (192.120.120.120), 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Hmm....
Did you add the firewall rules in
http://linuxconnect.blogspot.com/2010/04/iptable-rule-for-allowing-ipsec-traffic.html
If you added the last rule on the page (the one on multiple lines), do you get IPSEC in your log?
I already tried it without these commands; then I get warnings that the port is blocked and I don't get any VPN connection.
I also added the last line, but get no notes about it.
Maybe your firewall rules are blocking IPsec altogether. Try:
iptables --append INPUT --in-interface ppp0 --match policy --pol ipsec --dir in --jump ACCEPT
This should allow any IPsec packets through.
This helped; afterwards I got a log about blocked traffic between ppp0 and ppp0.
Does IPsec bind to ppp0 and no internal interface? OpenVPN uses devices like tun0.
I added the following rules:
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_EXT -s 192.120.120.0/24 -j ACCEPT
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_EXT -d 192.120.120.0/24 -j ACCEPT
Afterwards I got a connection via VPN.
Is this secure to use? Am I allowing traffic from outside to anywhere? Can I mark that these should only be used for IPsec connections?
Thanks..
Yes, you completely disabled your firewall ....
Use --match policy --pol ipsec in your rules instead (the policy match needs a --dir, so in for decapsulated packets and out for packets that will be encapsulated):
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_EXT --match policy --pol ipsec --dir in -j ACCEPT
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_EXT --match policy --pol ipsec --dir out -j ACCEPT
This will only ACCEPT IPsec packets.
After a little modification this worked.
Quite a lot of new information about iptables, thank you.
You're welcome.
Can you share your modifications so that others may benefit from your experience?
Shai Ayal
I just changed some syntax:
iptables -A INPUT -i $IFACE_EXT --match policy --pol ipsec --dir in --jump ACCEPT
iptables -A FORWARD -i $IFACE_EXT --match policy --pol ipsec --dir in --jump ACCEPT
iptables -A FORWARD -o $IFACE_EXT --match policy --pol ipsec --dir out --jump ACCEPT
I also routed the ports again; otherwise I'd need to change the IP address from my provider every 24h in racoon.conf:
iptables -A PREROUTING -t nat -p udp --dport 500 -j DNAT --to 192.120.120.1:500
iptables -A PREROUTING -t nat -p udp --dport 4500 -j DNAT --to 192.120.120.1:4500
A little bit strange, but it works well and I can listen on the internal interface with a static IP.
All other rules are already mentioned on your iptables page.