racoon ipsec <-> zywall 5, long

Mato Gajdos mato at d15.sk
Thursday July 10 12:39:53 CEST 2008


Good day,

I'm trying to get an IPsec VPN working, unsuccessfully.

Situation:

[client] <--> [GWC] <-- internet --> [ADSL] <--> [ZyWall5] <--> [target LAN]

client: 192.168.0.10, gentoo linux 2.6.25-gentoo-r6, ipsec-tools-0.6.7
GWC: NAT GW. WAN IP: CG.CG.CG.CG, forwards UDP 500 and 4500 to client
ADSL: WAN IP: SG.SG.SG.SG, forwards 500 to ZyWall
target LAN: 192.168.100.0/24

After starting racoon and pinging a host in the target LAN, the racoon log
looks like this:

2008-07-10 12:01:35: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
2008-07-10 12:01:35: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
2008-07-10 12:01:35: INFO: 192.168.0.10[500] used as isakmp port (fd=6)
2008-07-10 12:01:35: INFO: 192.168.0.10[500] used for NAT-T
2008-07-10 12:01:35: INFO: 192.168.0.10[4500] used as isakmp port (fd=7)
2008-07-10 12:01:35: INFO: 192.168.0.10[4500] used for NAT-T
2008-07-10 12:01:47: INFO: IPsec-SA request for SG.SG.SG.SG queued due to no phase1 found.
2008-07-10 12:01:47: INFO: initiate new phase 1 negotiation: 192.168.0.10[500]<=>SG.SG.SG.SG[500]
2008-07-10 12:01:47: INFO: begin Aggressive mode.
2008-07-10 12:01:48: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2008-07-10 12:01:48: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
2008-07-10 12:01:48: INFO: Hashing 192.168.0.10[500] with algo #1
2008-07-10 12:01:48: INFO: NAT-D payload #-1 doesn't match
2008-07-10 12:01:48: INFO: Hashing SG.SG.SG.SG[500] with algo #1
2008-07-10 12:01:48: INFO: NAT-D payload #0 doesn't match
2008-07-10 12:01:48: INFO: NAT detected: ME PEER
2008-07-10 12:01:48: INFO: KA list add: 192.168.0.10[500]->SG.SG.SG.SG[500]
2008-07-10 12:01:48: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2008-07-10 12:01:48: INFO: Adding remote and local NAT-D payloads.
2008-07-10 12:01:48: INFO: Hashing SG.SG.SG.SG[500] with algo #1
2008-07-10 12:01:48: INFO: Hashing 192.168.0.10[500] with algo #1
2008-07-10 12:01:48: INFO: ISAKMP-SA established 192.168.0.10[500]-SG.SG.SG.SG[500] spi:a711d657e0928c96:b8cb97467d024f0d
2008-07-10 12:01:48: INFO: initiate new phase 2 negotiation: 192.168.0.10[500]<=>SG.SG.SG.SG[500]
2008-07-10 12:01:48: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2008-07-10 12:01:49: WARNING: attribute has been modified.
2008-07-10 12:01:49: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-10 12:01:49: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel SG.SG.SG.SG[0]->192.168.0.10[0] spi=77699812(0x4a19ae4)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.10[0]->SG.SG.SG.SG[0] spi=3670754123(0xdacb434b)

Does anyone knowledgeable see a fundamental problem there? Judging by the
last two lines I'm convinced the connection succeeded. Though I'm not
100% convinced :-).

Tcpdump on [GWC] shows this:
(establishment)
12:01:48.008203 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 1 I agg
12:01:48.755760 IP SG.SG.SG.SG.500 > CG.CG.CG.CG.500: isakmp: phase 1 R agg
12:01:48.780412 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 1 I agg
12:01:48.781367 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I inf[E]
12:01:48.793385 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I oakley-quick[E]
12:01:49.538332 IP SG.SG.SG.SG.500 > CG.CG.CG.CG.500: isakmp: phase 2/others R oakley-quick[E]
12:01:49.540478 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others I oakley-quick[E]
12:01:49.562731 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #246[EC]
12:01:50.562247 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #125[C]
12:01:55.562376 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: [|isakmp]

(ping of a host in the target LAN)
12:02:05.763689 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #80[E]
12:02:06.763675 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #156[C]
12:02:13.870675 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #177[E]
12:02:14.869877 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #50[]
12:02:15.562872 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: [|isakmp]
12:02:15.869885 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #140[EC]
12:02:16.869908 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #214[E]
12:02:17.869943 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #42[]
12:02:18.869975 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #23[C]
12:02:19.869996 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #196[E]
12:02:20.870014 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #206[EC]
12:02:21.870045 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #41[EC]
12:02:22.870082 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #212[E]
12:02:23.870081 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #181[EC]
12:02:24.870151 IP CG.CG.CG.CG.500 > SG.SG.SG.SG.500: isakmp: phase 2/others ? #138[C]

Here I clearly see that packets go only in one direction; nothing comes
from the other side. I have no idea where the catch is.

racoon configuration:

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
  isakmp_natt 192.168.0.10[4500];
  isakmp 192.168.0.10[500];
}

padding {
  maximum_length 20;
  randomize off;
  strict_check off;
  exclusive_tail off;
}

timer {
  counter 5;
  interval 20 sec;
  persend 1;
  phase1 30 sec;
  phase2 30 sec;
  natt_keepalive 10 sec;
}

remote SG.SG.SG.SG {
  exchange_mode aggressive;
  proposal_check obey;
  initial_contact on;
  nat_traversal on;
  my_identifier fqdn "aaaaaaaaaaaaaaaaaa";
  peers_identifier fqdn "bbbbbbbbbbbbbbbbbb";
  nonce_size 16;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;
    lifetime time 28800 sec;
  }
}

sainfo address 192.168.0.10/32 any address 192.168.100.0/24 any {
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
  pfs_group modp1024;
}

I assume there's not much that can go wrong in psk.txt, but just in case,
it looks like this:
SG.SG.SG.SG        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
where xxxx is the preshared key.

Does anyone have an idea what to do?

BTW, from Windows it works OK. Same machine (notebook). The only difference
I found in tcpdump is in the flags of the UDP packet: when going from Linux
it has DF set, in the Windows case there is nothing there [none].

Regards,
Matej Gajdos
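As an added diagnostic example (not from the post, nor code from the racoon project): a small Python script that parses the racoon log lines quoted above and reports whether the NAT detection and the final ESP encapsulation mode agree, which is the first thing to check when traffic only flows one way through two NATs. It assumes only the log format shown in the post; the sample lines are copied from it, with the poster's own SG.SG.SG.SG placeholder.

```python
import re

# Constructed sample: racoon log lines copied from the post (the peer address
# SG.SG.SG.SG is the poster's own placeholder and is kept as-is).
SAMPLE_LOG = """\
2008-07-10 12:01:48: INFO: NAT detected: ME PEER
2008-07-10 12:01:48: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->61443).
2008-07-10 12:01:49: WARNING: attribute has been modified.
2008-07-10 12:01:49: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
2008-07-10 12:01:49: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel SG.SG.SG.SG[0]->192.168.0.10[0] spi=77699812(0x4a19ae4)
2008-07-10 12:01:49: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.10[0]->SG.SG.SG.SG[0] spi=3670754123(0xdacb434b)
"""

NAT_RE = re.compile(r"NAT detected: (.+)$")  # which sides sit behind NAT: ME and/or PEER
ADJ_RE = re.compile(r"Adjusting (my|peer's) encmode (\S+?)(?:\(\d+\))?->(\S+?)(?:\(\d+\))?$")
SA_RE = re.compile(r"IPsec-SA established: ESP/(\S+) (\S+)->(\S+) spi=")

def analyse_racoon_log(text):
    """Compare NAT detection with the encapsulation mode of the final ESP SAs."""
    nat_sides, adjustments, sas = set(), [], []
    for line in text.splitlines():
        if m := NAT_RE.search(line):
            nat_sides.update(m.group(1).split())
        elif m := ADJ_RE.search(line):
            adjustments.append((m.group(1), m.group(2), m.group(3)))
        elif m := SA_RE.search(line):
            sas.append({"mode": m.group(1), "src": m.group(2), "dst": m.group(3)})
    modes = sorted({sa["mode"] for sa in sas})
    findings = []
    for who, old, new in adjustments:
        if old.startswith("UDP-") and not new.startswith("UDP-"):
            findings.append(f"{who} encmode changed {old}->{new}: UDP encapsulation "
                            "was proposed but not kept")
    if nat_sides and sas and "UDP-Tunnel" not in modes:
        findings.append("NAT on " + ",".join(sorted(nat_sides)) + " but the SAs are plain "
                        "ESP/Tunnel: raw ESP (IP protocol 50), not UDP, must cross the NAT(s)")
    return {"nat_sides": sorted(nat_sides), "esp_modes": modes,
            "sa_count": len(sas), "findings": findings}

def required_nat_passthrough(modes):
    """What every NAT on the path must forward for the negotiated mode(s).
    RFC 3947 NAT-T floats to udp/4500; the -00 draft seen in the post stays on udp/500."""
    needed = {"udp/500"}
    for mode in modes:
        needed.add("udp/4500" if mode.startswith("UDP-") else "ip-proto/50 (ESP)")
    return sorted(needed)

if __name__ == "__main__":
    result = analyse_racoon_log(SAMPLE_LOG)
    for finding in result["findings"]:
        print("finding:", finding)
    print("each NAT must pass:", required_nat_passthrough(result["esp_modes"]))
```

Running it on the post's lines reports that both sides are behind NAT while both SAs ended up as plain ESP/Tunnel, so a UDP 500/4500 port forward alone does not carry the tunnel traffic.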
