# Racoon & IPsec Problems

## Aurora

I'm trying to get this IPsec thing working...I've been working on it for a while now and have not been able to get it working.

My setup:

Windows XP Laptop (running Cisco VPN Client 4.03) ----> Wireless (unsecure) Net Connection @ University ---- (Internet) ---- < Gentoo Box with 2.6 Kernel + Racoon ---- Home Network

Obviously I'm trying to SSH from the WiFi network at my university to my house -- for a variety of reasons, really.  (beyond the scope of this thread  :Wink: )

I try to connect, and racoon does not allow the connection.

Here are the errors, found in my /var/log/everything/current file:

*Quote:*

```
Feb  5 18:50:32 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.103[500]<=>192.168.1.101[500]
Feb  5 18:50:32 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
Feb  5 18:50:32 [racoon] ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
...
```

What bothers me the most is the fact that it says "invalid auth method 65005"...what in the world!?

I've followed two fairly in-depth HowTos to the T!

I still can't get it!   :Sad: 

Help please!    :Sad: 

----------

## Aurora

Anybody have any ideas on how to help me out?

----------

## Aurora

...well, maybe nobody knows the answer to my question.

Are there any ideas on where I *could* get an answer?

----------

## Raffi

Well, I don't have any specifics for your situation (I was kind of hoping to find some information on setting up IPsec with 2.6.x), but I have set up VPNs between Win2k and Linux FreeS/WAN.

Is there any particular reason you are using the Cisco client instead of the Windows built-in IPsec? From what I have seen of the Cisco client you are using, it expects the server to do a lot more than I was aware of the Linux server being able to do.

----------

## Aurora

Well...I already had the Cisco client on the computer  :Wink: 

I've spent countless hours over the past few weeks trying to get this to work.  I've finally broken down and started trying to get l2tpd to work so that I can use the standard Windows client...

btw, one other reason that I wanted to use a non-M$ client is that M$ requires L2TP over IPsec...  I wanted just a plain IPsec connection.

I guess beggars can't be choosers.

One thing is for sure...  If I get this working, I'm going to write a How To so that other people interested in doing this won't have to suffer like me  :Wink: 

btw, if you're getting started on IPsec in 2.6, you should visit the following website:

http://www.ipsec-howto.org

And download the IPsec tools (IKE daemon, etc.):

http://ipsec-tools.sourceforge.net

 :Smile: 

Good luck.

----------

## Raffi

*Aurora wrote:*

> btw, one other reason that I wanted to use a non-M$ client is that M$ requires L2TP over IPsec...  I wanted just a plain IPsec connection.

Well since I did not know what l2tp was until I just looked it up, I think you might be mistaken on needing that in order to talk between the windows client and Linux.

Configuring the Windows side was painful, but you can get FreeS/WAN and the native Windows client to talk using pre-shared keys. I have not tried other authentication methods, so I don't know what else is possible.

I have been searching around and it looks like FreeS/WAN can be made to work with 2.6.x, but nothing in portage is currently set up to do it. I'm in the process of switching to 2.6, so this may be slowing down the move on some of my machines. I have too many other things on my plate at the moment to start hacking ebuilds.   :Very Happy: 

*Aurora wrote:*

> One thing is for sure...  If I get this working, I'm going to write a How To so that other people interested in doing this won't have to suffer like me 

That's a good idea. I know too often when I get something figured out I just move on instead of contributing back. Good thing everyone does not work that way.

*Aurora wrote:*

> btw, if you're getting started on IPsec in 2.6, you should visit the following website:
>
> http://www.ipsec-howto.org
> ...

I have been there. That's when I decided I would slow down my 2.6 migration until I had a bit more time on my hands.  :Wink: 

----------

## Aurora

...man.

Talk about utter frustration.  I've read every How To I can get my hands on three times over, some of which were very long, and nothing is working...

I just installed the l2tp daemon, and I figured everything would work.  Nope...no go.

Sniffing the packets didn't reveal anything either.

I'm about to give up.  I don't know what else to do.  This was all an experiment to see if I could get it working (and I would have loved to have done it!) but I've really hit a brick wall on this one.

Sad.    :Confused: 

Good luck with whatever you decide to do, Raffi.

----------

## Raffi

*Aurora wrote:*

> I'm about to give up.  I don't know what else to do.  This was all an experiment to see if I could get it working (and I would have loved to have done it!) but I've really hit a brick wall on this one.
>
> Sad.
> ...

So do you need 2.6 or just ipsec?

Here's what I did on the FreeS/WAN side.

In the ipsec.conf file I have something like:

```
conn win2k-to-linux-nsa
    # win2k side
    left=ip of win box
    leftnexthop=windows gateway ip
    # linux side
    right=ip of linux box
    rightnexthop=linux gateway ip
    rightsubnet=linux inside subnet (delete line if host to host)
    auto=add
    keyexchange=ike
    pfs=yes
    lifetime=1h
    authby=secret
```

In the ipsec.secrets file I have something like:

```
windows.ip linux.ip : PSK "some key to share"
```

If you understand the Windows native IPsec setup, the values in the above config file will tell you everything you need to set up that side. If you don't understand the Windows side, prepare for pain (and A LOT of dialog boxes) as you try to work your way through it.

I can try to point you to some information on the Windows side if you need it (though I'd prefer to continue to suppress the memory  :Wink: )

----------

## Aurora

I tried configuring an "IPsec server" running Windows 2003 before on a computer.  Oh man...even with a M$ "walkthrough" at hand, it was insanely crazy...

I couldn't believe it.  racoon is hard to set up, but Windows IPsec setup is INSANELY hard.

I don't need 2.6...but I'd think it would be kinda a pain to go back to 2.4  :Wink: 

I hear FreeS/WAN works great.  However, I have yet to read that someone has really not had many problems with the 2.6 kernel and the racoon daemon.

btw, can't blame you for trying to suppress the memories  :Wink: 

----------

## flickerfly

Any reason you didn't consider OpenVPN?

----------

## Aurora

Yes.  I wanted a standard.  I know it sounds cliché, but there are certain reasons why I am so intent on standards...

Actually, if I were to select something *not* standard, I'd probably just use the PPTP client which MS has built into XP.  However, the most secure form of VPN I am aware of is IPsec, and that's why I wanted to get it to work...

Actually, it's *still* not working.  I am not sure why.  I even tried FreeS/WAN, and nothing worked...

I think it's an ID10T error  :Wink:   I'm still learning...but it's a bunch of complicated material to master.

----------

## flickerfly

*Aurora wrote:*

> I think it's an ID10T error   I'm still learning...but it's a bunch of complicated material to master.

I am supremely familiar with that feeling. The horrible part is it usually comes down to some trivial settings, but being able to explain why those settings work and others don't when you have done a full month of learning about a problem is certainly a good feeling. The Holy Grail of the Geek perhaps?

----------

## stream

Hi Aurora,

I have exactly the same problem:

invalid auth method 65005

How did you solve the problem?

----------

## Aurora

*stream wrote:*

> Hi Aurora,
>
> I have exactly the same problem:
>
> invalid auth method 65005
> ...

I didn't.

I worked to fix it for weeks and weeks and eventually gave up. Really a shame...I'd take another crack at it but I really don't have the time to play with it right now with exams rollin' up soon at my university.

Sorry to be the bearer of bad news.  :Sad: 

Let me know if you make any progress.

(btw, the racoon mailing list was pretty useless on the topic)

----------

## stream

did you use x509 certs or preshared keys?

----------

## Aurora

*stream wrote:*

> did you use x509 certs or preshared keys?

I actually tried both, although my main attempt was to get the whole thing to work using x509 certificates...

I know I created the certificates correctly.

You know, now that I come to think about it, I believe that the problem might have been my client setup.  I was using SSH Sentinel (the latest version -- I actually bought it and paid for it while I was using Windows XP).  It was a difficult client to set up because it was so powerful and had so many options.

I actually at one point installed Astaro Linux (www.astaro.com).  It's a commercial Linux product which turned any box you installed it on into a router/VPN host/etc.  For home use it's free.  Even then, following all the instructions which the company provided for setting up the VPN client to work with the VPN host, it didn't work...

That makes me believe that, instead of the problem being on the server end, it was on the client end.

I'm not sure, though.

What have you tried thus far?

----------

## stream

I am using x509 certs 

On the client I use Windows xp

I have tried the following ipsec Clients:

- http://vpn.ebootis.de/

- Cisco VPN Client

----------

## Aurora

*stream wrote:*

> I am using x509 certs
>
> On the client I use Windows xp
>
> I have tried the following ipsec Clients:
> ...

The Cisco VPN client will, with 95% probability, not work.  It uses Cisco's proprietary XAUTH system, while Racoon's IKE daemon does not.
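As an added example (not posted by anyone in this thread), here is a small Python triage script that parses racoon log lines like the ones quoted at the top of the thread and decodes the authentication-method attribute that racoon rejected. Value 65005 sits in the range the XAUTH draft assigns to XAUTHInitRSA, which ties the "invalid auth method 65005" error to the XAUTH remark above. The regular expressions assume racoon's usual syslog layout, and the sample log lines are constructed to mirror the quoted ones.

```python
import re
# Authentication Method attribute values from RFC 2409 Appendix A (class 3).
STANDARD_AUTH = {1: "pre-shared key", 2: "DSS signatures", 3: "RSA signatures",
                 4: "RSA encryption", 5: "revised RSA encryption"}
# Values used by draft-beaulieu-ike-xauth (65001-65010) and draft-ietf-ipsec-isakmp-hybrid-auth.
EXTENDED_AUTH = {65001: "XAUTHInitPreShared", 65002: "XAUTHRespPreShared", 65003: "XAUTHInitDSS",
                 65004: "XAUTHRespDSS", 65005: "XAUTHInitRSA", 65006: "XAUTHRespRSA",
                 65007: "XAUTHInitRSAEncryption", 65008: "XAUTHRespRSAEncryption",
                 65009: "XAUTHInitRSARevisedEncryption", 65010: "XAUTHRespRSARevisedEncryption",
                 64221: "HybridInitRSA", 64222: "HybridRespRSA", 64223: "HybridInitDSS", 64224: "HybridRespDSS"}

# Assumed racoon syslog layout: "<timestamp> [racoon] <LEVEL>: <file>:<line>:<function>(): <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \[racoon\] (?P<level>\w+): "
                     r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$")
PEER_RE = re.compile(r"(\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")  # local[port]<=>remote[port]
AUTH_RE = re.compile(r"invalid auth method (\d+)")

def describe_auth_method(value):
    """Name an ISAKMP auth-method attribute value and say where it is defined."""
    if value in STANDARD_AUTH:
        return f"{STANDARD_AUTH[value]} (RFC 2409)"
    if value in EXTENDED_AUTH:
        return f"{EXTENDED_AUTH[value]} (XAUTH/Hybrid draft value; peer wants extended authentication)"
    if 65001 <= value <= 65535:
        return "unknown private-use value"
    return "unassigned value"

def triage(log_text):
    """Pair each 'invalid auth method' error with the remote peer whose phase 1 proposal caused it."""
    remote, findings = None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a racoon line
        peers = PEER_RE.search(m["msg"])
        if peers:
            remote = peers.group(3)  # isakmp_ph1begin_r() logs local<=>remote
        err = AUTH_RE.search(m["msg"])
        if err and m["level"] == "ERROR":
            value = int(err.group(1))
            findings.append({"remote": remote, "auth_method": value,
                             "meaning": describe_auth_method(value)})
    return findings
# Constructed sample log, mirroring the lines quoted at the top of the thread.
SAMPLE_LOG = """\
Feb  5 18:50:32 [racoon] INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.1.103[500]<=>192.168.1.101[500]
Feb  5 18:50:32 [racoon] INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
Feb  5 18:50:32 [racoon] ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
"""
```

Calling `triage(SAMPLE_LOG)` returns a single finding: peer 192.168.1.101 proposed auth method 65005, decoded as XAUTHInitRSA, so the rejection comes from the client asking for an authentication method the daemon does not offer rather than from a bad certificate or key.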

----------

