Saturday, April 23, 2011

Default settings of Windows VPN

In hindsight, the error below was very easy to explain. But when you're confronted with a non-working VPN server, you check every error in the log. Unfortunately, most errors are not self-explanatory, and when you look them up on the internet, nothing can be found.

2011-04-23 11:38:53: [192.168.0.3] ERROR: invalid flag 0x08.

A default configuration in Windows 7 will have the type of VPN set to "automatic". This causes Windows to try each VPN type it supports in turn until it gets a connection. In this case, Windows will first try IKEv2, then PPTP and finally (in this case) IPsec/L2TP. This can also be

If you look this error up in Google, you get exactly 1 result. The result is a message on a board from someone who apparently has the same problem. To me, this seems very strange. As most people will use the automatic setting (since it will work in most cases), almost every racoon log will contain this error... Doesn't anybody care about errors in their logs? Or am I mistaken?

Racoon (IPsec) and Windows 7 VPN

I'm trying to create a VPN server on my Linux From Scratch server using IPsec and L2TP. I would like to log in using only a password, not using certificates.

I'm trying to make this work using ipsec-tools-0.8.0, xl2tpd-1.2.8 and ppp-2.4.5. I want to log in using Windows clients.

My racoon.conf

path pre_shared_key "/usr/local/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        initial_contact on;
        passive off;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

Almost regardless of how you configure racoon, if you create a default VPN connection under Windows 7, you'll find that it does not work and that the log file ends with:

2011-04-23 11:41:49: ERROR: no suitable proposal found.
2011-04-23 11:41:49: [192.168.0.3] ERROR: failed to get valid proposal.
2011-04-23 11:41:49: [192.168.0.3] ERROR: failed to process ph1 packet (side: 1, status: 1).

Apparently, the Windows 7 VPN client uses certificates by default. So if you want to use pre-shared keys for L2TP authentication under Windows, you have to change this explicitly in the properties of your VPN connection (Security -> Advanced Settings -> L2TP -> Use preshared key for authentication). The key should, of course, be the same as the one you have set in (/usr/local/)/etc/racoon/psk.txt.
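As an added illustration (not code from the original posts), here is a small Python triage script for racoon logs that flags the two signatures discussed on this page: the "invalid flag 0x08" line from the first post and the "no suitable proposal found" lines from this one. The log line format and the per-peer grouping are my assumptions; the sample lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict
# Assumed racoon line format: 'YYYY-MM-DD HH:MM:SS: [peer] LEVEL: message';
# the '[peer]' part is missing on some lines (as in the second quote above).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Signature -> explanation, both from the posts: racoon speaks IKEv1 only, so a
# Windows client on VPN type 'Automatic' probing IKEv2 first trips the flag check;
# a client left on certificate authentication never matches a pre_shared_key proposal.
SIGNATURES = [
    (re.compile(r"invalid flag 0x08"),
     "IKEv2 probe from a Windows 'Automatic' VPN client; harmless to IKEv1-only racoon"),
    (re.compile(r"no suitable proposal found|failed to get valid proposal"),
     "phase 1 proposal mismatch; client probably set to certificates, not a pre-shared key"),
]

def parse_line(line):
    """Return the fields of a well-formed racoon log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Count known ERROR signatures per peer as {peer: {explanation: count}}.
    Peerless lines go under 'unknown'; non-errors and unknown errors are skipped."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERROR":
            continue
        for pattern, explanation in SIGNATURES:
            if pattern.search(rec["msg"]):
                report[rec["peer"] or "unknown"][explanation] += 1
                break  # one explanation per line
    return {peer: dict(hits) for peer, hits in report.items()}

# Constructed sample modelled on the lines quoted in the two posts.
SAMPLE_LOG = """\
2011-04-23 11:38:53: [192.168.0.3] ERROR: invalid flag 0x08.
2011-04-23 11:41:49: ERROR: no suitable proposal found.
2011-04-23 11:41:49: [192.168.0.3] ERROR: failed to get valid proposal.
2011-04-23 11:41:49: [192.168.0.3] ERROR: failed to process ph1 packet (side: 1, status: 1).
2011-04-23 11:41:50: [192.168.0.3] INFO: respond new phase 1 negotiation
""".splitlines()

if __name__ == "__main__":
    for peer, hits in triage(SAMPLE_LOG).items():
        print(peer, hits)
```

Running it on a real log shows at a glance which peers are only IKEv2 probes from "Automatic" clients and which ones actually have a proposal mismatch worth fixing.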

Welcome to my blog.

As a hobby, I'm always experimenting with computer stuff. I'm fiddling with a Linux From Scratch machine, an A.C. Ryan PlayonHD (don't buy it!) and my Windows domain, on which I try to configure web servers, IMAP servers, VPN, cross-compiling, etc. I'm not easily satisfied with solutions that just work; I'm interested in the details. In most of these situations, this leads to frustration about errors that occur, for which even the Internets do not seem to have an answer. This builds up to (and beyond) the point where I think: "Isn't a hobby supposed to be fun?". That's why I decided to post my experiences on a blog, so that at least I can remember my own solutions when I encounter the same error again, and, as a bonus, I hope to help others.