Racoon Roadwarrior Configuration

Discussion in 'HOWTO-Related Questions' started by marwooj, Feb 15, 2008.

  1. marwooj

    marwooj New Member

    Whenever I try:
    racoonctl vc -u user my.ip
    I am getting:
    send: Bad file descriptor
    What could be the problem?
     
  2. falko

    falko Super Moderator

    What's in your /etc/racoon/racoon.conf?
     
  3. marwooj

    marwooj New Member

    Hi,
    There is :



    log debug;
    path certificate "/etc/racoon";

    listen {
    adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
    }

    remote XX.XX.XXX.XXX {
    exchange_mode aggressive;
    ca_type x509 "cacert.pem";
    proposal_check strict;
    nat_traversal on;
    verify_cert off;
    ike_frag on;
    mode_cfg on;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;
    passive off;
    proposal {
    encryption_algorithm aes;
    hash_algorithm md5;
    authentication_method hybrid_rsa_client;
    dh_group 2;
    }
    }


    sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
    }
     
    Last edited: Feb 20, 2008
  4. falko

    falko Super Moderator

    What are the outputs of
    Code:
    ls -l /var/racoon/racoon.sock
    ls -l /etc/racoon/phase1-up.sh
    ls -l /etc/racoon/phase1-down.sh
    ls -la /etc/racoon
    ?
     
  5. marwooj

    marwooj New Member

    Hi,
    That would be

    srw-rw---- 1 root operator 0 2008-02-20 21:14 racoon.sock

    -rwxr-xr-x 1 root operator 2101 2006-09-30 23:22 /etc/racoon/phase1-up.sh

    -rwxr-xr-x 1 root operator 1926 2006-09-30 23:22 /etc/racoon/phase1-down.sh


    drwxr-xr-x 2 root root 4096 2008-02-20 20:16 .
    drwxr-xr-x 148 root root 12288 2008-02-20 19:11 ..
    -rw-r--r-- 1 root operator 1180 2008-02-20 20:16 cacert.pem
    -rwxr-xr-x 1 root operator 1926 2006-09-30 23:22 phase1-down.sh
    -rwxr-xr-x 1 root operator 2101 2006-09-30 23:22 phase1-up.sh
    -rw------- 1 root root 275 2007-07-19 19:03 psk.txt
    -rw-r--r-- 1 root operator 807 2008-02-20 20:17 racoon.conf
    -rw-r--r-- 1 root root 1000 2007-07-19 19:03 racoon-tool.conf
     
  6. falko

    falko Super Moderator

    Can you try this?
    Code:
    chmod 666 /var/racoon/racoon.sock
     
  7. marwooj

    marwooj New Member


    It does not help, even user root is getting this
    send: Bad file descriptor
     
  8. marwooj

    marwooj New Member

    more symptoms:
    root@desktop:/etc/racoon# racoonctl show-event
    send: Bad file descriptor
    root@desktop:/etc/racoon# racoonctl reload-config
    send: Bad file descriptor
     
  9. marwooj

    marwooj New Member

    I have changed my conf to:
    adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;

    and connection works fine, so the problem was with directory permissions

    Now I howe some routing/netfilter problems - I can ping everything in local nad remote lan, i have TCP to local lan and only too racoon gateway(it is also router and firewall of remote lan in one box), but nothing else :-(. I will try to resolve it now
     
  10. pixel.hu

    pixel.hu New Member

    certificate problem

    Hi!

    I get the following error and I can't google up anything that
    works...

    ***
    [root@mail1 Templates]# openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
    error on line -1 of ./openssl.cnf
    31310:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('./openssl.cnf','rb')
    31310:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
    31310:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
    ***

    I run it as root, so I dont think there are permission problems.

    I tried it on ubuntu 8.04 and fedora 10, but i get the very same error...

    Yours sincererly

    Laszlo Balogh
     
  11. falko

    falko Super Moderator

    What's in ./openssl.cnf?
     
  12. pixel.hu

    pixel.hu New Member

    openssl.cnf

    Hi!

    Nothing. I don't even have a file like that. I mean the howto didn't specify from which folder I should run the command, so i ran it from /etc/racoon and from other places too. (the howto mentioned openssl.conf i tried that too)

    But #locate openssl.conf only gives this one answer

    /var/lib/dpkg/info/openssl.conffiles

    After a bit of browsing i found openssl.cnf in /etc/ssl, and it indeed has a
    few parts i think should work. Pasting them now:

    .......

    [ req ]
    default_bits = 1024
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    attributes = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert

    .....

    [ v3_ca ]

    # Extensions for a typical CA

    # PKIX recommendation.

    subjectKeyIdentifier=hash

    authorityKeyIdentifier=keyid:always,issuer:always

    # This is what PKIX recommends but some broken software chokes on critical
    # extensions.
    #basicConstraints = critical,CA:true
    # So we do this instead.
    basicConstraints = CA:true

    # Key usage: this is typical for a CA certificate. However since it will
    # prevent it being used as an test self-signed certificate it is best
    # left out by default.
    # keyUsage = cRLSign, keyCertSign

    # Some might want this also
    # nsCertType = sslCA, emailCA

    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy

    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF

    [ crl_ext ]

    .........


    So i think i am missing something, but i don't know where i make that mistake.

    Thx

    Laszlo Balogh
     
  13. topdog

    topdog HowtoForge Supporter

    This is how to call the command.

    Code:
    openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf
    and the privateKey directory needs to exist in your pwd.
     
  14. pixel.hu

    pixel.hu New Member

    finished at last

    Hi there!

    Thx for all the help!

    I finally finished.

    I had to create a few directories and move around a few files, but it is done.

    Last it asked for a serial file. I just created one empty serial file,
    and wrote random numbers in one line into it. It swallowed it.

    Now if I can only get shorewall tunelling done it ll work.

    Thx a lot

    Laszlo Balogh
     

Share This Page