www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
L2TP IPSEC vs Windows 8 client: "Such policy does not e

gordonf



Joined: 26 Feb 2012
Posts: 86

PostPosted: Fri Aug 29, 2014 1:57 pm    Post subject: L2TP IPSEC vs Windows 8 client: "Such policy does not e Reply with quote

I went to an old post that described how to modify racoon.conf to accommodate a Vista client, notably:

Code:
/etc/racoon.conf
path certificate "/etc/ssl/certs/trusted_CAs/";

remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    certificate_type x509 "/var/register/system/ipsec/TLS/cert.pem" "/var/register/system/ipsec/TLS/key.pem";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal_check obey;
    nat_traversal <xvar>;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;          # Changed from md5
        authentication_method rsasig;
        dh_group modp2048;            # Changed from modp1024
    }
}

sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm aes;             # changed from 3des
    authentication_algorithm hmac_sha1;   # changed from hmac_md5
    compression_algorithm deflate;
}


Note the changes: The remote proposal was changed to use SHA1 and DH group MODP2048, and the sainfo settings were changed to use AES and HMAC_SHA1.

This works but I then get a new problem: I first see something like this:

Code:
INFO: no policy found, try to generate the policy: 192.168.0.81[1701] (external.ip)[1701] proto=udp dir=in
(and it shows the IPSEC-SA is established, but then I get)
Code:
ERROR: such policy does not exist: "192.168.0.81[1701] (external.ip)[1701) proto=udp dir=in
ERROR: such policy does not exist: "(external.ip)[1701] 192.168.0.81[1701) proto=udp dir=out

...and then it drops the connection.

Because modifying racoon.conf doesn't hold between reboots according to the original Vista-related post, I'd like to try to modify the Win8 client to use the protocols enabled in Zeroshell.

But even if I have to somehow change racoon.conf (which I can do post-boot if needed), what policy or step am I missing to fix the error "such policy does not exist"? Note that my LAN network is not 192.168.0.0/24, but is instead 192.168.1.0/24. And it appears that's the private IP of the client, which is on a different ISP from my L2TP server. I probably don't have IPSEC pass-through enabled at the client end's router...
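As an added example (not part of the original post or of Zeroshell), the script below correlates racoon's "no policy found, try to generate the policy" lines with the later "such policy does not exist" errors over constructed sample log lines, so you can see which selectors the generate_policy mechanism tried and failed to install, and which (typically the dir=out reverse entry) it never attempted. It also emits the equivalent static setkey spdadd line for each failed selector, assuming transport-mode ESP as L2TP/IPsec clients negotiate; compare those against the live SPD from setkey -DP before deciding racoon.conf is at fault.

```python
import re

# Constructed sample modelled on the lines quoted in the post; not a real capture.
# 192.168.0.81 is the client's private address seen behind its NAT router.
SAMPLE_LOG = """\
INFO: ISAKMP-SA established 203.0.113.10[4500]-198.51.100.7[4500]
INFO: no policy found, try to generate the policy: 192.168.0.81[1701] 203.0.113.10[1701] proto=udp dir=in
INFO: IPsec-SA established: ESP/Transport 203.0.113.10[4500]->198.51.100.7[4500]
ERROR: such policy does not exist: "192.168.0.81[1701] 203.0.113.10[1701] proto=udp dir=in
ERROR: such policy does not exist: "203.0.113.10[1701] 192.168.0.81[1701] proto=udp dir=out
"""

# The closing bracket accepts ')' as well, because hand-copied racoon lines
# (as in the post) sometimes mix ']' and ')'.
_POLICY_RE = re.compile(
    r'(?P<kind>no policy found, try to generate the policy|such policy does not exist)'
    r':\s*"?(?P<src>\S+?)\[(?P<sport>\d+)[\])]\s+(?P<dst>\S+?)\[(?P<dport>\d+)[\])]'
    r'\s+proto=(?P<proto>\w+)\s+dir=(?P<dir>in|out)'
)


def parse_policy_events(log_text):
    """Return [(kind, selector)] for every policy-related racoon line."""
    events = []
    for line in log_text.splitlines():
        m = _POLICY_RE.search(line)
        if not m:
            continue
        sel = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"], m["dir"])
        events.append(("generated" if m["kind"].startswith("no policy") else "missing", sel))
    return events


def find_policy_failures(log_text):
    """Flag each 'such policy does not exist' selector, noting whether racoon
    had earlier tried to auto-generate it (generate_policy on)."""
    generated, failures = set(), []
    for kind, sel in parse_policy_events(log_text):
        if kind == "generated":
            generated.add(sel)
        else:
            failures.append({"selector": sel, "was_generated": sel in generated})
    return failures


def to_spdadd(sel):
    """Static setkey SPD entry equivalent to the selector (transport-mode ESP assumed)."""
    src, sport, dst, dport, proto, direction = sel
    return f"spdadd {src}[{sport}] {dst}[{dport}] {proto} -P {direction} ipsec esp/transport//require;"


if __name__ == "__main__":
    for f in find_policy_failures(SAMPLE_LOG):
        print("generated" if f["was_generated"] else "never generated", to_spdadd(f["selector"]))
```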