IpSec Woes.
Felipe Alfaro Solana
lkml at mac.com
Sat Mar 5 20:35:31 UTC 2005
On 5 Mar 2005, at 18:59, Scott Ryan wrote:
> On 4 Mar 2005, at 14:38, Scott Ryan wrote:
>
>> Having followed this documentation over and over again:
>> http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html
>>
>> One machine is FC3 the other RHEL4 (pretty similar)
>>
>> I cannot get these 2 hosts that are on the same network to pass any
>> traffic to each other. I see that the tunnel is established,
>>
>> Mar 4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
>> Mar 4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
>> Mar 4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
>> Mar 4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
>> Mar 4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
>> Mar 4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
>> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
>> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
>> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
>> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
>>
>> but then when I try to connect from one machine to the other i get:
>>
>> # telnet 192.168.0.200 389
>> Trying 192.168.0.200...
>> telnet: connect to address 192.168.0.200: Resource temporarily unavailable
>> telnet: Unable to connect to remote host: Resource temporarily unavailable
>>
>> Is this a bug?
>
>> Yes. The Linux IPSec stack, when instructed to use IKE (racoon), always
>> discards the first IP datagram when initially setting up the IPSEC SA
>> between two hosts. Before telnetting, try first pinging the other peer
>> in order to set the SA up: you'll see the first ICMP Echo Request
>> packet is lost. However, subsequent ICMP Echo Request packets should
>> get delivered properly.
>
> I see that there is an update for ipsec-tools that will make it work
> with the latest kernel. I think that is my problem, but I will only be
> able to test on Monday.
I doubt that it will fix the problem, as ipsec-tools is userspace, but
the problem is related to the kernel itself.
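The racoon output quoted above is the only evidence in this thread that the SAs were actually negotiated, so it is worth reading it mechanically rather than by eye. The following is an added example, not code from the thread or from ipsec-tools: it takes the syslog lines from Scott's post, re-joined onto single lines as constructed sample input, and checks that both AH and ESP transport SAs were logged in both directions between the two peers, flags an SPI whose decimal and hex forms disagree, and notes that phase 1 ran in Aggressive mode. The peer addresses, the regex names and the `RacoonReport` structure are assumptions of the example. It cannot show the first-datagram drop Felipe describes; for that you still need to watch the peer with `ping` and compare against the kernel's own view with `setkey -D`.

```python
"""Parse racoon(8) syslog lines and check SA coverage between two peers.

Added example, not part of the original thread or of ipsec-tools.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: the lines from the original post, unwrapped.
SAMPLE_LOG = """\
Mar 4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
Mar 4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar 4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar 4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar 4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
""".splitlines()

# Phase 1 (ISAKMP) SA: peers plus initiator/responder cookies.
ISAKMP_RE = re.compile(
    r"ISAKMP-SA established (?P<a>[\d.]+)\[\d+\]-(?P<b>[\d.]+)\[\d+\] "
    r"spi:(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})"
)
# Phase 2 (IPsec) SA: one line per protocol per direction.
IPSEC_SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>Transport|Tunnel) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)


@dataclass(frozen=True)
class IpsecSa:
    proto: str  # "AH" or "ESP"
    mode: str   # "Transport" or "Tunnel"
    src: str
    dst: str
    spi: int


@dataclass
class RacoonReport:  # assumed structure, not a racoon data type
    phase1: List[Tuple[str, str]] = field(default_factory=list)
    sas: List[IpsecSa] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def parse_racoon_log(lines) -> RacoonReport:
    """Collect ISAKMP and IPsec SAs from racoon INFO lines."""
    report = RacoonReport()
    for line in lines:
        if "begin Aggressive mode" in line:
            # Aggressive mode with a pre-shared key sends the identity hash
            # before encryption is up, so it is worth flagging in a review.
            report.warnings.append("phase 1 used Aggressive mode")
        m = ISAKMP_RE.search(line)
        if m:
            report.phase1.append((m["a"], m["b"]))
            continue
        m = IPSEC_SA_RE.search(line)
        if m:
            spi = int(m["dec"])
            if spi != int(m["hex"], 16):
                report.warnings.append(f"SPI decimal/hex mismatch: {line}")
            report.sas.append(IpsecSa(m["proto"], m["mode"], m["src"], m["dst"], spi))
    return report


def missing_sas(report, host_a, host_b, protos=("AH", "ESP"), mode="Transport"):
    """Return (proto, src, dst) triples for which no SA was logged.

    An empty list means every protocol has an SA in both directions, which
    is what a working host-to-host setup like the one in the thread needs.
    """
    present = {(sa.proto, sa.src, sa.dst) for sa in report.sas if sa.mode == mode}
    wanted = [(p, s, d) for p in protos for s, d in ((host_a, host_b), (host_b, host_a))]
    return [w for w in wanted if w not in present]


if __name__ == "__main__":
    rep = parse_racoon_log(SAMPLE_LOG)
    print("phase 1:", rep.phase1)
    for sa in rep.sas:
        print(f"  {sa.proto}/{sa.mode} {sa.src}->{sa.dst} spi=0x{sa.spi:x}")
    print("missing:", missing_sas(rep, "192.168.0.200", "192.168.0.203"))
    print("warnings:", rep.warnings)
```

On the sample above the report lists one ISAKMP SA and four IPsec SAs with nothing missing, which matches Felipe's reading that the negotiation itself succeeded. When the log is clean but traffic still fails, compare it with `setkey -D` (the kernel SAD) and `setkey -DP` (the SPD) on both hosts before suspecting racoon.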
More information about the fedora-list mailing list