IPSec Woes...

Felipe Alfaro Solana lkml at mac.com
Sat Mar 5 17:07:01 UTC 2005


On 4 Mar 2005, at 14:38, Scott Ryan wrote:

> Having followed this documentation over and over again:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html
>
> One machine is FC3, the other RHEL4 (pretty similar).
>
> I cannot get these 2 hosts that are on the same network to pass any traffic to
> each other. I see that the tunnel is established,
>
> Mar  4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
> Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
> Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
> Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
> Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
>
> but then when I try to connect from one machine to the other I get:
>
> # telnet 192.168.0.200 389
> Trying 192.168.0.200...
> telnet: connect to address 192.168.0.200: Resource temporarily unavailable
> telnet: Unable to connect to remote host: Resource temporarily unavailable
>
> Is this a bug?

Yes. The Linux IPSec stack, when instructed to use IKE (racoon), always
discards the first IP datagram when initially setting up the IPSEC SA
between two hosts. Before telnetting, try first pinging the other peer
in order to set the SA up: you'll see the first ICMP Echo Request
packet is lost. However, subsequent ICMP Echo Request packets should
get delivered properly.
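One way to make the "is the tunnel actually up?" check mechanical, as an added example that is not part of this thread: a small Python parser for racoon's syslog lines (the sample is the log quoted above, joined back into single lines) that confirms the ISAKMP SA, checks that AH/ESP child SAs exist in both directions, and surfaces NOTIFY lines such as the pre-shared-key lookup fallback. The regexes are written against the log format shown in the mail and are an assumption for other racoon versions.

```python
import re

# Constructed sample: the racoon lines quoted in the mail, joined back into one line each.
SAMPLE_LOG = """\
Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
"""

# Patterns derived from the log lines above (assumed stable for this racoon build).
ISAKMP_RE = re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\] spi:(\w+):(\w+)")
IPSEC_RE = re.compile(r"IPsec-SA established: (AH|ESP)/(\w+) ([\d.]+)->([\d.]+) spi=(\d+)\(0x([0-9a-f]+)\)")
NOTIFY_RE = re.compile(r"racoon: NOTIFY: (.*)$")

def parse_racoon_log(log_text):
    """Collect phase 1 peers, phase 2 child SAs and NOTIFY lines from racoon syslog output."""
    state = {"isakmp": [], "ipsec": {}, "notify": [], "aggressive": False}
    for line in log_text.splitlines():
        if "begin Aggressive mode" in line:
            state["aggressive"] = True  # worth flagging: weaker identity protection than Main mode
        m = ISAKMP_RE.search(line)
        if m:
            state["isakmp"].append((m.group(1), m.group(2)))
            continue
        m = IPSEC_RE.search(line)
        if m:
            proto, mode, src, dst, spi_dec, spi_hex = m.groups()
            if int(spi_dec) != int(spi_hex, 16):  # racoon prints the SPI twice; they must agree
                raise ValueError("corrupt SPI in line: " + line)
            state["ipsec"][(proto, src, dst)] = {"mode": mode, "spi": int(spi_dec)}
            continue
        m = NOTIFY_RE.search(line)
        if m:
            state["notify"].append(m.group(1))
    return state

def missing_reverse_sas(state):
    """Each (proto, src, dst) SA needs its (proto, dst, src) twin, or traffic only flows one way."""
    sas = state["ipsec"]
    return sorted(key for key in sas if (key[0], key[2], key[1]) not in sas)

def tunnel_ready(state):
    """True when phase 1 completed and every child SA has its reverse direction."""
    return bool(state["isakmp"]) and bool(state["ipsec"]) and not missing_reverse_sas(state)
```

If this reports the tunnel ready and the first connection still fails with "Resource temporarily unavailable", that matches the first-datagram drop described above; a ping to the peer before the real connection avoids it.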
More information about the fedora-list mailing list