IPSec Host2Host
Scott Ryan
scott at staff.telkomsa.net
Tue Mar 8 07:49:05 UTC 2005
Sorry for the long message, but all I am trying to do is establish a host-to-host
VPN.
On one side I have Red Hat Enterprise Linux 4 and on the other I have Fedora Core 3.
I will call them A and B respectively; the setups of A and B are at the end of
this mail.
I can ifup ipsec0 on both hosts. But when I ping from B->A I get:
# ping 192.168.0.200
connect: Resource temporarily unavailable
From A->B I get 50% packet loss:
# ping 192.168.0.203
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=0.707 ms
64 bytes from 192.168.0.203: icmp_seq=3 ttl=64 time=0.663 ms
64 bytes from 192.168.0.203: icmp_seq=5 ttl=64 time=0.660 ms
64 bytes from 192.168.0.203: icmp_seq=7 ttl=64 time=0.605 ms
64 bytes from 192.168.0.203: icmp_seq=9 ttl=64 time=0.644 ms
64 bytes from 192.168.0.203: icmp_seq=11 ttl=64 time=0.669 ms
64 bytes from 192.168.0.203: icmp_seq=13 ttl=64 time=0.647 ms
64 bytes from 192.168.0.203: icmp_seq=15 ttl=64 time=0.666 ms
64 bytes from 192.168.0.203: icmp_seq=17 ttl=64 time=0.665 ms
64 bytes from 192.168.0.203: icmp_seq=19 ttl=64 time=0.675 ms
--- 192.168.0.203 ping statistics ---
20 packets transmitted, 10 received, 50% packet loss, time 19005ms
rtt min/avg/max/mdev = 0.605/0.660/0.707/0.027 ms, pipe 2
In /var/log/messages I see that the connections on both sides are
established:
A:
Mar 8 11:45:49 saturn racoon: INFO: respond new phase 2 negotiation:
192.168.0.200[0]<=>192.168.0.203[0]
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport
192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport
192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport
192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport
192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
B:
Mar 8 09:45:57 sirius racoon: INFO: initiate new phase 2 negotiation:
192.168.0.203[0]<=>192.168.0.200[0]
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport
192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport
192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport
192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport
192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
If I try to telnet from A->B to a TCP port (mysql), it just sits there:
# telnet 192.168.0.203 3306
Trying 192.168.0.203...
And from B->A I get:
# telnet 192.168.0.200 22
Trying 192.168.0.200...
telnet: connect to address 192.168.0.200: Resource temporarily unavailable
telnet: Unable to connect to remote host: Resource temporarily unavailable
This problem really is frustrating me. I believe that the problem is with the
Fedora side, although I cannot determine that for sure. Any help will really be
appreciated.
A is set up as follows:
ifcfg-ipsec0:
DEVICE=ipsec0
DST=192.168.0.203
TYPE=IPsec
ONBOOT=no
IKE_METHOD=PSK
racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug;
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/192.168.0.203.conf";
B is set up as follows:
ifcfg-ipsec0:
DEVICE=ipsec0
DST=192.168.0.200
TYPE=IPsec
ONBOOT=no
IKE_METHOD=PSK
racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug;
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/192.168.0.200.conf";
The /etc/racoon/psk.txt file has the same key on both sides.
--
slr.
'Don't queue mail with Sendmail,
send mail with Qmail ... '
b0n0b0 #qmail on efnet
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371
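The racoon log excerpts in the post show the SAs each peer believes it established. As an added example (not code from the post or from the racoon project), the Python script below pairs the "IPsec-SA established" lines from both hosts and checks that every direction and protocol (AH and ESP) carries the same SPI on both ends, also cross-checking the decimal and hex SPI on each line. The sample logs are constructed from the post's excerpts, re-joined onto one syslog line each; with this data every SA matches, which points the investigation away from IKE negotiation and toward what the kernel actually installed.

```python
import re
# Constructed sample input: the "IPsec-SA established" lines quoted in the post
# for host A (saturn) and host B (sirius), each re-joined onto the single
# syslog line racoon actually writes (the post shows them wrapped).
LOG_A = """\
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar 8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
"""
LOG_B = """\
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar 8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
"""

SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>\w+) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)
def parse_sas(log_text):
    """Map (proto, mode, src, dst) -> SPI for each SA racoon reports.
    Raises ValueError if a line's decimal and hex SPI disagree (mangled log)."""
    sas = {}
    for m in SA_RE.finditer(log_text):
        spi = int(m.group("dec"))
        if spi != int(m.group("hex"), 16):
            raise ValueError("inconsistent SPI in: " + m.group(0))
        sas[(m.group("proto"), m.group("mode"), m.group("src"), m.group("dst"))] = spi
    return sas

def compare_sas(log_a, log_b):
    """Return {sa_key: status} with status 'ok', 'mismatch', 'only_a' or 'only_b'.
    Every SA must appear on both peers with the same SPI for traffic to flow."""
    a, b = parse_sas(log_a), parse_sas(log_b)
    result = {}
    for key in sorted(set(a) | set(b)):
        if key not in a:
            result[key] = "only_b"      # B logged an SA that A never reported
        elif key not in b:
            result[key] = "only_a"
        else:
            result[key] = "ok" if a[key] == b[key] else "mismatch"
    return result

if __name__ == "__main__":
    for (proto, mode, src, dst), status in compare_sas(LOG_A, LOG_B).items():
        print("%s/%s %s->%s: %s" % (proto, mode, src, dst, status))
```

On a live host, setkey -D (the SAD) and setkey -DP (the SPD) from ipsec-tools show what the kernel actually installed, which is the next thing to compare against racoon's log.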