IPSec configuration problems
Peter Shulkin
pshulkin at demoulasmarketbasket.com
Thu Feb 18 17:55:27 UTC 2010
Hi, I went back over 2 years of archives, and didn't see much about
this, so if you know I missed something, please forgive me, and steer me
in the right direction.
I'm trying to get IPSec running between 2 RHEL5 boxes
(2.6.18-92.1.13.el5 #1 SMP), using either racoon or openswan. Using
racoon (and GUI), I'm getting this:
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: initiate new
phase 1 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: begin
Aggressive mode.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: received
Vendor ID: DPD
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't
find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA
established 128.181.3.207[500]-128.181.3.201[500]
spi:795e2bb8a279b257:8b398333ed868553
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: initiate new
phase 2 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: INFO: IPsec-SA
expired: AH/Transport 128.181.3.201[0]->128.181.3.207[0]
spi=181136274(0xacbeb92)
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: ERROR:
128.181.3.201 give up to get IPsec-SA due to time up to wait.
And on the other side, I get this:
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: respond new
phase 1 negotiation: 128.181.3.201[500]<=>128.181.3.207[500]
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: begin
Aggressive mode.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: received
Vendor ID: DPD
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't
find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA
established 128.181.3.201[500]-128.181.3.207[500]
spi:795e2bb8a279b257:8b398333ed868553
I did get it working once, but I shut it down to try the openswan mode
(made no changes to racoon). Now, it fails on me (as per above).
Of course, I do have a psk.txt in the /etc/racoon directory on both
sides, with IP address and key.
If I kill racoon, and "service ipsec start"
I get this:
Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 "test": deleting
connection
Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 added connection
description "test"
Feb 18 10:02:28 STORE191 ipsec__plutorun: right: do something with host
case: 0
Feb 18 10:02:29 STORE191 ipsec__plutorun: 000 "test": request to add a
prospective erouted policy with netkey kernel --- not yet implemented
Feb 18 10:02:29 STORE191 ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1:
initiate
Feb 18 10:02:31 STORE191 setroubleshoot: SELinux is preventing ip
(ifconfig_t) "read write" to socket (initrc_t). For complete SELinux
messages. run sealert -l c134bad0-02c8-42f3-b2e6-406582ce4744
Feb 18 10:04:49 STORE191 kernel: pluto[628]: segfault at
0000000000000000 rip 0000000000000000 rsp 00007fff4f295898 error 14
Feb 18 10:04:49 STORE191 ipsec__plutorun: /usr/libexec/ipsec/_plutorun:
line 250: 628 Segmentation fault /usr/libexec/ipsec/pluto
--nofork --secretsfile /etc/ipsec.secrets --use-netkey --nat_traversal
And the same for the other side. SELinux is disabled on both servers
(and tells me it's in permissive mode).
Any suggestions will be appreciated. I can send the .conf files, if
needed.
Once I can reliably get IPSec working with either method, I want to get
it working with a Windows2003R2 server. Does anyone know which method
works best with Windows?
Peter Shulkin
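An added example, not part of the post or of racoon: a small Python script that parses racoon syslog records like the ones quoted above and reports which IKE phase the negotiation stalled in. The sample input is the two logs from the post with the mail client's line wrapping undone; the field names and verdict strings are this example's own choices.

```python
"""Summarise racoon IKE negotiation logs to see which phase stalled."""
import re
from datetime import datetime

# Constructed sample input: the initiator (STORE191) and responder (STORE190)
# logs quoted in the post, with each syslog record rejoined onto one line.
INITIATOR_LOG = """\
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: initiate new phase 1 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.207[500]-128.181.3.201[500] spi:795e2bb8a279b257:8b398333ed868553
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: initiate new phase 2 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: INFO: IPsec-SA expired: AH/Transport 128.181.3.201[0]->128.181.3.207[0] spi=181136274(0xacbeb92)
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: ERROR: 128.181.3.201 give up to get IPsec-SA due to time up to wait.
"""

RESPONDER_LOG = """\
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: respond new phase 1 negotiation: 128.181.3.201[500]<=>128.181.3.207[500]
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.201[500]-128.181.3.207[500] spi:795e2bb8a279b257:8b398333ed868553
"""

# racoon prefixes every record with its own timestamp and a level (INFO, NOTIFY, ERROR, ...).
RECORD_RE = re.compile(
    r"racoon: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_records(text):
    """Yield (timestamp, level, message) for each racoon record in the log text."""
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["level"], m["msg"]


def summarise(text):
    """Track the IKE state machine through one peer's log and return a summary dict."""
    s = {
        "phase1_mode": None,             # "Main" or "Aggressive"
        "psk_by_address_fallback": False,  # PSK found by peer address, not identifier
        "phase1_established": False,     # ISAKMP-SA (phase 1) came up
        "phase2_started": None,          # timestamp of first phase 2 message
        "phase2_established": False,     # IPsec-SA (phase 2) came up
        "phase2_gave_up": None,          # timestamp of the phase 2 timeout
    }
    for ts, _level, msg in parse_records(text):
        if msg.startswith("begin ") and msg.endswith(" mode."):
            s["phase1_mode"] = msg[len("begin "):-len(" mode.")]
        elif "couldn't find the proper pskey" in msg:
            s["psk_by_address_fallback"] = True
        elif msg.startswith("ISAKMP-SA established"):
            s["phase1_established"] = True
        elif "phase 2 negotiation" in msg:
            s["phase2_started"] = s["phase2_started"] or ts
        elif msg.startswith("IPsec-SA established"):
            s["phase2_established"] = True
        elif "give up to get IPsec-SA" in msg:
            s["phase2_gave_up"] = ts
    if s["phase2_started"] and s["phase2_gave_up"]:
        s["phase2_wait_seconds"] = int((s["phase2_gave_up"] - s["phase2_started"]).total_seconds())
    else:
        s["phase2_wait_seconds"] = None
    s["verdict"] = _verdict(s)
    return s


def _verdict(s):
    if not s["phase1_established"]:
        return "phase 1 (ISAKMP-SA) never established"
    if s["phase2_established"]:
        return "tunnel established"
    if s["phase2_gave_up"] is not None:
        return "phase 1 OK; phase 2 (IPsec-SA) timed out"
    if s["phase2_started"] is not None:
        return "phase 1 OK; phase 2 started, outcome not logged"
    return "phase 1 OK; no phase 2 activity logged"


def compare_sides(initiator_text, responder_text):
    """Cross-check both peers' logs and return a list of findings worth investigating."""
    a, b = summarise(initiator_text), summarise(responder_text)
    findings = []
    if a["phase2_started"] and b["phase2_started"] is None:
        findings.append("initiator started phase 2 but responder logged no phase 2 negotiation")
    if a["psk_by_address_fallback"] and b["psk_by_address_fallback"]:
        findings.append("both peers located the PSK by address, not by identifier")
    if a["phase1_mode"] == "Aggressive":
        findings.append("phase 1 ran in Aggressive mode")
    if a["phase2_wait_seconds"] is not None:
        findings.append(f"initiator waited {a['phase2_wait_seconds']}s for an IPsec-SA before giving up")
    return findings


if __name__ == "__main__":
    for name, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        print(name, "->", summarise(log)["verdict"])
    for f in compare_sides(INITIATOR_LOG, RESPONDER_LOG):
        print("-", f)
```

Run against the logs in the post, the script reports that phase 1 succeeded on both sides, that the initiator waited 30 seconds for a phase 2 (IPsec-SA) reply, and that the responder's log shows no phase 2 activity at all, which narrows the search to the phase 2 (sainfo/policy) side of the configuration rather than the pre-shared key. The Aggressive mode finding is worth a look on its own: with pre-shared keys, Main mode is the stronger phase 1 choice.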