IPSec configuration problems

Peter Shulkin pshulkin at demoulasmarketbasket.com
Thu Feb 18 17:55:27 UTC 2010


Hi, I went back over 2 years of archives, and didn't see much about
this, so if you know I missed something, please forgive me, and steer me
in the right direction.

I'm trying to get IPSec running between 2 RHEL5 boxes
(2.6.18-92.1.13.el5 #1 SMP), using either racoon or openswan.  Using
racoon (and GUI), I'm getting this:

Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: initiate new phase 1 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.207[500]-128.181.3.201[500] spi:795e2bb8a279b257:8b398333ed868553
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: initiate new phase 2 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: INFO: IPsec-SA expired: AH/Transport 128.181.3.201[0]->128.181.3.207[0] spi=181136274(0xacbeb92)
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: ERROR: 128.181.3.201 give up to get IPsec-SA due to time up to wait.

And on the other side, I get this:

Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: respond new phase 1 negotiation: 128.181.3.201[500]<=>128.181.3.207[500]
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.201[500]-128.181.3.207[500] spi:795e2bb8a279b257:8b398333ed868553

I did get it working once, but I shut it down to try the openswan mode
(made no changes to racoon).  Now, it fails on me (as per above).

Of course, I do have a psk.txt in the /etc/racoon directory on both
sides, with IP address and key.

If I kill racoon, and "service ipsec start", I get this:

Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 "test": deleting connection
Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 added connection description "test"
Feb 18 10:02:28 STORE191 ipsec__plutorun: right: do something with host case: 0
Feb 18 10:02:29 STORE191 ipsec__plutorun: 000 "test": request to add a prospective erouted policy with netkey kernel --- not yet implemented
Feb 18 10:02:29 STORE191 ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate
Feb 18 10:02:31 STORE191 setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t). For complete SELinux messages. run sealert -l c134bad0-02c8-42f3-b2e6-406582ce4744
Feb 18 10:04:49 STORE191 kernel: pluto[628]: segfault at 0000000000000000 rip 0000000000000000 rsp 00007fff4f295898 error 14
Feb 18 10:04:49 STORE191 ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250:   628 Segmentation fault      /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --use-netkey --nat_traversal

And the same for the other side.  SELinux is disabled on both servers
(and tells me it's in permissive mode).

Any suggestions will be appreciated.  I can send the .conf files, if
needed.

Once I can reliably get IPSec working with either method, I want to get
it working with a Windows2003R2 server.  Does anyone know which method
works best with Windows?

Peter Shulkin
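Added example, not part of Peter's post and not code from racoon or openswan: a small Python classifier that turns racoon syslog lines from both peers into a per-host timeline and reports how far IKE got. The sample input is the racoon output quoted in the post, reflowed one line per entry; the event names and the troubleshooting hints that diagnose() attaches are this example's own heuristics, not racoon messages. On the quoted lines it reports phase 1 established on both STORE191 and STORE190, phase 2 initiated only by STORE191 and then timed out, and no phase 2 exchange ever logged on STORE190.

```python
import re
from collections import defaultdict

# Constructed sample: the racoon lines quoted in the post, one per line.
SAMPLE_LOG = """\
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: initiate new phase 1 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.207[500]-128.181.3.201[500] spi:795e2bb8a279b257:8b398333ed868553
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: initiate new phase 2 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: INFO: IPsec-SA expired: AH/Transport 128.181.3.201[0]->128.181.3.207[0] spi=181136274(0xacbeb92)
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: ERROR: 128.181.3.201 give up to get IPsec-SA due to time up to wait.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: respond new phase 1 negotiation: 128.181.3.201[500]<=>128.181.3.207[500]
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.201[500]-128.181.3.207[500] spi:795e2bb8a279b257:8b398333ed868553
"""

# syslog prefix, host, then racoon's own timestamp, level and message
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) racoon: "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# (pattern, event name) in match order; the first hit classifies the line.
# Event names are this example's own labels for racoon's message texts.
EVENT_PATTERNS = [
    (re.compile(r"^initiate new phase 1 negotiation"), "phase1_initiate"),
    (re.compile(r"^respond new phase 1 negotiation"), "phase1_respond"),
    (re.compile(r"^begin \w+ mode"), "exchange_mode"),
    (re.compile(r"^received Vendor ID"), "vendor_id"),
    (re.compile(r"^couldn't find the proper pskey"), "psk_fallback"),
    (re.compile(r"^ISAKMP-SA established"), "phase1_established"),
    (re.compile(r"^initiate new phase 2 negotiation"), "phase2_initiate"),
    (re.compile(r"^respond new phase 2 negotiation"), "phase2_respond"),
    (re.compile(r"^IPsec-SA established"), "phase2_established"),
    (re.compile(r"^IPsec-SA expired"), "ipsec_sa_expired"),
    (re.compile(r"give up to get IPsec-SA"), "phase2_timeout"),
]


def parse_line(line):
    """Return a dict for one racoon syslog line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg").strip()
    event = next((name for pat, name in EVENT_PATTERNS if pat.search(msg)), "other")
    return {"host": m.group("host"), "ts": m.group("ts"),
            "level": m.group("level"), "event": event, "msg": msg}


def parse_log(text):
    """Group classified events by host, preserving log order."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_host[rec["host"]].append(rec)
    return dict(by_host)


def diagnose(by_host):
    """Summarise each host's IKE progress, then cross-check initiator vs responder."""
    findings = {}
    for host, events in by_host.items():
        names = {e["event"] for e in events}
        role = ("initiator" if "phase1_initiate" in names
                else "responder" if "phase1_respond" in names else "unknown")
        phase2 = ("established" if "phase2_established" in names
                  else "timed out" if "phase2_timeout" in names
                  else "started" if names & {"phase2_initiate", "phase2_respond"}
                  else "not seen")
        notes = []
        if "psk_fallback" in names:
            notes.append("PSK lookup by IKE identity failed, fell back to peer address"
                         + (" (harmless here: phase 1 completed)" if "phase1_established" in names
                            else " and phase 1 did not complete: check psk.txt"))
        for e in events:
            if e["event"] == "ipsec_sa_expired":
                proto = e["msg"].split(":", 1)[1].split()[0]  # e.g. "AH/Transport"
                notes.append(f"larval {proto} SA expired unused: quick mode never completed, "
                             "compare the SPD (setkey -DP) and sainfo on both sides")
        findings[host] = {"role": role, "phase2": phase2, "notes": notes,
                          "phase1": "established" if "phase1_established" in names else "incomplete"}
    p2_attempted = any(f["role"] == "initiator" and f["phase2"] != "not seen"
                       for f in findings.values())
    for f in findings.values():
        if p2_attempted and f["role"] == "responder" and f["phase2"] == "not seen":
            f["notes"].append("never logged a phase 2 exchange although the peer initiated one: "
                              "confirm UDP/500 from the peer reaches this host and its SPD has a matching policy")
    return findings


if __name__ == "__main__":
    for host, f in diagnose(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: role={f['role']} phase1={f['phase1']} phase2={f['phase2']}")
        for n in f["notes"]:
            print("  -", n)
```

Feed it the racoon lines from /var/log/messages on both boxes concatenated; the cross-check only fires when one side shows the initiator role and the other the responder role, which is the shape of the logs above.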