On 4 Mar 2005, at 14:38, Scott Ryan wrote:
Having followed this documentation over and over again:
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html
One machine is FC3 the other RHEL4 (pretty similar)
I cannot get these 2 hosts that are on the same network to pass any traffic to
each other. I see that the tunnel is established,
Mar 4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
Mar 4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar 4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar 4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar 4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
but then when I try to connect from one machine to the other I get:
# telnet 192.168.0.200 389
Trying 192.168.0.200...
telnet: connect to address 192.168.0.200: Resource temporarily unavailable
telnet: Unable to connect to remote host: Resource temporarily unavailable
Is this a bug?
Yes. The Linux IPsec stack, when instructed to use IKE (racoon), always discards the first IP datagram when initially setting up the IPsec SA between two hosts. Before telnetting, try pinging the other peer first in order to set up the SA: you'll see that the first ICMP Echo Request packet is lost. However, subsequent ICMP Echo Request packets should get delivered properly.
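As an added example (not part of either message), a small Python checker for racoon's "IPsec-SA established" lines like the ones quoted above: it confirms that every AH/ESP SA has a counterpart in the reverse direction and measures the time from the phase 1 start to the last SA install. The sample lines are copied from the post with the wrapped lines joined; run over them it reports both directions up, so the telnet failure is not a missing return-path SA.

```python
import re
from datetime import datetime

# racoon log lines from the post above, joined back onto single lines
SAMPLE_LOG = """\
Mar 4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar 4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar 4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: ")
PHASE1_RE = re.compile(r"new phase 1 negotiation")
SA_RE = re.compile(r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>\w+) "
                   r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<spi>\d+)")

def parse_timestamp(line):
    """Syslog timestamp without a year; good enough for differences within a day."""
    m = TS_RE.match(line)
    return datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S") if m else None

def check_sas(log_text):
    """Return (missing, setup_seconds).
    missing: (src, dst, proto) triples naming a direction that never got an SA although
    the peer direction did; an empty list means every AH/ESP SA has its return-path twin.
    setup_seconds: time from the first phase 1 start to the last IPsec-SA install."""
    sas = {}            # (src, dst) -> set of protocols installed in that direction
    first_phase1 = None
    last_sa = None
    for line in log_text.splitlines():
        ts = parse_timestamp(line)
        if first_phase1 is None and PHASE1_RE.search(line):
            first_phase1 = ts
        m = SA_RE.search(line)
        if m:
            sas.setdefault((m["src"], m["dst"]), set()).add(m["proto"])
            last_sa = ts
    missing = []
    for (src, dst), protos in sas.items():
        for proto in protos - sas.get((dst, src), set()):
            missing.append((dst, src, proto))
    setup = (last_sa - first_phase1).total_seconds() if first_phase1 and last_sa else None
    return sorted(missing), setup

if __name__ == "__main__":
    print(check_sas(SAMPLE_LOG))   # ([], 2.0): both directions up, 2 s after phase 1 began
```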