On 4 Mar 2005, at 14:38, Scott Ryan wrote:

> Having followed this documentation over and over again:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html
>
> One machine is FC3, the other RHEL4 (pretty similar).
>
> I cannot get these 2 hosts that are on the same network to pass any traffic to
> each other. I see that the tunnel is established,
>
> Mar 4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
> Mar 4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
> Mar 4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
> Mar 4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar 4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
> Mar 4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
> Mar 4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
>
> but then when I try to connect from one machine to the other I get:
>
> # telnet 192.168.0.200 389
> Trying 192.168.0.200...
> telnet: connect to address 192.168.0.200: Resource temporarily unavailable
> telnet: Unable to connect to remote host: Resource temporarily unavailable
>
> Is this a bug?

> Yes. Linux IPSec stack, when instructed to use IKE (racoon), always
> discards the first IP datagram when initially setting up the IPSEC SA
> between two hosts. Before telnetting, try first pinging the other peer
> in order to set the SA up: you'll see the first ICMP Echo Request
> packet is lost. However, subsequent ICMP Echo Request packets should
> get delivered properly.

I see that there is an update for ipsec-tools that will make it work with the latest kernel. I think that is my problem, but I will only be able to test on Monday.

-- 
slr. b0n0b0 #qmail on efnet
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371
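The "ping first to bring the SA up" advice in the reply above can be turned into a check rather than a guess: the following shell script is an added example (not from this thread or from ipsec-tools) that parses the kernel SAD as printed by `setkey -D` and only reports the link ready once a mature ESP SA exists in both directions; the dump text is constructed to match the SPIs in the log, and the `setkey -D` layout (an unindented "src dst" header line followed by indented `esp ... state=mature` lines) is assumed.

```shell
#!/bin/sh
# Constructed sample of "setkey -D" output for the two hosts in the thread
# (format assumed from ipsec-tools; hex key material elided).
SAMPLE_SAD='192.168.0.203 192.168.0.200
    esp mode=transport spi=44115096(0x02a12498) reqid=0(0x00000000)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.0.200 192.168.0.203
    esp mode=transport spi=232232718(0x0dd7970e) reqid=0(0x00000000)
    E: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# mature_esp_count SRC DST  < setkey-dump
# Prints how many ESP SAs from SRC to DST are in state "mature".
mature_esp_count() {
    awk -v src="$1" -v dst="$2" '
        # An unindented line starts a new SA entry: "<src> <dst>"
        /^[^ \t]/ { cur = ($1 == src && $2 == dst); esp = 0; next }
        cur && $1 == "esp"           { esp = 1 }
        cur && esp && /state=mature/ { n++ }
        END { print n + 0 }'
}

# sa_ready LOCAL PEER  < setkey-dump
# Succeeds only when a mature ESP SA exists in each direction.
sa_ready() {
    dump=$(cat)   # read stdin once; both counts need the same dump
    out=$(printf '%s\n' "$dump" | mature_esp_count "$1" "$2")
    back=$(printf '%s\n' "$dump" | mature_esp_count "$2" "$1")
    [ "$out" -ge 1 ] && [ "$back" -ge 1 ]
}

# wait_for_sa LOCAL PEER [TRIES]
# Sends one echo request to trigger IKE (that first packet may be dropped,
# as the reply describes), then polls the live SAD until both SAs are mature.
# Runs real ping/setkey, so this is for use on the host, not in the test.
wait_for_sa() {
    local_ip=$1; peer=$2; tries=${3:-10}
    ping -c 1 -W 1 "$peer" >/dev/null 2>&1 || true
    while [ "$tries" -gt 0 ]; do
        setkey -D | sa_ready "$local_ip" "$peer" && return 0
        sleep 1; tries=$((tries - 1))
    done
    return 1
}
```

Typical use on the initiating host: `wait_for_sa 192.168.0.203 192.168.0.200 && telnet 192.168.0.200 389`, so the application connection is attempted only after the SAD confirms the SA pair.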