IpSec Woes.

On 4 Mar 2005, at 14:38, Scott Ryan wrote:

> Having followed this documentation over and over again:
> http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html
>
> One machine is FC3 the other RHEL4 (pretty similar)
>
> I cannot get these 2 hosts that are on the same network to pass any traffic to
> each other. I see that the tunnel is established,
>
> Mar  4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
> Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
> Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
> Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
> Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
> Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
>
> but then when I try to connect from one machine to the other I get:
>
> # telnet 192.168.0.200 389
> Trying 192.168.0.200...
> telnet: connect to address 192.168.0.200: Resource temporarily unavailable
> telnet: Unable to connect to remote host: Resource temporarily unavailable
>
> Is this a bug?

> Yes. Linux IPSec stack, when instructed to use IKE (racoon), always
> discards the first IP datagram when initially setting up the IPSEC SA
> between two hosts. Before telnetting, try first pinging the other peer
> in order to set the SA up: you'll see the first ICMP Echo Request
> packet is lost. However, subsequent ICMP Echo Request packets should
> get delivered properly.

I see that there is an update for ipsec-tools that will make it work with the 
latest kernel. I think that is my problem, but I will only be able to test on 
Monday.

-- 
slr.
b0n0b0 #qmail on efnet
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371
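The racoon log quoted in this thread carries enough information to answer the question that matters before blaming the stack: did phase 1 and phase 2 both complete, is there an AH and an ESP SA in each direction between the two hosts, and did racoon flag anything on the way. The script below is an added example for this thread, not code from the original post or from the ipsec-tools project; it re-joins the wrapped log lines as constructed sample input and parses them. The regular expressions are an assumption about the message wording seen in the quoted log and may need adjusting for other racoon versions.

```python
"""Summarise IKE/IPsec SA state from racoon (ipsec-tools) log lines.

Added example for this thread; not from the original post or ipsec-tools.
"""
import re

# Constructed sample: the racoon lines quoted in the thread, re-joined
# where the mail client had wrapped them.
SAMPLE_LOG = """\
Mar  4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
"""

# Assumed message formats, taken from the wording in the quoted log.
# Phase 1: "ISAKMP-SA established A[port]-B[port] spi:<icookie>:<rcookie>"
ISAKMP_RE = re.compile(
    r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\] "
    r"spi:([0-9a-f]+):([0-9a-f]+)")
# Phase 2: "IPsec-SA established: PROTO/MODE SRC->DST spi=DEC(HEX)"
IPSEC_RE = re.compile(
    r"IPsec-SA established: (AH|ESP)/(Transport|Tunnel) "
    r"([\d.]+)->([\d.]+) spi=(\d+)\((0x[0-9a-f]+)\)")
NOTIFY_RE = re.compile(r"racoon: NOTIFY: (.*)")


def parse_racoon_log(text):
    """Return {"isakmp": [...], "ipsec": [...], "warnings": [...]}."""
    state = {"isakmp": [], "ipsec": [], "warnings": []}
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            state["isakmp"].append({
                "local": m.group(1), "peer": m.group(2),
                "cookie_i": m.group(3), "cookie_r": m.group(4)})
            continue
        m = IPSEC_RE.search(line)
        if m:
            spi_dec, spi_hex = int(m.group(5)), int(m.group(6), 16)
            if spi_dec != spi_hex:  # sanity check on the logged SPI pair
                state["warnings"].append("SPI decimal/hex mismatch: " + line)
            state["ipsec"].append({
                "proto": m.group(1), "mode": m.group(2),
                "src": m.group(3), "dst": m.group(4), "spi": spi_dec})
            continue
        m = NOTIFY_RE.search(line)
        if m:
            state["warnings"].append(m.group(1))
        elif "begin Aggressive mode" in line:
            # With a pre-shared key, IKEv1 Aggressive mode sends the
            # authentication hash before the channel is encrypted, so the
            # PSK can be guessed offline; Main mode avoids that exposure.
            state["warnings"].append("Aggressive mode negotiated")
    return state


def protocols_both_ways(state, host_a, host_b):
    """Protocols (AH/ESP) that have an IPsec SA in each direction."""
    seen = {(sa["proto"], sa["src"], sa["dst"]) for sa in state["ipsec"]}
    return {p for (p, s, d) in seen
            if (s, d) == (host_a, host_b) and (p, host_b, host_a) in seen}


def tunnel_ready(state, host_a, host_b):
    """True when phase 1 completed and ESP is set up in both directions."""
    phase1 = any({sa["local"], sa["peer"]} == {host_a, host_b}
                 for sa in state["isakmp"])
    return phase1 and "ESP" in protocols_both_ways(state, host_a, host_b)


if __name__ == "__main__":
    st = parse_racoon_log(SAMPLE_LOG)
    print("phase 1 SAs:", len(st["isakmp"]), "phase 2 SAs:", len(st["ipsec"]))
    print("ready 200<->203:", tunnel_ready(st, "192.168.0.200", "192.168.0.203"))
    for w in st["warnings"]:
        print("warning:", w)
```

Run it against the racoon lines from /var/log/messages (or wherever syslog puts them) instead of the embedded sample. For the quoted log it reports one phase 1 SA, four phase 2 SAs, AH and ESP present in both directions, and two items worth a look: the "couldn't find the proper pskey" notice, and the fact that Aggressive mode was negotiated. A complete SA set like this, combined with a connect failure on the very first packet, is exactly the situation the reply above describes.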