Re: IpSec Woes.

On 5 Mar 2005, at 18:59, Scott Ryan wrote:

On 4 Mar 2005, at 14:38, Scott Ryan wrote:

Having followed this documentation over and over again:
http://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/security-guide/s1-ipsec-host2host.html

One machine is FC3, the other RHEL4 (pretty similar).

I cannot get these 2 hosts that are on the same network to pass any traffic to each other. I see that the tunnel is established:

Mar  4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)


but then when I try to connect from one machine to the other I get:

# telnet 192.168.0.200 389
Trying 192.168.0.200...
telnet: connect to address 192.168.0.200: Resource temporarily unavailable
telnet: Unable to connect to remote host: Resource temporarily unavailable

Is this a bug?

Yes. The Linux IPSec stack, when instructed to use IKE (racoon), always discards the first IP datagram when initially setting up the IPSEC SA between two hosts. Before telnetting, try first pinging the other peer in order to set the SA up: you'll see the first ICMP Echo Request packet is lost. However, subsequent ICMP Echo Request packets should get delivered properly.

I see that there is an update for ipsec-tools that will make it work with the latest kernel. I think that is my problem, but I will only be able to test on Monday.

I doubt that it will fix the problem, as ipsec-tools is userspace, but the problem is related to the kernel itself.
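As an added example (not part of this thread or of racoon), a small Python parser for the racoon syslog lines quoted above: it records the phase 1 ISAKMP-SA, checks that an AH and an ESP SA exist in both directions between the two peers, and flags the "begin Aggressive mode" line. A missing direction can then be told apart from the first-packet drop described in the reply. The sample log is the thread's own lines re-joined; the function and type names are my own.

```python
import re
from collections import namedtuple

# Constructed sample: the racoon lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Mar  4 17:40:09 saturn racoon: INFO: unsupported PF_KEY message REGISTER
Mar  4 17:40:25 saturn racoon: INFO: respond new phase 1 negotiation: 192.168.0.200[500]<=>192.168.0.203[500]
Mar  4 17:40:25 saturn racoon: INFO: begin Aggressive mode.
Mar  4 17:40:25 saturn racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar  4 17:40:25 saturn racoon: INFO: ISAKMP-SA established 192.168.0.200[500]-192.168.0.203[500] spi:e4dc7a800a339f4a:f2247856aa9a0c57
Mar  4 17:40:26 saturn racoon: INFO: respond new phase 2 negotiation: 192.168.0.200[0]<=>192.168.0.203[0]
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=54093889(0x3396841)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=44115096(0x2a12498)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=264377756(0xfc2159c)
Mar  4 17:40:27 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=232232718(0xdd7970e)
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+?)\[\d+\]-(\S+?)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
IPSEC_RE = re.compile(r"IPsec-SA established: (AH|ESP)/(Transport|Tunnel) (\S+)->(\S+) spi=(\d+)\((0x[0-9a-f]+)\)")
IpsecSA = namedtuple("IpsecSA", "proto mode src dst spi")  # one phase 2 SA as racoon reports it

def parse_racoon_log(text):
    """Return (phase1_pairs, ipsec_sas, aggressive_mode) extracted from racoon syslog lines."""
    phase1, sas, aggressive = [], [], False
    for line in text.splitlines():
        if "begin Aggressive mode" in line:
            aggressive = True  # PSK-derived hash travels before encryption is up; audits flag this
        m = ISAKMP_RE.search(line)
        if m:
            phase1.append((m.group(1), m.group(2)))
            continue
        m = IPSEC_RE.search(line)
        if m:
            proto, mode, src, dst, dec, hx = m.groups()
            if int(dec) != int(hx, 16):  # racoon prints the SPI twice; both forms must agree
                raise ValueError("inconsistent SPI: " + line)
            sas.append(IpsecSA(proto, mode, src, dst, int(dec)))
    return phase1, sas, aggressive

def missing_sas(sas, a, b):
    """One SA per protocol per direction is needed; list the (proto, src, dst) gaps between a and b."""
    protos = sorted({s.proto for s in sas}) or ["ESP"]
    present = {(s.proto, s.src, s.dst) for s in sas}
    return [(p, x, y) for p in protos for x, y in ((a, b), (b, a))
            if (p, x, y) not in present]
```

With all four SAs present, as in the quoted log, `missing_sas` returns an empty list, so a persistent connect failure after the first packet is not explained by an incomplete SA set.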


