IPSec Host2Host


Sorry for the long message, but all I am trying to do is establish a host-to-host VPN.
On one side I have Red Hat Enterprise Linux 4 and on the other I have Fedora Core 3.
I will call them A and B respectively; the setups of A and B are at the end of
this mail.

I can ifup ipsec0 on both hosts. But when I ping from B->A I get:

# ping 192.168.0.200
connect: Resource temporarily unavailable

From A->B I get 50% packet loss:

# ping 192.168.0.203
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=0.707 ms
64 bytes from 192.168.0.203: icmp_seq=3 ttl=64 time=0.663 ms
64 bytes from 192.168.0.203: icmp_seq=5 ttl=64 time=0.660 ms
64 bytes from 192.168.0.203: icmp_seq=7 ttl=64 time=0.605 ms
64 bytes from 192.168.0.203: icmp_seq=9 ttl=64 time=0.644 ms
64 bytes from 192.168.0.203: icmp_seq=11 ttl=64 time=0.669 ms
64 bytes from 192.168.0.203: icmp_seq=13 ttl=64 time=0.647 ms
64 bytes from 192.168.0.203: icmp_seq=15 ttl=64 time=0.666 ms
64 bytes from 192.168.0.203: icmp_seq=17 ttl=64 time=0.665 ms
64 bytes from 192.168.0.203: icmp_seq=19 ttl=64 time=0.675 ms

--- 192.168.0.203 ping statistics ---
20 packets transmitted, 10 received, 50% packet loss, time 19005ms
rtt min/avg/max/mdev = 0.605/0.660/0.707/0.027 ms, pipe 2

In /var/log/messages I see that the connections on both sides are
established:

A :
Mar  8 11:45:49 saturn racoon: INFO: respond new phase 2 negotiation: 
192.168.0.200[0]<=>192.168.0.203[0]
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 
192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 
192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 
192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 
192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)

B:
Mar  8 09:45:57 sirius racoon: INFO: initiate new phase 2 negotiation: 
192.168.0.203[0]<=>192.168.0.200[0]
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 
192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 
192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 
192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 
192.168.0.203->192.168.0.200 spi=90498626(0x564e642)

If I try to telnet from A->B to a TCP port (mysql) it just sits there:

# telnet 192.168.0.203 3306
Trying 192.168.0.203...

And from B->A I get:

# telnet 192.168.0.200 22
Trying 192.168.0.200...
telnet: connect to address 192.168.0.200: Resource temporarily unavailable
telnet: Unable to connect to remote host: Resource temporarily unavailable

This problem really is frustrating me. I believe that the problem is with the 
Fedora side although I cannot determine for sure. Any help will really be 
appreciated.


A is set up as follows:

ifcfg-ipsec0:
DEVICE=ipsec0
DST=192.168.0.203
TYPE=IPsec
ONBOOT=no
IKE_METHOD=PSK

racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug;

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/192.168.0.203.conf";

B is set up as follows:

ifcfg-ipsec0:
DEVICE=ipsec0
DST=192.168.0.200
TYPE=IPsec
ONBOOT=no
IKE_METHOD=PSK

racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug;

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/192.168.0.200.conf";

The /etc/racoon/psk.txt file has the same key on both sides.


-- 
slr.
'Don't queue mail with Sendmail,
send mail with Qmail ... '
b0n0b0 #qmail on efnet
key: 0x0B65ABDC - http://wwwkeys.pgp.net:11371
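As an added check, not part of the original post and not a racoon or ipsec-tools utility, the script below parses the "IPsec-SA established" lines quoted above from both hosts and confirms that each direction has the same AH and ESP SPI on A and B and that no direction is missing; a mismatch here would mean the two kernels hold different SA tables, which is a different problem from a policy that simply has no SA yet. The log strings are constructed from the lines in the post (A is saturn, B is sirius).

```python
import re

# Log excerpts constructed from the racoon lines quoted in the post (A=saturn, B=sirius).
LOG_A = """\
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar  8 11:45:50 saturn racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
"""
LOG_B = """\
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.200->192.168.0.203 spi=10443078(0x9f5946)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.200->192.168.0.203 spi=34513017(0x20ea079)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.203->192.168.0.200 spi=140466698(0x85f5a0a)
Mar  8 09:45:58 sirius racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.203->192.168.0.200 spi=90498626(0x564e642)
"""

SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>AH|ESP)/(?P<mode>\w+) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)

def parse_sas(log):
    """Map (proto, mode, src, dst) -> SPI for every 'IPsec-SA established' line."""
    sas = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        spi = int(m["dec"])
        if spi != int(m["hex"], 16):  # racoon logs both forms; disagreement = mangled line
            raise ValueError("inconsistent SPI in: " + line)
        sas[(m["proto"], m["mode"], m["src"], m["dst"])] = spi
    return sas

def compare_sas(a, b):
    """Return (key, spi_on_a, spi_on_b) for every SA the two hosts do not agree on."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def missing_sas(sas, host_a, host_b):
    """Directions lacking an AH or ESP transport SA (the posted sainfo negotiates both)."""
    return [(p, s, d) for p in ("AH", "ESP") for s, d in ((host_a, host_b), (host_b, host_a))
            if (p, "Transport", s, d) not in sas]

if __name__ == "__main__":
    a, b = parse_sas(LOG_A), parse_sas(LOG_B)
    print("SPI mismatches:", compare_sas(a, b))
    print("missing on A:", missing_sas(a, "192.168.0.200", "192.168.0.203"))
```

On the two logs quoted in the post both checks come back empty, so the SA tables on A and B agree and the symptom must come from somewhere else.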