Re: Problem with IPSEC transport

On Mon, 2011-01-03 at 10:30 +0100, Luc MAIGNAN wrote: 
> Hi,

> I want to establish an IPSEC tunnel between a fedora box and a NETASQ 
> router.

> The router doesn't support AH transport, just ESP.

Yeah, you don't want to use AH anyways.  All that gives you is the
authentication header (AH) and no tunneling at all.  You don't need it
and, really, even going to the trouble of disabling it is not worth it.
If you don't call for an AH-only connection, it won't be used.

> So I try to disable it by setting :

> AH_PROTO=none

Not necessary, but doesn't do any harm.

> in the ifcfg-ipsec0 file.

I don't use that stuff for IPsec.  That's all based on setkey and
racoon and such and I've never gotten it to behave nicely for me and
I'm an extensive user and developer of IPsec (Openswan).  I've looked at
that in the Fedora configs and thought no way, and just installed
Openswan from the repos to manage my IPsec connections.

> but it doesn't work !
> In the log file, I can see :

> pfkey GETSPI succeeded: AH/Transport 
> 8x.xxx.xx.xx[500]->192.168.50.181[500] spi=30486826(0x1d1312a)

> Can anyone help me to give me a way to DISABLED the AH proto ?

Sounds like you're trying to go the setkey / racoon route with IPsec
and if you don't know what you are doing, you really don't want to go
down that road.  Why don't you take a look at the Openswan setup?  How
familiar are you with setting up IPsec VPNs?  I think you'll find the
Openswan community is larger and generally helpful.  It's all IPsec
and Openswan is in the standard repositories as well.

Disabling AH is not your problem.  Not setting up a connection policy
would be my guess.  So there's a whole lot of information which you
need to have in there which you haven't told us about.  So, either you
have it in there and there's something wrong there, or you don't have
it there and you've got a long row to hoe if you go down this route.

What kind of connection are you trying to set up?  Is it going to be PSK
(Pre-Shared Keys - static keys, in other words) or RSA or certificate or
what is that gateway wanting?  You can't just tell it to connect.  If
it's like the Cisco ASAs where you have things like group names and
passwords and whatnot, you're going to have to set up a keying daemon
like racoon or Openswan's Pluto to handle the key negotiations and
handshakes.  I don't know so much about racoon but I did some of the
coding work on Openswan for talking to Cisco gateways.  Do you even have
the racoon package installed?  I'm just not familiar with that NETASQ
unit and what it's going to want.

At the very least, you'll need to post your entire config file (with
appropriate secrets and sensitive information anonymized, of course),
not just what you think is wrong.

> Best regards

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
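Since the reply's point is that a connection policy (not AH) is what is missing, here is an added example, not taken from the thread or from the Openswan project, of the minimal Openswan configuration for the situation described: an ESP-only tunnel authenticated with a pre-shared key between a Fedora box and a gateway that does not support AH.  The connection name, the addresses (203.0.113.10, 198.51.100.1), the subnets and the secret are placeholders; substitute the real values and the key the NETASQ side has been configured with.

```ini
# /etc/ipsec.conf   (added example; all names, addresses and subnets are placeholders)
version 2.0

config setup
    protostack=netkey          # use the kernel's native IPsec stack on Fedora
    nat_traversal=yes
    interfaces=%defaultroute

conn fedora-to-netasq
    type=tunnel
    keyexchange=ike
    authby=secret              # PSK, looked up in /etc/ipsec.secrets
    ike=aes128-sha1;modp1024   # phase 1 proposal
    phase2=esp                 # ESP only; AH is never proposed to the peer
    phase2alg=aes128-sha1      # phase 2 proposal
    pfs=yes
    left=203.0.113.10          # this Fedora box (placeholder public address)
    leftsubnet=192.168.50.0/24 # network behind the Fedora box (placeholder)
    right=198.51.100.1         # the NETASQ gateway (placeholder)
    rightsubnet=10.0.0.0/24    # network behind the gateway (placeholder)
    auto=start                 # bring the tunnel up when pluto starts

# /etc/ipsec.secrets   (owned by root, mode 0600; placeholder key)
203.0.113.10 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

The two files are shown in one block for brevity; they live at the paths in the comments.  Before starting pluto, set ONBOOT=no in ifcfg-ipsec0 (or remove the file) so the network scripts' setkey/racoon path does not install a competing policy.  Then `ipsec verify` reports stack and kernel problems, `ipsec auto --status` shows whether the conn was loaded and reached phase 2, and `ip xfrm state` lists the installed SAs: with this configuration only `proto esp` entries should appear, with no `proto ah` at all.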


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
