[CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)

Sat Oct 13 00:04:15 UTC 2007
Nicolas Sahlqvist <nicco77 at gmail.com>

Does it not make more sense to make a symlink rather than copying the file..?


/ Nicolas

On 10/13/07, carlopmart <carlopmart at gmail.com> wrote:
> Buf ... Solved. Problem was that /etc/pam.d/racoon doesn't exist (I found
> this tip on NetBSD ipsec pages). Simply I have copied /etc/pam.d/passwd to
> /etc/pam.d/racoon and now all works as expected.
>
> Many thanks for your help Ross.
>
>
>
> Ross S. W. Walker wrote:
> >
> > I think it might just use another one like /etc/pam.d/remote
> > cause I audited the package and it wasn't there.
> >
> > Does the "users" group exist and charlie a member of it?
> >
> > -Ross
> >
> >> -----Original Message-----
> >> From: carlopmart [mailto:carlopmart at gmail.com]
> >> Sent: Friday, October 12, 2007 6:54 PM
> >> To: Ross S. W. Walker
> >> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
> >>
> >> hi ross,
> >>
> >>   Yes I compiled with pam option. But I don't have any ipsec config file on
> >> /etc/pam.d ... I didn't find any sample on ipsec-tools 0.7 source tree ...
> >> where is it??
> >>
> >> Ross S. W. Walker wrote:
> >>> If you compiled ipsec tools yourself did you compile with the pam option?
> >>> If not then you can't tell it to use pam for authentication.
> >>>
> >>> If you did, did you setup the appropriate ipsec config file in
> >>> /etc/pam.d? I believe there is an example one in the ipsec source tree.
> >>>
> >>> -Ross
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: centos-bounces at centos.org <centos-bounces at centos.org>
> >>> To: centos at centos.org <centos at centos.org>
> >>> Sent: Fri Oct 12 18:38:38 2007
> >>> Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
> >>>
> >>> Hi all,
> >>>
> >>>   I am trying to establish a vpn tunnel between one CentOS5 IPSec server
> >>> and a roadwarrior client, CentOS5 too. Roadwarrior uses ipsec-tools
> >>> version 0.6.5-8 (that comes with CentOS5) and server uses version 0.7
> >>> (downloaded from ipsec-tools website).
> >>>
> >>>   My server configuration is:
> >>>
> >>> path include "/etc/racoon";
> >>> path certificate "/etc/racoon/certs";
> >>> path pre_shared_key "/etc/racoon/psk.txt";
> >>> path pidfile "/var/run/racoon.pid";
> >>> #log debug;
> >>>
> >>> listen {
> >>>          adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
> >>>          isakmp 172.28.45.4 [500];
> >>>          isakmp_natt 172.28.45.4 [4500];
> >>> }
> >>>
> >>> remote anonymous {
> >>>          exchange_mode aggressive;
> >>>          certificate_type x509 "gwenc.crt" "gwenc.key";
> >>>          my_identifier asn1dn;
> >>>          proposal_check claim;
> >>>          generate_policy on;
> >>>          nat_traversal on;
> >>>          dpd_delay 20;
> >>>          ike_frag on;
> >>>          passive on;
> >>>          proposal {
> >>>                  encryption_algorithm aes;
> >>>                  hash_algorithm sha256;
> >>>                  authentication_method hybrid_rsa_server;
> >>>                  dh_group 2;
> >>>          }
> >>> }
> >>>
> >>> mode_cfg {
> >>>          network4 172.31.78.5;
> >>>          netmask4 255.255.255.240;
> >>>          pool_size 6;
> >>>          dns4 172.25.50.1;
> >>>          auth_source pam;
> >>>          auth_groups "users";
> >>>          group_source system;
> >>>          auth_throttle 10;
> >>>          pfs_group 2;
> >>> }
> >>>
> >>> sainfo anonymous
> >>> {
> >>>          pfs_group 2;
> >>>          lifetime time 1 hour;
> >>>          encryption_algorithm rijndael;
> >>>          authentication_algorithm hmac_sha256;
> >>>          compression_algorithm deflate;
> >>> }
> >>>
> >>>   When I try to connect from roadwarrior client using xauth, server
> >>> returns me these errors:
> >>>
> >>>   2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
> >>> 2007-10-13 00:21:52: INFO: Using port 0
> >>> 2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
> >>> 2007-10-13 00:21:52: INFO: Released port 0
> >>> 2007-10-13 00:21:52: INFO: login failed for user "charlie"
> >>> 2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
> >>> 2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
> >>> 2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
> >>>
> >>>   why? I don't understand. Well, yes, I think that the server doesn't
> >>> really use pam libraries, or the problem is that linux uses shadow for
> >>> passwords instead of the passwd file.
> >>>
> >>>
> >>>   I see a lot of webs where this configuration works out of the box, but
> >>> not for me.... I am really desperate.
> >>>
> >>> Many thanks.
> >>>
> >>> P.D: On the ipsec-tools mailing list I don't receive any response.
> >>> --
> >>> CL Martinez
> >>> carlopmart {at} gmail {d0t} com
> >>> _______________________________________________
> >>> CentOS mailing list
> >>> CentOS at centos.org
> >>> http://lists.centos.org/mailman/listinfo/centos
> >>>
> >>>
> >>> --------------------------------------------------------------------------
> >>> This e-mail, and any attachments thereto, is intended only for use by
> >>> the addressee(s) named herein and may contain legally privileged and/or
> >>> confidential information. If you are not the intended recipient of this
> >>> e-mail, you are hereby notified that any dissemination, distribution or
> >>> copying of this e-mail, and any attachments thereto, is strictly
> >>> prohibited. If you have received this e-mail in error, please
> >>> immediately notify the sender and permanently delete the original and
> >>> any copy or printout thereof.
> >>
> >> --
> >> CL Martinez
> >> carlopmart {at} gmail {d0t} com
> >>
> >
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
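The two things that decided this thread, whether /etc/pam.d/racoon exists at all and whether the user is actually in the group named by auth_groups, can both be checked before touching racoon's debug logging. The POSIX shell script below is an added example, not code from this thread or from ipsec-tools. It assumes that racoon with auth_source pam consults a PAM service named "racoon" under a pam.d directory and that group membership comes from an /etc/group-style file; both locations are parameters so the demo runs against constructed sample files in a temporary directory rather than the real /etc.

```shell
#!/bin/sh
# Added example: pre-flight checks for racoon xauth with auth_source pam.
# Not part of ipsec-tools or the mailing-list thread. The service name
# "racoon" and the /etc/group line format are assumptions (see lead-in).

# check_pam_service PAMDIR SERVICE
# 0 = service file present (regular file, or a symlink resolving to one)
# 1 = missing, 2 = symlink that points nowhere
check_pam_service() {
    f="$1/$2"
    if [ -L "$f" ]; then
        [ -f "$f" ] && return 0
        return 2
    fi
    [ -f "$f" ] && return 0
    return 1
}

# group_has_member GROUPFILE GROUP USER
# Parses /etc/group-style lines "name:x:gid:member1,member2".
# 0 = USER listed in GROUP, 1 = GROUP exists but USER is not in it,
# 3 = GROUP does not exist (auth_groups would then reject every login)
group_has_member() {
    line=$(grep "^$2:" "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 3
    members=${line##*:}          # last colon-separated field: the member list
    case ",$members," in
        *",$3,"*) return 0 ;;
    esac
    return 1
}

# diagnose PAMDIR GROUPFILE SERVICE GROUP USER
# Prints one line per check; returns 0 only if every check passes.
diagnose() {
    ok=0
    rc=0; check_pam_service "$1" "$3" || rc=$?
    case $rc in
        0) echo "ok:   $1/$3 present" ;;
        1) echo "FAIL: $1/$3 missing (pam_authenticate will fail)"; ok=1 ;;
        2) echo "FAIL: $1/$3 is a dangling symlink"; ok=1 ;;
    esac
    rc=0; group_has_member "$2" "$4" "$5" || rc=$?
    case $rc in
        0) echo "ok:   $5 is a member of group $4" ;;
        1) echo "FAIL: $5 is not a member of group $4"; ok=1 ;;
        3) echo "FAIL: group $4 does not exist"; ok=1 ;;
    esac
    return $ok
}

# Demo on constructed files: a pam.d directory and a group file in a temp dir.
demo() {
    t=$(mktemp -d)
    mkdir "$t/pam.d"
    : > "$t/pam.d/passwd"                        # stand-in for /etc/pam.d/passwd
    printf 'users:x:100:charlie,alice\n' > "$t/group"   # constructed group line
    echo "--- before creating the racoon service file"
    diagnose "$t/pam.d" "$t/group" racoon users charlie || true
    ln -s passwd "$t/pam.d/racoon"               # symlink instead of a copy
    echo "--- after symlinking racoon -> passwd"
    diagnose "$t/pam.d" "$t/group" racoon users charlie || true
    rm -rf "$t"
}
demo
```

Run it as-is to see both the failing and the passing state; to check a live box, call `diagnose /etc/pam.d /etc/group racoon users charlie` instead of `demo`. The distinct return codes matter because a dangling symlink (code 2) looks like a present file in a directory listing but produces the same "pam_authenticate failed" as a missing one.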