Hi all,
I am trying to establish a VPN tunnel between a CentOS 5 IPsec server and a roadwarrior client, also CentOS 5. The roadwarrior uses ipsec-tools version 0.6.5-8 (the one that comes with CentOS 5) and the server uses version 0.7 (downloaded from the ipsec-tools website).
My server configuration is:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;

listen {
        adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
        isakmp 172.28.45.4 [500];
        isakmp_natt 172.28.45.4 [4500];
}

# phase 1 (ISAKMP SA) settings, accepted from any peer
remote anonymous {
        exchange_mode aggressive;
        certificate_type x509 "gwenc.crt" "gwenc.key";
        my_identifier asn1dn;
        proposal_check claim;
        generate_policy on;
        nat_traversal on;
        dpd_delay 20;
        ike_frag on;
        passive on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha256;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

# addresses and xauth settings handed to the roadwarrior clients
mode_cfg {
        network4 172.31.78.5;
        netmask4 255.255.255.240;
        pool_size 6;
        dns4 172.25.50.1;
        auth_source pam;
        auth_groups "users";
        group_source system;
        auth_throttle 10;
        pfs_group 2;
}

# phase 2 (IPsec SA) proposal
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm rijndael;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
When I try to connect from the roadwarrior client using xauth, the server returns these errors:
2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
Why? I don't understand. Well, I think that either the server doesn't really use the PAM libraries, or the problem is that Linux uses shadow for passwords instead of the passwd file.
I see a lot of web pages where this configuration works out of the box, but not for me... I am really desperate.
Many thanks.
P.S.: On the ipsec-tools mailing list I haven't received any response.
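The diagnostic below is an added example; it is not part of the original post or of ipsec-tools. It assumes (as labelled in the code) that racoon with auth_source pam opens the PAM service named "racoon", so the stack it consults on the server is /etc/pam.d/racoon, and that auth_groups "users" requires the login name to belong to that group. Rather than calling PAM itself, the example checks the two things a practitioner would verify first when pam_authenticate fails for a user: that a PAM service file with an auth rule exists, and that the user is in the required group (as a listed member or via the primary GID in passwd). The file contents it uses are constructed samples, not copied from any real host.

```shell
#!/bin/sh
# Added example: pre-flight checks for racoon xauth over PAM.
# Assumption: racoon requests the PAM service "racoon", so the stack
# lives at PAMDIR/racoon. Assumption: auth_groups is satisfied by either
# an explicit member entry in the group file or a matching primary GID.

# check_pam_service PAMDIR SERVICE
# 0 if PAMDIR/SERVICE exists and carries at least one "auth" rule
# (a rule that only includes system-auth still counts, as on CentOS 5).
check_pam_service() {
    f="$1/$2"
    [ -f "$f" ] || { echo "missing PAM service file $f" >&2; return 1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]' "$f" \
        || { echo "no auth rules in $f" >&2; return 2; }
    return 0
}

# user_in_group GROUPFILE PASSWDFILE USER GROUP
# Parses /etc/group ("name:x:gid:member,member") and /etc/passwd
# ("name:x:uid:gid:...") and returns 0 if USER is in GROUP.
user_in_group() {
    awk -F: -v u="$3" -v g="$4" '
        BEGIN { gid = "-" }
        FNR == NR {                     # first file: the group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            }
            next
        }
        $1 == u && $4 == gid { found = 1 }   # second file: primary GID
        END { exit found ? 0 : 1 }' "$1" "$2"
}

# make_fixture DIR: write constructed sample files for a demo run.
make_fixture() {
    mkdir -p "$1/pam.d"
    printf '%s\n' '#%PAM-1.0' \
        'auth    include  system-auth' \
        'account include  system-auth' > "$1/pam.d/racoon"
    printf '%s\n' 'users:x:100:charlie,dave' 'wheel:x:10:alice' > "$1/group"
    printf '%s\n' 'alice:x:1000:10::/home/alice:/bin/bash' \
        'charlie:x:1001:100::/home/charlie:/bin/bash' \
        'erin:x:1002:100::/home/erin:/bin/bash' > "$1/passwd"
}

# Demo on the constructed fixture; on a real server replace the paths
# with /etc/pam.d, /etc/group and /etc/passwd.
tmp=$(mktemp -d)
make_fixture "$tmp"
for svc in racoon xauth; do
    if check_pam_service "$tmp/pam.d" "$svc"; then
        echo "PAM service '$svc': ok"
    fi
done
for u in charlie erin alice; do
    if user_in_group "$tmp/group" "$tmp/passwd" "$u" users; then
        echo "$u in group users: yes"
    else
        echo "$u in group users: no"
    fi
done
rm -rf "$tmp"
```

On the server itself, `check_pam_service /etc/pam.d racoon` and `user_in_group /etc/group /etc/passwd charlie users` cover the two conditions; a missing service file makes pam_authenticate fail regardless of the password, and a user outside the auth_groups list is refused after PAM succeeds, so both should pass before the password itself is suspected.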