Buf ... Solved. The problem was that /etc/pam.d/racoon doesn't exist (I found this tip on the NetBSD ipsec pages). I simply copied /etc/pam.d/passwd to /etc/pam.d/racoon and now all works as expected.
Many thanks for your help Ross.
Ross S. W. Walker wrote:
I think it might just use another one like /etc/pam.d/remote, because I audited the package and it wasn't there.
Does the "users" group exist and charlie a member of it?
-Ross
-----Original Message-----
From: carlopmart [mailto:carlopmart@gmail.com]
Sent: Friday, October 12, 2007 6:54 PM
To: Ross S. W. Walker
Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
hi ross,
Yes, I compiled with the pam option. But I don't have any ipsec config file in /etc/pam.d ... I didn't find any sample in the ipsec-tools 0.7 source tree ... where is it??
Ross S. W. Walker wrote:
If you compiled ipsec-tools yourself, did you compile with the pam option? If not, then you can't tell it to use pam for authentication.
If you did, did you set up the appropriate ipsec config file in /etc/pam.d? I believe there is an example one in the ipsec source tree.
-Ross
-----Original Message-----
From: centos-bounces@centos.org
To: centos@centos.org
Sent: Fri Oct 12 18:38:38 2007
Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
Hi all,
I am trying to establish a VPN tunnel between one CentOS5 IPSec server and a roadwarrior client, CentOS5 too. The roadwarrior uses ipsec-tools version 0.6.5-8 (that comes with CentOS5) and the server uses version 0.7 (downloaded from the ipsec-tools website).
My server configuration is:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;

listen {
    adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
    isakmp 172.28.45.4 [500];
    isakmp_natt 172.28.45.4 [4500];
}

remote anonymous {
    exchange_mode aggressive;
    certificate_type x509 "gwenc.crt" "gwenc.key";
    my_identifier asn1dn;
    proposal_check claim;
    generate_policy on;
    nat_traversal on;
    dpd_delay 20;
    ike_frag on;
    passive on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;
        authentication_method hybrid_rsa_server;
        dh_group 2;
    }
}

mode_cfg {
    network4 172.31.78.5;
    netmask4 255.255.255.240;
    pool_size 6;
    dns4 172.25.50.1;
    auth_source pam;
    auth_groups "users";
    group_source system;
    auth_throttle 10;
    pfs_group 2;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm rijndael;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
When I try to connect from the roadwarrior client using xauth, the server returns me these errors:
2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
Why? I don't understand. Well, yes, I think that the server doesn't really use the pam libraries, or the problem is that Linux uses shadow for passwords instead of the passwd file.
I see a lot of web pages saying this configuration works out of the box, but not for me.... I am really desperate.
Many thanks.
P.D: On the ipsec-tools mailing list I don't receive any response.
CL Martinez carlopmart {at} gmail {d0t} com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof.
-- CL Martinez carlopmart {at} gmail {d0t} com
Does it not make more sense to make a symlink rather than copying the file..?
/ Nicolas
On 10/13/07, carlopmart carlopmart@gmail.com wrote:
Buf ... Solved. The problem was that /etc/pam.d/racoon doesn't exist (I found this tip on the NetBSD ipsec pages). I simply copied /etc/pam.d/passwd to /etc/pam.d/racoon and now all works as expected.
Not if one intends to modify it to suit racoon's specific needs...
-Ross
-----Original Message-----
From: Nicolas Sahlqvist [mailto:nicco77@gmail.com]
Sent: Friday, October 12, 2007 8:04 PM
To: CentOS mailing list; Ross S. W. Walker
Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)
Does it not make more sense to make a symlink rather than copying the file..?
/ Nicolas
Could you be a little bit more specific, what are those needs..?
/ Nicco
On 10/13/07, Ross S. W. Walker rwalker@medallion.com wrote:
Not if one intends to modify it to suit racoon's specific needs...
-Ross
Nicolas Sahlqvist wrote
On 10/13/07, Ross S. W. Walker rwalker@medallion.com wrote:
Not if one intends to modify it to suit racoon's specific needs...
-Ross
Could you be a little bit more specific, what are those needs..?
Please avoid top posting.
One need I can come up with off the top of my head is to have racoon use radius for the authentication requests. Another is a separate Kerberos domain...
<snip>
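Two points in this thread are worth seeing in working code: carlopmart's fix (the "pam_authenticate failed: Authentication failure" log line went away once /etc/pam.d/racoon existed) and Ross's reason for a copied file rather than a symlink (a racoon stack that diverges from passwd, e.g. to try RADIUS first). The script below is an added example and not code from the thread, from ipsec-tools or from Linux-PAM. It resolves the PAM stack a service name will actually get, the way Linux-PAM does: no /etc/pam.d/<service> means /etc/pam.d/other is used, and on CentOS that file is pam_deny.so for every type, so every password fails. Assumptions: the service name "racoon" is what racoon's xauth code hands to pam_start() (consistent with the fix that worked); the pam.d contents are constructed to resemble trimmed CentOS 5 defaults, not copied from a host; pam_radius_auth.so (from the pam_radius package) is assumed to be installed for the dedicated variant.

```python
"""Resolve the Linux-PAM stack a service name actually gets.

Added example, not code from the thread, ipsec-tools or Linux-PAM. The service
name "racoon" is what racoon's xauth code hands to pam_start() (consistent with
the fix that worked); the pam.d contents below are constructed, not copied."""
import os
import shutil
import tempfile

# Constructed sample files, trimmed versions of the CentOS 5 defaults.
SAMPLE_PAMD = {
    "other": (                      # what PAM uses when no service file exists
        "#%PAM-1.0\n"
        "auth     required   pam_deny.so\n"
        "account  required   pam_deny.so\n"
        "password required   pam_deny.so\n"
        "session  required   pam_deny.so\n"
    ),
    "system-auth": (
        "auth     required   pam_env.so\n"
        "auth     sufficient pam_unix.so nullok try_first_pass\n"
        "auth     required   pam_deny.so\n"
        "account  required   pam_unix.so\n"
    ),
    "passwd": (                     # the file the thread copied to racoon
        "auth     include    system-auth\n"
        "account  include    system-auth\n"
        "password include    system-auth\n"
    ),
}

# The kind of dedicated stack Ross has in mind: RADIUS first (pam_radius_auth.so
# from pam_radius, assumed installed), local accounts second. As its own file it
# leaves /etc/pam.d/passwd untouched; a symlink would change both.
DEDICATED_RACOON = (
    "auth     sufficient pam_radius_auth.so\n"
    "auth     include    system-auth\n"
    "account  include    system-auth\n"
)

def resolve_stack(pamd_dir, service, _depth=0):
    """Return [(type, control, module), ...] as Linux-PAM would apply it:
    a missing top-level service file falls back to `other`, and
    include/substack lines expand to the same-type lines of the named file."""
    path = os.path.join(pamd_dir, service)
    if not os.path.exists(path):
        if _depth == 0 and service != "other":
            return resolve_stack(pamd_dir, "other")
        raise FileNotFoundError("no PAM service file %s" % path)
    if _depth > 8:
        raise RecursionError("include loop via %s" % service)
    stack = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3:
                continue  # blank, comment-only or malformed line
            mtype = fields[0]
            if fields[1].startswith("["):  # e.g. [success=1 default=bad] module
                close = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
                if close is None or close + 1 >= len(fields):
                    continue
                control, module = " ".join(fields[1:close + 1]), fields[close + 1]
            else:
                control, module = fields[1], fields[2]
            if control in ("include", "substack"):
                sub = resolve_stack(pamd_dir, module, _depth + 1)
                stack.extend(e for e in sub if e[0] == mtype)
            else:
                stack.append((mtype, control, module))
    return stack

def auth_is_unconditional_deny(stack):
    """True when no auth entry can ever succeed (every one is pam_deny.so)."""
    auth = [m for t, _, m in stack if t == "auth"]
    return not auth or all(m == "pam_deny.so" for m in auth)

def build_sample_tree(extra=None):
    """Write the constructed files into a fresh temp dir; return its path."""
    pamd = tempfile.mkdtemp(prefix="pamd-")
    for name, body in dict(SAMPLE_PAMD, **(extra or {})).items():
        with open(os.path.join(pamd, name), "w") as fh:
            fh.write(body)
    return pamd

def demo():
    """Stacks before the fix, after `cp passwd racoon`, and with a dedicated file."""
    pamd = build_sample_tree()
    before = resolve_stack(pamd, "racoon")  # no file: falls through to other
    shutil.copyfile(os.path.join(pamd, "passwd"), os.path.join(pamd, "racoon"))
    copied = resolve_stack(pamd, "racoon")  # now system-auth's chain
    shutil.rmtree(pamd)
    pamd = build_sample_tree({"racoon": DEDICATED_RACOON})
    dedicated = resolve_stack(pamd, "racoon")
    shutil.rmtree(pamd)
    return before, copied, dedicated

if __name__ == "__main__":
    for label, stack in zip(("before", "copied", "dedicated"), demo()):
        print(label, "denies every auth:", auth_is_unconditional_deny(stack), stack)
```

Pointed at a real /etc/pam.d (resolve_stack("/etc/pam.d", "racoon")) this tells you what the daemon will get before you start it. Two things the run makes visible: the missing file failed closed, since the "other" fallback denies rather than permits, which is why the symptom was a bare "Authentication failure" and not an open VPN; and the copied passwd file carries a password-type line that an xauth login never exercises, so a dedicated racoon file with only auth and account lines is both the tighter stack and the one you can edit without touching passwd.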