[CentOS] OT: a very big problem with ipsec-tools on CentOS5

carlopmart carlopmart at gmail.com
Fri Oct 12 22:38:38 UTC 2007

Hi all,

  I am trying to establish a VPN tunnel between one CentOS5 IPSec server and a 
roadwarrior client, CentOS5 too. The roadwarrior uses ipsec-tools version 0.6.5-8 
(that comes with CentOS5) and the server uses version 0.7 (downloaded from the 
ipsec-tools website).

  My server configuration is:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;

listen {
         adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
         isakmp [500];
         isakmp_natt [4500];
}

remote anonymous {
         exchange_mode aggressive;
         certificate_type x509 "gwenc.crt" "gwenc.key";
         my_identifier asn1dn;
         proposal_check claim;
         generate_policy on;
         nat_traversal on;
         dpd_delay 20;
         ike_frag on;
         passive on;
         proposal {
                  encryption_algorithm aes;
                  hash_algorithm sha256;
                  # server authenticates with its certificate, clients with XAuth
                  authentication_method hybrid_rsa_server;
                  dh_group 2;
         }
}

mode_cfg {
         pool_size 6;
         # XAuth user/password pairs are checked through PAM
         auth_source pam;
         auth_groups "users";
         group_source system;
         auth_throttle 10;
         pfs_group 2;
}

sainfo anonymous {
         pfs_group 2;
         lifetime time 1 hour;
         encryption_algorithm rijndael;
         authentication_algorithm hmac_sha256;
         compression_algorithm deflate;
}

  When I try to connect from the roadwarrior client using xauth, the server returns 
these errors:

2007-10-13 00:21:52: INFO: ISAKMP-SA established[4500]-[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from[4500], but we have no 
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.

  Why? I don't understand. Well, yes, I think that the server doesn't really use the PAM 
libraries, or the problem is that Linux uses shadow for passwords instead of the passwd file.

  I see on a lot of websites that this configuration works out of the box, but not for 
me.... I am really desperate.

Many thanks.

P.S.: On the ipsec-tools mailing list I don't receive any response.
CL Martinez
carlopmart {at} gmail {d0t} com
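As an added example (not part of the post or of ipsec-tools), a small Python parser for racoon's log format that ties each "login failed for user" line to the pam_authenticate error logged just before it and counts XAuth outcomes per user, the kind of check a gateway operator runs to spot repeated failures; the sample log is constructed from the lines quoted above plus one invented successful login.

```python
import re
from collections import defaultdict

# Constructed sample in racoon's log format: the failed attempt from the post plus an invented success.
SAMPLE_LOG = """\
2007-10-13 00:21:52: INFO: ISAKMP-SA established[4500]-[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:55: INFO: ISAKMP-SA established[4500]-[4500] spi:0011223344556677:8899aabbccddeeff
2007-10-13 00:21:55: INFO: login succeeded for user "alice"
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r'login (?P<result>failed|succeeded) for user "(?P<user>[^"]+)"')


def summarize_xauth(log_text):
    """Attach the last authentication ERROR seen since the ISAKMP-SA came up to the
    "login failed" line that follows it, and count outcomes per user."""
    summary = {"sa_established": 0, "failed": defaultdict(list), "succeeded": [], "release_errors": 0}
    pending_error = None          # most recent auth error for the current phase 1 SA
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not in racoon's format
        ts, level, msg = m.group("ts", "level", "msg")
        if msg.startswith("ISAKMP-SA established"):
            summary["sa_established"] += 1
            pending_error = None  # new phase 1 SA: earlier errors no longer apply
        elif level == "ERROR" and "authenticate failed" in msg:
            pending_error = msg   # e.g. "pam_authenticate failed: Authentication failure"
        elif level == "ERROR" and "unallocated address" in msg:
            summary["release_errors"] += 1   # pool bookkeeping error after a failed XAuth
        login = LOGIN_RE.search(msg)
        if login and login.group("result") == "failed":
            summary["failed"][login.group("user")].append((ts, pending_error or "unknown"))
            pending_error = None
        elif login:
            summary["succeeded"].append((ts, login.group("user")))
    summary["failed"] = dict(summary["failed"])
    return summary


def users_over_threshold(summary, limit):
    """Users whose failed XAuth logins reach the limit (candidates for an alert)."""
    return sorted(u for u, events in summary["failed"].items() if len(events) >= limit)
```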

