[CentOS] OT: a very big problem with ipsec-tools on CentOS5

Fri Oct 12 22:38:38 UTC 2007
carlopmart <carlopmart at gmail.com>

Hi all,

  I am trying to establish a VPN tunnel between one CentOS5 IPSec server and a 
roadwarrior client, CentOS5 too. The roadwarrior uses ipsec-tools version 0.6.5-8 
(that comes with CentOS5) and the server uses version 0.7 (downloaded from the 
ipsec-tools website).

  My server configuration is:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;

listen {
         adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
         isakmp 172.28.45.4 [500];
         isakmp_natt 172.28.45.4 [4500];
}

remote anonymous {
         exchange_mode aggressive;
         certificate_type x509 "gwenc.crt" "gwenc.key";
         my_identifier asn1dn;
         proposal_check claim;
         generate_policy on;
         nat_traversal on;
         dpd_delay 20;
         ike_frag on;
         passive on;
         proposal {
                 encryption_algorithm aes;
                 hash_algorithm sha256;
                 authentication_method hybrid_rsa_server;
                 dh_group 2;
         }
}

mode_cfg {
         network4 172.31.78.5;
         netmask4 255.255.255.240;
         pool_size 6;
         dns4 172.25.50.1;
         auth_source pam;
         auth_groups "users";
         group_source system;
         auth_throttle 10;
         pfs_group 2;
}

sainfo anonymous
{
         pfs_group 2;
         lifetime time 1 hour;
         encryption_algorithm rijndael;
         authentication_algorithm hmac_sha256;
         compression_algorithm deflate;
}

  When I try to connect from the roadwarrior client using xauth, the server returns 
these errors:

2007-10-13 00:21:52: INFO: ISAKMP-SA established 
172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no 
ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.

  Why? I don't understand. Well, yes, I think that the server doesn't really use the PAM 
libraries, or the problem is that Linux uses shadow for passwords instead of the passwd file.


  I see on a lot of websites that this configuration works out of the box, but not for 
me.... I am really desperate.

Many thanks.

P.S.: On the ipsec-tools mailing list I don't receive any response.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
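As an added example (not from the original post or from ipsec-tools), a small Python parser that pulls the failed XAuth logins out of racoon's log and ties each one to the ISAKMP-SA peer, SPI and PAM reason that preceded it, so an admin can see at a glance which user and peer are failing; the sample log is the post's own output, embedded here as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample: the racoon log lines from the post above.
SAMPLE_LOG = """\
2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
"""

# "<date> <time>: <LEVEL>: <message>" as racoon writes it
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")
SA_RE = re.compile(r"ISAKMP-SA established (?P<local>\S+)-(?P<peer>\S+) spi:(?P<spi>\S+)")
FAIL_RE = re.compile(r'login failed for user "(?P<user>[^"]*)"')

def parse_xauth_failures(log_text):
    """Return one dict per failed XAuth login, carrying the most recent
    ISAKMP-SA (peer and SPI) and the pam_authenticate reason seen before it."""
    failures = []
    current_sa = None   # last ISAKMP-SA seen; XAuth runs inside phase 1
    pam_reason = None   # last pam_authenticate error, reset per SA
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        sa = SA_RE.search(msg)
        if sa:
            current_sa = {"peer": sa.group("peer"), "spi": sa.group("spi")}
            pam_reason = None
            continue
        if msg.startswith("pam_authenticate failed:"):
            pam_reason = msg.split(":", 1)[1].strip()
            continue
        f = FAIL_RE.search(msg)
        if f:
            failures.append({"time": m.group("ts"), "user": f.group("user"),
                             "peer": current_sa["peer"] if current_sa else None,
                             "spi": current_sa["spi"] if current_sa else None,
                             "reason": pam_reason})
    return failures

def failures_per_user(failures):
    """Count failed logins per username, to spot a peer that keeps failing."""
    counts = defaultdict(int)
    for f in failures:
        counts[f["user"]] += 1
    return dict(counts)
```

On the post's log this yields a single failure for "charlie" from 172.17.35.3[4500] with reason "Authentication failure", which points at the PAM side rather than at the IKE exchange itself.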