[CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)

Fri Oct 12 23:55:02 UTC 2007
carlopmart <carlopmart at gmail.com>

Buf ... Solved. The problem was that /etc/pam.d/racoon didn't exist (I found this 
tip on the NetBSD ipsec pages). I simply copied /etc/pam.d/passwd to 
/etc/pam.d/racoon and now all works as expected.

Many thanks for your help, Ross.



Ross S. W. Walker wrote:
>  
> I think it might just use another one like /etc/pam.d/remote
> because I audited the package and it wasn't there.
> 
> Does the "users" group exist, and is charlie a member of it?
> 
> -Ross
> 
>> -----Original Message-----
>> From: carlopmart [mailto:carlopmart at gmail.com] 
>> Sent: Friday, October 12, 2007 6:54 PM
>> To: Ross S. W. Walker
>> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools 
>> on CentOS5
>>
>> hi ross,
>>
>>   Yes, I compiled with the pam option. But I don't have any ipsec config file in 
>> /etc/pam.d ... I didn't find any sample in the ipsec-tools 0.7 source tree ... where 
>> is it??
>>
>> Ross S. W. Walker wrote:
>>> If you compiled ipsec-tools yourself, did you compile with the pam option?
>>> If not then you can't tell it to use pam for authentication.
>>>
>>> If you did, did you set up the appropriate ipsec config file in 
>>> /etc/pam.d? I believe there is an example one in the ipsec source tree.
>>> -Ross
>>>
>>>
>>> -----Original Message-----
>>> From: centos-bounces at centos.org <centos-bounces at centos.org>
>>> To: centos at centos.org <centos at centos.org>
>>> Sent: Fri Oct 12 18:38:38 2007
>>> Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
>>>
>>> Hi all,
>>>
>>>   I am trying to establish a vpn tunnel between one CentOS5 IPSec server and a
>>> roadwarrior client, CentOS5 too. The roadwarrior uses ipsec-tools version 0.6.5-8
>>> (that comes with CentOS5) and the server uses version 0.7 (downloaded from the
>>> ipsec-tools website).
>>>
>>>   My server configuration is:
>>>
>>> path include "/etc/racoon";
>>> path certificate "/etc/racoon/certs";
>>> path pre_shared_key "/etc/racoon/psk.txt";
>>> path pidfile "/var/run/racoon.pid";
>>> #log debug;
>>>
>>> listen {
>>>          adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
>>>          isakmp 172.28.45.4 [500];
>>>          isakmp_natt 172.28.45.4 [4500];
>>> }
>>>
>>> remote anonymous {
>>>          exchange_mode aggressive;
>>>          certificate_type x509 "gwenc.crt" "gwenc.key";
>>>          my_identifier asn1dn;
>>>          proposal_check claim;
>>>          generate_policy on;
>>>          nat_traversal on;
>>>          dpd_delay 20;
>>>          ike_frag on;
>>>          passive on;
>>>          proposal {
>>>                  encryption_algorithm aes;
>>>                  hash_algorithm sha256;
>>>                  # server proves itself with its RSA cert, clients via XAuth
>>>                  authentication_method hybrid_rsa_server;
>>>                  dh_group 2;
>>>          }
>>> }
>>>
>>> mode_cfg {
>>>          network4 172.31.78.5;
>>>          netmask4 255.255.255.240;
>>>          pool_size 6;
>>>          dns4 172.25.50.1;
>>>          # XAuth user/password is checked through PAM (service "racoon")
>>>          auth_source pam;
>>>          auth_groups "users";
>>>          group_source system;
>>>          auth_throttle 10;
>>>          pfs_group 2;
>>> }
>>>
>>> sainfo anonymous
>>> {
>>>          pfs_group 2;
>>>          lifetime time 1 hour;
>>>          encryption_algorithm rijndael;
>>>          authentication_algorithm hmac_sha256;
>>>          compression_algorithm deflate;
>>> }
>>>
>>>   When I try to connect from the roadwarrior client using xauth, the server 
>>> returns these errors:
>>>
>>>   2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
>>> 2007-10-13 00:21:52: INFO: Using port 0
>>> 2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
>>> 2007-10-13 00:21:52: INFO: Released port 0
>>> 2007-10-13 00:21:52: INFO: login failed for user "charlie"
>>> 2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
>>> 2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
>>> 2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
>>>
>>>   Why? I don't understand. Well, yes, I think that the server doesn't really use 
>>> the pam libraries, or the problem is that linux uses shadow for passwords instead 
>>> of the passwd file.
>>>
>>>
>>>   I see a lot of websites where this configuration works out of the box, but 
>>> not for me.... I am really desperate.
>>>
>>> Many thanks.
>>>
>>> P.S.: On the ipsec-tools mailing list I don't receive any response.
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>>
>>> ------------------------------------------------------------------------
>>> This e-mail, and any attachments thereto, is intended only for use by 
>>> the addressee(s) named herein and may contain legally privileged and/or 
>>> confidential information. If you are not the intended recipient of this 
>>> e-mail, you are hereby notified that any dissemination, distribution or 
>>> copying of this e-mail, and any attachments thereto, is strictly 
>>> prohibited. If you have received this e-mail in error, please 
>>> immediately notify the sender and permanently delete the original and 
>>> any copy or printout thereof.
>>
>> -- 
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>>
> 


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
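The fix in this thread is to give racoon a PAM service file. With "auth_source pam" racoon's XAuth login opens the PAM service named "racoon"; when /etc/pam.d/racoon is absent, Linux-PAM falls back to /etc/pam.d/other, which on CentOS denies everything, and racoon logs exactly the "pam_authenticate failed: Authentication failure" line seen above. Copying /etc/pam.d/passwd works because that service routes its auth and account stacks through system-auth, which is all racoon needs. The script below is an added example, not code from the thread or from the ipsec-tools project: it checks for the service file, lints its syntax, and creates a minimal one if missing. It assumes a CentOS-style /etc/pam.d/system-auth exists and that racoon runs as root (the default), so pam_unix can read /etc/shadow; the PAM_DIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: manage the PAM service file that racoon
# needs when mode_cfg has "auth_source pam". racoon opens PAM service "racoon";
# without /etc/pam.d/racoon, Linux-PAM uses /etc/pam.d/other (pam_deny on
# CentOS) and racoon logs "pam_authenticate failed: Authentication failure".
# PAM_DIR is overridable so the functions can be exercised in a scratch dir.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
SERVICE="racoon"

# 0 = service file present with auth and account stacks,
# 1 = file missing, 2 = file present but one of the two stacks is missing.
racoon_pam_status() {
    f="$PAM_DIR/$SERVICE"
    [ -f "$f" ] || return 1
    grep -Eq '^[[:space:]]*-?auth[[:space:]]'    "$f" || return 2
    grep -Eq '^[[:space:]]*-?account[[:space:]]' "$f" || return 2
    return 0
}

# Every non-comment line must look like: TYPE CONTROL MODULE [args...]
# Prints each malformed line; returns 1 if any line is malformed.
racoon_pam_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            type = $1; sub(/^-/, "", type)
            if (NF < 3 || type !~ /^(auth|account|password|session)$/) {
                bad++; print "line " NR ": " $0
            }
        }
        END { exit (bad > 0) }
    ' "$PAM_DIR/$SERVICE"
}

# Write a minimal service file if none exists. The thread copies
# /etc/pam.d/passwd; this includes only the stacks racoon's XAuth login
# calls (pam_authenticate, then pam_acct_mgmt). pam_unix in system-auth
# reads /etc/shadow, which works because racoon runs as root by default
# (assumption: the daemon has not been configured to drop privileges).
racoon_pam_install() {
    f="$PAM_DIR/$SERVICE"
    if [ -e "$f" ]; then
        echo "$f already exists; leaving it alone" >&2
        return 0
    fi
    umask 022
    cat > "$f" <<'EOF'
#%PAM-1.0
# PAM service for racoon mode_cfg "auth_source pam" (XAuth logins)
auth       include      system-auth
account    include      system-auth
EOF
}

# Report, create the file if it is missing, then lint the result.
racoon_pam_main() {
    rc=0; racoon_pam_status || rc=$?
    case $rc in
        0) echo "$PAM_DIR/$SERVICE present" ;;
        1) echo "$PAM_DIR/$SERVICE missing, creating it"
           racoon_pam_install || return 1 ;;
        2) echo "$PAM_DIR/$SERVICE lacks an auth or account stack" >&2
           return 1 ;;
    esac
    racoon_pam_lint
}

# Only touch the real /etc/pam.d when explicitly asked: ./racoon-pam.sh --apply
if [ "${1:-}" = "--apply" ]; then
    racoon_pam_main
fi
```

Run it with --apply as root on the server, then retry the XAuth login; a status of 2 means a file exists but lacks the account stack, in which case pam_acct_mgmt, not pam_authenticate, is what will fail.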