[CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)

Sat Oct 13 00:09:50 UTC 2007
Ross S. W. Walker <rwalker at medallion.com>

Not if one intends to modify it to suit racoon's specific needs...

-Ross
 

> -----Original Message-----
> From: Nicolas Sahlqvist [mailto:nicco77 at gmail.com] 
> Sent: Friday, October 12, 2007 8:04 PM
> To: CentOS mailing list; Ross S. W. Walker
> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools 
> on CentOS5 (SOLVED)
> 
> Does it not make more sense to make a symlink rather than copying 
> the file..?
> 
> 
> / Nicolas
> 
> On 10/13/07, carlopmart <carlopmart at gmail.com> wrote:
> > Buf ... Solved. Problem was that /etc/pam.d/racoon doesn't exist (I found
> > this tip on NetBSD ipsec pages). Simply I have copied /etc/pam.d/passwd to
> > /etc/pam.d/racoon and now all works as expected.
> >
> > Many thanks for your help Ross.
> >
> >
> >
> > Ross S. W. Walker wrote:
> > >
> > > I think it might just use another one like /etc/pam.d/remote
> > > cause I audited the package and it wasn't there.
> > >
> > > Does the "users" group exist and charlie a member of it?
> > >
> > > -Ross
> > >
> > >> -----Original Message-----
> > >> From: carlopmart [mailto:carlopmart at gmail.com]
> > >> Sent: Friday, October 12, 2007 6:54 PM
> > >> To: Ross S. W. Walker
> > >> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools
> > >> on CentOS5
> > >>
> > >> hi ross,
> > >>
> > >>   Yes I compiled with pam option. But I don't have any ipsec
> > >> config file on
> > >> /etc/pam.d ... I didn't find any sample on ipsec-tools 0.7
> > >> source tree ... where
> > >> is it??
> > >>
> > >> Ross S. W. Walker wrote:
> > >>> If you compiled ipsec tools yourself did you compile with
> > >> the pam option?
> > >>> If not then you can't tell it to use pam for authentication.
> > >>>
> > >>> If you did, did you setup the appropriate ipsec config file in
> > >>> /etc/pam.d? I believe there is an example one in the ipsec
> > >> source tree.
> > >>> -Ross
> > >>>
> > >>>
> > >>> -----Original Message-----
> > >>> From: centos-bounces at centos.org <centos-bounces at centos.org>
> > >>> To: centos at centos.org <centos at centos.org>
> > >>> Sent: Fri Oct 12 18:38:38 2007
> > >>> Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
> > >>>
> > >>> Hi all,
> > >>>
> > >>>   I am trying to establish a vpn tunnel between one CentOS5 IPSec server
> > >>> and a roadwarrior client, CentOS5 too. Roadwarrior uses ipsec-tools
> > >>> version 0.6.5-8 (that comes with CentOS5) and server uses version 0.7
> > >>> (downloaded from ipsec-tools website).
> > >>>
> > >>>   My server configuration is:
> > >>>
> > >>> path include "/etc/racoon";
> > >>> path certificate "/etc/racoon/certs";
> > >>> path pre_shared_key "/etc/racoon/psk.txt";
> > >>> path pidfile "/var/run/racoon.pid";
> > >>> #log debug;
> > >>>
> > >>> listen {
> > >>>          adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
> > >>>          isakmp 172.28.45.4 [500];
> > >>>          isakmp_natt 172.28.45.4 [4500];
> > >>> }
> > >>>
> > >>> remote anonymous {
> > >>>          exchange_mode aggressive;
> > >>>          certificate_type x509 "gwenc.crt" "gwenc.key";
> > >>>          my_identifier asn1dn;
> > >>>          proposal_check claim;
> > >>>          generate_policy on;
> > >>>          nat_traversal on;
> > >>>          dpd_delay 20;
> > >>>          ike_frag on;
> > >>>          passive on;
> > >>>          proposal {
> > >>>                  encryption_algorithm aes;
> > >>>                  hash_algorithm sha256;
> > >>>                  authentication_method hybrid_rsa_server;
> > >>>                  dh_group 2;
> > >>>          }
> > >>> }
> > >>>
> > >>> mode_cfg {
> > >>>          network4 172.31.78.5;
> > >>>          netmask4 255.255.255.240;
> > >>>          pool_size 6;
> > >>>          dns4 172.25.50.1;
> > >>>          auth_source pam;
> > >>>          auth_groups "users";
> > >>>          group_source system;
> > >>>          auth_throttle 10;
> > >>>          pfs_group 2;
> > >>> }
> > >>>
> > >>> sainfo anonymous
> > >>> {
> > >>>          pfs_group 2;
> > >>>          lifetime time 1 hour;
> > >>>          encryption_algorithm rijndael;
> > >>>          authentication_algorithm hmac_sha256;
> > >>>          compression_algorithm deflate;
> > >>> }
> > >>>
> > >>>   When I try to connect from roadwarrior client using xauth, server
> > >>> returns me these errors:
> > >>>
> > >>>   2007-10-13 00:21:52: INFO: ISAKMP-SA established
> > >>> 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
> > >>> 2007-10-13 00:21:52: INFO: Using port 0
> > >>> 2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
> > >>> 2007-10-13 00:21:52: INFO: Released port 0
> > >>> 2007-10-13 00:21:52: INFO: login failed for user "charlie"
> > >>> 2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
> > >>> 2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no
> > >>> ISAKMP-SA.
> > >>> 2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
> > >>>
> > >>>   why? I don't understand. Well, yes, I think that server doesn't really
> > >>> use pam libraries or the problem is that linux uses shadow for passwords
> > >>> instead of the passwd file.
> > >>>
> > >>>
> > >>>   I see a lot of webs on which this configuration works out of the box,
> > >>> but not for me.... I am really desperate.
> > >>>
> > >>> Many thanks.
> > >>>
> > >>> P.D: On the ipsec-tools mailing list I don't receive any response.
> > >>> --
> > >>> CL Martinez
> > >>> carlopmart {at} gmail {d0t} com
> > >>> _______________________________________________
> > >>> CentOS mailing list
> > >>> CentOS at centos.org
> > >>> http://lists.centos.org/mailman/listinfo/centos
> > >>>
> > >>>
> > >>
> > >> --
> > >> CL Martinez
> > >> carlopmart {at} gmail {d0t} com
> > >>
> > >
> > >
> > >
> >
> >
> > --
> > CL Martinez
> > carlopmart {at} gmail {d0t} com
> >
> 

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.
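The fix the thread settles on (a PAM service file named after racoon, since auth_source pam makes racoon call pam_authenticate under the service name "racoon") can be done without copying /etc/pam.d/passwd or symlinking it, which is Ross's point about wanting a file tailored to racoon. The script below is an added example, not code from the thread or from ipsec-tools: it writes a dedicated /etc/pam.d/racoon that only carries the auth and account types xauth actually needs, checks that the file is present, and answers Ross's other question about the "users" group and the user "charlie". PAMDIR is an assumed override so the functions can be exercised against a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the thread: install and verify a dedicated PAM
# service file for racoon's xauth (auth_source pam) instead of copying
# /etc/pam.d/passwd. PAMDIR is a hypothetical override so the functions can
# be exercised against a scratch directory before touching /etc/pam.d.
PAMDIR="${PAMDIR:-/etc/pam.d}"
SERVICE="racoon"

# Write a minimal stack that delegates to the CentOS 5 system stack. Only the
# auth and account types are needed: xauth verifies credentials and account
# validity, it never changes a password or opens a login session, so the
# password lines a copied /etc/pam.d/passwd would carry are left out.
write_racoon_pam() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$SERVICE" <<'EOF'
#%PAM-1.0
# PAM stack for racoon xauth (auth_source pam in racoon.conf)
auth       include   system-auth
account    include   system-auth
EOF
    chmod 0644 "$dir/$SERVICE"
}

# Succeed only when the service file exists and defines both auth and account.
# Without it PAM falls back to /etc/pam.d/other, which on CentOS denies every
# request: that is the "pam_authenticate failed: Authentication failure" above.
check_racoon_pam() {
    f="$1/$SERVICE"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    grep -q '^auth[[:space:]]' "$f"    || { echo "no auth line in $f" >&2; return 1; }
    grep -q '^account[[:space:]]' "$f" || { echo "no account line in $f" >&2; return 1; }
}

# Ross's other question: does the group named in auth_groups exist and is the
# user a member? group_source system means racoon consults the system groups.
check_group_member() {
    grp="$1"; user="$2"
    getent group "$grp" >/dev/null 2>&1 || grep -q "^$grp:" /etc/group \
        || { echo "group $grp does not exist" >&2; return 1; }
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp" \
        || { echo "$user is not in group $grp" >&2; return 1; }
}

# Usage (as root): sh racoon-pam.sh install   -> writes /etc/pam.d/racoon
if [ "${1:-}" = "install" ]; then
    write_racoon_pam "$PAMDIR" && check_racoon_pam "$PAMDIR"
    check_group_member users charlie   # group and user named in the thread
fi
```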