Could you be a little bit more specific, what are those needs..?

/ Nicco

On 10/13/07, Ross S. W. Walker <rwalker at medallion.com> wrote:
>
> Not if one intends to modify it to suit racoon's specific needs...
>
> -Ross
>
> > -----Original Message-----
> > From: Nicolas Sahlqvist [mailto:nicco77 at gmail.com]
> > Sent: Friday, October 12, 2007 8:04 PM
> > To: CentOS mailing list; Ross S. W. Walker
> > Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)
> >
> > Does it not make more sense to make a symlink rather than copying the file..?
> >
> > / Nicolas
> >
> > On 10/13/07, carlopmart <carlopmart at gmail.com> wrote:
> > > Buf ... Solved. Problem was that /etc/pam.d/racoon doesn't exist (I found this
> > > tip on NetBSD ipsec pages). Simply I have copied /etc/pam.d/passwd to
> > > /etc/pam.d/racoon and now all works as expected.
> > >
> > > Many thanks for your help Ross.
> > >
> > > Ross S. W. Walker wrote:
> > > >
> > > > I think it might just use another one like /etc/pam.d/remote
> > > > cause I audited the package and it wasn't there.
> > > >
> > > > Does the "users" group exist and charlie a member of it?
> > > >
> > > > -Ross
> > > >
> > > >> -----Original Message-----
> > > >> From: carlopmart [mailto:carlopmart at gmail.com]
> > > >> Sent: Friday, October 12, 2007 6:54 PM
> > > >> To: Ross S. W. Walker
> > > >> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
> > > >>
> > > >> hi ross,
> > > >>
> > > >> Yes I compiled with pam option. But I don't have any ipsec config file on
> > > >> /etc/pam.d ... I didn't find any sample on ipsec-tools 0.7 source tree ... where
> > > >> is it??
> > > >>
> > > >> Ross S. W. Walker wrote:
> > > >>> If you compiled ipsec tools yourself did you compile with the pam option?
> > > >>> If not then you can't tell it to use pam for authentication.
> > > >>>
> > > >>> If you did, did you setup the appropriate ipsec config file in
> > > >>> /etc/pam.d? I believe there is an example one in the ipsec source tree.
> > > >>>
> > > >>> -Ross
> > > >>>
> > > >>> -----Original Message-----
> > > >>> From: centos-bounces at centos.org <centos-bounces at centos.org>
> > > >>> To: centos at centos.org <centos at centos.org>
> > > >>> Sent: Fri Oct 12 18:38:38 2007
> > > >>> Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
> > > >>>
> > > >>> Hi all,
> > > >>>
> > > >>> I am trying to establish a vpn tunnel between one CentOS5 IPSec server and a
> > > >>> roadwarrior client, CentOS5 too. Roadwarrior uses ipsec-tools version 0.6.5-8
> > > >>> (that comes with CentOS5) and server uses version 0.7 (downloaded from
> > > >>> ipsec-tools website).
> > > >>>
> > > >>> My server configuration is:
> > > >>>
> > > >>> path include "/etc/racoon";
> > > >>> path certificate "/etc/racoon/certs";
> > > >>> path pre_shared_key "/etc/racoon/psk.txt";
> > > >>> path pidfile "/var/run/racoon.pid";
> > > >>> #log debug;
> > > >>>
> > > >>> listen {
> > > >>>     adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
> > > >>>     isakmp 172.28.45.4 [500];
> > > >>>     isakmp_natt 172.28.45.4 [4500];
> > > >>> }
> > > >>>
> > > >>> remote anonymous {
> > > >>>     exchange_mode aggressive;
> > > >>>     certificate_type x509 "gwenc.crt" "gwenc.key";
> > > >>>     my_identifier asn1dn;
> > > >>>     proposal_check claim;
> > > >>>     generate_policy on;
> > > >>>     nat_traversal on;
> > > >>>     dpd_delay 20;
> > > >>>     ike_frag on;
> > > >>>     passive on;
> > > >>>     proposal {
> > > >>>         encryption_algorithm aes;
> > > >>>         hash_algorithm sha256;
> > > >>>         authentication_method hybrid_rsa_server;
> > > >>>         dh_group 2;
> > > >>>     }
> > > >>> }
> > > >>>
> > > >>> mode_cfg {
> > > >>>     network4 172.31.78.5;
> > > >>>     netmask4 255.255.255.240;
> > > >>>     pool_size 6;
> > > >>>     dns4 172.25.50.1;
> > > >>>     auth_source pam;
> > > >>>     auth_groups "users";
> > > >>>     group_source system;
> > > >>>     auth_throttle 10;
> > > >>>     pfs_group 2;
> > > >>> }
> > > >>>
> > > >>> sainfo anonymous
> > > >>> {
> > > >>>     pfs_group 2;
> > > >>>     lifetime time 1 hour;
> > > >>>     encryption_algorithm rijndael;
> > > >>>     authentication_algorithm hmac_sha256;
> > > >>>     compression_algorithm deflate;
> > > >>> }
> > > >>>
> > > >>> When I try to connect from roadwarrior client using xauth, server
> > > >>> returns me these errors:
> > > >>>
> > > >>> 2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
> > > >>> 2007-10-13 00:21:52: INFO: Using port 0
> > > >>> 2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
> > > >>> 2007-10-13 00:21:52: INFO: Released port 0
> > > >>> 2007-10-13 00:21:52: INFO: login failed for user "charlie"
> > > >>> 2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
> > > >>> 2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
> > > >>> 2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
> > > >>>
> > > >>> why? I don't understand. Well, yes, I think that server doesn't really use pam
> > > >>> libraries or problem is that linux uses shadow for passwords instead of passwd file.
> > > >>>
> > > >>> I see a lot of webs on this configuration works out of the box, but not for
> > > >>> me.... I am really desperate.
> > > >>>
> > > >>> Many thanks.
> > > >>>
> > > >>> P.D: On ipsec-tools mailing list i don't receive any response.
> > > >>> --
> > > >>> CL Martinez
> > > >>> carlopmart {at} gmail {d0t} com
> > > >>> _______________________________________________
> > > >>> CentOS mailing list
> > > >>> CentOS at centos.org
> > > >>> http://lists.centos.org/mailman/listinfo/centos
> > > >>>
> > > >>> ------------------------------------------------------------------------
> > > >>> This e-mail, and any attachments thereto, is intended only for use by
> > > >>> the addressee(s) named herein and may contain legally privileged and/or
> > > >>> confidential information. If you are not the intended recipient of this
> > > >>> e-mail, you are hereby notified that any dissemination, distribution or
> > > >>> copying of this e-mail, and any attachments thereto, is strictly
> > > >>> prohibited. If you have received this e-mail in error, please
> > > >>> immediately notify the sender and permanently delete the original and
> > > >>> any copy or printout thereof.
> > > >>
> > > >> --
> > > >> CL Martinez
> > > >> carlopmart {at} gmail {d0t} com
> > > >>
> > > >
> > >
> > > --
> > > CL Martinez
> > > carlopmart {at} gmail {d0t} com
> >
>
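The thread resolves the "pam_authenticate failed: Authentication failure" error by creating /etc/pam.d/racoon, and Ross's other question was whether the "users" group named in `auth_groups` exists with charlie as a member. The following POSIX sh script is an added example, not code from the thread or from ipsec-tools: it checks those two prerequisites before a racoon `mode_cfg` with `auth_source pam; auth_groups "users"; group_source system;` is put into service. It assumes the PAM service name is `racoon` (the file name the thread found missing), and the function names, the scratch-tree builder and its sample data are all constructed for this example; the sample service file defers to `system-auth`, the CentOS pam.d convention, rather than being a copy of /etc/pam.d/passwd as in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for racoon's
# "auth_source pam; auth_groups ...; group_source system" mode_cfg setup.
# Paths are parameters so the checks can run against a scratch copy;
# on a live host you would pass /etc/pam.d and /etc/group.

# pam_service_exists PAMDIR SERVICE
# Succeeds if PAMDIR/SERVICE is a regular file. racoon asks PAM for the
# service "racoon" (assumed name), so the file must exist under exactly that name.
pam_service_exists() {
    [ -f "$1/$2" ]
}

# pam_service_has_auth PAMDIR SERVICE
# Succeeds if the service file carries at least one non-comment "auth" line;
# a service file with no auth stack still cannot satisfy pam_authenticate.
pam_service_has_auth() {
    grep -Eq '^[[:space:]]*auth[[:space:]]' "$1/$2"
}

# user_in_group GROUPFILE USER GROUP
# Succeeds if USER is in the member list of GROUP in an /etc/group-style file.
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# racoon_pam_preflight PAMDIR GROUPFILE USER GROUP
# Runs the checks, reports each failure, and returns the number of failures
# (0 means racoon's PAM/xauth prerequisites are in place for USER).
racoon_pam_preflight() {
    pamdir=$1 groupfile=$2 user=$3 group=$4 fails=0
    if pam_service_exists "$pamdir" racoon; then
        pam_service_has_auth "$pamdir" racoon ||
            { echo "FAIL: $pamdir/racoon has no auth line"; fails=$((fails + 1)); }
    else
        echo "FAIL: $pamdir/racoon missing (pam_authenticate will fail)"
        fails=$((fails + 1))
    fi
    user_in_group "$groupfile" "$user" "$group" ||
        { echo "FAIL: $user is not a member of group $group in $groupfile"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: racoon PAM prerequisites satisfied for $user"
    return "$fails"
}

# make_demo_tree
# Builds a scratch tree from constructed sample data (not a real host):
# a pam.d whose racoon service defers to system-auth (CentOS convention,
# assumed here) and a group file in which charlie is a member of "users".
# Prints the directory path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    printf 'auth    include system-auth\naccount include system-auth\n' > "$d/pam.d/racoon"
    printf 'root:x:0:\nusers:x:100:alice,charlie\n' > "$d/group"
    echo "$d"
}

# Stand-alone run against the constructed tree.
demo=$(make_demo_tree)
racoon_pam_preflight "$demo/pam.d" "$demo/group" charlie users
rm -rf "$demo"
```

On a live host the call would be `racoon_pam_preflight /etc/pam.d /etc/group charlie users`; a non-zero return with its FAIL lines points at the same two causes the thread worked through, a missing PAM service file or a user outside the `auth_groups` group.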