[CentOS] racoon and ipsec issues

Bill Campbell centos at celestial.com
Thu Jul 17 22:51:59 UTC 2008

Following up on my own post with some new information and puzzler:

On Thu, Jul 17, 2008, Bill Campbell wrote:
>On Thu, Jul 17, 2008, Timothy Selivanow wrote:
>After letting things sit overnight, and seeing ``IPsec-SA
>expired'' messages in /var/log/messages, I tried again this
>afternoon, without success.  There are some things that seem
>noteworthy to me.
>  1.  There was no traffic between the machines until I started ``tcpdump''
>      on one, at which time it initiated the handshaking with the machine
>      here (one machine is here on M.I. the other in Kansas City).
>  2.  When racoon starts, there is a message in /var/log/messages,
>      ``racoon: ERROR: racoon: MLS support is not enabled''.  I haven't
>      been able to figure out what that means.
>  3.  The Kansas City machine is running kernel 2.6.18-53.1.14.el5 SMP,
>      x86_64.
>  4.  The M.I. machine is running 2.6.18-53.1.21.el5PAE SMP i686...
>  5.  The M.I. machine hosts several VMware virtual machines so both its
>      NICs are in promiscuous mode.

I tried setting up a different machine here on M.I. to connect,
changed the remote IP on the Kansas City machine, and am able to
create a tunnel, ping, and ssh from M.I. to K.C., but cannot do
any of these from K.C. to M.I.

There are *NO* iptables rules on either machine at present.  To
the best of my knowledge there are no IP filters between the
Internet and these machines.  The one in K.C. is a DSL modem on a
/29 net block while the connection here is via an Integra/Eschelon
Adtran channel bank to a T1 to our block.

I cannot understand how a connection works one way, but not the
other on what is supposed to be symmetric.

INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

Things in our country run in spite of government.  Not by aid of it!
    Will Rogers

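A one-way tunnel of the kind described above usually shows up in the kernel's security association database (SAD) as a live SA in one direction and a missing, dying or dead SA in the other, which is also where the ``IPsec-SA expired'' messages come from. The script below is an added example, not code from the post or from ipsec-tools: it parses a dump in the style of ``setkey -D`` (the sample is constructed, with documentation addresses, and real output indents with tabs rather than spaces), lists every (src, dst) pair that has a mature SA with no mature SA back the other way, and reports the remaining hard lifetime of each SA so that an expiring-but-not-renegotiated SA is visible before it dies.

```python
import re

# Constructed sample in the layout of `setkey -D` (ipsec-tools SAD dump).
# Not output from the machines in the post. Three peer pairs:
#   192.0.2.10 -> 198.51.100.20 is mature, but the reverse SA is dead
#   (expired and never renegotiated), so traffic flows one way only.
#   203.0.113.5 <-> 192.0.2.10 has a mature SA in both directions.
SAMPLE_SAD = """\
192.0.2.10 198.51.100.20
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
    E: aes-cbc  00112233 44556677 8899aabb ccddeeff
    A: hmac-sha1  0f1e2d3c 4b5a6978 8796a5b4 c3d2e1f0 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Jul 17 14:02:11 2008  current: Jul 17 14:30:00 2008
    diff: 1669(s)  hard: 3600(s)  soft: 2880(s)
198.51.100.20 192.0.2.10
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=0(0x00000000)
    E: aes-cbc  ffeeddcc bbaa9988 77665544 33221100
    A: hmac-sha1  76543210 f0e1d2c3 b4a59687 78695a4b 3c2d1e0f
    seq=0x00000000 replay=4 flags=0x00000000 state=dead
    created: Jul 17 13:30:00 2008  current: Jul 17 14:30:00 2008
    diff: 3600(s)  hard: 3600(s)  soft: 2880(s)
203.0.113.5 192.0.2.10
    esp mode=tunnel spi=11111111(0x00a98ac7) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 100(s)  hard: 3600(s)  soft: 2880(s)
192.0.2.10 203.0.113.5
    esp mode=tunnel spi=22222222(0x0153158e) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 100(s)  hard: 3600(s)  soft: 2880(s)
"""

# An SA record starts on an unindented "src dst" line; its attributes follow indented.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
PROTO_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")
LIFE_RE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)")


def parse_sad(text):
    """Turn a setkey -D style dump into a list of SA dicts, in dump order."""
    sas = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                       "mode": None, "spi": None, "state": None,
                       "age": None, "hard": None}
                sas.append(cur)
            continue
        if cur is None:
            continue  # attribute line before any header; ignore
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = LIFE_RE.search(line)
        if m:
            cur["age"], cur["hard"] = int(m.group(1)), int(m.group(2))
    return sas


def remaining_lifetime(sa):
    """Seconds until the hard lifetime expires, or None if the dump lacks lifetimes."""
    if sa["age"] is None or sa["hard"] is None:
        return None
    return max(sa["hard"] - sa["age"], 0)


def check_symmetry(sas):
    """(src, dst) pairs with a mature SA whose reverse direction has no mature SA."""
    live = {(sa["src"], sa["dst"]) for sa in sas if sa["state"] == "mature"}
    return sorted(pair for pair in live if (pair[1], pair[0]) not in live)


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    for sa in sas:
        print(f"{sa['src']} -> {sa['dst']}  {sa['proto']}/{sa['mode']} "
              f"spi={sa['spi']} state={sa['state']} "
              f"remaining={remaining_lifetime(sa)}s")
    for src, dst in check_symmetry(sas):
        print(f"one-way: {src} -> {dst} has a mature SA, but {dst} -> {src} does not")
```

Run against a real dump with ``setkey -D | python3 sadcheck.py`` after replacing ``SAMPLE_SAD`` with ``sys.stdin.read()``; an entry listed as one-way on either host is the place to compare both hosts' SPD (``setkey -DP``) and racoon's phase 2 lifetime settings, since both peers must hold a live SA for each direction before traffic can pass both ways.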