On Mon, 2011-01-03 at 10:30 +0100, Luc MAIGNAN wrote:
> Hi,
> I want to establish an IPSEC tunnel between a fedora box and a NETASQ
> router.
> The router doesn't support AH transport, just ESP.

Yeah, you don't want to use AH anyway. All that gives you is the authentication header (AH) and no tunneling at all. You don't need it and, really, even going to the trouble of disabling it is not worth it. If you don't call for an AH-only connection, it won't be used.

> So I try to disable it by setting:
> AH_PROTO=none

Not necessary, but doesn't do any harm.

> in the ifcfg-ipsec0 file.

I don't use that stuff for IPsec. That's all based on setkey and racoon and such, and I've never gotten it to behave nicely for me, and I'm an extensive user and developer of IPsec (Openswan). I've looked at that in the Fedora configs and thought "no way", and just installed Openswan from the repos to manage my IPsec connections.

> but it doesn't work!
> In the log file, I can see:
> pfkey GETSPI succeeded: AH/Transport
> 8x.xxx.xx.xx[500]->192.168.50.181[500] spi=30486826(0x1d1312a)
> Can anyone give me a way to disable the AH proto?

Sounds like you're trying to go the setkey / racoon route with IPsec, and if you don't know what you are doing, you really don't want to go down that road. Why don't you take a look at the Openswan setup? How familiar are you with setting up IPsec VPNs? I think you'll find the Openswan community is larger and generally helpful. It's all IPsec, and Openswan is in the standard repositories as well.

Disabling AH is not your problem. Not setting up a connection policy would be my guess. So there's a whole lot of information which you need to have in there which you haven't told us about. So, either you have it in there and there's something wrong there, or you don't have it there and you've got a long row to hoe if you go down this route. What kind of connection are you trying to set up?

Is it going to be PSK (Pre-Shared Keys - static keys, in other words) or RSA or certificate, or what is that gateway wanting? You can't just tell it to connect. If it's like the Cisco ASAs where you have things like group names and passwords and what not, you're going to have to set up a keying daemon like racoon or Openswan's Pluto to handle the key negotiations and handshakes. I don't know so much about racoon, but I did some of the coding work on Openswan for talking to Cisco gateways. Do you even have the racoon package installed? I'm just not familiar with that NETASQ unit and what it's going to want. At the very least, you'll need to post your entire config file (with appropriate secrets and sensitive information anonymized, of course), not just what you think is wrong.

> Best regards

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
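For the Openswan route recommended above, here is an added example (not from this thread, and not Openswan's own documentation) of a minimal ipsec.conf connection that requests an ESP tunnel with pre-shared-key authentication, which is what a gateway that speaks ESP but not AH needs; the connection name, addresses, subnets, algorithm proposal and the secret are constructed placeholders, and Openswan 2.6-style syntax is assumed.

```ini
# /etc/ipsec.conf (Openswan 2.6 syntax, assumed) - constructed example
config setup
    # use the kernel's native IPsec stack
    protostack=netkey
    # harmless if there is no NAT between the peers
    nat_traversal=yes

# connection name is a placeholder
conn netasq
    # tunnel mode, not transport: the gateway's subnet is reachable through it
    type=tunnel
    # pre-shared key, looked up in /etc/ipsec.secrets by the two addresses
    authby=secret
    # let Pluto negotiate the keys (IKE); never hand-key a production tunnel
    keyexchange=ike
    # left = this Fedora box, right = the NETASQ gateway (placeholder addresses)
    left=203.0.113.10
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=192.168.50.0/24
    # Phase 1 proposal; must match what the gateway is configured to offer
    ike=aes128-sha1;modp1024
    # Phase 2: request ESP only. phase2=ah would ask for the AH SA the gateway rejects
    phase2=esp
    phase2alg=aes128-sha1
    pfs=yes
    ikelifetime=8h
    salifetime=1h
    # bring the tunnel up when the ipsec service starts
    auto=start

# /etc/ipsec.secrets (owned by root, mode 0600) - constructed example line
# 203.0.113.10 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

After restarting the ipsec service, `ipsec auto --status` should list the connection with an established ESP SA and no AH entries; a persistent "AH/Transport" in the log means the policy still asks for AH.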