Hi all,
I am trying to establish a vpn tunnel between one CentOS5 IPSec server and a
roadwarrior client, CentOS5 too. Roadwarrior use ipsec-tools version 0.6.5-8
(that comes with CentOS5) and server uses version 0.7 (downloaded from
ipsec-tools website).
My server configuration is:
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;
listen {
adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
isakmp 172.28.45.4 [500];
isakmp_natt 172.28.45.4 [4500];
}
remote anonymous {
exchange_mode aggressive;
certificate_type x509 "gwenc.crt" "gwenc.key";
my_identifier asn1dn;
proposal_check claim;
generate_policy on;
nat_traversal on;
dpd_delay 20;
ike_frag on;
passive on;
proposal {
encryption_algorithm aes;
hash_algorithm sha256;
authentication_method hybrid_rsa_server;
dh_group 2;
}
}
mode_cfg {
network4 172.31.78.5;
netmask4 255.255.255.240;
pool_size 6;
dns4 172.25.50.1;
auth_source pam;
auth_groups "users";
group_source system;
auth_throttle 10;
pfs_group 2;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm rijndael;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}
When I try to connect from roadwarrior client using xauth, server returns me
this errors:
2007-10-13 00:21:52: INFO: ISAKMP-SA established
172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no
ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
why? I don't understand. Well, yes, I think that server doesn't use really pam
libraries or problem is that linux use shadow for passwords instead passwd file.
I see a lot of webs on this configuration works out of the box, but not for
me.... I am really desperated.
Many thanks.
P.D: On ipsec-tools mailing list i don't receive any response.
--
CL Martinez
carlopmart {at} gmail {d0t} com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos