Re: OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)




Buf ... Solved. The problem was that /etc/pam.d/racoon didn't exist (I found this tip on the NetBSD ipsec pages). I simply copied /etc/pam.d/passwd to /etc/pam.d/racoon and now everything works as expected.

Many thanks for your help Ross.



Ross S. W. Walker wrote:
I think it might just use another one like /etc/pam.d/remote,
because I audited the package and it wasn't there.

Does the "users" group exist, and is charlie a member of it?

-Ross

-----Original Message-----
From: carlopmart [mailto:carlopmart@xxxxxxxxx]
Sent: Friday, October 12, 2007 6:54 PM
To: Ross S. W. Walker
Subject: Re: OT: a very big problem with ipsec-tools on CentOS5

Hi Ross,

Yes, I compiled with the pam option. But I don't have any ipsec config file in /etc/pam.d ... I didn't find any sample in the ipsec-tools 0.7 source tree ... where is it??

Ross S. W. Walker wrote:
If you compiled ipsec tools yourself did you compile with
the pam option?
If not then you can't tell it to use pam for authentication.

If you did, did you set up the appropriate ipsec config file in /etc/pam.d? I believe there is an example one in the ipsec
source tree.
-Ross


-----Original Message-----
From: centos-bounces@xxxxxxxxxx <centos-bounces@xxxxxxxxxx>
To: centos@xxxxxxxxxx <centos@xxxxxxxxxx>
Sent: Fri Oct 12 18:38:38 2007
Subject:  OT: a very big problem with ipsec-tools on CentOS5

Hi all,

I am trying to establish a VPN tunnel between a CentOS5 IPSec server and a
roadwarrior client, also CentOS5. The roadwarrior uses ipsec-tools version 0.6.5-8
(the one that comes with CentOS5) and the server uses version 0.7 (downloaded from
the ipsec-tools website).

  My server configuration is:

path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path pre_shared_key "/etc/racoon/psk.txt";
path pidfile "/var/run/racoon.pid";
#log debug;

listen {
         adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
         isakmp 172.28.45.4 [500];
         isakmp_natt 172.28.45.4 [4500];
}

remote anonymous {
         exchange_mode aggressive;
         certificate_type x509 "gwenc.crt" "gwenc.key";
         my_identifier asn1dn;
         proposal_check claim;
         generate_policy on;
         nat_traversal on;
         dpd_delay 20;
         ike_frag on;
         passive on;
         proposal {
                 encryption_algorithm aes;
                 hash_algorithm sha256;
                 authentication_method hybrid_rsa_server;
                 dh_group 2;
         }
}

mode_cfg {
         network4 172.31.78.5;
         netmask4 255.255.255.240;
         pool_size 6;
         dns4 172.25.50.1;
         auth_source pam;
         auth_groups "users";
         group_source system;
         auth_throttle 10;
         pfs_group 2;
}

sainfo anonymous
{
         pfs_group 2;
         lifetime time 1 hour;
         encryption_algorithm rijndael;
         authentication_algorithm hmac_sha256;
         compression_algorithm deflate;
}

When I try to connect from the roadwarrior client using xauth, the server returns
these errors:

2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
2007-10-13 00:21:52: INFO: Using port 0
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: Released port 0
2007-10-13 00:21:52: INFO: login failed for user "charlie"
2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
2007-10-13 00:21:52: ERROR: unknown Informational exchange received.

Why? I don't understand. Well, yes, I think that the server doesn't really use the
pam libraries, or the problem is that Linux uses shadow for passwords instead of the passwd file.


I see a lot of web pages where this configuration works out of the box, but not for
me.... I am really desperate.

Many thanks.

P.S.: On the ipsec-tools mailing list I don't receive any response.
--
CL Martinez
carlopmart {at} gmail {d0t} com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

--
CL Martinez
carlopmart {at} gmail {d0t} com






--
CL Martinez
carlopmart {at} gmail {d0t} com
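The fix at the top of this thread (creating /etc/pam.d/racoon) works because Linux-PAM falls back to the "other" service when a service has no file of its own, and on RHEL/CentOS that file is all pam_deny, so every xauth login fails exactly as in the log above. The script below is an added example, not code from the thread or from ipsec-tools: it checks whether the racoon binary is linked against libpam, whether the PAM service file exists or would fall through to "other", writes the same three-line service file that CentOS 5 ships as /etc/pam.d/passwd, and checks that the user is in the group named by auth_groups. The PAM_DIR, SERVICE and RACOON_BIN defaults and the function names are this example's own assumptions; point PAM_DIR at a scratch directory to try it without touching the host.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose and fix the racoon/PAM xauth
# failure seen above. Assumed defaults, override via the environment:
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
SERVICE="${SERVICE:-racoon}"            # racoon's PAM service name
RACOON_BIN="${RACOON_BIN:-/usr/local/sbin/racoon}"

# Linux-PAM uses $PAM_DIR/$svc; if it is missing it falls back to
# $PAM_DIR/other. On RHEL/CentOS "other" is all pam_deny.so, which yields
# "pam_authenticate failed: Authentication failure" for every user.
pam_service_status() {
    dir="$1"; svc="$2"
    if [ -f "$dir/$svc" ]; then
        echo "present"
    elif [ -f "$dir/other" ] && grep -q 'pam_deny' "$dir/other"; then
        echo "missing-denied"          # falls through to 'other', which denies
    else
        echo "missing"
    fi
}

# Cheap check that the daemon was really built with --with-libpam:
# a PAM-enabled racoon is dynamically linked against libpam.so.
racoon_has_pam() {
    bin="$1"
    [ -x "$bin" ] || return 1
    ldd "$bin" 2>/dev/null | grep -q 'libpam\.so'
}

# Minimal service file: identical to CentOS 5's /etc/pam.d/passwd, i.e.
# delegate to the system-auth stack, so shadow passwords are handled there.
write_racoon_pam_service() {
    dir="$1"; svc="$2"
    [ -f "$dir/$svc" ] && return 0     # never clobber an existing file
    umask 022
    cat > "$dir/$svc" <<'EOF'
#%PAM-1.0
auth       include    system-auth
account    include    system-auth
password   include    system-auth
EOF
}

# mode_cfg auth_groups "users" with group_source system means the user must
# be a member of that group, or racoon refuses the login after PAM succeeds.
user_in_group() {
    user="$1"; grp="$2"
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"
}

# Run the checks against the real host only when invoked as: sh thisfile --check
check_host() {
    if racoon_has_pam "$RACOON_BIN"; then
        echo "ok: $RACOON_BIN is linked against libpam"
    else
        echo "warn: $RACOON_BIN missing or not linked against libpam (rebuild with PAM support)"
    fi
    case "$(pam_service_status "$PAM_DIR" "$SERVICE")" in
        present)        echo "ok: $PAM_DIR/$SERVICE exists" ;;
        missing-denied) echo "fix: $PAM_DIR/$SERVICE missing, 'other' denies; creating it"
                        write_racoon_pam_service "$PAM_DIR" "$SERVICE" ;;
        missing)        echo "warn: $PAM_DIR/$SERVICE missing; creating it"
                        write_racoon_pam_service "$PAM_DIR" "$SERVICE" ;;
    esac
    for u in "$@"; do
        if user_in_group "$u" users; then echo "ok: $u is in group users"
        else echo "warn: $u is not in group users (auth_groups would reject)"; fi
    done
}
[ "${1:-}" = "--check" ] && { shift; check_host "$@"; }
```

Run as `sh racoon-pam-check.sh --check charlie` on the server; the copied-passwd approach in the thread is fine on CentOS 5 because that file only includes system-auth, but a distribution whose /etc/pam.d/passwd carries password-change-specific modules would deserve the explicit three-line file instead.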
