Hi,

I went back over 2 years of archives, and didn't see much about this, so if you know I missed something, please forgive me, and steer me in the right direction.

I'm trying to get IPSec running between 2 RHEL5 boxes (2.6.18-92.1.13.el5 #1 SMP), using either racoon or openswan.

Using racoon (and GUI), I'm getting this:

Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: initiate new phase 1 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:39:37 STORE191 racoon: 2010-02-18 12:39:37: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.207[500]-128.181.3.201[500] spi:795e2bb8a279b257:8b398333ed868553
Feb 18 12:39:38 STORE191 racoon: 2010-02-18 12:39:38: INFO: initiate new phase 2 negotiation: 128.181.3.207[500]<=>128.181.3.201[500]
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: INFO: IPsec-SA expired: AH/Transport 128.181.3.201[0]->128.181.3.207[0] spi=181136274(0xacbeb92)
Feb 18 12:40:08 STORE191 racoon: 2010-02-18 12:40:08: ERROR: 128.181.3.201 give up to get IPsec-SA due to time up to wait.

And on the other side, I get this:

Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: respond new phase 1 negotiation: 128.181.3.201[500]<=>128.181.3.207[500]
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: begin Aggressive mode.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: received Vendor ID: DPD
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 18 12:39:38 STORE190 racoon: 2010-02-18 12:39:38: INFO: ISAKMP-SA established 128.181.3.201[500]-128.181.3.207[500] spi:795e2bb8a279b257:8b398333ed868553

I did get it working once, but I shut it down to try the openswan mode (made no changes to racoon). Now, it fails on me (as per above). Of course, I do have a psk.txt in the /etc/racoon directory on both sides, with IP address and key.

If I kill racoon, and "service ipsec start" I get this:

Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 "test": deleting connection
Feb 18 10:02:28 STORE191 ipsec__plutorun: 002 added connection description "test"
Feb 18 10:02:28 STORE191 ipsec__plutorun: right: do something with host case: 0
Feb 18 10:02:29 STORE191 ipsec__plutorun: 000 "test": request to add a prospective erouted policy with netkey kernel --- not yet implemented
Feb 18 10:02:29 STORE191 ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate
Feb 18 10:02:31 STORE191 setroubleshoot: SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t). For complete SELinux messages. run sealert -l c134bad0-02c8-42f3-b2e6-406582ce4744
Feb 18 10:04:49 STORE191 kernel: pluto[628]: segfault at 0000000000000000 rip 0000000000000000 rsp 00007fff4f295898 error 14
Feb 18 10:04:49 STORE191 ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 250: 628 Segmentation fault /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --use-netkey --nat_traversal

And the same for the other side. SELinux is disabled on both servers (and tells me it's in permissive mode).

Any suggestions will be appreciated. I can send the .conf files, if needed.

Once I can reliably get IPSec working with either method, I want to get it working with a Windows2003R2 server. Does anyone know which method works best with Windows?

Peter Shulkin