[GRLUG] IPSec & CentOS

Adam Tauno Williams awilliam at whitemice.org
Thu Jan 29 09:40:08 EST 2009


On Thu, 2009-01-29 at 09:29 -0500, Adam Tauno Williams wrote:
> I'm trying to setup an IPSec connection where one end is a CentOS box.
> This seems pretty straight forward according to the manual
> <http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_security_guide/s1-ipsec-net2net.html>.
> Currently I'm just using a simple pre-shared key (PSK).  But it doesn't
> get as far as even failing in some interesting way:
> [root at vpn ~]# ifup ipsec0
> RTNETLINK answers: Invalid argument
> That response is immediate.
> Any ideas?  It is such a helpful error message.

If I kill off the running racoon process and start it as "racoon
-F" (debugging mode) in the /etc/racoon directory, I see the following
when trying to ifup...

[root at vpn racoon]# racoon -F
Foreground mode.
2009-01-29 09:34:54: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
2009-01-29 09:34:54: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May 2006 (http://www.openssl.org/)
2009-01-29 09:34:54: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2009-01-29 09:34:54: INFO: 127.0.0.1[500] used for NAT-T
2009-01-29 09:34:54: INFO: X.X.X.X[500] used as isakmp port (fd=8)
2009-01-29 09:34:54: INFO: X.X.X.X[500] used for NAT-T
2009-01-29 09:34:54: INFO: 192.168.1.72[500] used as isakmp port (fd=9)
2009-01-29 09:34:54: INFO: 192.168.1.72[500] used for NAT-T
2009-01-29 09:34:54: INFO: ::1[500] used as isakmp port (fd=10)
2009-01-29 09:34:54: INFO: fe80::250:56ff:fea8:5816%eth0[500] used as isakmp port (fd=11)
2009-01-29 09:34:54: INFO: fdb5:60da:9b8a:1:250:56ff:fea8:7d21[500] used as isakmp port (fd=12)
2009-01-29 09:34:54: INFO: fe80::250:56ff:fea8:7d21%eth1[500] used as isakmp port (fd=13)

.... ifup executed ...

2009-01-29 09:35:33: INFO: unsupported PF_KEY message REGISTER
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.1.77/24[0] 192.168.24.19/24[0] proto=any dir=out
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=in
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=fwd
2009-01-29 09:35:33: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
2009-01-29 09:35:33: INFO: 127.0.0.1[500] used for NAT-T
2009-01-29 09:35:33: INFO: X.X.X.X[500] used as isakmp port (fd=9)
2009-01-29 09:35:33: INFO: X.X.X.X[500] used for NAT-T
2009-01-29 09:35:33: INFO: 192.168.1.72[500] used as isakmp port (fd=10)
2009-01-29 09:35:33: INFO: 192.168.1.72[500] used for NAT-T
2009-01-29 09:35:33: INFO: ::1[500] used as isakmp port (fd=11)
2009-01-29 09:35:33: INFO: fe80::250:56ff:fea8:5816%eth0[500] used as isakmp port (fd=12)
2009-01-29 09:35:33: INFO: fdb5:60da:9b8a:1:250:56ff:fea8:7d21[500] used as isakmp port (fd=13)
2009-01-29 09:35:33: INFO: fe80::250:56ff:fea8:7d21%eth1[500] used as isakmp port (fd=14)

"tcpdump -v -ne -i eth1" shows no traffic on the external interface;
there is also no traffic on loopback, and no AH traffic on internal
interface.
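Added example (editor's note, not part of this post and not code from ipsec-tools or CentOS): a small Python triage script that parses lines in the shape of the `racoon -F` output quoted above. It pulls out the SPD entries racoon reports in its "such policy already exists. anyway replace it" lines, counts the "unsupported PF_KEY message" notices, checks that each outbound policy has a mirrored inbound policy, and flags CIDR selectors that carry host bits (the post's selectors are written as 192.168.1.77/24 and 192.168.24.19/24, which name hosts rather than the /24 networks). The sample log embedded below is constructed from the post's lines re-joined onto single lines; the regexes assume that line format. Whether the host-bit selectors relate to the `RTNETLINK answers: Invalid argument` the thread is chasing is not established here; the script only surfaces what a first read of the log should surface.

```python
"""Triage helper for 'racoon -F' output (added example, not part of ipsec-tools)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: the policy and PF_KEY lines quoted in the post, re-joined
# onto single lines (the mailing list archive wrapped them).
SAMPLE_LOG = """\
2009-01-29 09:35:33: INFO: unsupported PF_KEY message REGISTER
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.1.77/24[0] 192.168.24.19/24[0] proto=any dir=out
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=in
2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=fwd
2009-01-29 09:35:33: INFO: 192.168.1.72[500] used as isakmp port (fd=10)
"""

# Assumed line format, taken from the post: "<src>[<port>] <dst>[<port>] proto=<p> dir=<d>"
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>[^\s\[]+)\[(?P<sport>\d+)\] (?P<dst>[^\s\[]+)\[(?P<dport>\d+)\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>\w+)"
)
UNSUPPORTED_RE = re.compile(r"unsupported PF_KEY message (?P<msg>\S+)")


def parse_policies(log_text):
    """One dict per SPD entry racoon reported (src, sport, dst, dport, proto, dir)."""
    return [m.groupdict() for m in map(POLICY_RE.search, log_text.splitlines()) if m]


def count_unsupported(log_text):
    """How often each unsupported PF_KEY message type appears (informational only)."""
    return Counter(m.group("msg") for m in map(UNSUPPORTED_RE.search, log_text.splitlines()) if m)


def host_bits_set(selector):
    """True when a CIDR selector such as 192.168.1.77/24 names a host address
    rather than the network (192.168.1.0/24). Bare addresses return False."""
    if "/" not in selector:
        return False
    try:
        ipaddress.ip_network(selector, strict=True)
    except ValueError:          # strict=True rejects prefixes with host bits set
        return True
    return False


def unmatched_outbound(policies):
    """Outbound policies with no inbound policy whose selectors are the mirror image.
    A net-to-net SPD normally carries out, in and fwd entries for the same pair."""
    inbound = {(p["src"], p["dst"]) for p in policies if p["dir"] == "in"}
    return [p for p in policies
            if p["dir"] == "out" and (p["dst"], p["src"]) not in inbound]


def audit(log_text):
    """Collect the observations a first pass over the log should surface."""
    policies = parse_policies(log_text)
    findings = []
    for p in policies:
        for side in ("src", "dst"):
            if host_bits_set(p[side]):
                net = ipaddress.ip_network(p[side], strict=False)
                findings.append(f"dir={p['dir']}: {side} selector {p[side]} has host bits set "
                                f"(network form would be {net})")
    for p in unmatched_outbound(policies):
        findings.append(f"outbound policy {p['src']} -> {p['dst']} has no mirrored inbound policy")
    return {"policies": policies, "unsupported": count_unsupported(log_text), "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{len(report['policies'])} SPD entries; unsupported PF_KEY messages: "
          f"{dict(report['unsupported'])}")
    for finding in report["findings"]:
        print("-", finding)
```

Run it against a saved `racoon -F` capture by replacing `SAMPLE_LOG` with the file contents. On the constructed sample it reports three SPD entries, the out/in pair as properly mirrored, and six host-bit findings (both selectors of each of the three entries). The "such policy already exists" lines are logged at ERROR level but, as their own text says, racoon replaces the entry and carries on, so they are worth noting rather than treating as the failure itself.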
