[GRLUG] IPSec & CentOS

Godwin godwin at grandrapids-lug.org
Fri Jan 30 09:17:53 EST 2009


Hey Adam,

What device is on the other end of the IPsec tunnel?  Is it behind
NAT?  It looks like the CentOS how-to there uses the kernel's built-in
ipsec features.  I've not used that, but I have used openswan
(compiled from source) in different site-to-site tunnels, though never
tried to "ifup" the interface.  It does it automagically.

Also if you switch to openswan, kernel 2.6 has to be patched if you
want the ipsec0 interface to exist.  The *swan guys left it with 2.4
kernels.  I'm not sure about the kernel's ipsec-tools device creation,
but you could just install/compile openswan easily.  I found it a
little easier to work with and plenty of how-to's on the Net.

Of course, first check that the right ports/protocols are allowed
through the firewall on either end: UDP 500 (4500 if behind NAT) and
protocols ESP (50) and AH (51).

cheers,
G-


On Thu, Jan 29, 2009 at 9:40 AM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> On Thu, 2009-01-29 at 09:29 -0500, Adam Tauno Williams wrote:
>> I'm trying to set up an IPSec connection where one end is a CentOS box.
>> This seems pretty straightforward according to the manual
>> <http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_security_guide/s1-ipsec-net2net.html>.  Currently I'm just using a simple pre-shared key (PSK).  But it doesn't get as far as even failing in some interesting way:
>> [root at vpn ~]# ifup ipsec0
>> RTNETLINK answers: Invalid argument
>> That response is immediate.
>> Any ideas?  It is such a helpful error message.
>
> If I kill off the running racoon process and start it as "racoon
> -F" (debugging mode) in the /etc/racoon directory I see the following
> when trying to ifup...
>
> [root at vpn racoon]# racoon -F
> Foreground mode.
> 2009-01-29 09:34:54: INFO: @(#)ipsec-tools 0.6.5
> (http://ipsec-tools.sourceforge.net)
> 2009-01-29 09:34:54: INFO: @(#)This product linked OpenSSL 0.9.8b 04 May
> 2006 (http://www.openssl.org/)
> 2009-01-29 09:34:54: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
> 2009-01-29 09:34:54: INFO: 127.0.0.1[500] used for NAT-T
> 2009-01-29 09:34:54: INFO: X.X.X.X[500] used as isakmp port (fd=8)
> 2009-01-29 09:34:54: INFO: X.X.X.X[500] used for NAT-T
> 2009-01-29 09:34:54: INFO: 192.168.1.72[500] used as isakmp port (fd=9)
> 2009-01-29 09:34:54: INFO: 192.168.1.72[500] used for NAT-T
> 2009-01-29 09:34:54: INFO: ::1[500] used as isakmp port (fd=10)
> 2009-01-29 09:34:54: INFO: fe80::250:56ff:fea8:5816%eth0[500] used as
> isakmp port (fd=11)
> 2009-01-29 09:34:54: INFO: fdb5:60da:9b8a:1:250:56ff:fea8:7d21[500] used
> as isakmp port (fd=12)
> 2009-01-29 09:34:54: INFO: fe80::250:56ff:fea8:7d21%eth1[500] used as
> isakmp port (fd=13)
>
> .... ifup executed ...
>
> 2009-01-29 09:35:33: INFO: unsupported PF_KEY message REGISTER
> 2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
> 2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
> 2009-01-29 09:35:33: INFO: unsupported PF_KEY message X_SPDDELETE2
> 2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace
> it: 192.168.1.77/24[0] 192.168.24.19/24[0] proto=any dir=out
> 2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace
> it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=in
> 2009-01-29 09:35:33: ERROR: such policy already exists. anyway replace
> it: 192.168.24.19/24[0] 192.168.1.77/24[0] proto=any dir=fwd
> 2009-01-29 09:35:33: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
> 2009-01-29 09:35:33: INFO: 127.0.0.1[500] used for NAT-T
> 2009-01-29 09:35:33: INFO: X.X.X.X[500] used as isakmp port (fd=9)
> 2009-01-29 09:35:33: INFO: X.X.X.X[500] used for NAT-T
> 2009-01-29 09:35:33: INFO: 192.168.1.72[500] used as isakmp port (fd=10)
> 2009-01-29 09:35:33: INFO: 192.168.1.72[500] used for NAT-T
> 2009-01-29 09:35:33: INFO: ::1[500] used as isakmp port (fd=11)
> 2009-01-29 09:35:33: INFO: fe80::250:56ff:fea8:5816%eth0[500] used as
> isakmp port (fd=12)
> 2009-01-29 09:35:33: INFO: fdb5:60da:9b8a:1:250:56ff:fea8:7d21[500] used
> as isakmp port (fd=13)
> 2009-01-29 09:35:33: INFO: fe80::250:56ff:fea8:7d21%eth1[500] used as
> isakmp port (fd=14)
>
> "tcpdump -v -ne -i eth1" shows no traffic on the external interface;
> there is also no traffic on loopback, and no AH traffic on internal
> interface.
>



-- 

Ubber::Geek
http://grlug.org/
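Godwin's advice above is to confirm, before debugging racoon itself, that the firewall on each end permits IKE (UDP 500), NAT-T (UDP 4500, only when a NAT sits in the path), ESP (IP protocol 50) and AH (IP protocol 51). The script below is an added example, not code from the thread or from the ipsec-tools/openswan projects: it inspects a ruleset in the `iptables -S INPUT` output format, reports which of those rules are absent, and prints the `iptables` commands that would add them. The embedded `SAMPLE_RULES` ruleset is constructed for the demonstration; on a live host you would feed it the real output (for example `rules=$(iptables -S INPUT)`), and the OUTPUT chain, a FORWARD chain on a gateway, and any upstream device need the same review.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an iptables INPUT
# ruleset (in "iptables -S INPUT" format, an assumption about the input) for
# the rules an IPsec endpoint needs: IKE UDP/500, NAT-T UDP/4500, ESP (50), AH (51).

# Constructed sample ruleset: allows IKE and ESP, but not NAT-T or AH.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# ipsec_rule_present RULES KIND
# KIND is one of: ike, natt, esp, ah.  Prints 1 if RULES contains an ACCEPT
# rule for that traffic, 0 otherwise.  Protocols may appear by name or number.
ipsec_rule_present() {
    rules=$1
    case $2 in
        ike)  pattern='-p udp .*--dport 500 .*-j ACCEPT' ;;
        natt) pattern='-p udp .*--dport 4500 .*-j ACCEPT' ;;
        esp)  pattern='-p (esp|50) .*-j ACCEPT' ;;
        ah)   pattern='-p (ah|51) .*-j ACCEPT' ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
    # "--" stops grep from reading the leading "-p" of the pattern as an option.
    if printf '%s\n' "$rules" | grep -E -q -- "$pattern"; then
        echo 1
    else
        echo 0
    fi
}

# ipsec_missing RULES KIND...
# Prints the requested kinds that have no ACCEPT rule, space separated
# (empty output means everything asked for is allowed).  Ask for "natt" only
# when a NAT sits between the peers, and for "ah" only when the tunnel uses AH.
ipsec_missing() {
    rules=$1
    shift
    missing=""
    for kind in "$@"; do
        [ "$(ipsec_rule_present "$rules" "$kind")" = 1 ] || missing="$missing $kind"
    done
    echo "${missing# }"
}

# ipsec_allow_commands RULES KIND...
# Prints one iptables command per missing kind.  With a DROP policy the rules
# must be appended before any catch-all REJECT/DROP rule to take effect.
ipsec_allow_commands() {
    for kind in $(ipsec_missing "$@"); do
        case $kind in
            ike)  echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT" ;;
            natt) echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT" ;;
            esp)  echo "iptables -A INPUT -p esp -j ACCEPT" ;;
            ah)   echo "iptables -A INPUT -p ah -j ACCEPT" ;;
        esac
    done
}

# Demonstration on the constructed ruleset: an ESP tunnel with a NAT in the path.
echo "Missing IPsec rules: $(ipsec_missing "$SAMPLE_RULES" ike natt esp)"
ipsec_allow_commands "$SAMPLE_RULES" ike natt esp
```

Run with a bare `iptables -S INPUT` on each endpoint and the check takes seconds; if a rule really is missing, the symptom Adam saw (nothing on the external interface in tcpdump) would instead show inbound IKE packets arriving and never being answered, which is a different failure from the local `RTNETLINK answers: Invalid argument` in the thread.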

