carlopmart
2007-Oct-12 23:55 UTC
[CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)
Buf ... Solved. Problem was that /etc/pam.d/racoon doesn't exist (I found this tip on NetBSD ipsec pages). Simply I have copied /etc/pam.d/passwd to /etc/pam.d/racoon and now all works as expected.

Many thanks for your help Ross.

Ross S. W. Walker wrote:
>
> I think it might just use another one like /etc/pam.d/remote
> cause I audited the package and it wasn't there.
>
> Does the "users" group exist and charlie a member of it?
>
> -Ross
>
>> -----Original Message-----
>> From: carlopmart [mailto:carlopmart at gmail.com]
>> Sent: Friday, October 12, 2007 6:54 PM
>> To: Ross S. W. Walker
>> Subject: Re: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
>>
>> hi ross,
>>
>> Yes I compiled with pam option. But I don't have any ipsec config file on
>> /etc/pam.d ... I didn't find any sample on ipsec-tools 0.7 source tree ...
>> where is it??
>>
>> Ross S. W. Walker wrote:
>>> If you compiled ipsec tools yourself did you compile with the pam option?
>>> If not then you can't tell it to use pam for authentication.
>>>
>>> If you did, did you setup the appropriate ipsec config file in
>>> /etc/pam.d? I believe there is an example one in the ipsec source tree.
>>>
>>> -Ross
>>>
>>> -----Original Message-----
>>> From: centos-bounces at centos.org <centos-bounces at centos.org>
>>> To: centos at centos.org <centos at centos.org>
>>> Sent: Fri Oct 12 18:38:38 2007
>>> Subject: [CentOS] OT: a very big problem with ipsec-tools on CentOS5
>>>
>>> Hi all,
>>>
>>> I am trying to establish a vpn tunnel between one CentOS5 IPSec server
>>> and a roadwarrior client, CentOS5 too. Roadwarrior uses ipsec-tools
>>> version 0.6.5-8 (that comes with CentOS5) and server uses version 0.7
>>> (downloaded from ipsec-tools website).
>>>
>>> My server configuration is:
>>>
>>> path include "/etc/racoon";
>>> path certificate "/etc/racoon/certs";
>>> path pre_shared_key "/etc/racoon/psk.txt";
>>> path pidfile "/var/run/racoon.pid";
>>> #log debug;
>>>
>>> listen {
>>>     adminsock "/var/racoon/racoon.sock" "root" "nobody" 0660;
>>>     isakmp 172.28.45.4 [500];
>>>     isakmp_natt 172.28.45.4 [4500];
>>> }
>>>
>>> remote anonymous {
>>>     exchange_mode aggressive;
>>>     certificate_type x509 "gwenc.crt" "gwenc.key";
>>>     my_identifier asn1dn;
>>>     proposal_check claim;
>>>     generate_policy on;
>>>     nat_traversal on;
>>>     dpd_delay 20;
>>>     ike_frag on;
>>>     passive on;
>>>     proposal {
>>>         encryption_algorithm aes;
>>>         hash_algorithm sha256;
>>>         authentication_method hybrid_rsa_server;
>>>         dh_group 2;
>>>     }
>>> }
>>>
>>> mode_cfg {
>>>     network4 172.31.78.5;
>>>     netmask4 255.255.255.240;
>>>     pool_size 6;
>>>     dns4 172.25.50.1;
>>>     auth_source pam;
>>>     auth_groups "users";
>>>     group_source system;
>>>     auth_throttle 10;
>>>     pfs_group 2;
>>> }
>>>
>>> sainfo anonymous
>>> {
>>>     pfs_group 2;
>>>     lifetime time 1 hour;
>>>     encryption_algorithm rijndael;
>>>     authentication_algorithm hmac_sha256;
>>>     compression_algorithm deflate;
>>> }
>>>
>>> When I try to connect from roadwarrior client using xauth, server
>>> returns me these errors:
>>>
>>> 2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500] spi:e3ff2f5a0873ff54:ad9b13f8035ec2f2
>>> 2007-10-13 00:21:52: INFO: Using port 0
>>> 2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
>>> 2007-10-13 00:21:52: INFO: Released port 0
>>> 2007-10-13 00:21:52: INFO: login failed for user "charlie"
>>> 2007-10-13 00:21:52: ERROR: Attempt to release an unallocated address (port 0)
>>> 2007-10-13 00:21:52: ERROR: mode config 6 from 172.17.35.3[4500], but we have no ISAKMP-SA.
>>> 2007-10-13 00:21:52: ERROR: unknown Informational exchange received.
>>>
>>> why? I don't understand. Well, yes, I think that server doesn't really
>>> use pam libraries or problem is that linux uses shadow for passwords
>>> instead of passwd file.
>>>
>>> I see a lot of webs on this configuration works out of the box, but not
>>> for me.... I am really desperate.
>>>
>>> Many thanks.
>>>
>>> P.D: On ipsec-tools mailing list I don't receive any response.
>>> --
>>> CL Martinez
>>> carlopmart {at} gmail {d0t} com
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>> ------------------------------------------------------------------------
>>> This e-mail, and any attachments thereto, is intended only for use by
>>> the addressee(s) named herein and may contain legally privileged and/or
>>> confidential information. If you are not the intended recipient of this
>>> e-mail, you are hereby notified that any dissemination, distribution or
>>> copying of this e-mail, and any attachments thereto, is strictly
>>> prohibited. If you have received this e-mail in error, please
>>> immediately notify the sender and permanently delete the original and
>>> any copy or printout thereof.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>

--
CL Martinez
carlopmart {at} gmail {d0t} com
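The fix in this thread comes down to one missing file: racoon's `auth_source pam` asks PAM for a service named `racoon`, and without `/etc/pam.d/racoon` every XAuth login fails with `pam_authenticate failed`. The script below is an added example, not something posted in the thread or shipped with ipsec-tools. It checks whether the PAM service file exists, creates it from `/etc/pam.d/passwd` the way the original poster did, and counts the `pam_authenticate failed` and `login failed for user` lines in a racoon log so the symptom can be spotted before users report it. The function names, the scratch directory and the sample log excerpt are all constructed for this example; the message strings matched are the ones racoon printed in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the ipsec-tools project): verify and
# create the PAM service definition that racoon's "auth_source pam" needs,
# and pull PAM authentication failures out of a racoon log.
# Function names and the demo paths below are constructed for this example.

# Return 0 if PAM has a service definition named $2 under directory $1.
pam_service_present() {
    [ -f "$1/$2" ]
}

# Make sure $1/racoon exists.  When it is missing, copy $1/passwd as the
# thread did.  Returns 0 if the service file exists afterwards and 1 if the
# template is missing too (nothing sensible to copy from).
ensure_racoon_pam_service() {
    pamdir="$1"
    if pam_service_present "$pamdir" racoon; then
        echo "ok: $pamdir/racoon already present"
        return 0
    fi
    if ! pam_service_present "$pamdir" passwd; then
        echo "error: neither $pamdir/racoon nor $pamdir/passwd exists" >&2
        return 1
    fi
    cp "$pamdir/passwd" "$pamdir/racoon"
    chmod 0644 "$pamdir/racoon"
    echo "created $pamdir/racoon from $pamdir/passwd"
}

# Count racoon log lines reporting a PAM authentication failure (file $1).
count_pam_failures() {
    grep -c 'pam_authenticate failed' "$1"
}

# Print the distinct user names racoon rejected ('login failed for user "X"').
failed_users() {
    sed -n 's/.*login failed for user "\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Self-contained demo on a scratch directory so it never touches the real
# /etc/pam.d.  On a live server you would call
# ensure_racoon_pam_service /etc/pam.d and count_pam_failures on racoon's log.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    # Constructed stand-in for /etc/pam.d/passwd.
    printf 'auth    include system-auth\naccount include system-auth\n' \
        > "$tmp/pam.d/passwd"
    ensure_racoon_pam_service "$tmp/pam.d"
    ensure_racoon_pam_service "$tmp/pam.d"   # second call is a no-op
    # Constructed log excerpt modelled on the output quoted in the thread.
    cat > "$tmp/racoon.log" <<'EOF'
2007-10-13 00:21:52: INFO: ISAKMP-SA established 172.28.45.4[4500]-172.17.35.3[4500]
2007-10-13 00:21:52: ERROR: pam_authenticate failed: Authentication failure
2007-10-13 00:21:52: INFO: login failed for user "charlie"
EOF
    echo "pam failures: $(count_pam_failures "$tmp/racoon.log")"
    echo "rejected users: $(failed_users "$tmp/racoon.log")"
    rm -rf "$tmp"
}

demo
```

Copying `/etc/pam.d/passwd` gives racoon a PAM stack of its own that stays fixed if the `passwd` service is later changed; Nicolas's symlink suggestion below ties the two together instead, so pick whichever behaviour you want to audit. Whatever stack ends up in `/etc/pam.d/racoon` is what decides which accounts the VPN accepts, so review it the same way you would any other login service file, and keep the `auth_groups "users"` check in `mode_cfg` as a second gate.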
Nicolas Sahlqvist
2007-Oct-13 00:04 UTC
[CentOS] OT: a very big problem with ipsec-tools on CentOS5 (SOLVED)
Does it not make more sense to make a symlink rather than copying the file..?

/ Nicolas

On 10/13/07, carlopmart <carlopmart at gmail.com> wrote:
> Buf ... Solved. Problem was that /etc/pam.d/racoon doesn't exist (I found
> this tip on NetBSD ipsec pages). Simply I have copied /etc/pam.d/passwd to
> /etc/pam.d/racoon and now all works as expected.
>
> Many thanks for your help Ross.
>
> [...]
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com