[clug] IPSEC and Fedora Core 2

Donovan J. Edye donovan at edyeweb.com
Tue Oct 5 10:36:06 GMT 2004


G'Day,

- I am a newbie to IPSEC
- The topology is as follows:

MyHomeNetwork   Gateway         Internet  Gateway        RemoteNetwork

192.168.40.0/24   192.168.40.1                203.xx.xx.xx  192.168.42.0/24


The ipsec server that I am attempting to connect to is configured as:

FILE:/etc/config/ipsec.conf
conn DonovanHome
type = tunnel
left = %defaultroute
leftsubnet = 192.168.0.0/255.255.0.0
right = 0.0.0.0
rightsubnet = 192.168.40.0/255.255.255.0
keyexchange = ike
auth = esp
authby = secret
pfs = yes
keylife = 1h
ikelifetime = 5h
rekeyfuzz = 50%
rekeymargin = 10s
keyingtries = 0
dpddelay = 9
dpdtimeout = 30
auto = add

FILE:/etc/config/ipsec.secrets
203.xx.xx.xx 0.0.0.0 : PSK "the_agreed_password"

On my fedora box (192.168.40.3 default gateway 192.168.40.1) I have:

ifcfg-MyConnection

DSTGW=192.168.42.5
SRCGW=192.168.40.1
DSTNET=192.168.42.0/16
SRCNET=192.168.40.0/24
DST=203.xx.xx.xx
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK

and keys-MyConnection

IKE_PSK= the_agreed_password

Now when I attempt to start my ipsec connection using
/etc/sysconfig/network-scripts/ifup-ipsec MyConnection I see the following
in Syslog:

Oct 4 22:20:37 moe racoon: INFO: main.c:174:main(): @(#)racoon - IPsec-tools 0.2.3
Oct 4 22:20:37 moe racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Oct 4 22:20:38 moe racoon: ERROR: isakmp.c:1378:isakmp_open(): failed to bind to address fe80::240:63ff:fed8:5729%253[500] (No such device).
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): ::1[500] used as isakmp port (fd=7)
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): 192.168.40.3[500] used as isakmp port (fd=8)
Oct 4 22:20:38 moe racoon: INFO: isakmp.c:1387:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=9)
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:25:23 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:23 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:25:26 moe racoon: INFO: isakmp.c:1732:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Oct 4 22:25:52 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 984142c9edc7d9a7:0000000000000000
Oct 4 22:25:57 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:57 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:26:57 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:26:57 moe racoon: INFO: isakmp.c:1810:isakmp_chkph1there(): delete phase 2 handler.
Oct 4 22:27:26 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 2d661a9e4e69e7e2:0000000000000000
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): IPsec-SA request for 203.26.16.136 queued due to no phase1 found.
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:27:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.

- Obviously no connection can be established
- I don't have access to the remote IPSEC server to see what its logs say
- I suspect I have a config error on my Fedora box but cannot see exactly
what it is
- Can anyone shed any light or suggestions?

TIA

--Donovan
www.edyeweb.com
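An added example, not part of the post and not racoon's own code: a small Python summariser that reads racoon syslog lines like the ones above and reports whether phase 1 ever received a reply from the peer. SAMPLE_LOG is constructed from the lines in the post with the syslog wrapping undone; the names summarize and verdict are my own.

```python
import re
from collections import Counter

# Constructed sample: the racoon lines from the post, with syslog line-wrapping undone.
SAMPLE_LOG = """\
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:24:52 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:25:23 moe racoon: ERROR: isakmp.c:1805:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.26.16.136->192.168.40.3
Oct 4 22:25:52 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 984142c9edc7d9a7:0000000000000000
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:807:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.40.3[500]<=>203.26.16.136[500]
Oct 4 22:26:26 moe racoon: INFO: isakmp.c:812:isakmp_ph1begin_i(): begin Aggressive mode.
Oct 4 22:27:26 moe racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 2d661a9e4e69e7e2:0000000000000000
"""

# Syslog envelope first, then one pattern per racoon message worth tracking.
RACOON = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ racoon: (?P<level>\w+): \S+ (?P<msg>.*)$")
PH1_BEGIN = re.compile(r"initiate new phase 1 negotiation: [\d.]+\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
PH1_MODE = re.compile(r"begin (?P<mode>\w+) mode")
PH1_TIMEOUT = re.compile(r"phase1 negotiation failed due to time up\. (?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})")

def summarize(log_text):
    """Reduce a racoon syslog excerpt to the facts that matter for IKE phase 1 debugging."""
    s = {"peers": set(), "attempts": 0, "modes": Counter(), "ph1_timeouts": [], "peer_replied": False}
    for line in log_text.splitlines():
        m = RACOON.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (b := PH1_BEGIN.search(msg)):
            s["attempts"] += 1
            s["peers"].add(b.group("peer"))
        elif (mo := PH1_MODE.search(msg)):
            s["modes"][mo.group("mode")] += 1
        elif (t := PH1_TIMEOUT.search(msg)):
            s["ph1_timeouts"].append(t.group("icookie"))
            # ISAKMP: the responder fills in its cookie in its first reply, so a
            # non-zero responder cookie proves the peer answered at least once.
            if int(t.group("rcookie"), 16) != 0:
                s["peer_replied"] = True
    return s

def verdict(s):
    """One-line reading of the summary for whoever is debugging the tunnel."""
    if s["ph1_timeouts"] and not s["peer_replied"]:
        return ("phase 1 never established: %d %s-mode attempt(s) to %s timed out with an "
                "all-zero responder cookie, so no ISAKMP reply arrived (check UDP/500 "
                "reachability and whether the peer accepts this exchange mode)"
                % (s["attempts"], "/".join(sorted(s["modes"])), ", ".join(sorted(s["peers"]))))
    return "the peer answered phase 1; look for proposal or PSK mismatches instead"
```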
