List: ipsec-tools-devel
Subject: Re: [Ipsec-tools-devel] Ipsec-tools-devel Digest, Vol 11, Issue 7
From: Matthew Grooms <mgrooms () shrew ! net>
Date: 2007-04-19 18:25:31
Message-ID: 4627B41B.7030808 () shrew ! net
On 4/19/2007, "Andy Tang" <andy.atang@gmail.com> wrote:
> >Thank you for the advice.
> >Isn't the authentication_algorithm line in the sainfo for ESP?
> >How does one distinguish if the auth algorithm should be used by ESP and not AH?
If you specify an authentication_algorithm, racoon will attempt to
negotiate an HMAC algorithm for ESP. Note that there is a non_auth option
which I assume would be used to tell racoon to disable auth for ESP. To
be honest, I have never tried to disable message authentication.
> >I don't know how to disable AH in QM. I could not find such a reference in man racoon.conf.
I don't know what QM is, but the AH algorithm is specified when adding
an IPSEC policy to the kernel using setkey. Both your policies below
also use transport mode which would be used for encrypting traffic only
between the two IPSEC peers and not tunneling between two private
networks. Is this what you want?
> >
> >The setkey -DP is showing something like this now:
> >setkey -DP
> >192.168.15.102[any] 192.168.15.103[any] any
> > in prio def ipsec
> > esp/transport//require
> > ah/transport//require
> > created: Apr 18 23:14:24 2007 lastused:
> > lifetime: 0(s) validtime: 0(s)
> > spid=248 seq=1 pid=3459
> > refcnt=1
> >192.168.15.103[any] 192.168.15.102[any] any
> > out prio def ipsec
> > esp/transport//require
> > ah/transport//require
> > created: Apr 18 23:14:24 2007 lastused: Apr 18 23:14:37 2007
> > lifetime: 0(s) validtime: 0(s)
> > spid=241 seq=2 pid=3459
> > refcnt=2
> >
When policies include multiple protocols, they are considered additive.
In other words, you're not using ESP or AH, you're using ESP and AH. This
causes racoon to expect the Vista box to negotiate an SA bundle and may
explain why you are getting the protocol mismatch error.
I believe this was discussed recently on the list but my memory is
fuzzy. It seems that there was a stock setkey wrapper script in a Linux
distro (maybe Fedora) that specified AH and ESP when auto-building
policies. Unfortunately, this is not what a user wants the vast majority of
the time (see the setkey man page for more details). Your best bet is to
find the FC6 tool or script that specifies AH and ESP and remove AH.
Any FC6 admins out there that can point to documentation on the "right
way" to configure IPSEC policy? In FreeBSD, you specify these in the
/etc/ipsec.conf file.
I have a FC6 test box collecting dust that I could look at but I don't
have access to it at the moment. If you can't figure this out, let me
know and I will try to look at it later and give you some better advice.
> >The weird thing is that I updated the /etc/racoon/psk.txt with a new
> >preshared key.
> >Then I ran "killall racoon" and restart the racoon daemon.
> >When I started to initiate an IPsec session, I noticed that the MM does not
> >complete successfully. When I looked at the racoon.log, I saw:
> >
> >2007-04-18 23:01:26: DEBUG: pfkey X_SPDDUMP failed: No such file or
> >directory
> >
I really can't comment too much on this. I would assume it means racoon
couldn't open a PF_KEY socket. Are you starting it as root?
-Matthew
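A defender's check for the additive-policy problem discussed above, added here as an example and not part of the original mail: it parses a `setkey -DP` dump, flags every policy that names more than one protocol (an ESP-and-AH SA bundle), and emits the ESP-only `spdadd` line that expresses the same policy. The sample dump is constructed from the output quoted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
# Constructed sample input, modelled on the `setkey -DP` dump quoted above.
SAMPLE_SPD = """\
192.168.15.102[any] 192.168.15.103[any] any
\tin prio def ipsec
\tesp/transport//require
\tah/transport//require
\tcreated: Apr 18 23:14:24 2007 lastused:
\tspid=248 seq=1 pid=3459
192.168.15.103[any] 192.168.15.102[any] any
\tout prio def ipsec
\tesp/transport//require
\tah/transport//require
\tspid=241 seq=2 pid=3459
"""

RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(\w+)/([^/]*)/(\w+)$")  # proto/mode/src-dst/level
@dataclass
class Policy:
    src: str
    dst: str
    upper: str            # upper-layer protocol selector ("any", "tcp", ...)
    direction: str = ""   # in / out / fwd
    rules: list = field(default_factory=list)  # (proto, mode, endpoints, level)

def parse_spd(dump: str) -> list:
    """Parse a `setkey -DP` dump; an unindented line starts a new policy."""
    policies = []
    for raw in filter(str.strip, dump.splitlines()):
        if not raw[0].isspace():
            src, dst, upper = raw.split()
            policies.append(Policy(src, dst, upper))
            continue
        line, cur = raw.strip(), policies[-1]
        if line.split()[0] in ("in", "out", "fwd") and line.endswith("ipsec"):
            cur.direction = line.split()[0]
        elif m := RULE_RE.match(line):
            cur.rules.append(m.groups())
    return policies

def find_bundles(policies: list) -> list:
    """Protocols in one policy are additive: two of them demand an ESP-and-AH SA bundle."""
    return [p for p in policies if len({r[0] for r in p.rules}) > 1]

def esp_only_spdadd(p: Policy) -> str:
    """The same policy as an ESP-only setkey spdadd line (AH rule dropped)."""
    _, mode, ends, level = next(r for r in p.rules if r[0] == "esp")
    src, dst = p.src.replace("[any]", ""), p.dst.replace("[any]", "")
    return f"spdadd {src} {dst} {p.upper} -P {p.direction} ipsec esp/{mode}/{ends}/{level};"
```

Run it against `setkey -DP` output from a box that fails with the protocol mismatch; every policy it reports is one the peer must answer with both an ESP and an AH SA.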