Old 11-23-2007, 02:14 AM   #1
LQ Newbie
Registered: Apr 2005
Location: Bucharest
Distribution: debian lenny, RHEL AS3, gentoo 1.12
Posts: 5

ipsec server on debian


First of all, I have performed a (short) search on the forum, but I couldn't find what I was looking for.

I am trying to configure a security gateway on a Debian system:

# uname -a
Linux ipsec01 2.6.22-2-686 #1 SMP Fri Aug 31 00:24:01 UTC 2007 i686 GNU/Linux

Basically, this setup should support IPsec transport and tunnel mode on IPv4 and IPv6, automatically negotiate security associations based both on pre-shared keys and on digital certificates, and encrypt and authenticate traffic.

The main features I am interested in are IKEv2 and ISAKMP logging.

The tunnel will be to a Cisco 6500.

I have tried to create a transport mode config with ipsec-tools and racoon. I can start both daemons (running /etc/init.d/ipsec start and /etc/init.d/racoon start gives no error messages), but when I ping the Cisco from the Debian box and vice versa, I can't see any negotiation, only plain messages.

ipsec-tools.conf file:

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.

## Flush the SAD and SPD
flush;
spdflush;

## Some sample SPDs for use racoon

spdadd any -P out ipsec

spdadd any -P in ipsec

#add esp 15701 -E des-cbc "cheie"
#add esp 24501 -E des-cbc "cheie"

racoon.conf file:

# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
# Simple racoon.conf
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
# Please read racoon.conf(5) for details, and also read setkey(8).
# Also read the Linux IPSEC Howto up at

#RACOON_OPTS="-4 -l /var/log/racoon.log"

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

timer {
    counter 5;
    interval 20 sec;
    persend 1;

    # how long I wait for each phase
    phase1 90 sec;
    phase2 90 sec;
}

# this is the debian peer

remote anonymous {
    exchange_mode aggressive,main;
    my_identifier address "";
    # doi ipsec_doi;
    situation identity_only;

    initial_contact on;
    proposal_check obey;

    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}

iptables allows all traffic:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

When I ping the Cisco from the Debian box, this is what I get in /var/log/syslog:

Nov 22 20:06:18 ipsec01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: giving up on message 0x828ccc0, exchange ISAKMP-peer-west
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: either this message did not reach the other peer
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: or the responsemessage did not reach us back

The Cisco config looks like this:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cheie address
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set IL esp-des esp-md5-hmac
crypto map IL 10 ipsec-isakmp
 set peer
 set transform-set IL
 match address 100

and it is applied to an interface:

interface FastEthernet5/0
 ip address
 duplex auto
 speed auto
 crypto map IL
 no shut

I have used online tutorials, but I am obviously doing something wrong.
Could you please help me out with this?

thanks a lot

Last edited by cristina_crow; 11-23-2007 at 03:42 AM.
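The post lists the racoon proposal, the SPD policy direction and the Cisco isakmp policy / transform set side by side, and when no negotiation ever shows up the first thing to verify is that the two ends are actually proposing the same thing. The script below is an added example (not code from the original post, from ipsec-tools or from Cisco) that parses both configurations and lists every parameter that does not line up: Phase 1 hash, encryption, authentication method and DH group against the `crypto isakmp policy` (using the classic IOS defaults for fields the policy omits), Phase 2 cipher and integrity algorithm against the transform set, and the transport/tunnel mode requested in the SPD against the transform set's mode. The embedded configurations are constructed to mirror the values quoted in the post; the SPD source and destination 192.0.2.1 / 198.51.100.1 are assumed RFC 5737 documentation addresses (the post's addresses were not preserved), and the keyword tables `HASH`, `AUTH`, `ESP_ENC` and `ESP_AUTH` cover only the algorithms relevant here.

```python
# IKE proposal compatibility check: racoon/setkey configuration vs Cisco IOS.
# Added example, not code from the original post, from ipsec-tools or from Cisco.
# Embedded configs mirror the posted parameters; SPD addresses are assumed (RFC 5737).
import re

RACOON_CONF = """
remote anonymous {
    proposal {
        encryption_algorithm des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
"""
# Constructed SPD (assumed addresses); only the esp/<mode>/ part is inspected.
SETKEY_CONF = """
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 any -P in ipsec esp/transport//require;
"""
IOS_CONF = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set IL esp-des esp-md5-hmac
"""

# racoon keyword -> IOS keyword (only the algorithms relevant here)
HASH = {"md5": "md5", "sha1": "sha"}
AUTH = {"pre_shared_key": "pre-share", "rsasig": "rsa-sig"}
ESP_ENC = {"des": "esp-des", "3des": "esp-3des", "aes": "esp-aes"}
ESP_AUTH = {"hmac_md5": "esp-md5-hmac", "hmac_sha1": "esp-sha-hmac"}

def _statements(block):
    """keyword -> first value for each 'keyword value ...;' statement of a racoon block."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)\s+([\w,]+)[^;]*;", block)}

def parse_racoon(text):
    """Phase 1 from the first proposal {} block, Phase 2 from the first sainfo {} block."""
    phase1 = re.search(r"\bproposal\s*\{(.*?)\}", text, re.S).group(1)
    phase2 = re.search(r"\bsainfo[^{]*\{(.*?)\}", text, re.S).group(1)
    return {"phase1": _statements(phase1), "phase2": _statements(phase2)}

def parse_setkey(text):
    """IPsec modes ('transport' / 'tunnel') requested by the spdadd policies."""
    return set(re.findall(r"esp/(transport|tunnel)/", text))

def parse_ios(text):
    """ISAKMP policy and transform set; omitted policy fields take the classic IOS defaults."""
    policy = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
    transform = section = None
    for line in filter(str.strip, text.splitlines()):
        w = line.split()
        if line[0] != " ":  # a non-indented line starts a new top-level section
            section = "policy" if w[:3] == ["crypto", "isakmp", "policy"] else None
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                transform = {"name": w[3], "tokens": set(w[4:]), "mode": "tunnel"}
                section = "transform"
        elif section == "policy":
            policy[w[0]] = w[1]
        elif section == "transform" and w == ["mode", "transport"]:
            transform["mode"] = "transport"
    return {"policy": policy, "transform": transform}

def compare(racoon, spd_modes, ios):
    """Human-readable mismatches; an empty list means both ends propose the same thing."""
    p1, p2, pol, ts = racoon["phase1"], racoon["phase2"], ios["policy"], ios["transform"]
    phase1 = (("hash", HASH.get(p1.get("hash_algorithm")), pol["hash"]),
              ("encryption", p1.get("encryption_algorithm"), pol["encryption"]),
              ("authentication", AUTH.get(p1.get("authentication_method")), pol["authentication"]),
              ("DH group", p1.get("dh_group"), pol["group"]))
    out = [f"phase1 {w}: racoon={a} ios={b} (IOS names)" for w, a, b in phase1 if a != b]
    for w, table, key in (("encryption", ESP_ENC, "encryption_algorithm"),
                          ("authentication", ESP_AUTH, "authentication_algorithm")):
        if table.get(p2.get(key)) not in ts["tokens"]:
            out.append(f"phase2 {w}: racoon={p2.get(key)} not in transform-set {ts['name']} {sorted(ts['tokens'])}")
    if "compression_algorithm" in p2:
        out.append(f"phase2: compression_algorithm {p2['compression_algorithm']} has no counterpart "
                   "in the IOS transform set; drop it so racoon proposes plain ESP")
    if ts["mode"] not in spd_modes:
        out.append(f"mode: SPD requests {sorted(spd_modes)} but transform-set {ts['name']} is "
                   f"{ts['mode']} mode (the IOS default unless 'mode transport' is configured)")
    out += [f"{ph}: single DES is a 56-bit cipher; use aes on both ends"
            for ph in ("phase1", "phase2") if racoon[ph].get("encryption_algorithm") == "des"]
    return out

def check(racoon_conf=RACOON_CONF, setkey_conf=SETKEY_CONF, ios_conf=IOS_CONF):
    """Parse all three configurations and return the list of mismatches."""
    return compare(parse_racoon(racoon_conf), parse_setkey(setkey_conf), parse_ios(ios_conf))
```

Run against the posted values, `check()` reports the Phase 1 hash (sha1 on the Debian side, md5 in the isakmp policy), the Phase 2 integrity algorithm (hmac_sha1 against esp-md5-hmac), the `compression_algorithm deflate` that the transform set cannot match, a transport-mode SPD facing a crypto map whose transform set is in the IOS default tunnel mode, and single DES in both phases. It checks proposal alignment only: it says nothing about whether the kernel ever raises an ACQUIRE for racoon to act on (`setkey -DP` shows the loaded SPD, and the `spdadd` lines need concrete source and destination addresses plus an `esp/transport//require` or `esp/tunnel/.../require` policy string), nor about which daemon actually owns UDP/500; the syslog lines quoted in the post are tagged `isakmpd`, which is a different IKE daemon from `racoon`.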

