11-23-2007, 03:14 AM   #1
cristina_crow
LQ Newbie
Registered: Apr 2005
Location: Bucharest
Distribution: debian lenny, RHEL AS3, gentoo 1.12
Posts: 5
ipsec server on debian


hello

first of all, I have performed a (short) search on the forum, but I couldn't find what I was looking for

I am trying to configure a security gateway on a debian

# uname -a
Linux ipsec01 2.6.22-2-686 #1 SMP Fri Aug 31 00:24:01 UTC 2007 i686 GNU/Linux

basically, this setup should know ipsec transport and tunneling on ipv4 and ipv6, to automatically negotiate security associations, based both on pre-shared keys and on digital certificates, to encrypt and authenticate traffic

the main features I am interested in are the ike v2 and isakmp logging

the tunneling will be done versus a cisco 6500

I have tried to create a transport mode config with ipsec-tools and racoon, I can start both daemons (running /etc/init.d/ipsec start and /etc/init.d/racoon start I don't have any error messages), but when I ping the cisco from debian and vice versa, I can't see any negotiation, only plain messages

ipsec-tools.conf file:

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

## Some sample SPDs for use racoon

spdadd 26.0.0.254 26.0.0.250 any -P out ipsec
esp/transport/require;

spdadd 26.0.0.250 26.0.0.254 any -P in ipsec
esp/transport/require;

#add 26.0.0.250 26.0.0.254 esp 15701 -E des-cbc "cheie"
#add 26.0.0.254 26.0.0.250 esp 24501 -E des-cbc "cheie"


racoon.conf file:

# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

#RACOON_OPTS="-4 -l /var/log/racoon.log"
#RACOON_CONF="/etc/racoon/racoon.conf"
#RACOON_PSK_FILE="/etc/racoon/psk.txt"
#SETKEY_CONF="/etc/ipsec-tools.conf"
#RACOON_RESET_TABLES="true"

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}

listen
{
isakmp 26.0.0.254[10];
#admin[7002];
#strict_address;
}

timer
{
counter 5;
interval 20 sec;
persend 1;

# how long I wait for each phase
phase1 90 sec;
phase2 90 sec;
}


# this is the debian peer

remote anonymous {
exchange_mode aggressive,main;
my_identifier address "26.0.0.254";
# doi ipsec_doi;
situation identity_only;

initial_contact on;
proposal_check obey;

proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
encryption_algorithm des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}


iptables allows all traffic:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



when I ping the cisco from the debian, this is what I have in the /var/log/syslog file:

Nov 22 20:06:18 ipsec01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: giving up on message 0x828ccc0, exchange ISAKMP-peer-west
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: either this message did not reach the other peer
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: or the responsemessage did not reach us back

cisco config looks like this:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cheie address 20.0.0.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IL esp-des esp-md5-hmac
!
crypto map IL 10 ipsec-isakmp
set peer 20.0.0.254
set transform-set IL
match address 100

and it is put on an interface

interface FastEthernet5/0
ip address 26.0.0.250 255.255.0.0
duplex auto
speed auto
crypto map IL
no shut


I have used online tutorials, but I did something wrong, obviously
could you please help me out with this?

thanks a lot

Last edited by cristina_crow; 11-23-2007 at 04:42 AM.
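Added example, not part of the post above: a small checker that takes the Phase 1 and Phase 2 parameters transcribed from the two configurations shown in the post and lists every field on which the peers disagree, which is the first thing to rule out when no negotiation is seen. The field names and the normalisation table are this example's own conventions; the Cisco Phase 1 encryption is the IOS default (DES), since the policy shown does not set one.

```python
"""Compare IKE/IPsec parameters of two peers and list the fields that differ.

Added example, not the forum poster's code. The two dictionaries below are
transcribed (constructed input) from the racoon.conf and Cisco config in
the post; field names and NORMALISE are conventions of this example only.
"""

# Map racoon and Cisco IOS spellings of the same algorithm to one token.
NORMALISE = {
    "hmac_sha1": "sha1", "esp-sha-hmac": "sha1", "sha": "sha1", "sha1": "sha1",
    "hmac_md5": "md5", "esp-md5-hmac": "md5", "md5": "md5",
    "esp-des": "des", "des": "des",
    "esp-3des": "3des", "3des": "3des",
    "pre_shared_key": "psk", "pre-share": "psk", "psk": "psk",
}


def norm(value):
    """Lower-case a value and translate vendor spellings to a common token."""
    text = str(value).lower()
    return NORMALISE.get(text, text)


def compare_peers(left, right):
    """Return [(field, left_value, right_value)] for every field that differs.

    Both sides must agree on Phase 1 (encryption, hash, auth method, DH group),
    on the Phase 2 transform, on the ISAKMP port and on the peer address they
    expect; a mismatch in any of these stops the exchange before it starts.
    """
    mismatches = []
    for field in sorted(set(left) | set(right)):
        lv, rv = left.get(field), right.get(field)
        if norm(lv) != norm(rv):
            mismatches.append((field, lv, rv))
    return mismatches


# Debian side, from racoon.conf: remote/proposal, sainfo, listen, my_identifier.
RACOON = {
    "p1_encryption": "des", "p1_hash": "sha1", "p1_auth": "pre_shared_key",
    "p1_dh_group": 2, "p2_encryption": "des", "p2_auth": "hmac_sha1",
    "isakmp_port": 10, "debian_address": "26.0.0.254",
}
# Cisco side: isakmp policy 10, transform-set IL, default UDP/500, key address.
CISCO = {
    "p1_encryption": "des",  # IOS default when the policy sets no encryption
    "p1_hash": "md5", "p1_auth": "pre-share", "p1_dh_group": 2,
    "p2_encryption": "esp-des", "p2_auth": "esp-md5-hmac",
    "isakmp_port": 500, "debian_address": "20.0.0.254",
}

if __name__ == "__main__":
    for field, lv, rv in compare_peers(RACOON, CISCO):
        print(f"{field}: racoon={lv!r} cisco={rv!r}")
```

The checker only covers proposal parameters; note also that the syslog lines in the post are tagged isakmpd, a different IKE daemon from racoon, so the racoon.conf shown may not be the configuration that is actually negotiating.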