I have an IPSec config between two RedHat boxes:
x.x.x.x running ipsec-tools-0.3.3 (RedHat 4)
and
y.y.y.y running ipsec-tools-0.6.5 (RedHat 5)
They are configured according to
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-net2net.html
using pre-shared secret key.
When the IPSec tunnel was set up the port 500 was not properly opened
on either of the sides. However the tunnel seems to be working. Sort
of.
What happens as I see it today is that the connection is up. Then
when I take x.x.x.x down and bring it back up the connection won't
restore. x.x.x.x gets the following from racoon:
Nov 16 00:42:55 x.x.x.x racoon: INFO: IPsec-SA request for y.y.y.y queued due to no phase1 found.
Nov 16 00:42:55 x.x.x.x racoon: INFO: initiate new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Nov 16 00:42:55 x.x.x.x racoon: INFO: begin Aggressive mode.
Nov 16 00:43:26 x.x.x.x racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP y.y.y.y->x.x.x.x
Nov 16 00:43:26 x.x.x.x racoon: INFO: delete phase 2 handler.
Nov 16 00:43:55 x.x.x.x racoon: ERROR: phase1 negotiation failed due to time up. ca42ee980da1080b:0000000000000000
The other side, y.y.y.y, sits there doing nothing. Then, when 1 hour has passed since the last renegotiation, y.y.y.y wakes up and restores the connection, at which point everything starts working again:
Nov 16 00:46:13 y.y.y.y racoon: INFO: IPsec-SA expired: AH/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=112373441(0x6b2aec1)
Nov 16 00:46:13 y.y.y.y racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=167960192(0xa02de80)
Nov 16 00:46:13 y.y.y.y racoon: INFO: IPsec-SA expired: AH/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=195183010(0xba241a2)
Nov 16 00:46:13 y.y.y.y racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=268100059(0xffae1db)
Nov 16 00:46:15 y.y.y.y racoon: INFO: IPsec-SA expired: AH/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=22772025(0x15b7939)
Nov 16 00:46:16 y.y.y.y racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=41043512(0x2724638)
Nov 16 00:46:16 y.y.y.y racoon: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Nov 16 00:46:16 y.y.y.y racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Nov 16 00:46:16 y.y.y.y racoon: INFO: begin Aggressive mode.
Nov 16 00:46:16 y.y.y.y racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Nov 16 00:46:16 y.y.y.y racoon: INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:d03a076655e05b80:3bc8f53203c6a281
Nov 16 00:46:16 y.y.y.y racoon: INFO: purging spi=96244685.
Nov 16 00:46:16 y.y.y.y racoon: INFO: purging spi=245759520.
Nov 16 00:46:17 y.y.y.y racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Nov 16 00:46:17 y.y.y.y racoon: INFO: respond new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
One other thing that we are seeing in the y.y.y.y log (and not in the x.x.x.x log):
Nov 16 00:45:03 y.y.y.y racoon: INFO: unsupported PF_KEY message REGISTER
Nov 16 00:45:03 y.y.y.y racoon: INFO: unsupported PF_KEY message X_SPDDELETE2
I verified that port 500 is blocked going both ways. I understand that we should unblock it, but I really want/need to understand what is going on now. How is it negotiating anything if 500 is blocked?
Thanks!
_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
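The following is an added example, not part of the original post or of ipsec-tools: it correlates racoon's "initiate new phase 1" lines with their outcome ("ISAKMP-SA established" or "phase1 negotiation failed") per host, so the one-sided pattern in the post (x.x.x.x times out after 60 s, y.y.y.y succeeds instantly once its SAs expire) can be picked out of a syslog file automatically. The sample lines are the post's own log entries, re-joined onto single lines; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the racoon lines quoted in the post,
# unwrapped onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Nov 16 00:42:55 x.x.x.x racoon: INFO: IPsec-SA request for y.y.y.y queued due to no phase1 found.
Nov 16 00:42:55 x.x.x.x racoon: INFO: initiate new phase 1 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Nov 16 00:42:55 x.x.x.x racoon: INFO: begin Aggressive mode.
Nov 16 00:43:26 x.x.x.x racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP y.y.y.y->x.x.x.x
Nov 16 00:43:55 x.x.x.x racoon: ERROR: phase1 negotiation failed due to time up. ca42ee980da1080b:0000000000000000
Nov 16 00:46:16 y.y.y.y racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Nov 16 00:46:16 y.y.y.y racoon: INFO: ISAKMP-SA established y.y.y.y[500]-x.x.x.x[500] spi:d03a076655e05b80:3bc8f53203c6a281
"""

# syslog prefix: "Mon DD HH:MM:SS <host> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) racoon: (\w+): (.*)$")


def parse_racoon(text):
    """Yield (timestamp, host, level, message) for each racoon syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # No year in syslog timestamps; strptime defaults to 1900, which is
            # fine because only differences between timestamps are used.
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def phase1_outcomes(text):
    """Pair each host's 'initiate new phase 1' with the next phase 1 outcome.

    Returns {host: [(outcome, seconds_until_outcome), ...]} where outcome is
    'established' (ISAKMP-SA established) or 'timeout' (phase1 failed).
    """
    pending, results = {}, {}
    for ts, host, level, msg in parse_racoon(text):
        if msg.startswith("initiate new phase 1"):
            pending[host] = ts
        elif host in pending and (msg.startswith("ISAKMP-SA established")
                                  or msg.startswith("phase1 negotiation failed")):
            outcome = "established" if level == "INFO" else "timeout"
            secs = int((ts - pending.pop(host)).total_seconds())
            results.setdefault(host, []).append((outcome, secs))
    return results


def unanswered_initiators(results):
    """Hosts whose every phase 1 attempt timed out: the peer never replied
    on UDP/500, which is what a blocked ISAKMP port looks like from one side."""
    return sorted(h for h, o in results.items() if o and all(r == "timeout" for r, _ in o))
```

Run over the full syslog of both boxes, a host that only ever appears in `unanswered_initiators` while the other side establishes fine is the asymmetry the post describes.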