Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: fpausp on July 08, 2008, 07:12:03 PM
-
Hi All,
Today I tried to implement ipsec on two servers. I used the script from http://www.comnetel.com/sme7_ipsec/ipsec_install.sh; it looks as if the folder /etc/racoon is missing. Any suggestions?
[root@server masq]# /sbin/ifup ipsec0
RTNETLINK answers: File exists
mktemp: cannot create temp file /etc/racoon/psk.Zs6322: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 227: $tmpfile: ambiguous redirect
/etc/sysconfig/network-scripts/ifup-ipsec: line 228: $tmpfile: ambiguous redirect
mv: Fehlendes Dateiargument
,,mv --help" gibt weitere Informationen.
/etc/sysconfig/network-scripts/ifup-ipsec: line 232: /etc/racoon/28.106.133.xx.conf: Datei oder Verzeichnis nicht gefunden
/etc/sysconfig/network-scripts/ifup-ipsec: line 239: /etc/racoon/28.106.133.xx.conf: Datei oder Verzeichnis nicht gefunden
mktemp: cannot create temp file /etc/racoon/racoon.Up6327: No such file or directory
/etc/sysconfig/network-scripts/ifup-ipsec: line 286: $racoontmp: ambiguous redirect
/etc/sysconfig/network-scripts/ifup-ipsec: line 287: $racoontmp: ambiguous redirect
mv: Fehlendes Dateiargument
,,mv --help" gibt weitere Informationen.
/etc/sysconfig/network-scripts/ifup-ipsec: line 292: /usr/sbin/racoon: Datei oder Verzeichnis nicht gefunden
Best
fpausp
-
Read Jumba's reply #21 here:
http://forums.contribs.org/index.php?topic=36033.15
-
Hi,
Thanks for your reply. After I installed ipsec-tools on the two servers I got the following:
The command
less /var/log/messages | grep racoon
shows on
SERVER A
Jul 8 22:18:10 server_A racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Jul 8 22:18:10 server_A racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Jul 8 22:18:10 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:18:10 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 8 22:18:10 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:19 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:19:19 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:19:19 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:19:19 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:19 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:19:19 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:19:19 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:19:19 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:19 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:19:19 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:19:19 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:19:19 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:21:41 server_A racoon: INFO: IPsec-SA request for 88.xx.xx.xx queued due to no phase1 found.
Jul 8 22:21:41 server_A racoon: INFO: initiate new phase 1 negotiation: 80.xx.xx.xx[500]<=>88.xx.xx.xx[500]
Jul 8 22:21:41 server_A racoon: INFO: begin Aggressive mode.
Jul 8 22:21:41 server_A racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jul 8 22:21:41 server_A racoon: INFO: ISAKMP-SA established 80.xx.xx.xx[500]-88.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Jul 8 22:21:42 server_A racoon: INFO: initiate new phase 2 negotiation: 80.xx.xx.xx[0]<=>88.xx.xx.xx[0]
Jul 8 22:22:12 server_A racoon: ERROR: 88.xx.xx.xx give up to get IPsec-SA due to time up to wait.
Jul 8 22:22:12 server_A racoon: INFO: IPsec-SA expired: AH/Tunnel 88.xx.xx.xx->80.xx.xx.xx spi=xxxxxxxxx(xxxxxxxxx)
Jul 8 22:22:12 server_A racoon: INFO: IPsec-SA expired: ESP/Tunnel 88.xx.xx.xx->80.xx.xx.xx spi=xxxxxxxxx(xxxxxxxxx)
Jul 8 22:22:15 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:22:15 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 8 22:22:15 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:22:15 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:22:15 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 8 22:22:15 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:22:23 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:22:23 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:22:23 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:22:23 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:22:23 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:22:23 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:22:23 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:22:23 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:22:23 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 8 22:22:23 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 8 22:22:23 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:22:23 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:27:06 server_A racoon: INFO: unsupported PF_KEY message REGISTER
Jul 8 22:50:21 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:50:21 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 8 22:50:21 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:50:24 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:50:24 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 8 22:50:24 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 06:01:59 server_A racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Jul 9 06:02:00 server_A racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Jul 9 06:02:00 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 9 06:02:00 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 9 06:02:00 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 16:16:28 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 16:16:28 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 16:16:28 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 16:16:28 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 16:16:28 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 16:16:28 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 16:16:28 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 16:16:28 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 16:16:28 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 16:16:28 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 16:16:28 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 16:16:28 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 16:16:40 server_A racoon: INFO: unsupported PF_KEY message REGISTER
Jul 9 16:17:22 server_A racoon: INFO: unsupported PF_KEY message REGISTER
Jul 9 16:21:36 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 9 16:21:36 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 9 16:21:36 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 16:21:36 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 9 16:21:36 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=9)
Jul 9 16:21:36 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 20:00:46 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 20:00:46 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 20:00:46 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 20:00:46 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 20:00:46 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 20:00:46 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 20:00:46 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 20:00:46 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 20:00:46 server_A racoon: INFO: 192.168.0.246[500] used as isakmp port (fd=8)
Jul 9 20:00:46 server_A racoon: INFO: 80.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 20:00:46 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 9 20:00:46 server_A racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
and on
SERVER B
Jul 8 22:19:04 Server_B racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Jul 8 22:19:04 Server_B racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Jul 8 22:19:05 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=8)
Jul 8 22:19:05 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:19:15 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:15 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:19:15 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:15 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:19:15 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:15 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:19:15 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:19:15 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=8)
Jul 8 22:19:15 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=9)
Jul 8 22:19:15 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 8 22:21:41 Server_B racoon: INFO: respond new phase 1 negotiation: 88.xx.xx.xx[500]<=>80.xx.xx.xx[500]
Jul 8 22:21:41 Server_B racoon: INFO: begin Aggressive mode.
Jul 8 22:21:41 Server_B racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jul 8 22:21:41 Server_B racoon: INFO: ISAKMP-SA established 88.xx.xx.xx[500]-80.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Jul 8 22:21:42 Server_B racoon: INFO: respond new phase 2 negotiation: 88.xx.xx.xx[0]<=>80.xx.xx.xx[0]
Jul 8 22:21:42 Server_B racoon: ERROR: no policy found: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Jul 8 22:21:42 Server_B racoon: ERROR: failed to get proposal for responder.
Jul 8 22:21:42 Server_B racoon: ERROR: failed to pre-process packet.
Jul 8 22:21:52 Server_B racoon: INFO: respond new phase 2 negotiation: 88.xx.xx.xx[0]<=>80.xx.xx.xx[0]
Jul 8 22:21:52 Server_B racoon: ERROR: no policy found: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Jul 8 22:21:52 Server_B racoon: ERROR: failed to get proposal for responder.
Jul 8 22:21:52 Server_B racoon: ERROR: failed to pre-process packet.
Jul 8 22:22:02 Server_B racoon: INFO: respond new phase 2 negotiation: 88.xx.xx.xx[0]<=>80.xx.xx.xx[0]
Jul 8 22:22:02 Server_B racoon: ERROR: no policy found: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Jul 8 22:22:02 Server_B racoon: ERROR: failed to get proposal for responder.
Jul 8 22:22:02 Server_B racoon: ERROR: failed to pre-process packet.
Jul 8 22:27:06 Server_B racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx.
Jul 8 22:27:07 Server_B racoon: INFO: ISAKMP-SA deleted 88.xx.xx.xx[500]-80.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Jul 9 19:56:52 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=8)
Jul 9 19:56:52 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 19:56:52 Server_B racoon: ERROR: failed to bind to address 192.168.2.246[500] (Address already in use).
Jul 9 19:56:52 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 19:56:52 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=8)
Jul 9 19:56:52 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 19:56:52 Server_B racoon: ERROR: failed to bind to address 192.168.2.246[500] (Address already in use).
Jul 9 19:56:52 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 19:56:52 Server_B racoon: INFO: 192.168.2.246[500] used as isakmp port (fd=8)
Jul 9 19:56:52 Server_B racoon: INFO: 88.xx.xx.xx[500] used as isakmp port (fd=9)
Jul 9 19:56:52 Server_B racoon: ERROR: failed to bind to address 192.168.2.246[500] (Address already in use).
Jul 9 19:56:52 Server_B racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 9 19:59:16 Server_B racoon: INFO: unsupported PF_KEY message REGISTER
Server A's IP is 192.168.0.246
Subnet is 255.255.255.0
Gateway is 80.xx.xx.xx
Server B's IP is 192.168.2.246
Subnet is 255.255.255.0
Gateway is 88.xx.xx.xx
In the server-manager - local network I made the steps as follows:
SERVER A
Network address 192.168.2.0
Subnet 255.255.255.0
Router 192.168.0.246
SERVER B
Network address 192.168.0.0
Subnet 255.255.255.0
Router 192.168.2.246
What else can I do?
Best
fpausp
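
Added example, not part of the original post: a small triage script that condenses racoon syslog output like the above into counted events, so the pairing of Server A's phase 2 timeout with Server B's "no policy found" error stands out from the repeated bind messages. The event names and the function names are illustrative; the sample lines are excerpted from the logs in the post, and `setkey -DP` is the ipsec-tools command that dumps the kernel's security policy database.

```python
import re
from collections import Counter

# Sample lines excerpted from the racoon logs posted above (addresses masked as posted).
SAMPLE = """\
Jul 8 22:19:19 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use).
Jul 8 22:21:41 server_A racoon: INFO: ISAKMP-SA established 80.xx.xx.xx[500]-88.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Jul 8 22:22:12 server_A racoon: ERROR: 88.xx.xx.xx give up to get IPsec-SA due to time up to wait.
Jul 8 22:21:41 Server_B racoon: INFO: ISAKMP-SA established 88.xx.xx.xx[500]-80.xx.xx.xx[500] spi:xxxxxxxxxxxxxxxx:xxxxxxxxxxxxxxxx
Jul 8 22:21:42 Server_B racoon: ERROR: no policy found: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Jul 8 22:21:52 Server_B racoon: ERROR: no policy found: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
""".splitlines()

LINE = re.compile(r"^\w+\s+\d+\s+[\d:]+\s+(?P<host>\S+) racoon: (?P<level>\w+): (?P<msg>.*)$")
# Event names are labels chosen for this example, not racoon terminology.
PATTERNS = {
    "bind_failed": re.compile(r"failed to bind to address (\S+)\[500\]"),
    "phase1_up": re.compile(r"ISAKMP-SA established (\S+)\[500\]-(\S+)\[500\]"),
    "phase2_timeout": re.compile(r"(\S+) give up to get IPsec-SA"),
    "no_policy": re.compile(r"no policy found: (\S+)\[0\] (\S+)\[0\] proto=(\S+) dir=(\S+)"),
}

def triage(lines):
    """Count each (host, event, details) tuple seen in racoon syslog lines."""
    events = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a racoon line in the expected syslog layout
        for name, pat in PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                events[(m["host"], name, hit.groups())] += 1
    return events

def missing_policies(events):
    """List the policies a responder reported as absent, with the check to run."""
    hints = []
    for (host, name, g), n in sorted(events.items()):
        if name == "no_policy":
            src, dst, proto, direction = g
            hints.append(f"{host}: no SPD entry for {src} -> {dst} proto {proto} "
                         f"dir {direction} ({n}x); check `setkey -DP`")
    return hints

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE).items()):
        print(n, *key)
    print(*missing_policies(triage(SAMPLE)), sep="\n")
```

Pointed at the real file (`triage(open("/var/log/messages"))`), it reduces each burst of repeated lines to a single counted entry per host.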
-
fpausp,
I am sorry I can't help you more. (I just remembered seeing the racoon issue on the other post)
I think Jumba and some others have it running so maybe they will take notice.
Edit
You know, I think Jumba had exactly the same experience with the same message:
Jul 8 22:19:19 server_A racoon: ERROR: failed to bind to address 192.168.0.246[500] (Address already in use)
His seemed to somehow resolve itself after a period of time. (he diagnosed it as a stodgy internet connection) I would be curious if yours resolves itself.
-
OK, thanks for your help. I hope somebody can help me with my ipsec problem, maybe Jumba?
regards
fpausp
-
fpausp,
I am very curious. Did this ever resolve? Jumba mentions that a week later without him making any changes his tunnel was active.