[Openswan Users] IPSec and IBM ZOS
Roger Doger
rogerdoger4876 at yahoo.com
Wed Aug 27 15:13:19 EDT 2008
Hello,
Has anyone successfully set up an IPsec connection between a Red Hat Enterprise Linux version 3 host and an IBM mainframe running z/OS 9?
I used to work with FreeS/WAN a lot, and I understand the configuration with ipsec.conf and ipsec.secrets, but a lot has changed in the 4 years since I last worked with it.
My configuration is set up as follows:
racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;
# Phase 2 (IPsec SA) parameters offered to any peer.
sainfo anonymous
{
    pfs_group 1;
    lifetime time 4 hour;
    encryption_algorithm aes, 3des, blowfish 448, rijndael;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
Remote side, usually listed as X.X.X.X.conf in the /etc/racoon directory:
remote 192.168.1.100 {
    exchange_mode aggressive, main;
    my_identifier address;
    # Phase 1 (ISAKMP SA) proposal.
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}
and my ifcfg-ipsec0:
DST=192.168.1.100
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
DEVICE=ipsec0
To bring up the connection, I run ifup ipsec0 and then attempt to ping the remote side.
The ifup seems to be OK:
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a2258: 192.168.1.101/32[0] 10.176.150.192/32[0] proto=any dir=out
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a25a8: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
When I attempt to ping the remote side, I receive "resource unavailable", and the logs are:
Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:194:pfkey_handler(): get pfkey ACQUIRE message
Aug 27 15:06:52 st2 racoon: DEBUG2: plog.c:193:plogdump(): 02060003 c8000000 05000000 00000000 03000500 00200000 02000000 0ab096c1 00000000 00000000 03000600 00200000 02000000 0ab08801 00000000 00000000 02001200 020002fe b1010000 24e19c31 be000d00 20000000 020b0000 80008000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 40190100 00000000 80510100 00000000 70620000 00000000 80700000 00000000 030b0000 a000a000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 40190100 00000000 80510100 00000000 70620000 00000000 80700000 00000000 050b0000 00010001 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 40190100 00000000 80510100 00000000 70620000 00000000 80700000 00000000 02020000 80008000 40004000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 40190100 00000000 80510100 00000000 70620000 00000000 80700000 00000000 03020000 a000a000 40004000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 40190100 00000000 80510100
Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1521:pk_recvacquire(): suitable outbound SP found: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out.
Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1537:pk_recvacquire(): suitable inbound SP found: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in.
Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1576:pk_recvacquire(): new acquire 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
Aug 27 15:06:52 st2 racoon: DEBUG: sainfo.c:99:getsainfo(): anonymous sainfo selected.
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto(): (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:852:printsatrns(): (trns_id=SHA authtype=2)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=2)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): (trns_id=BLOWFISH encklen=448 authtype=2)
Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): (trns_id=RIJNDAEL encklen=128 authtype=2)
Aug 27 15:06:52 st2 racoon: DEBUG: remoteconf.c:117:getrmconf(): configuration found for 192.168.1.100.
Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:1688:isakmp_post_acquire(): IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:792:isakmp_ph1begin_i(): ===
Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:797:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:802:isakmp_ph1begin_i(): begin Aggressive mode.
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2000:isakmp_newcookie(): new cookie: 2a5b4077b628056f
Aug 27 15:06:52 st2 racoon: DEBUG: ipsec_doi.c:3184:ipsecdoi_setid1(): use ID type of IPv4_address
Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:256:oakley_dh_generate(): compute DH's private.
Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 7e85c730 428fe42d b99c4c6e 7be228aa 63604e06 237fb3b3 655b9773 c8b8dba0 f815e684 f786aa91 499f2d92 e5a05014 c6efb406 bb9687cc 4c149420 d70a687c 5f7e9e6c 4fd35deb fceb32c2 abd59b37 f54f59e3 e1dac813 a8388ef0 d6301056
Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:258:oakley_dh_generate(): compute DH's public.
Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): c78d9d2a f146eb42 b6de8ef6 ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333 c6c5478d 352c9f6f 557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27 fe066ab1 8361321b 936a2216 367495cb 507c868d 2c366acb 3e4fba5c
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): add payload of len 52, next type 4
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): add payload of len 96, next type 10
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): add payload of len 16, next type 5
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): add payload of len 8, next type 0
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:469:sendfromto(): sockname 192.168.1.101[500]
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:471:sendfromto(): send packet from 192.168.1.101[500]
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:473:sendfromto(): send packet to 192.168.1.100[500]
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:588:sendfromto(): src4 192.168.1.101[500]
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:591:sendfromto(): dst4 192.168.1.100[500]
Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:602:sendfromto(): 1 times of 216 bytes message will be sent to 192.168.1.101[500]
Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 2a5b4077 b628056f 00000000 00000000 01100400 00000000 000000d8 04000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002 80040001 0a000064 c78d9d2a f146eb42 b6de8ef6 ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333 c6c5478d 352c9f6f 557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27 fe066ab1 8361321b 936a2216 367495cb 507c868d 2c366acb 3e4fba5c 05000014 ff67f31d 9efb4e2a 9e902afa e6be6a1d 0000000c 011101f4 0ab096c1
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1453:isakmp_ph1resend(): resend phase1 packet 2a5b4077b628056f:0000000000000000
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:220:isakmp_handler(): ===
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:221:isakmp_handler(): 40 bytes message received from 192.168.1.100[500]
Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 2a5b4077 b628056f fe30d72f 57ba5a1d 0b100500 e2a7dce3 00000028 0000000c 00000001 0100000e
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_inf.c:113:isakmp_info_recv(): receive Information.
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1111:isakmp_parsewoh(): begin.
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen nptype=11(notify)
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1177:isakmp_parsewoh(): succeed.
Aug 27 15:06:52 st2 racoon: ERROR: isakmp_inf.c:774:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_inf.c:796:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
Any help would be appreciated.
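As an added example (not part of the original post, and not racoon's own code), the following Python decodes the two raw ISAKMP packets that racoon dumped in the log above: the 216-byte aggressive-mode message 1 that was sent, and the 40-byte reply that carried the notification. The hex is copied verbatim from the two plogdump() lines; the code-point tables are taken from RFC 2408, RFC 2409 Appendix A and the IANA IKEv1 registries (AES-CBC = 7, MODP 2048 = 14). The decoder is an assumption-free reading of the bytes and only interprets the payload types present in these two packets; it says nothing about what the z/OS side is configured to accept.

```python
"""Decode the two ISAKMP packets racoon logged: the aggressive-mode
message 1 it sent, and the informational reply that carried the notify."""
import struct

# Hex copied verbatim from the two plogdump() lines in the post.
SENT_AGG_MSG1 = (
    "2a5b4077 b628056f 00000000 00000000 01100400 00000000 000000d8 04000038 "
    "00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 "
    "80010007 800e0080 80030001 80020002 80040001 0a000064 c78d9d2a f146eb42 "
    "b6de8ef6 ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333 c6c5478d "
    "352c9f6f 557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27 fe066ab1 "
    "8361321b 936a2216 367495cb 507c868d 2c366acb 3e4fba5c 05000014 ff67f31d "
    "9efb4e2a 9e902afa e6be6a1d 0000000c 011101f4 0ab096c1"
)
RECEIVED_NOTIFY = ("2a5b4077 b628056f fe30d72f 57ba5a1d 0b100500 e2a7dce3 "
                   "00000028 0000000c 00000001 0100000e")

# Code points from RFC 2408 (ISAKMP) and RFC 2409 Appendix A (IKEv1);
# AES-CBC = 7 and MODP 2048 = 14 come from the IANA IKEv1 registries.
EXCHANGE_TYPES = {2: "Identity Protection (main)", 4: "Aggressive", 5: "Informational", 32: "Quick"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 8: "HASH", 10: "Nonce", 11: "Notify", 13: "VID"}
NOTIFY_TYPES = {7: "INVALID-EXCHANGE-TYPE", 13: "ATTRIBUTES-NOT-SUPPORTED",
                14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED"}
IKE_ATTRS = {  # phase-1 transform attributes, named the way racoon.conf spells them
    1: ("encryption_algorithm", {1: "des", 3: "blowfish", 5: "3des", 7: "aes"}),
    2: ("hash_algorithm", {1: "md5", 2: "sha1"}),
    3: ("authentication_method", {1: "pre_shared_key", 3: "rsasig"}),
    4: ("dh_group", {1: "1 (modp768)", 2: "2 (modp1024)", 5: "5 (modp1536)", 14: "14 (modp2048)"}),
    11: ("life_type", {1: "seconds", 2: "kilobytes"}),
    12: ("life_duration", None),
    14: ("key_length", None),
}


def unhex(words):
    return bytes.fromhex(words.replace(" ", ""))


def parse_header(pkt):
    """28-byte ISAKMP header (RFC 2408 section 3.1)."""
    icky, rcky, np, ver, etype, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    return {"icookie": icky.hex(), "rcookie": rcky.hex(), "next_payload": np,
            "version": f"{ver >> 4}.{ver & 0xf}", "exchange": EXCHANGE_TYPES.get(etype, etype),
            "encrypted": bool(flags & 0x01), "message_id": msgid, "length": length}


def parse_attributes(data):
    """Data attributes (RFC 2408 section 3.3): TV form if the high bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        af_type, = struct.unpack("!H", data[off:off + 2])
        if af_type & 0x8000:                      # TV: 2-byte value follows
            value, = struct.unpack("!H", data[off + 2:off + 4])
            off += 4
        else:                                     # TLV: 2-byte length, then value
            ln, = struct.unpack("!H", data[off + 2:off + 4])
            value = int.from_bytes(data[off + 4:off + 4 + ln], "big")
            off += 4 + ln
        name, table = IKE_ATTRS.get(af_type & 0x7fff, (f"attr_{af_type & 0x7fff}", None))
        attrs[name] = table.get(value, value) if table else value
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then one proposal and its transforms."""
    doi, _situation = struct.unpack("!II", body[:8])
    _np, _r, _plen, _num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[8:16])
    off, transforms = 16 + spi_size, []
    for _ in range(ntrans):
        _tnp, _r, tlen, _tnum, _tid, _r2 = struct.unpack("!BBHBBH", body[off:off + 8])
        transforms.append(parse_attributes(body[off + 8:off + tlen]))
        off += tlen
    return {"doi": doi, "protocol_id": proto, "transforms": transforms}


def parse_packet(pkt):
    """Walk the payload chain; decode SA and Notify payloads, list the rest by type."""
    hdr = parse_header(pkt)
    payloads, np, off = [], hdr["next_payload"], 28
    while np != 0 and off + 4 <= len(pkt):
        next_np, _r, plen = struct.unpack("!BBH", pkt[off:off + 4])
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(np, np), "length": plen}
        if np == 1:
            entry.update(parse_sa(body))
        elif np == 11:
            doi, proto, _spi_size, ntype = struct.unpack("!IBBH", body[:8])
            entry.update(doi=doi, protocol_id=proto, notify=NOTIFY_TYPES.get(ntype, ntype))
        payloads.append(entry)
        np, off = next_np, off + plen
    return hdr, payloads


def diagnose(sent_hex, recv_hex):
    """Pair what the initiator proposed with what the peer answered."""
    sent_hdr, sent = parse_packet(unhex(sent_hex))
    recv_hdr, recv = parse_packet(unhex(recv_hex))
    notify = next(p for p in recv if p["type"] == "Notify")
    return {
        "sent_exchange": sent_hdr["exchange"],
        "sent_payloads": [p["type"] for p in sent],
        "proposed": sent[0]["transforms"][0],
        "reply_exchange": recv_hdr["exchange"],
        "reply_encrypted": recv_hdr["encrypted"],
        "reply_for_our_cookie": recv_hdr["icookie"] == sent_hdr["icookie"],
        "reply_notify": notify["notify"],
        "reply_protocol_id": notify["protocol_id"],
    }


if __name__ == "__main__":
    for key, value in diagnose(SENT_AGG_MSG1, RECEIVED_NOTIFY).items():
        print(f"{key:22} {value}")
```

Running it shows that the packet carried exactly one phase-1 transform (aes with key_length 128, sha1, pre_shared_key, dh_group 1, lifetime 28800 seconds) and that the peer answered in an unencrypted Informational exchange, bound to the same initiator cookie, with NO-PROPOSAL-CHOSEN for protocol ID 1 (ISAKMP), i.e. the rejection happened in phase 1, before any pre-shared key was checked. Aggressive mode fixes the Diffie-Hellman group in message 1 (RFC 2409 section 5.4), so the initiator cannot offer alternatives across groups; the decoded dictionary is the thing to compare line by line against whatever the z/OS side has configured for its IKE proposal.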