[Openswan Users] IPSec and IBM ZOS
Peter McGill
petermcgill at goco.net
Tue Sep 2 09:31:04 EDT 2008
Roger,
It would be helpful to see both configs, to search for discrepancies.
However, I can see one problem already: you cannot use DH group 1.
Group 1 is considered obsolete/insecure and openswan will refuse it.
You must instead use group 2 or 5; change pfs_group and dh_group.
Also, aggressive mode weakens security; turn it off. Openswan doesn't
use it by default (see exchange_mode).
Peter
Roger Doger wrote:
> Hello,
>
> Has anyone successfully set up an IPsec connection between a Red Hat
> Enterprise Linux version 3 and an IBM mainframe z/OS 9?
>
> I used to work with freeswan a lot, and I understand the configuration
> with ipsec.conf and ipsec.secrets, but a lot has changed in the 4 years
> since I last worked with it.
>
> My configuration is set up as follows:
>
> racoon.conf:
>
> path include "/etc/racoon";
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
> log debug2;
> sainfo anonymous
> {
>     pfs_group 1;
>     lifetime time 4 hour;
>     encryption_algorithm aes, 3des, blowfish 448, rijndael;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
>
> Remote side, usually listed by X.X.X.X.conf in the /etc/racoon directory.
>
> remote 192.168.1.100 {
>     exchange_mode aggressive, main;
>     my_identifier address;
>     proposal {
>         encryption_algorithm aes;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 1;
>     }
> }
> and my ifcfg.ipsec0:
>
> DST=192.168.1.100
> TYPE=IPsec
> ONBOOT=yes
> IKE_METHOD=PSK
> DEVICE=ipsec0
> To bring up the connection, I do an ifup ipsec0 and then attempt to ping
> the remote side.
>
> The ifup seems to be OK:
>
>
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a2258: 192.168.1.101/32[0] 10.176.150.192/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a25a8: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
>
> When I attempt to ping the remote side, I receive "resource unavailable"
> and the logs are:
>
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:194:pfkey_handler(): get
> pfkey ACQUIRE message
>
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1521:pk_recvacquire():
> suitable outbound SP found: 192.168.1.101/32[0] 192.168.1.100/32[0]
> proto=any dir=out.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
>
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
>
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict():
> sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
>
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db
> :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
>
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1537:pk_recvacquire():
> suitable inbound SP found: 192.168.1.100/32[0] 192.168.1.101/32[0]
> proto=any dir=in.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1576:pk_recvacquire(): new
> acquire 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sainfo.c:99:getsainfo(): anonymous
> sainfo selected.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto():
> (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport
> reqid=0:0)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:852:printsatrns():
> (trns_id=SHA authtype=2)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto():
> (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport
> reqid=0:0)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns():
> (trns_id=RIJNDAEL encklen=128 authtype=2)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns():
> (trns_id=3DES encklen=0 authtype=2)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns():
> (trns_id=BLOWFISH encklen=448 authtype=2)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns():
> (trns_id=RIJNDAEL encklen=128 authtype=2)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: remoteconf.c:117:getrmconf():
> configuration found for 192.168.1.100.
>
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:1688:isakmp_post_acquire():
> IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:792:isakmp_ph1begin_i(): ===
>
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:797:isakmp_ph1begin_i():
> initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
>
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:802:isakmp_ph1begin_i():
> begin Aggressive mode.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2000:isakmp_newcookie(): new
> cookie: 2a5b4077b628056f
>
> Aug 27 15:06:52 st2 racoon: DEBUG: ipsec_doi.c:3184:ipsecdoi_setid1():
> use ID type of IPv4_address
>
> Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:256:oakley_dh_generate():
> compute DH's private.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 7e85c730
> 428fe42d b99c4c6e 7be228aa 63604e06 237fb3b3 655b9773 c8b8dba0 f815e684
> f786aa91 499f2d92 e5a05014 c6efb406 bb9687cc 4c149420 d70a687c 5f7e9e6c
> 4fd35deb fceb32c2 abd59b37 f54f59e3 e1dac813 a8388ef0 d6301056
>
> Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:258:oakley_dh_generate():
> compute DH's public.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): c78d9d2a
> f146eb42 b6de8ef6 ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333
> c6c5478d 352c9f6f 557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27
> fe066ab1 8361321b 936a2216 367495cb 507c868d 2c366acb 3e4fba5c
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_agg.c:162:agg_i1send():
> authmethod is pre-shared key
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload():
> add payload of len 52, next type 4
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload():
> add payload of len 96, next type 10
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload():
> add payload of len 16, next type 5
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload():
> add payload of len 8, next type 0
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:469:sendfromto(): sockname
> 192.168.1.101[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:471:sendfromto(): send
> packet from 192.168.1.101[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:473:sendfromto(): send
> packet to 192.168.1.100[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:588:sendfromto(): src4
> 192.168.1.101[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:591:sendfromto(): dst4
> 192.168.1.100[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:602:sendfromto(): 1 times
> of 216 bytes message will be sent to 192.168.1.101[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 2a5b4077
> b628056f 00000000 00000000 01100400 00000000 000000d8 04000038 00000001
> 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007
> 800e0080 80030001 80020002 80040001 0a000064 c78d9d2a f146eb42 b6de8ef6
> ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333 c6c5478d 352c9f6f
> 557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27 fe066ab1 8361321b
> 936a2216 367495cb 507c868d 2c366acb 3e4fba5c 05000014 ff67f31d 9efb4e2a
> 9e902afa e6be6a1d 0000000c 011101f4 0ab096c1
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1453:isakmp_ph1resend():
> resend phase1 packet 2a5b4077b628056f:0000000000000000
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:220:isakmp_handler(): ===
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:221:isakmp_handler(): 40
> bytes message received from 192.168.1.100[500]
>
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 2a5b4077
> b628056f fe30d72f 57ba5a1d 0b100500 e2a7dce3 00000028 0000000c 00000001
> 0100000e
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_inf.c:113:isakmp_info_recv():
> receive Information.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1111:isakmp_parsewoh(): begin.
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen
> nptype=11(notify)
>
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1177:isakmp_parsewoh(): succeed.
>
> Aug 27 15:06:52 st2 racoon: ERROR:
> isakmp_inf.c:774:isakmp_info_recv_n(): unknown notify message, no phase2
> handle found.
>
> Aug 27 15:06:52 st2 racoon: DEBUG:
> isakmp_inf.c:796:isakmp_info_recv_n(): notification message
> 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
>
> Any help would be appreciated.
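As an added example (not part of either mail), here is a Python decoder for the two ISAKMP dumps in the log above: the 216-byte Aggressive-mode proposal racoon sent and the 40-byte Informational message that came back. It walks the payload chain, decodes the phase 1 transform attributes, and flags the two settings Peter's reply objects to, so you can see that the proposal really did carry DH group 1 (the 768-bit MODP group) in aggressive mode and that the peer answered NO-PROPOSAL-CHOSEN. Exchange-type and attribute numbers are from RFC 2408/2409; the names in ATTR and the "weak" list are my own labels.

```python
import struct

# Code points from RFC 2408/2409 that these two messages use.
EXCHANGE, NOTIFY = {2: "main", 4: "aggressive", 5: "informational"}, {14: "NO-PROPOSAL-CHOSEN"}
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group", 11: "life_type", 12: "life_duration", 14: "key_length"}

def parse_transform_attrs(body: bytes) -> dict:
    # SA body layout: DOI(4) situation(4) proposal hdr(4) proposal(4+spi) transform hdr(4) transform(4) attributes
    spi_size = body[14]                              # proposal: number, proto_id, spi_size, n_transforms
    t = 16 + spi_size                                # offset of the first transform payload
    tlen = struct.unpack("!H", body[t + 2:t + 4])[0]
    attrs, a = {}, t + 8
    while a < t + tlen:
        atype, aval = struct.unpack("!HH", body[a:a + 4])
        if atype & 0x8000:                           # TV form: high bit set, value is the 2 bytes
            attrs[ATTR.get(atype & 0x7fff, atype & 0x7fff)] = aval
            a += 4
        else:                                        # TLV form: aval is the length of a value that follows
            attrs[ATTR.get(atype, atype)] = body[a + 4:a + 4 + aval]
            a += 4 + aval
    return attrs

def parse_isakmp(hexdump: str) -> dict:
    raw = bytes.fromhex("".join(hexdump.split()))
    np, ver, xchg, flags, msgid, length = struct.unpack("!BBBBII", raw[16:28])  # after the two cookies
    msg = {"exchange": EXCHANGE.get(xchg, xchg), "length": length, "sa": None, "notify": None}
    off = 28
    while np and off < len(raw):                     # follow the next-payload chain
        nxt, _, plen = struct.unpack("!BBH", raw[off:off + 4])
        body = raw[off + 4:off + plen]
        if np == 1:                                  # Security Association payload
            msg["sa"] = parse_transform_attrs(body)
        elif np == 11:                               # Notification: DOI(4) proto_id(1) spi_size(1) notify_type(2)
            msg["notify"] = NOTIFY.get(struct.unpack("!H", body[6:8])[0])
        np, off = nxt, off + plen
    weak = ["aggressive mode"] if msg["exchange"] == "aggressive" else []
    if msg["sa"] and msg["sa"].get("dh_group") == 1:
        weak.append("dh_group 1")
    msg["weak"] = weak                               # the two settings the reply above objects to
    return msg

# Both dumps are copied from the racoon log quoted above: the 216-byte aggressive-mode
# proposal racoon sent, and the 40-byte Informational message that came back.
SENT = """2a5b4077 b628056f 00000000 00000000 01100400 00000000 000000d8 04000038 00000001 00000001 0000002c
01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 80030001 80020002 80040001 0a000064
c78d9d2a f146eb42 b6de8ef6 ee43a9c2 c014a389 f2704ced 9bca652e 613f8dda b66d8333 c6c5478d 352c9f6f
557187d7 9c30db70 7bacba5d 2e6a8118 c73f91df 591f8e27 fe066ab1 8361321b 936a2216 367495cb 507c868d
2c366acb 3e4fba5c 05000014 ff67f31d 9efb4e2a 9e902afa e6be6a1d 0000000c 011101f4 0ab096c1"""
REPLY = "2a5b4077 b628056f fe30d72f 57ba5a1d 0b100500 e2a7dce3 00000028 0000000c 00000001 0100000e"
```

The decoded transform also shows the rest of what racoon offered (AES-CBC with a 128-bit key, SHA-1, PSK, 28800-second lifetime), which is the information to compare against the z/OS policy before changing anything.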