[Openswan Users] IPSec and IBM ZOS

Peter McGill petermcgill at goco.net
Tue Sep 2 09:31:04 EDT 2008


Roger,

It would be helpful to see both configs, to search for discrepancies.
However, I can see one problem already: you cannot use dh group 1.
Group 1 is considered obsolete/insecure and openswan will refuse it.
You must instead use group 2 or 5; change pfs_group and dh_group.
Also, aggressive mode weakens security; turn it off. Openswan doesn't
use it by default (see exchange_mode).

Peter
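An added check, not from the thread or either poster, that scans a racoon.conf for the two settings Peter points out (DH/PFS group 1 and aggressive exchange mode). The sample configs are constructed from Roger's quoted settings, and the parser assumes racoon's `key value;` line syntax with `#` comments.

```python
# Constructed sample: the relevant parts of the weak config quoted in the thread.
WEAK_CONF = """\
sainfo anonymous
{
        pfs_group 1;
        lifetime time 4 hour ;
        encryption_algorithm aes, 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1;
}
remote 192.168.1.100{
        exchange_mode aggressive, main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}
"""

# Corrected counterpart following the reply: group 2 and main mode only.
FIXED_CONF = (WEAK_CONF.replace("pfs_group 1", "pfs_group 2")
                       .replace("dh_group 1", "dh_group 2")
                       .replace("exchange_mode aggressive, main", "exchange_mode main"))

# racoon accepts DH groups by number or name; modp768 is group 1.
WEAK_DH = {"1", "modp768"}


def audit_racoon_conf(text):
    """Return (line_no, message) pairs for settings openswan refuses
    (DH/PFS group 1) or that weaken PSK phase 1 (aggressive mode)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop comments and the trailing ';', tolerating "hour ;" style spacing.
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in ("dh_group", "pfs_group") and value in WEAK_DH:
            findings.append((no, f"{key} {value}: group 1 is obsolete and "
                                 "openswan refuses it; use group 2 or 5"))
        elif key == "exchange_mode":
            modes = [m.strip() for m in value.split(",")]
            if "aggressive" in modes:
                findings.append((no, "exchange_mode offers aggressive: "
                                     "weakens PSK phase 1; use main only"))
    return findings
```

Running `audit_racoon_conf(WEAK_CONF)` flags the pfs_group, exchange_mode and dh_group lines; the corrected config yields no findings.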

Roger Doger wrote:
> Hello,
>  
> Has anyone successfully set up an ipsec connection between a Red Hat 
> Enterprise Linux version 3 and an IBM mainframe zos 9?
>  
> I used to work with freeswan a lot, and I understand the configuration 
> with ipsec.conf and ipsec.secrets, but a lot has changed in the 4 years 
> since I last worked with it.
>  
> My configuration is set up as follows:
>  
> racoon.conf:
>  
> path include "/etc/racoon";
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
> log debug2;
> sainfo anonymous
> {
>         pfs_group 1;
>         lifetime time 4 hour ;
>         encryption_algorithm aes, 3des, blowfish 448, rijndael ;
>         authentication_algorithm hmac_sha1;
>         compression_algorithm deflate;
> }
>  
>  
> Remote side, usually listed by X.X.X.X.conf in the /etc/racoon directory.
>  
> ;
> remote 192.168.1.100{
>         exchange_mode aggressive, main;
>         my_identifier address;
>         proposal {
>                 encryption_algorithm aes;
>                 hash_algorithm sha1;
>                 authentication_method pre_shared_key;
>                 dh_group 1;
>         }
> }
> and my ifcfg.ipsec0:
>  
> DST=192.168.1.100
> TYPE=IPsec
> ONBOOT=yes
> IKE_METHOD=PSK
> DEVICE=ipsec0
> To bring up the connection, I do an ifup ipsec0 and then attempt to ping 
> the remote side.
>  
> The ifup seems to be OK,
>  
> 
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a2258: 192.168.1.101/32[0] 10.176.150.192/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffc0a0: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> Aug 27 14:55:49 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a25a8: 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> 
> When I attempt to ping the remote side, I receive a resource unavailable 
> and the logs are:
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:194:pfkey_handler(): get 
> pfkey ACQUIRE message
> 
> Aug 27 15:06:52 st2 racoon: DEBUG2: plog.c:193:plogdump(): [hex dump omitted]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1521:pk_recvacquire(): 
> suitable outbound SP found: 192.168.1.101/32[0] 192.168.1.100/32[0] 
> proto=any dir=out.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a1950: 10.176.150.192/32[0] 192.168.1.101/32[0] proto=any dir=in
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:183:cmpspidxstrict(): 
> sub:0xbfffbb00: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: policy.c:184:cmpspidxstrict(): db 
> :0x80a1f08: 192.168.1.100/32[0] 192.168.1.101/32[0] proto=any dir=in
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1537:pk_recvacquire(): 
> suitable inbound SP found: 192.168.1.100/32[0] 192.168.1.101/32[0] 
> proto=any dir=in.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: pfkey.c:1576:pk_recvacquire(): new 
> acquire 192.168.1.101/32[0] 192.168.1.100/32[0] proto=any dir=out
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sainfo.c:99:getsainfo(): anonymous 
> sainfo selected.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto(): 
> (proto_id=AH spisize=4 spi=00000000 spi_p=00000000 encmode=Transport 
> reqid=0:0)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:852:printsatrns(): 
> (trns_id=SHA authtype=2)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:824:printsaproto(): 
> (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport 
> reqid=0:0)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): 
> (trns_id=RIJNDAEL encklen=128 authtype=2)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): 
> (trns_id=3DES encklen=0 authtype=2)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): 
> (trns_id=BLOWFISH encklen=448 authtype=2)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: proposal.c:858:printsatrns(): 
> (trns_id=RIJNDAEL encklen=128 authtype=2)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: remoteconf.c:117:getrmconf(): 
> configuration found for 192.168.1.100.
> 
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:1688:isakmp_post_acquire(): 
> IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:792:isakmp_ph1begin_i(): ===
> 
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:797:isakmp_ph1begin_i(): 
> initiate new phase 1 negotiation: 192.168.1.101[500]<=>192.168.1.100[500]
> 
> Aug 27 15:06:52 st2 racoon: INFO: isakmp.c:802:isakmp_ph1begin_i(): 
> begin Aggressive mode.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2000:isakmp_newcookie(): new 
> cookie: 2a5b4077b628056f
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: ipsec_doi.c:3184:ipsecdoi_setid1(): 
> use ID type of IPv4_address
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:256:oakley_dh_generate(): 
> compute DH's private.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: oakley.c:258:oakley_dh_generate(): 
> compute DH's public.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_agg.c:162:agg_i1send(): 
> authmethod is pre-shared key
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): 
> add payload of len 52, next type 4
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): 
> add payload of len 96, next type 10
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): 
> add payload of len 16, next type 5
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:2117:set_isakmp_payload(): 
> add payload of len 8, next type 0
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:469:sendfromto(): sockname 
> 192.168.1.101[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:471:sendfromto(): send 
> packet from 192.168.1.101[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:473:sendfromto(): send 
> packet to 192.168.1.100[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:588:sendfromto(): src4 
> 192.168.1.101[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:591:sendfromto(): dst4 
> 192.168.1.100[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: sockmisc.c:602:sendfromto(): 1 times 
> of 216 bytes message will be sent to 192.168.1.101[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): [hex dump omitted]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1453:isakmp_ph1resend(): 
> resend phase1 packet 2a5b4077b628056f:0000000000000000
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:220:isakmp_handler(): ===
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:221:isakmp_handler(): 40 
> bytes message received from 192.168.1.100[500]
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: plog.c:193:plogdump(): 2a5b4077 
> b628056f fe30d72f 57ba5a1d 0b100500 e2a7dce3 00000028 0000000c 00000001 
> 0100000e
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp_inf.c:113:isakmp_info_recv(): 
> receive Information.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1111:isakmp_parsewoh(): begin.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen 
> nptype=11(notify)
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: isakmp.c:1177:isakmp_parsewoh(): succeed.
> 
> Aug 27 15:06:52 st2 racoon: ERROR: 
> isakmp_inf.c:774:isakmp_info_recv_n(): unknown notify message, no phase2 
> handle found.
> 
> Aug 27 15:06:52 st2 racoon: DEBUG: 
> isakmp_inf.c:796:isakmp_info_recv_n(): notification message 
> 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=1 spi=(size=0).
> 
> Any help would be appreciated.
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
