[Openswan Users] Openswan IPSec host to host between RHEL and z/OS mainframe
Diep, David (OCTO-Contractor)
David.Diep at dc.gov
Mon Dec 29 15:31:01 EST 2014
Hi,
I'm new here and I was hoping to find some help. I have built many IPSec tunnels between z/OS mainframes and Microsoft servers. This is my first attempt at building an IPSec host-to-host between RHEL and a z/OS mainframe. It seems it should work in theory, but without much luck so far. This is what I am trying to do:
(left) RHEL = lsysg01a
(right) z/OS mainframe = 10.y.y.y
1. CA server is on the mainframe
2. A site certificate is created and imported to the RHEL machine
# pk12util -i LSYSG01AOS28.p12 OS28CA.p12 -d /etc/ipsec.d
Enter Password or Pin for "NSS Certificate DB"
Enter password for PKCS12 file
pk12util: PKCS12 IMPORT SUCCESSFUL
3. Displaying key database shows the certificates
# certutil -L -d /etc/ipsec.d/

Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

lsysg01a                                             u,u,u
IKE DAEMON CA                                        ,,
4. Display of my /etc/ipsec.d/ipsec.conf
# cat ipsec.conf
config setup

# Connections are added below
conn testOS28
    type=transport
    left=10.x.x.x
    leftcert=lsysg01a
    right=10.y.y.y
    ike=aes256-sha1-modp2048
    keylife=480m
    ikelifetime=1440m
    phase2=esp
    phase2alg=aes256-sha1-modp2048
    authby=rsasig
    auto=start
    pfs=yes

# Include other configuration files
include /etc/ipsec.d/*.conf
5. Display of /etc/ipsec.secrets
# cat ipsec.secrets
: RSA "IKE DAEMON CA"
I do not have iptables activated. IPSEC starts without errors. I do not know where the logged messages can be found to troubleshoot this further. On the mainframe side, I see this message (which indicates there is a mismatch in tunnel definition):
Dec 29 11:29:29 OS28 TRMD.INET[32]: EZD0833I Packet denied, tunnel mismatch: 12/29/2014 16:29:28.68 filter rule= RHEL_LSYSG01A~7 ext= 2 sipaddr= 10.x.x.x dipaddr= 10.y.y.y proto= icmp(1) type= 8 code= 0 -= Interface= 10.82.X.X (I) dest= local len= 84 tunnelID= N/A decap_tunnelID= N/A ifcname= LOSA42P0 fragment= N
Here is the 'right' tunnel definition:
Security Level: PFS - AES 256 FIPS Compliant Settings
  Type: Dynamic Tunnel
  Encryption: AES CBC 256-bit key (first choice)
  Authentication: SHA1 (first choice)
  Protocol: ESP (first choice)

Advanced Security Level Settings
  VPN Life: 1440 Minutes
  Initiator PFS Level: None
  Acceptable PFS Levels:
    None
    Diffie-Hellman Group14
    Diffie-Hellman Group19
    Diffie-Hellman Group20
    Diffie-Hellman Group21
    Diffie-Hellman Group24
  How to set the do not fragment bit: Propagate
  How to set the DSCP field: Propagate
  IKEv1 Dynamic tunnel encapsulation mode: Transport
  IKEv2 Dynamic tunnel encapsulation mode: Either
  Local Security Endpoint for the Dynamic Tunnels: 10.y.y.y
  Local IKE Identity for Dynamic Tunnels: CN=IKED DAEMON RSA,C=USA (X500 Name)
  Remote Security Endpoint for the Dynamic Tunnels: 10.x.x.x
  Remote IKE Identity for Dynamic Tunnels: CN=lsysg01a,C=USA (X500 Name)
  How to authenticate IKE (IKEv1): Digital Signature (RSA)
  How to authenticate IKE (IKEv2): Digital Signature (ECDSA or RSA)
  IKE Initiator mode: IKEv1 main mode
  IKEv1 Responder mode: Main
  IKEv1 NAT Traversal: Not allowed
  Bypass IP validation: Use stack level setting (Yes)
  Certificate revocation checking preference: None
  IKEv2 URL certificate lookup preference: Use stack level setting (Tolerate)
  IKEv2 authentication interval: Do not automatically reauthenticate
Any ideas??
Thanks!
David
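A proposal-consistency check, added here as an illustration and not part of David's post or of Openswan itself: it parses the conn from the post and compares its phase 2 proposal, PFS group, encapsulation mode and lifetime against the settings the z/OS tunnel display lists, so that a "tunnel mismatch" can first be narrowed to (or cleared of) a plain proposal difference. The DH-group table, the peer description `ZOS_PEER`, the embedded sample config and all function names are constructed for this example; the IKE phase 1 proposal is not compared because the z/OS display above does not list one.

```python
import re

# Openswan DH group keywords -> IKE group numbers (e.g. modp2048 is Group 14).
DH_GROUP_NUMBER = {
    "modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
    "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21, "modp2048s256": 24,
}

# Constructed sample: the conn from the post above, addresses masked as there.
SAMPLE_CONF = """\
config setup
# Connections are added below
conn testOS28
    type=transport
    left=10.x.x.x
    leftcert=lsysg01a
    right=10.y.y.y
    ike=aes256-sha1-modp2048
    keylife=480m
    ikelifetime=1440m
    phase2=esp
    phase2alg=aes256-sha1-modp2048
    authby=rsasig
    auto=start
    pfs=yes
include /etc/ipsec.d/*.conf
"""

# Constructed description of the z/OS side, transcribed from the display above.
ZOS_PEER = {
    "encap_mode": "transport",                 # IKEv1 dynamic tunnel encapsulation mode
    "protocol": "esp",
    "encryption": ("aes", 256),                # AES CBC 256-bit key
    "integrity": "sha1",
    "pfs_groups": {None, 14, 19, 20, 21, 24},  # acceptable PFS levels; None = no PFS
    "vpn_life_min": 1440,
}


def parse_ipsec_conf(text):
    """Parse openswan-style ipsec.conf into {section: {key: value}}.
    'config setup' is stored under 'setup'; comments and include lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include "):
            continue
        if line.startswith(("config ", "conn ")):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_proposal(spec):
    """Split 'aes256-sha1-modp2048' into cipher, key length, integrity and DH group."""
    parts = spec.lower().split("-")
    m = re.fullmatch(r"([a-z0-9]*?[a-z])(\d*)", parts[0])
    return {
        "cipher": m.group(1),
        "keylen": int(m.group(2)) if m.group(2) else None,
        "integ": parts[1] if len(parts) > 1 else None,
        "dh": parts[2] if len(parts) > 2 else None,
    }


def parse_minutes(value):
    """Openswan lifetime syntax: plain seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    n, unit = int(m.group(1)), (m.group(2) or "s")
    return n * {"s": 1 / 60, "m": 1, "h": 60, "d": 1440}[unit]


def compare_with_peer(conn, peer):
    """Return a list of mismatches between a parsed conn and the peer's settings;
    an empty list means everything compared here is acceptable to the peer."""
    findings = []
    local_mode = conn.get("type", "tunnel")          # openswan default is tunnel mode
    if local_mode != peer["encap_mode"]:
        findings.append(f"encapsulation: local {local_mode}, peer {peer['encap_mode']}")
    if conn.get("phase2", "esp") != peer["protocol"]:
        findings.append(f"phase2 protocol: local {conn.get('phase2')}, peer {peer['protocol']}")
    if "phase2alg" not in conn:
        findings.append("phase2alg not set; cannot compare ESP proposal")
        return findings
    p2 = parse_proposal(conn["phase2alg"])
    if (p2["cipher"], p2["keylen"]) != peer["encryption"]:
        findings.append(f"ESP cipher: local {p2['cipher']}{p2['keylen']}, peer {peer['encryption']}")
    if p2["integ"] != peer["integrity"]:
        findings.append(f"ESP integrity: local {p2['integ']}, peer {peer['integrity']}")
    if conn.get("pfs", "yes") == "yes":              # openswan default is pfs=yes
        group = DH_GROUP_NUMBER.get(p2["dh"])
        if group not in peer["pfs_groups"]:
            findings.append(f"PFS group {p2['dh']} (Group{group}) not in peer's acceptable PFS levels")
    elif None not in peer["pfs_groups"]:
        findings.append("local pfs=no but peer does not accept 'None' as a PFS level")
    if "keylife" in conn and parse_minutes(conn["keylife"]) > peer["vpn_life_min"]:
        findings.append(f"keylife {conn['keylife']} exceeds peer VPN life of {peer['vpn_life_min']} minutes")
    return findings


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["testOS28"]
    for finding in compare_with_peer(conn, ZOS_PEER) or ["no proposal mismatch found"]:
        print(finding)
```

With the settings from the post the check reports no mismatch (AES-256/SHA1 ESP in transport mode with PFS Group14 is within what the display lists), which moves the investigation to what the display does not show: the IKE phase 1 proposal, the identities and certificate trust on each side, and the negotiation itself. Openswan's pluto daemon logs through syslog, which on RHEL typically lands in /var/log/secure, and `ipsec auto --status` shows the state of each conn.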