Problem with Kerberos using racoon

sandypossible@gmail.com sandypossible at gmail.com
Tue Nov 29 07:40:50 EST 2005


Hi all,

I am trying to use Kerberos as the authentication method for IPSec using
Racoon as the daemon. My set up is:

I have two Red Hat Linux machines. I have verified the Kerberos
functionality in standalone mode. I am now trying to do an IPSec
connection. I am having issues:

My racoon.conf file looks like:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
remote 191.169.3.10 {
    exchange_mode main;
    my_identifier fqdn "test1.mydomain.com";
    peers_identifier fqdn "test2.mydomain.com";
    verify_identifier on;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method gssapi_krb;
        gssapi_id "ike/test1.mydomain.com";
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

Log messages in racoon.log:

2005-11-29 16:46:51: DEBUG: isakmp.c:1111:isakmp_parsewoh(): begin.
2005-11-29 16:46:51: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen nptype=4(ke)
2005-11-29 16:46:51: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen nptype=10(nonce)
2005-11-29 16:46:51: DEBUG: isakmp.c:1138:isakmp_parsewoh(): seen nptype=13(vid)
2005-11-29 16:46:51: DEBUG: isakmp.c:1177:isakmp_parsewoh(): succeed.
2005-11-29 16:46:51: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: GSSAPI
2005-11-29 16:46:51: DEBUG: isakmp.c:621:ph1_main(): ===
2005-11-29 16:46:51: DEBUG: oakley.c:210:oakley_dh_compute(): compute DH's shared.
2005-11-29 16:46:51: DEBUG: plog.c:193:plogdump():
1c2a3fe3 bd417e7f c6e7a997 68390cc6 da9bd83c 24367265 8adf0621 8b73f85f
d7a80e99 43b610cb 4ba5c422 6861ff92 a4f336d4 90972388 db4e90ba bb5dec0d
dbc12908 fc087d65 21304def 0530e939 b248f6a6 0b8b36d6 9bb1cb64 e66b913d
906f1cf2 fdb54342 f44418e5 2aec2225 ab3bd71c 0f3ecd4e 86e67b05 7aaf4877
2005-11-29 16:46:51: ERROR: oakley.c:2128:oakley_skeyid(): invalid authentication method 65001
2005-11-29 16:46:51: ERROR: isakmp.c:625:ph1_main(): failed to process packet.
2005-11-29 16:46:51: ERROR: isakmp.c:439:isakmp_main(): phase1 negotiation failed.
2005-11-29 16:47:22: ERROR: isakmp.c:1780:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 191.169.3.10->191.169.3.11
2005-11-29 16:47:22: INFO: isakmp.c:1785:isakmp_chkph1there(): delete phase 2 handler.

Could anybody help?
- Sandy
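Added example (not part of Sandy's post or of the racoon project): a small Python triage script for this kind of phase-1 failure. It rejoins racoon.log entries that a mail client wrapped onto a second line, parses racoon's "date time: LEVEL: file:line:func(): message" format, reports why phase 1 failed, and lints the proposal block for weak algorithms. The sample log and proposal are constructed to mirror the lines above. The number-to-name table assumes racoon's oakley.h, where the internal value OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB is 65001 (the value behind "authentication_method gssapi_krb"); in the ipsec-tools source that case of oakley_skeyid() is compiled only when racoon is built with GSSAPI support, so reaching "invalid authentication method 65001" points at a binary without it. Confirm that against your own build before acting on it.

```python
import re

# Constructed sample mirroring the racoon.log lines in the post, including
# the mail wrapping that splits several entries over two lines.
SAMPLE_LOG = """\
2005-11-29 16:46:51: DEBUG: isakmp.c:1111:isakmp_parsewoh(): begin.
2005-11-29 16:46:51: INFO: vendorid.c:128:check_vendorid(): received
Vendor ID: GSSAPI
2005-11-29 16:46:51: DEBUG: oakley.c:210:oakley_dh_compute(): compute
DH's shared.
2005-11-29 16:46:51: ERROR: oakley.c:2128:oakley_skeyid(): invalid
authentication method 65001
2005-11-29 16:46:51: ERROR: isakmp.c:625:ph1_main(): failed to process
packet.
2005-11-29 16:46:51: ERROR: isakmp.c:439:isakmp_main(): phase1
negotiation failed.
2005-11-29 16:47:22: ERROR: isakmp.c:1780:isakmp_chkph1there(): phase2
negotiation failed due to time up waiting for phase1. ESP
191.169.3.10->191.169.3.11
"""

# Constructed copy of the proposal block from the racoon.conf above.
SAMPLE_PROPOSAL = """\
    encryption_algorithm des;
    hash_algorithm md5;
    authentication_method gssapi_krb;
    gssapi_id "ike/test1.mydomain.com";
    dh_group 2;
"""

# racoon log format: "YYYY-MM-DD HH:MM:SS: LEVEL: file.c:line:func(): message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<level>[A-Z]+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): "
    r"(?P<msg>.*)$"
)

# IKE phase-1 authentication method numbers: 1-3 are the RFC 2409 values;
# 65001 is racoon's internal OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB (assumed
# from oakley.h), i.e. "authentication_method gssapi_krb" in racoon.conf.
AUTH_METHOD_NAMES = {1: "pre_shared_key", 2: "dsssig", 3: "rsasig",
                     65001: "gssapi_krb"}

# Algorithms a reviewer would flag in a proposal today.
WEAK = {"encryption_algorithm": {"des"}, "hash_algorithm": {"md5"}}


def unwrap(text):
    """Rejoin entries that were wrapped: a line that does not start with a
    timestamp is the continuation of the previous entry."""
    entries = []
    for raw in text.splitlines():
        if LINE_RE.match(raw):
            entries.append(raw)
        elif entries:
            entries[-1] += " " + raw.strip()
    return entries


def parse(text):
    """Parse unwrapped entries into dicts (ts, level, file, lineno, func, msg)."""
    out = []
    for entry in unwrap(text):
        m = LINE_RE.match(entry)
        if m:
            d = m.groupdict()
            d["lineno"] = int(d["lineno"])
            out.append(d)
    return out


def diagnose(text):
    """Summarize the phase-1 outcome from the ERROR entries."""
    errors = [e for e in parse(text) if e["level"] == "ERROR"]
    report = {"errors": len(errors), "phase1_failed": False,
              "auth_method": None, "cause": None}
    for e in errors:
        if e["func"] == "isakmp_main" and "phase1 negotiation failed" in e["msg"]:
            report["phase1_failed"] = True
        m = re.search(r"invalid authentication method (\d+)", e["msg"])
        if m and e["func"] == "oakley_skeyid":
            code = int(m.group(1))
            name = AUTH_METHOD_NAMES.get(code, "unknown")
            report["auth_method"] = name
            report["cause"] = (
                f"oakley_skeyid() has no SKEYID derivation for method {code} "
                f"({name}); check that racoon was built with support for it")
    return report


def lint_proposal(text):
    """Flag weak algorithms in a racoon.conf proposal block."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").split(None, 1)
        if len(parts) == 2 and parts[1] in WEAK.get(parts[0], ()):
            findings.append(f"{parts[0]} {parts[1]} is weak; use a modern algorithm")
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    for f in lint_proposal(SAMPLE_PROPOSAL):
        print("proposal:", f)
```

Run it against a real racoon.log by reading the file into diagnose(); the unwrap step is harmless on unwrapped logs. The DEBUG entries the script does not classify (the DH dump, the payload types seen) are still parsed and available from parse() for further triage.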
