Date: Thu, 9 Mar 2017 08:55:28 +0700
From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-net@freebsd.org
Subject: Re: GSSAPI and racoon
Message-ID: <20170309015528.GA73893@admin.sibptus.transneft.ru>
In-Reply-To: <20170308062010.GA65343@admin.sibptus.transneft.ru>
References: <20170303154509.GA81714@admin.sibptus.transneft.ru> <20170308062010.GA65343@admin.sibptus.transneft.ru>

Victor Sudakov wrote:
> Victor Sudakov wrote:
> >
> > Is anyone running GSSAPI+IKE (racoon)?
>
> I'm still struggling with racoon in GSSAPI mode. racoon says
>
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: failed to get valid proposal.
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: phase1 negotiation failed.
>
> I would be very grateful if someone with IPSec experience could look
> at my configs and logs. What am I missing?
>
> Not to clutter the list, I'm giving short URLs:
>
> racoon.conf: http://termbin.com/lk2w
> racoon debug log: http://termbin.com/0lol
> keytab: http://termbin.com/4yj9
>
> The remote host configuration is identical, only it's called "ipsec1",
> not "ipsec2".

I forgot to mention that "kinit -t /etc/krb5.keytab
ike/ipsec1.sibptus.ru@SIBPTUS.RU" fetches a TGT all right, so the
problem is probably not with Kerberos setup per se.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859