Whenever I try:
Code:
racoonctl vc -u user my.ip
I am getting:
Code:
send: Bad file descriptor
What could be the problem?
Hi, There is:
Code:
log debug;
path certificate "/etc/racoon";

listen {
    adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}

remote XX.XX.XXX.XXX {
    exchange_mode aggressive;
    ca_type x509 "cacert.pem";
    proposal_check strict;
    nat_traversal on;
    verify_cert off;
    ike_frag on;
    mode_cfg on;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;
    passive off;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
What are the outputs of
Code:
ls -l /var/racoon/racoon.sock
ls -l /etc/racoon/phase1-up.sh
ls -l /etc/racoon/phase1-down.sh
ls -la /etc/racoon
?
Hi, That would be
Code:
srw-rw----   1 root operator     0 2008-02-20 21:14 racoon.sock
-rwxr-xr-x   1 root operator  2101 2006-09-30 23:22 /etc/racoon/phase1-up.sh
-rwxr-xr-x   1 root operator  1926 2006-09-30 23:22 /etc/racoon/phase1-down.sh
drwxr-xr-x   2 root root      4096 2008-02-20 20:16 .
drwxr-xr-x 148 root root     12288 2008-02-20 19:11 ..
-rw-r--r--   1 root operator  1180 2008-02-20 20:16 cacert.pem
-rwxr-xr-x   1 root operator  1926 2006-09-30 23:22 phase1-down.sh
-rwxr-xr-x   1 root operator  2101 2006-09-30 23:22 phase1-up.sh
-rw-------   1 root root       275 2007-07-19 19:03 psk.txt
-rw-r--r--   1 root operator   807 2008-02-20 20:17 racoon.conf
-rw-r--r--   1 root root      1000 2007-07-19 19:03 racoon-tool.conf
more symptoms:
Code:
root@desktop:/etc/racoon# racoonctl show-event
send: Bad file descriptor
root@desktop:/etc/racoon# racoonctl reload-config
send: Bad file descriptor
I have changed my conf to:
Code:
adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
and the connection works fine, so the problem was with directory permissions. Now I have some routing/netfilter problems - I can ping everything in the local and remote LAN, I have TCP to the local LAN and only to the racoon gateway (it is also the router and firewall of the remote LAN, in one box), but nothing else :-(. I will try to resolve it now.
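The check the thread ends up doing by hand (does the adminsock path sit in a directory racoon can create the socket in, and can the user running racoonctl reach it) as a small script. This is an added example, not code from any poster; the two racoon.conf fragments it reads are constructed in a scratch directory so nothing under /var/run is touched, and the status codes are the script's own convention.

```shell
#!/bin/sh
# Added example, not from the original thread: read the adminsock directive out
# of a racoon.conf and check whether racoonctl, run as the current user, could
# reach that socket. Exit codes are this script's own convention.

check_adminsock() {
    conf="$1"
    # Matches a line of the form:
    #   adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
    sock=$(sed -n 's/^[[:space:]]*adminsock[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    if [ -z "$sock" ]; then
        echo "$conf: no adminsock directive" >&2
        return 2
    fi
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ]; then
        echo "$sock: directory $dir does not exist, so racoon cannot create the socket" >&2
        return 3
    fi
    if [ ! -x "$dir" ]; then
        echo "$sock: directory $dir is not searchable by $(id -un)" >&2
        return 4
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock: no socket there (racoon not running, or listening on another path)" >&2
        return 5
    fi
    if [ ! -w "$sock" ]; then
        echo "$sock: socket exists but $(id -un) cannot write to it; compare owner, group and mode with the directive" >&2
        return 6
    fi
    echo "$sock: reachable"
    return 0
}

# Constructed demo configs in a scratch directory (nothing under /var/run is touched).
scratch=$(mktemp -d)
mkdir -p "$scratch/run/racoon"

# Directive points into a directory that does not exist.
cat > "$scratch/missing-dir.conf" <<EOF
listen {
    adminsock "$scratch/var-racoon/racoon.sock" "root" "operator" 0660;
}
EOF

# Directory exists, but no daemon has created the socket in it.
cat > "$scratch/no-socket.conf" <<EOF
listen {
    adminsock "$scratch/run/racoon/racoon.sock" "root" "operator" 0660;
}
EOF

for c in "$scratch/missing-dir.conf" "$scratch/no-socket.conf"; do
    check_adminsock "$c" || echo "  -> status $?"
done
```

Against a live system, point it at /etc/racoon/racoon.conf and run it as the user who actually runs racoonctl, not as root: root passes the directory and socket permission tests whatever the mode is, so the group and mode in the adminsock directive only get exercised by an unprivileged caller.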
certificate problem
Hi! I get the following error and I can't google up anything that works...
Code:
[root@mail1 Templates]# openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
error on line -1 of ./openssl.cnf
31310:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('./openssl.cnf','rb')
31310:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
31310:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
I run it as root, so I don't think there are permission problems. I tried it on Ubuntu 8.04 and Fedora 10, but I get the very same error...
Yours sincerely
Laszlo Balogh
openssl.cnf
Hi! Nothing. I don't even have a file like that. I mean the howto didn't specify from which folder I should run the command, so I ran it from /etc/racoon and from other places too (the howto mentioned openssl.conf; I tried that too). But
Code:
# locate openssl.conf
only gives this one answer:
Code:
/var/lib/dpkg/info/openssl.conffiles
After a bit of browsing I found openssl.cnf in /etc/ssl, and it indeed has a few parts I think should work. Pasting them now:
Code:
.......
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
.....
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
.........
So I think I am missing something, but I don't know where I make that mistake.
Thx
Laszlo Balogh
This is how to call the command.
Code:
openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf
and the privateKey directory needs to exist in your pwd.
finished at last
Hi there! Thx for all the help! I finally finished. I had to create a few directories and move around a few files, but it is done. Last it asked for a serial file. I just created one empty serial file and wrote random numbers in one line into it. It swallowed it. Now if I can only get shorewall tunnelling done it'll work. Thx a lot
Laszlo Balogh
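The procedure from the two posts above (create the privateKey directory, point -config at a file that actually exists, run openssl req with -extensions v3_ca, and seed the serial file) as one script. This is an added example and not part of the original thread. It writes its own minimal openssl.cnf modelled on the [ req ] and [ v3_ca ] sections quoted earlier, uses 2048-bit keys and SHA-256 instead of the 1024-bit default shown there, and seeds serial with 01, the hex form openssl ca expects, rather than random digits. The -nodes and -subj flags only keep the demo non-interactive; the CA name and the scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: build the CA directory layout
# and create the self-signed CA certificate the openssl command in the thread
# was trying to produce. Everything goes under the directory passed in.
# Returns 0 on success, 77 if openssl is not installed, 1 otherwise.

make_ca() {
    ca_dir="$1"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping" >&2
        return 77
    fi
    mkdir -p "$ca_dir/privateKey" "$ca_dir/newcerts" || return 1

    # Minimal config modelled on the [ req ] and [ v3_ca ] sections quoted above,
    # with 2048-bit keys and SHA-256 instead of the 1024-bit default.
    cat > "$ca_dir/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign
EOF

    # Files "openssl ca" looks for later: the next serial number, in hex,
    # and an empty certificate database.
    echo 01 > "$ca_dir/serial"
    : > "$ca_dir/index.txt"

    (
        cd "$ca_dir" || exit 1
        # -config points at the file written above, so it resolves no matter
        # where the script is started from. -nodes and -subj keep the demo
        # non-interactive; a real CA key should get a passphrase (drop -nodes).
        openssl req -new -x509 -nodes -subj "/CN=Demo VPN CA" \
            -extensions v3_ca -config ./openssl.cnf \
            -keyout privateKey/cakey.pem -out cacert.pem -days 3650 \
            >/dev/null 2>&1 || exit 1
        chmod 0600 privateKey/cakey.pem
        # Confirm the result really is a CA certificate (basicConstraints CA:TRUE).
        openssl x509 -in cacert.pem -noout -text | grep -q 'CA:TRUE'
    )
}

demo=$(mktemp -d)
if make_ca "$demo"; then
    echo "CA created under $demo"
    openssl x509 -in "$demo/cacert.pem" -noout -subject -issuer
fi
```

The resulting cacert.pem is the file the `ca_type x509 "cacert.pem"` line in the racoon remote block refers to, resolved relative to `path certificate`; the private key under privateKey/ stays on the CA host and is never copied into /etc/racoon.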