GSSAPI and racoon
Victor Sudakov
vas at mpeks.tomsk.su
Thu Mar 9 01:55:32 UTC 2017
Victor Sudakov wrote:
> Victor Sudakov wrote:
> >
> > Is anyone running GSSAPI+IKE (racoon)?
>
> I'm still struggling with racoon in GSSAPI mode. racoon says
>
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: failed to get valid proposal.
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
> 2017-03-08 13:01:59: [192.168.3.38] ERROR: phase1 negotiation failed.
>
> I would be very grateful if someone with IPSec experience could look
> at my configs and logs. What am I missing?
>
> Not to clutter the list, I'm giving short URLs:
>
> racoon.conf: http://termbin.com/lk2w
> racoon debug log: http://termbin.com/0lol
> keytab: http://termbin.com/4yj9
>
> The remote host configuration is identical, only it's called "ipsec1",
> not "ipsec2".

I forgot to mention that
"kinit -t /etc/krb5.keytab ike/ipsec1.sibptus.ru at SIBPTUS.RU"
fetches a TGT all right, so the problem is probably not with Kerberos
setup per se.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
More information about the freebsd-net mailing list