View Full Version : Racoon Roadwarrior Configuration
marwooj
15th February 2008, 11:34
Whenever I try:
racoonctl vc -u user my.ip
I am getting:
send: Bad file descriptor
What could be the problem?
falko
16th February 2008, 18:37
What's in your /etc/racoon/racoon.conf?
marwooj
18th February 2008, 09:50
Hi,
There is:
log debug;
path certificate "/etc/racoon";
listen {
adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}
remote XX.XX.XXX.XXX {
exchange_mode aggressive;
ca_type x509 "cacert.pem";
proposal_check strict;
nat_traversal on;
verify_cert off;
ike_frag on;
mode_cfg on;
script "/etc/racoon/phase1-up.sh" phase1_up;
script "/etc/racoon/phase1-down.sh" phase1_down;
passive off;
proposal {
encryption_algorithm aes;
hash_algorithm md5;
authentication_method hybrid_rsa_client;
dh_group 2;
}
}
sainfo anonymous {
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm aes;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
falko
19th February 2008, 14:16
What are the outputs of
ls -l /var/racoon/racoon.sock
ls -l /etc/racoon/phase1-up.sh
ls -l /etc/racoon/phase1-down.sh
ls -la /etc/racoon?
marwooj
20th February 2008, 22:20
Hi,
That would be
srw-rw---- 1 root operator 0 2008-02-20 21:14 racoon.sock
-rwxr-xr-x 1 root operator 2101 2006-09-30 23:22 /etc/racoon/phase1-up.sh
-rwxr-xr-x 1 root operator 1926 2006-09-30 23:22 /etc/racoon/phase1-down.sh
drwxr-xr-x 2 root root 4096 2008-02-20 20:16 .
drwxr-xr-x 148 root root 12288 2008-02-20 19:11 ..
-rw-r--r-- 1 root operator 1180 2008-02-20 20:16 cacert.pem
-rwxr-xr-x 1 root operator 1926 2006-09-30 23:22 phase1-down.sh
-rwxr-xr-x 1 root operator 2101 2006-09-30 23:22 phase1-up.sh
-rw------- 1 root root 275 2007-07-19 19:03 psk.txt
-rw-r--r-- 1 root operator 807 2008-02-20 20:17 racoon.conf
-rw-r--r-- 1 root root 1000 2007-07-19 19:03 racoon-tool.conf
falko
21st February 2008, 18:42
Can you try this?
chmod 666 /var/racoon/racoon.sock
marwooj
24th February 2008, 15:32
Can you try this?
chmod 666 /var/racoon/racoon.sock
It does not help; even user root is getting this:
send: Bad file descriptor
marwooj
24th February 2008, 15:53
more symptoms:
root@desktop:/etc/racoon# racoonctl show-event
send: Bad file descriptor
root@desktop:/etc/racoon# racoonctl reload-config
send: Bad file descriptor
marwooj
24th February 2008, 16:23
I have changed my conf to:
adminsock "/var/run/racoon/racoon.sock" "root" "operator" 0660;
and the connection works fine, so the problem was with directory permissions.
Now I have some routing/netfilter problems: I can ping everything in the local and remote LAN, I have TCP to the local LAN and only to the racoon gateway (it is also the router and firewall of the remote LAN in one box), but nothing else :-(. I will try to resolve it now.
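An added pre-flight check for the configuration posted above. This is my own script, not code from any post in this thread or from the racoon project. It assumes POSIX sh with sed and grep, embeds a constructed sample racoon.conf (the thread's config with the original adminsock path), and assumes the ipsec-tools racoonctl with its -s option for naming the socket. The thread never pinned down why the /var/racoon path failed, so the check covers the usual reasons racoonctl cannot reach the daemon rather than asserting one. It also lists the settings in the posted config that should not survive past testing: verify_cert off is the serious one, because with hybrid_rsa_client the gateway is authenticated only by its certificate, so switching verification off lets anyone who answers on that address collect the Xauth credentials.

```shell
#!/bin/sh
# Added example, not part of the thread: a pre-flight check for a racoon
# road-warrior racoon.conf. It reports whether racoonctl can plausibly reach
# the adminsock the config declares, and lists settings in the config that
# weaken the tunnel. The sample config below is constructed from the thread's
# racoon.conf with the original (failing) adminsock path.

write_sample_conf() {             # prints the path of a constructed racoon.conf
  f=$(mktemp)
  cat >"$f" <<'EOF'
log debug;
path certificate "/etc/racoon";
listen {
    adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
}
remote XX.XX.XXX.XXX {
    exchange_mode aggressive;
    ca_type x509 "cacert.pem";
    verify_cert off;
    mode_cfg on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_md5;
}
EOF
  echo "$f"
}

# Print the socket path from the adminsock directive (empty if absent).
adminsock_path() {
  sed -n 's/^[[:space:]]*adminsock[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if the socket at $1 could be used by this user, 1 otherwise, with a
# diagnosis on stdout. racoonctl connects to its compiled-in default path
# unless told otherwise with -s, so the path must match on both sides.
socket_reachable() {
  sock=$1
  [ -n "$sock" ] || { echo "no adminsock path given"; return 1; }
  dir=$(dirname "$sock")
  [ -d "$dir" ] || { echo "directory $dir missing: racoon cannot create $sock"; return 1; }
  [ -S "$sock" ] || { echo "$sock is not a socket: is racoon running with this config?"; return 1; }
  [ -w "$sock" ] || { echo "$sock not writable by $(id -un): check the adminsock owner/group/mode"; return 1; }
  echo "$sock reachable; try: racoonctl -s $sock show-sa"
}

check_adminsock() {               # $1 = racoon.conf
  socket_reachable "$(adminsock_path "$1")"
}

# One line per weak setting found in $1; nothing printed means none found.
weak_settings() {
  grep -Eq '^[[:space:]]*verify_cert[[:space:]]+off' "$1" &&
    echo "verify_cert off: gateway cert is not validated, so anyone can impersonate it and collect the Xauth password"
  grep -Eq '^[[:space:]]*(hash_algorithm|authentication_algorithm)[[:space:]]+(hmac_)?md5' "$1" &&
    echo "md5 for IKE hash / ESP integrity: prefer sha256"
  grep -Eq '^[[:space:]]*(dh_group|pfs_group)[[:space:]]+(1|2)[[:space:]]*;' "$1" &&
    echo "dh_group/pfs_group 2 is 1024-bit MODP: prefer 14 or stronger"
  grep -Eq '^[[:space:]]*exchange_mode[[:space:]]+aggressive' "$1" &&
    echo "aggressive mode sends the identity payload before encryption is up; use main where the gateway allows it"
  return 0
}
```

Run it as `check_adminsock /etc/racoon/racoon.conf; weak_settings /etc/racoon/racoon.conf` as the user who will run racoonctl; the adminsock line in the config grants root and the operator group, so a member of neither gets the "not writable" line.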
pixel.hu
4th May 2009, 13:21
Hi!
I get the following error and I can't google up anything that
works...
***
[root@mail1 Templates]# openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
error on line -1 of ./openssl.cnf
31310:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('./openssl.cnf','rb')
31310:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
31310:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
***
I run it as root, so I don't think there are permission problems.
I tried it on Ubuntu 8.04 and Fedora 10, but I get the very same error...
Yours sincerely
Laszlo Balogh
pixel.hu
6th May 2009, 10:43
Hi!
Nothing. I don't even have a file like that. I mean the howto didn't specify from which folder I should run the command, so I ran it from /etc/racoon and from other places too. (The howto mentioned openssl.conf; I tried that too.)
But #locate openssl.conf only gives this one answer
/var/lib/dpkg/info/openssl.conffiles
After a bit of browsing I found openssl.cnf in /etc/ssl, and it indeed has a
few parts I think should work. Pasting them now:
.......
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
.....
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
.........
So I think I am missing something, but I don't know where I make that mistake.
Thx
Laszlo Balogh
topdog
6th May 2009, 10:53
This is how to call the command.
openssl req -new -x509 -extensions v3_ca -keyout privateKey/cakey.pem -out cacert.pem -days 3650 -config /etc/ssl/openssl.cnf
and the privateKey directory needs to exist in your pwd.
pixel.hu
6th May 2009, 12:04
Hi there!
Thx for all the help!
I finally finished.
I had to create a few directories and move around a few files, but it is done.
Lastly it asked for a serial file. I just created one empty serial file,
and wrote random numbers in one line into it. It swallowed it.
Now if I can only get Shorewall tunnelling done, it'll work.
Thx a lot
Laszlo Balogh
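An added worked example that completes the CA setup discussed in the last three posts. It is my script, not topdog's, pixel.hu's or the howto's. It writes its own minimal openssl.cnf instead of depending on /etc/ssl/openssl.cnf (so the "error on line -1" file-not-found failure cannot occur), creates the private/, newcerts/, index.txt and serial layout that openssl ca looks for (the key directory is named private here rather than the howto's privateKey; adjust as needed), and then issues and verifies a road-warrior client certificate. The serial check reflects the one rule that file has: an even number of hex digits, which is why a line of random decimal digits happened to be accepted. Assumes POSIX sh and an openssl binary; all paths under the scratch directory are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): lay out the directory structure that
# "openssl ca" expects, create the self-signed CA the thread's command builds,
# then issue and verify a road-warrior client certificate against it.
# Everything lives under a scratch directory; the openssl.cnf below is a
# minimal config written here so no system file needs to be located.

write_openssl_cnf() {             # $1 = CA dir; prints the config path
  cfg="$1/openssl.cnf"
  cat >"$cfg" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_cn
x509_extensions = client_cert
[ policy_cn ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ client_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  echo "$cfg"
}

# Create the CA layout and the self-signed CA cert; prints the CA dir.
# The serial file must hold a hex number with an even number of digits
# (OpenSSL parses it with a2i_ASN1_INTEGER, which rejects odd lengths),
# which is why "01" is the conventional starting value.
setup_ca() {                      # $1 = scratch dir
  ca="$1/ca"
  mkdir -p "$ca/private" "$ca/newcerts"
  chmod 700 "$ca/private"
  : >"$ca/index.txt"
  echo 01 >"$ca/serial"
  cfg=$(write_openssl_cnf "$ca")
  # -nodes leaves the CA key unencrypted for this demo; encrypt it for real use.
  openssl req -new -x509 -extensions v3_ca -config "$cfg" -nodes \
    -newkey rsa:2048 -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
    -days 3650 -subj "/CN=Road Warrior CA" >/dev/null 2>&1
  echo "$ca"
}

# 0 if the serial file is an even-length hex number, 1 otherwise.
check_serial() {
  grep -Eq '^([0-9A-Fa-f][0-9A-Fa-f])+$' "$1"
}

# Issue a client certificate for the named road warrior; prints the cert path.
issue_client_cert() {             # $1 = CA dir, $2 = client name
  openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl ca -batch -notext -config "$1/openssl.cnf" \
    -in "$1/$2.csr" -out "$1/$2.pem" >/dev/null 2>&1
  echo "$1/$2.pem"
}

# Prints OK if the certificate chains to the CA, FAIL otherwise.
verify_against_ca() {             # $1 = CA dir, $2 = cert path
  if openssl verify -CAfile "$1/cacert.pem" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}
```

Usage: `ca=$(setup_ca /tmp/racoon-pki); issue_client_cert "$ca" roadwarrior1; verify_against_ca "$ca" "$ca/roadwarrior1.pem"`. The resulting cacert.pem is what racoon's `ca_type x509` directive points at on the client, and each signing run advances the serial file (01 becomes 02), so never hand-edit it once the CA is in use.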