IPsec tunnel connection problem

I am trying to connect a Solaris 10 box to a Cisco PIX using an IPsec tunnel. But it seems to stop at some point.

From the post at http://www.mail-archive.com/[email protected]/msg07573.html

It looks like I have to disable X-Auth and mode-config on the Cisco?

From the IKE dump:

# /usr/lib/inet/in.iked -f /etc/inet/ike/config -d
Jan 16 00:40:57: 2012 (+0800) *** in.iked started ***
Jan 16 00:40:57: Loading configuration...
Jan 16 00:40:57: Checking lifetimes in "nullrule"
Jan 16 00:40:57: Using default value for p2 lifetime: 28800 seconds.
Jan 16 00:40:57: p2 softlife too small.
Jan 16 00:40:57: Using default value for p2 soft lifetime: 25920 seconds.
Jan 16 00:40:57: Using default value for p2 idle lifetime: 14400 seconds.
Jan 16 00:40:57: Using default value for p2 byte lifetime: 134217728 kb
Jan 16 00:40:57: Using default value for p2 soft byte lifetime: 120795955 kb
Jan 16 00:40:57: Checking lifetimes in "myvpn"
Jan 16 00:40:57: Adding rule "myvpn" to IKE configuration;
Jan 16 00:40:57:   mode 256 (any), cookie 6, slot 0; total rules 1
Jan 16 00:40:57: Configuration update succeeded! Updating active databases.
Jan 16 00:40:57: Configuration ok.
Jan 16 00:40:57: Loading preshared keys...
Jan 16 00:40:57: Unique instance of in.iked started.
Jan 16 00:40:57: Adding certificates...
Jan 16 00:40:57: 0 certificates successfully added
Jan 16 00:40:57: Adding private keys...
Jan 16 00:40:57: 0 private keys successfully added.
Jan 16 00:40:57: Skipping lo0 address 127.0.0.1
Jan 16 00:40:57: Adding bnx0 address xxx.xxx.44.239 to in.iked service list...
Jan 16 00:40:57:   Adding entry #1; IP address = xxx.xxx.44.239, interface = bnx0.
Jan 16 00:40:57:   Now 1 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:1 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57:   Adding entry #2; IP address = xxx.xxx.44.245, interface = bnx0:1.
Jan 16 00:40:57:   Now 2 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:2 address 10.1.1.239 to in.iked service list...
Jan 16 00:40:57:   Adding entry #3; IP address = 10.1.1.239, interface = bnx0:2.
Jan 16 00:40:57:   Now 3 addresses being serviced.
Jan 16 00:40:57: Adding ip.tun0 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57:   Address already exists: now 2 users
Jan 16 00:40:57: Initializing PF_KEY socket...
Jan 16 00:40:57: ESP initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:40:57: AH initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...


Jan 16 00:41:16: Handling data on PF_KEY socket:
                                         SADB msg: message type 6 (ACQUIRE), SA type 0 (UNSPEC),
                                         pid 0, sequence number 4294963042,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 25
Jan 16 00:41:16: Inner addresses present,
Jan 16 00:41:16: Doing ACQUIRE....
Jan 16 00:41:16: Trying to get Phase 1 (by itself)...
Jan 16 00:41:16: Looking for an existing Phase 1 SA...
Jan 16 00:41:16:   Searching rulebase for src = xxx.xxx.44.239[0]
Jan 16 00:41:16:                          dst = xxx.xxx.11.24[0]
Jan 16 00:41:16:   Examining rule list.
Jan 16 00:41:16:   rule 'myvpn' 0x6;
Jan 16 00:41:16:                          local addr xxx.xxx.44.239[2824];
Jan 16 00:41:16:                          remote addr xxx.xxx.11.24[2824]
Jan 16 00:41:16:    [basic match]
Jan 16 00:41:16:   Selected rule: 'myvpn'

Jan 16 00:41:16: Updating p2_lifetime to 28800 seconds.
Jan 16 00:41:16: Checking lifetimes in "myvpn"
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing local identity payload...
Jan 16 00:41:16:   Local ID type: ipv4(any:0,[0..3]=xxx.xxx.44.239)
Jan 16 00:41:16: Constructing Phase 1 Transforms:
        Our Proposal:
        Rule: "myvpn" ; transform 0
        auth_method = 1 (Pre-shared)
        hash_alg = 1 (md5)
        encr_alg = 5 (3des-cbc)
        oakley_group = 2
Jan 16 00:41:16: Phase 1 exchange type=2 (IP), 1 transform(s).
Jan 16 00:41:16: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)
Jan 16 00:41:16:   New Phase 1 negotiation!
Jan 16 00:41:16:   Waiting for IKE results.
Jan 16 00:41:16: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:16: Determining P1 nonce data length.
Jan 16 00:41:16:   NAT-T state 0 (INIT)
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0x09002689dfd6b712
Jan 16 00:41:17:   XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17:   Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17:   Using Dead Peer Detection (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17:   Cisco-Unity
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0x1bbeeea30f37d3ccd73e1cd102c84809
Jan 16 00:41:17:   Could not find VID description
Jan 16 00:41:17: Finding preshared key...
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
Jan 16 00:41:17:   Tunnel mode [ACQUIRE]
Jan 16 00:41:17: PF_KEY message contents:
Timestamp: Mon Jan 16 00:41:17 2012
Base message (version 2) type ACQUIRE, SA type <unspecified/all>.
Message length 200 bytes, seq=4294963042, pid=0.
INS: Inner source address (proto=0)
INS: AF_INET: port 0, 0.0.0.0.
IND: Inner destination address (proto=0)
IND: AF_INET: port 0, 0.0.0.0.
SRC: Source address (proto=4)
SRC: AF_INET: port 0, xxx.xxx.44.239.
DST: Destination address (proto=4)
DST: AF_INET: port 0, xxx.xxx.11.24.
EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
EPR:  Extended combination #1:
EPR:  HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
EPR:  SOFT: alloc=0, bytes=0, post-add secs=24000, post-use secs=0
EPR:  Alg #1 for AH Authentication = hmac-md5  minbits=128, maxbits=128.
EPR:  Alg #2 for ESP Encryption = 3des-cbc  minbits=192, maxbits=192.
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "ah"
Jan 16 00:41:17:   local xxx.xxx.44.239[0]
Jan 16 00:41:17:   remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
                                         queueing sequence number 5, message type 1 (GETSPI),
                                         SA type 2 (AH)
Jan 16 00:41:17: PF_KEY transmit request:
                                         posting sequence number 5, message type 1 (GETSPI),
                                         SA type 2 (AH)
Jan 16 00:41:17: Handling data on PF_KEY socket:
                                         SADB msg: message type 1 (GETSPI), SA type 2 (AH),
                                         pid 2978, sequence number 5,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
                                         got sequence number 5, message type 1 (GETSPI),
                                         SA type 2 (AH)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "esp"
Jan 16 00:41:17:   local xxx.xxx.44.239[0]
Jan 16 00:41:17:   remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
                                         queueing sequence number 6, message type 1 (GETSPI),
                                         SA type 3 (ESP)
Jan 16 00:41:17: PF_KEY transmit request:
                                         posting sequence number 6, message type 1 (GETSPI),
                                         SA type 3 (ESP)
Jan 16 00:41:17: Handling data on PF_KEY socket:
                                         SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
                                         pid 2978, sequence number 6,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
                                         got sequence number 6, message type 1 (GETSPI),
                                         SA type 3 (ESP)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: Setting QM nonce data length to 32 bytes.
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Policy Manager phase 1 info not found! (message type 10 (Invalid protocol ID))
Jan 16 00:41:17: Notifying library that P2 SA is freed.
Jan 16 00:41:17:   Local IP = xxx.xxx.44.239, Remote IP = xxx.xxx.11.24,
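
The following is an added example and not part of the original post or of the Solaris in.iked tool: a small Python parser that reads an in.iked -d dump in the line format shown above and pulls out the pieces a troubleshooter looks at first (the local Phase 1 proposal, the vendor IDs the peer sent, whether Phase 1 completed, and the first IKE notify error during Phase 2). The SAMPLE_LOG is a constructed excerpt of the dump above with the same masked addresses; the interpretation of the XAUTH and Cisco-Unity vendor IDs in diagnose() is the generally known meaning of those IDs (Cisco extended authentication and Cisco remote-access client extensions), and the weak-algorithm warnings are the parser's own assumptions, not something the dump states.

```python
import re

# Constructed excerpt of the in.iked -d output posted above (addresses masked as in the post).
SAMPLE_LOG = """\
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing Phase 1 Transforms:
        Our Proposal:
        Rule: "myvpn" ; transform 0
        auth_method = 1 (Pre-shared)
        hash_alg = 1 (md5)
        encr_alg = 5 (3des-cbc)
        oakley_group = 2
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0x09002689dfd6b712
Jan 16 00:41:17:   XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17:   Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17:   0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17:   Cisco-Unity
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Notifying library that P2 SA is freed.
"""

# "Jan 16 00:41:17: " prefix that in.iked puts in front of most lines.
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d: ?")
# Proposal attribute lines such as "hash_alg = 1 (md5)" or "oakley_group = 2".
PROPOSAL_RE = re.compile(
    r"^(auth_method|hash_alg|encr_alg|oakley_group)\s*=\s*(\d+)(?:\s*\((.*?)\))?$")
# IKE notify errors such as "IKE error: type 10 (Invalid protocol ID), ...".
ERR_RE = re.compile(r"IKE error: type (\d+) \((.*?)\)")


def parse_iked_log(text):
    """Return a dict with the proposal, peer vendor IDs, phase state and IKE errors."""
    state = {"proposal": {}, "vendor_ids": [], "phase1_done": False,
             "phase2_started": False, "errors": []}
    lines = [TS_RE.sub("", ln) for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        body = lines[i].strip()
        m = PROPOSAL_RE.match(body)
        if m:
            key, num, name = m.groups()
            state["proposal"][key] = (int(num), name)
        elif body == "Vendor ID from peer:" and i + 2 < len(lines):
            # The hex ID and its description follow on the next two lines.
            state["vendor_ids"].append((lines[i + 1].strip(), lines[i + 2].strip()))
            i += 2
        elif body == "Phase 1 negotiation done.":
            state["phase1_done"] = True
        elif body == "Starting Phase 2 negotiation...":
            state["phase2_started"] = True
        else:
            m = ERR_RE.search(body)
            if m:
                state["errors"].append((int(m.group(1)), m.group(2)))
        i += 1
    return state


# Assumed policy for the warnings below (not taken from the post).
WEAK_ALGS = {"hash_alg": {"md5"}, "encr_alg": {"des-cbc", "3des-cbc"}}


def diagnose(state):
    """Turn the parsed state into short, human-readable findings."""
    findings = []
    findings.append("phase1: completed (PSK and proposal accepted by peer)"
                    if state["phase1_done"] else "phase1: not completed")
    descs = {desc for _, desc in state["vendor_ids"]}
    if "XAUTH" in descs:
        findings.append("peer advertises XAUTH: it may expect extended authentication (and mode-config)")
    if "Cisco-Unity" in descs:
        findings.append("peer advertises Cisco-Unity: Cisco remote-access client extensions in use")
    if state["phase2_started"] and state["errors"]:
        code, name = state["errors"][0]
        findings.append(f"phase2: failed, first IKE notify was type {code} ({name})")
    for key, (num, name) in state["proposal"].items():
        if name in WEAK_ALGS.get(key, set()):
            findings.append(f"proposal: {key}={name} is deprecated; prefer SHA-2 and AES")
    if state["proposal"].get("oakley_group", (0, None))[0] in (1, 2):
        findings.append("proposal: oakley_group 1/2 (768/1024-bit MODP) is weak; use group 14 or higher")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_iked_log(SAMPLE_LOG)):
        print(line)
```

Run it against the full dump (python3 parse_iked.py < dump.txt after swapping SAMPLE_LOG for sys.stdin.read()) to get the same summary; the useful signal in this case is that Phase 1 completed and the failure came back as an IKE notify during quick mode, while the peer advertised XAUTH and Cisco-Unity.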
