I am trying to connect a Solaris 10 box to a Cisco PIX over an IPsec tunnel, but it seems to stop at some point.
From the post at http://www.mail-archive.com/[email protected]/msg07573.html
it looks like I have to disable X-Auth and mode config on the Cisco side?
From the IKE dump:
# /usr/lib/inet/in.iked -f /etc/inet/ike/config -d
Jan 16 00:40:57: 2012 (+0800) *** in.iked started ***
Jan 16 00:40:57: Loading configuration...
Jan 16 00:40:57: Checking lifetimes in "nullrule"
Jan 16 00:40:57: Using default value for p2 lifetime: 28800 seconds.
Jan 16 00:40:57: p2 softlife too small.
Jan 16 00:40:57: Using default value for p2 soft lifetime: 25920 seconds.
Jan 16 00:40:57: Using default value for p2 idle lifetime: 14400 seconds.
Jan 16 00:40:57: Using default value for p2 byte lifetime: 134217728 kb
Jan 16 00:40:57: Using default value for p2 soft byte lifetime: 120795955 kb
Jan 16 00:40:57: Checking lifetimes in "myvpn"
Jan 16 00:40:57: Adding rule "myvpn" to IKE configuration;
Jan 16 00:40:57: mode 256 (any), cookie 6, slot 0; total rules 1
Jan 16 00:40:57: Configuration update succeeded! Updating active databases.
Jan 16 00:40:57: Configuration ok.
Jan 16 00:40:57: Loading preshared keys...
Jan 16 00:40:57: Unique instance of in.iked started.
Jan 16 00:40:57: Adding certificates...
Jan 16 00:40:57: 0 certificates successfully added
Jan 16 00:40:57: Adding private keys...
Jan 16 00:40:57: 0 private keys successfully added.
Jan 16 00:40:57: Skipping lo0 address 127.0.0.1
Jan 16 00:40:57: Adding bnx0 address xxx.xxx.44.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #1; IP address = xxx.xxx.44.239, interface = bnx0.
Jan 16 00:40:57: Now 1 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:1 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Adding entry #2; IP address = xxx.xxx.44.245, interface = bnx0:1.
Jan 16 00:40:57: Now 2 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:2 address 10.1.1.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #3; IP address = 10.1.1.239, interface = bnx0:2.
Jan 16 00:40:57: Now 3 addresses being serviced.
Jan 16 00:40:57: Adding ip.tun0 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Address already exists: now 2 users
Jan 16 00:40:57: Initializing PF_KEY socket...
Jan 16 00:40:57: ESP initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:40:57: AH initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:41:16: Handling data on PF_KEY socket:
SADB msg: message type 6 (ACQUIRE), SA type 0 (UNSPEC),
pid 0, sequence number 4294963042,
error code 0 (Error 0), diag code 0 (No diagnostic), length 25
Jan 16 00:41:16: Inner addresses present,
Jan 16 00:41:16: Doing ACQUIRE....
Jan 16 00:41:16: Trying to get Phase 1 (by itself)...
Jan 16 00:41:16: Looking for an existing Phase 1 SA...
Jan 16 00:41:16: Searching rulebase for src = xxx.xxx.44.239[0]
Jan 16 00:41:16: dst = xxx.xxx.11.24[0]
Jan 16 00:41:16: Examining rule list.
Jan 16 00:41:16: rule 'myvpn' 0x6;
Jan 16 00:41:16: local addr xxx.xxx.44.239[2824];
Jan 16 00:41:16: remote addr xxx.xxx.11.24[2824]
Jan 16 00:41:16: [basic match]
Jan 16 00:41:16: Selected rule: 'myvpn'
Jan 16 00:41:16: Updating p2_lifetime to 28800 seconds.
Jan 16 00:41:16: Checking lifetimes in "myvpn"
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing local identity payload...
Jan 16 00:41:16: Local ID type: ipv4(any:0,[0..3]=xxx.xxx.44.239)
Jan 16 00:41:16: Constructing Phase 1 Transforms:
Our Proposal:
Rule: "myvpn" ; transform 0
auth_method = 1 (Pre-shared)
hash_alg = 1 (md5)
encr_alg = 5 (3des-cbc)
oakley_group = 2
Jan 16 00:41:16: Phase 1 exchange type=2 (IP), 1 transform(s).
Jan 16 00:41:16: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)
Jan 16 00:41:16: New Phase 1 negotiation!
Jan 16 00:41:16: Waiting for IKE results.
Jan 16 00:41:16: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:16: Determining P1 nonce data length.
Jan 16 00:41:16: NAT-T state 0 (INIT)
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x09002689dfd6b712
Jan 16 00:41:17: XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17: Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17: Using Dead Peer Detection (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x1bbeeea30f37d3ccd73e1cd102c84809
Jan 16 00:41:17: Could not find VID description
Jan 16 00:41:17: Finding preshared key...
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
Jan 16 00:41:17: Tunnel mode [ACQUIRE]
Jan 16 00:41:17: PF_KEY message contents:
Timestamp: Mon Jan 16 00:41:17 2012
Base message (version 2) type ACQUIRE, SA type <unspecified/all>.
Message length 200 bytes, seq=4294963042, pid=0.
INS: Inner source address (proto=0)
INS: AF_INET: port 0, 0.0.0.0.
IND: Inner destination address (proto=0)
IND: AF_INET: port 0, 0.0.0.0.
SRC: Source address (proto=4)
SRC: AF_INET: port 0, xxx.xxx.44.239.
DST: Destination address (proto=4)
DST: AF_INET: port 0, xxx.xxx.11.24.
EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
EPR: Extended combination #1:
EPR: HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
EPR: SOFT: alloc=0, bytes=0, post-add secs=24000, post-use secs=0
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "ah"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
queueing sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: PF_KEY transmit request:
posting sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: Handling data on PF_KEY socket:
SADB msg: message type 1 (GETSPI), SA type 2 (AH),
pid 2978, sequence number 5,
error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
got sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "esp"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
queueing sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: PF_KEY transmit request:
posting sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: Handling data on PF_KEY socket:
SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
pid 2978, sequence number 6,
error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
got sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: Setting QM nonce data length to 32 bytes.
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Policy Manager phase 1 info not found! (message type 10 (Invalid protocol ID))
Jan 16 00:41:17: Notifying library that P2 SA is freed.
Jan 16 00:41:17: Local IP = xxx.xxx.44.239, Remote IP = xxx.xxx.11.24,
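Added example, not from the original post or from Solaris: a small Python triage that reduces an in.iked -d dump like the one above to the facts needed to place the failure, namely the Phase 1 proposal, the peer's vendor IDs, the AH and ESP algorithms the kernel policy requested, how many SPIs were allocated, and the notify that ended the attempt. The regular expressions are written against the line shapes visible in this dump and are assumed to hold for other Solaris releases.

```python
import re
# Excerpt of the in.iked -d dump quoted above, embedded so the triage runs offline.
IKED_LOG = """\
auth_method = 1 (Pre-shared)
hash_alg = 1 (md5)
encr_alg = 5 (3des-cbc)
oakley_group = 2
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x09002689dfd6b712
Jan 16 00:41:17: XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Phase 1 negotiation done.
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: SADB GETSPI type == "ah"
Jan 16 00:41:17: SADB GETSPI type == "esp"
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
"""
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+: ")   # "Jan 16 00:41:17: "; line shapes assumed from this dump
TRANSFORM = re.compile(r"^(auth_method|hash_alg|encr_alg|oakley_group) = (\d+)(?: \((.*)\))?$")
P2_ALG = re.compile(r"^EPR: Alg #\d+ for (AH|ESP) \w+ = (\S+) ")
GETSPI = re.compile(r'^SADB GETSPI type == "(\w+)"')
IKE_ERR = re.compile(r"^IKE error: type (\d+) \((.*?)\)")

def triage(log):
    """Reduce an in.iked debug dump to the facts needed to place a tunnel failure."""
    r = {"p1_transform": {}, "peer_vids": [], "p1_done": False,
         "p2_algs": [], "p2_sa_types": [], "error": None}
    pending_vid = None                      # hex vendor ID waiting for its decoded name
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if pending_vid is not None:         # the line after a 0x... VID is its description
            r["peer_vids"].append((pending_vid, line))
            pending_vid = None
        elif line.startswith("0x"):
            pending_vid = line
        elif m := TRANSFORM.match(line):    # Phase 1 proposal, keep the name not the number
            r["p1_transform"][m.group(1)] = m.group(3) or m.group(2)
        elif line == "Phase 1 negotiation done.":
            r["p1_done"] = True
        elif m := P2_ALG.match(line):       # what the kernel policy (PF_KEY ACQUIRE) asked for
            r["p2_algs"].append((m.group(1), m.group(2)))
        elif m := GETSPI.match(line):       # one SPI per protocol: AH plus ESP means a bundle
            r["p2_sa_types"].append(m.group(1))
        elif m := IKE_ERR.match(line):
            r["error"] = (int(m.group(1)), m.group(2))
    # An error after Phase 1 completed places the fault in quick mode, not in authentication.
    r["failed_in"] = "phase2" if r["p1_done"] and r["error"] else ("phase1" if r["error"] else None)
    return r
```

For the dump above it reports Phase 1 complete, an AH plus ESP request from the kernel policy, and the Invalid protocol ID notify arriving in quick mode, so the pre-shared key and Phase 1 transforms are not the first place to look.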