I have a host on which I am trying to set up IPsec, but I am seeing some errors in the logs that make no sense to me.
The system is a RHEL 5.5 box. I followed the RHEL IPsec deployment instructions to set up a host-to-host IPsec connection between hosts on two different LANs. One of the hosts has a bonded interface. After running tcpdump, I do not see any traffic going to the second host.
I restarted the network service and saw the following:
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: 127.0.0.1[500] used for NAT-T
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: 10.x.x.x[500] used as isakmp port (fd=11)
Jul 31 14:27:17 n7pg01dimg001imon002 racoon: INFO: 10.x.x.x[500] used for NAT-T
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: INFO: unsupported PF_KEY message X_SPDDELETE2
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: INFO: unsupported PF_KEY message REGISTER
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: ERROR: such policy already exists. anyway replace it: 10.x.x.x/x[0] 174.x.x.x/32[0] proto=any dir=out
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: ERROR: such policy already exists. anyway replace it: 10.x.x.x/x[0] 174.x.x.x/32[0] proto=any dir=in
Jul 31 14:54:19 n7pg01dimg001imon002 racoon: ERROR: such policy already exists. anyway replace it: 10.x.x.x/x[0] 174.x.x.x/32[0] proto=any dir=fwd
It traverses NAT at some point.