Meaning of the Solaris 11.3 IPSec error "No such file or directory from PF_KEY"


I am trying to connect a computer running macOS 10.12 to a Solaris 11.3 box over IPSec in transport mode. I believe my IKE negotiation succeeds (phase 1) and I am now in phase 2. If I change the PSK I cannot get through phase 1, so it looks like my key is correct. The following links, among others, did not help me:

https://community.oracle.com/thread/1922024?db=5
https://groups.google.com/forum/#!topic/comp.unix.solaris/VolBr8GXgKg
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24642
http://www.deskdr.com/dr/ipsec-in-transport-mode-not-completeing-phase-2-quick-mode.html

I tried searching for the "No such file or directory from PF_KEY" error message, the "Label not found" message, and information about inverse ACQUIRE.

The dump from /usr/lib/inet/in.iked -d -p 2 when I try to establish the connection between the two machines is as follows:

Jun 30 20:32:50: Selecting transform from inbound SA...
Jun 30 20:32:50:   NAT-T state 1 (VID)
Jun 30 20:32:50: Checking P1 transform from remote initiator!
Jun 30 20:32:50:   NAT-T state 1 (VID)
Jun 30 20:32:50: P1 Transform check
        Rule "client", transform 0: 
        auth_method = 1 (Pre-shared)
        hash_alg = 6 (sha512)
        encr_alg = 7 (aes-cbc)
        keysizes = 128..256 bits
        oakley_group = 16
Jun 30 20:32:50: Peer Proposal: transform 0
        auth_method = 1 (Pre-shared)
        hash_alg = 6 (sha512)
        encr_alg = 7 (aes-cbc)
        key_length = 128 bits
        oakley_group = 16
Jun 30 20:32:50:   Rule "client" matches proposal.
Jun 30 20:32:50:   Selected Proposal Transform 0.
Jun 30 20:32:50:   Sending selected SA with transforms_index 0 to library.
Jun 30 20:32:50: Sending out Vendor IDs, if needed: NAT-T state 1 (VID)
Jun 30 20:32:50: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:50: IKE library: NAT-Discovery - not a NAT-T connection
Jun 30 20:32:50: Determining P1 nonce data length.
Jun 30 20:32:50:   NAT-T state -1 (NEVER)
Jun 30 20:32:50: Finding preshared key...
Jun 30 20:32:50: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:50: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jun 30 20:32:50: Handling P1 status notification from peer.
Jun 30 20:32:50:   NAT-T state -1 (NEVER)
Jun 30 20:32:50: Handling initial contact notification from peer: NAT-T state -1 (NEVER) phase2 1
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type AH.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
Jun 30 20:32:50: PF_KEY request:
                                         queueing sequence number 5, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request:
                                         posting sequence number 5, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type AH.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.2.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:50: PF_KEY request:
                                         queueing sequence number 6, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type ESP.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
Jun 30 20:32:50: PF_KEY request:
                                         queueing sequence number 7, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type ESP.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.2.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:50: PF_KEY request:
                                         queueing sequence number 8, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:50: Getting local id for inbound P1: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Constructing local identity payload...
Jun 30 20:32:50:   Local ID type: ipv4(any:0,[0..3]=192.168.0.2)
Jun 30 20:32:50: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Looking for 192.168.0.2[0] in IKE daemon context...
Jun 30 20:32:50: Notifying library that P2 SA is freed.
Jun 30 20:32:50:   Local IP = 192.168.0.2, Remote IP = 192.168.0.3,
Jun 30 20:32:50: Handling data on PF_KEY socket:
                                         SADB msg: message type 4 (DELETE), SA type 2 (AH),
                                         pid 1412, sequence number 5,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler:
                                         got sequence number 5, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request:
                                         posting sequence number 6, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: Handling data on PF_KEY socket:
                                         SADB msg: message type 4 (DELETE), SA type 2 (AH),
                                         pid 1412, sequence number 6,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler:
                                         got sequence number 6, message type 4 (DELETE),
                                         SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request:
                                         posting sequence number 7, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:50: Handling data on PF_KEY socket:
                                         SADB msg: message type 4 (DELETE), SA type 3 (ESP),
                                         pid 1412, sequence number 7,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler:
                                         got sequence number 7, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:50: PF_KEY transmit request:
                                         posting sequence number 8, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:50: Handling data on PF_KEY socket:
                                         SADB msg: message type 4 (DELETE), SA type 3 (ESP),
                                         pid 1412, sequence number 8,
                                         error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler:
                                         got sequence number 8, message type 4 (DELETE),
                                         SA type 3 (ESP)
Jun 30 20:32:51: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:51: New Quick Mode (QM) connection received from 192.168.0.3[500]
Jun 30 20:32:51: Selecting proposal for 1 inbound QM SA(s).
Jun 30 20:32:51: Constructing inverse ACQUIRE...
Jun 30 20:32:51:   Initiator Local ID = No Id, Local IP = 192.168.0.2
Jun 30 20:32:51:   Initiator Remote ID = No Id, Remote IP = 192.168.0.3
Jun 30 20:32:51: qm_id_check: Either no NAT-T using tunnel-mode.
Jun 30 20:32:51:     checking local_id...
Jun 30 20:32:51:     checking remote_id...
Jun 30 20:32:51:     assuming transport mode.
Jun 30 20:32:51:   Transport Mode [INVERSE ACQUIRE]
Jun 30 20:32:51: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:51 PM EDT
Base message (version 2) type X_INVERSE_ACQUIRE, SA type <unspecified/all>.
Message length 96 bytes, seq=0, pid=1412.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:51: PF_KEY request:
                                         queueing sequence number 9, message type 12 (X_INVERSE_ACQUIRE),
                                         SA type 0 (UNSPEC)
Jun 30 20:32:51: PF_KEY transmit request:
                                         posting sequence number 9, message type 12 (X_INVERSE_ACQUIRE),
                                         SA type 0 (UNSPEC)
Jun 30 20:32:51: Handling data on PF_KEY socket:
                                         SADB msg: message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC),
                                         pid 1412, sequence number 9,
                                         error code 2 (No such file or directory), diag code 0 (No diagnostic), length 2
Jun 30 20:32:51: SADB message reply handler:
                                         got sequence number 9, message type 12 (X_INVERSE_ACQUIRE),
                                         SA type 0 (UNSPEC)
Jun 30 20:32:51: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:51 PM EDT
Base message (version 2) type X_INVERSE_ACQUIRE, SA type <unspecified/all>.
Error No such file or directory from PF_KEY.
  Diagnostic code 0:  No diagnostic.
Message length 16 bytes, seq=9, pid=1412.
Jun 30 20:32:51: Continuing QM SA selection...
Jun 30 20:32:51:   inverse_acquire() failed.
Jun 30 20:32:51: Quick Mode negotiation failed: code 14 (No proposal chosen).
Jun 30 20:32:51:   Local IP: 192.168.0.2[500], Remote IP: 192.168.0.3[500]
Jun 30 20:32:51:   Initiator Local ID = No Id
Jun 30 20:32:51:   Initiator Remote ID = No Id
Jun 30 20:32:51:   ** Responder Local ID = No Id
Jun 30 20:32:51:   ** Responder Remote ID = No Id
Jun 30 20:32:51: Notifying library that P2 SA is freed.
Jun 30 20:32:51:   Local IP = 192.168.0.2, Remote IP = 192.168.0.3,

Solaris box configuration

/etc/inet/ipsecinit.conf contains the following:

{laddr 192.168.0.2 raddr 192.168.0.3} ipsec
        {encr_algs aes encr_auth_algs sha512 sa shared}

/etc/inet/secret/ike.preshared contains

{ localidtype IP
    localid 192.168.0.2
    remoteidtype IP
    remoteid 192.168.0.3
    key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
}

/etc/inet/ike/config contains

p2_lifetime_secs 14400
p2_nonce_len 20

p1_xform
  { auth_method preshared oakley_group 16 auth_alg sha512 encr_alg aes }
p2_pfs 2

{
        label "client"
        local_id_type ip
        local_addr 192.168.0.2
        remote_addr 192.168.0.3
        p1_xform { auth_method preshared auth_alg
                sha512 oakley_group 16 encr_alg aes }
        p2_pfs 5
}

Mac configuration

/etc/racoon/racoon.conf contains

path include "/etc/racoon" ;
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/cert" ;

log debug2;

padding
{
    maximum_length 20;  # maximum padding length.
    randomize off;      # enable randomize length.
    strict_check off;   # enable strict check.
    exclusive_tail off; # extract last one octet.
}

timer
{
    # These values can be changed per remote node.
    counter 10;     # maximum trying count to send.
    interval 3 sec; # interval to resend (retransmit)
    persend 1;      # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;

    # Auto exit delay timer - for use when controlled by VPN socket
    auto_exit_delay 3 sec;
}

remote 192.168.0.2 [500]
{
  exchange_mode main;
  doi ipsec_doi;
  situation identity_only;

  my_identifier   address 192.168.0.3;
  peers_identifier        address 192.168.0.2;

  lifetime        time 1 hour;
  passive         off;
  proposal_check  obey;
  generate_policy off;

  proposal {
    encryption_algorithm    aes;
    hash_algorithm          sha512;
    authentication_method   pre_shared_key;
    lifetime time           3600 sec;
    dh_group                16;
  }
}


sainfo address ::1 icmp6 address ::1 icmp6
{
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des, aes ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

sainfo address 192.168.0.3 any address 192.168.0.2 any {
  pfs_group 5;
  encryption_algorithm aes256;
  authentication_algorithm hmac_sha512;
  compression_algorithm deflate;
}

/etc/racoon/psk.txt contains

192.168.0.2 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

setkey commands

flush;
spdflush;
spdadd 192.168.0.3 192.168.0.2[22] any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.0.2[22] 192.168.0.3 any -P out ipsec esp/transport//use ah/transport//use;

spdadd 192.168.0.3 192.168.0.2 any -P out ipsec esp/transport//require ah/transport//use;
spdadd 192.168.0.2 192.168.0.3 any -P out ipsec esp/transport//require ah/transport//use;

Thanks in advance!

Answer 1

It turns out the problem was that the command I was using to refresh the security policy, svcadm restart svc:/network/ipsec/policy:default, was clearing my SA list, as ipsecconf -l showed.

After restarting the daemon I needed to run ipsecconf -f -a /etc/inet/ipsecinit.conf

I still haven't figured out what file I am ostensibly missing, but I will try @AndrewHenle's suggestion to find out (still useful) and reply later!
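The record that fails in the dump above is the kernel's reply to the X_INVERSE_ACQUIRE (sequence number 9) with error code 2 (ENOENT), i.e. no entry in the kernel's policy table matched the peer's Quick Mode proposal, which fits the emptied policy described in the answer. As an added example (not part of the question or answer, and not Solaris code), the following Python script joins the multi-line in.iked records and lists every PF_KEY reply with a non-zero error code, so the failing message type and sequence number stand out without reading the whole dump; the sample input is the two reply records copied from the dump.

```python
import re
from typing import Dict, List

# A timestamped line starts a new log record; its continuation lines are indented.
RECORD_START = re.compile(r"^\w{3} \d{1,2} \d\d:\d\d:\d\d: ")
# Fields of a kernel SADB reply once the record's lines have been joined.
SADB_REPLY = re.compile(
    r"message type (?P<mtype>\d+) \((?P<mname>\w+)\).*?"
    r"sequence number (?P<seq>\d+),.*?"
    r"error code (?P<err>\d+) \((?P<errtext>[^)]*)\)",
    re.S,
)

def join_records(log: str) -> List[str]:
    """Glue each timestamped line to the indented lines that follow it."""
    records: List[str] = []
    for line in log.splitlines():
        if RECORD_START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def pfkey_failures(log: str) -> List[Dict[str, str]]:
    """Return every SADB reply from the kernel whose error code is non-zero."""
    failures = []
    for rec in join_records(log):
        if "Handling data on PF_KEY socket" not in rec:
            continue
        m = SADB_REPLY.search(rec)
        if m and m.group("err") != "0":
            failures.append(m.groupdict())
    return failures

# Constructed sample: one successful DELETE reply and the failing
# X_INVERSE_ACQUIRE reply, copied from the in.iked dump in the question.
SAMPLE = """\
Jun 30 20:32:50: Handling data on PF_KEY socket:
        SADB msg: message type 4 (DELETE), SA type 3 (ESP),
        pid 1412, sequence number 8,
        error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:51: Handling data on PF_KEY socket:
        SADB msg: message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC),
        pid 1412, sequence number 9,
        error code 2 (No such file or directory), diag code 0 (No diagnostic), length 2
"""

if __name__ == "__main__":
    for f in pfkey_failures(SAMPLE):
        print(f"seq {f['seq']}: {f['mname']} failed, errno {f['err']} ({f['errtext']})")
```

Feed it a full dump (for example via `sys.stdin.read()` in place of SAMPLE) and a reply with a non-zero error on X_INVERSE_ACQUIRE points at the policy table rather than at the IKE key material, since phase 1 had already completed.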
