I am trying to connect a Solaris 10 box to a Cisco PIX over an IPsec tunnel, and the negotiation seems to stop at some point.
From the post at http://www.mail-archive.com/[email protected]/msg07573.html
it seems I have to disable X-Auth and mode-configuration on the Cisco?
From the IKE dump:
# /usr/lib/inet/in.iked -f /etc/inet/ike/config -d
Jan 16 00:40:57: 2012 (+0800) *** in.iked started ***
Jan 16 00:40:57: Loading configuration...
Jan 16 00:40:57: Checking lifetimes in "nullrule"
Jan 16 00:40:57: Using default value for p2 lifetime: 28800 seconds.
Jan 16 00:40:57: p2 softlife too small.
Jan 16 00:40:57: Using default value for p2 soft lifetime: 25920 seconds.
Jan 16 00:40:57: Using default value for p2 idle lifetime: 14400 seconds.
Jan 16 00:40:57: Using default value for p2 byte lifetime: 134217728 kb
Jan 16 00:40:57: Using default value for p2 soft byte lifetime: 120795955 kb
Jan 16 00:40:57: Checking lifetimes in "myvpn"
Jan 16 00:40:57: Adding rule "myvpn" to IKE configuration;
Jan 16 00:40:57: mode 256 (any), cookie 6, slot 0; total rules 1
Jan 16 00:40:57: Configuration update succeeded! Updating active databases.
Jan 16 00:40:57: Configuration ok.
Jan 16 00:40:57: Loading preshared keys...
Jan 16 00:40:57: Unique instance of in.iked started.
Jan 16 00:40:57: Adding certificates...
Jan 16 00:40:57: 0 certificates successfully added
Jan 16 00:40:57: Adding private keys...
Jan 16 00:40:57: 0 private keys successfully added.
Jan 16 00:40:57: Skipping lo0 address 127.0.0.1
Jan 16 00:40:57: Adding bnx0 address xxx.xxx.44.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #1; IP address = xxx.xxx.44.239, interface = bnx0.
Jan 16 00:40:57: Now 1 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:1 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Adding entry #2; IP address = xxx.xxx.44.245, interface = bnx0:1.
Jan 16 00:40:57: Now 2 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:2 address 10.1.1.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #3; IP address = 10.1.1.239, interface = bnx0:2.
Jan 16 00:40:57: Now 3 addresses being serviced.
Jan 16 00:40:57: Adding ip.tun0 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Address already exists: now 2 users
Jan 16 00:40:57: Initializing PF_KEY socket...
Jan 16 00:40:57: ESP initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:40:57: AH initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:41:16: Handling data on PF_KEY socket: SADB msg: message type 6 (ACQUIRE), SA type 0 (UNSPEC), pid 0, sequence number 4294963042, error code 0 (Error 0), diag code 0 (No diagnostic), length 25
Jan 16 00:41:16: Inner addresses present,
Jan 16 00:41:16: Doing ACQUIRE....
Jan 16 00:41:16: Trying to get Phase 1 (by itself)...
Jan 16 00:41:16: Looking for an existing Phase 1 SA...
Jan 16 00:41:16: Searching rulebase for src = xxx.xxx.44.239[0]
Jan 16 00:41:16: dst = xxx.xxx.11.24[0]
Jan 16 00:41:16: Examining rule list.
Jan 16 00:41:16: rule 'myvpn' 0x6;
Jan 16 00:41:16: local addr xxx.xxx.44.239[2824];
Jan 16 00:41:16: remote addr xxx.xxx.11.24[2824]
Jan 16 00:41:16: [basic match]
Jan 16 00:41:16: Selected rule: 'myvpn'
Jan 16 00:41:16: Updating p2_lifetime to 28800 seconds.
Jan 16 00:41:16: Checking lifetimes in "myvpn"
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing local identity payload...
Jan 16 00:41:16: Local ID type: ipv4(any:0,[0..3]=xxx.xxx.44.239)
Jan 16 00:41:16: Constructing Phase 1 Transforms: Our Proposal: Rule: "myvpn" ; transform 0 auth_method = 1 (Pre-shared) hash_alg = 1 (md5) encr_alg = 5 (3des-cbc) oakley_group = 2
Jan 16 00:41:16: Phase 1 exchange type=2 (IP), 1 transform(s).
Jan 16 00:41:16: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)
Jan 16 00:41:16: New Phase 1 negotiation!
Jan 16 00:41:16: Waiting for IKE results.
Jan 16 00:41:16: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:16: Determining P1 nonce data length.
Jan 16 00:41:16: NAT-T state 0 (INIT)
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x09002689dfd6b712
Jan 16 00:41:17: XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17: Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17: Using Dead Peer Detection (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x1bbeeea30f37d3ccd73e1cd102c84809
Jan 16 00:41:17: Could not find VID description
Jan 16 00:41:17: Finding preshared key...
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
Jan 16 00:41:17: Tunnel mode [ACQUIRE]
Jan 16 00:41:17: PF_KEY message contents:
Timestamp: Mon Jan 16 00:41:17 2012
Base message (version 2) type ACQUIRE, SA type <unspecified/all>.
Message length 200 bytes, seq=4294963042, pid=0.
INS: Inner source address (proto=0)
INS: AF_INET: port 0, 0.0.0.0.
IND: Inner destination address (proto=0)
IND: AF_INET: port 0, 0.0.0.0.
SRC: Source address (proto=4)
SRC: AF_INET: port 0, xxx.xxx.44.239.
DST: Destination address (proto=4)
DST: AF_INET: port 0, xxx.xxx.11.24.
EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
EPR: Extended combination #1:
EPR: HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
EPR: SOFT: alloc=0, bytes=0, post-add secs=24000, post-use secs=0
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "ah"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request: queueing sequence number 5, message type 1 (GETSPI), SA type 2 (AH)
Jan 16 00:41:17: PF_KEY transmit request: posting sequence number 5, message type 1 (GETSPI), SA type 2 (AH)
Jan 16 00:41:17: Handling data on PF_KEY socket: SADB msg: message type 1 (GETSPI), SA type 2 (AH), pid 2978, sequence number 5, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler: got sequence number 5, message type 1 (GETSPI), SA type 2 (AH)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "esp"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request: queueing sequence number 6, message type 1 (GETSPI), SA type 3 (ESP)
Jan 16 00:41:17: PF_KEY transmit request: posting sequence number 6, message type 1 (GETSPI), SA type 3 (ESP)
Jan 16 00:41:17: Handling data on PF_KEY socket: SADB msg: message type 1 (GETSPI), SA type 3 (ESP), pid 2978, sequence number 6, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler: got sequence number 6, message type 1 (GETSPI), SA type 3 (ESP)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: Setting QM nonce data length to 32 bytes.
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Policy Manager phase 1 info not found! (message type 10 (Invalid protocol ID))
Jan 16 00:41:17: Notifying library that P2 SA is freed.
Jan 16 00:41:17: Local IP = xxx.xxx.44.239, Remote IP = xxx.xxx.11.24,
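A dump like the one above can be triaged mechanically instead of read line by line. The script below is an added example, not part of the original post and not Solaris code; it parses a constructed excerpt written in the same format as the in.iked -d output above and reports where the exchange stopped: Phase 1 completed, the peer advertised the XAUTH, DPD and Cisco-Unity vendor IDs, the local Phase 2 proposal bundled AH with ESP, and quick mode ended with IKE notify type 10 (Invalid protocol ID). The function names, the regular expressions and the SAMPLE_LOG excerpt are my own assumptions about the log format, derived only from the lines shown on this page.

```python
"""Triage an in.iked(1M) '-d' debug log: which IKE phase stopped, and what the peer said."""
import re

# Constructed excerpt in the format of the in.iked dump above (not the full log).
SAMPLE_LOG = """\
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing Phase 1 Transforms: Our Proposal: Rule: "myvpn" ; transform 0 auth_method = 1 (Pre-shared) hash_alg = 1 (md5) encr_alg = 5 (3des-cbc) oakley_group = 2
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x09002689dfd6b712
Jan 16 00:41:17: XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17: Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17: Using Dead Peer Detection (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x1bbeeea30f37d3ccd73e1cd102c84809
Jan 16 00:41:17: Could not find VID description
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Notifying library that P2 SA is freed.
"""

# Patterns assumed from the log lines on this page (hypothetical, not from Solaris docs).
TS_PREFIX = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d: ')
VID_HEX = re.compile(r'^0x[0-9a-fA-F]+$')
P1_FIELD = re.compile(r'(auth_method|hash_alg|encr_alg) = \d+ \(([^)]+)\)')
P1_GROUP = re.compile(r'oakley_group = (\d+)')
P2_ALG = re.compile(r'^EPR: Alg #\d+ for (AH|ESP) (\w+) = (\S+)')
IKE_ERR = re.compile(r'IKE error: type (\d+) \(([^)]+)\)')


def parse_iked_log(text):
    """Extract negotiation milestones, peer vendor IDs, proposals and errors."""
    report = {"phase1_done": False, "phase2_started": False,
              "p1_proposal": {}, "p2_algs": [], "vendor_ids": [], "errors": []}
    lines = [TS_PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln == "Vendor ID from peer:" and i + 2 < len(lines) and VID_HEX.match(lines[i + 1]):
            # The daemon prints the VID bytes on one line and its description
            # (or "Could not find VID description") on the line after that.
            desc = lines[i + 2]
            report["vendor_ids"].append(
                (lines[i + 1].lower(), None if desc == "Could not find VID description" else desc))
            i += 3
            continue
        if "Constructing Phase 1 Transforms" in ln:
            report["p1_proposal"] = dict(P1_FIELD.findall(ln))
            m = P1_GROUP.search(ln)
            if m:
                report["p1_proposal"]["oakley_group"] = int(m.group(1))
        elif ln == "Phase 1 negotiation done.":
            report["phase1_done"] = True
        elif ln.startswith("Starting Phase 2 negotiation"):
            report["phase2_started"] = True
        m = P2_ALG.match(ln)
        if m:
            report["p2_algs"].append((m.group(1), m.group(2), m.group(3)))
        m = IKE_ERR.search(ln)
        if m:
            report["errors"].append((int(m.group(1)), m.group(2)))
        i += 1
    return report


def failed_phase(report):
    """'phase1' or 'phase2' for the phase an IKE error was logged in, None if no error."""
    if not report["errors"]:
        return None
    return "phase2" if report["phase1_done"] else "phase1"


def triage(report):
    """Turn the parsed report into findings an administrator can check against both ends."""
    findings = []
    vids = [d for _, d in report["vendor_ids"] if d]
    if "XAUTH" in vids:
        msg = "peer advertises XAUTH (extended authentication)"
        if report["p1_proposal"].get("auth_method") == "Pre-shared":
            msg += "; the local Phase 1 rule uses a pre-shared key only"
        findings.append(msg)
    if "Cisco-Unity" in vids:
        findings.append("peer advertises Cisco-Unity, the vendor ID of Cisco's remote-access IPsec feature set")
    if {p for p, _, _ in report["p2_algs"]} == {"AH", "ESP"}:
        findings.append("local Phase 2 proposal bundles AH and ESP in one combination; "
                        "check that the peer's transform set accepts an AH+ESP bundle")
    for code, name in report["errors"]:
        findings.append(f"IKE notify {code} ({name}) received during {failed_phase(report)}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_iked_log(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real dump, the findings list shows at a glance that Phase 1 succeeded and that the failure is a quick-mode notify received right after the AH+ESP proposal, which is the part of the configuration to compare with the PIX side before touching X-Auth or mode-config settings.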