I am trying to connect a machine running macOS 10.12 to a Solaris 11.3 box using IPsec transport mode. I believe my IKE negotiation succeeds (phase 1) and I am now getting into phase 2. If I change my PSK I don't get past phase 1, so it looks like my key is correct. The following links, among others, did not help me:
https://community.oracle.com/thread/1922024?db=5
https://groups.google.com/forum/#!topic/comp.unix.solaris/VolBr8GXgKg
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24642
http://www.deskdr.com/dr/ipsec-in-transport-mode-not-completeing-phase-2-quick-mode.html
I tried searching for the "No such file or directory from PF_KEY" error message, the "Label not found" message, and information about the inverse ACQUIRE.
When I try to establish a connection between the two machines, the dump from /usr/lib/inet/in.iked -d -p 2 is as follows:
Jun 30 20:32:50: Selecting transform from inbound SA...
Jun 30 20:32:50: NAT-T state 1 (VID)
Jun 30 20:32:50: Checking P1 transform from remote initiator!
Jun 30 20:32:50: NAT-T state 1 (VID)
Jun 30 20:32:50: P1 Transform check Rule "client", transform 0:
auth_method = 1 (Pre-shared)
hash_alg = 6 (sha512)
encr_alg = 7 (aes-cbc) keysizes = 128..256 bits
oakley_group = 16
Jun 30 20:32:50: Peer Proposal: transform 0
auth_method = 1 (Pre-shared)
hash_alg = 6 (sha512)
encr_alg = 7 (aes-cbc) key_length = 128 bits
oakley_group = 16
Jun 30 20:32:50: Rule "client" matches proposal.
Jun 30 20:32:50: Selected Proposal Transform 0.
Jun 30 20:32:50: Sending selected SA with transforms_index 0 to library.
Jun 30 20:32:50: Sending out Vendor IDs, if needed: NAT-T state 1 (VID)
Jun 30 20:32:50: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:50: IKE library: NAT-Discovery - not a NAT-T connection
Jun 30 20:32:50: Determining P1 nonce data length.
Jun 30 20:32:50: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Finding preshared key...
Jun 30 20:32:50: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:50: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jun 30 20:32:50: Handling P1 status notification from peer.
Jun 30 20:32:50: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Handling initial contact notification from peer: NAT-T state -1 (NEVER) phase2 1
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type AH.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
Jun 30 20:32:50: PF_KEY request: queueing sequence number 5, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request: posting sequence number 5, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type AH.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.2.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:50: PF_KEY request: queueing sequence number 6, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type ESP.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
Jun 30 20:32:50: PF_KEY request: queueing sequence number 7, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:50: Deleting SA ...
Jun 30 20:32:50: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:50 PM EDT
Base message (version 2) type DELETE, SA type ESP.
Message length 80 bytes, seq=0, pid=1412.
KMC: Protocol 1, cookie="<Label not found.>" (0)
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.2.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:50: PF_KEY request: queueing sequence number 8, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:50: Getting local id for inbound P1: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Constructing local identity payload...
Jun 30 20:32:50: Local ID type: ipv4(any:0,[0..3]=192.168.0.2)
Jun 30 20:32:50: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jun 30 20:32:50: Looking for 192.168.0.2[0] in IKE daemon context...
Jun 30 20:32:50: Notifying library that P2 SA is freed.
Jun 30 20:32:50: Local IP = 192.168.0.2, Remote IP = 192.168.0.3,
Jun 30 20:32:50: Handling data on PF_KEY socket: SADB msg: message type 4 (DELETE), SA type 2 (AH), pid 1412, sequence number 5, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler: got sequence number 5, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request: posting sequence number 6, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: Handling data on PF_KEY socket: SADB msg: message type 4 (DELETE), SA type 2 (AH), pid 1412, sequence number 6, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler: got sequence number 6, message type 4 (DELETE), SA type 2 (AH)
Jun 30 20:32:50: PF_KEY transmit request: posting sequence number 7, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:50: Handling data on PF_KEY socket: SADB msg: message type 4 (DELETE), SA type 3 (ESP), pid 1412, sequence number 7, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler: got sequence number 7, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:50: PF_KEY transmit request: posting sequence number 8, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:50: Handling data on PF_KEY socket: SADB msg: message type 4 (DELETE), SA type 3 (ESP), pid 1412, sequence number 8, error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jun 30 20:32:50: SADB message reply handler: got sequence number 8, message type 4 (DELETE), SA type 3 (ESP)
Jun 30 20:32:51: IKE library: Using default remote port for NAT-T, if active.
Jun 30 20:32:51: New Quick Mode (QM) connection received from 192.168.0.3[500]
Jun 30 20:32:51: Selecting proposal for 1 inbound QM SA(s).
Jun 30 20:32:51: Constructing inverse ACQUIRE...
Jun 30 20:32:51: Initiator Local ID = No Id, Local IP = 192.168.0.2
Jun 30 20:32:51: Initiator Remote ID = No Id, Remote IP = 192.168.0.3
Jun 30 20:32:51: qm_id_check: Either no NAT-T using tunnel-mode.
Jun 30 20:32:51: checking local_id...
Jun 30 20:32:51: checking remote_id...
Jun 30 20:32:51: assuming transport mode.
Jun 30 20:32:51: Transport Mode [INVERSE ACQUIRE]
Jun 30 20:32:51: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:51 PM EDT
Base message (version 2) type X_INVERSE_ACQUIRE, SA type <unspecified/all>.
Message length 96 bytes, seq=0, pid=1412.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:51: PF_KEY request: queueing sequence number 9, message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC)
Jun 30 20:32:51: PF_KEY transmit request: posting sequence number 9, message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC)
Jun 30 20:32:51: Handling data on PF_KEY socket: SADB msg: message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC), pid 1412, sequence number 9, error code 2 (No such file or directory), diag code 0 (No diagnostic), length 2
Jun 30 20:32:51: SADB message reply handler: got sequence number 9, message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC)
Jun 30 20:32:51: PF_KEY message contents:
Timestamp: June 30, 2017 08:32:51 PM EDT
Base message (version 2) type X_INVERSE_ACQUIRE, SA type <unspecified/all>.
Error No such file or directory from PF_KEY. Diagnostic code 0: No diagnostic.
Message length 16 bytes, seq=9, pid=1412.
Jun 30 20:32:51: Continuing QM SA selection...
Jun 30 20:32:51: inverse_acquire() failed.
Jun 30 20:32:51: Quick Mode negotiation failed: code 14 (No proposal chosen).
Jun 30 20:32:51: Local IP: 192.168.0.2[500], Remote IP: 192.168.0.3[500]
Jun 30 20:32:51: Initiator Local ID = No Id
Jun 30 20:32:51: Initiator Remote ID = No Id
Jun 30 20:32:51: ** Responder Local ID = No Id
Jun 30 20:32:51: ** Responder Remote ID = No Id
Jun 30 20:32:51: Notifying library that P2 SA is freed.
Jun 30 20:32:51: Local IP = 192.168.0.2, Remote IP = 192.168.0.3,
Solaris box configuration
/etc/inet/ipsecinit.conf contains the following:
{laddr 192.168.0.2 raddr 192.168.0.3} ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
/etc/inet/secret/ike.preshared contains
{
    localidtype IP
    localid 192.168.0.2
    remoteidtype IP
    remoteid 192.168.0.3
    key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
}
/etc/inet/ike/config contains
p2_lifetime_secs 14400
p2_nonce_len 20
p1_xform { auth_method preshared oakley_group 16 auth_alg sha512 encr_alg aes }
p2_pfs 2
{
    label "client"
    local_id_type ip
    local_addr 192.168.0.2
    remote_addr 192.168.0.3
    p1_xform { auth_method preshared auth_alg sha512 oakley_group 16 encr_alg aes }
    p2_pfs 5
}
Mac configuration
/etc/racoon/racoon.conf contains
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";

log debug2;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

timer {
    # These value can be changed per remote node.
    counter 10;             # maximum trying count to send.
    interval 3 sec;         # interval to resend (retransmit)
    persend 1;              # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 30 sec;
    phase2 30 sec;

    # Auto exit delay timer - for use when controlled by VPN socket
    auto_exit_delay 3 sec;
}

remote 192.168.0.2 [500] {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address 192.168.0.3;
    peers_identifier address 192.168.0.2;
    lifetime time 1 hour;
    passive off;
    proposal_check obey;
    generate_policy off;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha512;
        authentication_method pre_shared_key;
        lifetime time 3600 sec;
        dh_group 16;
    }
}

sainfo address ::1 icmp6 address ::1 icmp6 {
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des, aes;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}

sainfo address 192.168.0.3 any address 192.168.0.2 any {
    pfs_group 5;
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha512;
    compression_algorithm deflate;
}
/etc/racoon/psk.txt contains
192.168.0.2 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
setkey commands
flush;
spdflush;
spdadd 192.168.0.3 192.168.0.2[22] any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.0.2[22] 192.168.0.3 any -P out ipsec esp/transport//use ah/transport//use;
spdadd 192.168.0.3 192.168.0.2 any -P out ipsec esp/transport//require ah/transport//use;
spdadd 192.168.0.2 192.168.0.3 any -P out ipsec esp/transport//require ah/transport//use;
Thanks in advance!
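The decisive lines in the dump above are the X_INVERSE_ACQUIRE request for 192.168.0.2 -> 192.168.0.3 and the kernel's reply with error code 2: the daemon asks the kernel which policy covers the proposed transport-mode SA, gets ENOENT, and Quick Mode fails with "No proposal chosen". The following is an added example (not code from the question or from Solaris) that parses an in.iked -d -p 2 log, pairs each queued inverse ACQUIRE with its PF_KEY reply, and reports the ones that failed, so the "no policy loaded" condition can be spotted without reading the whole dump; the embedded log excerpt is constructed from the lines quoted in the question.

```python
import re

# Constructed excerpt of the in.iked -d -p 2 output quoted in the question.
# PF_KEY dump lines (SRC:/DST:/Base message) carry no timestamp prefix.
SAMPLE_LOG = """\
Jun 30 20:32:51: Transport Mode [INVERSE ACQUIRE]
Jun 30 20:32:51: PF_KEY message contents:
Base message (version 2) type X_INVERSE_ACQUIRE, SA type <unspecified/all>.
SRC: Source address (proto=0)
SRC: AF_INET: port 0, 192.168.0.2.
DST: Destination address (proto=0)
DST: AF_INET: port 0, 192.168.0.3.
Jun 30 20:32:51: PF_KEY request: queueing sequence number 9, message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC)
Jun 30 20:32:51: Handling data on PF_KEY socket: SADB msg: message type 12 (X_INVERSE_ACQUIRE), SA type 0 (UNSPEC), pid 1412, sequence number 9, error code 2 (No such file or directory), diag code 0 (No diagnostic), length 2
Jun 30 20:32:51: Quick Mode negotiation failed: code 14 (No proposal chosen).
"""

ADDR_RE = re.compile(r"\b(SRC|DST): AF_INET: port \d+, (\d+(?:\.\d+){3})\.")
REQ_RE = re.compile(r"PF_KEY request: queueing sequence number (\d+), message type \d+ \((\w+)\)")
REPLY_RE = re.compile(r"SADB msg: message type \d+ \((\w+)\),.*?sequence number (\d+), "
                      r"error code (\d+) \(([^)]*)\)")


def failed_inverse_acquires(log_text):
    """Pair every queued X_INVERSE_ACQUIRE with the kernel's SADB reply and
    return those that came back with a non-zero error code, together with the
    SRC/DST addresses the daemon asked the kernel to find a policy for."""
    addrs, pending, failures = {}, {}, []
    for line in log_text.splitlines():
        if m := ADDR_RE.search(line):
            addrs[m.group(1)] = m.group(2)            # SRC/DST of the dump being printed
        elif (m := REQ_RE.search(line)) and m.group(2) == "X_INVERSE_ACQUIRE":
            pending[m.group(1)] = (addrs.get("SRC"), addrs.get("DST"))
            addrs = {}                                # dump consumed by this request
        elif (m := REPLY_RE.search(line)) and m.group(1) == "X_INVERSE_ACQUIRE":
            seq, errno, text = m.group(2), int(m.group(3)), m.group(4)
            src, dst = pending.pop(seq, (None, None))
            if errno != 0:
                failures.append({"seq": int(seq), "src": src, "dst": dst,
                                 "errno": errno, "error": text})
    return failures


if __name__ == "__main__":
    for f in failed_inverse_acquires(SAMPLE_LOG):
        print(f"seq {f['seq']}: PF_KEY returned errno {f['errno']} ({f['error']}) for "
              f"{f['src']} -> {f['dst']}: no loaded IPsec policy matched; compare "
              "'ipsecconf -l' with /etc/inet/ipsecinit.conf")
```

Run against the full dump it reports only the phase-2 lookup, since the DELETE replies carry error code 0 and are ignored.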
It turns out the problem was the command I was reusing to reload my security policy: svcadm restart svc:/network/ipsec/policy:default was clearing my SA list, as shown by ipsecconf -l.
After restarting the daemon I need to run ipsecconf -f -a /etc/inet/ipsecinit.conf
I still haven't figured out which file I'm apparently missing, but I'll try @AndrewHenle's suggestion and find out (still useful to know), and report back!