IPSec and Sun Ray 3 Plus

1902334 May 7 2014

Please help me configure IPsec between the client and the server.

Configuration according to the documentation: http://docs.oracle.com/cd/E35310_01/E35309/html/IPsec-Examples.html

This is the in.iked daemon output:


bash-3.00# /usr/lib/inet/in.iked -d

May 07 15:36:42: 2014  *** in.iked started ***

May 07 15:36:42: Configuration file not defined using /etc/inet/ike/config.

May 07 15:36:42: Loading configuration...

May 07 15:36:42: Checking lifetimes in "nullrule"

May 07 15:36:42: p2 softlife too small.

May 07 15:36:42: Using default value for p2 soft lifetime: 25920 seconds.

May 07 15:36:42: Using default value for p2 idle lifetime: 14400 seconds.

May 07 15:36:42: Using default value for p2 byte lifetime: 134217728 kb

May 07 15:36:42: Using default value for p2 soft byte lifetime: 120795955 kb

May 07 15:36:42: Checking lifetimes in "SRSS Rule"

May 07 15:36:42: Adding rule "SRSS Rule" to IKE configuration;

May 07 15:36:42:   mode 256 (any), cookie 1, slot 0; total rules 1

May 07 15:36:42: Configuration update succeeded! Updating active databases.

May 07 15:36:42: Configuration ok.

May 07 15:36:42: Loading preshared keys...

May 07 15:36:42: Unique instance of in.iked started.

May 07 15:36:42: Adding certificates...

May 07 15:36:42: 0 certificates successfully added

May 07 15:36:42: Adding private keys...

May 07 15:36:42: 0 private keys successfully added.

May 07 15:36:42: Skipping lo0 address 127.0.0.1

May 07 15:36:42: Adding aggr1 address 10.10.55.1 to in.iked service list...

May 07 15:36:42:   Adding entry #1; IP address = 10.10.55.1, interface = aggr1.

May 07 15:36:42:   Now 1 addresses being serviced.

May 07 15:36:42: Initializing PF_KEY socket...

May 07 15:36:42: ESP initial REGISTER with SADB...

May 07 15:36:42: Handling SADB register message from kernel...

May 07 15:36:42: AH initial REGISTER with SADB...

May 07 15:36:42: Handling SADB register message from kernel...

May 07 15:37:14: New incoming phase 1 from 10.10.53.1[500].

May 07 15:37:14:   NAT-T state 0 (INIT)

May 07 15:37:14: Creating receiver phase1 structure for P1 SA negotiation.

May 07 15:37:14:   Examining rule list.

May 07 15:37:14:   rule 'SRSS Rule' 256;

May 07 15:37:14:                          local addr 0.0.0.0[2568]-255.255.255.255[2568];

May 07 15:37:14:                          remote addr 0.0.0.0[2568]-255.255.255.255[2568]

May 07 15:37:14:    [match]

May 07 15:37:14: Vendor ID from peer:

May 07 15:37:14:   0x4048b7d56ebce88525e7de7f00d6c2d380000000

May 07 15:37:14:   Could not find VID description

May 07 15:37:14: Vendor ID from peer:

May 07 15:37:14:   0xafcad71368a1f1c96b8696fc77570100

May 07 15:37:14:   Detecting Dead IKE Peers (RFC 3706)

May 07 15:37:14:   Using Dead Peer Detection (RFC 3706)

May 07 15:37:14: Selecting transform from inbound SA...

May 07 15:37:14:   NAT-T state 0 (INIT)

May 07 15:37:14: Checking P1 transform from remote initiator!

May 07 15:37:14:   NAT-T state 0 (INIT)

May 07 15:37:14: P1 Transform check

        Rule "SRSS Rule", transform 0:

        auth_method = 1 (Pre-shared)

        hash_alg = 2 (sha1)

        encr_alg = 7 (aes-cbc)

        keysizes = 128..256 bits

        oakley_group = 5

May 07 15:37:14: P1 Transform check:

Peer Proposal: transform 0

May 07 15:37:14:        auth_method = 1 (Pre-shared)

        hash_alg = 2 (sha1)

        encr_alg = 7 (aes-cbc)

        key_length = 128 bits

        oakley_group = 5

May 07 15:37:14:   Rule "SRSS Rule" matches proposal.

May 07 15:37:14:   Selected Proposal Transform 0.

May 07 15:37:14:   Sending selected SA with transforms_index 0 to library.

May 07 15:37:14: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)

May 07 15:37:15: IKE library: Using default remote port for NAT-T, if active.

May 07 15:37:15: Determining P1 nonce data length.

May 07 15:37:15:   NAT-T state -1 (NEVER)

May 07 15:37:15: Finding preshared key...

May 07 15:37:15: IKE library: Using default remote port for NAT-T, if active.

May 07 15:37:16: New incoming phase 1 from 10.10.53.1[500].

May 07 15:37:16:   NAT-T state 0 (INIT)

May 07 15:37:16: Creating receiver phase1 structure for P1 SA negotiation.

May 07 15:37:16:   Examining rule list.

May 07 15:37:16:   rule 'SRSS Rule' 256;

May 07 15:37:16:                          local addr 0.0.0.0[2568]-255.255.255.255[2568];

May 07 15:37:16:                          remote addr 0.0.0.0[2568]-255.255.255.255[2568]

May 07 15:37:16:    [match]

May 07 15:37:16: Vendor ID from peer:

May 07 15:37:16:   0x4048b7d56ebce88525e7de7f00d6c2d380000000

May 07 15:37:16:   Could not find VID description

May 07 15:37:16: Vendor ID from peer:

May 07 15:37:16:   0xafcad71368a1f1c96b8696fc77570100

May 07 15:37:16:   Detecting Dead IKE Peers (RFC 3706)

May 07 15:37:16:   Using Dead Peer Detection (RFC 3706)

May 07 15:37:16: Selecting transform from inbound SA...

May 07 15:37:16:   NAT-T state 0 (INIT)

May 07 15:37:16: Checking P1 transform from remote initiator!

May 07 15:37:16:   NAT-T state 0 (INIT)

May 07 15:37:16: P1 Transform check

        Rule "SRSS Rule", transform 0:

        auth_method = 1 (Pre-shared)

        hash_alg = 2 (sha1)

        encr_alg = 7 (aes-cbc)

        keysizes = 128..256 bits

        oakley_group = 5

May 07 15:37:16: P1 Transform check:

Peer Proposal: transform 0

May 07 15:37:16:        auth_method = 1 (Pre-shared)

        hash_alg = 2 (sha1)

        encr_alg = 7 (aes-cbc)

        key_length = 128 bits

        oakley_group = 5

May 07 15:37:16:   Rule "SRSS Rule" matches proposal.

May 07 15:37:16:   Selected Proposal Transform 0.

May 07 15:37:16:   Sending selected SA with transforms_index 0 to library.

May 07 15:37:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)

May 07 15:37:17: IKE library: Using default remote port for NAT-T, if active.

May 07 15:37:17: Determining P1 nonce data length.

May 07 15:37:17:   NAT-T state -1 (NEVER)

May 07 15:37:17: Finding preshared key...

May 07 15:37:18: IKE library: Using default remote port for NAT-T, if active.

May 07 15:37:47: Finishing P1 negotiation: NAT-T state -1 (NEVER)

May 07 15:37:47: Phase 1 negotiation error: code 8197 (Timeout).

May 07 15:37:47: Deleting local phase 1 instance.

May 07 15:37:47: Looking for 10.10.55.1[0] in IKE daemon context...

May 07 15:37:49: Finishing P1 negotiation: NAT-T state -1 (NEVER)

May 07 15:37:49: Phase 1 negotiation error: code 8197 (Timeout).

May 07 15:37:49: Deleting local phase 1 instance.

May 07 15:37:49: Looking for 10.10.55.1[0] in IKE daemon context...

This is my configuration:

bash-3.00# cat /etc/inet/ike/config

p1_lifetime_secs 86400
p1_nonce_len 16

p2_lifetime_secs 28800

## Parameters that may also show up in rules.

p1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg aes }

p2_pfs 0

### Now some rules...

{
   label "SRSS Rule"

   # Use whatever "host" (e.g. IP address) identity is appropriate
   local_addr 0.0.0.0/0
   remote_addr 0.0.0.0/0

   p1_xform
   { auth_method preshared oakley_group 5 auth_alg sha encr_alg aes }

   p2_pfs 0
}

bash-3.00# cat /etc/inet/secret/ike.preshared

{
        localidtype     IP
        localid         10.10.55.1
        remoteidtype    IP
        remoteid        10.10.53.1
        key             12345678
}

bash-3.00# cat /etc/inet/ipsecinit.config

{laddr 10.10.55.1 raddr 10.10.53.1} ipsec {encr_algs aes encr_auth_algs sha1}

bash-3.00# cat /tftpboot/sunray_ike.conf

remote anonymous {
        exchange_mode main;
        proposal {
                authentication_method pre_shared_key;
                encryption_algorithm aes;
                hash_algorithm sha1;
                dh_group 5;
        }
        lifetime time 24 hour;
        proposal_check claim;
}
sainfo anonymous {
        authentication_algorithm hmac_sha1;
        encryption_algorithm aes;
        lifetime time 8 hour;
}
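An added example, not part of the original post or of any Oracle tool: a small Python parser for the in.iked -d line format quoted above, run over a constructed excerpt of it, that groups the debug output into phase 1 attempts per peer and reports how far each attempt got (rule matched, preshared key lookup reached) before its logged outcome and how long that took. The FIFO pairing of error lines with attempts is an assumption, since in.iked prints no per-attempt identifier.

```python
import re
from datetime import datetime

# Constructed excerpt in the format of the in.iked -d output quoted above.
SAMPLE_LOG = """\
May 07 15:37:14: New incoming phase 1 from 10.10.53.1[500].
May 07 15:37:14:   Rule "SRSS Rule" matches proposal.
May 07 15:37:15: Finding preshared key...
May 07 15:37:16: New incoming phase 1 from 10.10.53.1[500].
May 07 15:37:16:   Rule "SRSS Rule" matches proposal.
May 07 15:37:17: Finding preshared key...
May 07 15:37:47: Phase 1 negotiation error: code 8197 (Timeout).
May 07 15:37:49: Phase 1 negotiation error: code 8197 (Timeout).
"""

LINE_RE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d): (.*)$")
START_RE = re.compile(r"New incoming phase 1 from ([\d.]+)\[(\d+)\]")
RULE_RE = re.compile(r'Rule "([^"]+)" matches proposal')
ERR_RE = re.compile(r"Phase 1 negotiation error: code (\d+) \((\w+)\)")

def phase1_attempts(log_text):
    """Group in.iked debug lines into phase 1 attempts with their outcome.
    in.iked prints no per-attempt id, so progress lines go to the newest open
    attempt and an error line closes the oldest (FIFO), as in the quoted log.
    Timestamps carry no year, so same-day arithmetic is assumed."""
    attempts, open_attempts = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2).strip()
        if s := START_RE.search(msg):
            a = {"peer": s.group(1), "port": int(s.group(2)), "start": ts,
                 "rule": None, "psk_lookup": False, "error": None, "elapsed": None}
            attempts.append(a); open_attempts.append(a)
        elif not open_attempts:
            continue
        elif r := RULE_RE.search(msg):
            open_attempts[-1]["rule"] = r.group(1)
        elif msg.startswith("Finding preshared key"):
            open_attempts[-1]["psk_lookup"] = True
        elif e := ERR_RE.search(msg):
            a = open_attempts.pop(0)
            a["error"] = (int(e.group(1)), e.group(2))
            a["elapsed"] = int((ts - a["start"]).total_seconds())
    return attempts

if __name__ == "__main__":
    for a in phase1_attempts(SAMPLE_LOG):
        print(a["peer"], a["rule"], a["psk_lookup"], a["error"], a["elapsed"])
```

Run against the full log above, it shows both attempts from 10.10.53.1 matching "SRSS Rule", reaching the preshared key lookup, and ending in code 8197 (Timeout) about 33 seconds later.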

Locked on Jun 4 2014
Added on May 7 2014