I am having a problem connecting Solaris 10 to Cisco PIX through IPsec.
Dump from IKE - # /usr/lib/inet/in.iked -f /etc/inet/ike/config -d
Jan 16 00:40:57: 2012 (+0800) *** in.iked started ***
Jan 16 00:40:57: Loading configuration...
Jan 16 00:40:57: Checking lifetimes in "nullrule"
Jan 16 00:40:57: Using default value for p2 lifetime: 28800 seconds.
Jan 16 00:40:57: p2 softlife too small.
Jan 16 00:40:57: Using default value for p2 soft lifetime: 25920 seconds.
Jan 16 00:40:57: Using default value for p2 idle lifetime: 14400 seconds.
Jan 16 00:40:57: Using default value for p2 byte lifetime: 134217728 kb
Jan 16 00:40:57: Using default value for p2 soft byte lifetime: 120795955 kb
Jan 16 00:40:57: Checking lifetimes in "myvpn"
Jan 16 00:40:57: Adding rule "myvpn" to IKE configuration;
Jan 16 00:40:57: mode 256 (any), cookie 6, slot 0; total rules 1
Jan 16 00:40:57: Configuration update succeeded! Updating active databases.
Jan 16 00:40:57: Configuration ok.
Jan 16 00:40:57: Loading preshared keys...
Jan 16 00:40:57: Unique instance of in.iked started.
Jan 16 00:40:57: Adding certificates...
Jan 16 00:40:57: 0 certificates successfully added
Jan 16 00:40:57: Adding private keys...
Jan 16 00:40:57: 0 private keys successfully added.
Jan 16 00:40:57: Skipping lo0 address 127.0.0.1
Jan 16 00:40:57: Adding bnx0 address xxx.xxx.44.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #1; IP address = xxx.xxx.44.239, interface = bnx0.
Jan 16 00:40:57: Now 1 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:1 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Adding entry #2; IP address = xxx.xxx.44.245, interface = bnx0:1.
Jan 16 00:40:57: Now 2 addresses being serviced.
Jan 16 00:40:57: Adding bnx0:2 address 10.1.1.239 to in.iked service list...
Jan 16 00:40:57: Adding entry #3; IP address = 10.1.1.239, interface = bnx0:2.
Jan 16 00:40:57: Now 3 addresses being serviced.
Jan 16 00:40:57: Adding ip.tun0 address xxx.xxx.44.245 to in.iked service list...
Jan 16 00:40:57: Address already exists: now 2 users
Jan 16 00:40:57: Initializing PF_KEY socket...
Jan 16 00:40:57: ESP initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...
Jan 16 00:40:57: AH initial REGISTER with SADB...
Jan 16 00:40:57: Handling SADB register message from kernel...

Jan 16 00:41:16: Handling data on PF_KEY socket:
SADB msg: message type 6 (ACQUIRE), SA type 0 (UNSPEC),
pid 0, sequence number 4294963042,
error code 0 (Error 0), diag code 0 (No diagnostic), length 25
Jan 16 00:41:16: Inner addresses present,
Jan 16 00:41:16: Doing ACQUIRE....
Jan 16 00:41:16: Trying to get Phase 1 (by itself)...
Jan 16 00:41:16: Looking for an existing Phase 1 SA...
Jan 16 00:41:16: Searching rulebase for src = xxx.xxx.44.239[0]
Jan 16 00:41:16: dst = xxx.xxx.11.24[0]
Jan 16 00:41:16: Examining rule list.
Jan 16 00:41:16: rule 'myvpn' 0x6;
Jan 16 00:41:16: local addr xxx.xxx.44.239[2824];
Jan 16 00:41:16: remote addr xxx.xxx.11.24[2824]
Jan 16 00:41:16: [basic match]
Jan 16 00:41:16: Selected rule: 'myvpn'

Jan 16 00:41:16: Updating p2_lifetime to 28800 seconds.
Jan 16 00:41:16: Checking lifetimes in "myvpn"
Jan 16 00:41:16: Starting Phase 1 negotiation...
Jan 16 00:41:16: Constructing local identity payload...
Jan 16 00:41:16: Local ID type: ipv4(any:0,[0..3]=xxx.xxx.44.239)
Jan 16 00:41:16: Constructing Phase 1 Transforms:
Our Proposal:
Rule: "myvpn" ; transform 0
auth_method = 1 (Pre-shared)
hash_alg = 1 (md5)
encr_alg = 5 (3des-cbc)
oakley_group = 2
Jan 16 00:41:16: Phase 1 exchange type=2 (IP), 1 transform(s).
Jan 16 00:41:16: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:16: Sending out Vendor IDs, if needed: NAT-T state 0 (INIT)
Jan 16 00:41:16: New Phase 1 negotiation!
Jan 16 00:41:16: Waiting for IKE results.
Jan 16 00:41:16: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:16: Determining P1 nonce data length.
Jan 16 00:41:16: NAT-T state 0 (INIT)
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE library: Doing port jump in case we need NAT-T. Current NAT-T state -1
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x09002689dfd6b712
Jan 16 00:41:17: XAUTH
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0xafcad71368a1f1c96b8696fc77570100
Jan 16 00:41:17: Detecting Dead IKE Peers (RFC 3706)
Jan 16 00:41:17: Using Dead Peer Detection (RFC 3706)
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x1bbeeea30f37d3ccd73e1cd102c84809
Jan 16 00:41:17: Could not find VID description
Jan 16 00:41:17: Finding preshared key...
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: Finishing P1 negotiation: NAT-T state -1 (NEVER)
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Phase 1 negotiation done.
Jan 16 00:41:17: Getting ready for phase 2 (quick mode).
Jan 16 00:41:17: Tunnel mode [ACQUIRE]
Jan 16 00:41:17: PF_KEY message contents:
Timestamp: Mon Jan 16 00:41:17 2012
Base message (version 2) type ACQUIRE, SA type <unspecified/all>.
Message length 200 bytes, seq=4294963042, pid=0.
INS: Inner source address (proto=0)
INS: AF_INET: port 0, 0.0.0.0.
IND: Inner destination address (proto=0)
IND: AF_INET: port 0, 0.0.0.0.
SRC: Source address (proto=4)
SRC: AF_INET: port 0, xxx.xxx.44.239.
DST: Destination address (proto=4)
DST: AF_INET: port 0, xxx.xxx.11.24.
EPR: Extended Proposal, replay counter = 32, number of combinations = 1.
EPR: Extended combination #1:
EPR: HARD: alloc=0, bytes=0, post-add secs=28800, post-use secs=0
EPR: SOFT: alloc=0, bytes=0, post-add secs=24000, post-use secs=0
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "ah"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
queueing sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: PF_KEY transmit request:
posting sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: Handling data on PF_KEY socket:
SADB msg: message type 1 (GETSPI), SA type 2 (AH),
pid 2978, sequence number 5,
error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
got sequence number 5, message type 1 (GETSPI),
SA type 2 (AH)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: SADB GETSPI type == "esp"
Jan 16 00:41:17: local xxx.xxx.44.239[0]
Jan 16 00:41:17: remote xxx.xxx.11.24[0]
Jan 16 00:41:17: PF_KEY request:
queueing sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: PF_KEY transmit request:
posting sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: Handling data on PF_KEY socket:
SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
pid 2978, sequence number 6,
error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 16 00:41:17: SADB message reply handler:
got sequence number 6, message type 1 (GETSPI),
SA type 3 (ESP)
Jan 16 00:41:17: Allocating SPI for Phase 2.
Jan 16 00:41:17: Looking for xxx.xxx.44.239[0] in IKE daemon context...
Jan 16 00:41:17: Starting Phase 2 negotiation...
Jan 16 00:41:17: Setting QM nonce data length to 32 bytes.
Jan 16 00:41:17: IKE library: Using default remote port for NAT-T, if active.
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
Jan 16 00:41:17: Policy Manager phase 1 info not found! (message type 10 (Invalid protocol ID))
Jan 16 00:41:17: Notifying library that P2 SA is freed.
Jan 16 00:41:17: Local IP = xxx.xxx.44.239, Remote IP = xxx.xxx.11.24,
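A small triage helper, added here as an example and not part of the original post, that parses an in.iked -d trace of the kind shown above and pulls out the Phase 1 proposal, the peer's vendor IDs, the Phase 2 (PF_KEY ACQUIRE) proposal and the first IKE error, so the two sides' configurations can be compared at the point where the negotiation stopped. SAMPLE_TRACE is a constructed excerpt modelled on the dump.

```python
import re

# Constructed excerpt modelled on the post's in.iked -d trace (not the full dump).
SAMPLE_TRACE = """\
Jan 16 00:41:16: Constructing Phase 1 Transforms:
auth_method = 1 (Pre-shared)
hash_alg = 1 (md5)
encr_alg = 5 (3des-cbc)
oakley_group = 2
Jan 16 00:41:17: Vendor ID from peer:
Jan 16 00:41:17: 0x12f5f28c457168a9702d9fe274cc0100
Jan 16 00:41:17: Cisco-Unity
Jan 16 00:41:17: Phase 1 negotiation done.
EPR: Alg #1 for AH Authentication = hmac-md5 minbits=128, maxbits=128.
EPR: Alg #2 for ESP Encryption = 3des-cbc minbits=192, maxbits=192.
Jan 16 00:41:17: IKE error: type 10 (Invalid protocol ID), decrypted 1, received 1
"""

STAMP = r"(?:\w{3} +\d+ [\d:]+: )?"  # optional "Jan 16 00:41:17: " prefix
P1_RE = re.compile(r"^\s*(auth_method|hash_alg|encr_alg|oakley_group) = (\d+)(?: \((.+)\))?")
VID_RE = re.compile(STAMP + r"Vendor ID from peer:")
HEX_RE = re.compile(STAMP + r"(0x[0-9a-fA-F]+)$")
EPR_RE = re.compile(r"EPR: Alg #\d+ for (AH|ESP) \w+ = ([\w-]+)")
ERR_RE = re.compile(STAMP + r"IKE error: type (\d+) \((.+?)\)")

def triage(trace):
    """Summarise what we proposed, which vendor IDs the peer sent, and where it failed."""
    r = {"phase1": {}, "vendor_ids": [], "phase2": [], "error": None, "p1_done": False, "notes": []}
    lines = trace.splitlines()
    for i, line in enumerate(lines):
        if m := P1_RE.match(line):
            r["phase1"][m.group(1)] = m.group(3) or m.group(2)  # keep the readable name if present
        elif VID_RE.match(line) and i + 2 < len(lines) and (h := HEX_RE.match(lines[i + 1])):
            # The VID hex is on the next line, its description (if known) on the one after.
            r["vendor_ids"].append((h.group(1), re.sub("^" + STAMP, "", lines[i + 2])))
        elif m := EPR_RE.search(line):
            r["phase2"].append((m.group(1), m.group(2)))  # (protocol, algorithm)
        elif "Phase 1 negotiation done" in line:
            r["p1_done"] = True
        elif (m := ERR_RE.search(line)) and r["error"] is None:
            r["error"] = (int(m.group(1)), m.group(2))
    protos = {p for p, _ in r["phase2"]}
    if r["p1_done"] and r["error"]:
        r["notes"].append("Phase 1 completed; the error was raised in quick mode, so compare the "
                          "Phase 2 proposal above with the peer's transform set.")
    if {"AH", "ESP"} <= protos:
        r["notes"].append("Phase 2 proposal bundles AH and ESP; the peer must offer the same combination.")
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```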