My solaris 9 tunnel was up and running, then just died. I can't for
the life of me figure out what I changed, if anything. Can someone
please lend some thoughts on this?
My crypto (transport) seems to be working fine between the outside's -
snoop also shows a good circuit w/ESP
machine1:cat ipsecinit.conf
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{ laddr 10.2.1.2 dir both } bypass {}
{} ipsec {encr_algs aes auth_algs md5}
{ laddr 192.168.1.6 raddr 192.168.1.5 } ipsec { auth_algs any encr_algs any sa shared }
machine2:cat ipsecinit.conf
# I opened port 500 for IKE -
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{ laddr 10.3.1.5 dir both } bypass {}
{} ipsec {encr_algs aes auth_algs md5}
{ laddr 192.168.1.5 raddr 192.168.1.6 } ipsec { auth_algs any encr_algs any sa shared }
I got it. It was phase 2 IKE (quick my butt). We set rekey timeouts
for 600 secs, but also set phase 1 for 600 secs. It doesn't like both
and revoked the new keyset. Boy, it took me all day to figure that
one out.
buckwheat_phd@yahoo.com (buckwheat) wrote in message news:<4260a1cc.0408241759.61eb4fb@posting.google.com>...
> My solaris 9 tunnel was up and running, then just died. I can't for
> the life of me figure out what I changed, if anything. Can someone
> please lend some thoughts on this?
>
> My crypto (transport) seems to be working fine between the outside's -
> snoop also shows a good circuit w/ESP
>
> Configuration:
> Inside#1 (10.2.1.5) -- Outside#1 (192.168.1.6) ---WAN--- Outside#2 (192.168.1.5) -- Inside#2 (10.3.1.5)
> ------- machine1 ---------------------------- ---------- machine2 -------------------------
>
> ifconfigs:
>
> machine1:ifconfig -a
> lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
> inet 127.0.0.1 netmask ff000000
> hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
> inet 10.2.1.5 netmask ffff0000 broadcast 10.2.255.255
> ether 8:0:20:a0:47:2d
> hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
> inet 192.168.1.6 netmask ffffff00 broadcast 192.168.1.255
> ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
> inet tunnel src 192.168.1.6 tunnel dst 192.168.1.5
> tunnel security settings esp (aes-cbc/hmac-md5)
> tunnel hop limit 60
> inet 10.2.1.5 --> 10.3.1.5 netmask ff000000
>
> machine2: ifconfig -a
> lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
> inet 127.0.0.1 netmask ff000000
> le0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
> inet 10.3.1.5 netmask ffff0000 broadcast 10.3.255.255
> ether 8:0:20:72:97:24
> le0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
> inet 192.168.1.5 netmask ffffff00 broadcast 192.168.1.255
> ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
> inet tunnel src 192.168.1.5 tunnel dst 192.168.1.6
> tunnel security settings esp (aes-cbc/hmac-md5)
> tunnel hop limit 60
> inet 10.3.1.5 --> 10.2.1.5 netmask ff000000
>
> (notice the mask on the tunnel is 255.0.0.0 - I've tried moving it to
> 255.255.0.0 but it didn't help)
>
> ipnodes:
> machine1:cat ipnodes
> #
> # Internet host table
> #
> ::1 localhost
> 127.0.0.1 localhost
> 192.168.1.5 outside1
>
> machine2:cat ipnodes
> #
> # Internet host table
> #
> ::1 localhost
> 127.0.0.1 localhost
> 192.168.1.6 outside2
>
> machine1:cat ipsecinit.conf
> {sport 500} bypass {dir out}
> {dport 500} bypass {dir in}
> { laddr 10.2.1.2 dir both } bypass {}
> {} ipsec {encr_algs aes auth_algs md5}
> { laddr 192.168.1.6 raddr 192.168.1.5 } ipsec { auth_algs any encr_algs any sa shared }
>
> machine2:cat ipsecinit.conf
> # I opened port 500 for IKE -
> {sport 500} bypass {dir out}
> {dport 500} bypass {dir in}
> { laddr 10.3.1.5 dir both } bypass {}
> {} ipsec {encr_algs aes auth_algs md5}
> { laddr 192.168.1.5 raddr 192.168.1.6 } ipsec { auth_algs any encr_algs any sa shared }
>
> machine1:cat ipseckeys
> # outbounds...
> add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey 9a1b22a41eddb89d5f3252f98a8a8a8a
> add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey 330c106ea11adbf12fd6901d8a8a8a8a
> # inbounds...
> add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey 0da24e98d882701708bceb348a8a8a8a
> add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey 2b3abe29e834bc6590dbecbd8a8a8a8a
>
> machine2:cat ipseckeys
> # inbounds...
> add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey 9a1b22a41eddb89d5f3252f98a8a8a8a
> add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey 330c106ea11adbf12fd6901d8a8a8a8a
> # outbounds...
> add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey 0da24e98d882701708bceb348a8a8a8a
> add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey 2b3abe29e834bc6590dbecbd8a8a8a8a
>
> (these keys have been replaced)
>
> The outside interface crypto is running fine - and each 192 interface
> can ping the other.
>
> All of a sudden I can't get the tunnel to ping from 10.2.1.5 to
> 10.3.1.5, or vice-versa. Was working fine, it just up and died.
>
> No IKE configs exist, and the daemon has not started. Didn't want any
> more complications at this point.
>
> Any way to debug this? It looks like the tunnels plumb, and accept
> the config, and are up on each machine. They just won't talk!
>
> Oh - on both machines:
> ndd -set /dev/ip hme0:ip_forwarding 1
> ndd -set /dev/ip ip.tun0:ip_forwarding 1
>
> Thank you in advance! I know this is all too much, but I don't know
> where to turn...
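Added example, not code from the thread: a small Python check that parses two manually keyed Solaris ipseckeys files in the format quoted above and lists every SA the two peers disagree on (missing SA, different algorithm, different key material). The embedded sample reproduces the poster's dummy keys with the key material wrapped onto the following line, as the news client wrapped it, and the parser glues it back; the peer copy has one nibble altered (a constructed fault) so the check has something to report.

```python
import re

# Constructed sample: machine1's ipseckeys as quoted in the thread (the keys
# are the poster's dummies), wrapped onto two lines the way the news client did.
MACHINE1_KEYS = """\
# outbounds...
add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey
9a1b22a41eddb89d5f3252f98a8a8a8a
add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey
330c106ea11adbf12fd6901d8a8a8a8a
# inbounds...
add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey
0da24e98d882701708bceb348a8a8a8a
add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey
2b3abe29e834bc6590dbecbd8a8a8a8a
"""
# The peer's copy, with one nibble of an ESP key mistyped (constructed fault).
MACHINE2_KEYS = MACHINE1_KEYS.replace("0da24e98", "0da24e99")

SA_RE = re.compile(r"^add\s+(esp|ah)\s+spi\s+([0-9a-f]+)\s+dst\s+(\S+)\s+"
                   r"(?:encr_alg|auth_alg)\s+(\S+)\s+(?:encrkey|authkey)\s+"
                   r"([0-9a-f]+)$", re.IGNORECASE)

def parse_ipseckeys(text):
    """Map (proto, spi, dst) -> (alg, key); key material wrapped onto the next
    line (as in the posted files) is first glued back onto its 'add' line."""
    text = re.sub(r"(encrkey|authkey)\s*\n\s*", r"\1 ", text)
    sas = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = SA_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ipseckeys line: {line!r}")
        proto, spi, dst, alg, key = m.groups()
        sas[(proto.lower(), spi.lower(), dst)] = (alg.upper(), key.lower())
    return sas

def compare_keyfiles(a, b):
    """List every SA the two files disagree on; an empty list means they match."""
    sa_a, sa_b = parse_ipseckeys(a), parse_ipseckeys(b)
    findings = []
    for ident in sorted(set(sa_a) | set(sa_b)):
        label = "{} spi {} dst {}".format(*ident)
        if ident not in sa_a or ident not in sa_b:
            findings.append(f"{label}: present on only one side")
        elif sa_a[ident][0] != sa_b[ident][0]:
            findings.append(f"{label}: algorithm differs")
        elif sa_a[ident][1] != sa_b[ident][1]:
            findings.append(f"{label}: key material differs")
    return findings
```

Run `compare_keyfiles(open(a).read(), open(b).read())` on copies of both peers' files; with manual keying any finding at all is enough to stop ESP or AH from decrypting or authenticating in one direction.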