solaris vpn just up and died

Guest
Archived from groups: comp.dcom.vpn

My solaris 9 tunnel was up and running, then just died. I can't for
the life of me figure out what I changed, if anything. Can someone
please lend some thoughts on this?

My crypto (transport) seems to be working fine between the outsides; snoop also shows a good circuit w/ESP.

Configuration:
Inside#1 (10.2.1.5) -- Outside#1 (192.168.1.6) ---WAN--- Outside#2 (192.168.1.5) -- Inside#2 (10.3.1.5)
---------------- machine1 ----------------         ---------------- machine2 ----------------

ifconfigs:

machine1:ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.2.1.5 netmask ffff0000 broadcast 10.2.255.255
        ether 8:0:20:a0:47:2d
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.6 netmask ffffff00 broadcast 192.168.1.255
ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
        inet tunnel src 192.168.1.6 tunnel dst 192.168.1.5
        tunnel security settings esp (aes-cbc/hmac-md5)
        tunnel hop limit 60
        inet 10.2.1.5 --> 10.3.1.5 netmask ff000000

machine2:ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
le0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.3.1.5 netmask ffff0000 broadcast 10.3.255.255
        ether 8:0:20:72:97:24
le0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.5 netmask ffffff00 broadcast 192.168.1.255
ip.tun1: flags=10028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,IPv4> mtu 1480 index 4
        inet tunnel src 192.168.1.5 tunnel dst 192.168.1.6
        tunnel security settings esp (aes-cbc/hmac-md5)
        tunnel hop limit 60
        inet 10.3.1.5 --> 10.2.1.5 netmask ff000000

(notice the mask on the tunnel is 255.0.0.0 - I've tried moving it to 255.255.0.0 but it didn't help)

ipnodes:
machine1:cat ipnodes
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
192.168.1.5 outside1

machine2:cat ipnodes
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
192.168.1.6 outside2

machine1:cat ipsecinit.conf
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{ laddr 10.2.1.2 dir both } bypass {}
{} ipsec {encr_algs aes auth_algs md5}
{ laddr 192.168.1.6 raddr 192.168.1.5 } ipsec { auth_algs any encr_algs any sa shared }

machine2:cat ipsecinit.conf
# I opened port 500 for IKE -
{sport 500} bypass {dir out}
{dport 500} bypass {dir in}
{ laddr 10.3.1.5 dir both } bypass {}
{} ipsec {encr_algs aes auth_algs md5}
{ laddr 192.168.1.5 raddr 192.168.1.6 } ipsec { auth_algs any encr_algs any sa shared }

machine1:cat ipseckeys
# outbounds...
add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey 9a1b22a41eddb89d5f3252f98a8a8a8a
add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey 330c106ea11adbf12fd6901d8a8a8a8a
# inbounds...
add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey 0da24e98d882701708bceb348a8a8a8a
add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey 2b3abe29e834bc6590dbecbd8a8a8a8a

machine2:cat ipseckeys
# inbounds...
add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey 9a1b22a41eddb89d5f3252f98a8a8a8a
add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey 330c106ea11adbf12fd6901d8a8a8a8a
# outbounds...
add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey 0da24e98d882701708bceb348a8a8a8a
add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey 2b3abe29e834bc6590dbecbd8a8a8a8a

(these keys have been replaced)

The outside interface crypto is running fine - and each 192 interface
can ping the other.

All of a sudden I can't get the tunnel to ping from 10.2.1.5 to
10.3.1.5, or vice-versa. Was working fine, it just up and died.

No IKE configs exist, and the daemon has not started. Didn't want any
more complications at this point.

Any way to debug this? It looks like the tunnels plumb, and accept
the config, and are up on each machine. They just won't talk!

Oh - on both machines:
ndd -set /dev/ip hme0:ip_forwarding 1
ndd -set /dev/ip ip.tun0:ip_forwarding 1

Thank you in advance! I know this is all too much, but I don't know
where to turn...
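For the "any way to debug this?" question: on a manually keyed tunnel, the first thing to verify is that both hosts load the same SA table and that each protocol has one SA per direction. The script below is an added example, not something from the thread; it parses the two ipseckeys files quoted above (using the poster's placeholder keys) and reports mismatches. It assumes the 192.168.1.x outside addresses are the tunnel endpoints and that, as the post shows, manual keying loads identical add lines on both hosts.

```python
import re
# Matches one 'add' line of a Solaris ipseckeys file (0x prefix on the SPI optional)
SA_LINE = re.compile(
    r"^add\s+(esp|ah)\s+spi\s+(?:0x)?([0-9a-fA-F]+)\s+dst\s+(\S+)\s+"
    r"(?:encr_alg|auth_alg)\s+(\S+)\s+(?:encrkey|authkey)\s+([0-9a-fA-F]+)\s*$"
)
VALID_KEY_BITS = {"aes": {128, 192, 256}, "md5": {128}}  # key sizes valid for the page's algorithms

# Constructed from the poster's ipseckeys (their placeholder keys, not real material);
# both hosts load the same four SAs, only the comments differ, so one copy serves both
MACHINE1_KEYS = """\
# outbounds...
add esp spi 1def804a dst 192.168.1.6 encr_alg AES encrkey 9a1b22a41eddb89d5f3252f98a8a8a8a
add ah spi 7a929bff dst 192.168.1.6 auth_alg MD5 authkey 330c106ea11adbf12fd6901d8a8a8a8a
# inbounds...
add esp spi 41182fc0 dst 192.168.1.5 encr_alg AES encrkey 0da24e98d882701708bceb348a8a8a8a
add ah spi 5b1af7ae dst 192.168.1.5 auth_alg MD5 authkey 2b3abe29e834bc6590dbecbd8a8a8a8a
"""
MACHINE2_KEYS = MACHINE1_KEYS

def parse_ipseckeys(text):
    """Return {(proto, spi): {dst, alg, key}} for each SA; comments and blanks are skipped."""
    sas = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SA_LINE.match(line)
        if not m:
            raise ValueError("unparsed ipseckeys line: " + line)
        proto, spi, dst, alg, key = m.groups()
        sas[(proto, int(spi, 16))] = {"dst": dst, "alg": alg.lower(), "key": key.lower()}
    return sas

def check_manual_sas(local_keys, peer_keys, local_addr, peer_addr):
    """Findings for a manually keyed tunnel pair; an empty list means the SAs line up."""
    local, peer = parse_ipseckeys(local_keys), parse_ipseckeys(peer_keys)
    findings = []
    if local != peer:  # manual keying: both ends must carry identical SAs
        findings.append("SA tables differ between the two hosts")
    for (proto, spi), sa in local.items():
        bits = len(sa["key"]) * 4
        if bits not in VALID_KEY_BITS.get(sa["alg"], set()):
            findings.append("%s spi %x: %d-bit key not valid for %s" % (proto, spi, bits, sa["alg"]))
    for proto in ("esp", "ah"):  # each protocol needs one SA per direction (dst = each endpoint)
        dsts = {sa["dst"] for (p, _), sa in local.items() if p == proto}
        for endpoint in (local_addr, peer_addr):
            if endpoint not in dsts:
                findings.append("no %s SA with dst %s (one direction unkeyed)" % (proto, endpoint))
    return findings
```

Run against the poster's files it returns no findings, which is consistent with the follow-up that the fault was in the rekey timing rather than in the loaded SAs.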
 
Guest

I got it. It was phase 2 IKE (quick my butt). We set rekey timeouts
for 600 secs, but also set phase 1 for 600 secs. It doesn't like both
and revoked the new keyset. Boy, it took me all day to figure that
one out.

buckwheat_phd@yahoo.com (buckwheat) wrote in message news:<4260a1cc.0408241759.61eb4fb@posting.google.com>...
> My solaris 9 tunnel was up and running, then just died. I can't for
> the life of me figure out what I changed, if anything. Can someone
> please lend some thoughts on this?
 
