IPsec PF_KEY UPDATE error


 
# 1  
Old 01-03-2010
Solaris 10: IPsec error

Hello everyone,

First of all, happy new year.
I am trying to set up an IPsec connection from a Solaris 10 server to a Jetdirect 835n print server. We use certificates for the authentication (no preshared keys). Phase 1 completes successfully but phase 2 doesn't. Unfortunately, I have no idea how I can get rid of the error (please see below).

I would be pleased if you could help me with this problem.

Thanks!
Bonusk.


This is the output of /usr/lib/inet/in.iked -d
Code:
Jan 03 17:46:39: Allocating SPI for Phase 2.
Jan 03 17:46:39: SADB GETSPI type == "esp"
Jan 03 17:46:39:   local XX.XX.XX.XX[0]
Jan 03 17:46:39:   remote YY.YY.YY.YY[0]
Jan 03 17:46:39: PF_KEY request:
                        queueing sequence number 11, message type 1 (GETSPI),
                        SA type 3 (ESP)
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 11, message type 1 (GETSPI),
                        SA type 3 (ESP)
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
                        pid 8607, sequence number 11,
                        error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 03 17:46:39: SADB message reply handler:
                        got sequence number 11, message type 1 (GETSPI),
                        SA type 3 (ESP)
Jan 03 17:46:39: Allocating SPI for Phase 2.
Jan 03 17:46:39: Setting PFS for phase 2.
Jan 03 17:46:39: Looking for XX.XX.XX.XX[0] in IKE daemon context...
Jan 03 17:46:39: Starting Phase 2 negotiation...
Jan 03 17:46:39: Setting QM nonce data length to 32 bytes.
Jan 03 17:46:39: IKE library: Using default remote port for NAT-T, if active.
Jan 03 17:46:39: Processing quick mode notification.
Jan 03 17:46:39: Handling responder lifetime notification from YY.YY.YY.YY.
Jan 03 17:46:39: Peer (YY.YY.YY.YY) wants lifetime of 3600 secs, 0 kb for SPI: = 0x83058ff7
Jan 03 17:46:39: Current lifetime 28800 secs 134217728 kb
Jan 03 17:46:39: Current soft lifetime 24000 secs 120795955 kb
Jan 03 17:46:39: Checking lifetimes in "Responder Lifetime"
Jan 03 17:46:39: Using default value for p2 soft lifetime: 3240 seconds.
Jan 03 17:46:39: Using default value for p2 idle lifetime: 1800 seconds.
Jan 03 17:46:39: Using default value for p2 byte lifetime: 3774873600 kb
Jan 03 17:46:39: Using default value for p2 soft byte lifetime: 390909132 kb
Jan 03 17:46:39: Updated lifetime 3600 secs 3774873600 kb
Jan 03 17:46:39: Updated soft lifetime 3240 secs 390909132 kb
Jan 03 17:46:39: Updating esp SPI: 0x83058ff7 SA lifetime....
Jan 03 17:46:39: Looking for YY.YY.YY.YY[0] in IKE daemon context...
Jan 03 17:46:39: PF_KEY request:
                        queueing sequence number 12, message type 13 (X_UPDATEPAIR),
                        SA type 3 (ESP)
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 12, message type 13 (X_UPDATEPAIR),
                        SA type 3 (ESP)
Jan 03 17:46:39:   Marshalling: Transport Mode
Jan 03 17:46:39:   Marshalling: Transport Mode
Jan 03 17:46:39: ISAKMP 28800, rule 28800, p1 cache 3600 sec
Jan 03 17:46:39: ISAKMP 0, rule 134217728, p1 cache 3774873600 kb
Jan 03 17:46:39: Checking lifetimes in "Outbound SA."
Jan 03 17:46:39: Using default value for p2 soft lifetime: 3240 seconds.
Jan 03 17:46:39: Using default value for p2 idle lifetime: 1800 seconds.
Jan 03 17:46:39: p2 byte lifetime too small.
Jan 03 17:46:39: Using default value for p2 byte lifetime: 3774873600 kb
Jan 03 17:46:39: Using default value for p2 soft byte lifetime: 390909132 kb
Jan 03 17:46:39: Adding Outbound P2 SA: XX.XX.XX.XX -> YY.YY.YY.YY, SPI = 0x83058ff7
Jan 03 17:46:39: Adding Inbound P2 SA: YY.YY.YY.YY -> XX.XX.XX.XX, SPI = 0x893aa2fa
Jan 03 17:46:39:   SA Hard Lifetime = 3600 secs, Soft Lifetime = 3240 secs.
Jan 03 17:46:39:   Lifetime = 3865470566400 Bytes, Soft Lifetime = 400290951168 Bytes
Jan 03 17:46:39: PF_KEY message contents:
Timestamp: Sun Jan 03 17:46:39 2010
Base message (version 2) type ADD, SA type ESP.
Message length 424 bytes, seq=4294957150, pid=8607.
KMC: Protocol 1, cookie="IPsec with PKI" (5)
SA: SADB_ASSOC spi=0x83058ff7, replay window size=32, state=MATURE
SA: Authentication algorithm = hmac-sha1
SA: Encryption algorithm = 3des-cbc
SA: flags=0x18000 < X_PAIRED X_OUTBOUND >
OTH: Paired with spi=0x893aa2fa
SRC: Source address (proto=0)
SRC: AF_INET: port 0, XX.XX.XX.XX.
DST: Destination address (proto=0)
DST: AF_INET: port 0, YY.YY.YY.YY.
EKY: Encryption key.
EKY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/192
AKY: Authentication key.
AKY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/160
SID: Source identity, uid=802928, type ASN.1 DER Distinguished Name
SID: C=DE, O=Company, OU=Company CA, OU=PKI, CN=Client
DID: Destination identity, uid=0, type user-FQDN (mbox)
DID: pki@company.com
 LT: Lifetime information
SLT: Soft lifetime information:  400290951168 bytes of lifetime, 0 allocations.
SLT: 3240 seconds of post-add lifetime.
SLT: 0 seconds of post-use lifetime.
HLT: Hard lifetime information:  3865470566400 bytes of lifetime, 0 allocations.
HLT: 3600 seconds of post-add lifetime.
HLT: 0 seconds of post-use lifetime.
Jan 03 17:46:39: PF_KEY request:
                        queueing sequence number 4294957150, message type 3 (ADD),
                        SA type 3 (ESP)
Jan 03 17:46:39:   Marshalling: Transport Mode
Jan 03 17:46:39: ISAKMP 28800, rule 28800, p1 cache 3600 sec
Jan 03 17:46:39: ISAKMP 0, rule 134217728, p1 cache 134217728 kb
Jan 03 17:46:39: Checking lifetimes in "Inbound SA."
Jan 03 17:46:39: Using default value for p2 soft lifetime: 3240 seconds.
Jan 03 17:46:39: Using default value for p2 idle lifetime: 1800 seconds.
Jan 03 17:46:39: p2 byte lifetime too small.
Jan 03 17:46:39: Using default value for p2 byte lifetime: 3774873600 kb
Jan 03 17:46:39: Using default value for p2 soft byte lifetime: 390909132 kb
Jan 03 17:46:39: Adding Inbound P2 SA: YY.YY.YY.YY -> XX.XX.XX.XX, SPI = 0x893aa2fa
Jan 03 17:46:39: Adding Outbound P2 SA: XX.XX.XX.XX -> YY.YY.YY.YY, SPI = 0x83058ff7
Jan 03 17:46:39:   SA Hard Lifetime = 3600 secs, Soft Lifetime = 3240 secs.
Jan 03 17:46:39:   Lifetime = 3865470566400 Bytes, Soft Lifetime = 400290951168 Bytes
Jan 03 17:46:39: Incoming SA: PF_KEY lifetime 3600 secs, ISAKMP lifetime 28800 secs.
Jan 03 17:46:39: Adding Incoming P2 SA: YY.YY.YY.YY -> XX.XX.XX.XX, SPI = 0x893aa2fa, Lifetime = 3600 secs.
Jan 03 17:46:39: PF_KEY message contents:
Timestamp: Sun Jan 03 17:46:39 2010
Base message (version 2) type UPDATE, SA type ESP.
Message length 416 bytes, seq=4294957150, pid=8607.
KMC: Protocol 1, cookie="IPsec with PKI" (5)
SA: SADB_ASSOC spi=0x893aa2fa, replay window size=32, state=MATURE
SA: Authentication algorithm = hmac-sha1
SA: Encryption algorithm = 3des-cbc
SA: flags=0x4000 < X_INBOUND >
SRC: Source address (proto=0)
SRC: AF_INET: port 0, YY.YY.YY.YY.
DST: Destination address (proto=0)
DST: AF_INET: port 0, XX.XX.XX.XX.
EKY: Encryption key.
EKY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/192
AKY: Authentication key.
AKY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/160
DID: Destination identity, uid=1324236844, type ASN.1 DER Distinguished Name
DID: C=DE, O=Company, OU=Company CA, OU=PKI, CN=Client
SID: Source identity, uid=1327212332, type user-FQDN (mbox)
SID: pki@company.com
 LT: Lifetime information
SLT: Soft lifetime information:  400290951168 bytes of lifetime, 0 allocations.
SLT: 3240 seconds of post-add lifetime.
SLT: 0 seconds of post-use lifetime.
HLT: Hard lifetime information:  3865470566400 bytes of lifetime, 0 allocations.
HLT: 3600 seconds of post-add lifetime.
HLT: 0 seconds of post-use lifetime.
Jan 03 17:46:39: PF_KEY request:
                        queueing sequence number 4294957150, message type 2 (UPDATE),
                        SA type 3 (ESP)
Jan 03 17:46:39: Quick Mode negotiation completed.
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 13 (X_UPDATEPAIR), SA type 3 (ESP),
                        pid 8607, sequence number 12,
                        error code 3 (No such process), diag code 78 (Security association not found), length 2
Jan 03 17:46:39: SADB message reply handler:
                        got sequence number 12, message type 13 (X_UPDATEPAIR),
                        SA type 3 (ESP)
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 4294957150, message type 3 (ADD),
                        SA type 3 (ESP)
Jan 03 17:46:39: PF_KEY UPDATE error: No such process; Diagnostic Security association not found.
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 3 (ADD), SA type 3 (ESP),
                        pid 8607, sequence number 4294957150,
                        error code 0 (Error 0), diag code 0 (No diagnostic), length 45
Jan 03 17:46:39: SADB message reply handler:
                        got sequence number 4294957150, message type 3 (ADD),
                        SA type 3 (ESP)
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 4294957150, message type 2 (UPDATE),
                        SA type 3 (ESP)
Jan 03 17:46:39: Handling data on PF_KEY socket:
                         SADB msg: message type 2 (UPDATE), SA type 3 (ESP),
                         pid 8607, sequence number 4294957150,
                         error code 0 (Error 0), diag code 0 (No diagnostic), length 44
Jan 03 17:46:39: SADB message reply handler:
                         got sequence number 4294957150, message type 2 (UPDATE),
                         SA type 3 (ESP)

This is the output of ipseckey dump
Code:
Base message (version 2) type DUMP, SA type ESP.
Message length 440 bytes, seq=1, pid=9558.
SA: SADB_ASSOC spi=0x83058ff7, replay window size=32, state=MATURE
SA: Authentication algorithm = hmac-sha1
SA: Encryption algorithm = 3des-cbc
SA: flags=0x80018000 < X_USED X_PAIRED X_OUTBOUND >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, XX.XX.XX.XX (server_hostname).
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, YY.YY.YY.YY (printserver_hostname).
KMC: Protocol 1, cookie="IPsec with PKI" (5)
AKY: Authentication key.
AKY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/160
EKY: Encryption key.
EKY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/192
SID: Source identity, uid=0, type ASN.1 DER Distinguished Name
SID: C=DE, O=company, OU=company CA, OU=PKI, CN=Client
DID: Destination identity, uid=0, type user-FQDN (mbox)
DID: pki@company.com
OTH: Paired with spi=0x893aa2fa
RPL: Replay Value 32
 LT: Lifetime information
CLT: 1536 bytes protected, 0 allocations used.
CLT: SA added at time Sun Jan 03 17:46:39 2010
CLT: SA first used at time Sun Jan 03 17:46:39 2010
CLT: Time now is Sun Jan 03 18:05:14 2010
SLT: Soft lifetime information:  400290951168 bytes of lifetime, 0 allocations.
SLT: 3218 seconds of post-add lifetime.
SLT: 0 seconds of post-use lifetime.
SLT: 400290949632 more bytes can be protected.
SLT: Soft expiration occurs in 2103 seconds, at Sun Jan 03 18:40:17 2010.
HLT: Hard lifetime information:  3865470566400 bytes of lifetime, 0 allocations.
HLT: 3600 seconds of post-add lifetime.
HLT: 0 seconds of post-use lifetime.
HLT: 3865470564864 more bytes can be protected.
HLT: Hard expiration occurs in 2485 seconds, at Sun Jan 03 18:46:39 2010.

Base message (version 2) type DUMP, SA type ESP.
Message length 424 bytes, seq=1, pid=9558.
SA: SADB_ASSOC spi=0x893aa2fa, replay window size=32, state=MATURE
SA: Authentication algorithm = hmac-sha1
SA: Encryption algorithm = 3des-cbc
SA: flags=0x14000 < X_PAIRED X_INBOUND >
SRC: Source address (proto=0/<unspecified>)
SRC: AF_INET: port 0, YY.YY.YY.YY (printserver_hostname).
DST: Destination address (proto=0/<unspecified>)
DST: AF_INET: port 0, XX.XX.XX.XX (server_hostname).
KMC: Protocol 1, cookie="IPsec with PKI" (5)
AKY: Authentication key.
AKY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/160
EKY: Encryption key.
EKY: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/192
SID: Source identity, uid=0, type user-FQDN (mbox)
SID: pki@company.com
DID: Destination identity, uid=0, type ASN.1 DER Distinguished Name
DID: C=DE, O=company, OU=company CA, OU=PKI, CN=Client
OTH: Paired with spi=0x83058ff7
 LT: Lifetime information
CLT: 0 bytes protected, 0 allocations used.
CLT: SA added at time Sun Jan 03 17:46:39 2010
CLT: Time now is Sun Jan 03 18:05:14 2010
SLT: Soft lifetime information:  400290951168 bytes of lifetime, 0 allocations.
SLT: 3240 seconds of post-add lifetime.
SLT: 0 seconds of post-use lifetime.
SLT: 400290951168 more bytes can be protected.
SLT: Soft expiration occurs in 2125 seconds, at Sun Jan 03 18:40:39 2010.
HLT: Hard lifetime information:  3865470566400 bytes of lifetime, 0 allocations.
HLT: 3600 seconds of post-add lifetime.
HLT: 0 seconds of post-use lifetime.
HLT: 3865470566400 more bytes can be protected.
HLT: Hard expiration occurs in 2485 seconds, at Sun Jan 03 18:46:39 2010.

Dump succeeded for SA type 0.


(Update) This is the output of ikeadm dump p1
Code:
IKESA: Cookies: Initiator 0x32d22dddedf817ab  Responder 0xa1673e979ad6d02
IKESA: The local host is the initiator.
IKESA: ISAKMP version 1.0; main mode (identity protect) exchange
IKESA: Current state is ACTIVE
XFORM: Authentication method: RSA signatures
XFORM: Encryption alg: 3des-cbc(192); Authentication alg: hmac-md5
XFORM: PRF: HMAC MD5 ; Oakley Group: 1024-bit MODP (group 2)
XFORM: Phase 2 PFS is required (Oakley Group: 1536-bit MODP (group 5))
LOCIP: Address (Initiator):
LOCIP: AF_INET: port 0, xx.xx.xx.xx (server_hostname).
REMIP: Address (Responder):
REMIP: AF_INET: port 0, yy.yy.yy.yy (printserver_hostname).
LIFTM: Lifetime limits:
LIFTM: 3600 seconds; 0 kbytes protected; 0 keymat provided.
LIFTM: Current usage:
LIFTM: SA was created at Sun Jan 03 19:14:04 2010
LIFTM: 4 kbytes protected; 4 keymat provided.
LIFTM: Expiration info:
LIFTM: SA expires in 3435 seconds, at Sun Jan 03 20:14:04 2010
STATS: 1 Quick Mode SAs created; 0 Quick Mode SAs deleted
ERRS:  0 RX errors: 0 decryption, 0 hash, 0 other
ERRS:  0 TX errors
LOCID: Initiator identity, uid=0, type ASN.1 DER Distinguished Name
LOCID: C=DE, O=Comany, OU=Comany CA, OU=PKI, CN=Client
REMID: Responder identity, uid=0, type user-FQDN (mbox)
REMID: pki@company.com

This is the output of ipsecconf -l
Code:
#INDEX 435
{ laddr ca1-neu/32 raddr hplj_sec/32 dir out } ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-md5(128) sa shared }
#INDEX 436
{ laddr ca1-neu/32 raddr hplj_sec/32 dir in } ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs 3des-cbc(192) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs aes-cbc(128..256) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs des-cbc(64) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs blowfish-cbc(128..448) encr_auth_algs hmac-md5(128) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha512(512) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha384(384) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha256(256) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-sha1(160) sa shared } or ipsec 
{ encr_algs null encr_auth_algs hmac-md5(128) sa shared }

Thanks!

Last edited by bonusk; 01-04-2010 at 11:59 AM.. Reason: Title update
# 2  
Old 01-04-2010
Hi,

Sorry to bother again.
I'd like to add that I tried to reboot the server, but I get the same error:

Code:
Jan 04 18:44:19: Incoming SA: PF_KEY lifetime 3600 secs, ISAKMP lifetime 28800 secs.
Jan 04 18:44:19: Adding Incoming P2 SA: YY.YY.YY.YY -> XX.XX.XX.XX, SPI = 0x6d7068e7, Lifetime = 3600 secs.
Jan 04 18:44:19: PF_KEY UPDATE error: No such process; Diagnostic Security association not found.

Help!

Thanks.
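
Added example, not part of the thread and not Solaris code: a small Python script that pairs each PF_KEY request in `in.iked -d` output with the kernel's reply by sequence number and message type, and reports the replies with a non-zero error code together with the message types the daemon had posted before the failing one. The function names are hypothetical, and the sample log is condensed from the output quoted in post #1.

```python
import re

# Sample input: condensed from the in.iked -d output quoted in post #1
# (same lines as in the thread, unrelated lines left out).
SAMPLE_LOG = """\
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 11, message type 1 (GETSPI),
                        SA type 3 (ESP)
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 1 (GETSPI), SA type 3 (ESP),
                        pid 8607, sequence number 11,
                        error code 0 (Error 0), diag code 0 (No diagnostic), length 10
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 12, message type 13 (X_UPDATEPAIR),
                        SA type 3 (ESP)
Jan 03 17:46:39: Quick Mode negotiation completed.
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 13 (X_UPDATEPAIR), SA type 3 (ESP),
                        pid 8607, sequence number 12,
                        error code 3 (No such process), diag code 78 (Security association not found), length 2
Jan 03 17:46:39: PF_KEY transmit request:
                        posting sequence number 4294957150, message type 3 (ADD),
                        SA type 3 (ESP)
Jan 03 17:46:39: Handling data on PF_KEY socket:
                        SADB msg: message type 3 (ADD), SA type 3 (ESP),
                        pid 8607, sequence number 4294957150,
                        error code 0 (Error 0), diag code 0 (No diagnostic), length 45
"""

POSTED = re.compile(r"posting sequence number (\d+), message type \d+ \((\w+)\)")
REPLY = re.compile(
    r"SADB msg: message type \d+ \((\w+)\).*?sequence number (\d+), "
    r"error code (\d+) \(([^)]*)\), diag code (\d+) \(([^)]*)\)")


def records(text):
    """Fold indented continuation lines into the line above them."""
    out = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.strip())
    return out


def failed_requests(text):
    """Return one dict per PF_KEY reply whose error code is non-zero."""
    posted, failures = [], []
    for rec in records(text):
        m = POSTED.search(rec)
        if m:
            posted.append((int(m.group(1)), m.group(2)))
            continue
        m = REPLY.search(rec)
        if m and int(m.group(3)) != 0:
            # ADD and UPDATE share a sequence number in this log, so the
            # key is (sequence number, message type), not the number alone.
            key = (int(m.group(2)), m.group(1))
            # Message types already posted when the failing request was sent.
            earlier = [t for _, t in posted[:posted.index(key)]] if key in posted else None
            failures.append({"type": key[1], "seq": key[0], "errno": m.group(4),
                             "diag": m.group(6), "posted_before": earlier})
    return failures


if __name__ == "__main__":
    for failure in failed_requests(SAMPLE_LOG):
        print(failure)
```

On the sample it reports the single failing X_UPDATEPAIR request (sequence number 12), with GETSPI as the only message posted before it.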