How to configure IPsec/IKE on Sun.

Hi
I am new to Sun IPsec configuration and hope to get help configuring IPsec and testing it with Windows XP or a device.
I did the following configuration on a Sun 5.10 OS:
1. Configured an IKE rule in the config file
{
    label "simple inheritor2"
    local_id_type ipv4
    local_addr 10.62.18.131
    remote_addr 10.62.18.139
    p1_xform
    { auth_method preshared  oakley_group 2  auth_alg sha  encr_alg 3des }
}
and was able to verify the file using in.iked.
2. Configured preshared key in ike.preshared
{
    localidtype IP
    localid 10.62.18.131
    remoteidtype IP
    remoteid 10.62.18.139
    # key is given hex-encoded
    key ac077cc699c17055848a3cf34377980aac077cc699c17055
}
3. Configured IPsec policy in ipsecinit.conf as
{ laddr 10.62.18.131 raddr 10.62.18.139 } ipsec {
    encr_algs 3DES
    encr_auth_algs SHA1
}
I configured a matching policy in XP. After I rebooted the Sun system and triggered traffic from XP to the Sun system, I saw that the first two IKE phase one exchanges were fine, but the Sun system didn't respond to the ID payload sent from XP.
I suspect a few things. One is the ID: if I use ikeadm to dump the rule, it says unknown local ID and remote ID. Where and how should I specify the local and remote ID?
The other thing I suspect is the preshared key. The admin guide says the key should correspond to the algorithm; I used the one for 3DES (24 bytes). Should I also consider SHA1 when specifying the preshared key, or doesn't it matter?
Also, where is the IPsec/IKE log file? The admin guide doesn't indicate that.
Thanks a lot!

Hi Dan
Thanks. Your suggestion is constructive. I hope to get your further help to straighten it out. I tried to use the following key in Sun:
key 606162636465666768696a6b6c6d6e6f7071727374
and used abcdefghijklmnopqrst on XP as the preshared key. The length should be good for both DES and SHA1.
When triggering traffic from Sun, I got the following from the Sun log file:
Thu Nov 15 17:42:05 2007: in.iked: In ssh_policy_isakmp_nonce_data_len.
Thu Nov 15 17:42:05 2007: in.iked: ssh_policy_isakmp_nonce_data_len: natt_state 0
Thu Nov 15 17:42:05 2007: in.iked: spsi: ike_send_packet 0
Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_udp_callback_common 0
Thu Nov 15 17:42:06 2007: in.iked: spsi: portjump -1
Thu Nov 15 17:42:06 2007: in.iked: In ssh_policy_find_pre_shared_key.
Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_send_packet -1
Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_send_packet -1
Thu Nov 15 17:42:06 2007: in.iked: spsi: ike_udp_callback_common -1
Thu Nov 15 17:42:07 2007: in.iked: spsi: ike_send_packet -1
Thu Nov 15 17:42:08 2007: in.iked: spsi: ike_udp_callback_common -1
Thu Nov 15 17:42:08 2007: in.iked: spsi: ike_send_packet -1
Thu Nov 15 17:42:09 2007: in.iked: spsi: ike_udp_callback_common -1
Thu Nov 15 17:42:09 2007: in.iked: IKE error: type 8194 (No SA established), decrypted 0, rx 1
Thu Nov 15 17:42:09 2007: in.iked: pm_info null! (msg type 8194 (No SA established))
Windows XP was able to process the KE payload sent from Sun and sent its KE payload, but complains that the ID payload from Sun is invalid.
Any thoughts on what was going on? Thanks a lot!
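One check worth running on the posted fragments before digging further into the exchange (an added example, not code from this thread or from Solaris): it decodes the hex key that ike.preshared expects and compares it byte for byte with the string typed into the XP policy, and confirms that the IKE rule and the preshared entry name the same address pair. Inputs are the fragments as posted with closing braces restored; it assumes the XP side uses the ASCII bytes of the typed string, which is what the poster's own hex conversion assumes.

```python
import re

# Constructed inputs: the two fragments as posted in the thread, with the
# closing braces restored, and the text key the follow-up says was typed on XP.
IKE_CONFIG = """{
    label "simple inheritor2"
    local_id_type ipv4
    local_addr 10.62.18.131
    remote_addr 10.62.18.139
    p1_xform
    { auth_method preshared  oakley_group 2  auth_alg sha  encr_alg 3des }
}"""
IKE_PRESHARED = """{
    localidtype IP
    localid 10.62.18.131
    remoteidtype IP
    remoteid 10.62.18.139
    key 606162636465666768696a6b6c6d6e6f7071727374
}"""
XP_PRESHARED_TEXT = "abcdefghijklmnopqrst"

# Longer keywords come before their prefixes so 'localidtype' is not read as 'localid'.
KEYWORDS = ("label", "local_id_type", "local_addr", "remote_addr",
            "localidtype", "localid", "remoteidtype", "remoteid", "key")
KV_RE = re.compile(r'\b(%s)\s+("[^"]*"|\S+)' % "|".join(KEYWORDS))


def parse_kv(text):
    """Extract 'keyword value' pairs from a brace-delimited Solaris IKE fragment."""
    return {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(text)}


def decode_preshared_hex(hexkey):
    """ike.preshared stores the key as a hex string; return its raw bytes or raise."""
    if len(hexkey) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexkey):
        raise ValueError("key must be an even-length hex string")
    return bytes.fromhex(hexkey)


def compare_keys(hexkey, windows_text):
    """Line up the Solaris hex key with the ASCII bytes of the key typed on Windows."""
    sol, win = decode_preshared_hex(hexkey), windows_text.encode("ascii")
    report = {"solaris_bytes": len(sol), "windows_bytes": len(win),
              "match": sol == win}
    if sol != win:
        common = min(len(sol), len(win))
        # Offset of the first differing byte (or the shorter length if one is a prefix).
        report["first_diff_offset"] = next(
            (i for i in range(common) if sol[i] != win[i]), common)
        report["solaris_decoded"] = sol.decode("ascii", "replace")
    return report


def check_addresses(ike_cfg, preshared):
    """The IKE rule and the preshared entry must name the same local/remote pair."""
    rule, psk = parse_kv(ike_cfg), parse_kv(preshared)
    return (rule.get("local_addr") == psk.get("localid")
            and rule.get("remote_addr") == psk.get("remoteid"))


if __name__ == "__main__":
    print("addresses consistent:", check_addresses(IKE_CONFIG, IKE_PRESHARED))
    print(compare_keys(parse_kv(IKE_PRESHARED)["key"], XP_PRESHARED_TEXT))
```

On the posted key the report shows 21 bytes against the 20 bytes of the XP string, with a leading 0x60 in front of "abcdefghijklmnopqrst". In IKEv1 main mode with preshared-key authentication the ID payloads of messages five and six are encrypted under keys derived from the preshared key, so a key that differs between the peers surfaces as a garbled or "invalid" ID payload rather than as an explicit authentication error.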

Similar Messages

  • How to configure the network on Sun Solaris 8

    The Sun workstation is a license server, and a Windows NT workstation needs to access the license file that is located on the Sun workstation.
    Now the Windows NT workstation cannot connect with the Sun Solaris, and I guess that I need to configure the network on Sun Solaris 8.
    Could you please tell me how to do that step by step?
    Is there a system tool, like on the Windows system, to configure the network easily and quickly?
    I appreciate it.
    Mark

    If your Sun system is working then it probably has the network configured already. You can check it with the following command on the Sun:
    ifconfig -a
    Generally applications ask where the license server is located and you need to give the IP address or host name only. Application docs will give more detail about it.
    You can get the IP address from the ifconfig command above.
    Hemant Sharma
    http://www.adminschoice.com

  • How to configure IPsec policy on Windows Server 2008 R2 to permit local machine only access to the gateway, one other server and its local IP?

    I have applied an IPsec policy on a local machine (IP address: 10.82.138.76) with Windows Server 2008 Enterprise R2 installed, which only permits the local machine to communicate with itself, one other server (IP address: 10.82.138.77) and the gateway device (IP address: 10.82.138.1). After I assigned this policy, I can ping the gateway (IP address: 10.82.138.1) and the other server (IP address: 10.82.138.77), but I can't ping the local machine itself (IP address: 10.82.138.76). Could anybody tell me why and how to solve this problem? When I applied the same policy to Windows Server 2003 Enterprise, I can ping the local machine IP address.

    Hi,
    Thanks for your post.
    First, try to ping the loopback address 127.0.0.1. If the loopback test succeeds but you cannot ping the local IP address, please post the unedited ipconfig /all and route print output of the problematic computer.
    For test purposes, you may refer to the following lab step-by-step guide to deploying Tunnel Mode IPsec. Hope it helps.
    Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc732400(v=ws.10)
    Connection Security and IPsec
    http://technet.microsoft.com/en-us/library/cc771593(v=ws.10).aspx
    Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway
    http://technet.microsoft.com/en-us/library/dd759083
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • Configuring IPSec in Solaris 9

    Hello Friends,
    I want to configure IPsec in Solaris 9 so that a Win2k/XP machine can communicate with that Solaris machine using IPsec. Could anybody help me regarding this? I have a basic idea of IPsec. I just want step-by-step instructions on how to configure it. I have searched through Google and found many docs which instruct how to configure IPsec between Solaris only and also between Windows only, and I have succeeded in doing so. But I failed to configure it between Solaris and Windows.
    Thanks and Regards
    Dipta P Banerjee

    yes, you can use oracle thin driver.
    Your connection pool configuration is actually using datasource of oracle thin driver.
    1) download oracle thin driver from oracle
    2) the .jar needs to be kept in AS_INSTALL/domains/<domain-name>/lib/ext
    3) restart AS
    4) set all the necessary properties for the Oracle thin driver connection pool (refer to App Server Administration Guide > JDBC Resources > Config. for specific JDBC Drivers > Oracle thin type 4 driver)
    5) Ping conn. pool
    If you are still getting the failure message, please post
    1) exception got during ping, from domains/<domain-name>/logs/server.log
    2) connection pool configuration
    Thanks,
    -Jagadish

  • How to configure oracle thin drivers for SUN APPLICATION SERVER

    hi all,
    I am working with EJB with Oracle as the back-end. I want to know how to configure Oracle thin drivers for the SUN APPLICATION SERVER. Please explain it to me briefly.
    Thanks in advance for all the replies.
    with regards,
    /kumaraswamy.n

    Kumaraswamy,
    Did you try searching the Internet? Here are the results of my Internet search:
    http://tinyurl.com/zo4gk
    And one of the first hits in the list was this:
    Deploying to a Sun Java System Application Server
    Good Luck,
    Avi.

  • How to configure informix connection pool in sun-one appserver 7

    Hello,
    Does anybody know how to configure Informix connection pool properties in sun-one appserver 7?
    Thanks in advance.

    Actually, I couldn't get any advice here. But now I know how to configure it; I spent 2 days searching and testing it. Follow:
    jdbc class:com.informix.jdbcx.IfxDataSource
    serverName=(INFORMIXSERVER)
    portNumber=1526(default)
    IfxIFXHOST=(host ip)
    databaseName=(your dbname)
    user=(your username)
    password=(your pwd)
    Attention: configure the right transaction and userthreads in your Informix server.
    Hope helpful to someone!

  • How to configure Sun Java System Application Server Enterprise Edition 8.1

    hi all,
    How to configure Sun Java System Application Server Enterprise Edition 8.1 with my IDE (JStudio)?
    I have installed JES on my Windows system, so I have removed the platform version of Application Server.
    I tried to add the Enterprise Application Server (Sun Java System Application Server Enterprise Edition 8.1) to the JStudio IDE,
    but I couldn't.

    Configuring your IDE to integrate with Sun App Server is something you probably will have to ask in some sort of JStudio forum. Other than for Netbeans, Eclipse, or possibly IntelliJ IDEA, you might not have much luck answering an IDE question here. I could be wrong though. Maybe somebody will have an answer for you and set me straight.

  • How to configure multiple LDAP servers for the Sun Access Manager

    Hi,
    Please help: how to configure multiple LDAP servers for the Sun Access Manager, for example if Access Manager doesn't find the user in ldap1 then it should search in ldap2.
    Thanks
    Mouli

    There's no need for deleting the default amSDK based datastore because it's needed for some default accounts.
    You may try to create the datastore using the command line (amadmin).
    Have a look at /etc/opt/SUNWam/config/xml/idRepoService.xml
    You may also try to create the amadmin account in the external LDAP directory.
    (Un)fortunately I've never tried to remove the default datastore.
    -Bernhard

  • Don't know which technology to utilize or how to configure ASA5505

    I have an ASA5505. Currently, it is using static NAT on several ports to forward traffic to several devices inside my network. It is a pain not only to configure but from the end user side.
    The issue I am having is the applications I am using to access the devices become a mess with dual configurations, one for when I am connected to the internal network and one for when I am away from the office and accessing from the internet. For example, I have 2 Cisco VC240 IP Cameras behind the ASA5505. One is set to use port 9091 and the other 9092. When I am inside the office, I access them via http://10.1.2.215:9091 and http://10.1.2.216:9092. But when I am away from the office, I have to have another configuration in an Android app to use them, http://external_ASA_IP:9091 and 9092, and then NAT 9091 to the object for Camera1 and 9092 for Camera2. This is only one scenario. I also have a UC320W that I would like to put an IP phone at home on, and it sounds like AnyConnect is the only way to do this.
    It sounds to me like if I use some type of VPN, I can access the same devices using the same IP whether internal or external, with the external connection using the VPN to tunnel the IP to the local network. There seem to be quite a few ways to do this with an ASA 5505.
    AnyConnect seems like the way to go, but after reading Cisco documentation, it requires your Android device to be rooted if it is not a particular Samsung model. If I understand correctly, rooting your phone voids the warranty. I know it is common practice but would think Cisco would have a better solution, as I am sure Cisco would not want another manufacturer telling their customers to void the warranty on their Cisco equipment in order to get it to work.
    I believe I can just use IPsec and use the native VPN of the Android OS and also tunnel L2TP, as Android supports IPSEC-PSK/L2TP or IPSEC-CRT/L2TP. But will either of these support the IP phone to the UC320W?
    A friend also told me to use NginX to proxy URLs so the URL http://www.fqdn.com/camera1 gets proxied to the internal IP of Camera1 and http://www.fqdn.com/camera2 gets proxied to Camera2. He says I should be able to store a cookie on the phone and let the phone authenticate to the camera, and if the phone cannot, the proxy can authenticate internally to the IP camera over SSL.
    I don't know anymore; I am so confused and just want to simplify my life, as I am just a small business with me and a couple other employees, but I have a full-time job and it is not IT/Network Technician, it is only CTO/CEO/CIO/CFO. I don't have hours upon hours to set this up and test, and I don't have hours upon hours to manage it. I just need to simplify this and have it so that it is set-it-and-forget-it for 6 months to 1 year and then re-evaluate or update. So, if someone suggests IPsec, I would not know how to configure it anyway and you should expect another post. The same for AnyConnect or any of the other suggestions.
    Thanks in advance for any advice.

    Hi!
    1. Set Calculation Mode property of ITEM_5 to Formula.
    Formula property:
    nvl(:Block_Name.ITEM_1, 0) + nvl(:Block_Name.ITEM_2, 0) + nvl(:Block_Name.ITEM_3, 0) + nvl(:Block_Name.ITEM_4, 0)
    OR
    Function_Name(Param_1,... Param_N);
    Have in view of, that the ITEM_5 data will not be saved in DataBase.
    2. The When-Validate-Item trigger is useful when it is necessary to store calculated item data in the database.
    Rename your Post-Query trigger to When-Validate-Item.
    Modify trigger: Store calculation result in the variable.
    (Don't forget to round variable value!)
    Then compare it with ITEM_5. If they are different - :ITEM_5 := var_name.
    I prefer the first method.

  • How to Configure Multiple Relays / Mail Gateways

    Platform: Sun Solaris 8
    Software: iMS 5.2
    How to configure two MX (relay/gateway server) records in the imta config file? Our requirement is to have two gateways defined, for example "xyz.net" and "xyz.com". All emails destined to email addresses ending with ".net" should use the "xyz.net" gateway and the rest of them should use the "xyz.com" gateway, and the configuration should be flexible enough to accommodate future additions to our gateways.
    An early response would be appreciated.
    Thanks
    Arun Addepalli

    Well, to point the outside mail servers to your gateways, just put MX entries for each domain into DNS and point DNS to the correct host for that domain.
    To make the mail server recognize the domain, just create it in the ida and put the users under that domain. The users' mailhost attribute will take care of letting the gateways know where to forward the mail so it will go to the correct host.
    If you need to do domain aliasing with the same users for both domains that is a bit different. Do you need to do this?

  • How to Configure the Communication among Multiple OpenMQ Servers

    Hi,
    My application is distributed across multiple machines available in the LAN.
    Components running on one machine can only communicate with the OpenMQ server running on the same machine.
    I want to run an OpenMQ server on all the machines where components of my application are running.
    I also want a way of communication between all OpenMQ servers so that the OpenMQ servers exchange messages among themselves to transfer a message to the destination component running on any of the machines in the LAN.
    How can I configure two OpenMQ servers to communicate with each other?
    Please help with a sample configuration or example.
    Thanks & regards,
    Pawan Modi

    Hi Pawan,
    It sounds like you are asking how to configure a cluster of Open Message Queue brokers.
    There's a general explanation of broker clusters at
    [http://docs.sun.com/app/docs/doc/820-6424/aerdj?a=view|http://docs.sun.com/app/docs/doc/820-6424/aerdj?a=view]
    Details of how to configure them are given at
    [http://docs.sun.com/app/docs/doc/820-6740/aeohv?a=view|http://docs.sun.com/app/docs/doc/820-6740/aeohv?a=view]
    Nigel

  • How to Configure OIM 9.1 for Request-Based Provisioning

    Hi experts,
    I am new to OIM and need to know how to configure request based provisioning. Here is the scenario.
    My environment has two target systems (Sun LDAP and Novell EDirectory) configured for provisioning to OIM 9.1
    A user should be able to login, request either or both (SUN LDAP and EDir) for self or others.
    Now the request should go to an admin for approval.
    Once approved, the requested accounts should be created on the target systems.
    Please guide me on the procedure to be followed.
    Many thanks in advance

    You will have to download the standard out of the box connector for these target systems and will have to import it through the Deployment Manager into OIM. Then you will have to create the process definition of approval type and attach it to the same resource object. Please read the below link before implementing anything. This will give you a better idea.
    http://download.oracle.com/docs/cd/E10391_01/doc.910/e10363.pdf

  • How to configure PPPoE in solaris 10

    Hi
    As I have to configure the Internet on one Intel-based Solaris box [Solaris 10], can you tell me the steps to configure it, as I have a broadband connection from Iqara?

    hi,
    Did you configure your interface for PPPoE? The first step is configuring your interface for PPPoE and then you can define a PPPoE access server.
    please look at http://docs.sun.com/app/docs/doc/816-4555/6maoquija?a=view for details.
    yavuz

  • Reg: How to Configure internet for solaris 10 in x86 32 bit

    Hi,
    I am new to Sun Solaris. Can anyone help me with detailed steps on how to configure the Internet for a standalone PC? Thanks in advance.
    Thanx
    MA

    OK, the classical way:
    Open a terminal.
    Type
    ifconfig -a
    ifconfig -a plumb
    ifconfig -a
    Note the differences; it will plumb ALL available interfaces this way. So now you can see which device is your network card.
    Then perform a
    ifconfig <interface> unplumb
    for all the new interfaces (aka those that were new in the last ifconfig -a output).
    Then, the simple way:
    cd /etc
    vi hostname.<interface-driver-name>0 (example: hostname.rge0, the driver would be rge, the instance is 0, and rge0 would have been displayed as an available interface in the last ifconfig command). Add the name of the host into this file.
    Then
    vi /etc/inet/hosts
    and add the pair of IP-address and hostname.
    If needed:
    vi /etc/inet/netmasks
    if you have a sub-divided network and you need a different subnet mask...
    Then:
    vi /etc/defaultrouter
    and add the name or IP address of the gateway... (name only if you have that name also in the /etc/inet/hosts file!)
    Also:
    vi /etc/nodename
    and add the name of your host into that file, so that the system knows, who it is... ;-)
    And: For the DNS you can then add the infos into:
    /etc/resolv.conf
    For example:
    nameserver 192.168.2.1
    or some such...
    Then, as the last but one step:
    ls /etc/nsswitch.*
    and:
    cd /etc
    cp nsswitch.<what you need> nsswitch.conf (should be .files here!)
    And the reboot... ;-)
    HTH!
    Matthias
    P.S.: There might be some GUI, but I'm an old-timer, so I prefer the command-line version of things...

  • How to configure Symantec Mail Security for SMTP & Messaging Server 6.3

    Hi!
    I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production - host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message with a relay problem.
    - Could you help me with this issue?
    - Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
    Regards, CR

    ctemp1 wrote:
    I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production - host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message with a relay problem.
    I take it that you have configured the symantec software like this?
    internet -> symantec mail security system -> sun messaging server -> recipient
    A better approach is the following
    internet -> sun messaging server -> recipient
                              |
                             V
                  symantec mail security system
    (refer here: http://blogs.sun.com/factotum/entry/messaging_server_correctly_deploying_the)
    ctemp1 wrote:
    - Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
    There is no documentation specifically for symantec software but we do document how to send emails via the symantec mail security server using the aliasdetourhost channel keyword:
    http://docs.sun.com/app/docs/doc/819-4428/6n6j42615?a=view#bgaqy
    Regards,
    Shane.
