Establishing an IPsec channel between two machines with certificates, transport mode
I want to set up a transport-mode IPsec channel between two machines (A, B) under Linux (kernel 2.6.8.1), using ipsec-tools. A and B use IPv6 addresses, 3ffe:0302:2700::4 and 3ffe:0302:2700::2 respectively.
With the following configuration, no SA can be established.
A's racoon.conf:
path certificate "/etc/certs";
remote 3ffe:0302:2700::2
{
exchange_mode main;
my_identifier asn1dn;
peers_identifier asn1dn;
lifetime time 24 hour;
certificate_type x509 "Acert.pem" "Akey.pem";
peers_certfile x509 "Bcert.pem";
verify_cert on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp1024 ;
}
}
sainfo anonymous
{
pfs_group modp768;
lifetime time 2 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
A's setkey.conf:
flush;
spdflush;
spdadd 3ffe:0302:2700::2 3ffe:0302:2700::4 any -P out ipsec esp/transport//require;
spdadd 3ffe:0302:2700::4 3ffe:0302:2700::2 any -P in ipsec esp/transport//require;
B's configuration files are the corresponding mirror of these.
After running setkey -f /etc/setkey.conf
and racoon -F -f /etc/racoon.conf,
A ping6 B reports that the network is unreachable, and the following appears:
.........
begin Identity Protection mode.
2005-05-14 15:01:59: INFO: respond new phase 1 negotiation: 3ffe:302:2700::4[500]<=>3ffe:302:2700::2[500]
2005-05-14 15:01:59: INFO: begin Identity Protection mode.
2005-05-14 15:02:09: NOTIFY: the packet is retransmitted by 3ffe:302:2700::2[500].
2005-05-14 15:02:19: NOTIFY: the packet is retransmitted by 3ffe:302:2700::2[500].
2005-05-14 15:02:29: NOTIFY: the packet is retransmitted by 3ffe:302:2700::2[500].
2005-05-14 15:02:30: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 3ffe:302:2700::2->3ffe:302:2700::4
2005-05-14 15:02:30: INFO: delete phase 2 handler.
2005-05-14 15:02:39: NOTIFY: the packet is retransmitted by 3ffe:302:2700::2[500].
2005-05-14 15:02:49: NOTIFY: the packet is retransmitted by 3ffe:302:2700::2[500].
2005-05-14 15:02:59: ERROR: phase1 negotiation failed due to time up. 9b702bc9251a0d4e:0000000000000000
2005-05-14 15:02:59: ERROR: phase1 negotiation failed due to time up. 34945a70facfe333
I'm not sure whether this can be posted in this board; I hope someone can help.
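A small checker for the setkey SPD side of this setup, added here as an example and not part of the post or of ipsec-tools. In setkey(8) syntax, `spdadd src dst upperspec -P direction ipsec proto/mode/endpoints/level;` describes one policy, and for a host's own SPD the local address must be the source of every `-P out` policy and the destination of every `-P in` policy; a policy oriented the other way never matches the host's traffic, so no SA is ever requested for it. The script parses the spdadd lines, flags policies whose addresses do not fit their direction, and also checks that tunnel-mode policies carry endpoint addresses and that the level keyword is one setkey knows. The sample configuration and local address are constructed; the sample uses the same address order as A's setkey.conf above so that the checker has something to report.

```python
"""Sanity-check the orientation of spdadd policies in a setkey.conf.

Added example, not code from the post or from ipsec-tools. Only the
'spdadd ... ;' lines are inspected; other setkey directives are ignored.
"""
import ipaddress
import re
import shlex

# Constructed sample: SPD for a host whose own address is 3ffe:0302:2700::4,
# peering with 3ffe:0302:2700::2 in ESP transport mode. The two spdadd lines
# have the addresses in the wrong order for their direction on purpose.
SAMPLE_SETKEY_CONF = """\
flush;
spdflush;
spdadd 3ffe:0302:2700::2 3ffe:0302:2700::4 any -P out ipsec esp/transport//require;
spdadd 3ffe:0302:2700::4 3ffe:0302:2700::2 any -P in ipsec esp/transport//require;
"""

LOCAL_ADDRESS = "3ffe:0302:2700::4"   # constructed: the address of the host whose SPD this is

SPDADD_RE = re.compile(r"^\s*spdadd\s+(.*?)\s*;\s*$")
VALID_LEVELS = {"default", "use", "require", "unique"}


def _to_network(token):
    """Turn a setkey address token ('addr', 'addr/prefix', 'addr[port]') into an ip_network."""
    token = re.sub(r"\[[^\]]*\]$", "", token)          # drop an optional [port] suffix
    return ipaddress.ip_network(token, strict=False)   # a bare host address becomes a /128 or /32


def parse_spdadd(line):
    """Return a dict describing one spdadd line, or None if the line is not an spdadd."""
    m = SPDADD_RE.match(line)
    if m is None:
        return None
    tokens = shlex.split(m.group(1))
    # Expected shape: src dst upperspec -P direction ipsec proto/mode/endpoints/level
    if len(tokens) < 7 or tokens[3] != "-P" or tokens[5] != "ipsec":
        raise ValueError(f"unrecognised spdadd syntax: {line.strip()}")
    parts = tokens[6].split("/")
    parts += [""] * (4 - len(parts))                   # tolerate omitted trailing fields
    proto, mode, endpoints, level = parts[:4]
    return {
        "src": _to_network(tokens[0]),
        "dst": _to_network(tokens[1]),
        "upper": tokens[2],
        "dir": tokens[4],
        "proto": proto,
        "mode": mode,
        "endpoints": endpoints,
        "level": level,
    }


def check_spd(conf_text, local_address):
    """Return a list of (line_no, message) findings for the SPD text."""
    local = ipaddress.ip_address(local_address)
    findings = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        policy = parse_spdadd(line)
        if policy is None:
            continue
        # Orientation: the host's own traffic leaves with local as src and arrives with local as dst.
        if policy["dir"] == "out" and local not in policy["src"]:
            findings.append((no, f"out policy: local address {local} is not in src {policy['src']}"))
        elif policy["dir"] == "in" and local not in policy["dst"]:
            findings.append((no, f"in policy: local address {local} is not in dst {policy['dst']}"))
        # Tunnel mode needs the outer endpoint pair; transport mode leaves it empty.
        if policy["mode"] == "tunnel" and not policy["endpoints"]:
            findings.append((no, "tunnel mode requires src-dst endpoint addresses"))
        if policy["level"] and policy["level"] not in VALID_LEVELS:
            findings.append((no, f"unknown level {policy['level']!r}"))
    return findings


if __name__ == "__main__":
    for no, msg in check_spd(SAMPLE_SETKEY_CONF, LOCAL_ADDRESS):
        print(f"line {no}: {msg}")
```

Run against the sample, the checker reports lines 3 and 4, one for each misoriented policy; once the source and destination of each line are swapped so that the local address is the source of the out policy and the destination of the in policy, it reports nothing. The same check applied to B's file with B's own address as `LOCAL_ADDRESS` covers the other side.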