On a running system that is exchanging, or trying to exchange, IKE packets, you can use the ikeadm command to view statistics, rules, pre-shared keys, and other items. You can also use the log files and tools such as the Wireshark application.
On the following test system, the manual-key service is used for key management:
% svcs -a | grep ipsec
online         Feb_04   svc:/network/ipsec/manual-key:default
online         Feb_04   svc:/network/ipsec/ipsecalgs:default
online         Feb_04   svc:/network/ipsec/policy:default
disabled       Feb_28   svc:/network/ipsec/ike:ikev2
disabled       Feb_28   svc:/network/ipsec/ike:default
If the service is disabled, enable it.
Both IKE services can be used at the same time. Manual keys and IKE can also be used together, but that configuration causes anomalies that are difficult to troubleshoot.
# svcs -xL ikev2
svc:/network/ipsec/ike:ikev2 (IKEv2 daemon)
 State: disabled since October 10, 2013 10:10:40 PM PDT
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: in.ikev2d(1M)
   See: /var/svc/log/network-ipsec-ike:ikev2.log
Impact: This service is not running.
   Log:
Oct 01 13:20:20: (1) Property "debug_level" set to: "op"
Oct 01 13:20:20: (1) Errors and debug messages will be written to: /var/log/ikev2/in.ikev2d.log
[ Oct 10 10:10:10 Method "start" exited with status 0. ]
[ Oct 10 10:10:40 Stopping because service disabled. ]
[ Oct 10 10:10:40 Executing stop method (:kill). ]
Use: 'svcs -Lv svc:/network/ipsec/ike:ikev2' to view the complete log.
# ikeadm set debug verbose /var/log/ikev2/in.ikev2d.log
Successfully changed debug level from 0x80000000 to 0x6204
Debug categories enabled:
        Operational / Errors
        Config file processing
        Interaction with Audit
        Verbose Operational
# ipsecconf
#INDEX 14
...
{ laddr 10.133.66.222 raddr 10.133.64.77 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
...
{ laddr 10.134.66.122 raddr 10.132.55.55 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
# cat /etc/inet/ipsecinit.conf
...
{ laddr 10.133.66.222 raddr 10.133.64.77 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
{ laddr 10.134.66.122 raddr 10.132.55.55 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
If the ipsecconf command displays no output, verify that the policy service is enabled, then refresh the service.
% svcs policy
STATE          STIME    FMRI
online         Apr_10   svc:/network/ipsec/policy:default
If the output shows errors, edit the ipsecinit.conf file to fix them, then refresh the service.
For configuration output that might need to be fixed, see Example 11–1 and Example 11–2. The output in the following example indicates that the configuration is valid.
# /usr/lib/inet/in.ikev2d -c
Feb 04 12:08:25: (1) Reading service properties from smf(5) repository.
Feb 04 12:08:25: (1) Property "config_file" set to: "/etc/inet/ike/ikev2.config"
Feb 04 12:08:25: (1) Property "debug_level" set to: "all"
Feb 04 12:08:25: (1) Warning: debug output being written to stdout.
Feb 04 12:08:25: (1) Checking IKE rule #1: "Test 104 to 113"
Feb 04 12:08:25: (1) Configuration file /etc/inet/ike/ikev2.config is valid.
Feb 04 12:08:25: (1) Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.
In the Checking IKE rule line, verify that the IKE rule connects the appropriate IP addresses. For example, the following entries match: the laddr value from the ipsecinit.conf file matches the local_addr value from the ikev2.config file, and the remote addresses match as well.
{ laddr 10.134.64.104 raddr 10.134.66.113 }                /** ipsecinit.conf **/
    ipsec {encr_algs aes encr_auth_algs sha512 sa shared}
local_addr 10.134.64.104                                   /** ikev2.config **/
remote_addr 10.134.66.113                                  /** ikev2.config **/
If the entries do not correspond, fix the configuration so that it identifies the correct IP addresses.
If the Pre-shared key file line indicates that the file is not valid, fix the file.
Look for typographical errors. Also, in IKEv2, check whether the label value of the rule in ikev2.config matches the label value in the ikev2.preshared file. Then, if you are using two keys, verify that the local pre-shared key on one system matches the remote pre-shared key on its peer, and that the remote key matches the local key on the peer.
If the configuration still does not work, see Troubleshooting IPsec and IKE Semantic Errors.
In the following output, the lifetime of the IKE SA is too short.
# /usr/lib/inet/in.ikev2d -c
...
May 08 08:52:49: (1) WARNING: Problem in rule "Test 104 to 113"
May 08 08:52:49: (1)   HARD lifetime too small (60 < 100)
May 08 08:52:49: (1)   -> Using 100 seconds (minimum)
May 08 08:52:49: (1) Checking IKE rule #1: "config 10.134.13.113 to 10.134.13.104"
...
The value was set explicitly in the ikev2.config file. To remove the warning, change the lifetime value to at least 100, then refresh the service.
# pfedit /etc/inet/ike/ikev2.config
...
## childsa_lifetime_secs 60
childsa_lifetime_secs 100
...
# /usr/lib/inet/in.ikev2d -c
...
# svcadm refresh ikev2
Example 11-2 Fixing a No Matching Rule Message
In the following output, a pre-shared key is defined but is not used by any rule.
# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1) Reading service properties from smf(5) repository.
Feb 4 12:58:31: (1) Property "config_file" set to: "/etc/inet/ike/ikev2.config"
Feb 4 12:58:31: (1) Property "debug_level" set to: "op"
Feb 4 12:58:31: (1) Warning: debug output being written to stdout.
Feb 4 12:58:31: (1) Checking IKE rule #1: "Test 104 to 113"
Feb 4 12:58:31: (1) Configuration file /etc/inet/ike/ikev2.config is valid.
Feb 4 12:58:31: (1) No matching IKEv2 rule for pre-shared key ending on line 12
Feb 4 12:58:31: (1) Pre-shared key file /etc/inet/ike/ikev2.preshared is valid.
If the rule requires a pre-shared key, the label of the pre-shared key does not match the label of the rule. Fix the ikev2.config rule label and the ikev2.preshared key label so that they match.
If the rule uses certificates, you can delete or comment out the pre-shared key that ends on line 12 of the ikev2.preshared file to prevent the No matching message.
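The three checks described above (policy addresses against IKEv2 rule addresses, pre-shared key labels against rule labels, and the 100 second minimum for the child SA lifetime) can be run offline before the service is refreshed. The script below is an added example, not code from the Oracle Solaris documentation or from in.ikev2d. It uses a simplified brace-and-keyword form of the three files; the sample file contents are constructed, and the keywords auth_method, key and the quoting rules are assumptions, not taken from the page.

```python
"""Cross-check ipsecinit.conf, ikev2.config and ikev2.preshared.

Added example (not the product's own code). The files below are constructed
samples in a simplified form of the real syntax: each rule or key is a
{ ... } block of keyword/value pairs, with quoted values allowed. Only the
keywords shown on the page (laddr, raddr, local_addr, remote_addr, label,
childsa_lifetime_secs) are taken from it; auth_method and key are assumed.
"""
import re

# Constructed sample: two IPsec policy entries.
IPSECINIT_CONF = """
{ laddr 10.134.64.104 raddr 10.134.66.113 } ipsec { encr_algs aes encr_auth_algs sha512 sa shared }
{ laddr 10.134.66.122 raddr 10.132.55.55 } ipsec { encr_algs aes(256) encr_auth_algs sha512 sa shared }
"""

# Constructed sample: rule 1 has a too-short lifetime, rule 2 has a
# remote_addr that does not match the second policy entry (55.50 vs 55.55).
IKEV2_CONFIG = """
{
    label "Test 104 to 113"
    auth_method preshared
    local_addr 10.134.64.104
    remote_addr 10.134.66.113
    childsa_lifetime_secs 60
}
{
    label "config 122 to 55"
    auth_method cert
    local_addr 10.134.66.122
    remote_addr 10.132.55.50
}
"""

# Constructed sample: the second key's label matches no rule.
IKEV2_PRESHARED = """
{
    label "Test 104 to 113"
    key 0x0123456789abcdef
}
{
    label "old-peer"
    key 0xdeadbeef
}
"""

MIN_LIFETIME = 100  # minimum that in.ikev2d enforces, per the warning on the page


def parse_policy(text):
    """Return (laddr, raddr) pairs from ipsecinit.conf-style policy entries."""
    return re.findall(r"\{\s*laddr\s+(\S+)\s+raddr\s+(\S+)\s*\}", text)


def parse_blocks(text):
    """Return one dict per { ... } block of keyword/value pairs.

    Double-quoted values keep their inner spaces; the quotes are stripped.
    """
    blocks = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        tokens = re.findall(r'"[^"]*"|\S+', body)
        blocks.append({k: v.strip('"') for k, v in zip(tokens[0::2], tokens[1::2])})
    return blocks


def check(policy_text, ike_text, psk_text):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    rules = parse_blocks(ike_text)
    keys = parse_blocks(psk_text)

    # 1. Every policy laddr/raddr pair needs an IKEv2 rule with the same endpoints.
    rule_pairs = {(r.get("local_addr"), r.get("remote_addr")) for r in rules}
    for laddr, raddr in parse_policy(policy_text):
        if (laddr, raddr) not in rule_pairs:
            problems.append(f"no IKEv2 rule for laddr {laddr} raddr {raddr}")

    # 2. Labels: a key with no rule produces the "No matching" message; a
    #    preshared rule with no key cannot authenticate at all.
    rule_labels = {r.get("label") for r in rules}
    key_labels = {k.get("label") for k in keys}
    for label in sorted(key_labels - rule_labels):
        problems.append(f'No matching IKEv2 rule for pre-shared key "{label}"')
    for r in rules:
        if r.get("auth_method") == "preshared" and r.get("label") not in key_labels:
            problems.append(f'rule "{r["label"]}" uses preshared auth but has no key')

    # 3. Lifetime below the daemon's minimum triggers the HARD lifetime warning.
    for r in rules:
        life = r.get("childsa_lifetime_secs")
        if life is not None and int(life) < MIN_LIFETIME:
            problems.append(f'rule "{r["label"]}": HARD lifetime too small ({life} < {MIN_LIFETIME})')
    return problems


if __name__ == "__main__":
    for line in check(IPSECINIT_CONF, IKEV2_CONFIG, IKEV2_PRESHARED) or ["configuration consistent"]:
        print(line)
```

Running the script against the constructed samples reports the address mismatch for the second policy entry, the unused "old-peer" key, and the 60 second lifetime; correcting those three items (or removing the unused key when the rule uses certificates, as the text says) makes check() return an empty list.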
In the following output, the debug output is set to all in the ikev2 service.
# /usr/lib/inet/in.ikev2d -c
Feb 4 12:58:31: (1) Reading service properties from smf(5) repository.
...
Feb 4 12:58:31: (1) Property "debug_level" set to: "all"
...
If you completed Step 2 of How to Troubleshoot Systems Before IPsec and IKE Are Running and the debug output is still op rather than all, use the ikeadm command to set the debug level on the running IKE daemon.
# ikeadm set debug_level all