CONFIG:config setup protostack=netkey plutodebug="all" plutos

1. CONFIG:
2.  
3. config setup
4. protostack=netkey
5. plutodebug="all"
6. plutostderrlog=/var/log/pluto.log
7. dumpdir=/var/run/pluto/
8. nat_traversal=yes
9. virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
10. uniqueids=yes
11.  
12. conn routers-12
13. type=tunnel
14. left=69.x.x.x
15. leftsubnet=192.168.55.0/24
16. leftnexthop=%defaultroute
17. leftsourceip=192.168.55.254
18. leftid=@router1
19. right=%any <-- Have also tried IP of client, same result
20. rightsubnet=192.168.22.0/24
21. rightid=@router2
22. forceencaps=yes
23. nat_keepalive=yes
24. dpddelay=30
25. dpdtimeout=120
26. dpdaction=clear
27. authby=secret
28. #aggrmode=yes
29. #ike=3des-sha1-modp1536
30. #ikev2=insist
31.  
32. conn routers-13
33. type=tunnel
34. left=69.x.x.x
35. leftsubnet=192.168.55.0/24
36. leftnexthop=%defaultroute
37. leftsourceip=192.168.55.254
38. leftid=@router1
39. right=%any <-- Have also tried IP of client, same result
40. rightsubnet=192.168.33.0/24
41. rightid=@router3
42. forceencaps=yes
43. nat_keepalive=yes
44. dpddelay=30
45. dpdtimeout=120
46. dpdaction=clear
47. authby=secret
48. #aggrmode=yes
49. #ike=3des-sha1-modp1536
50. #ikev2=insist
51.  
52. FULL EXAMPLE using IKEv2:
53.  
54. root@server:~# ipsec start
55. Redirecting to: start ipsec
56. ipsec start/running, process 1834
57. root@server:~# tail: `/var/log/pluto.log' has appeared; following end of new file
58.  
59. ==> /var/log/pluto.log <==
60. nss directory plutomain: /etc/ipsec.d
61.  
62. ==> /var/log/pluto.log <==
63. NSS Initialized
64. FIPS integrity support [disabled]
65. libcap-ng support [enabled]
66. Linux audit support [disabled]
67. Starting Pluto (Libreswan Version 3.5; Vendor ID OEN_RhPPH{d^) pid:1897
68. FIPS: could not open /proc/sys/crypto/fips_enabled
69. FIPS: could not open /proc/sys/crypto/fips_enabled
70. ERROR: FIPS detection failed, Pluto running in non-FIPS mode
71. core dump dir: /var/run/pluto/
72. secrets file: /etc/ipsec.secrets
73. LEAK_DETECTIVE support [disabled]
74. OCF support for IKE [disabled]
75. SAref support [disabled]: Protocol not available
76. SAbind support [disabled]: Protocol not available
77. NSS crypto [enabled]
78. XAUTH PAM support [enabled]
79. HAVE_STATSD notification support [disabled]
80. Setting NAT-Traversal port-4500 floating to on
81. port floating activation criteria nat_t=1/port_float=1
82. NAT-Traversal support [enabled]
83. | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
84. | event added at head of queue
85. | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
86. | event added at head of queue
87. | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
88. | event added after event EVENT_PENDING_DDNS
89. ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
90. ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
91. ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
92. ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
93. starting up 7 cryptographic helpers
94. started helper (thread) pid=-1234822336 (fd:7)
95. started helper (thread) pid=-1244660928 (fd:9)
96. | status value returned by setting the priority of this thread (id=0) 22
97. | helper 0 waiting on fd: 8
98. started helper (thread) pid=-1255146688 (fd:11)
99. | status value returned by setting the priority of this thread (id=1) 22
100. | helper 1 waiting on fd: 10
101. started helper (thread) pid=-1265632448 (fd:14)
102. | status value returned by setting the priority of this thread (id=3) 22
103. | helper 3 waiting on fd: 15
104. started helper (thread) pid=-1276118208 (fd:16)
105. | status value returned by setting the priority of this thread (id=2) 22
106. | helper 2 waiting on fd: 13
107. started helper (thread) pid=-1286603968 (fd:18)
108. | status value returned by setting the priority of this thread (id=4) 22
109. | helper 4 waiting on fd: 17
110. | status value returned by setting the priority of this thread (id=5) 22
111. | helper 5 waiting on fd: 19
112. | status value returned by setting the priority of this thread (id=6) 22
113. | helper 6 waiting on fd: 21
114. started helper (thread) pid=-1297089728 (fd:20)
115. Using Linux XFRM/NETKEY IPsec interface code on 3.9.3-x86-linode52
116. | process 1897 listening for PF_KEY_V2 on file descriptor 24
117. | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
118. | 02 07 00 02 02 00 00 00 01 00 00 00 69 07 00 00
119. | pfkey_get: K_SADB_REGISTER message 1
120. | AH registered with kernel.
121. | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
122. | 02 07 00 03 02 00 00 00 02 00 00 00 69 07 00 00
123. | pfkey_get: K_SADB_REGISTER message 2
124. | alg_init():memset(0xb7749320, 0, 2048) memset(0xb7749b20, 0, 2048)
125. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
126. | kernel_alg_add():satype=3, exttype=14, alg_id=251
127. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
128. | kernel_alg_add():satype=3, exttype=14, alg_id=2
129. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
130. | kernel_alg_add():satype=3, exttype=14, alg_id=3
131. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
132. | kernel_alg_add():satype=3, exttype=14, alg_id=5
133. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
134. | kernel_alg_add():satype=3, exttype=14, alg_id=6
135. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
136. | kernel_alg_add():satype=3, exttype=14, alg_id=7
137. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
138. | kernel_alg_add():satype=3, exttype=14, alg_id=8
139. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
140. | kernel_alg_add():satype=3, exttype=14, alg_id=9
141. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
142. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
143. | kernel_alg_add():satype=3, exttype=15, alg_id=11
144. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
145. | kernel_alg_add():satype=3, exttype=15, alg_id=2
146. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
147. | kernel_alg_add():satype=3, exttype=15, alg_id=3
148. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
149. | kernel_alg_add():satype=3, exttype=15, alg_id=6
150. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
151. | kernel_alg_add():satype=3, exttype=15, alg_id=7
152. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
153. | kernel_alg_add():satype=3, exttype=15, alg_id=12
154. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
155. | kernel_alg_add():satype=3, exttype=15, alg_id=252
156. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
157. | kernel_alg_add():satype=3, exttype=15, alg_id=22
158. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
159. | kernel_alg_add():satype=3, exttype=15, alg_id=253
160. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
161. | kernel_alg_add():satype=3, exttype=15, alg_id=13
162. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
163. | kernel_alg_add():satype=3, exttype=15, alg_id=18
164. | kernel_alg_add():satype=3, exttype=15, alg_id=19
165. | kernel_alg_add():satype=3, exttype=15, alg_id=20
166. | kernel_alg_add():satype=3, exttype=15, alg_id=14
167. | kernel_alg_add():satype=3, exttype=15, alg_id=15
168. | kernel_alg_add():satype=3, exttype=15, alg_id=16
169. ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
170. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
171. ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
172. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
173. ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
174. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
175. ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
176. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
177. ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
178. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
179. ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
180. | ESP registered with kernel.
181. | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
182. | 02 07 00 09 02 00 00 00 03 00 00 00 69 07 00 00
183. | pfkey_get: K_SADB_REGISTER message 3
184. | IPCOMP registered with kernel.
185. | Changed path to directory '/etc/ipsec.d/cacerts'
186. | Changing to directory '/etc/ipsec.d/crls'
187. | inserting event EVENT_LOG_DAILY, timeout in 61577 seconds
188. | event added after event EVENT_REINIT_SECRET
189. listening for IKE messages
190. | Inspecting interface lo
191. | found lo with address 127.0.0.1
192. | Inspecting interface eth0
193. | found eth0 with address 69.x.x.x
194. | Inspecting interface eth0:1
195. | found eth0:1 with address 192.168.55.254
196. | NAT-Traversal: Trying new style NAT-T
197. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
198. | NAT-Traversal: Trying old style NAT-T
199. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
200. adding interface eth0:1/eth0:1 192.168.55.254:500
201. | NAT-Traversal: Trying new style NAT-T
202. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
203. | NAT-Traversal: Trying old style NAT-T
204. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
205. adding interface eth0:1/eth0:1 192.168.55.254:4500
206. | NAT-Traversal: Trying new style NAT-T
207. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
208. | NAT-Traversal: Trying old style NAT-T
209. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
210. adding interface eth0/eth0 69.x.x.x:500
211. | NAT-Traversal: Trying new style NAT-T
212. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
213. | NAT-Traversal: Trying old style NAT-T
214. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
215. adding interface eth0/eth0 69.x.x.x:4500
216. | NAT-Traversal: Trying new style NAT-T
217. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
218. | NAT-Traversal: Trying old style NAT-T
219. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
220. adding interface lo/lo 127.0.0.1:500
221. | NAT-Traversal: Trying new style NAT-T
222. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
223. | NAT-Traversal: Trying old style NAT-T
224. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
225. adding interface lo/lo 127.0.0.1:4500
226. | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
227. | found he-ipv6 with address 2001:0470:1f0e:0ec4:0000:0000:0000:0002
228. | found eth0 with address 2600:3c03:0000:0000:f03c:91ff:fedf:db97
229. adding interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97:500
230. adding interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2:500
231. adding interface lo/lo ::1:500
232. | certs and keys locked by 'free_preshared_secrets'
233. | certs and keys unlocked by 'free_preshard_secrets'
234. loading secrets from "/etc/ipsec.secrets"
235. loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
236. | id type added to secret(0xb8be2d48) PPK_PSK: @router1
237. | id type added to secret(0xb8be2d48) PPK_PSK: @router4
238. | Processing PSK at line 2: passed
239. | certs and keys locked by 'process_secret'
240. | certs and keys unlocked by 'process_secret'
241. | id type added to secret(0xb8be2e58) PPK_PSK: @router1
242. | id type added to secret(0xb8be2e58) PPK_PSK: @router2
243. | Processing PSK at line 3: passed
244. | certs and keys locked by 'process_secret'
245. | certs and keys unlocked by 'process_secret'
246. | id type added to secret(0xb8be7088) PPK_PSK: @router1
247. | id type added to secret(0xb8be7088) PPK_PSK: @router3
248. | Processing PSK at line 3: passed
249. | certs and keys locked by 'process_secret'
250. | certs and keys unlocked by 'process_secret'
251. | next event EVENT_PENDING_DDNS in 60 seconds
252.  
253. ==> /var/log/pluto.log <==
254. | calling addconn helper using execve
255. | next event EVENT_PENDING_DDNS in 59 seconds
256. | reaped addconn helper child
257.  
258. root@server:~# ls -ltrh /var/log/pluto.log
259. -rw-r--r-- 1 root root 12K Aug 4 06:53 /var/log/pluto.log
260. root@server:~# ipsec verify
261. Verifying installed system and configuration files
262.  
263. Version check and ipsec on-path [OK]
264. Libreswan 3.5 (netkey) on 3.9.3-x86-linode52
265. Checking for IPsec support in kernel [OK]
266. NETKEY: Testing XFRM related proc values
267. ICMP default/send_redirects [OK]
268. ICMP default/accept_redirects [OK]
269. XFRM larval drop [OK]
270. Pluto ipsec.conf syntax [OK]
271. Hardware random device [N/A]
272. Two or more interfaces found, checking IP forwarding [FAILED]
273. Checking rp_filter [ENABLED]
274. /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
275. /proc/sys/net/ipv4/conf/he-ipv6/rp_filter [ENABLED]
276. /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
277. rp_filter is not fully aware of IPsec and should be disabled
278. Checking that pluto is running [OK]
279. Pluto listening for IKE on udp 500 [OK]
280. Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
281. Pluto listening for IKE/NAT-T on udp 4500 [OK]
282. Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
283. Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
284. |
285. | *received whack message
286. | certs and keys locked by 'free_preshared_secrets'
287. forgetting secrets
288. | certs and keys unlocked by 'free_preshard_secrets'
289. loading secrets from "/etc/ipsec.secrets"
290. loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
291. | id type added to secret(0xb8be2d48) PPK_PSK: @router1
292. | id type added to secret(0xb8be2d48) PPK_PSK: @router4
293. | Processing PSK at line 2: passed
294. | certs and keys locked by 'process_secret'
295. | certs and keys unlocked by 'process_secret'
296. | id type added to secret(0xb8be2e58) PPK_PSK: @router1
297. | id type added to secret(0xb8be2e58) PPK_PSK: @router2
298. | Processing PSK at line 3: passed
299. | certs and keys locked by 'process_secret'
300. | certs and keys unlocked by 'process_secret'
301. | id type added to secret(0xb8be7088) PPK_PSK: @router1
302. | id type added to secret(0xb8be7088) PPK_PSK: @router3
303. | Processing PSK at line 3: passed
304. | certs and keys locked by 'process_secret'
305. | certs and keys unlocked by 'process_secret'
306. | * processed 0 messages from cryptographic helpers
307. | next event EVENT_PENDING_DDNS in 47 seconds
308. | next event EVENT_PENDING_DDNS in 47 seconds
309. Pluto ipsec.secret syntax [OK]
310. Checking NAT and MASQUERADEing [TEST INCOMPLETE]
311. Checking 'ip' command [OK]
312. Checking 'iptables' command [OK]
313. Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
314. Opportunistic Encryption [DISABLED]
315.  
316. ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
317. root@server:~#
318. root@server:~#
319. root@server:~# ipsec addconn routers-13
320. |
321. | *received whack message
322. | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:none
323. | Added new connection routers-13 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
324. | counting wild cards for @router1 is 0
325. | counting wild cards for @router3 is 0
326. | based upon policy, the connection is a template.
327. | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:none
328. added connection description "routers-13"
329. 002 added connection description "routers-13"
330. | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24
331. | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
332. | * processed 0 messages from cryptographic helpers
333. | next event EVENT_PENDING_DDNS in 37 seconds
334. | next event EVENT_PENDING_DDNS in 37 seconds
335. root@server:~# ipsec addconn routers-12
336. |
337. | *received whack message
338. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
339. | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:routers-13
340. | Added new connection routers-12 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
341. | counting wild cards for @router1 is 0
342. | counting wild cards for @router2 is 0
343. | based upon policy, the connection is a template.
344. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
345. | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:routers-13
346. added connection description "routers-12"
347. 002 added connection description "routers-12"
348. | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24
349. | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
350. | * processed 0 messages from cryptographic helpers
351. | next event EVENT_PENDING_DDNS in 36 seconds
352. | next event EVENT_PENDING_DDNS in 36 seconds
353. root@server:~#
354. root@server:~# ipsec status
355. |
356. | *received whack message
357. SElinux: could not open /sys/fs/selinux/enforce
358. FIPS: could not open /proc/sys/crypto/fips_enabled
359. 000 using kernel interface: netkey
360. 000 interface lo/lo ::1
361. 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
362. 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
363. 000 interface lo/lo 127.0.0.1
364. 000 interface lo/lo 127.0.0.1
365. 000 interface eth0/eth0 69.x.x.x
366. 000 interface eth0/eth0 69.x.x.x
367. 000 interface eth0:1/eth0:1 192.168.55.254
368. 000 interface eth0:1/eth0:1 192.168.55.254
369. 000
370. 000 FIPS=error(disabled)
371. 000 SElinux=indeterminate
372. 000
373. 000 config setup options:
374. 000
375. 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
376. | * processed 0 messages from cryptographic helpers
377. 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
378. 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
379. 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
380. | next event EVENT_PENDING_DDNS in 33 seconds
381. 000 secctx_attr_value=<unsupported>
382. | next event EVENT_PENDING_DDNS in 33 seconds
383. 000 %myid = (none)
384. 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
385. 000
386. 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
387. 000 virtual_private (%priv):
388. 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
389. 000 - disallowed 0 subnets:
390. 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
391. 000 private address space in internal use, it should be excluded!
392. 000
393. 000 ESP algorithms supported:
394. 000
395. 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
396. 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
397. 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
398. 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
399. 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
400. 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
401. 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
402. 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
403. 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
404. 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
405. 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
406. 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
407. 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
408. 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
409. 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
410. 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
411. 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
412. 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
413. 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
414. 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
415. 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
416. 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
417. 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
418. 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
419. 000
420. 000 IKE algorithms supported:
421. 000
422. 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
423. 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
424. 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
425. 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
426. 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
427. 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
428. 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
429. 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
430. 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
431. 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
432. 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
433. 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
434. 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
435. 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
436. 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
437. 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
438. 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
439. 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
440. 000
441. 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
442. 000
443. 000 Connection list:
444. 000
445. 000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
446. 000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
447. 000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
448. 000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
449. 000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
450. 000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
451. 000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
452. 000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
453. 000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
454. 000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
455. 000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
456. 000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
457. 000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
458. 000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
459. 000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
460. 000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
461. 000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
462. 000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
463. 000
464. 000 Total IPsec connections: loaded 2, active 0
465. 000
466. 000 State list:
467. 000
468. 000 Shunt list:
469. 000
470. root@server:~# |
471. | *received 836 bytes from 2.x.x.x:4497 on eth0 (port=500)
472. | 0e 4d 0f 13 eb 45 5d 5d 00 00 00 00 00 00 00 00
473. | 21 20 22 08 00 00 00 00 00 00 03 44 22 00 01 fc
474. | 02 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c
475. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
476. | 02 00 00 02 00 00 00 08 04 00 00 0e 02 00 00 2c
477. | 02 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
478. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
479. | 00 00 00 08 04 00 00 0e 02 00 00 28 03 01 00 04
480. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
481. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0e
482. | 02 00 00 28 04 01 00 04 03 00 00 08 01 00 00 03
483. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
484. | 00 00 00 08 04 00 00 0e 02 00 00 2c 05 01 00 04
485. | 03 00 00 0c 01 00 00 0c 80 0e 00 80 03 00 00 08
486. | 03 00 00 02 03 00 00 08 02 00 00 02 00 00 00 08
487. | 04 00 00 05 02 00 00 2c 06 01 00 04 03 00 00 0c
488. | 01 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 01
489. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
490. | 02 00 00 28 07 01 00 04 03 00 00 08 01 00 00 03
491. | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
492. | 00 00 00 08 04 00 00 05 02 00 00 28 08 01 00 04
493. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 01
494. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
495. | 02 00 00 2c 09 01 00 04 03 00 00 0c 01 00 00 0c
496. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
497. | 02 00 00 02 00 00 00 08 04 00 00 02 02 00 00 2c
498.  
499.  
500. ==> /var/log/pluto.log <==
501. | 0a 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
502. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
503. | 00 00 00 08 04 00 00 02 02 00 00 28 0b 01 00 04
504. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
505. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 02
506. | 00 00 00 28 0c 01 00 04 03 00 00 08 01 00 00 03
507. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
508. | 00 00 00 08 04 00 00 02 28 00 01 08 00 0e 00 00
509. | 31 0d 41 e1 d8 e6 7d 24 50 ba 39 6a 00 5f 31 f8
510. | c0 90 24 d0 09 02 f1 16 cc 0a fa f7 4c 5a f3 e1
511. | a3 f0 15 70 3c dc 74 08 5d f6 c7 79 ef 64 e9 51
512. | f4 e4 3a 2d e8 8a 0e 5f 77 a3 6d 12 0f 2a 82 15
513. | c5 6f c6 c9 fe 66 c0 4d d7 c6 03 bb af 2e 3f e0
514. | 75 bc ae d3 e6 b7 99 7b f4 c7 9b 58 82 da 60 7f
515. | ca d0 01 74 2d f2 5c 24 b7 d0 8c 8e e5 5c ea 63
516. | 95 d9 0e b9 54 72 4d eb 0d 0f 1e 48 fd 1b cd 40
517. | 5e 3d 8f 50 98 6b c4 e8 ec 6a d9 46 3a 45 ea 65
518. | df a6 ec 13 75 73 e8 d3 e0 15 7b 93 b6 71 d7 c2
519. | b4 d9 f4 9e bf ed 72 28 df 2d 54 92 5b 39 a2 e3
520. | 3b d2 41 72 13 61 b0 15 55 12 b1 a0 d1 91 17 b9
521. | 90 8e e3 85 6d 3a 24 28 84 b3 18 ad 63 6e 50 e7
522. | c3 53 23 f6 7b 37 f6 f5 14 2c b8 92 3b 34 e5 9c
523. | 6d d0 13 58 d5 51 39 4d 77 40 b9 81 4c ae 2a 18
524. | 07 89 a7 10 37 c2 80 f9 e0 55 b1 23 fb bd 74 e2
525. | 2b 00 00 14 7f 6c 92 5f cd 34 8c eb 41 67 14 bc
526. | f7 74 19 f3 00 00 00 10 4f 45 4e 5f 52 68 50 50
527. | 48 7b 64 5e
528. | **parse ISAKMP Message:
529. | initiator cookie:
530. | 0e 4d 0f 13 eb 45 5d 5d
531. | responder cookie:
532. | 00 00 00 00 00 00 00 00
533. | next payload type: ISAKMP_NEXT_v2SA
534. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
535. | exchange type: ISAKMP_v2_SA_INIT
536. | flags: ISAKMP_FLAG_INIT
537. | message ID: 00 00 00 00
538. | length: 836
539. | processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
540. | I am IKE SA Responder
541. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
542. | RCOOKIE: 00 00 00 00 00 00 00 00
543. | state hash entry 5
544. | v2 state object not found
545. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
546. | RCOOKIE: 00 00 00 00 00 00 00 00
547. | state hash entry 5
548. | v2 state object not found
549. | Now lets proceed with payload (ISAKMP_NEXT_v2SA)
550. | ***parse IKEv2 Security Association Payload:
551. | next payload type: ISAKMP_NEXT_v2KE
552. | critical bit: none
553. | length: 508
554. | processing payload: ISAKMP_NEXT_v2SA (len=508)
555. | Now lets proceed with payload (ISAKMP_NEXT_v2KE)
556. | ***parse IKEv2 Key Exchange Payload:
557. | next payload type: ISAKMP_NEXT_v2Ni
558. | critical bit: none
559. | length: 264
560. | transform type: 14
561. | processing payload: ISAKMP_NEXT_v2KE (len=264)
562. | Now lets proceed with payload (ISAKMP_NEXT_v2Ni)
563. | ***parse IKEv2 Nonce Payload:
564. | next payload type: ISAKMP_NEXT_v2V
565. | critical bit: none
566. | length: 20
567. | processing payload: ISAKMP_NEXT_v2Ni (len=20)
568. | Now lets proceed with payload (ISAKMP_NEXT_v2V)
569. | ***parse IKEv2 Vendor ID Payload:
570. | next payload type: ISAKMP_NEXT_NONE
571. | critical bit: none
572. | length: 16
573. | processing payload: ISAKMP_NEXT_v2V (len=16)
574. | Finished and now at the end of ikev2_process_payload
575. | Finished processing ikev2_process_payloads
576. | Now lets proceed with state specific processing
577. | find_host_connection2 called from ikev2parent_inI1outR1, me=69.x.x.x:500 him=2.x.x.x:4497 policy=IKEv2ALLOW
578. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
579. | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 2.x.x.x:4497 -> hp:none
580. | searching for connection with policy = IKEv2ALLOW
581. | find_host_connection2 returns empty
582. | find_host_connection2 called from ikev2parent_inI1outR1, me=69.x.x.x:500 him=%any:4497 policy=IKEv2ALLOW
583. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
584. | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 %any:4497 -> hp:routers-12
585. | searching for connection with policy = IKEv2ALLOW
586. | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG (routers-12)
587. | find_host_connection2 returns routers-12
588. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
589. | connect_to_host_pair: 69.x.x.x:500 2.x.x.x:500 -> hp:none
590. | instantiated "routers-12" for 2.x.x.x
591. | found connection: routers-12
592. | creating state object #1 at 0xb8be8720
593. | processing connection routers-12[1] 2.x.x.x
594. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
595. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
596. | state hash entry 22
597. | inserting state object #1
598. | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
599. | event added at head of queue
600. | processing connection routers-12[1] 2.x.x.x
601. | will not send/process a dcookie
602. | 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
603. | asking helper 1 to do build_kenonce op on seq: 1 (len=2680, pcw_work=1)
604. | crypto helper write of request: cnt=2680<wlen=2680.
605. | deleting event for #1
606. | helper 1 read 2676+4/2680 bytes fd: 10
607. | helper 1 doing build_kenonce op id: 1
608. | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
609. | event added after event EVENT_PENDING_PHASE2
610. | complete v2 state transition with STF_SUSPEND
611. | * processed 0 messages from cryptographic helpers
612. | next event EVENT_PENDING_DDNS in 13 seconds
613. | next event EVENT_PENDING_DDNS in 13 seconds
614. | NSS: Value of Prime:
615. | ff ff ff ff ff ff ff ff c9 0f da a2 21 68 c2 34
616. | c4 c6 62 8b 80 dc 1c d1 29 02 4e 08 8a 67 cc 74
617. | 02 0b be a6 3b 13 9b 22 51 4a 08 79 8e 34 04 dd
618. | ef 95 19 b3 cd 3a 43 1b 30 2b 0a 6d f2 5f 14 37
619. | 4f e1 35 6d 6d 51 c2 45 e4 85 b5 76 62 5e 7e c6
620. | f4 4c 42 e9 a6 37 ed 6b 0b ff 5c b6 f4 06 b7 ed
621. | ee 38 6b fb 5a 89 9f a5 ae 9f 24 11 7c 4b 1f e6
622. | 49 28 66 51 ec e4 5b 3d c2 00 7c b8 a1 63 bf 05
623. | 98 da 48 36 1c 55 d3 9a 69 16 3f a8 fd 24 cf 5f
624. | 83 65 5d 23 dc a3 ad 96 1c 62 f3 56 20 85 52 bb
625. | 9e d5 29 07 70 96 96 6d 67 0c 35 4e 4a bc 98 04
626. | f1 74 6c 08 ca 18 21 7c 32 90 5e 46 2e 36 ce 3b
627. | e3 9e 77 2c 18 0e 86 03 9b 27 83 a2 ec 07 a2 8f
628. | b5 c5 5d f0 6f 4c 52 c9 de 2b cb f6 95 58 17 18
629. | 39 95 49 7c ea 95 6a e5 15 d2 26 18 98 fa 05 10
630. | 15 72 8e 5a 8a ac aa 68 ff ff ff ff ff ff ff ff
631. | NSS: Value of base:
632. | 02
633. | NSS: generated dh priv and pub keys: 256
634. | NSS: Local DH secret (pointer):
635. | 40 48 30 b5
636. | NSS: Public DH value sent(computed in NSS):
637. | dc df 8d fa 25 69 0b 45 02 91 81 9b 2f 11 94 6f
638. | 2a 59 67 62 f3 12 df 90 3b 85 86 1f 70 10 e5 eb
639. | 55 af 45 29 db f1 5c 56 d2 7e 0b 6e 94 8d ce 8b
640. | 5b 32 91 99 6c c5 80 55 8d aa 23 a0 8c 06 93 57
641. | d0 2e 6e 34 92 e0 1d 21 45 74 f7 e3 99 af 7a 6e
642. | 93 3b 95 44 12 0e 8b 81 00 26 9b a5 b3 d2 15 63
643. | 19 66 35 32 87 cc 8f 68 61 be 74 dd e0 d3 ac 8a
644. | 7c 02 74 33 ac d5 97 41 bc e7 f3 cc a1 c5 0b 8c
645. | 47 fa 67 44 f4 5f 0f 05 38 88 7b fa 8b 82 df b1
646. | e1 79 b0 2c 33 c7 3f 51 70 e3 86 b1 1f 04 c1 88
647. | 52 37 b3 90 87 bb 4f d2 5b 24 ea d5 b4 8b 93 69
648. | cd 52 ea e4 24 af 1e 9d a8 96 ee 11 d5 87 f2 4b
649. | 84 0a 2f 84 1c e4 bf dc 8f 0e f0 26 a0 02 a4 7d
650. | 76 d6 90 1c f6 47 43 9c bd 8a 10 39 5b 29 c9 db
651. | af 39 a1 22 16 f4 30 85 7b e9 81 7d 12 90 27 c6
652. | 2f ee 51 b3 6f bf 84 fc 54 7d c9 c9 1b 6a 09 9a
653. | NSS: Local DH public value (pointer):
654. | 38 40 30 b5
655. | Generated nonce:
656. | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
657. |
658. | helper 1 has finished work (cnt now 1)
659. | helper 1 replies to id: q#1
660. | calling callback function 0xb7660200
661. | ikev2 parent inI1outR1: calculated ke+nonce, sending R1
662. | processing connection routers-12[1] 2.x.x.x
663. | **emit ISAKMP Message:
664. | initiator cookie:
665. | 0e 4d 0f 13 eb 45 5d 5d
666. | responder cookie:
667. | 14 ca ca 1e f4 0f ab ef
668. | next payload type: ISAKMP_NEXT_v2SA
669. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
670. | exchange type: ISAKMP_v2_SA_INIT
671. | flags: ISAKMP_FLAG_RESPONSE
672. | message ID: 00 00 00 00
673. | ***emit IKEv2 Security Association Payload:
674. | next payload type: ISAKMP_NEXT_v2KE
675. | critical bit: none
676. | no IKE algorithms for this connection
677. | ****parse IKEv2 Proposal Substructure Payload:
678. | next payload type: ISAKMP_NEXT_P
679. | length: 44
680. | prop #: 1
681. | proto ID: 1
682. | spi size: 0
683. | # transforms: 4
684. | *****parse IKEv2 Transform Substructure Payload:
685.  
686.  
687. ==> /var/log/pluto.log <==
688. | next payload type: ISAKMP_NEXT_T
689. | length: 12
690. | transform type: 1
691. | transform ID: 12
692. | ******parse IKEv2 Attribute Substructure Payload:
693. | af+type: KEY_LENGTH
694. | length/value: 128
695. | *****parse IKEv2 Transform Substructure Payload:
696. | next payload type: ISAKMP_NEXT_T
697. | length: 8
698. | transform type: 3
699. | transform ID: 2
700. | *****parse IKEv2 Transform Substructure Payload:
701. | next payload type: ISAKMP_NEXT_T
702. | length: 8
703. | transform type: 2
704. | transform ID: 2
705. | *****parse IKEv2 Transform Substructure Payload:
706. | next payload type: ISAKMP_NEXT_NONE
707. | length: 8
708. | transform type: 4
709. | transform ID: 14
710. | ****parse IKEv2 Proposal Substructure Payload:
711. | next payload type: ISAKMP_NEXT_P
712. | length: 44
713. | prop #: 2
714. | proto ID: 1
715. | spi size: 0
716. | # transforms: 4
717. | ****emit IKEv2 Proposal Substructure Payload:
718. | next payload type: ISAKMP_NEXT_NONE
719. | prop #: 1
720. | proto ID: 1
721. | spi size: 0
722. | # transforms: 4
723. | *****emit IKEv2 Transform Substructure Payload:
724. | next payload type: ISAKMP_NEXT_T
725. | transform type: 1
726. | transform ID: 12
727. | ******emit IKEv2 Attribute Substructure Payload:
728. | af+type: KEY_LENGTH
729. | length/value: 128
730. | [128 is 128??]
731. | emitting length of IKEv2 Transform Substructure Payload: 12
732. | *****emit IKEv2 Transform Substructure Payload:
733. | next payload type: ISAKMP_NEXT_T
734. | transform type: 3
735. | transform ID: 2
736. | emitting length of IKEv2 Transform Substructure Payload: 8
737. | *****emit IKEv2 Transform Substructure Payload:
738. | next payload type: ISAKMP_NEXT_T
739. | transform type: 2
740. | transform ID: 2
741. | emitting length of IKEv2 Transform Substructure Payload: 8
742. | *****emit IKEv2 Transform Substructure Payload:
743. | next payload type: ISAKMP_NEXT_NONE
744. | transform type: 4
745. | transform ID: 14
746. | emitting length of IKEv2 Transform Substructure Payload: 8
747. | emitting length of IKEv2 Proposal Substructure Payload: 44
748. | emitting length of IKEv2 Security Association Payload: 48
749. | DH public value received:
750. | 31 0d 41 e1 d8 e6 7d 24 50 ba 39 6a 00 5f 31 f8
751. | c0 90 24 d0 09 02 f1 16 cc 0a fa f7 4c 5a f3 e1
752. | a3 f0 15 70 3c dc 74 08 5d f6 c7 79 ef 64 e9 51
753. | f4 e4 3a 2d e8 8a 0e 5f 77 a3 6d 12 0f 2a 82 15
754. | c5 6f c6 c9 fe 66 c0 4d d7 c6 03 bb af 2e 3f e0
755. | 75 bc ae d3 e6 b7 99 7b f4 c7 9b 58 82 da 60 7f
756. | ca d0 01 74 2d f2 5c 24 b7 d0 8c 8e e5 5c ea 63
757. | 95 d9 0e b9 54 72 4d eb 0d 0f 1e 48 fd 1b cd 40
758. | 5e 3d 8f 50 98 6b c4 e8 ec 6a d9 46 3a 45 ea 65
759. | df a6 ec 13 75 73 e8 d3 e0 15 7b 93 b6 71 d7 c2
760. | b4 d9 f4 9e bf ed 72 28 df 2d 54 92 5b 39 a2 e3
761. | 3b d2 41 72 13 61 b0 15 55 12 b1 a0 d1 91 17 b9
762. | 90 8e e3 85 6d 3a 24 28 84 b3 18 ad 63 6e 50 e7
763. | c3 53 23 f6 7b 37 f6 f5 14 2c b8 92 3b 34 e5 9c
764. | 6d d0 13 58 d5 51 39 4d 77 40 b9 81 4c ae 2a 18
765. | 07 89 a7 10 37 c2 80 f9 e0 55 b1 23 fb bd 74 e2
766. | saving DH priv (local secret) and pub key into state struc
767. | ***emit IKEv2 Key Exchange Payload:
768. | next payload type: ISAKMP_NEXT_v2Ni
769. | critical bit: none
770. | transform type: 14
771. | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
772. | ikev2 g^x dc df 8d fa 25 69 0b 45 02 91 81 9b 2f 11 94 6f
773. | ikev2 g^x 2a 59 67 62 f3 12 df 90 3b 85 86 1f 70 10 e5 eb
774. | ikev2 g^x 55 af 45 29 db f1 5c 56 d2 7e 0b 6e 94 8d ce 8b
775. | ikev2 g^x 5b 32 91 99 6c c5 80 55 8d aa 23 a0 8c 06 93 57
776. | ikev2 g^x d0 2e 6e 34 92 e0 1d 21 45 74 f7 e3 99 af 7a 6e
777. | ikev2 g^x 93 3b 95 44 12 0e 8b 81 00 26 9b a5 b3 d2 15 63
778. | ikev2 g^x 19 66 35 32 87 cc 8f 68 61 be 74 dd e0 d3 ac 8a
779. | ikev2 g^x 7c 02 74 33 ac d5 97 41 bc e7 f3 cc a1 c5 0b 8c
780. | ikev2 g^x 47 fa 67 44 f4 5f 0f 05 38 88 7b fa 8b 82 df b1
781. | ikev2 g^x e1 79 b0 2c 33 c7 3f 51 70 e3 86 b1 1f 04 c1 88
782. | ikev2 g^x 52 37 b3 90 87 bb 4f d2 5b 24 ea d5 b4 8b 93 69
783. | ikev2 g^x cd 52 ea e4 24 af 1e 9d a8 96 ee 11 d5 87 f2 4b
784. | ikev2 g^x 84 0a 2f 84 1c e4 bf dc 8f 0e f0 26 a0 02 a4 7d
785. | ikev2 g^x 76 d6 90 1c f6 47 43 9c bd 8a 10 39 5b 29 c9 db
786. | ikev2 g^x af 39 a1 22 16 f4 30 85 7b e9 81 7d 12 90 27 c6
787. | ikev2 g^x 2f ee 51 b3 6f bf 84 fc 54 7d c9 c9 1b 6a 09 9a
788. | emitting length of IKEv2 Key Exchange Payload: 264
789. | ***emit IKEv2 Nonce Payload:
790. | next payload type: ISAKMP_NEXT_v2V
791. | critical bit: none
792. | emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
793. | IKEv2 nonce a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
794. | emitting length of IKEv2 Nonce Payload: 20
795. | ***emit ISAKMP Vendor ID Payload:
796. | next payload type: ISAKMP_NEXT_NONE
797. | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
798. | Vendor ID 4f 45 4e 5f 52 68 50 50 48 7b 64 5e
799. | emitting length of ISAKMP Vendor ID Payload: 16
800. | emitting length of ISAKMP Message: 376
801. | complete v2 state transition with STF_OK
802. "routers-12"[1] 2.x.x.x #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
803. "routers-12"[1] 2.x.x.x #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
804. | state #1 NAT-T: new mapping 2.x.x.x:4497
805. | processing connection routers-12[1] 2.x.x.x
806. "routers-12"[1] 2.x.x.x #1: new NAT mapping for #1, was 2.x.x.x:500, now 2.x.x.x:4497
807. | sending reply packet to 2.x.x.x:4497 (from port 500)
808. | sending 376 bytes for STATE_IKEv2_START through eth0:500 to 2.x.x.x:4497 (using #1)
809. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
810. | 21 20 22 20 00 00 00 00 00 00 01 78 22 00 00 30
811. | 00 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c
812. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
813. | 02 00 00 02 00 00 00 08 04 00 00 0e 28 00 01 08
814. | 00 0e 00 00 dc df 8d fa 25 69 0b 45 02 91 81 9b
815. | 2f 11 94 6f 2a 59 67 62 f3 12 df 90 3b 85 86 1f
816. | 70 10 e5 eb 55 af 45 29 db f1 5c 56 d2 7e 0b 6e
817. | 94 8d ce 8b 5b 32 91 99 6c c5 80 55 8d aa 23 a0
818. | 8c 06 93 57 d0 2e 6e 34 92 e0 1d 21 45 74 f7 e3
819. | 99 af 7a 6e 93 3b 95 44 12 0e 8b 81 00 26 9b a5
820. | b3 d2 15 63 19 66 35 32 87 cc 8f 68 61 be 74 dd
821. | e0 d3 ac 8a 7c 02 74 33 ac d5 97 41 bc e7 f3 cc
822. | a1 c5 0b 8c 47 fa 67 44 f4 5f 0f 05 38 88 7b fa
823. | 8b 82 df b1 e1 79 b0 2c 33 c7 3f 51 70 e3 86 b1
824. | 1f 04 c1 88 52 37 b3 90 87 bb 4f d2 5b 24 ea d5
825. | b4 8b 93 69 cd 52 ea e4 24 af 1e 9d a8 96 ee 11
826. | d5 87 f2 4b 84 0a 2f 84 1c e4 bf dc 8f 0e f0 26
827. | a0 02 a4 7d 76 d6 90 1c f6 47 43 9c bd 8a 10 39
828. | 5b 29 c9 db af 39 a1 22 16 f4 30 85 7b e9 81 7d
829. | 12 90 27 c6 2f ee 51 b3 6f bf 84 fc 54 7d c9 c9
830. | 1b 6a 09 9a 2b 00 00 14 a6 50 59 b5 b0 8b 7f 3b
831. | 9b e9 73 07 c1 60 d1 00 00 00 00 10 4f 45 4e 5f
832. | 52 68 50 50 48 7b 64 5e
833. | * processed 1 messages from cryptographic helpers
834. | next event EVENT_PENDING_DDNS in 13 seconds
835. | next event EVENT_PENDING_DDNS in 13 seconds
836.  
837. ==> /var/log/pluto.log <==
838. |
839. | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
840. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
841. | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
842. | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
843. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
844. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
845. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
846. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
847. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
848. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
849. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
850.  
851.  
852. ==> /var/log/pluto.log <==
853. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
854. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
855. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
856. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
857. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
858. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
859. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
860. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
861. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
862. | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
863. | **parse ISAKMP Message:
864. | initiator cookie:
865. | 0e 4d 0f 13 eb 45 5d 5d
866. | responder cookie:
867. | 14 ca ca 1e f4 0f ab ef
868. | next payload type: ISAKMP_NEXT_v2E
869. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
870. | exchange type: ISAKMP_v2_AUTH
871. | flags: ISAKMP_FLAG_INIT
872. | message ID: 00 00 00 01
873. | length: 316
874. | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
875. | I am IKE SA Responder
876. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
877. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
878. | state hash entry 22
879. | v2 peer and cookies match on #1
880. | v2 state object #1 found, in STATE_PARENT_R1
881. | state found and its state is (STATE_PARENT_R1)
882. | Now lets proceed with payload (ISAKMP_NEXT_v2E)
883. | ***parse IKEv2 Encryption Payload:
884. | next payload type: ISAKMP_NEXT_v2IDi
885. | critical bit: none
886. | length: 288
887. | processing payload: ISAKMP_NEXT_v2E (len=288)
888. | Finished and now at the end of ikev2_process_payload
889. | Finished processing ikev2_process_payloads
890. | Now lets proceed with state specific processing
891. | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
892. | calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=aes-cbc
893. | Copying DH pub key pointer to be sent to a thread helper
894. | 2: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
895. | asking helper 2 to do compute dh(v2) op on seq: 2 (len=2680, pcw_work=1)
896. | crypto helper write of request: cnt=2680<wlen=2680.
897. | deleting event for #1
898. | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
899. | event added after event EVENT_PENDING_PHASE2
900. | complete v2 state transition with STF_SUSPEND
901. | * processed 0 messages from cryptographic helpers
902. | next event EVENT_PENDING_DDNS in 13 seconds
903. | next event EVENT_PENDING_DDNS in 13 seconds
904. | helper 2 read 2676+4/2680 bytes fd: 13
905. | helper 2 doing compute dh(v2) op id: 2
906. | peer's g: 31 0d 41 e1 d8 e6 7d 24 50 ba 39 6a 00 5f 31 f8
907. | peer's g: c0 90 24 d0 09 02 f1 16 cc 0a fa f7 4c 5a f3 e1
908. | peer's g: a3 f0 15 70 3c dc 74 08 5d f6 c7 79 ef 64 e9 51
909. | peer's g: f4 e4 3a 2d e8 8a 0e 5f 77 a3 6d 12 0f 2a 82 15
910. | peer's g: c5 6f c6 c9 fe 66 c0 4d d7 c6 03 bb af 2e 3f e0
911. | peer's g: 75 bc ae d3 e6 b7 99 7b f4 c7 9b 58 82 da 60 7f
912. | peer's g: ca d0 01 74 2d f2 5c 24 b7 d0 8c 8e e5 5c ea 63
913. | peer's g: 95 d9 0e b9 54 72 4d eb 0d 0f 1e 48 fd 1b cd 40
914. | peer's g: 5e 3d 8f 50 98 6b c4 e8 ec 6a d9 46 3a 45 ea 65
915. | peer's g: df a6 ec 13 75 73 e8 d3 e0 15 7b 93 b6 71 d7 c2
916. | peer's g: b4 d9 f4 9e bf ed 72 28 df 2d 54 92 5b 39 a2 e3
917. | peer's g: 3b d2 41 72 13 61 b0 15 55 12 b1 a0 d1 91 17 b9
918. | peer's g: 90 8e e3 85 6d 3a 24 28 84 b3 18 ad 63 6e 50 e7
919. | peer's g: c3 53 23 f6 7b 37 f6 f5 14 2c b8 92 3b 34 e5 9c
920. | peer's g: 6d d0 13 58 d5 51 39 4d 77 40 b9 81 4c ae 2a 18
921. | peer's g: 07 89 a7 10 37 c2 80 f9 e0 55 b1 23 fb bd 74 e2
922. | Started DH shared-secret computation in NSS:
923. | Dropped no leading zeros 256
924. | calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP2048): 5889 usec
925. | DH shared-secret (pointer):
926. | 50 10 90 b4
927. | NSS: Started key computation
928. | calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=16
929. | skeyid inputs (digi+NI+NR+shared) hasher: oakley_sha
930. | shared-secret: 50 10 90 b4
931. | ni: 7f 6c 92 5f cd 34 8c eb 41 67 14 bc f7 74 19 f3
932. | nr: a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
933. | NSS: digisig skeyid pointer:
934. | c8 58 90 b4
935. | PRF+ input
936. | Ni 7f 6c 92 5f cd 34 8c eb 41 67 14 bc f7 74 19 f3
937. | Nr a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
938. | SPIi 0e 4d 0f 13 eb 45 5d 5d
939. | SPIr 14 ca ca 1e f4 0f ab ef
940. | Total keysize needed 132
941. | NSS ikev2: finished computing key material for IKEv2 SA
942. | NSS ikev2: finished computing individual keys for IKEv2 SA
943. | shared: 50 10 90 b4
944. | skeyseed: c8 58 90 b4
945. | SK_d: 28 8d 90 b4
946. | SK_ai: 70 47 90 b4
947. | SK_ar: 80 9f 90 b4
948. | SK_ei: 78 b1 90 b4
949. | SK_er: 18 c3 90 b4
950. | SK_pi: 88 8d 90 b4
951. | SK_pr: a0 7b 90 b4
952. |
953. | helper 2 has finished work (cnt now 1)
954. | helper 2 replies to id: q#2
955. | calling callback function 0xb765f990
956. | ikev2 parent inI2outR2: calculating g^{xy}, sending R2
957. | processing connection routers-12[1] 2.x.x.x
958. | hmac_update data value:
959. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
960. | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
961. | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
962. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
963. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
964. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
965. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
966. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
967. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
968. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
969. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
970. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
971. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
972. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
973. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
974. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
975. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
976. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
977. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
978. | hmac_update: inside if
979. | hmac_update: after digest
980. | hmac_update: after assert
981. | data being hmac: 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
982. | data being hmac: 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
983. | data being hmac: b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
984. | data being hmac: 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
985. | data being hmac: c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
986. | data being hmac: 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
987. | data being hmac: c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
988. | data being hmac: 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
989. | data being hmac: 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
990. | data being hmac: af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
991. | data being hmac: 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
992. | data being hmac: 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
993. | data being hmac: d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
994. | data being hmac: 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
995. | data being hmac: 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
996. | data being hmac: e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
997. | data being hmac: e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
998. | data being hmac: 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
999. | data being hmac: c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
1000. | R2 calculated auth: 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
1001. | R2 provided auth: 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
1002. | authenticator matched
1003. | data before decryption:
1004. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
1005. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
1006. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
1007. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
1008. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
1009. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
1010. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
1011. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
1012. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
1013. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
1014. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
1015. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
1016. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
1017. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
1018. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
1019. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
1020. | NSS do_aes: enter
1021. | NSS do_aes: exit
1022. | decrypted payload: 27 00 00 0f 02 00 00 00 72 6f 75 74 65 72 33 21
1023. | decrypted payload: 00 00 1c 02 00 00 00 42 e5 d3 b9 ca 05 64 42 d2
1024. | decrypted payload: 29 11 4e f7 19 ae 14 11 17 be e7 2c 00 00 9c 02
1025. | decrypted payload: 00 00 28 01 03 04 03 30 2c e3 04 03 00 00 0c 01
1026. | decrypted payload: 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 02 00
1027. | decrypted payload: 00 00 08 05 00 00 00 02 00 00 28 02 03 04 03 30
1028. | decrypted payload: 2c e3 04 03 00 00 0c 01 00 00 0c 80 0e 00 80 03
1029. | decrypted payload: 00 00 08 03 00 00 01 00 00 00 08 05 00 00 00 02
1030. | decrypted payload: 00 00 24 03 03 04 03 30 2c e3 04 03 00 00 08 01
1031. | decrypted payload: 00 00 03 03 00 00 08 03 00 00 02 00 00 00 08 05
1032. | decrypted payload: 00 00 00 00 00 00 24 04 03 04 03 30 2c e3 04 03
1033. | decrypted payload: 00 00 08 01 00 00 03 03 00 00 08 03 00 00 01 00
1034. | decrypted payload: 00 00 08 05 00 00 00 2d 00 00 18 01 00 00 00 07
1035. | decrypted payload: 00 00 10 00 00 ff ff c0 a8 21 00 c0 a8 21 ff 00
1036. | decrypted payload: 00 00 18 01 00 00 00 07 00 00 10 00 00 ff ff c0
1037. | decrypted payload: a8 37 00 c0 a8 37 ff 00 01 02 03 04 05 06 07 08
1038. | striping 9 bytes as pad
1039. | Now lets proceed with payload (ISAKMP_NEXT_v2IDi)
1040. | **parse IKEv2 Identification Payload:
1041. | next payload type: ISAKMP_NEXT_v2AUTH
1042. | critical bit: none
1043. | length: 15
1044. | id_type: ID_FQDN
1045. | processing payload: ISAKMP_NEXT_v2IDi (len=15)
1046. | Now lets proceed with payload (ISAKMP_NEXT_v2AUTH)
1047. | **parse IKEv2 Authentication Payload:
1048. | next payload type: ISAKMP_NEXT_v2SA
1049. | critical bit: none
1050. | length: 28
1051. | auth method: v2_AUTH_SHARED
1052. | processing payload: ISAKMP_NEXT_v2AUTH (len=28)
1053. | Now lets proceed with payload (ISAKMP_NEXT_v2SA)
1054. | **parse IKEv2 Security Association Payload:
1055. | next payload type: ISAKMP_NEXT_v2TSi
1056. | critical bit: none
1057. | length: 156
1058. | processing payload: ISAKMP_NEXT_v2SA (len=156)
1059. | Now lets proceed with payload (ISAKMP_NEXT_v2TSi)
1060. | **parse IKEv2 Traffic Selector Payload:
1061. | next payload type: ISAKMP_NEXT_v2TSr
1062. | critical bit: none
1063. | length: 24
1064. | number of TS: 1
1065. | processing payload: ISAKMP_NEXT_v2TSi (len=24)
1066. | Now lets proceed with payload (ISAKMP_NEXT_v2TSr)
1067. | **parse IKEv2 Traffic Selector Payload:
1068. | next payload type: ISAKMP_NEXT_NONE
1069. | critical bit: none
1070. | length: 24
1071. | number of TS: 1
1072. | processing payload: ISAKMP_NEXT_v2TSr (len=24)
1073. | Finished and now at the end of ikev2_process_payload
1074. "routers-12"[1] 2.x.x.x #1: IKEv2 mode peer ID is ID_FQDN: '@router3'
1075. | idhash verify pi 88 8d 90 b4
1076. | idhash verify I2 02 00 00 00 72 6f 75 74 65 72 33
1077. | hmac_update data value:
1078. | 02 00 00 00 72 6f 75 74 65 72 33
1079. | hmac_update: inside if
1080. | hmac_update: after digest
1081. | hmac_update: after assert
1082. | started looking for secret for @router1->@router2 of kind PPK_PSK
1083. | actually looking for secret for @router1->@router2 of kind PPK_PSK
1084. | line 3: key type PPK_PSK(@router1) to type PPK_PSK
1085. | 1: compared key @router3 to @router1 / @router2 -> 0
1086. | 2: compared key @router1 to @router1 / @router2 -> 8
1087. | line 3: match=8
1088. | line 2: key type PPK_PSK(@router1) to type PPK_PSK
1089. | 1: compared key @router2 to @router1 / @router2 -> 4
1090. | 2: compared key @router1 to @router1 / @router2 -> 12
1091. | line 2: match=12
1092. | best_match 0>12 best=0xb8be2e58 (line=2)
1093. | line 1: key type PPK_PSK(@router1) to type PPK_PSK
1094. | 1: compared key @router4 to @router1 / @router2 -> 0
1095. | 2: compared key @router1 to @router1 / @router2 -> 8
1096. | line 1: match=8
1097. | concluding with best_match=12 best=0xb8be2e58 (lineno=2)
1098. | hmac_update data value:
1099. | 4b 65 79 20 50 61 64 20 66 6f 72 20 49 4b 45 76
1100. | 32
1101. | hmac_update: inside if
1102. | hmac_update: after digest
1103. | hmac_update: after assert
1104. | negotiated prf: oakley_sha hash length: 20
1105. | inner prf output 8d 9a 73 0a ee c3 94 00 c0 6e 82 4b 7c aa 10 39
1106. | inner prf output b5 af 37 64
1107. | hmac_update data value:
1108. | 0e 4d 0f 13 eb 45 5d 5d 00 00 00 00 00 00 00 00
1109. | 21 20 22 08 00 00 00 00 00 00 03 44 22 00 01 fc
1110. | 02 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c
1111. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
1112. | 02 00 00 02 00 00 00 08 04 00 00 0e 02 00 00 2c
1113. | 02 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
1114. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1115. | 00 00 00 08 04 00 00 0e 02 00 00 28 03 01 00 04
1116. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
1117. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0e
1118. | 02 00 00 28 04 01 00 04 03 00 00 08 01 00 00 03
1119. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1120. | 00 00 00 08 04 00 00 0e 02 00 00 2c 05 01 00 04
1121. | 03 00 00 0c 01 00 00 0c 80 0e 00 80 03 00 00 08
1122. | 03 00 00 02 03 00 00 08 02 00 00 02 00 00 00 08
1123. | 04 00 00 05 02 00 00 2c 06 01 00 04 03 00 00 0c
1124. | 01 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 01
1125. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
1126. | 02 00 00 28 07 01 00 04 03 00 00 08 01 00 00 03
1127. | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
1128. | 00 00 00 08 04 00 00 05 02 00 00 28 08 01 00 04
1129. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 01
1130. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
1131. | 02 00 00 2c 09 01 00 04 03 00 00 0c 01 00 00 0c
1132. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
1133. | 02 00 00 02 00 00 00 08 04 00 00 02 02 00 00 2c
1134. | 0a 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
1135. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1136. | 00 00 00 08 04 00 00 02 02 00 00 28 0b 01 00 04
1137. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
1138. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 02
1139. | 00 00 00 28 0c 01 00 04 03 00 00 08 01 00 00 03
1140. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1141. | 00 00 00 08 04 00 00 02 28 00 01 08 00 0e 00 00
1142. | 31 0d 41 e1 d8 e6 7d 24 50 ba 39 6a 00 5f 31 f8
1143. | c0 90 24 d0 09 02 f1 16 cc 0a fa f7 4c 5a f3 e1
1144. | a3 f0 15 70 3c dc 74 08 5d f6 c7 79 ef 64 e9 51
1145. | f4 e4 3a 2d e8 8a 0e 5f 77 a3 6d 12 0f 2a 82 15
1146. | c5 6f c6 c9 fe 66 c0 4d d7 c6 03 bb af 2e 3f e0
1147. | 75 bc ae d3 e6 b7 99 7b f4 c7 9b 58 82 da 60 7f
1148. | ca d0 01 74 2d f2 5c 24 b7 d0 8c 8e e5 5c ea 63
1149. | 95 d9 0e b9 54 72 4d eb 0d 0f 1e 48 fd 1b cd 40
1150. | 5e 3d 8f 50 98 6b c4 e8 ec 6a d9 46 3a 45 ea 65
1151. | df a6 ec 13 75 73 e8 d3 e0 15 7b 93 b6 71 d7 c2
1152. | b4 d9 f4 9e bf ed 72 28 df 2d 54 92 5b 39 a2 e3
1153. | 3b d2 41 72 13 61 b0 15 55 12 b1 a0 d1 91 17 b9
1154. | 90 8e e3 85 6d 3a 24 28 84 b3 18 ad 63 6e 50 e7
1155. | c3 53 23 f6 7b 37 f6 f5 14 2c b8 92 3b 34 e5 9c
1156. | 6d d0 13 58 d5 51 39 4d 77 40 b9 81 4c ae 2a 18
1157. | 07 89 a7 10 37 c2 80 f9 e0 55 b1 23 fb bd 74 e2
1158. | 2b 00 00 14 7f 6c 92 5f cd 34 8c eb 41 67 14 bc
1159. | f7 74 19 f3 00 00 00 10 4f 45 4e 5f 52 68 50 50
1160. | 48 7b 64 5e
1161. | hmac_update: inside if
1162. | hmac_update: after digest
1163. | hmac_update: after assert
1164. | hmac_update data value:
1165. | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
1166. | hmac_update: inside if
1167. | hmac_update: after digest
1168. | hmac_update: after assert
1169. | hmac_update data value:
1170. | bf 7f d3 b5 0b b3 6c ba 14 0d 82 14 62 b3 6d 05
1171. | d4 11 b0 12
1172. | hmac_update: inside if
1173. | hmac_update: after digest
1174. | hmac_update: after assert
1175. | inputs to hash1 (first packet)
1176. | 0e 4d 0f 13 eb 45 5d 5d 00 00 00 00 00 00 00 00
1177. | 21 20 22 08 00 00 00 00 00 00 03 44 22 00 01 fc
1178. | 02 00 00 2c 01 01 00 04 03 00 00 0c 01 00 00 0c
1179. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
1180. | 02 00 00 02 00 00 00 08 04 00 00 0e 02 00 00 2c
1181. | 02 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
1182. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1183. | 00 00 00 08 04 00 00 0e 02 00 00 28 03 01 00 04
1184. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
1185. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 0e
1186. | 02 00 00 28 04 01 00 04 03 00 00 08 01 00 00 03
1187. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1188. | 00 00 00 08 04 00 00 0e 02 00 00 2c 05 01 00 04
1189. | 03 00 00 0c 01 00 00 0c 80 0e 00 80 03 00 00 08
1190. | 03 00 00 02 03 00 00 08 02 00 00 02 00 00 00 08
1191. | 04 00 00 05 02 00 00 2c 06 01 00 04 03 00 00 0c
1192. | 01 00 00 0c 80 0e 00 80 03 00 00 08 03 00 00 01
1193. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
1194. | 02 00 00 28 07 01 00 04 03 00 00 08 01 00 00 03
1195. | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
1196. | 00 00 00 08 04 00 00 05 02 00 00 28 08 01 00 04
1197. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 01
1198. | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05
1199. | 02 00 00 2c 09 01 00 04 03 00 00 0c 01 00 00 0c
1200. | 80 0e 00 80 03 00 00 08 03 00 00 02 03 00 00 08
1201. | 02 00 00 02 00 00 00 08 04 00 00 02 02 00 00 2c
1202. | 0a 01 00 04 03 00 00 0c 01 00 00 0c 80 0e 00 80
1203. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1204. | 00 00 00 08 04 00 00 02 02 00 00 28 0b 01 00 04
1205. | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
1206. | 03 00 00 08 02 00 00 02 00 00 00 08 04 00 00 02
1207. | 00 00 00 28 0c 01 00 04 03 00 00 08 01 00 00 03
1208. | 03 00 00 08 03 00 00 01 03 00 00 08 02 00 00 01
1209. | 00 00 00 08 04 00 00 02 28 00 01 08 00 0e 00 00
1210. | 31 0d 41 e1 d8 e6 7d 24 50 ba 39 6a 00 5f 31 f8
1211. | c0 90 24 d0 09 02 f1 16 cc 0a fa f7 4c 5a f3 e1
1212. | a3 f0 15 70 3c dc 74 08 5d f6 c7 79 ef 64 e9 51
1213. | f4 e4 3a 2d e8 8a 0e 5f 77 a3 6d 12 0f 2a 82 15
1214. | c5 6f c6 c9 fe 66 c0 4d d7 c6 03 bb af 2e 3f e0
1215. | 75 bc ae d3 e6 b7 99 7b f4 c7 9b 58 82 da 60 7f
1216. | ca d0 01 74 2d f2 5c 24 b7 d0 8c 8e e5 5c ea 63
1217. | 95 d9 0e b9 54 72 4d eb 0d 0f 1e 48 fd 1b cd 40
1218. | 5e 3d 8f 50 98 6b c4 e8 ec 6a d9 46 3a 45 ea 65
1219. | df a6 ec 13 75 73 e8 d3 e0 15 7b 93 b6 71 d7 c2
1220. | b4 d9 f4 9e bf ed 72 28 df 2d 54 92 5b 39 a2 e3
1221. | 3b d2 41 72 13 61 b0 15 55 12 b1 a0 d1 91 17 b9
1222. | 90 8e e3 85 6d 3a 24 28 84 b3 18 ad 63 6e 50 e7
1223. | c3 53 23 f6 7b 37 f6 f5 14 2c b8 92 3b 34 e5 9c
1224. | 6d d0 13 58 d5 51 39 4d 77 40 b9 81 4c ae 2a 18
1225. | 07 89 a7 10 37 c2 80 f9 e0 55 b1 23 fb bd 74 e2
1226. | 2b 00 00 14 7f 6c 92 5f cd 34 8c eb 41 67 14 bc
1227. | f7 74 19 f3 00 00 00 10 4f 45 4e 5f 52 68 50 50
1228. | 48 7b 64 5e
1229. | inputs to hash2 (responder nonce)
1230. | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
1231. | idhash bf 7f d3 b5 0b b3 6c ba 14 0d 82 14 62 b3 6d 05
1232. | idhash d4 11 b0 12
1233. | Received PSK auth octets
1234. | 42 e5 d3 b9 ca 05 64 42 d2 29 11 4e f7 19 ae 14
1235. | 11 17 be e7
1236. | Calculated PSK auth octets
1237. | 01 d0 16 b4 6c 00 d2 76 e1 7b 59 0b 70 d5 87 f6
1238. | 9e 79 6b 83
1239. "routers-12"[1] 2.x.x.x #1: AUTH mismatch: Received AUTH != computed AUTH
1240. "routers-12"[1] 2.x.x.x #1: PSK authentication failed AUTH mismatch!
1241. "routers-12"[1] 2.x.x.x #1: sending notification v2N_AUTHENTICATION_FAILED to 2.x.x.x:4497
1242. | **emit ISAKMP Message:
1243. | initiator cookie:
1244. | 0e 4d 0f 13 eb 45 5d 5d
1245. | responder cookie:
1246. | 14 ca ca 1e f4 0f ab ef
1247. | next payload type: ISAKMP_NEXT_v2N
1248. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1249. | exchange type: ISAKMP_v2_SA_INIT
1250. | flags: ISAKMP_FLAG_RESPONSE
1251. | message ID: 00 00 00 00
1252. | Adding a v2N Payload
1253. | ***emit IKEv2 Notify Payload:
1254. | next payload type: ISAKMP_NEXT_NONE
1255. | critical bit: none
1256. | Protocol ID: PROTO_ISAKMP
1257. | SPI size: 0
1258. | Notify Message Type: v2N_AUTHENTICATION_FAILED
1259. | emitting length of IKEv2 Notify Payload: 8
1260. | emitting length of ISAKMP Message: 36
1261. | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #1)
1262. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1263. | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
1264. | 01 00 00 18
1265. | ikev2_parent_inI2outR2_tail returned STF_FATAL
1266. | complete v2 state transition with STF_FATAL
1267. | deleting event for #1
1268. | deleting state #1
1269. | deleting event for #1
1270. | no suspended cryptographic state for 1
1271. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1272. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
1273. | state hash entry 22
1274. | processing connection routers-12[1] 2.x.x.x
1275. "routers-12"[1] 2.x.x.x: deleting connection "routers-12" instance with peer 2.x.x.x {isakmp=#0/ipsec=#0}
1276. | rel_lease_addr:133 addresspool is null so nothing to free
1277. | * processed 1 messages from cryptographic helpers
1278. | next event EVENT_PENDING_DDNS in 13 seconds
1279. | next event EVENT_PENDING_DDNS in 13 seconds
1280.  
1281.  
1282. ==> /var/log/pluto.log <==
1283. |
1284. | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
1285. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1286. | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
1287. | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
1288. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
1289. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
1290. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
1291. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
1292. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
1293. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
1294. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
1295.  
1296. ==> /var/log/pluto.log <==
1297. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
1298. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
1299. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
1300. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
1301. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
1302. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
1303. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
1304. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
1305. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
1306. | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
1307. | **parse ISAKMP Message:
1308. | initiator cookie:
1309. | 0e 4d 0f 13 eb 45 5d 5d
1310. | responder cookie:
1311. | 14 ca ca 1e f4 0f ab ef
1312. | next payload type: ISAKMP_NEXT_v2E
1313. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1314. | exchange type: ISAKMP_v2_AUTH
1315. | flags: ISAKMP_FLAG_INIT
1316. | message ID: 00 00 00 01
1317. | length: 316
1318. | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
1319. | I am IKE SA Responder
1320. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1321. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
1322. | state hash entry 22
1323. | v2 state object not found
1324. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1325. | RCOOKIE: 00 00 00 00 00 00 00 00
1326. | state hash entry 5
1327. | v2 state object not found
1328. | ended up with STATE_IKEv2_ROOF
1329. packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
1330. | **emit ISAKMP Message:
1331. | initiator cookie:
1332. | 0e 4d 0f 13 eb 45 5d 5d
1333. | responder cookie:
1334. | 14 ca ca 1e f4 0f ab ef
1335. | next payload type: ISAKMP_NEXT_v2N
1336. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1337. | exchange type: ISAKMP_v2_SA_INIT
1338. | flags: ISAKMP_FLAG_RESPONSE
1339. | message ID: 00 00 00 00
1340. | Adding a v2N Payload
1341. | ***emit IKEv2 Notify Payload:
1342. | next payload type: ISAKMP_NEXT_NONE
1343. | critical bit: none
1344. | Protocol ID: PROTO_ISAKMP
1345. | SPI size: 0
1346. | Notify Message Type: v2N_INVALID_MESSAGE_ID
1347. | emitting length of IKEv2 Notify Payload: 8
1348. | emitting length of ISAKMP Message: 36
1349. | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
1350. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1351. | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
1352. | 01 00 00 09
1353. | * processed 0 messages from cryptographic helpers
1354. | next event EVENT_PENDING_DDNS in 3 seconds
1355. | next event EVENT_PENDING_DDNS in 3 seconds
1356.  
1357.  
1358. ==> /var/log/pluto.log <==
1359. |
1360. | next event EVENT_PENDING_DDNS in 0 seconds
1361. | *time to handle event
1362. | handling event EVENT_PENDING_DDNS
1363. | event after this is EVENT_PENDING_PHASE2 in 60 seconds
1364. | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
1365. | event added at head of queue
1366. | next event EVENT_PENDING_DDNS in 60 seconds
1367.  
1368. root@server:~# ipsec status
1369. |
1370. | *received whack message
1371. SElinux: could not open /sys/fs/selinux/enforce
1372. FIPS: could not open /proc/sys/crypto/fips_enabled
1373. 000 using kernel interface: netkey
1374. 000 interface lo/lo ::1
1375. 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
1376. 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
1377. 000 interface lo/lo 127.0.0.1
1378. 000 interface lo/lo 127.0.0.1
1379. 000 interface eth0/eth0 69.x.x.x
1380. 000 interface eth0/eth0 69.x.x.x
1381. 000 interface eth0:1/eth0:1 192.168.55.254
1382. 000 interface eth0:1/eth0:1 192.168.55.254
1383. 000
1384. 000 FIPS=error(disabled)
1385. 000 SElinux=indeterminate
1386. 000
1387. 000 config setup options:
1388. 000
1389. 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
1390. 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
1391. 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
1392. 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
1393. 000 secctx_attr_value=<unsupported>
1394. 000 %myid = (none)
1395. 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
1396. 000
1397. | * processed 0 messages from cryptographic helpers
1398. 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
1399. 000 virtual_private (%priv):
1400. 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
1401. | next event EVENT_PENDING_DDNS in 47 seconds
1402. 000 - disallowed 0 subnets:
1403. 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
1404. 000 private address space in internal use, it should be excluded!
1405. 000
1406. 000 ESP algorithms supported:
1407. | next event EVENT_PENDING_DDNS in 47 seconds
1408. 000
1409. 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
1410. 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
1411. 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
1412. 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
1413. 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
1414. 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
1415. 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
1416. 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
1417. 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
1418. 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
1419. 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
1420. 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
1421. 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
1422. 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
1423. 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
1424. 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
1425. 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
1426. 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
1427. 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
1428. 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
1429. 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
1430. 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
1431. 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
1432. 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
1433. 000
1434. 000 IKE algorithms supported:
1435. 000
1436. 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
1437. 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
1438. 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
1439. 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
1440. 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
1441. 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
1442. 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
1443. 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
1444. 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
1445. 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
1446. 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
1447. 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
1448. 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
1449. 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
1450. 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
1451. 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
1452. 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
1453. 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
1454. 000
1455. 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
1456. 000
1457. 000 Connection list:
1458. 000
1459. 000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
1460. 000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
1461. 000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
1462. 000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
1463. 000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
1464. 000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
1465. 000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
1466. 000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
1467. 000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
1468. 000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
1469. 000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
1470. 000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
1471. 000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
1472. 000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
1473. 000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
1474. 000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
1475. 000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
1476. 000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
1477. 000
1478. 000 Total IPsec connections: loaded 2, active 0
1479. 000
1480. 000 State list:
1481. 000
1482. 000 Shunt list:
1483. 000
1484. root@server:~# |
1485. | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
1486. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1487. | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
1488. | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
1489.  
1490.  
1491. ==> /var/log/pluto.log <==
1492. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
1493. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
1494. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
1495. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
1496. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
1497. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
1498. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
1499. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
1500. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
1501. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
1502. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
1503. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
1504. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
1505. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
1506. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
1507. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
1508. | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
1509. | **parse ISAKMP Message:
1510. | initiator cookie:
1511. | 0e 4d 0f 13 eb 45 5d 5d
1512. | responder cookie:
1513. | 14 ca ca 1e f4 0f ab ef
1514. | next payload type: ISAKMP_NEXT_v2E
1515. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1516. | exchange type: ISAKMP_v2_AUTH
1517. | flags: ISAKMP_FLAG_INIT
1518. | message ID: 00 00 00 01
1519. | length: 316
1520. | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
1521. | I am IKE SA Responder
1522. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1523. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
1524. | state hash entry 22
1525. | v2 state object not found
1526. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1527. | RCOOKIE: 00 00 00 00 00 00 00 00
1528. | state hash entry 5
1529. | v2 state object not found
1530. | ended up with STATE_IKEv2_ROOF
1531. packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
1532. | **emit ISAKMP Message:
1533. | initiator cookie:
1534. | 0e 4d 0f 13 eb 45 5d 5d
1535. | responder cookie:
1536. | 14 ca ca 1e f4 0f ab ef
1537. | next payload type: ISAKMP_NEXT_v2N
1538. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1539. | exchange type: ISAKMP_v2_SA_INIT
1540. | flags: ISAKMP_FLAG_RESPONSE
1541. | message ID: 00 00 00 00
1542. | Adding a v2N Payload
1543. | ***emit IKEv2 Notify Payload:
1544. | next payload type: ISAKMP_NEXT_NONE
1545. | critical bit: none
1546. | Protocol ID: PROTO_ISAKMP
1547. | SPI size: 0
1548. | Notify Message Type: v2N_INVALID_MESSAGE_ID
1549. | emitting length of IKEv2 Notify Payload: 8
1550. | emitting length of ISAKMP Message: 36
1551. | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
1552. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1553. | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
1554. | 01 00 00 09
1555. | * processed 0 messages from cryptographic helpers
1556. | next event EVENT_PENDING_DDNS in 43 seconds
1557. | next event EVENT_PENDING_DDNS in 43 seconds
1558. |
1559. | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
1560. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1561. | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
1562. | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
1563. | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
1564. | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
1565. | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
1566. | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
1567. | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
1568. | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
1569. | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
1570. | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
1571. | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
1572. | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
1573. | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
1574. | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
1575. | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
1576. | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
1577. | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
1578. | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
1579. | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
1580. | **parse ISAKMP Message:
1581. | initiator cookie:
1582. | 0e 4d 0f 13 eb 45 5d 5d
1583. | responder cookie:
1584. | 14 ca ca 1e f4 0f ab ef
1585. | next payload type: ISAKMP_NEXT_v2E
1586. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1587. | exchange type: ISAKMP_v2_AUTH
1588. | flags: ISAKMP_FLAG_INIT
1589. | message ID: 00 00 00 01
1590. | length: 316
1591. | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
1592. | I am IKE SA Responder
1593. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1594. | RCOOKIE: 14 ca ca 1e f4 0f ab ef
1595. | state hash entry 22
1596. | v2 state object not found
1597. | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
1598. | RCOOKIE: 00 00 00 00 00 00 00 00
1599. | state hash entry 5
1600. | v2 state object not found
1601. | ended up with STATE_IKEv2_ROOF
1602. packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
1603. | **emit ISAKMP Message:
1604. | initiator cookie:
1605. | 0e 4d 0f 13 eb 45 5d 5d
1606. | responder cookie:
1607. | 14 ca ca 1e f4 0f ab ef
1608. | next payload type: ISAKMP_NEXT_v2N
1609. | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
1610. | exchange type: ISAKMP_v2_SA_INIT
1611. | flags: ISAKMP_FLAG_RESPONSE
1612. | message ID: 00 00 00 00
1613. | Adding a v2N Payload
1614. | ***emit IKEv2 Notify Payload:
1615. | next payload type: ISAKMP_NEXT_NONE
1616. | critical bit: none
1617. | Protocol ID: PROTO_ISAKMP
1618. | SPI size: 0
1619. | Notify Message Type: v2N_INVALID_MESSAGE_ID
1620. | emitting length of IKEv2 Notify Payload: 8
1621. | emitting length of ISAKMP Message: 36
1622. | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
1623. | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
1624. | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
1625. | 01 00 00 09
1626. | * processed 0 messages from cryptographic helpers
1627. | next event EVENT_PENDING_DDNS in 2 seconds
1628. | next event EVENT_PENDING_DDNS in 2 seconds
1629.  
1630. ==> /var/log/pluto.log <==
1631. |
1632. | next event EVENT_PENDING_DDNS in 0 seconds
1633. | *time to handle event
1634. | handling event EVENT_PENDING_DDNS
1635. | event after this is EVENT_PENDING_PHASE2 in 0 seconds
1636. | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
1637. | event added after event EVENT_PENDING_PHASE2
1638. | handling event EVENT_PENDING_PHASE2
1639. | event after this is EVENT_PENDING_DDNS in 60 seconds
1640. | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
1641. | event added after event EVENT_PENDING_DDNS
1642. | pending review: connection "routers-12" was not up, skipped
1643. | pending review: connection "routers-13" was not up, skipped
1644. | next event EVENT_PENDING_DDNS in 60 seconds
1645.  
1646. --- on client side ---
1647. [root@localhost ~]# ipsec auto --up routers-13
1648. 133 "routers-13" #1: STATE_PARENT_I1: initiate
1649. 133 "routers-13" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
1650. 134 "routers-13" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
1651. 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 20s for response
1652. 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
1653. 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
1654. 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
1655. 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
1656.  
1657.  
1658. FULL EXAMPLE USING IKEv1:
1659. root@server:~# ipsec start
1660. Redirecting to: start ipsec
1661. ipsec start/running, process 2118
1662. root@server:~#
1663. ==> /var/log/pluto.log <==
1664. nss directory plutomain: /etc/ipsec.d
1665.  
1666. ==> /var/log/pluto.log <==
1667. NSS Initialized
1668. FIPS integrity support [disabled]
1669. libcap-ng support [enabled]
1670. Linux audit support [disabled]
1671. Starting Pluto (Libreswan Version 3.5; Vendor ID OEN_RhPPH{d^) pid:2181
1672. FIPS: could not open /proc/sys/crypto/fips_enabled
1673. FIPS: could not open /proc/sys/crypto/fips_enabled
1674. ERROR: FIPS detection failed, Pluto running in non-FIPS mode
1675. core dump dir: /var/run/pluto/
1676. secrets file: /etc/ipsec.secrets
1677. LEAK_DETECTIVE support [disabled]
1678. OCF support for IKE [disabled]
1679. SAref support [disabled]: Protocol not available
1680. SAbind support [disabled]: Protocol not available
1681. NSS crypto [enabled]
1682. XAUTH PAM support [enabled]
1683. HAVE_STATSD notification support [disabled]
1684. Setting NAT-Traversal port-4500 floating to on
1685. port floating activation criteria nat_t=1/port_float=1
1686. NAT-Traversal support [enabled]
1687. | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
1688. | event added at head of queue
1689. | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
1690. | event added at head of queue
1691. | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
1692. | event added after event EVENT_PENDING_DDNS
1693. ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
1694. ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
1695. ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
1696. ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
1697. starting up 7 cryptographic helpers
1698. started helper (thread) pid=-1234736320 (fd:7)
1699. | status value returned by setting the priority of this thread (id=0) 22
1700. | helper 0 waiting on fd: 8
1701. started helper (thread) pid=-1244660928 (fd:9)
1702. | status value returned by setting the priority of this thread (id=1) 22
1703. | helper 1 waiting on fd: 10
1704. started helper (thread) pid=-1255146688 (fd:11)
1705. | status value returned by setting the priority of this thread (id=2) 22
1706. | helper 2 waiting on fd: 13
1707. started helper (thread) pid=-1265632448 (fd:14)
1708. | status value returned by setting the priority of this thread (id=3) 22
1709. | helper 3 waiting on fd: 15
1710. | status value returned by setting the priority of this thread (id=4) 22
1711. | helper 4 waiting on fd: 17
1712. started helper (thread) pid=-1276118208 (fd:16)
1713. started helper (thread) pid=-1286603968 (fd:18)
1714. | status value returned by setting the priority of this thread (id=5) 22
1715. | helper 5 waiting on fd: 19
1716. | status value returned by setting the priority of this thread (id=6) 22
1717. | helper 6 waiting on fd: 21
1718. started helper (thread) pid=-1297089728 (fd:20)
1719. Using Linux XFRM/NETKEY IPsec interface code on 3.9.3-x86-linode52
1720. | process 2181 listening for PF_KEY_V2 on file descriptor 24
1721. | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
1722. | 02 07 00 02 02 00 00 00 01 00 00 00 85 08 00 00
1723. | pfkey_get: K_SADB_REGISTER message 1
1724. | AH registered with kernel.
1725. | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
1726. | 02 07 00 03 02 00 00 00 02 00 00 00 85 08 00 00
1727. | pfkey_get: K_SADB_REGISTER message 2
1728. | alg_init():memset(0xb775e320, 0, 2048) memset(0xb775eb20, 0, 2048)
1729. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
1730. | kernel_alg_add():satype=3, exttype=14, alg_id=251
1731. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
1732. | kernel_alg_add():satype=3, exttype=14, alg_id=2
1733. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
1734. | kernel_alg_add():satype=3, exttype=14, alg_id=3
1735. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
1736. | kernel_alg_add():satype=3, exttype=14, alg_id=5
1737. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
1738. | kernel_alg_add():satype=3, exttype=14, alg_id=6
1739. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
1740. | kernel_alg_add():satype=3, exttype=14, alg_id=7
1741. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
1742. | kernel_alg_add():satype=3, exttype=14, alg_id=8
1743. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
1744. | kernel_alg_add():satype=3, exttype=14, alg_id=9
1745. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
1746. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
1747. | kernel_alg_add():satype=3, exttype=15, alg_id=11
1748. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
1749. | kernel_alg_add():satype=3, exttype=15, alg_id=2
1750. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
1751. | kernel_alg_add():satype=3, exttype=15, alg_id=3
1752. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
1753. | kernel_alg_add():satype=3, exttype=15, alg_id=6
1754. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
1755. | kernel_alg_add():satype=3, exttype=15, alg_id=7
1756. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
1757. | kernel_alg_add():satype=3, exttype=15, alg_id=12
1758. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
1759. | kernel_alg_add():satype=3, exttype=15, alg_id=252
1760. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
1761. | kernel_alg_add():satype=3, exttype=15, alg_id=22
1762. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
1763. | kernel_alg_add():satype=3, exttype=15, alg_id=253
1764. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
1765. | kernel_alg_add():satype=3, exttype=15, alg_id=13
1766. | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
1767. | kernel_alg_add():satype=3, exttype=15, alg_id=18
1768. | kernel_alg_add():satype=3, exttype=15, alg_id=19
1769. | kernel_alg_add():satype=3, exttype=15, alg_id=20
1770. | kernel_alg_add():satype=3, exttype=15, alg_id=14
1771. | kernel_alg_add():satype=3, exttype=15, alg_id=15
1772. | kernel_alg_add():satype=3, exttype=15, alg_id=16
1773. ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
1774. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
1775. ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
1776. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
1777. ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
1778. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
1779. ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
1780. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
1781. ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
1782. ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
1783. ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
1784. | ESP registered with kernel.
1785. | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
1786. | 02 07 00 09 02 00 00 00 03 00 00 00 85 08 00 00
1787. | pfkey_get: K_SADB_REGISTER message 3
1788. | IPCOMP registered with kernel.
1789. | Changed path to directory '/etc/ipsec.d/cacerts'
1790. | Changing to directory '/etc/ipsec.d/crls'
1791. | inserting event EVENT_LOG_DAILY, timeout in 61306 seconds
1792. | event added after event EVENT_REINIT_SECRET
1793. listening for IKE messages
1794. | Inspecting interface lo
1795. | found lo with address 127.0.0.1
1796. | Inspecting interface eth0
1797. | found eth0 with address 69.x.x.x
1798. | Inspecting interface eth0:1
1799. | found eth0:1 with address 192.168.55.254
1800. | NAT-Traversal: Trying new style NAT-T
1801. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
1802. | NAT-Traversal: Trying old style NAT-T
1803. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
1804. adding interface eth0:1/eth0:1 192.168.55.254:500
1805. | NAT-Traversal: Trying new style NAT-T
1806. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
1807. | NAT-Traversal: Trying old style NAT-T
1808. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
1809. adding interface eth0:1/eth0:1 192.168.55.254:4500
1810. | NAT-Traversal: Trying new style NAT-T
1811. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
1812. | NAT-Traversal: Trying old style NAT-T
1813. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
1814. adding interface eth0/eth0 69.x.x.x:500
1815. | NAT-Traversal: Trying new style NAT-T
1816. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
1817. | NAT-Traversal: Trying old style NAT-T
1818. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
1819. adding interface eth0/eth0 69.x.x.x:4500
1820. | NAT-Traversal: Trying new style NAT-T
1821. | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
1822. | NAT-Traversal: Trying old style NAT-T
1823. | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
1824. adding interface lo/lo 127.0.0.1:500
1825. | NAT-Traversal: Trying new style NAT-T
1826. | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
1827. | NAT-Traversal: Trying old style NAT-T
1828. | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
1829. adding interface lo/lo 127.0.0.1:4500
1830. | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
1831. | found he-ipv6 with address 2001:0470:1f0e:0ec4:0000:0000:0000:0002
1832. | found eth0 with address 2600:3c03:0000:0000:f03c:91ff:fedf:db97
1833. adding interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97:500
1834. adding interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2:500
1835. adding interface lo/lo ::1:500
1836. | certs and keys locked by 'free_preshared_secrets'
1837. | certs and keys unlocked by 'free_preshard_secrets'
1838. loading secrets from "/etc/ipsec.secrets"
1839. loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
1840. | id type added to secret(0xb8c4dd48) PPK_PSK: @router1
1841. | id type added to secret(0xb8c4dd48) PPK_PSK: @router4
1842. | Processing PSK at line 2: passed
1843. | certs and keys locked by 'process_secret'
1844. | certs and keys unlocked by 'process_secret'
1845. | id type added to secret(0xb8c4de58) PPK_PSK: @router1
1846. | id type added to secret(0xb8c4de58) PPK_PSK: @router2
1847. | Processing PSK at line 3: passed
1848. | certs and keys locked by 'process_secret'
1849. | certs and keys unlocked by 'process_secret'
1850. | id type added to secret(0xb8c52088) PPK_PSK: @router1
1851. | id type added to secret(0xb8c52088) PPK_PSK: @router3
1852. | Processing PSK at line 3: passed
1853. | certs and keys locked by 'process_secret'
1854. | certs and keys unlocked by 'process_secret'
1855. | next event EVENT_PENDING_DDNS in 60 seconds
1856.  
1857. ipsec verify
1858. ==> /var/log/pluto.log <==
1859. | calling addconn helper using execve
1860. | next event EVENT_PENDING_DDNS in 59 seconds
1861. | reaped addconn helper child
1862.  
1863. Verifying installed system and configuration files
1864.  
1865. Version check and ipsec on-path [OK]
1866. Libreswan 3.5 (netkey) on 3.9.3-x86-linode52
1867. Checking for IPsec support in kernel [OK]
1868. NETKEY: Testing XFRM related proc values
1869. ICMP default/send_redirects [OK]
1870. ICMP default/accept_redirects [OK]
1871. XFRM larval drop [OK]
1872. Pluto ipsec.conf syntax [OK]
1873. Hardware random device [N/A]
1874. Two or more interfaces found, checking IP forwarding [FAILED]
1875. Checking rp_filter [ENABLED]
1876. /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
1877. /proc/sys/net/ipv4/conf/he-ipv6/rp_filter [ENABLED]
1878. /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
1879. rp_filter is not fully aware of IPsec and should be disabled
1880. Checking that pluto is running [OK]
1881. Pluto listening for IKE on udp 500 [OK]
1882. Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
1883. Pluto listening for IKE/NAT-T on udp 4500 [OK]
1884. Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
1885. Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
1886. |
1887. | *received whack message
1888. | certs and keys locked by 'free_preshared_secrets'
1889. forgetting secrets
1890. | certs and keys unlocked by 'free_preshard_secrets'
1891. loading secrets from "/etc/ipsec.secrets"
1892. loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
1893. | id type added to secret(0xb8c4dd48) PPK_PSK: @router1
1894. | id type added to secret(0xb8c4dd48) PPK_PSK: @router4
1895. | Processing PSK at line 2: passed
1896. | certs and keys locked by 'process_secret'
1897. | certs and keys unlocked by 'process_secret'
1898. | id type added to secret(0xb8c4de58) PPK_PSK: @router1
1899.  
1900. ==> /var/log/pluto.log <==
1901. | id type added to secret(0xb8c4de58) PPK_PSK: @router2
1902. | Processing PSK at line 3: passed
1903. | certs and keys locked by 'process_secret'
1904. | certs and keys unlocked by 'process_secret'
1905. | id type added to secret(0xb8c52088) PPK_PSK: @router1
1906. | id type added to secret(0xb8c52088) PPK_PSK: @router3
1907. | Processing PSK at line 3: passed
1908. | certs and keys locked by 'process_secret'
1909. | certs and keys unlocked by 'process_secret'
1910. | * processed 0 messages from cryptographic helpers
1911. | next event EVENT_PENDING_DDNS in 57 seconds
1912. | next event EVENT_PENDING_DDNS in 57 seconds
1913. Pluto ipsec.secret syntax [OK]
1914. Checking NAT and MASQUERADEing [TEST INCOMPLETE]
1915. Checking 'ip' command [OK]
1916. Checking 'iptables' command [OK]
1917. Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
1918. Opportunistic Encryption [DISABLED]
1919.  
1920. ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
1921. root@server:~# ipsec status
1922. |
1923. | *received whack message
1924. SElinux: could not open /sys/fs/selinux/enforce
1925. FIPS: could not open /proc/sys/crypto/fips_enabled
1926.  
1927. ==> /var/log/pluto.log <==
1928. 000 using kernel interface: netkey
1929. 000 interface lo/lo ::1
1930. 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
1931. 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
1932. | * processed 0 messages from cryptographic helpers
1933. 000 interface lo/lo 127.0.0.1
1934. | next event EVENT_PENDING_DDNS in 50 seconds
1935. 000 interface lo/lo 127.0.0.1
1936. 000 interface eth0/eth0 69.x.x.x
1937. 000 interface eth0/eth0 69.x.x.x
1938. 000 interface eth0:1/eth0:1 192.168.55.254
1939. 000 interface eth0:1/eth0:1 192.168.55.254
1940. 000
1941. | next event EVENT_PENDING_DDNS in 50 seconds
1942. 000 FIPS=error(disabled)
1943. 000 SElinux=indeterminate
1944. 000
1945. 000 config setup options:
1946. 000
1947. 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
1948. 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
1949. 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
1950. 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
1951. 000 secctx_attr_value=<unsupported>
1952. 000 %myid = (none)
1953. 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
1954. 000
1955. 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
1956. 000 virtual_private (%priv):
1957. 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
1958. 000 - disallowed 0 subnets:
1959. 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
1960. 000 private address space in internal use, it should be excluded!
1961. 000
1962. 000 ESP algorithms supported:
1963. 000
1964. 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
1965. 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
1966. 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
1967. 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
1968. 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
1969. 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
1970. 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
1971. 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
1972. 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
1973. 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
1974. 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
1975. 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
1976. 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
1977. 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
1978. 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
1979. 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
1980. 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
1981. 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
1982. 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
1983. 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
1984. 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
1985. 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
1986. 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
1987. 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
1988. 000
1989. 000 IKE algorithms supported:
1990. 000
1991. 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
1992. 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
1993. 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
1994. 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
1995. 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
1996. 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
1997. 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
1998. 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
1999. 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
2000. 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
2001. 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
2002. 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
2003. 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
2004. 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
2005. 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
2006. 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
2007. 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
2008. 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
2009. 000
2010. 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
2011. 000
2012. 000 Connection list:
2013. 000
2014. 000
2015. 000 State list:
2016. 000
2017. 000 Shunt list:
2018. 000
2019. root@server:~#
2020. root@server:~# ipsec addconn routers-13
2021. |
2022. | *received whack message
2023. | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:none
2024. | Added new connection routers-13 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
2025. | counting wild cards for @router1 is 0
2026. | counting wild cards for @router3 is 0
2027. | based upon policy, the connection is a template.
2028. | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:none
2029. added connection description "routers-13"
2030. 002 added connection description "routers-13"
2031. | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24
2032. | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
2033. | * processed 0 messages from cryptographic helpers
2034. | next event EVENT_PENDING_DDNS in 40 seconds
2035. | next event EVENT_PENDING_DDNS in 40 seconds
2036. root@server:~# ipsec addconn routers-12
2037. |
2038. | *received whack message
2039. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
2040. | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:routers-13
2041. | Added new connection routers-12 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
2042. | counting wild cards for @router1 is 0
2043. | counting wild cards for @router2 is 0
2044. | based upon policy, the connection is a template.
2045. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
2046. 002 added connection description "routers-12"
2047. | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:routers-13
2048. added connection description "routers-12"
2049. | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24
2050. | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
2051. | * processed 0 messages from cryptographic helpers
2052. | next event EVENT_PENDING_DDNS in 38 seconds
2053. | next event EVENT_PENDING_DDNS in 38 seconds
2054. root@server:~# ipsec status
2055. |
2056. | *received whack message
2057. SElinux: could not open /sys/fs/selinux/enforce
2058. FIPS: could not open /proc/sys/crypto/fips_enabled
2059. 000 using kernel interface: netkey
2060. 000 interface lo/lo ::1
2061. 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
2062. 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
2063. 000 interface lo/lo 127.0.0.1
2064. 000 interface lo/lo 127.0.0.1
2065. 000 interface eth0/eth0 69.x.x.x
2066. 000 interface eth0/eth0 69.x.x.x
2067. 000 interface eth0:1/eth0:1 192.168.55.254
2068. 000 interface eth0:1/eth0:1 192.168.55.254
2069. 000
2070. 000 FIPS=error(disabled)
2071. 000 SElinux=indeterminate
2072. 000
2073. 000 config setup options:
2074. 000
2075. 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
2076. 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
2077. | * processed 0 messages from cryptographic helpers
2078. 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
2079. 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
2080. | next event EVENT_PENDING_DDNS in 36 seconds
2081. 000 secctx_attr_value=<unsupported>
2082. | next event EVENT_PENDING_DDNS in 36 seconds
2083. 000 %myid = (none)
2084. 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
2085. 000
2086. 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
2087. 000 virtual_private (%priv):
2088. 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
2089. 000 - disallowed 0 subnets:
2090. 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
2091. 000 private address space in internal use, it should be excluded!
2092. 000
2093. 000 ESP algorithms supported:
2094. 000
2095. 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
2096. 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
2097. 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
2098. 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
2099. 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
2100. 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
2101. 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
2102. 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
2103. 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
2104. 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
2105. 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
2106. 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
2107. 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
2108. 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
2109. 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
2110. 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
2111. 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
2112. 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
2113. 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
2114. 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
2115. 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
2116. 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
2117. 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
2118. 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
2119. 000
2120. 000 IKE algorithms supported:
2121. 000
2122. 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
2123. 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
2124. 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
2125. 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
2126. 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
2127. 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
2128. 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
2129. 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
2130. 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
2131. 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
2132. 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
2133. 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
2134. 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
2135. 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
2136. 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
2137. 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
2138. 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
2139. 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
2140. 000
2141. 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
2142. 000
2143. 000 Connection list:
2144. 000
2145. 000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
2146. 000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
2147. 000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
2148. 000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
2149. 000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
2150. 000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
2151. 000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
2152. 000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
2153. 000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
2154. 000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
2155. 000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
2156. 000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
2157. 000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
2158. 000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
2159. 000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
2160. 000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
2161. 000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
2162. 000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
2163. 000
2164. 000 Total IPsec connections: loaded 2, active 0
2165. 000
2166. 000 State list:
2167. 000
2168. 000 Shunt list:
2169. 000
2170. root@server:~# |
2171. | *received 612 bytes from 2.x.x.x:4497 on eth0 (port=500)
2172. | 58 e4 79 be 51 14 61 49 00 00 00 00 00 00 00 00
2173. | 01 10 02 00 00 00 00 00 00 00 02 64 0d 00 01 ac
2174. | 00 00 00 01 00 00 00 01 00 00 01 a0 00 01 00 0c
2175. | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10
2176. | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e
2177. | 80 0e 00 80 03 00 00 24 01 01 00 00 80 0b 00 01
2178. | 80 0c 0e 10 80 01 00 07 80 02 00 01 80 03 00 01
2179. | 80 04 00 0e 80 0e 00 80 03 00 00 20 02 01 00 00
2180. | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02
2181. | 80 03 00 01 80 04 00 0e 03 00 00 20 03 01 00 00
2182. | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01
2183. | 80 03 00 01 80 04 00 0e 03 00 00 24 04 01 00 00
2184. | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02
2185. | 80 03 00 01 80 04 00 05 80 0e 00 80 03 00 00 24
2186. | 05 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07
2187. | 80 02 00 01 80 03 00 01 80 04 00 05 80 0e 00 80
2188. | 03 00 00 20 06 01 00 00 80 0b 00 01 80 0c 0e 10
2189. | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05
2190. | 03 00 00 20 07 01 00 00 80 0b 00 01 80 0c 0e 10
2191. | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05
2192. | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10
2193. | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 02
2194. | 80 0e 00 80 03 00 00 24 09 01 00 00 80 0b 00 01
2195. | 80 0c 0e 10 80 01 00 07 80 02 00 01 80 03 00 01
2196. | 80 04 00 02 80 0e 00 80 03 00 00 20 0a 01 00 00
2197. | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02
2198. | 80 03 00 01 80 04 00 02 00 00 00 20 0b 01 00 00
2199. | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01
2200. | 80 03 00 01 80 04 00 02 0d 00 00 10 4f 45 4e 5f
2201. | 52 68 50 50 48 7b 64 5e 0d 00 00 14 af ca d7 13
2202. | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 00 14
2203. | 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
2204. | 0d 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2
2205. | 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f
2206. | 2c 17 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91
2207. | 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f 0d 00 00 14
2208. | cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
2209. | 00 00 00 14 44 85 15 2d 18 b6 bb cd 0b e8 a8 46
2210. | 95 79 dd cc
2211. | **parse ISAKMP Message:
2212. | initiator cookie:
2213. | 58 e4 79 be 51 14 61 49
2214. | responder cookie:
2215. | 00 00 00 00 00 00 00 00
2216. | next payload type: ISAKMP_NEXT_SA
2217. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
2218. | exchange type: ISAKMP_XCHG_IDPROT
2219. | flags: none
2220. | message ID: 00 00 00 00
2221. | length: 612
2222. | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
2223. | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
2224. | ***parse ISAKMP Security Association Payload:
2225. | next payload type: ISAKMP_NEXT_VID
2226. | length: 428
2227. | DOI: ISAKMP_DOI_IPSEC
2228. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2229. | ***parse ISAKMP Vendor ID Payload:
2230. | next payload type: ISAKMP_NEXT_VID
2231. | length: 16
2232. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2233. | ***parse ISAKMP Vendor ID Payload:
2234. | next payload type: ISAKMP_NEXT_VID
2235. | length: 20
2236. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2237. | ***parse ISAKMP Vendor ID Payload:
2238. | next payload type: ISAKMP_NEXT_VID
2239. | length: 20
2240. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2241. | ***parse ISAKMP Vendor ID Payload:
2242. | next payload type: ISAKMP_NEXT_VID
2243. | length: 20
2244. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2245. | ***parse ISAKMP Vendor ID Payload:
2246. | next payload type: ISAKMP_NEXT_VID
2247. | length: 20
2248. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2249. | ***parse ISAKMP Vendor ID Payload:
2250. | next payload type: ISAKMP_NEXT_VID
2251. | length: 20
2252. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2253. | ***parse ISAKMP Vendor ID Payload:
2254. | next payload type: ISAKMP_NEXT_VID
2255. | length: 20
2256. | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
2257. | ***parse ISAKMP Vendor ID Payload:
2258. | next payload type: ISAKMP_NEXT_NONE
2259. | length: 20
2260. packet from 2.x.x.x:4497: received Vendor ID payload [Libreswan (this version) 3.5 ]
2261. packet from 2.x.x.x:4497: received Vendor ID payload [Dead Peer Detection]
2262. packet from 2.x.x.x:4497: received Vendor ID payload [FRAGMENTATION]
2263. | returning NATT method NAT_TRAVERSAL_METHOD_IETF_RFC
2264. | method set to=RFC 3947 (NAT-Traversal)
2265. packet from 2.x.x.x:4497: received Vendor ID payload [RFC 3947]
2266. | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-03]
2267. packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2268. | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-02_n]
2269. packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2270. | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-02]
2271. packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2272. packet from 2.x.x.x:4497: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2273. | nat-t detected, sending nat-t VID
2274. | find_host_connection2 called from main_inI1_outR1, me=69.x.x.x:500 him=2.x.x.x:4497 policy=none
2275. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
2276. | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 2.x.x.x:4497 -> hp:none
2277. | find_host_connection2 returns empty
2278. | ****parse IPsec DOI SIT:
2279. | IPsec DOI SIT: SIT_IDENTITY_ONLY
2280. | ****parse ISAKMP Proposal Payload:
2281. | next payload type: ISAKMP_NEXT_NONE
2282. | length: 416
2283. | proposal number: 0
2284. | protocol ID: PROTO_ISAKMP
2285. | SPI size: 0
2286. | number of transforms: 12
2287. | *****parse ISAKMP Transform Payload (ISAKMP):
2288. | next payload type: ISAKMP_NEXT_T
2289. | length: 36
2290. | transform number: 0
2291. | transform ID: KEY_IKE
2292. | ******parse ISAKMP Oakley attribute:
2293. | af+type: OAKLEY_LIFE_TYPE
2294. | length/value: 1
2295. | ******parse ISAKMP Oakley attribute:
2296. | af+type: OAKLEY_LIFE_DURATION
2297. | length/value: 3600
2298. | ******parse ISAKMP Oakley attribute:
2299. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2300. | length/value: 7
2301. | ******parse ISAKMP Oakley attribute:
2302. | af+type: OAKLEY_HASH_ALGORITHM
2303. | length/value: 2
2304. | ******parse ISAKMP Oakley attribute:
2305. | af+type: OAKLEY_AUTHENTICATION_METHOD
2306. | length/value: 1
2307. | ******parse ISAKMP Oakley attribute:
2308. | af+type: OAKLEY_GROUP_DESCRIPTION
2309. | length/value: 14
2310. | ******parse ISAKMP Oakley attribute:
2311. | af+type: OAKLEY_KEY_LENGTH
2312. | length/value: 128
2313. | *****parse ISAKMP Transform Payload (ISAKMP):
2314. | next payload type: ISAKMP_NEXT_T
2315. | length: 36
2316. | transform number: 1
2317. | transform ID: KEY_IKE
2318. | ******parse ISAKMP Oakley attribute:
2319. | af+type: OAKLEY_LIFE_TYPE
2320. | length/value: 1
2321. | ******parse ISAKMP Oakley attribute:
2322. | af+type: OAKLEY_LIFE_DURATION
2323. | length/value: 3600
2324. | ******parse ISAKMP Oakley attribute:
2325. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2326. | length/value: 7
2327. | ******parse ISAKMP Oakley attribute:
2328. | af+type: OAKLEY_HASH_ALGORITHM
2329. | length/value: 1
2330.  
2331. ==> /var/log/pluto.log <==
2332. | ******parse ISAKMP Oakley attribute:
2333. | af+type: OAKLEY_AUTHENTICATION_METHOD
2334. | length/value: 1
2335. | ******parse ISAKMP Oakley attribute:
2336. | af+type: OAKLEY_GROUP_DESCRIPTION
2337. | length/value: 14
2338. | ******parse ISAKMP Oakley attribute:
2339. | af+type: OAKLEY_KEY_LENGTH
2340. | length/value: 128
2341. | *****parse ISAKMP Transform Payload (ISAKMP):
2342. | next payload type: ISAKMP_NEXT_T
2343. | length: 32
2344. | transform number: 2
2345. | transform ID: KEY_IKE
2346. | ******parse ISAKMP Oakley attribute:
2347. | af+type: OAKLEY_LIFE_TYPE
2348. | length/value: 1
2349. | ******parse ISAKMP Oakley attribute:
2350. | af+type: OAKLEY_LIFE_DURATION
2351. | length/value: 3600
2352. | ******parse ISAKMP Oakley attribute:
2353. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2354. | length/value: 5
2355. | ******parse ISAKMP Oakley attribute:
2356. | af+type: OAKLEY_HASH_ALGORITHM
2357. | length/value: 2
2358. | ******parse ISAKMP Oakley attribute:
2359. | af+type: OAKLEY_AUTHENTICATION_METHOD
2360. | length/value: 1
2361. | ******parse ISAKMP Oakley attribute:
2362. | af+type: OAKLEY_GROUP_DESCRIPTION
2363. | length/value: 14
2364. | *****parse ISAKMP Transform Payload (ISAKMP):
2365. | next payload type: ISAKMP_NEXT_T
2366. | length: 32
2367. | transform number: 3
2368. | transform ID: KEY_IKE
2369. | ******parse ISAKMP Oakley attribute:
2370. | af+type: OAKLEY_LIFE_TYPE
2371. | length/value: 1
2372. | ******parse ISAKMP Oakley attribute:
2373. | af+type: OAKLEY_LIFE_DURATION
2374. | length/value: 3600
2375. | ******parse ISAKMP Oakley attribute:
2376. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2377. | length/value: 5
2378. | ******parse ISAKMP Oakley attribute:
2379. | af+type: OAKLEY_HASH_ALGORITHM
2380. | length/value: 1
2381. | ******parse ISAKMP Oakley attribute:
2382. | af+type: OAKLEY_AUTHENTICATION_METHOD
2383. | length/value: 1
2384. | ******parse ISAKMP Oakley attribute:
2385. | af+type: OAKLEY_GROUP_DESCRIPTION
2386. | length/value: 14
2387. | *****parse ISAKMP Transform Payload (ISAKMP):
2388. | next payload type: ISAKMP_NEXT_T
2389. | length: 36
2390. | transform number: 4
2391. | transform ID: KEY_IKE
2392. | ******parse ISAKMP Oakley attribute:
2393. | af+type: OAKLEY_LIFE_TYPE
2394. | length/value: 1
2395. | ******parse ISAKMP Oakley attribute:
2396. | af+type: OAKLEY_LIFE_DURATION
2397. | length/value: 3600
2398. | ******parse ISAKMP Oakley attribute:
2399. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2400. | length/value: 7
2401. | ******parse ISAKMP Oakley attribute:
2402. | af+type: OAKLEY_HASH_ALGORITHM
2403. | length/value: 2
2404. | ******parse ISAKMP Oakley attribute:
2405. | af+type: OAKLEY_AUTHENTICATION_METHOD
2406. | length/value: 1
2407. | ******parse ISAKMP Oakley attribute:
2408. | af+type: OAKLEY_GROUP_DESCRIPTION
2409. | length/value: 5
2410. | ******parse ISAKMP Oakley attribute:
2411. | af+type: OAKLEY_KEY_LENGTH
2412. | length/value: 128
2413. | *****parse ISAKMP Transform Payload (ISAKMP):
2414. | next payload type: ISAKMP_NEXT_T
2415. | length: 36
2416. | transform number: 5
2417. | transform ID: KEY_IKE
2418. | ******parse ISAKMP Oakley attribute:
2419. | af+type: OAKLEY_LIFE_TYPE
2420. | length/value: 1
2421. | ******parse ISAKMP Oakley attribute:
2422. | af+type: OAKLEY_LIFE_DURATION
2423. | length/value: 3600
2424. | ******parse ISAKMP Oakley attribute:
2425. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2426. | length/value: 7
2427. | ******parse ISAKMP Oakley attribute:
2428. | af+type: OAKLEY_HASH_ALGORITHM
2429. | length/value: 1
2430. | ******parse ISAKMP Oakley attribute:
2431. | af+type: OAKLEY_AUTHENTICATION_METHOD
2432. | length/value: 1
2433. | ******parse ISAKMP Oakley attribute:
2434. | af+type: OAKLEY_GROUP_DESCRIPTION
2435. | length/value: 5
2436. | ******parse ISAKMP Oakley attribute:
2437. | af+type: OAKLEY_KEY_LENGTH
2438. | length/value: 128
2439. | *****parse ISAKMP Transform Payload (ISAKMP):
2440. | next payload type: ISAKMP_NEXT_T
2441. | length: 32
2442. | transform number: 6
2443. | transform ID: KEY_IKE
2444. | ******parse ISAKMP Oakley attribute:
2445. | af+type: OAKLEY_LIFE_TYPE
2446. | length/value: 1
2447. | ******parse ISAKMP Oakley attribute:
2448. | af+type: OAKLEY_LIFE_DURATION
2449. | length/value: 3600
2450. | ******parse ISAKMP Oakley attribute:
2451. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2452. | length/value: 5
2453. | ******parse ISAKMP Oakley attribute:
2454. | af+type: OAKLEY_HASH_ALGORITHM
2455. | length/value: 2
2456. | ******parse ISAKMP Oakley attribute:
2457. | af+type: OAKLEY_AUTHENTICATION_METHOD
2458. | length/value: 1
2459. | ******parse ISAKMP Oakley attribute:
2460. | af+type: OAKLEY_GROUP_DESCRIPTION
2461. | length/value: 5
2462. | *****parse ISAKMP Transform Payload (ISAKMP):
2463. | next payload type: ISAKMP_NEXT_T
2464. | length: 32
2465. | transform number: 7
2466. | transform ID: KEY_IKE
2467. | ******parse ISAKMP Oakley attribute:
2468. | af+type: OAKLEY_LIFE_TYPE
2469. | length/value: 1
2470. | ******parse ISAKMP Oakley attribute:
2471. | af+type: OAKLEY_LIFE_DURATION
2472. | length/value: 3600
2473. | ******parse ISAKMP Oakley attribute:
2474. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2475. | length/value: 5
2476. | ******parse ISAKMP Oakley attribute:
2477. | af+type: OAKLEY_HASH_ALGORITHM
2478. | length/value: 1
2479. | ******parse ISAKMP Oakley attribute:
2480. | af+type: OAKLEY_AUTHENTICATION_METHOD
2481. | length/value: 1
2482. | ******parse ISAKMP Oakley attribute:
2483. | af+type: OAKLEY_GROUP_DESCRIPTION
2484. | length/value: 5
2485. | *****parse ISAKMP Transform Payload (ISAKMP):
2486. | next payload type: ISAKMP_NEXT_T
2487. | length: 36
2488. | transform number: 8
2489. | transform ID: KEY_IKE
2490. | ******parse ISAKMP Oakley attribute:
2491. | af+type: OAKLEY_LIFE_TYPE
2492. | length/value: 1
2493. | ******parse ISAKMP Oakley attribute:
2494. | af+type: OAKLEY_LIFE_DURATION
2495. | length/value: 3600
2496. | ******parse ISAKMP Oakley attribute:
2497. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2498. | length/value: 7
2499. | ******parse ISAKMP Oakley attribute:
2500. | af+type: OAKLEY_HASH_ALGORITHM
2501. | length/value: 2
2502.  
2503. ==> /var/log/pluto.log <==
2504. | ******parse ISAKMP Oakley attribute:
2505. | af+type: OAKLEY_AUTHENTICATION_METHOD
2506. | length/value: 1
2507. | ******parse ISAKMP Oakley attribute:
2508. | af+type: OAKLEY_GROUP_DESCRIPTION
2509. | length/value: 2
2510. | ******parse ISAKMP Oakley attribute:
2511. | af+type: OAKLEY_KEY_LENGTH
2512. | length/value: 128
2513. | *****parse ISAKMP Transform Payload (ISAKMP):
2514. | next payload type: ISAKMP_NEXT_T
2515. | length: 36
2516. | transform number: 9
2517. | transform ID: KEY_IKE
2518. | ******parse ISAKMP Oakley attribute:
2519. | af+type: OAKLEY_LIFE_TYPE
2520. | length/value: 1
2521. | ******parse ISAKMP Oakley attribute:
2522. | af+type: OAKLEY_LIFE_DURATION
2523. | length/value: 3600
2524. | ******parse ISAKMP Oakley attribute:
2525. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2526. | length/value: 7
2527. | ******parse ISAKMP Oakley attribute:
2528. | af+type: OAKLEY_HASH_ALGORITHM
2529. | length/value: 1
2530. | ******parse ISAKMP Oakley attribute:
2531. | af+type: OAKLEY_AUTHENTICATION_METHOD
2532. | length/value: 1
2533. | ******parse ISAKMP Oakley attribute:
2534. | af+type: OAKLEY_GROUP_DESCRIPTION
2535. | length/value: 2
2536. | ******parse ISAKMP Oakley attribute:
2537. | af+type: OAKLEY_KEY_LENGTH
2538. | length/value: 128
2539. | *****parse ISAKMP Transform Payload (ISAKMP):
2540. | next payload type: ISAKMP_NEXT_T
2541. | length: 32
2542. | transform number: 10
2543. | transform ID: KEY_IKE
2544. | ******parse ISAKMP Oakley attribute:
2545. | af+type: OAKLEY_LIFE_TYPE
2546. | length/value: 1
2547. | ******parse ISAKMP Oakley attribute:
2548. | af+type: OAKLEY_LIFE_DURATION
2549. | length/value: 3600
2550. | ******parse ISAKMP Oakley attribute:
2551. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2552. | length/value: 5
2553. | ******parse ISAKMP Oakley attribute:
2554. | af+type: OAKLEY_HASH_ALGORITHM
2555. | length/value: 2
2556. | ******parse ISAKMP Oakley attribute:
2557. | af+type: OAKLEY_AUTHENTICATION_METHOD
2558. | length/value: 1
2559. | ******parse ISAKMP Oakley attribute:
2560. | af+type: OAKLEY_GROUP_DESCRIPTION
2561. | length/value: 2
2562. | *****parse ISAKMP Transform Payload (ISAKMP):
2563. | next payload type: ISAKMP_NEXT_NONE
2564. | length: 32
2565. | transform number: 11
2566. | transform ID: KEY_IKE
2567. | ******parse ISAKMP Oakley attribute:
2568. | af+type: OAKLEY_LIFE_TYPE
2569. | length/value: 1
2570. | ******parse ISAKMP Oakley attribute:
2571. | af+type: OAKLEY_LIFE_DURATION
2572. | length/value: 3600
2573. | ******parse ISAKMP Oakley attribute:
2574. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2575. | length/value: 5
2576. | ******parse ISAKMP Oakley attribute:
2577. | af+type: OAKLEY_HASH_ALGORITHM
2578. | length/value: 1
2579. | ******parse ISAKMP Oakley attribute:
2580. | af+type: OAKLEY_AUTHENTICATION_METHOD
2581. | length/value: 1
2582. | ******parse ISAKMP Oakley attribute:
2583. | af+type: OAKLEY_GROUP_DESCRIPTION
2584. | length/value: 2
2585. | find_host_connection2 called from main_inI1_outR1, me=69.x.x.x:500 him=%any:4497 policy=PSK
2586. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
2587. | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 %any:4497 -> hp:routers-12
2588. | searching for connection with policy = PSK
2589. | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG (routers-12)
2590. | find_host_connection2 returns routers-12
2591. | instantiating "routers-12" for initial Main Mode message received on 69.x.x.x:500
2592. | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
2593. | connect_to_host_pair: 69.x.x.x:500 2.x.x.x:500 -> hp:none
2594. | instantiated "routers-12" for 2.x.x.x
2595. | creating state object #1 at 0xb8c53f80
2596. | processing connection routers-12[1] 2.x.x.x
2597. | ICOOKIE: 58 e4 79 be 51 14 61 49
2598. | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
2599. | state hash entry 4
2600. | inserting state object #1
2601. | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
2602. | event added at head of queue
2603. "routers-12"[1] 2.x.x.x #1: responding to Main Mode from unknown peer 2.x.x.x
2604. | **emit ISAKMP Message:
2605. | initiator cookie:
2606. | 58 e4 79 be 51 14 61 49
2607. | responder cookie:
2608. | 76 7f 51 65 c7 b5 d3 b0
2609. | next payload type: ISAKMP_NEXT_SA
2610. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
2611. | exchange type: ISAKMP_XCHG_IDPROT
2612. | flags: none
2613. | message ID: 00 00 00 00
2614. | ***emit ISAKMP Security Association Payload:
2615. | next payload type: ISAKMP_NEXT_VID
2616. | DOI: ISAKMP_DOI_IPSEC
2617. | ****parse IPsec DOI SIT:
2618. | IPsec DOI SIT: SIT_IDENTITY_ONLY
2619. | ****parse ISAKMP Proposal Payload:
2620. | next payload type: ISAKMP_NEXT_NONE
2621. | length: 416
2622. | proposal number: 0
2623. | protocol ID: PROTO_ISAKMP
2624. | SPI size: 0
2625. | number of transforms: 12
2626. | *****parse ISAKMP Transform Payload (ISAKMP):
2627. | next payload type: ISAKMP_NEXT_T
2628. | length: 36
2629. | transform number: 0
2630. | transform ID: KEY_IKE
2631. | ******parse ISAKMP Oakley attribute:
2632. | af+type: OAKLEY_LIFE_TYPE
2633. | length/value: 1
2634. | [1 is OAKLEY_LIFE_SECONDS]
2635. | ******parse ISAKMP Oakley attribute:
2636. | af+type: OAKLEY_LIFE_DURATION
2637. | length/value: 3600
2638. | ******parse ISAKMP Oakley attribute:
2639. | af+type: OAKLEY_ENCRYPTION_ALGORITHM
2640. | length/value: 7
2641. | [7 is OAKLEY_AES_CBC]
2642. | ike_alg_enc_ok(ealg=7,key_len=0): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
2643. | ******parse ISAKMP Oakley attribute:
2644. | af+type: OAKLEY_HASH_ALGORITHM
2645. | length/value: 2
2646. | [2 is OAKLEY_SHA1]
2647. | ******parse ISAKMP Oakley attribute:
2648. | af+type: OAKLEY_AUTHENTICATION_METHOD
2649. | length/value: 1
2650. | [1 is OAKLEY_PRESHARED_KEY]
2651. | started looking for secret for @router1->@router2 of kind PPK_PSK
2652. | actually looking for secret for @router1->@router2 of kind PPK_PSK
2653. | line 3: key type PPK_PSK(@router1) to type PPK_PSK
2654. | 1: compared key @router3 to @router1 / @router2 -> 0
2655. | 2: compared key @router1 to @router1 / @router2 -> 8
2656. | line 3: match=8
2657. | line 2: key type PPK_PSK(@router1) to type PPK_PSK
2658. | 1: compared key @router2 to @router1 / @router2 -> 4
2659. | 2: compared key @router1 to @router1 / @router2 -> 12
2660. | line 2: match=12
2661. | best_match 0>12 best=0xb8c4de58 (line=2)
2662. | line 1: key type PPK_PSK(@router1) to type PPK_PSK
2663. | 1: compared key @router4 to @router1 / @router2 -> 0
2664. | 2: compared key @router1 to @router1 / @router2 -> 8
2665. | line 1: match=8
2666. | concluding with best_match=12 best=0xb8c4de58 (lineno=2)
2667. | ******parse ISAKMP Oakley attribute:
2668. | af+type: OAKLEY_GROUP_DESCRIPTION
2669. | length/value: 14
2670. | [14 is OAKLEY_GROUP_MODP2048]
2671. | ******parse ISAKMP Oakley attribute:
2672. | af+type: OAKLEY_KEY_LENGTH
2673. | length/value: 128
2674. | ike_alg_enc_ok(ealg=7,key_len=128): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
2675. | Oakley Transform 0 accepted
2676. | ****emit IPsec DOI SIT:
2677. | IPsec DOI SIT: SIT_IDENTITY_ONLY
2678. | ****emit ISAKMP Proposal Payload:
2679. | next payload type: ISAKMP_NEXT_NONE
2680. | proposal number: 0
2681. | protocol ID: PROTO_ISAKMP
2682. | SPI size: 0
2683. | number of transforms: 1
2684. | *****emit ISAKMP Transform Payload (ISAKMP):
2685. | next payload type: ISAKMP_NEXT_NONE
2686. | transform number: 0
2687. | transform ID: KEY_IKE
2688. | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
2689. | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02
2690. | attributes 80 03 00 01 80 04 00 0e 80 0e 00 80
2691. | emitting length of ISAKMP Transform Payload (ISAKMP): 36
2692. | emitting length of ISAKMP Proposal Payload: 44
2693. | emitting length of ISAKMP Security Association Payload: 56
2694. | ***emit ISAKMP Vendor ID Payload:
2695. | next payload type: ISAKMP_NEXT_VID
2696. | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
2697. | Vendor ID 4f 45 4e 5f 52 68 50 50 48 7b 64 5e
2698. | emitting length of ISAKMP Vendor ID Payload: 16
2699. | out_vid(): sending [Dead Peer Detection]
2700. | ***emit ISAKMP Vendor ID Payload:
2701. | next payload type: ISAKMP_NEXT_VID
2702. | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2703. | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
2704. | emitting length of ISAKMP Vendor ID Payload: 20
2705. | out_vid(): sending [FRAGMENTATION]
2706. | ***emit ISAKMP Vendor ID Payload:
2707. | next payload type: ISAKMP_NEXT_VID
2708. | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2709. | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
2710. | emitting length of ISAKMP Vendor ID Payload: 20
2711. | sender checking NAT-T: 1 and 116
2712. | returning NATT method NAT_TRAVERSAL_METHOD_IETF_RFC
2713. | out_vendorid(): sending [RFC 3947]
2714. | ***emit ISAKMP Vendor ID Payload:
2715. | next payload type: ISAKMP_NEXT_NONE
2716. | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
2717. | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
2718. | emitting length of ISAKMP Vendor ID Payload: 20
2719. | emitting length of ISAKMP Message: 160
2720. | peer supports fragmentation
2721. | peer supports dpd
2722. | enabling sending dpd
2723. | complete state transition with STF_OK
2724. "routers-12"[1] 2.x.x.x #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2725. | deleting event for #1
2726. | sending reply packet to 2.x.x.x:4497 (from port 500)
2727. | sending 160 bytes for STATE_MAIN_R0 through eth0:500 to 2.x.x.x:4497 (using #1)
2728. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
2729. | 01 10 02 00 00 00 00 00 00 00 00 a0 0d 00 00 38
2730. | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
2731. | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10
2732. | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e
2733. | 80 0e 00 80 0d 00 00 10 4f 45 4e 5f 52 68 50 50
2734. | 48 7b 64 5e 0d 00 00 14 af ca d7 13 68 a1 f1 c9
2735. | 6b 86 96 fc 77 57 01 00 0d 00 00 14 40 48 b7 d5
2736. | 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 00 00 00 14
2737. | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
2738. | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2739. | event added at head of queue
2740. "routers-12"[1] 2.x.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2
2741. | modecfg pull: noquirk policy:push not-client
2742. | phase 1 is done, looking for phase 2 to unpend
2743. | * processed 0 messages from cryptographic helpers
2744. | next event EVENT_RETRANSMIT in 10 seconds for #1
2745. | next event EVENT_RETRANSMIT in 10 seconds for #1
2746.  
2747. ==> /var/log/pluto.log <==
2748. |
2749. | *received 356 bytes from 2.x.x.x:4497 on eth0 (port=500)
2750. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
2751. | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
2752. | 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
2753. | 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
2754. | b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
2755. | 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
2756. | 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
2757. | d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
2758. | ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
2759. | fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
2760. | e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
2761. | 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
2762. | c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
2763. | 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
2764. | e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
2765.  
2766. ==> /var/log/pluto.log <==
2767. | ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
2768. | 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
2769. | cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
2770. | 14 00 00 14 cd df fd b7 2a a6 1b 6b f8 eb 4b a5
2771. | ba e9 9a 76 14 00 00 18 04 a2 c9 8d b5 d8 53 db
2772. | c7 76 e4 e0 b6 77 4b 2b a3 93 b1 57 00 00 00 18
2773. | 04 d4 36 6f 0a de ab 49 6f a2 8b 3e f1 c2 32 93
2774. | 57 b4 25 aa
2775. | **parse ISAKMP Message:
2776. | initiator cookie:
2777. | 58 e4 79 be 51 14 61 49
2778. | responder cookie:
2779. | 76 7f 51 65 c7 b5 d3 b0
2780. | next payload type: ISAKMP_NEXT_KE
2781. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
2782. | exchange type: ISAKMP_XCHG_IDPROT
2783. | flags: none
2784. | message ID: 00 00 00 00
2785. | length: 356
2786. | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
2787. | ICOOKIE: 58 e4 79 be 51 14 61 49
2788. | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
2789. | state hash entry 4
2790. | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
2791. | v1 state object #1 found, in STATE_MAIN_R1
2792. | processing connection routers-12[1] 2.x.x.x
2793. | got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
2794. | ***parse ISAKMP Key Exchange Payload:
2795. | next payload type: ISAKMP_NEXT_NONCE
2796. | length: 260
2797. | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
2798. | ***parse ISAKMP Nonce Payload:
2799. | next payload type: ISAKMP_NEXT_NAT-D
2800. | length: 20
2801. | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
2802. | ***parse ISAKMP NAT-D Payload:
2803. | next payload type: ISAKMP_NEXT_NAT-D
2804. | length: 24
2805. | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
2806. | ***parse ISAKMP NAT-D Payload:
2807. | next payload type: ISAKMP_NEXT_NONE
2808. | length: 24
2809. | DH public value received:
2810. | 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
2811. | 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
2812. | b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
2813. | 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
2814. | 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
2815. | d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
2816. | ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
2817. | fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
2818. | e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
2819. | 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
2820. | c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
2821. | 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
2822. | e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
2823. | ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
2824. | 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
2825. | cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
2826. | inI2: checking NAT-T: 1 and 16
2827. | NAT_T_WITH_NATD detected
2828. | _natd_hash: hasher=0xb773c180(20)
2829. | _natd_hash: icookie=
2830. | 58 e4 79 be 51 14 61 49
2831. | _natd_hash: rcookie=
2832. | 76 7f 51 65 c7 b5 d3 b0
2833. | _natd_hash: ip= 45 a4 d2 8d
2834. | _natd_hash: port=500
2835. | _natd_hash: hash= 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
2836. | _natd_hash: hash= 98 5b e7 4a
2837. | _natd_hash: hasher=0xb773c180(20)
2838. | _natd_hash: icookie=
2839. | 58 e4 79 be 51 14 61 49
2840. | _natd_hash: rcookie=
2841. | 76 7f 51 65 c7 b5 d3 b0
2842. | _natd_hash: ip= 02 dc 82 c8
2843. | _natd_hash: port=4497
2844. | _natd_hash: hash= 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
2845. | _natd_hash: hash= 9f bf 57 79
2846. | NAT_TRAVERSAL hash=0 (me:0) (him:0)
2847. | expected NAT-D(me): 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
2848. | expected NAT-D(me): 98 5b e7 4a
2849. | expected NAT-D(him):
2850. | 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
2851. | 9f bf 57 79
2852. | received NAT-D: 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
2853. | received NAT-D: a3 93 b1 57
2854. | NAT_TRAVERSAL hash=1 (me:0) (him:0)
2855. | expected NAT-D(me): 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
2856. | expected NAT-D(me): 98 5b e7 4a
2857. | expected NAT-D(him):
2858. | 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
2859. | 9f bf 57 79
2860. | received NAT-D: 04 d4 36 6f 0a de ab 49 6f a2 8b 3e f1 c2 32 93
2861. | received NAT-D: 57 b4 25 aa
2862. | NAT_TRAVERSAL hash=2 (me:0) (him:0)
2863. | NAT_TRAVERSAL forceencaps enabled
2864. | NAT_TRAVERSAL nat_keepalive enabled
2865. "routers-12"[1] 2.x.x.x #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
2866. | NAT_T_WITH_KA detected
2867. | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
2868. | event added after event EVENT_PENDING_DDNS
2869. | 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
2870. | asking helper 1 to do build_kenonce op on seq: 1 (len=2680, pcw_work=1)
2871. | crypto helper write of request: cnt=2680<wlen=2680.
2872. | deleting event for #1
2873. | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
2874. | event added after event EVENT_PENDING_PHASE2
2875. | complete state transition with STF_SUSPEND
2876. | * processed 0 messages from cryptographic helpers
2877. | next event EVENT_PENDING_DDNS in 15 seconds
2878. | next event EVENT_PENDING_DDNS in 15 seconds
2879. | helper 1 read 2676+4/2680 bytes fd: 10
2880. | helper 1 doing build_kenonce op id: 1
2881. | NSS: Value of Prime:
2882. | ff ff ff ff ff ff ff ff c9 0f da a2 21 68 c2 34
2883. | c4 c6 62 8b 80 dc 1c d1 29 02 4e 08 8a 67 cc 74
2884. | 02 0b be a6 3b 13 9b 22 51 4a 08 79 8e 34 04 dd
2885. | ef 95 19 b3 cd 3a 43 1b 30 2b 0a 6d f2 5f 14 37
2886. | 4f e1 35 6d 6d 51 c2 45 e4 85 b5 76 62 5e 7e c6
2887. | f4 4c 42 e9 a6 37 ed 6b 0b ff 5c b6 f4 06 b7 ed
2888. | ee 38 6b fb 5a 89 9f a5 ae 9f 24 11 7c 4b 1f e6
2889. | 49 28 66 51 ec e4 5b 3d c2 00 7c b8 a1 63 bf 05
2890. | 98 da 48 36 1c 55 d3 9a 69 16 3f a8 fd 24 cf 5f
2891. | 83 65 5d 23 dc a3 ad 96 1c 62 f3 56 20 85 52 bb
2892. | 9e d5 29 07 70 96 96 6d 67 0c 35 4e 4a bc 98 04
2893. | f1 74 6c 08 ca 18 21 7c 32 90 5e 46 2e 36 ce 3b
2894. | e3 9e 77 2c 18 0e 86 03 9b 27 83 a2 ec 07 a2 8f
2895. | b5 c5 5d f0 6f 4c 52 c9 de 2b cb f6 95 58 17 18
2896. | 39 95 49 7c ea 95 6a e5 15 d2 26 18 98 fa 05 10
2897. | 15 72 8e 5a 8a ac aa 68 ff ff ff ff ff ff ff ff
2898. | NSS: Value of base:
2899. | 02
2900. | NSS: generated dh priv and pub keys: 256
2901. | NSS: Local DH secret (pointer):
2902. | 40 48 30 b5
2903. | NSS: Public DH value sent(computed in NSS):
2904. | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
2905. | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
2906. | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
2907. | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
2908. | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
2909. | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
2910. | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
2911. | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
2912. | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
2913. | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
2914. | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
2915. | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
2916. | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
2917. | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
2918. | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
2919. | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
2920. | NSS: Local DH public value (pointer):
2921. | 38 40 30 b5
2922. | Generated nonce:
2923. | 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
2924. |
2925. | helper 1 has finished work (cnt now 1)
2926. | helper 1 replies to id: q#1
2927. | calling callback function 0xb7668f90
2928. | main inI2_outR2: calculated ke+nonce, sending R2
2929. | processing connection routers-12[1] 2.x.x.x
2930. | **emit ISAKMP Message:
2931. | initiator cookie:
2932. | 58 e4 79 be 51 14 61 49
2933. | responder cookie:
2934. | 76 7f 51 65 c7 b5 d3 b0
2935. | next payload type: ISAKMP_NEXT_KE
2936. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
2937. | exchange type: ISAKMP_XCHG_IDPROT
2938. | flags: none
2939. | message ID: 00 00 00 00
2940. | saving DH priv (local secret) and pub key into state struc
2941. | ***emit ISAKMP Key Exchange Payload:
2942. | next payload type: ISAKMP_NEXT_NONCE
2943. | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
2944. | keyex value 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
2945. | keyex value b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
2946. | keyex value e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
2947. | keyex value 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
2948. | keyex value 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
2949. | keyex value 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
2950. | keyex value f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
2951. | keyex value 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
2952. | keyex value 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
2953. | keyex value ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
2954. | keyex value 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
2955. | keyex value 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
2956. | keyex value 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
2957. | keyex value c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
2958. | keyex value 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
2959. | keyex value 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
2960. | emitting length of ISAKMP Key Exchange Payload: 260
2961. | ***emit ISAKMP Nonce Payload:
2962. | next payload type: ISAKMP_NEXT_NONE
2963. | emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
2964. | Nr 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
2965. | emitting length of ISAKMP Nonce Payload: 20
2966. | sending NAT-D payloads
2967. | NAT-T: forceencaps=yes, so mangling hash to force NAT-T detection
2968. | _natd_hash: hasher=0xb773c180(20)
2969. | _natd_hash: icookie=
2970. | 58 e4 79 be 51 14 61 49
2971. | _natd_hash: rcookie=
2972. | 76 7f 51 65 c7 b5 d3 b0
2973. | _natd_hash: ip= 02 dc 82 c8
2974. | _natd_hash: port=0
2975. | _natd_hash: hash= 8d fa b2 1b f7 97 67 8a ae f7 31 f9 41 1a d5 8a
2976. | _natd_hash: hash= 84 35 fc a1
2977. | ***emit ISAKMP NAT-D Payload:
2978. | next payload type: ISAKMP_NEXT_NAT-D
2979. | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
2980. | NAT-D 8d fa b2 1b f7 97 67 8a ae f7 31 f9 41 1a d5 8a
2981. | NAT-D 84 35 fc a1
2982. | emitting length of ISAKMP NAT-D Payload: 24
2983. | _natd_hash: hasher=0xb773c180(20)
2984. | _natd_hash: icookie=
2985. | 58 e4 79 be 51 14 61 49
2986. | _natd_hash: rcookie=
2987. | 76 7f 51 65 c7 b5 d3 b0
2988. | _natd_hash: ip= 45 a4 d2 8d
2989. | _natd_hash: port=0
2990. | _natd_hash: hash= 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
2991. | _natd_hash: hash= a3 93 b1 57
2992. | ***emit ISAKMP NAT-D Payload:
2993. | next payload type: ISAKMP_NEXT_NONE
2994. | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
2995. | NAT-D 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
2996. | NAT-D a3 93 b1 57
2997. | emitting length of ISAKMP NAT-D Payload: 24
2998. | emitting length of ISAKMP Message: 356
2999. | main inI2_outR2: starting async DH calculation (group=14)
3000. | started looking for secret for @router1->@router2 of kind PPK_PSK
3001. | actually looking for secret for @router1->@router2 of kind PPK_PSK
3002. | line 3: key type PPK_PSK(@router1) to type PPK_PSK
3003. | 1: compared key @router3 to @router1 / @router2 -> 0
3004. | 2: compared key @router1 to @router1 / @router2 -> 8
3005. | line 3: match=8
3006. | line 2: key type PPK_PSK(@router1) to type PPK_PSK
3007. | 1: compared key @router2 to @router1 / @router2 -> 4
3008. | 2: compared key @router1 to @router1 / @router2 -> 12
3009. | line 2: match=12
3010. | best_match 0>12 best=0xb8c4de58 (line=2)
3011. | line 1: key type PPK_PSK(@router1) to type PPK_PSK
3012. | 1: compared key @router4 to @router1 / @router2 -> 0
3013. | 2: compared key @router1 to @router1 / @router2 -> 8
3014. | line 1: match=8
3015. | concluding with best_match=12 best=0xb8c4de58 (lineno=2)
3016. | parent1 type: 7 group: 14 len: 2680
3017. | Copying DH pub key pointer to be sent to a thread helper
3018. | 2: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
3019. | asking helper 2 to do compute dh+iv op on seq: 2 (len=2680, pcw_work=1)
3020. | crypto helper write of request: cnt=2680<wlen=2680.
3021. | deleting event for #1
3022. | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
3023. | event added after event EVENT_PENDING_PHASE2
3024. | started dh_secretiv, returned: stf=STF_SUSPEND
3025. | complete state transition with STF_OK
3026. "routers-12"[1] 2.x.x.x #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
3027. | deleting event for #1
3028. | sending reply packet to 2.x.x.x:4497 (from port 500)
3029. | sending 356 bytes for STATE_MAIN_R1 through eth0:500 to 2.x.x.x:4497 (using #1)
3030. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3031. | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
3032. | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
3033. | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
3034. | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
3035. | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
3036. | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
3037. | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
3038. | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
3039. | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
3040. | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
3041. | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
3042. | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
3043. | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
3044. | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
3045. | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
3046. | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
3047. | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
3048. | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
3049. | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
3050. | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
3051. | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
3052. | a3 93 b1 57
3053. | helper 2 read 2676+4/2680 bytes fd: 13
3054. | helper 2 doing compute dh+iv op id: 2
3055. | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
3056. | event added at head of queue
3057. "routers-12"[1] 2.x.x.x #1: STATE_MAIN_R2: sent MR2, expecting MI3
3058. | modecfg pull: noquirk policy:push not-client
3059. | phase 1 is done, looking for phase 2 to unpend
3060. | * processed 1 messages from cryptographic helpers
3061. | next event EVENT_RETRANSMIT in 10 seconds for #1
3062. | next event EVENT_RETRANSMIT in 10 seconds for #1
3063. | peer's g: 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
3064. | peer's g: 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
3065. | peer's g: b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
3066. | peer's g: 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
3067. | peer's g: 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
3068. | peer's g: d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
3069. | peer's g: ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
3070. | peer's g: fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
3071. | peer's g: e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
3072. | peer's g: 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
3073. | peer's g: c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
3074. | peer's g: 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
3075. | peer's g: e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
3076. | peer's g: ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
3077. | peer's g: 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
3078. | peer's g: cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
3079. | Started DH shared-secret computation in NSS:
3080. | Dropped no leading zeros 256
3081. | calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP2048): 3911 usec
3082. | DH shared-secret (pointer):
3083. | 50 10 90 b4
3084. | NSS: skeyid inputs (pss+NI+NR+shared-secret) hasher: oakley_sha
3085. | shared-secret (pointer in chunk_t):
3086. | 50 10 90 b4
3087. | ni: cd df fd b7 2a a6 1b 6b f8 eb 4b a5 ba e9 9a 76
3088. | nr: 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
3089. | NSS: st_skeyid in skeyid_preshared() (pointer):
3090. | 80 7b 90 b4
3091. | NSS: Started key computation
3092. | NSS: dh shared param len=4
3093. | NSS: enc keysize=16
3094. | NSS: copied skeyid_d_chunk
3095. | NSS: copied skeyid_a_chunk
3096. | NSS: copied skeyid_e_chunk
3097. | NSS: copied enc_key_chunk
3098. | NSS: Freed symkeys 1-23
3099. | NSS: Freed padding chunks
3100. | DH_i: 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
3101. | DH_i: 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
3102. | DH_i: b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
3103. | DH_i: 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
3104. | DH_i: 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
3105. | DH_i: d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
3106. | DH_i: ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
3107. | DH_i: fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
3108. | DH_i: e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
3109. | DH_i: 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
3110. | DH_i: c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
3111. | DH_i: 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
3112. | DH_i: e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
3113. | DH_i: ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
3114. | DH_i: 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
3115. | DH_i: cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
3116. | DH_r: 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
3117. | DH_r: b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
3118. | DH_r: e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
3119. | DH_r: 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
3120. | DH_r: 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
3121. | DH_r: 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
3122. | DH_r: f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
3123. | DH_r: 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
3124. | DH_r: 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
3125. | DH_r: ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
3126. | DH_r: 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
3127. | DH_r: 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
3128. | DH_r: 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
3129. | DH_r: c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
3130. | DH_r: 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
3131. | DH_r: 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
3132. | end of IV generation
3133. |
3134. | helper 2 has finished work (cnt now 1)
3135. | helper 2 replies to id: q#2
3136. | calling callback function 0xb7665fd0
3137. | main inI2_outR2: calculated DH finished
3138. | processing connection routers-12[1] 2.x.x.x
3139. | * processed 1 messages from cryptographic helpers
3140. | next event EVENT_RETRANSMIT in 10 seconds for #1
3141. | next event EVENT_RETRANSMIT in 10 seconds for #1
3142. |
3143. | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
3144. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3145. | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
3146. | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
3147. | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
3148. | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3149. | **parse ISAKMP Message:
3150. | initiator cookie:
3151. | 58 e4 79 be 51 14 61 49
3152. | responder cookie:
3153. | 76 7f 51 65 c7 b5 d3 b0
3154. | next payload type: ISAKMP_NEXT_ID
3155. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3156. | exchange type: ISAKMP_XCHG_IDPROT
3157. | flags: ISAKMP_FLAG_ENCRYPTION
3158. | message ID: 00 00 00 00
3159. | length: 76
3160. | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
3161. | ICOOKIE: 58 e4 79 be 51 14 61 49
3162. | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
3163. | state hash entry 4
3164.  
3165.  
3166. ==> /var/log/pluto.log <==
3167. | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
3168. | v1 state object #1 found, in STATE_MAIN_R2
3169. | processing connection routers-12[1] 2.x.x.x
3170. | received encrypted packet from 2.x.x.x:4509
3171. | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
3172. | NSS do_aes: enter
3173. | NSS do_aes: exit
3174. | decrypted:
3175. | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
3176. | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
3177. | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
3178. | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3179. | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
3180. "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
3181. "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
3182. | payload malformed after IV
3183. | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
3184. | 03 2d 42 c6
3185. "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
3186. | **emit ISAKMP Message:
3187. | initiator cookie:
3188. | 58 e4 79 be 51 14 61 49
3189. | responder cookie:
3190. | 76 7f 51 65 c7 b5 d3 b0
3191. | next payload type: ISAKMP_NEXT_N
3192. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3193. | exchange type: ISAKMP_XCHG_INFO
3194. | flags: none
3195. | message ID: e5 82 56 e4
3196. | ***emit ISAKMP Notification Payload:
3197. | next payload type: ISAKMP_NEXT_NONE
3198. | DOI: ISAKMP_DOI_IPSEC
3199. | protocol ID: 1
3200. | SPI size: 0
3201. | Notify Message Type: PAYLOAD_MALFORMED
3202. | emitting length of ISAKMP Notification Payload: 12
3203. | emitting length of ISAKMP Message: 40
3204. | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
3205. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3206. | 0b 10 05 00 e5 82 56 e4 00 00 00 28 00 00 00 0c
3207. | 00 00 00 01 01 00 00 10
3208. | * processed 0 messages from cryptographic helpers
3209. | next event EVENT_RETRANSMIT in 10 seconds for #1
3210. | next event EVENT_RETRANSMIT in 10 seconds for #1
3211. |
3212. | next event EVENT_RETRANSMIT in 0 seconds for #1
3213. | *time to handle event
3214. | handling event EVENT_RETRANSMIT
3215. | event after this is EVENT_PENDING_DDNS in 5 seconds
3216. | processing connection routers-12[1] 2.x.x.x
3217. | handling event EVENT_RETRANSMIT for 2.x.x.x "routers-12" #1
3218.  
3219. ==> /var/log/pluto.log <==
3220. | sending 356 bytes for EVENT_RETRANSMIT through eth0:500 to 2.x.x.x:4497 (using #1)
3221. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3222. | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
3223. | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
3224. | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
3225. | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
3226. | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
3227. | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
3228. | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
3229. | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
3230. | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
3231. | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
3232. | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
3233. | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
3234. | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
3235. | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
3236. | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
3237. | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
3238. | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
3239. | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
3240. | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
3241. | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
3242. | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
3243. | a3 93 b1 57
3244. | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
3245. | event added after event EVENT_NAT_T_KEEPALIVE
3246. | next event EVENT_PENDING_DDNS in 5 seconds
3247. |
3248. | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
3249. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3250. | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
3251. | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
3252. | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
3253. | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3254. | **parse ISAKMP Message:
3255. | initiator cookie:
3256. | 58 e4 79 be 51 14 61 49
3257. | responder cookie:
3258. | 76 7f 51 65 c7 b5 d3 b0
3259. | next payload type: ISAKMP_NEXT_ID
3260. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3261. | exchange type: ISAKMP_XCHG_IDPROT
3262. | flags: ISAKMP_FLAG_ENCRYPTION
3263. | message ID: 00 00 00 00
3264. | length: 76
3265.  
3266. ==> /var/log/pluto.log <==
3267. | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
3268. | ICOOKIE: 58 e4 79 be 51 14 61 49
3269. | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
3270. | state hash entry 4
3271. | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
3272. | v1 state object #1 found, in STATE_MAIN_R2
3273. | processing connection routers-12[1] 2.x.x.x
3274. | received encrypted packet from 2.x.x.x:4509
3275. | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
3276. | NSS do_aes: enter
3277. | NSS do_aes: exit
3278. | decrypted:
3279. | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
3280. | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
3281. | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
3282. | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3283. | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
3284. "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
3285. "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
3286. | payload malformed after IV
3287. | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
3288. | 03 2d 42 c6
3289. "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
3290. | **emit ISAKMP Message:
3291. | initiator cookie:
3292. | 58 e4 79 be 51 14 61 49
3293. | responder cookie:
3294. | 76 7f 51 65 c7 b5 d3 b0
3295. | next payload type: ISAKMP_NEXT_N
3296. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3297. | exchange type: ISAKMP_XCHG_INFO
3298. | flags: none
3299. | message ID: 63 21 1b 71
3300. | ***emit ISAKMP Notification Payload:
3301. | next payload type: ISAKMP_NEXT_NONE
3302. | DOI: ISAKMP_DOI_IPSEC
3303. | protocol ID: 1
3304. | SPI size: 0
3305. | Notify Message Type: PAYLOAD_MALFORMED
3306. | emitting length of ISAKMP Notification Payload: 12
3307. | emitting length of ISAKMP Message: 40
3308. | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
3309. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3310. | 0b 10 05 00 63 21 1b 71 00 00 00 28 00 00 00 0c
3311. | 00 00 00 01 01 00 00 10
3312. | * processed 0 messages from cryptographic helpers
3313. | next event EVENT_PENDING_DDNS in 5 seconds
3314. | next event EVENT_PENDING_DDNS in 5 seconds
3315. |
3316. | next event EVENT_PENDING_DDNS in 0 seconds
3317. | *time to handle event
3318. | handling event EVENT_PENDING_DDNS
3319. | event after this is EVENT_NAT_T_KEEPALIVE in 5 seconds
3320. | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
3321. | event added after event EVENT_RETRANSMIT for #1
3322. | next event EVENT_NAT_T_KEEPALIVE in 5 seconds
3323. |
3324. | next event EVENT_NAT_T_KEEPALIVE in 0 seconds
3325. | *time to handle event
3326. | handling event EVENT_NAT_T_KEEPALIVE
3327. | event after this is EVENT_RETRANSMIT in 10 seconds
3328. | processing connection routers-12[1] 2.x.x.x
3329. | Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)
3330. | next event EVENT_RETRANSMIT in 10 seconds for #1
3331. |
3332. | next event EVENT_RETRANSMIT in 0 seconds for #1
3333. | *time to handle event
3334. | handling event EVENT_RETRANSMIT
3335. | event after this is EVENT_PENDING_DDNS in 45 seconds
3336. | processing connection routers-12[1] 2.x.x.x
3337. | handling event EVENT_RETRANSMIT for 2.x.x.x "routers-12" #1
3338. | sending 356 bytes for EVENT_RETRANSMIT through eth0:500 to 2.x.x.x:4497 (using #1)
3339. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3340. | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
3341. | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
3342. | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
3343. | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
3344. | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
3345. | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
3346. | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
3347. | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
3348. | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
3349. | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
3350. | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
3351. | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
3352. | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
3353. | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
3354. | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
3355. | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
3356. | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
3357. | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
3358. | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
3359. | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
3360. | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
3361. | a3 93 b1 57
3362. | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
3363. | event added at head of queue
3364. | next event EVENT_RETRANSMIT in 40 seconds for #1
3365. |
3366. | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
3367. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3368. | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
3369. | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
3370. | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
3371. | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3372. | **parse ISAKMP Message:
3373. | initiator cookie:
3374. | 58 e4 79 be 51 14 61 49
3375. | responder cookie:
3376. | 76 7f 51 65 c7 b5 d3 b0
3377. | next payload type: ISAKMP_NEXT_ID
3378. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3379. | exchange type: ISAKMP_XCHG_IDPROT
3380. | flags: ISAKMP_FLAG_ENCRYPTION
3381. | message ID: 00 00 00 00
3382. | length: 76
3383. | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
3384. | ICOOKIE: 58 e4 79 be 51 14 61 49
3385. | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
3386. | state hash entry 4
3387. | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
3388. | v1 state object #1 found, in STATE_MAIN_R2
3389. | processing connection routers-12[1] 2.x.x.x
3390.  
3391. ==> /var/log/pluto.log <==
3392. | received encrypted packet from 2.x.x.x:4509
3393. | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
3394. | NSS do_aes: enter
3395. | NSS do_aes: exit
3396. | decrypted:
3397. | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
3398. | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
3399. | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
3400. | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
3401. | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
3402. "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
3403. "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
3404. | payload malformed after IV
3405. | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
3406. | 03 2d 42 c6
3407. "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
3408. | **emit ISAKMP Message:
3409. | initiator cookie:
3410. | 58 e4 79 be 51 14 61 49
3411. | responder cookie:
3412. | 76 7f 51 65 c7 b5 d3 b0
3413. | next payload type: ISAKMP_NEXT_N
3414. | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
3415. | exchange type: ISAKMP_XCHG_INFO
3416. | flags: none
3417. | message ID: 01 34 78 8e
3418. | ***emit ISAKMP Notification Payload:
3419. | next payload type: ISAKMP_NEXT_NONE
3420. | DOI: ISAKMP_DOI_IPSEC
3421. | protocol ID: 1
3422. | SPI size: 0
3423. | Notify Message Type: PAYLOAD_MALFORMED
3424. | emitting length of ISAKMP Notification Payload: 12
3425. | emitting length of ISAKMP Message: 40
3426. | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
3427. | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
3428. | 0b 10 05 00 01 34 78 8e 00 00 00 28 00 00 00 0c
3429. | 00 00 00 01 01 00 00 10
3430. | * processed 0 messages from cryptographic helpers
3431. | next event EVENT_RETRANSMIT in 40 seconds for #1
3432. | next event EVENT_RETRANSMIT in 40 seconds for #1
3433.  
3434. --- client side ---
3435. [root@localhost ~]# ipsec start
3436. Redirecting to: service ipsec start
3437. Starting pluto IKE daemon for IPsec:
3438. [root@localhost ~]# ipsec addconn routers-13
3439. 002 added connection description "routers-13"
3440. [root@localhost ~]# ipsec auto --up routers-13
3441. 104 "routers-13" #1: STATE_MAIN_I1: initiate
3442. 003 "routers-13" #1: received Vendor ID payload [Libreswan (this version) 3.5 ]
3443. 003 "routers-13" #1: received Vendor ID payload [Dead Peer Detection]
3444. 003 "routers-13" #1: received Vendor ID payload [FRAGMENTATION]
3445. 003 "routers-13" #1: received Vendor ID payload [RFC 3947]
3446. 106 "routers-13" #1: STATE_MAIN_I2: sent MI2, expecting MR2
3447. 003 "routers-13" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
3448. 108 "routers-13" #1: STATE_MAIN_I3: sent MI3, expecting MR3
3449. 010 "routers-13" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
3450. 003 "routers-13" #1: discarding duplicate packet; already STATE_MAIN_I3
3451. 010 "routers-13" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
3452. 003 "routers-13" #1: discarding duplicate packet; already STATE_MAIN_I3