CONFIG:

config setup
    protostack=netkey
    plutodebug="all"
    plutostderrlog=/var/log/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    uniqueids=yes

conn routers-12
    type=tunnel
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    right=%any <-- Have also tried IP of client, same result
    rightsubnet=192.168.22.0/24
    rightid=@router2
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    #aggrmode=yes
    #ike=3des-sha1-modp1536
    #ikev2=insist

conn routers-13
    type=tunnel
    left=69.x.x.x
    leftsubnet=192.168.55.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.55.254
    leftid=@router1
    right=%any <-- Have also tried IP of client, same result
    rightsubnet=192.168.33.0/24
    rightid=@router3
    forceencaps=yes
    nat_keepalive=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    #aggrmode=yes
    #ike=3des-sha1-modp1536
    #ikev2=insist

FULL EXAMPLE using IKEv2:
root@server:~# ipsec start
Redirecting to: start ipsec
ipsec start/running, process 1834
root@server:~# tail: `/var/log/pluto.log' has appeared; following end of new file
==> /var/log/pluto.log <==
nss directory plutomain: /etc/ipsec.d
==> /var/log/pluto.log <==
NSS Initialized
FIPS integrity support [disabled]
libcap-ng support [enabled]
Linux audit support [disabled]
Starting Pluto (Libreswan Version 3.5; Vendor ID OEN_RhPPH{d^) pid:1897
FIPS: could not open /proc/sys/crypto/fips_enabled
FIPS: could not open /proc/sys/crypto/fips_enabled
ERROR: FIPS detection failed, Pluto running in non-FIPS mode
core dump dir: /var/run/pluto/
secrets file: /etc/ipsec.secrets
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS crypto [enabled]
XAUTH PAM support [enabled]
HAVE_STATSD notification support [disabled]
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 7 cryptographic helpers
started helper (thread) pid=-1234822336 (fd:7)
started helper (thread) pid=-1244660928 (fd:9)
| status value returned by setting the priority of this thread (id=0) 22
| helper 0 waiting on fd: 8
started helper (thread) pid=-1255146688 (fd:11)
| status value returned by setting the priority of this thread (id=1) 22
| helper 1 waiting on fd: 10
started helper (thread) pid=-1265632448 (fd:14)
| status value returned by setting the priority of this thread (id=3) 22
| helper 3 waiting on fd: 15
started helper (thread) pid=-1276118208 (fd:16)
| status value returned by setting the priority of this thread (id=2) 22
| helper 2 waiting on fd: 13
started helper (thread) pid=-1286603968 (fd:18)
| status value returned by setting the priority of this thread (id=4) 22
| helper 4 waiting on fd: 17
| status value returned by setting the priority of this thread (id=5) 22
| helper 5 waiting on fd: 19
| status value returned by setting the priority of this thread (id=6) 22
| helper 6 waiting on fd: 21
started helper (thread) pid=-1297089728 (fd:20)
Using Linux XFRM/NETKEY IPsec interface code on 3.9.3-x86-linode52
| process 1897 listening for PF_KEY_V2 on file descriptor 24
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
| 02 07 00 02 02 00 00 00 01 00 00 00 69 07 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
| 02 07 00 03 02 00 00 00 02 00 00 00 69 07 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0xb7749320, 0, 2048) memset(0xb7749b20, 0, 2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
| kernel_alg_add():satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
| kernel_alg_add():satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18
| kernel_alg_add():satype=3, exttype=15, alg_id=19
| kernel_alg_add():satype=3, exttype=15, alg_id=20
| kernel_alg_add():satype=3, exttype=15, alg_id=14
| kernel_alg_add():satype=3, exttype=15, alg_id=15
| kernel_alg_add():satype=3, exttype=15, alg_id=16
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
| 02 07 00 09 02 00 00 00 03 00 00 00 69 07 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
| Changed path to directory '/etc/ipsec.d/cacerts'
| Changing to directory '/etc/ipsec.d/crls'
| inserting event EVENT_LOG_DAILY, timeout in 61577 seconds
| event added after event EVENT_REINIT_SECRET
listening for IKE messages
| Inspecting interface lo
| found lo with address 127.0.0.1
| Inspecting interface eth0
| found eth0 with address 69.x.x.x
| Inspecting interface eth0:1
| found eth0:1 with address 192.168.55.254
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface eth0:1/eth0:1 192.168.55.254:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface eth0:1/eth0:1 192.168.55.254:4500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface eth0/eth0 69.x.x.x:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface eth0/eth0 69.x.x.x:4500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
| found he-ipv6 with address 2001:0470:1f0e:0ec4:0000:0000:0000:0002
| found eth0 with address 2600:3c03:0000:0000:f03c:91ff:fedf:db97
adding interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97:500
adding interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2:500
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
| id type added to secret(0xb8be2d48) PPK_PSK: @router1
| id type added to secret(0xb8be2d48) PPK_PSK: @router4
| Processing PSK at line 2: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0xb8be2e58) PPK_PSK: @router1
| id type added to secret(0xb8be2e58) PPK_PSK: @router2
| Processing PSK at line 3: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0xb8be7088) PPK_PSK: @router1
| id type added to secret(0xb8be7088) PPK_PSK: @router3
| Processing PSK at line 3: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| next event EVENT_PENDING_DDNS in 60 seconds
==> /var/log/pluto.log <==
| calling addconn helper using execve
| next event EVENT_PENDING_DDNS in 59 seconds
| reaped addconn helper child
root@server:~# ls -ltrh /var/log/pluto.log
-rw-r--r-- 1 root root 12K Aug 4 06:53 /var/log/pluto.log
root@server:~# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.5 (netkey) on 3.9.3-x86-linode52
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/he-ipv6/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
|
| *received whack message
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
| id type added to secret(0xb8be2d48) PPK_PSK: @router1
| id type added to secret(0xb8be2d48) PPK_PSK: @router4
| Processing PSK at line 2: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0xb8be2e58) PPK_PSK: @router1
| id type added to secret(0xb8be2e58) PPK_PSK: @router2
| Processing PSK at line 3: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| id type added to secret(0xb8be7088) PPK_PSK: @router1
| id type added to secret(0xb8be7088) PPK_PSK: @router3
| Processing PSK at line 3: passed
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secret'
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 47 seconds
| next event EVENT_PENDING_DDNS in 47 seconds
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
root@server:~#
root@server:~#
root@server:~# ipsec addconn routers-13
|
| *received whack message
| find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:none
| Added new connection routers-13 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
| counting wild cards for @router1 is 0
| counting wild cards for @router3 is 0
| based upon policy, the connection is a template.
| connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:none
added connection description "routers-13"
002 added connection description "routers-13"
| 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 37 seconds
| next event EVENT_PENDING_DDNS in 37 seconds
root@server:~# ipsec addconn routers-12
|
| *received whack message
| find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
| find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:routers-13
| Added new connection routers-12 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
| counting wild cards for @router1 is 0
| counting wild cards for @router2 is 0
| based upon policy, the connection is a template.
| find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
| connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:routers-13
added connection description "routers-12"
002 added connection description "routers-12"
| 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 36 seconds
| next event EVENT_PENDING_DDNS in 36 seconds
root@server:~#
root@server:~# ipsec status
|
| *received whack message
SElinux: could not open /sys/fs/selinux/enforce
FIPS: could not open /proc/sys/crypto/fips_enabled
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 69.x.x.x
000 interface eth0/eth0 69.x.x.x
000 interface eth0:1/eth0:1 192.168.55.254
000 interface eth0:1/eth0:1 192.168.55.254
000
000 FIPS=error(disabled)
000 SElinux=indeterminate
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
| * processed 0 messages from cryptographic helpers
000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
| next event EVENT_PENDING_DDNS in 33 seconds
000 secctx_attr_value=<unsupported>
| next event EVENT_PENDING_DDNS in 33 seconds
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 2, active 0
000
000 State list:
000
000 Shunt list:
000
root@server:~# |
| *received 836 bytes from 2.x.x.x:4497 on eth0 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 0e 4d 0f 13 eb 45 5d 5d
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 836
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| I am IKE SA Responder
| ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 5
| v2 state object not found
| ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 5
| v2 state object not found
| Now lets proceed with payload (ISAKMP_NEXT_v2SA)
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 508
| processing payload: ISAKMP_NEXT_v2SA (len=508)
| Now lets proceed with payload (ISAKMP_NEXT_v2KE)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 264
| transform type: 14
| processing payload: ISAKMP_NEXT_v2KE (len=264)
| Now lets proceed with payload (ISAKMP_NEXT_v2Ni)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| Now lets proceed with payload (ISAKMP_NEXT_v2V)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| Finished and now at the end of ikev2_process_payload
| Finished processing ikev2_process_payloads
| Now lets proceed with state specific processing
| find_host_connection2 called from ikev2parent_inI1outR1, me=69.x.x.x:500 him=2.x.x.x:4497 policy=IKEv2ALLOW
| find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 69.x.x.x:500 2.x.x.x:4497 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| find_host_connection2 called from ikev2parent_inI1outR1, me=69.x.x.x:500 him=%any:4497 policy=IKEv2ALLOW
| find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 69.x.x.x:500 %any:4497 -> hp:routers-12
| searching for connection with policy = IKEv2ALLOW
| found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG (routers-12)
| find_host_connection2 returns routers-12
| find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
| connect_to_host_pair: 69.x.x.x:500 2.x.x.x:500 -> hp:none
| instantiated "routers-12" for 2.x.x.x
| found connection: routers-12
| creating state object #1 at 0xb8be8720
| processing connection routers-12[1] 2.x.x.x
| ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
| RCOOKIE: 14 ca ca 1e f4 0f ab ef
| state hash entry 22
| inserting state object #1
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection routers-12[1] 2.x.x.x
| will not send/process a dcookie
| 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
| asking helper 1 to do build_kenonce op on seq: 1 (len=2680, pcw_work=1)
| crypto helper write of request: cnt=2680<wlen=2680.
| deleting event for #1
| helper 1 read 2676+4/2680 bytes fd: 10
| helper 1 doing build_kenonce op id: 1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| complete v2 state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 13 seconds
| next event EVENT_PENDING_DDNS in 13 seconds
| NSS: Value of Prime:
- | NSS: Value of base:
- | 02
- | NSS: generated dh priv and pub keys: 256
- | NSS: Local DH secret (pointer):
- | 40 48 30 b5
- | NSS: Public DH value sent(computed in NSS):
- | NSS: Local DH public value (pointer):
- | 38 40 30 b5
- | Generated nonce:
- | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- |
- | helper 1 has finished work (cnt now 1)
- | helper 1 replies to id: q#1
- | calling callback function 0xb7660200
- | ikev2 parent inI1outR1: calculated ke+nonce, sending R1
- | processing connection routers-12[1] 2.x.x.x
- | **emit ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2SA
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_SA_INIT
- | flags: ISAKMP_FLAG_RESPONSE
- | message ID: 00 00 00 00
- | ***emit IKEv2 Security Association Payload:
- | next payload type: ISAKMP_NEXT_v2KE
- | critical bit: none
- | no IKE algorithms for this connection
- | ****parse IKEv2 Proposal Substructure Payload:
- | next payload type: ISAKMP_NEXT_P
- | length: 44
- | prop #: 1
- | proto ID: 1
- | spi size: 0
- | # transforms: 4
- | *****parse IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | length: 12
- | transform type: 1
- | transform ID: 12
- | ******parse IKEv2 Attribute Substructure Payload:
- | af+type: KEY_LENGTH
- | length/value: 128
- | *****parse IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | length: 8
- | transform type: 3
- | transform ID: 2
- | *****parse IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | length: 8
- | transform type: 2
- | transform ID: 2
- | *****parse IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 8
- | transform type: 4
- | transform ID: 14
- | ****parse IKEv2 Proposal Substructure Payload:
- | next payload type: ISAKMP_NEXT_P
- | length: 44
- | prop #: 2
- | proto ID: 1
- | spi size: 0
- | # transforms: 4
- | ****emit IKEv2 Proposal Substructure Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | prop #: 1
- | proto ID: 1
- | spi size: 0
- | # transforms: 4
- | *****emit IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | transform type: 1
- | transform ID: 12
- | ******emit IKEv2 Attribute Substructure Payload:
- | af+type: KEY_LENGTH
- | length/value: 128
- | [128 is 128??]
- | emitting length of IKEv2 Transform Substructure Payload: 12
- | *****emit IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | transform type: 3
- | transform ID: 2
- | emitting length of IKEv2 Transform Substructure Payload: 8
- | *****emit IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_T
- | transform type: 2
- | transform ID: 2
- | emitting length of IKEv2 Transform Substructure Payload: 8
- | *****emit IKEv2 Transform Substructure Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | transform type: 4
- | transform ID: 14
- | emitting length of IKEv2 Transform Substructure Payload: 8
- | emitting length of IKEv2 Proposal Substructure Payload: 44
- | emitting length of IKEv2 Security Association Payload: 48
- | DH public value received:
- | saving DH priv (local secret) and pub key into state struc
- | ***emit IKEv2 Key Exchange Payload:
- | next payload type: ISAKMP_NEXT_v2Ni
- | critical bit: none
- | transform type: 14
- | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
- | emitting length of IKEv2 Key Exchange Payload: 264
- | ***emit IKEv2 Nonce Payload:
- | next payload type: ISAKMP_NEXT_v2V
- | critical bit: none
- | emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
- | IKEv2 nonce a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- | emitting length of IKEv2 Nonce Payload: 20
- | ***emit ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
- | Vendor ID 4f 45 4e 5f 52 68 50 50 48 7b 64 5e
- | emitting length of ISAKMP Vendor ID Payload: 16
- | emitting length of ISAKMP Message: 376
- | complete v2 state transition with STF_OK
- "routers-12"[1] 2.x.x.x #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
- "routers-12"[1] 2.x.x.x #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
- | state #1 NAT-T: new mapping 2.x.x.x:4497
- | processing connection routers-12[1] 2.x.x.x
- "routers-12"[1] 2.x.x.x #1: new NAT mapping for #1, was 2.x.x.x:500, now 2.x.x.x:4497
- | sending reply packet to 2.x.x.x:4497 (from port 500)
- | sending 376 bytes for STATE_IKEv2_START through eth0:500 to 2.x.x.x:4497 (using #1)
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 13 seconds
- | next event EVENT_PENDING_DDNS in 13 seconds
- |
- | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | **parse ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2E
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_AUTH
- | flags: ISAKMP_FLAG_INIT
- | message ID: 00 00 00 01
- | length: 316
- | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
- | I am IKE SA Responder
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 14 ca ca 1e f4 0f ab ef
- | state hash entry 22
- | v2 peer and cookies match on #1
- | v2 state object #1 found, in STATE_PARENT_R1
- | state found and its state is (STATE_PARENT_R1)
- | Now lets proceed with payload (ISAKMP_NEXT_v2E)
- | ***parse IKEv2 Encryption Payload:
- | next payload type: ISAKMP_NEXT_v2IDi
- | critical bit: none
- | length: 288
- | processing payload: ISAKMP_NEXT_v2E (len=288)
- | Finished and now at the end of ikev2_process_payload
- | Finished processing ikev2_process_payloads
- | Now lets proceed with state specific processing
- | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
- | calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=aes-cbc
- | Copying DH pub key pointer to be sent to a thread helper
- | 2: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
- | asking helper 2 to do compute dh(v2) op on seq: 2 (len=2680, pcw_work=1)
- | crypto helper write of request: cnt=2680<wlen=2680.
- | deleting event for #1
- | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
- | event added after event EVENT_PENDING_PHASE2
- | complete v2 state transition with STF_SUSPEND
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 13 seconds
- | next event EVENT_PENDING_DDNS in 13 seconds
- | helper 2 read 2676+4/2680 bytes fd: 13
- | helper 2 doing compute dh(v2) op id: 2
- | Started DH shared-secret computation in NSS:
- | Dropped no leading zeros 256
- | calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP2048): 5889 usec
- | DH shared-secret (pointer):
- | 50 10 90 b4
- | NSS: Started key computation
- | calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=16
- | skeyid inputs (digi+NI+NR+shared) hasher: oakley_sha
- | shared-secret: 50 10 90 b4
- | ni: 7f 6c 92 5f cd 34 8c eb 41 67 14 bc f7 74 19 f3
- | nr: a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- | NSS: digisig skeyid pointer:
- | c8 58 90 b4
- | PRF+ input
- | Ni 7f 6c 92 5f cd 34 8c eb 41 67 14 bc f7 74 19 f3
- | Nr a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- | SPIi 0e 4d 0f 13 eb 45 5d 5d
- | SPIr 14 ca ca 1e f4 0f ab ef
- | Total keysize needed 132
- | NSS ikev2: finished computing key material for IKEv2 SA
- | NSS ikev2: finished computing individual keys for IKEv2 SA
- | shared: 50 10 90 b4
- | skeyseed: c8 58 90 b4
- | SK_d: 28 8d 90 b4
- | SK_ai: 70 47 90 b4
- | SK_ar: 80 9f 90 b4
- | SK_ei: 78 b1 90 b4
- | SK_er: 18 c3 90 b4
- | SK_pi: 88 8d 90 b4
- | SK_pr: a0 7b 90 b4
- |
- | helper 2 has finished work (cnt now 1)
- | helper 2 replies to id: q#2
- | calling callback function 0xb765f990
- | ikev2 parent inI2outR2: calculating g^{xy}, sending R2
- | processing connection routers-12[1] 2.x.x.x
- | hmac_update data value:
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | R2 calculated auth: 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
- | R2 provided auth: 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
- | authenticator matched
- | data before decryption:
- | NSS do_aes: enter
- | NSS do_aes: exit
- | striping 9 bytes as pad
- | Now lets proceed with payload (ISAKMP_NEXT_v2IDi)
- | **parse IKEv2 Identification Payload:
- | next payload type: ISAKMP_NEXT_v2AUTH
- | critical bit: none
- | length: 15
- | id_type: ID_FQDN
- | processing payload: ISAKMP_NEXT_v2IDi (len=15)
- | Now lets proceed with payload (ISAKMP_NEXT_v2AUTH)
- | **parse IKEv2 Authentication Payload:
- | next payload type: ISAKMP_NEXT_v2SA
- | critical bit: none
- | length: 28
- | auth method: v2_AUTH_SHARED
- | processing payload: ISAKMP_NEXT_v2AUTH (len=28)
- | Now lets proceed with payload (ISAKMP_NEXT_v2SA)
- | **parse IKEv2 Security Association Payload:
- | next payload type: ISAKMP_NEXT_v2TSi
- | critical bit: none
- | length: 156
- | processing payload: ISAKMP_NEXT_v2SA (len=156)
- | Now lets proceed with payload (ISAKMP_NEXT_v2TSi)
- | **parse IKEv2 Traffic Selector Payload:
- | next payload type: ISAKMP_NEXT_v2TSr
- | critical bit: none
- | length: 24
- | number of TS: 1
- | processing payload: ISAKMP_NEXT_v2TSi (len=24)
- | Now lets proceed with payload (ISAKMP_NEXT_v2TSr)
- | **parse IKEv2 Traffic Selector Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | critical bit: none
- | length: 24
- | number of TS: 1
- | processing payload: ISAKMP_NEXT_v2TSr (len=24)
- | Finished and now at the end of ikev2_process_payload
- "routers-12"[1] 2.x.x.x #1: IKEv2 mode peer ID is ID_FQDN: '@router3'
- | idhash verify pi 88 8d 90 b4
- | idhash verify I2 02 00 00 00 72 6f 75 74 65 72 33
- | hmac_update data value:
- | 02 00 00 00 72 6f 75 74 65 72 33
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | started looking for secret for @router1->@router2 of kind PPK_PSK
- | actually looking for secret for @router1->@router2 of kind PPK_PSK
- | line 3: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router3 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 3: match=8
- | line 2: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router2 to @router1 / @router2 -> 4
- | 2: compared key @router1 to @router1 / @router2 -> 12
- | line 2: match=12
- | best_match 0>12 best=0xb8be2e58 (line=2)
- | line 1: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router4 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 1: match=8
- | concluding with best_match=12 best=0xb8be2e58 (lineno=2)
- | hmac_update data value:
- | 4b 65 79 20 50 61 64 20 66 6f 72 20 49 4b 45 76
- | 32
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | negotiated prf: oakley_sha hash length: 20
- | inner prf output 8d 9a 73 0a ee c3 94 00 c0 6e 82 4b 7c aa 10 39
- | inner prf output b5 af 37 64
- | hmac_update data value:
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | hmac_update data value:
- | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | hmac_update data value:
- | bf 7f d3 b5 0b b3 6c ba 14 0d 82 14 62 b3 6d 05
- | d4 11 b0 12
- | hmac_update: inside if
- | hmac_update: after digest
- | hmac_update: after assert
- | inputs to hash1 (first packet)
- | inputs to hash2 (responder nonce)
- | a6 50 59 b5 b0 8b 7f 3b 9b e9 73 07 c1 60 d1 00
- | idhash bf 7f d3 b5 0b b3 6c ba 14 0d 82 14 62 b3 6d 05
- | idhash d4 11 b0 12
- | Received PSK auth octets
- | 42 e5 d3 b9 ca 05 64 42 d2 29 11 4e f7 19 ae 14
- | 11 17 be e7
- | Calculated PSK auth octets
- | 01 d0 16 b4 6c 00 d2 76 e1 7b 59 0b 70 d5 87 f6
- | 9e 79 6b 83
- "routers-12"[1] 2.x.x.x #1: AUTH mismatch: Received AUTH != computed AUTH
- "routers-12"[1] 2.x.x.x #1: PSK authentication failed AUTH mismatch!
- "routers-12"[1] 2.x.x.x #1: sending notification v2N_AUTHENTICATION_FAILED to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2N
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_SA_INIT
- | flags: ISAKMP_FLAG_RESPONSE
- | message ID: 00 00 00 00
- | Adding a v2N Payload
- | ***emit IKEv2 Notify Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | critical bit: none
- | Protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | Notify Message Type: v2N_AUTHENTICATION_FAILED
- | emitting length of IKEv2 Notify Payload: 8
- | emitting length of ISAKMP Message: 36
- | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #1)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
- | 01 00 00 18
- | ikev2_parent_inI2outR2_tail returned STF_FATAL
- | complete v2 state transition with STF_FATAL
- | deleting event for #1
- | deleting state #1
- | deleting event for #1
- | no suspended cryptographic state for 1
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 14 ca ca 1e f4 0f ab ef
- | state hash entry 22
- | processing connection routers-12[1] 2.x.x.x
- "routers-12"[1] 2.x.x.x: deleting connection "routers-12" instance with peer 2.x.x.x {isakmp=#0/ipsec=#0}
- | rel_lease_addr:133 addresspool is null so nothing to free
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 13 seconds
- | next event EVENT_PENDING_DDNS in 13 seconds
- |
- | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | **parse ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2E
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_AUTH
- | flags: ISAKMP_FLAG_INIT
- | message ID: 00 00 00 01
- | length: 316
- | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
- | I am IKE SA Responder
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 14 ca ca 1e f4 0f ab ef
- | state hash entry 22
- | v2 state object not found
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 5
- | v2 state object not found
- | ended up with STATE_IKEv2_ROOF
- packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2N
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_SA_INIT
- | flags: ISAKMP_FLAG_RESPONSE
- | message ID: 00 00 00 00
- | Adding a v2N Payload
- | ***emit IKEv2 Notify Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | critical bit: none
- | Protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | Notify Message Type: v2N_INVALID_MESSAGE_ID
- | emitting length of IKEv2 Notify Payload: 8
- | emitting length of ISAKMP Message: 36
- | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
- | 01 00 00 09
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 3 seconds
- | next event EVENT_PENDING_DDNS in 3 seconds
- ==> /var/log/pluto.log <==
- |
- | next event EVENT_PENDING_DDNS in 0 seconds
- | *time to handle event
- | handling event EVENT_PENDING_DDNS
- | event after this is EVENT_PENDING_PHASE2 in 60 seconds
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | event added at head of queue
- | next event EVENT_PENDING_DDNS in 60 seconds
- root@server:~# ipsec status
- |
- | *received whack message
- SElinux: could not open /sys/fs/selinux/enforce
- FIPS: could not open /proc/sys/crypto/fips_enabled
- 000 using kernel interface: netkey
- 000 interface lo/lo ::1
- 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
- 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
- 000 interface lo/lo 127.0.0.1
- 000 interface lo/lo 127.0.0.1
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000
- 000 FIPS=error(disabled)
- 000 SElinux=indeterminate
- 000
- 000 config setup options:
- 000
- 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
- 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
- 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
- 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
- 000 secctx_attr_value=<unsupported>
- 000 %myid = (none)
- 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
- 000
- | * processed 0 messages from cryptographic helpers
- 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
- 000 virtual_private (%priv):
- 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
- | next event EVENT_PENDING_DDNS in 47 seconds
- 000 - disallowed 0 subnets:
- 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
- 000 private address space in internal use, it should be excluded!
- 000
- 000 ESP algorithms supported:
- | next event EVENT_PENDING_DDNS in 47 seconds
- 000
- 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
- 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
- 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
- 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
- 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
- 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
- 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
- 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
- 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
- 000
- 000 IKE algorithms supported:
- 000
- 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
- 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
- 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
- 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
- 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
- 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
- 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
- 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
- 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
- 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
- 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
- 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
- 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
- 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
- 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
- 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
- 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
- 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
- 000
- 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
- 000
- 000 Connection list:
- 000
- 000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
- 000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
- 000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
- 000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
- 000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
- 000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
- 000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
- 000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
- 000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
- 000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
- 000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
- 000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
- 000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
- 000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
- 000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
- 000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
- 000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
- 000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
- 000
- 000 Total IPsec connections: loaded 2, active 0
- 000
- 000 State list:
- 000
- 000 Shunt list:
- 000
- root@server:~#
- |
- | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
- | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
- ==> /var/log/pluto.log <==
- | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
- | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
- | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
- | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
- | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
- | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
- | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
- | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
- | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
- | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
- | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
- | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
- | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
- | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
- | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
- | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
- | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
- | **parse ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2E
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_AUTH
- | flags: ISAKMP_FLAG_INIT
- | message ID: 00 00 00 01
- | length: 316
- | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
- | I am IKE SA Responder
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 14 ca ca 1e f4 0f ab ef
- | state hash entry 22
- | v2 state object not found
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 5
- | v2 state object not found
- | ended up with STATE_IKEv2_ROOF
- packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2N
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_SA_INIT
- | flags: ISAKMP_FLAG_RESPONSE
- | message ID: 00 00 00 00
- | Adding a v2N Payload
- | ***emit IKEv2 Notify Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | critical bit: none
- | Protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | Notify Message Type: v2N_INVALID_MESSAGE_ID
- | emitting length of IKEv2 Notify Payload: 8
- | emitting length of ISAKMP Message: 36
- | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
- | 01 00 00 09
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 43 seconds
- | next event EVENT_PENDING_DDNS in 43 seconds
- |
- | *received 316 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 2e 20 23 08 00 00 00 01 00 00 01 3c 23 00 01 20
- | b4 e3 03 80 b8 ab 0b fc be d0 70 87 2b 72 ec 03
- | 56 66 ec bb 4e ae d4 af 48 9a 9a 38 33 1f d1 8c
- | c6 5c ed 4d ec c0 d0 4e 83 07 8a f0 2d 1c 64 86
- | 53 60 a4 25 7f 51 d8 c4 59 3d 70 a6 12 16 d6 e6
- | c9 57 f4 ce f7 39 66 4d 02 36 6b 4b 9d 79 37 f9
- | 68 70 8b 72 ad 50 f3 56 d4 cc c4 7a 98 35 cb c9
- | 1e b9 4a 58 1f 57 ab 7d 43 f0 29 2f ad 62 fb d1
- | af 9d 2b a3 22 d8 83 1b 2e 05 56 e2 c0 06 24 bd
- | 1a 8c 72 2f 2e 2b ca a4 c1 99 22 f5 90 91 8e 8a
- | 5b ec 2c d5 13 fd b2 70 1b 9d ae 91 e1 5b 3a 3a
- | d7 23 01 12 bd 3b fc b6 51 ec ba 6c cd b7 36 d0
- | 75 b7 d8 0b 9d 5a 89 09 c5 f0 a8 6c dd 93 ca a4
- | 27 04 1b 4d 30 04 3f 58 61 d7 c3 60 f5 bd 7c 1c
- | e9 3c 95 a1 0e 40 73 7c a7 0a 80 49 84 0c 2d d3
- | e9 69 78 7f aa 8f b9 ea eb 14 b6 39 a8 ab f8 b1
- | 2c 09 3c 4b 8b 80 cc fa 30 73 27 2c 83 da 2c 0a
- | c9 ca f1 3a d3 ef 1f 18 46 7c a7 56 ff f3 52 17
- | 04 93 78 4c a3 b9 e0 8c 6d 28 9d ca
- | **parse ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2E
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_AUTH
- | flags: ISAKMP_FLAG_INIT
- | message ID: 00 00 00 01
- | length: 316
- | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
- | I am IKE SA Responder
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 14 ca ca 1e f4 0f ab ef
- | state hash entry 22
- | v2 state object not found
- | ICOOKIE: 0e 4d 0f 13 eb 45 5d 5d
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 5
- | v2 state object not found
- | ended up with STATE_IKEv2_ROOF
- packet from 2.x.x.x:4497: sending notification v2N_INVALID_MESSAGE_ID to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 0e 4d 0f 13 eb 45 5d 5d
- | responder cookie:
- | 14 ca ca 1e f4 0f ab ef
- | next payload type: ISAKMP_NEXT_v2N
- | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
- | exchange type: ISAKMP_v2_SA_INIT
- | flags: ISAKMP_FLAG_RESPONSE
- | message ID: 00 00 00 00
- | Adding a v2N Payload
- | ***emit IKEv2 Notify Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | critical bit: none
- | Protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | Notify Message Type: v2N_INVALID_MESSAGE_ID
- | emitting length of IKEv2 Notify Payload: 8
- | emitting length of ISAKMP Message: 36
- | sending 36 bytes for send_v2_notification through eth0:500 to 2.x.x.x:4497 (using #0)
- | 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
- | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
- | 01 00 00 09
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 2 seconds
- | next event EVENT_PENDING_DDNS in 2 seconds
- ==> /var/log/pluto.log <==
- |
- | next event EVENT_PENDING_DDNS in 0 seconds
- | *time to handle event
- | handling event EVENT_PENDING_DDNS
- | event after this is EVENT_PENDING_PHASE2 in 0 seconds
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | event added after event EVENT_PENDING_PHASE2
- | handling event EVENT_PENDING_PHASE2
- | event after this is EVENT_PENDING_DDNS in 60 seconds
- | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
- | event added after event EVENT_PENDING_DDNS
- | pending review: connection "routers-12" was not up, skipped
- | pending review: connection "routers-13" was not up, skipped
- | next event EVENT_PENDING_DDNS in 60 seconds
- --- on client side ---
- [root@localhost ~]# ipsec auto --up routers-13
- 133 "routers-13" #1: STATE_PARENT_I1: initiate
- 133 "routers-13" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
- 134 "routers-13" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp2048}
- 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 20s for response
- 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
- 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
- 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
- 010 "routers-13" #2: STATE_PARENT_I2: retransmission; will wait 40s for response
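What the IKEv2 log above shows, read from the bytes rather than the debug text: after the earlier STF_FATAL transition the responder deleted state #1 and the "routers-12" instance, so every retransmitted IKE_AUTH (message ID 1, SK payload) arrives for a SPI pair it no longer knows ("v2 state object not found" for the exact pair and again for the half-open SPIi/0 pair), and it answers with a 36-byte N(INVALID_MESSAGE_ID) carried in an IKE_SA_INIT-shaped response with message ID 0, while the client keeps retransmitting from STATE_PARENT_I2. The following is an added example, not code from the paste or from Libreswan: it decodes the two hex dumps printed by pluto (the 28-byte request header and the full reply) and replays the responder's state lookup. The constants are copied from the dumps above; the state table passed to responder_lookup() is a stand-in for pluto's state hash and is an assumption of the example.

```python
"""Decode the two IKEv2 messages captured in the pluto.log dumps above.

Added example, not code from the original paste or from Libreswan. It parses
the fixed 28-byte IKEv2 header (RFC 7296 section 3.1) and the Notify payload
(section 3.10) from the bytes pluto logged, and models the responder's state
lookup that ends in v2N_INVALID_MESSAGE_ID.
"""
import re
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 40: "Nonce", 41: "N", 46: "SK"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 9: "INVALID_MESSAGE_ID", 11: "INVALID_SPI",
                14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
HEADER_LEN = 28

# First 28 bytes of the "received 316 bytes" dump in the log; the remaining
# 288 bytes are the SK (encrypted) payload and need the SA keys to decode.
IKE_AUTH_REQUEST_HEADER = bytes.fromhex(
    "0e4d0f13eb455d5d14caca1ef40fabef2e202308000000010000013c")

# The complete "sending 36 bytes" dump, copied with pluto's "| " prefixes.
INVALID_MESSAGE_ID_REPLY_DUMP = """
| 0e 4d 0f 13 eb 45 5d 5d 14 ca ca 1e f4 0f ab ef
| 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
| 01 00 00 09
"""


def bytes_from_pluto_dump(text):
    """Turn pluto's '| xx xx ...' hex-dump lines back into bytes."""
    octets = re.findall(r"\b[0-9a-f]{2}\b", text)
    return bytes.fromhex("".join(octets))


def parse_header(data):
    """Decode the fixed IKEv2 header into named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, np_, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "next_payload": PAYLOAD_TYPES.get(np_, np_),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, xchg),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msgid, "length": length,
    }


def parse_notify(data, offset=HEADER_LEN):
    """Decode a Notify payload (generic payload header + Notify body)."""
    np_, crit, plen = struct.unpack("!BBH", data[offset:offset + 4])
    proto, spi_size, ntype = struct.unpack("!BBH", data[offset + 4:offset + 8])
    spi = data[offset + 8:offset + 8 + spi_size]
    return {
        "next_payload": PAYLOAD_TYPES.get(np_, np_),
        "critical": bool(crit & 0x80), "length": plen,
        "protocol_id": proto, "spi_size": spi_size, "spi": spi.hex(),
        "notify_type": NOTIFY_TYPES.get(ntype, ntype),
        "data": data[offset + 8 + spi_size:offset + plen].hex(),
    }


def responder_lookup(header, known_sas):
    """Model the two lookups pluto logs: the exact SPI pair first, then
    (SPIi, zero) for a half-open SA. known_sas is a set of (spi_i, spi_r)
    hex strings standing in for pluto's state table (example assumption)."""
    for key in ((header["spi_i"], header["spi_r"]),
                (header["spi_i"], "00" * 8)):
        if key in known_sas:
            return key
    return None


def explain(request_header, known_sas):
    """Summarise what the responder in the log did with this IKE_AUTH."""
    if responder_lookup(request_header, known_sas) is not None:
        return "IKE SA found; IKE_AUTH can be processed"
    return ("no IKE SA for SPIs %s/%s: message ID %d cannot be checked, "
            "responder answers with N(INVALID_MESSAGE_ID)" % (
                request_header["spi_i"], request_header["spi_r"],
                request_header["message_id"]))


if __name__ == "__main__":
    req = parse_header(IKE_AUTH_REQUEST_HEADER)
    reply = bytes_from_pluto_dump(INVALID_MESSAGE_ID_REPLY_DUMP)
    print("request:", req)
    print("reply  :", parse_header(reply))
    print("notify :", parse_notify(reply))
    print(explain(req, known_sas=set()))
```

Running it against the two dumps confirms the debug text byte for byte: 2e 20 23 08 is next payload SK, version 2.0, exchange IKE_AUTH (35), Initiator flag; the reply's 29 20 22 20 is next payload N, exchange IKE_SA_INIT (34), Response flag, message ID 0, length 0x24; and the notify body 01 00 00 09 is protocol IKE, no SPI, type 9. Feeding a state set that contains the SPI pair makes explain() report the SA as found, which is the condition the server never reaches in this capture.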
- FULL EXAMPLE USING IKEv1:
- root@server:~# ipsec start
- Redirecting to: start ipsec
- ipsec start/running, process 2118
- root@server:~#
- ==> /var/log/pluto.log <==
- nss directory plutomain: /etc/ipsec.d
- ==> /var/log/pluto.log <==
- NSS Initialized
- FIPS integrity support [disabled]
- libcap-ng support [enabled]
- Linux audit support [disabled]
- Starting Pluto (Libreswan Version 3.5; Vendor ID OEN_RhPPH{d^) pid:2181
- FIPS: could not open /proc/sys/crypto/fips_enabled
- FIPS: could not open /proc/sys/crypto/fips_enabled
- ERROR: FIPS detection failed, Pluto running in non-FIPS mode
- core dump dir: /var/run/pluto/
- secrets file: /etc/ipsec.secrets
- LEAK_DETECTIVE support [disabled]
- OCF support for IKE [disabled]
- SAref support [disabled]: Protocol not available
- SAbind support [disabled]: Protocol not available
- NSS crypto [enabled]
- XAUTH PAM support [enabled]
- HAVE_STATSD notification support [disabled]
- Setting NAT-Traversal port-4500 floating to on
- port floating activation criteria nat_t=1/port_float=1
- NAT-Traversal support [enabled]
- | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
- | event added at head of queue
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | event added at head of queue
- | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
- | event added after event EVENT_PENDING_DDNS
- ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
- starting up 7 cryptographic helpers
- started helper (thread) pid=-1234736320 (fd:7)
- | status value returned by setting the priority of this thread (id=0) 22
- | helper 0 waiting on fd: 8
- started helper (thread) pid=-1244660928 (fd:9)
- | status value returned by setting the priority of this thread (id=1) 22
- | helper 1 waiting on fd: 10
- started helper (thread) pid=-1255146688 (fd:11)
- | status value returned by setting the priority of this thread (id=2) 22
- | helper 2 waiting on fd: 13
- started helper (thread) pid=-1265632448 (fd:14)
- | status value returned by setting the priority of this thread (id=3) 22
- | helper 3 waiting on fd: 15
- | status value returned by setting the priority of this thread (id=4) 22
- | helper 4 waiting on fd: 17
- started helper (thread) pid=-1276118208 (fd:16)
- started helper (thread) pid=-1286603968 (fd:18)
- | status value returned by setting the priority of this thread (id=5) 22
- | helper 5 waiting on fd: 19
- | status value returned by setting the priority of this thread (id=6) 22
- | helper 6 waiting on fd: 21
- started helper (thread) pid=-1297089728 (fd:20)
- Using Linux XFRM/NETKEY IPsec interface code on 3.9.3-x86-linode52
- | process 2181 listening for PF_KEY_V2 on file descriptor 24
- | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
- | 02 07 00 02 02 00 00 00 01 00 00 00 85 08 00 00
- | pfkey_get: K_SADB_REGISTER message 1
- | AH registered with kernel.
- | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
- | 02 07 00 03 02 00 00 00 02 00 00 00 85 08 00 00
- | pfkey_get: K_SADB_REGISTER message 2
- | alg_init():memset(0xb775e320, 0, 2048) memset(0xb775eb20, 0, 2048)
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72
- | kernel_alg_add():satype=3, exttype=14, alg_id=251
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=2
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=3
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=5
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=6
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=7
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=8
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=14, alg_id=9
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88
- | kernel_alg_add():satype=3, exttype=15, alg_id=11
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=2
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=3
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=6
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=7
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=12
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=252
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=22
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=253
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=13
- | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1
- | kernel_alg_add():satype=3, exttype=15, alg_id=18
- | kernel_alg_add():satype=3, exttype=15, alg_id=19
- | kernel_alg_add():satype=3, exttype=15, alg_id=20
- | kernel_alg_add():satype=3, exttype=15, alg_id=14
- | kernel_alg_add():satype=3, exttype=15, alg_id=15
- | kernel_alg_add():satype=3, exttype=15, alg_id=16
- ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
- ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
- ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
- ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
- ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
- ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
- ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
- ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
- ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
- ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
- ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
- | ESP registered with kernel.
- | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
- | 02 07 00 09 02 00 00 00 03 00 00 00 85 08 00 00
- | pfkey_get: K_SADB_REGISTER message 3
- | IPCOMP registered with kernel.
- | Changed path to directory '/etc/ipsec.d/cacerts'
- | Changing to directory '/etc/ipsec.d/crls'
- | inserting event EVENT_LOG_DAILY, timeout in 61306 seconds
- | event added after event EVENT_REINIT_SECRET
- listening for IKE messages
- | Inspecting interface lo
- | found lo with address 127.0.0.1
- | Inspecting interface eth0
- | found eth0 with address 69.x.x.x
- | Inspecting interface eth0:1
- | found eth0:1 with address 192.168.55.254
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
- adding interface eth0:1/eth0:1 192.168.55.254:500
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
- adding interface eth0:1/eth0:1 192.168.55.254:4500
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
- adding interface eth0/eth0 69.x.x.x:500
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
- adding interface eth0/eth0 69.x.x.x:4500
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
- adding interface lo/lo 127.0.0.1:500
- | NAT-Traversal: Trying new style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=95)
- | NAT-Traversal: Trying old style NAT-T
- | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
- adding interface lo/lo 127.0.0.1:4500
- | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
- | found he-ipv6 with address 2001:0470:1f0e:0ec4:0000:0000:0000:0002
- | found eth0 with address 2600:3c03:0000:0000:f03c:91ff:fedf:db97
- adding interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97:500
- adding interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2:500
- adding interface lo/lo ::1:500
- | certs and keys locked by 'free_preshared_secrets'
- | certs and keys unlocked by 'free_preshard_secrets'
- loading secrets from "/etc/ipsec.secrets"
- loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
- | id type added to secret(0xb8c4dd48) PPK_PSK: @router1
- | id type added to secret(0xb8c4dd48) PPK_PSK: @router4
- | Processing PSK at line 2: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | id type added to secret(0xb8c4de58) PPK_PSK: @router1
- | id type added to secret(0xb8c4de58) PPK_PSK: @router2
- | Processing PSK at line 3: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | id type added to secret(0xb8c52088) PPK_PSK: @router1
- | id type added to secret(0xb8c52088) PPK_PSK: @router3
- | Processing PSK at line 3: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | next event EVENT_PENDING_DDNS in 60 seconds
- ipsec verify
- ==> /var/log/pluto.log <==
- | calling addconn helper using execve
- | next event EVENT_PENDING_DDNS in 59 seconds
- | reaped addconn helper child
- Verifying installed system and configuration files
- Version check and ipsec on-path [OK]
- Libreswan 3.5 (netkey) on 3.9.3-x86-linode52
- Checking for IPsec support in kernel [OK]
- NETKEY: Testing XFRM related proc values
- ICMP default/send_redirects [OK]
- ICMP default/accept_redirects [OK]
- XFRM larval drop [OK]
- Pluto ipsec.conf syntax [OK]
- Hardware random device [N/A]
- Two or more interfaces found, checking IP forwarding [FAILED]
- Checking rp_filter [ENABLED]
- /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
- /proc/sys/net/ipv4/conf/he-ipv6/rp_filter [ENABLED]
- /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
- rp_filter is not fully aware of IPsec and should be disabled
- Checking that pluto is running [OK]
- Pluto listening for IKE on udp 500 [OK]
- Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
- Pluto listening for IKE/NAT-T on udp 4500 [OK]
- Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
- Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
- |
- | *received whack message
- | certs and keys locked by 'free_preshared_secrets'
- forgetting secrets
- | certs and keys unlocked by 'free_preshard_secrets'
- loading secrets from "/etc/ipsec.secrets"
- loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
- | id type added to secret(0xb8c4dd48) PPK_PSK: @router1
- | id type added to secret(0xb8c4dd48) PPK_PSK: @router4
- | Processing PSK at line 2: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | id type added to secret(0xb8c4de58) PPK_PSK: @router1
- ==> /var/log/pluto.log <==
- | id type added to secret(0xb8c4de58) PPK_PSK: @router2
- | Processing PSK at line 3: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | id type added to secret(0xb8c52088) PPK_PSK: @router1
- | id type added to secret(0xb8c52088) PPK_PSK: @router3
- | Processing PSK at line 3: passed
- | certs and keys locked by 'process_secret'
- | certs and keys unlocked by 'process_secret'
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 57 seconds
- | next event EVENT_PENDING_DDNS in 57 seconds
- Pluto ipsec.secret syntax [OK]
- Checking NAT and MASQUERADEing [TEST INCOMPLETE]
- Checking 'ip' command [OK]
- Checking 'iptables' command [OK]
- Checking 'prelink' command does not interfere with FIPS
- Checking for obsolete ipsec.conf options [OK]
- Opportunistic Encryption [DISABLED]
- ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
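The two real findings in that verify run are IP forwarding off and rp_filter on for all, lo and he-ipv6 (the NOT IMPLEMENTED lines are counted as errors but are not fixable). As an added example, not part of the paste or of Libreswan, the script below re-reads the same /proc/sys keys that ipsec verify tests and prints the sysctl.d lines that correct each one. It takes the /proc/sys root as a parameter so it can run against a live host or against the constructed sample tree in sample_tree(), which is synthetic data shaped to mirror the output above; the expected values (ip_forward=1, xfrm_larval_drop=1, rp_filter and both redirect keys 0) are the ones Libreswan documents for NETKEY/XFRM gateways. It checks the redirect keys on every interface rather than only default/ as verify does, which is an assumption of the example.

```python
"""Re-run the kernel checks that `ipsec verify` fails in the log above.

Added example, not code from the original paste or from Libreswan. Reads the
/proc/sys keys ipsec verify tests from a chosen root and renders sysctl.d
lines for every key that differs from the value Libreswan expects.
"""
import os
import sys
import tempfile

# Host-wide keys: (path under /proc/sys, expected value, reason)
GLOBAL_CHECKS = [
    ("net/ipv4/ip_forward", "1", "a gateway must forward between the subnets"),
    ("net/core/xfrm_larval_drop", "1", "drop, do not queue, packets while an SA is being set up"),
]
# Per-interface keys under net/ipv4/conf/<if>/
PER_INTERFACE_CHECKS = [
    ("rp_filter", "0", "reverse-path filter is not IPsec-aware"),
    ("send_redirects", "0", "ICMP redirects bypass the tunnel policy"),
    ("accept_redirects", "0", "ICMP redirects bypass the tunnel policy"),
]


def read_sysctl(root, rel):
    """Value of one /proc/sys key, or None when the key does not exist."""
    try:
        with open(os.path.join(root, rel)) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit(root="/proc/sys"):
    """(key, current, expected, reason) for every key that is missing or
    differs from the expected value; key is in sysctl dotted form."""
    findings = []
    for rel, expected, reason in GLOBAL_CHECKS:
        current = read_sysctl(root, rel)
        if current != expected:
            findings.append((rel.replace("/", "."), current, expected, reason))
    conf_dir = os.path.join(root, "net/ipv4/conf")
    interfaces = sorted(os.listdir(conf_dir)) if os.path.isdir(conf_dir) else []
    for iface in interfaces:
        for name, expected, reason in PER_INTERFACE_CHECKS:
            rel = f"net/ipv4/conf/{iface}/{name}"
            current = read_sysctl(root, rel)
            if current != expected:
                findings.append((rel.replace("/", "."), current, expected, reason))
    return findings


def render_sysctl_conf(findings):
    """sysctl.d lines fixing each finding; absent keys become a comment."""
    lines = []
    for key, current, expected, reason in findings:
        if current is None:
            lines.append(f"# {key}: key not present on this kernel ({reason})")
        else:
            lines.append(f"# {key} was {current}: {reason}")
            lines.append(f"{key} = {expected}")
    return lines


def sample_tree():
    """Write a constructed /proc/sys lookalike mirroring the verify run
    above (ip_forward off, rp_filter on for all, lo, he-ipv6) and return
    its root. Synthetic data for demonstration only."""
    root = tempfile.mkdtemp(prefix="procsys-")
    values = {"net/ipv4/ip_forward": "0", "net/core/xfrm_larval_drop": "1"}
    for iface, rpf in (("all", "1"), ("default", "0"), ("lo", "1"),
                       ("eth0", "0"), ("he-ipv6", "1")):
        values[f"net/ipv4/conf/{iface}/rp_filter"] = rpf
        values[f"net/ipv4/conf/{iface}/send_redirects"] = "0"
        values[f"net/ipv4/conf/{iface}/accept_redirects"] = "0"
    for rel, val in values.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")
    return root


if __name__ == "__main__":
    # Usage: check_xfrm_sysctls.py [/proc/sys-root]; "sample" uses the tree above.
    arg = sys.argv[1] if len(sys.argv) > 1 else "/proc/sys"
    root = sample_tree() if arg == "sample" else arg
    for line in render_sysctl_conf(audit(root)):
        print(line)
```

On the gateway, redirect the output into /etc/sysctl.d/90-ipsec.conf and apply it with sysctl --system, then re-run ipsec verify. Turning on ip_forward makes the host a router for everything it receives, so pair it with an iptables FORWARD policy that only passes traffic matching the tunnel's policy (the verify run above also reports the NAT/MASQUERADE test as incomplete, so that rule set has not been checked here). rp_filter=2 (loose mode) is sometimes kept on multi-homed hosts, but this verify version flags any non-zero value.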
- root@server:~# ipsec status
- |
- | *received whack message
- SElinux: could not open /sys/fs/selinux/enforce
- FIPS: could not open /proc/sys/crypto/fips_enabled
- ==> /var/log/pluto.log <==
- 000 using kernel interface: netkey
- 000 interface lo/lo ::1
- 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
- 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
- | * processed 0 messages from cryptographic helpers
- 000 interface lo/lo 127.0.0.1
- | next event EVENT_PENDING_DDNS in 50 seconds
- 000 interface lo/lo 127.0.0.1
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000
- | next event EVENT_PENDING_DDNS in 50 seconds
- 000 FIPS=error(disabled)
- 000 SElinux=indeterminate
- 000
- 000 config setup options:
- 000
- 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
- 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
- 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
- 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
- 000 secctx_attr_value=<unsupported>
- 000 %myid = (none)
- 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
- 000
- 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
- 000 virtual_private (%priv):
- 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
- 000 - disallowed 0 subnets:
- 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
- 000 private address space in internal use, it should be excluded!
- 000
- 000 ESP algorithms supported:
- 000
- 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
- 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
- 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
- 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
- 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
- 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
- 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
- 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
- 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
- 000
- 000 IKE algorithms supported:
- 000
- 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
- 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
- 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
- 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
- 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
- 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
- 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
- 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
- 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
- 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
- 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
- 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
- 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
- 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
- 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
- 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
- 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
- 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
- 000
- 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
- 000
- 000 Connection list:
- 000
- 000
- 000 State list:
- 000
- 000 Shunt list:
- 000
- root@server:~#
- root@server:~# ipsec addconn routers-13
- |
- | *received whack message
- | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:none
- | Added new connection routers-13 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
- | counting wild cards for @router1 is 0
- | counting wild cards for @router3 is 0
- | based upon policy, the connection is a template.
- | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:none
- added connection description "routers-13"
- 002 added connection description "routers-13"
- | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24
- | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 40 seconds
- | next event EVENT_PENDING_DDNS in 40 seconds
- root@server:~# ipsec addconn routers-12
- |
- | *received whack message
- | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
- | find_host_pair_conn (check_connection_end): 69.x.x.x:500 %any:500 -> hp:routers-13
- | Added new connection routers-12 with policy PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
- | counting wild cards for @router1 is 0
- | counting wild cards for @router2 is 0
- | based upon policy, the connection is a template.
- | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
- 002 added connection description "routers-12"
- | connect_to_host_pair: 69.x.x.x:500 0.0.0.0:500 -> hp:routers-13
- added connection description "routers-12"
- | 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24
- | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 38 seconds
- | next event EVENT_PENDING_DDNS in 38 seconds
- root@server:~# ipsec status
- |
- | *received whack message
- SElinux: could not open /sys/fs/selinux/enforce
- FIPS: could not open /proc/sys/crypto/fips_enabled
- 000 using kernel interface: netkey
- 000 interface lo/lo ::1
- 000 interface he-ipv6/he-ipv6 2001:470:1f0e:ec4::2
- 000 interface eth0/eth0 2600:3c03::f03c:91ff:fedf:db97
- 000 interface lo/lo 127.0.0.1
- 000 interface lo/lo 127.0.0.1
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0/eth0 69.x.x.x
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000 interface eth0:1/eth0:1 192.168.55.254
- 000
- 000 FIPS=error(disabled)
- 000 SElinux=indeterminate
- 000
- 000 config setup options:
- 000
- 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/
- 000 sbindir=/usr/local/sbin, libdir=/usr/local/libexec/ipsec, libexecdir=/usr/local/libexec/ipsec
- | * processed 0 messages from cryptographic helpers
- 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
- 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
- | next event EVENT_PENDING_DDNS in 36 seconds
- 000 secctx_attr_value=<unsupported>
- | next event EVENT_PENDING_DDNS in 36 seconds
- 000 %myid = (none)
- 000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
- 000
- 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no
- 000 virtual_private (%priv):
- 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
- 000 - disallowed 0 subnets:
- 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
- 000 private address space in internal use, it should be excluded!
- 000
- 000 ESP algorithms supported:
- 000
- 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
- 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
- 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
- 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
- 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
- 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
- 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
- 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
- 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
- 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
- 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
- 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
- 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
- 000
- 000 IKE algorithms supported:
- 000
- 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
- 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
- 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
- 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
- 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
- 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
- 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
- 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
- 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
- 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
- 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
- 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
- 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
- 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
- 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
- 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
- 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
- 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
- 000
- 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
- 000
- 000 Connection list:
- 000
- 000 "routers-12": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router2]===192.168.22.0/24; unrouted; eroute owner: #0
- 000 "routers-12": oriented; my_ip=192.168.55.254; their_ip=unset;
- 000 "routers-12": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
- 000 "routers-12": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
- 000 "routers-12": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
- 000 "routers-12": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
- 000 "routers-12": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
- 000 "routers-12": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
- 000 "routers-12": newest ISAKMP SA: #0; newest IPsec SA: #0;
- 000 "routers-13": 192.168.55.0/24===69.x.x.x<69.x.x.x>[@router1]---69.164.210.1...%any[@router3]===192.168.33.0/24; unrouted; eroute owner: #0
- 000 "routers-13": oriented; my_ip=192.168.55.254; their_ip=unset;
- 000 "routers-13": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;
- 000 "routers-13": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
- 000 "routers-13": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; sha2_truncbug:no; initial_contact:no;
- 000 "routers-13": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
- 000 "routers-13": prio: 24,24; interface: eth0; metric: 0, mtu: unset;
- 000 "routers-13": dpd: action:clear; delay:30; timeout:120; nat-t: force_encaps:yes; nat_keepalive:yes;
- 000 "routers-13": newest ISAKMP SA: #0; newest IPsec SA: #0;
- 000
- 000 Total IPsec connections: loaded 2, active 0
- 000
- 000 State list:
- 000
- 000 Shunt list:
- 000
- root@server:~#
- |
- | *received 612 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | 58 e4 79 be 51 14 61 49 00 00 00 00 00 00 00 00
- | 01 10 02 00 00 00 00 00 00 00 02 64 0d 00 01 ac
- | 00 00 00 01 00 00 00 01 00 00 01 a0 00 01 00 0c
- | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10
- | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e
- | 80 0e 00 80 03 00 00 24 01 01 00 00 80 0b 00 01
- | 80 0c 0e 10 80 01 00 07 80 02 00 01 80 03 00 01
- | 80 04 00 0e 80 0e 00 80 03 00 00 20 02 01 00 00
- | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02
- | 80 03 00 01 80 04 00 0e 03 00 00 20 03 01 00 00
- | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01
- | 80 03 00 01 80 04 00 0e 03 00 00 24 04 01 00 00
- | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02
- | 80 03 00 01 80 04 00 05 80 0e 00 80 03 00 00 24
- | 05 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07
- | 80 02 00 01 80 03 00 01 80 04 00 05 80 0e 00 80
- | 03 00 00 20 06 01 00 00 80 0b 00 01 80 0c 0e 10
- | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05
- | 03 00 00 20 07 01 00 00 80 0b 00 01 80 0c 0e 10
- | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05
- | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10
- | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 02
- | 80 0e 00 80 03 00 00 24 09 01 00 00 80 0b 00 01
- | 80 0c 0e 10 80 01 00 07 80 02 00 01 80 03 00 01
- | 80 04 00 02 80 0e 00 80 03 00 00 20 0a 01 00 00
- | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02
- | 80 03 00 01 80 04 00 02 00 00 00 20 0b 01 00 00
- | 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 01
- | 80 03 00 01 80 04 00 02 0d 00 00 10 4f 45 4e 5f
- | 52 68 50 50 48 7b 64 5e 0d 00 00 14 af ca d7 13
- | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 00 14
- | 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
- | 0d 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2
- | 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f
- | 2c 17 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91
- | 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f 0d 00 00 14
- | cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
- | 00 00 00 14 44 85 15 2d 18 b6 bb cd 0b e8 a8 46
- | 95 79 dd cc
- | **parse ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 00 00 00 00 00 00 00 00
- | next payload type: ISAKMP_NEXT_SA
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | length: 612
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
- | ***parse ISAKMP Security Association Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 428
- | DOI: ISAKMP_DOI_IPSEC
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 16
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 20
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 20
- packet from 2.x.x.x:4497: received Vendor ID payload [Libreswan (this version) 3.5 ]
- packet from 2.x.x.x:4497: received Vendor ID payload [Dead Peer Detection]
- packet from 2.x.x.x:4497: received Vendor ID payload [FRAGMENTATION]
- | returning NATT method NAT_TRAVERSAL_METHOD_IETF_RFC
- | method set to=RFC 3947 (NAT-Traversal)
- packet from 2.x.x.x:4497: received Vendor ID payload [RFC 3947]
- | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-03]
- packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
- | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-02_n]
- packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
- | Ignoring older NAT-T Vendor ID paylad [draft-ietf-ipsec-nat-t-ike-02]
- packet from 2.x.x.x:4497: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
- packet from 2.x.x.x:4497: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
- | nat-t detected, sending nat-t VID
- | find_host_connection2 called from main_inI1_outR1, me=69.x.x.x:500 him=2.x.x.x:4497 policy=none
- | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
- | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 2.x.x.x:4497 -> hp:none
- | find_host_connection2 returns empty
- | ****parse IPsec DOI SIT:
- | IPsec DOI SIT: SIT_IDENTITY_ONLY
- | ****parse ISAKMP Proposal Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 416
- | proposal number: 0
- | protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | number of transforms: 12
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 0
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 14
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 1
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- ==> /var/log/pluto.log <==
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 14
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 32
- | transform number: 2
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 14
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 32
- | transform number: 3
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 14
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 4
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 5
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 32
- | transform number: 6
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 5
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 32
- | transform number: 7
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 5
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 8
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- ==> /var/log/pluto.log <==
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 9
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 32
- | transform number: 10
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 2
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_NONE
- | length: 32
- | transform number: 11
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 2
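The 612-byte datagram dumped above is the peer's IKEv1 Main Mode message 1, and the debug lines that follow it are pluto walking the ISAKMP header, the SA payload with its 12 transforms, and the eight vendor-ID payloads. The parser below is an added example, not part of the paste or of Libreswan: it reads that same hex dump (transcribed from the log; the bytes are the page's, the code is mine), checks every length field against its container, decodes the Oakley attributes in TV/TLV form, and then answers two questions a responder has to answer: which transform the commented-out `ike=3des-sha1-modp1536` line from the config would have selected, and which transforms would land on MD5 or MODP1024 if the local policy were left wide open. The algorithm, attribute and DH-group numbers are the IANA/RFC 2409 values pluto prints; `first_acceptable`'s first-match rule mirrors what the "Oakley Transform 0 accepted" line shows, not pluto's exact selection code.

```python
import struct

# Transcribed from the "received 612 bytes from 2.x.x.x:4497" hex dump in the debug log above.
IKE_MSG_HEX = """
58e479be511461490000000000000000 0110020000000000000002640d0001ac 0000000100000001000001a00001000c
0300002400010000800b0001800c0e10 8001000780020002800300018004000e 800e00800300002401010000800b0001
800c0e10800100078002000180030001 8004000e800e00800300002002010000 800b0001800c0e108001000580020002
800300018004000e0300002003010000 800b0001800c0e108001000580020001 800300018004000e0300002404010000
800b0001800c0e108001000780020002 8003000180040005800e008003000024 05010000800b0001800c0e1080010007
800200018003000180040005800e0080 0300002006010000800b0001800c0e10 80010005800200028003000180040005
0300002007010000800b0001800c0e10 80010005800200018003000180040005 0300002408010000800b0001800c0e10
80010007800200028003000180040002 800e00800300002409010000800b0001 800c0e10800100078002000180030001
80040002800e0080030000200a010000 800b0001800c0e108001000580020002 8003000180040002000000200b010000
800b0001800c0e108001000580020001 80030001800400020d0000104f454e5f 52685050487b645e0d000014afcad713
68a1f1c96b8696fc775701000d000014 4048b7d56ebce88525e7de7f00d6c2d3 0d0000144a131c81070358455c5728f2
0e95452f0d0000147d9419a65310ca6f 2c179d9215529d560d00001490cb8091 3ebb696e086381b5ec427b1f0d000014
cd60464335df21f87cfdb2fc68b6a448 000000144485152d18b6bbcd0be8a846 9579ddcc
"""
IKE_MSG = bytes.fromhex("".join(IKE_MSG_HEX.split()))

NEXT_NONE, NEXT_SA, NEXT_VID = 0, 1, 13          # ISAKMP next-payload types
ENC = {5: "3DES_CBC", 7: "AES_CBC"}               # OAKLEY_ENCRYPTION_ALGORITHM values seen here
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2_256"}       # OAKLEY_HASH_ALGORITHM values
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life", 14: "keylen"}
WEAK_GROUPS, WEAK_HASHES = {1, 2}, {1}            # MODP768/MODP1024 and MD5

def parse_header(buf):  # ISAKMP header, RFC 2408 section 3.1; length must cover the datagram
    ic, rc, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", buf[:28])
    if length != len(buf):
        raise ValueError(f"header length {length} != datagram length {len(buf)}")
    return dict(icookie=ic, rcookie=rc, next=nxt, version=(ver >> 4, ver & 0xF),
                exchange=xchg, flags=flags, msgid=msgid, length=length)

def parse_attrs(data):  # TV form: bit 15 set, 16-bit value; TLV form: 16-bit length, then value
    attrs, off = {}, 0
    while off + 4 <= len(data):
        aftype, lv = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if not aftype & 0x8000:
            lv, off = int.from_bytes(data[off:off + lv], "big"), off + lv
        attrs[ATTR.get(aftype & 0x7FFF, aftype & 0x7FFF)] = lv
    if off != len(data):
        raise ValueError("attribute list does not fit its transform")
    return attrs

def parse_sa(body):  # DOI, situation, then a chain of proposals carrying their transforms
    doi, sit = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while True:
        nxt, _, plen, pnum, proto, spisz, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spisz, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid = struct.unpack("!BBHBB", body[toff:toff + 6])
            transforms.append(dict(number=tnum, id=tid, attrs=parse_attrs(body[toff + 8:toff + tlen])))
            toff += tlen
        if toff != off + plen:
            raise ValueError("proposal length does not match its transforms")
        proposals.append(dict(number=pnum, proto=proto, transforms=transforms))
        off += plen
        if nxt == NEXT_NONE:
            return dict(doi=doi, sit=sit, proposals=proposals)

def parse_message(buf):  # walk the next-payload chain; returns (header, [(kind, parsed), ...])
    hdr = parse_header(buf)
    payloads, nxt, off = [], hdr["next"], 28
    while nxt != NEXT_NONE:
        nnxt, _, plen = struct.unpack("!BBH", buf[off:off + 4])
        if plen < 4 or off + plen > len(buf):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = buf[off + 4:off + plen]
        payloads.append(("SA", parse_sa(body)) if nxt == NEXT_SA else
                        ("VID", body) if nxt == NEXT_VID else (nxt, body))
        nxt, off = nnxt, off + plen
    if off != len(buf):
        raise ValueError("trailing bytes after the last payload")
    return hdr, payloads

def describe(t):  # (enc, hash, dh group, key length) of one KEY_IKE transform
    a = t["attrs"]
    return (ENC.get(a["enc"], a["enc"]), HASH.get(a["hash"], a["hash"]), a["group"], a.get("keylen"))

def first_acceptable(sa, enc, hash_, group):  # what ike=<enc>-<hash>-modp<bits> would accept first
    for t in (t for p in sa["proposals"] for t in p["transforms"]):
        if describe(t)[:3] == (enc, hash_, group):
            return t["number"]
    return None

def weak_transforms(sa):  # transforms that would negotiate MD5 or a MODP group of 1024 bits or less
    return sorted(t["number"] for p in sa["proposals"] for t in p["transforms"]
                  if t["attrs"].get("hash") in WEAK_HASHES or t["attrs"].get("group") in WEAK_GROUPS)

HEADER, PAYLOADS = parse_message(IKE_MSG)
SA = PAYLOADS[0][1]

if __name__ == "__main__":
    print([describe(t) for t in SA["proposals"][0]["transforms"]])
    print("ike=3des-sha1-modp1536 picks transform", first_acceptable(SA, "3DES_CBC", "SHA1", 5))
    print("weak transforms:", weak_transforms(SA))
```

Run it as-is: it parses the page's datagram, lists all twelve (enc, hash, group, keylen) tuples, reports that a `3des-sha1-modp1536` policy would land on transform 6, and flags transforms 1, 3, 5, 7, 8, 9, 10, 11 as the ones that would negotiate MD5 or MODP1024 if the responder had no `ike=` line at all. With `ike=` commented out, as in this config, pluto takes the first proposal it can satisfy (transform 0 here, which happens to be the strongest), but nothing in the config prevents a different initiator from leading with MODP1024/MD5.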
- | find_host_connection2 called from main_inI1_outR1, me=69.x.x.x:500 him=%any:4497 policy=PSK
- | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
- | find_host_pair_conn (find_host_connection2): 69.x.x.x:500 %any:4497 -> hp:routers-12
- | searching for connection with policy = PSK
- | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG (routers-12)
- | find_host_connection2 returns routers-12
- | instantiating "routers-12" for initial Main Mode message received on 69.x.x.x:500
- | find_host_pair: comparing to 69.x.x.x:500 0.0.0.0:500
- | connect_to_host_pair: 69.x.x.x:500 2.x.x.x:500 -> hp:none
- | instantiated "routers-12" for 2.x.x.x
- | creating state object #1 at 0xb8c53f80
- | processing connection routers-12[1] 2.x.x.x
- | ICOOKIE: 58 e4 79 be 51 14 61 49
- | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
- | state hash entry 4
- | inserting state object #1
- | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
- | event added at head of queue
- "routers-12"[1] 2.x.x.x #1: responding to Main Mode from unknown peer 2.x.x.x
- | **emit ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_SA
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | ***emit ISAKMP Security Association Payload:
- | next payload type: ISAKMP_NEXT_VID
- | DOI: ISAKMP_DOI_IPSEC
- | ****parse IPsec DOI SIT:
- | IPsec DOI SIT: SIT_IDENTITY_ONLY
- | ****parse ISAKMP Proposal Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 416
- | proposal number: 0
- | protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | number of transforms: 12
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_T
- | length: 36
- | transform number: 0
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | [1 is OAKLEY_LIFE_SECONDS]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 3600
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 7
- | [7 is OAKLEY_AES_CBC]
- | ike_alg_enc_ok(ealg=7,key_len=0): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | [2 is OAKLEY_SHA1]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | [1 is OAKLEY_PRESHARED_KEY]
- | started looking for secret for @router1->@router2 of kind PPK_PSK
- | actually looking for secret for @router1->@router2 of kind PPK_PSK
- | line 3: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router3 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 3: match=8
- | line 2: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router2 to @router1 / @router2 -> 4
- | 2: compared key @router1 to @router1 / @router2 -> 12
- | line 2: match=12
- | best_match 0>12 best=0xb8c4de58 (line=2)
- | line 1: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router4 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 1: match=8
- | concluding with best_match=12 best=0xb8c4de58 (lineno=2)
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 14
- | [14 is OAKLEY_GROUP_MODP2048]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_KEY_LENGTH
- | length/value: 128
- | ike_alg_enc_ok(ealg=7,key_len=128): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
- | Oakley Transform 0 accepted
- | ****emit IPsec DOI SIT:
- | IPsec DOI SIT: SIT_IDENTITY_ONLY
- | ****emit ISAKMP Proposal Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | proposal number: 0
- | protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | number of transforms: 1
- | *****emit ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_NONE
- | transform number: 0
- | transform ID: KEY_IKE
- | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
- | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02
- | attributes 80 03 00 01 80 04 00 0e 80 0e 00 80
- | emitting length of ISAKMP Transform Payload (ISAKMP): 36
- | emitting length of ISAKMP Proposal Payload: 44
- | emitting length of ISAKMP Security Association Payload: 56
- | ***emit ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
- | Vendor ID 4f 45 4e 5f 52 68 50 50 48 7b 64 5e
- | emitting length of ISAKMP Vendor ID Payload: 16
- | out_vid(): sending [Dead Peer Detection]
- | ***emit ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
- | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
- | emitting length of ISAKMP Vendor ID Payload: 20
- | out_vid(): sending [FRAGMENTATION]
- | ***emit ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_VID
- | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
- | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
- | emitting length of ISAKMP Vendor ID Payload: 20
- | sender checking NAT-T: 1 and 116
- | returning NATT method NAT_TRAVERSAL_METHOD_IETF_RFC
- | out_vendorid(): sending [RFC 3947]
- | ***emit ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
- | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
- | emitting length of ISAKMP Vendor ID Payload: 20
- | emitting length of ISAKMP Message: 160
- | peer supports fragmentation
- | peer supports dpd
- | enabling sending dpd
- | complete state transition with STF_OK
- "routers-12"[1] 2.x.x.x #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
- | deleting event for #1
- | sending reply packet to 2.x.x.x:4497 (from port 500)
- | sending 160 bytes for STATE_MAIN_R0 through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 01 10 02 00 00 00 00 00 00 00 00 a0 0d 00 00 38
- | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
- | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10
- | 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e
- | 80 0e 00 80 0d 00 00 10 4f 45 4e 5f 52 68 50 50
- | 48 7b 64 5e 0d 00 00 14 af ca d7 13 68 a1 f1 c9
- | 6b 86 96 fc 77 57 01 00 0d 00 00 14 40 48 b7 d5
- | 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 00 00 00 14
- | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
- | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
- | event added at head of queue
- "routers-12"[1] 2.x.x.x #1: STATE_MAIN_R1: sent MR1, expecting MI2
- | modecfg pull: noquirk policy:push not-client
- | phase 1 is done, looking for phase 2 to unpend
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | *received 356 bytes from 2.x.x.x:4497 on eth0 (port=500)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
- | 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
- | 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
- | b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
- | 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
- | 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
- | d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
- | ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
- | fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
- | e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
- | 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
- | c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
- | 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
- | e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
- | ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
- | 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
- | cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
- | 14 00 00 14 cd df fd b7 2a a6 1b 6b f8 eb 4b a5
- | ba e9 9a 76 14 00 00 18 04 a2 c9 8d b5 d8 53 db
- | c7 76 e4 e0 b6 77 4b 2b a3 93 b1 57 00 00 00 18
- | 04 d4 36 6f 0a de ab 49 6f a2 8b 3e f1 c2 32 93
- | 57 b4 25 aa
- | **parse ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_KE
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | length: 356
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 58 e4 79 be 51 14 61 49
- | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
- | state hash entry 4
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_R1
- | processing connection routers-12[1] 2.x.x.x
- | got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
- | ***parse ISAKMP Key Exchange Payload:
- | next payload type: ISAKMP_NEXT_NONCE
- | length: 260
- | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
- | ***parse ISAKMP Nonce Payload:
- | next payload type: ISAKMP_NEXT_NAT-D
- | length: 20
- | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
- | ***parse ISAKMP NAT-D Payload:
- | next payload type: ISAKMP_NEXT_NAT-D
- | length: 24
- | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
- | ***parse ISAKMP NAT-D Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 24
- | DH public value received:
- | 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
- | 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
- | b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
- | 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
- | 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
- | d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
- | ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
- | fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
- | e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
- | 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
- | c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
- | 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
- | e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
- | ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
- | 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
- | cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
- | inI2: checking NAT-T: 1 and 16
- | NAT_T_WITH_NATD detected
- | _natd_hash: hasher=0xb773c180(20)
- | _natd_hash: icookie=
- | 58 e4 79 be 51 14 61 49
- | _natd_hash: rcookie=
- | 76 7f 51 65 c7 b5 d3 b0
- | _natd_hash: ip= 45 a4 d2 8d
- | _natd_hash: port=500
- | _natd_hash: hash= 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
- | _natd_hash: hash= 98 5b e7 4a
- | _natd_hash: hasher=0xb773c180(20)
- | _natd_hash: icookie=
- | 58 e4 79 be 51 14 61 49
- | _natd_hash: rcookie=
- | 76 7f 51 65 c7 b5 d3 b0
- | _natd_hash: ip= 02 dc 82 c8
- | _natd_hash: port=4497
- | _natd_hash: hash= 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
- | _natd_hash: hash= 9f bf 57 79
- | NAT_TRAVERSAL hash=0 (me:0) (him:0)
- | expected NAT-D(me): 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
- | expected NAT-D(me): 98 5b e7 4a
- | expected NAT-D(him):
- | 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
- | 9f bf 57 79
- | received NAT-D: 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | received NAT-D: a3 93 b1 57
- | NAT_TRAVERSAL hash=1 (me:0) (him:0)
- | expected NAT-D(me): 11 9d a5 4e 2d 90 8f 82 75 55 68 95 40 2b e7 22
- | expected NAT-D(me): 98 5b e7 4a
- | expected NAT-D(him):
- | 42 d3 f5 32 42 b0 dc a4 3c 63 4f 91 ff c2 3b 9c
- | 9f bf 57 79
- | received NAT-D: 04 d4 36 6f 0a de ab 49 6f a2 8b 3e f1 c2 32 93
- | received NAT-D: 57 b4 25 aa
- | NAT_TRAVERSAL hash=2 (me:0) (him:0)
- | NAT_TRAVERSAL forceencaps enabled
- | NAT_TRAVERSAL nat_keepalive enabled
- "routers-12"[1] 2.x.x.x #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
- | NAT_T_WITH_KA detected
- | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
- | event added after event EVENT_PENDING_DDNS
- | 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
- | asking helper 1 to do build_kenonce op on seq: 1 (len=2680, pcw_work=1)
- | crypto helper write of request: cnt=2680<wlen=2680.
- | deleting event for #1
- | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
- | event added after event EVENT_PENDING_PHASE2
- | complete state transition with STF_SUSPEND
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 15 seconds
- | next event EVENT_PENDING_DDNS in 15 seconds
- | helper 1 read 2676+4/2680 bytes fd: 10
- | helper 1 doing build_kenonce op id: 1
- | NSS: Value of Prime:
- | ff ff ff ff ff ff ff ff c9 0f da a2 21 68 c2 34
- | c4 c6 62 8b 80 dc 1c d1 29 02 4e 08 8a 67 cc 74
- | 02 0b be a6 3b 13 9b 22 51 4a 08 79 8e 34 04 dd
- | ef 95 19 b3 cd 3a 43 1b 30 2b 0a 6d f2 5f 14 37
- | 4f e1 35 6d 6d 51 c2 45 e4 85 b5 76 62 5e 7e c6
- | f4 4c 42 e9 a6 37 ed 6b 0b ff 5c b6 f4 06 b7 ed
- | ee 38 6b fb 5a 89 9f a5 ae 9f 24 11 7c 4b 1f e6
- | 49 28 66 51 ec e4 5b 3d c2 00 7c b8 a1 63 bf 05
- | 98 da 48 36 1c 55 d3 9a 69 16 3f a8 fd 24 cf 5f
- | 83 65 5d 23 dc a3 ad 96 1c 62 f3 56 20 85 52 bb
- | 9e d5 29 07 70 96 96 6d 67 0c 35 4e 4a bc 98 04
- | f1 74 6c 08 ca 18 21 7c 32 90 5e 46 2e 36 ce 3b
- | e3 9e 77 2c 18 0e 86 03 9b 27 83 a2 ec 07 a2 8f
- | b5 c5 5d f0 6f 4c 52 c9 de 2b cb f6 95 58 17 18
- | 39 95 49 7c ea 95 6a e5 15 d2 26 18 98 fa 05 10
- | 15 72 8e 5a 8a ac aa 68 ff ff ff ff ff ff ff ff
- | NSS: Value of base:
- | 02
- | NSS: generated dh priv and pub keys: 256
- | NSS: Local DH secret (pointer):
- | 40 48 30 b5
- | NSS: Public DH value sent(computed in NSS):
- | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | NSS: Local DH public value (pointer):
- | 38 40 30 b5
- | Generated nonce:
- | 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
- |
- | helper 1 has finished work (cnt now 1)
- | helper 1 replies to id: q#1
- | calling callback function 0xb7668f90
- | main inI2_outR2: calculated ke+nonce, sending R2
- | processing connection routers-12[1] 2.x.x.x
- | **emit ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_KE
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | saving DH priv (local secret) and pub key into state struc
- | ***emit ISAKMP Key Exchange Payload:
- | next payload type: ISAKMP_NEXT_NONCE
- | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
- | keyex value 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | keyex value b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | keyex value e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | keyex value 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | keyex value 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | keyex value 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | keyex value f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | keyex value 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | keyex value 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | keyex value ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | keyex value 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | keyex value 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | keyex value 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | keyex value c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | keyex value 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | keyex value 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | emitting length of ISAKMP Key Exchange Payload: 260
- | ***emit ISAKMP Nonce Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
- | Nr 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
- | emitting length of ISAKMP Nonce Payload: 20
- | sending NAT-D payloads
- | NAT-T: forceencaps=yes, so mangling hash to force NAT-T detection
- | _natd_hash: hasher=0xb773c180(20)
- | _natd_hash: icookie=
- | 58 e4 79 be 51 14 61 49
- | _natd_hash: rcookie=
- | 76 7f 51 65 c7 b5 d3 b0
- | _natd_hash: ip= 02 dc 82 c8
- | _natd_hash: port=0
- | _natd_hash: hash= 8d fa b2 1b f7 97 67 8a ae f7 31 f9 41 1a d5 8a
- | _natd_hash: hash= 84 35 fc a1
- | ***emit ISAKMP NAT-D Payload:
- | next payload type: ISAKMP_NEXT_NAT-D
- | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
- | NAT-D 8d fa b2 1b f7 97 67 8a ae f7 31 f9 41 1a d5 8a
- | NAT-D 84 35 fc a1
- | emitting length of ISAKMP NAT-D Payload: 24
- | _natd_hash: hasher=0xb773c180(20)
- | _natd_hash: icookie=
- | 58 e4 79 be 51 14 61 49
- | _natd_hash: rcookie=
- | 76 7f 51 65 c7 b5 d3 b0
- | _natd_hash: ip= 45 a4 d2 8d
- | _natd_hash: port=0
- | _natd_hash: hash= 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | _natd_hash: hash= a3 93 b1 57
- | ***emit ISAKMP NAT-D Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
- | NAT-D 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | NAT-D a3 93 b1 57
- | emitting length of ISAKMP NAT-D Payload: 24
- | emitting length of ISAKMP Message: 356
- | main inI2_outR2: starting async DH calculation (group=14)
- | started looking for secret for @router1->@router2 of kind PPK_PSK
- | actually looking for secret for @router1->@router2 of kind PPK_PSK
- | line 3: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router3 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 3: match=8
- | line 2: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router2 to @router1 / @router2 -> 4
- | 2: compared key @router1 to @router1 / @router2 -> 12
- | line 2: match=12
- | best_match 0>12 best=0xb8c4de58 (line=2)
- | line 1: key type PPK_PSK(@router1) to type PPK_PSK
- | 1: compared key @router4 to @router1 / @router2 -> 0
- | 2: compared key @router1 to @router1 / @router2 -> 8
- | line 1: match=8
- | concluding with best_match=12 best=0xb8c4de58 (lineno=2)
- | parent1 type: 7 group: 14 len: 2680
- | Copying DH pub key pointer to be sent to a thread helper
- | 2: w->pcw_dead: 0 w->pcw_work: 0 cnt: 7
- | asking helper 2 to do compute dh+iv op on seq: 2 (len=2680, pcw_work=1)
- | crypto helper write of request: cnt=2680<wlen=2680.
- | deleting event for #1
- | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
- | event added after event EVENT_PENDING_PHASE2
- | started dh_secretiv, returned: stf=STF_SUSPEND
- | complete state transition with STF_OK
- "routers-12"[1] 2.x.x.x #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
- | deleting event for #1
- | sending reply packet to 2.x.x.x:4497 (from port 500)
- | sending 356 bytes for STATE_MAIN_R1 through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
- | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
- | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
- | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
- | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | a3 93 b1 57
- | helper 2 read 2676+4/2680 bytes fd: 13
- | helper 2 doing compute dh+iv op id: 2
- | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
- | event added at head of queue
- "routers-12"[1] 2.x.x.x #1: STATE_MAIN_R2: sent MR2, expecting MI3
- | modecfg pull: noquirk policy:push not-client
- | phase 1 is done, looking for phase 2 to unpend
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | peer's g: 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
- | peer's g: 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
- | peer's g: b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
- | peer's g: 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
- | peer's g: 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
- | peer's g: d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
- | peer's g: ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
- | peer's g: fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
- | peer's g: e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
- | peer's g: 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
- | peer's g: c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
- | peer's g: 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
- | peer's g: e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
- | peer's g: ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
- | peer's g: 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
- | peer's g: cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
- | Started DH shared-secret computation in NSS:
- | Dropped no leading zeros 256
- | calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP2048): 3911 usec
- | DH shared-secret (pointer):
- | 50 10 90 b4
- | NSS: skeyid inputs (pss+NI+NR+shared-secret) hasher: oakley_sha
- | shared-secret (pointer in chunk_t):
- | 50 10 90 b4
- | ni: cd df fd b7 2a a6 1b 6b f8 eb 4b a5 ba e9 9a 76
- | nr: 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb b3 2c 76 f9
- | NSS: st_skeyid in skeyid_preshared() (pointer):
- | 80 7b 90 b4
- | NSS: Started key computation
- | NSS: dh shared param len=4
- | NSS: enc keysize=16
- | NSS: copied skeyid_d_chunk
- | NSS: copied skeyid_a_chunk
- | NSS: copied skeyid_e_chunk
- | NSS: copied enc_key_chunk
- | NSS: Freed symkeys 1-23
- | NSS: Freed padding chunks
- | DH_i: 52 e7 5c 5f b9 33 9c 76 71 ae 3f 97 65 dc 72 a5
- | DH_i: 84 c1 52 94 f1 d5 11 e0 ab dc a0 4e 9c 33 ee da
- | DH_i: b9 dd a3 e1 84 b7 97 a3 89 15 a7 ce 2c e9 c1 5d
- | DH_i: 15 18 36 d1 8b bd d9 03 46 69 88 49 57 a9 7d 96
- | DH_i: 70 79 d8 9a 2e 15 31 29 a2 a1 bc dc 9f 58 3f 66
- | DH_i: d8 0d 95 61 c8 87 de ab 06 5f f1 c4 c0 01 e0 27
- | DH_i: ab c9 c9 3b d5 31 42 26 fa b0 ab 5a a0 4b 35 ee
- | DH_i: fc 4d c1 26 26 b1 84 68 ee 91 14 0a 30 c5 63 24
- | DH_i: e9 bc dd b6 57 cf 7c a2 ae f7 0e 05 be 35 36 f3
- | DH_i: 4c 62 a6 48 a5 79 b3 c0 09 37 07 54 3b 7e d7 f1
- | DH_i: c5 6d 19 a2 bd c9 d1 f7 45 9e 56 b1 bc fa 54 17
- | DH_i: 54 52 5d f7 c7 f7 98 63 cf d1 c8 35 d4 e8 85 d1
- | DH_i: e7 d6 18 3d db f1 97 93 fb a5 38 a5 0c 42 78 e3
- | DH_i: ec df 4c 84 fc 1b 8f 14 89 db 13 ba 67 cf ce 31
- | DH_i: 6b e8 e8 94 07 78 33 5e e1 29 75 53 7d 35 c2 9e
- | DH_i: cd 22 d4 89 7f cf b2 88 32 43 1b 22 ff 1e 4c c7
- | DH_r: 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | DH_r: b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | DH_r: e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | DH_r: 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | DH_r: 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | DH_r: 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | DH_r: f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | DH_r: 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | DH_r: 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | DH_r: ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | DH_r: 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | DH_r: 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | DH_r: 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | DH_r: c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | DH_r: 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | DH_r: 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | end of IV generation
- |
- | helper 2 has finished work (cnt now 1)
- | helper 2 replies to id: q#2
- | calling callback function 0xb7665fd0
- | main inI2_outR2: calculated DH finished
- | processing connection routers-12[1] 2.x.x.x
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
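Added example (not from the paste and not Libreswan code): the Phase 1 key derivation the crypto helper performs at "skeyid inputs (pss+NI+NR+shared-secret) hasher: oakley_sha" and "enc keysize=16" above, written out per RFC 2409 section 5.4 and appendix B. The cookies and both nonces are copied from the log; the DH shared secret g^xy and the two pre-shared keys are constructed stand-ins, since the real ones never appear in a log. What it shows: the PSK enters only through SKEYID, and nothing in the derivation or in MR2 can tell the responder whether it picked the right secret; a wrong PSK silently yields a different SKEYID_e and AES key, so the mistake only surfaces when the first encrypted message, MI3, fails to decrypt into valid payloads.

```python
"""IKEv1 Main Mode key derivation with a pre-shared key (RFC 2409 section 5.4 and
appendix B). Added example, not Libreswan code: cookies and nonces are copied from
the log above; the PSKs and the DH shared secret g^xy are constructed stand-ins."""
import hashlib
import hmac

def prf(key, data):
    """HMAC-SHA1: the 'oakley_sha' hasher the log names for the skeyid computation."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_preshared(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): the PSK enters here and nowhere else."""
    return prf(psk, ni + nr)

def phase1_keys(psk, g_xy, cky_i, cky_r, ni, nr):
    """SKEYID_d, SKEYID_a and SKEYID_e (RFC 2409 section 5); all three change with the PSK."""
    skeyid = skeyid_preshared(psk, ni, nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

def encryption_key(skeyid_e, keylen):
    """Appendix B: SKEYID_e is used as is when long enough (SHA-1 gives 20 bytes, AES-128
    needs the 16 the log calls 'enc keysize=16'); otherwise it is expanded as
    K1 = prf(SKEYID_e, 0), Ki = prf(SKEYID_e, Ki-1) and concatenated."""
    if len(skeyid_e) >= keylen:
        return skeyid_e[:keylen]
    k, out = prf(skeyid_e, b"\x00"), b""
    while len(out) < keylen:
        out, k = out + k, prf(skeyid_e, k)
    return out[:keylen]

def phase1_iv(g_xi, g_xr, blocksize=16):
    """Appendix B: the first CBC IV is hash(g^xi | g^xr) truncated to the cipher block size,
    the 'IV generation' step the helper logs right after the DH_i / DH_r dumps."""
    return hashlib.sha1(g_xi + g_xr).digest()[:blocksize]

# Copied from the log: both cookies and both nonces (ni, nr).
CKY_I = bytes.fromhex("58e479be51146149")
CKY_R = bytes.fromhex("767f5165c7b5d3b0")
NI = bytes.fromhex("cddffdb72aa61b6bf8eb4ba5bae99a76")
NR = bytes.fromhex("965d9517ff5a146e7cad9eebb32c76f9")
# Constructed stand-ins: a 256-byte MODP2048-sized shared secret and two candidate PSKs.
G_XY = bytes(range(256))
PSK_ROUTER2, PSK_ROUTER3 = b"psk-for-router2", b"psk-for-router3"

def keys_differ(psk_a, psk_b):
    """True when two PSKs give different AES keys for the same exchange: MI3 encrypted
    under one decrypts to noise under the other, which is why pluto later sees an
    unknown next-payload byte instead of a clean authentication failure."""
    ka = encryption_key(phase1_keys(psk_a, G_XY, CKY_I, CKY_R, NI, NR)["e"], 16)
    kb = encryption_key(phase1_keys(psk_b, G_XY, CKY_I, CKY_R, NI, NR)["e"], 16)
    return ka != kb
```

The derivation has no step at which the responder can notice that it selected the secret for the wrong peer; with PSK authentication the only signal is whether the next encrypted message parses, so a secret-selection problem always looks like a malformed payload first.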
- |
- | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
- | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
- | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
- | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | **parse ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_ID
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: ISAKMP_FLAG_ENCRYPTION
- | message ID: 00 00 00 00
- | length: 76
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 58 e4 79 be 51 14 61 49
- | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
- | state hash entry 4
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_R2
- | processing connection routers-12[1] 2.x.x.x
- | received encrypted packet from 2.x.x.x:4509
- | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
- | NSS do_aes: enter
- | NSS do_aes: exit
- | decrypted:
- | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
- | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
- | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
- | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
- "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
- "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
- | payload malformed after IV
- | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
- | 03 2d 42 c6
- "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_N
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_INFO
- | flags: none
- | message ID: e5 82 56 e4
- | ***emit ISAKMP Notification Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | DOI: ISAKMP_DOI_IPSEC
- | protocol ID: 1
- | SPI size: 0
- | Notify Message Type: PAYLOAD_MALFORMED
- | emitting length of ISAKMP Notification Payload: 12
- | emitting length of ISAKMP Message: 40
- | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 0b 10 05 00 e5 82 56 e4 00 00 00 28 00 00 00 0c
- | 00 00 00 01 01 00 00 10
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
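Added example (not part of the paste and not Libreswan code): a small Python decoder run over the hex dumps above. It parses MR1 (the SA payload with the accepted AES-128 / SHA1 / PSK / MODP2048 transform, then the four vendor IDs), reads the encryption flag on the 76-byte MI3, walks the 48 bytes pluto obtained by decrypting it, and decodes the PAYLOAD_MALFORMED notification that was sent back. The walk stops on the ID payload's next-payload byte, 0xc6 = 198, which is the value pluto reports. The cause is visible earlier in the log: the responder instantiated routers-12 for 2.x.x.x and selected the @router1/@router2 secret (ipsec.secrets line 2, match=12) before it could see the peer's identity, because in Main Mode the ID only arrives inside the encrypted MI3, and right=%any gives no address to choose a secret by. If the initiator holds a different PSK, SKEYID_e differs, MI3 decrypts to noise, and the byte that should name the HASH payload is garbage. Payload, exchange, notify and attribute numbers are from RFC 2408, RFC 2409 and RFC 3947; the function and variable names are this example's own.

```python
"""Decode the ISAKMP (IKEv1) messages pluto hex-dumps in the log above.
Added example, not Libreswan code: the sample bytes are copied from the log
(MR1, the encrypted MI3, its decryption, the notification); names are my own."""
import struct

# Payload types from RFC 2408 section 3.1, plus NAT-D (20) from RFC 3947.
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D",
                 13: "VID", 20: "NAT-D"}
EXCHANGE_NAMES = {2: "IDPROT", 5: "INFO"}
NOTIFY_NAMES = {16: "PAYLOAD_MALFORMED"}                        # RFC 2408 section 3.14.1
OAKLEY_ATTR = {1: "ENCRYPTION_ALGORITHM", 2: "HASH_ALGORITHM",  # RFC 2409 appendix A
               3: "AUTHENTICATION_METHOD", 4: "GROUP_DESCRIPTION",
               11: "LIFE_TYPE", 12: "LIFE_DURATION", 14: "KEY_LENGTH"}
FLAG_ENCRYPTION, HEADER_LEN = 0x01, 28

def hexbytes(dump):
    """Bytes from the 'xx xx xx' text of a pluto hex dump."""
    return bytes.fromhex("".join(dump.split()))

def parse_header(raw):
    """ISAKMP header (RFC 2408 section 3.1); the length field must match the datagram."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    ick, rck, nxt, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:HEADER_LEN])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes received" % (length, len(raw)))
    return {"icookie": ick, "rcookie": rck, "next": nxt, "version": ver, "msgid": msgid,
            "exchange": EXCHANGE_NAMES.get(xchg, xchg), "encrypted": bool(flags & FLAG_ENCRYPTION)}

def walk_payloads(first_type, data):
    """Follow the generic payload chain (next, reserved, length), validating every 'next'
    byte before trusting it: the check pluto fails with 'unknown value: 198' on MI3."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        name = PAYLOAD_NAMES.get(ptype)
        if name is None or off + 4 > len(data):
            raise ValueError("unknown payload type %d or truncated message" % ptype)
        nxt, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if nxt not in PAYLOAD_NAMES:
            raise ValueError("next payload type of %s payload has an unknown value: %d" % (name, nxt))
        if plen < 4 or off + plen > len(data):
            raise ValueError("%s payload length %d overruns message" % (name, plen))
        payloads.append((name, data[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return payloads

def parse_attrs(data):
    """Oakley transform attributes: TV form (high bit set, 2-byte value) or TLV form."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        aftype, val = struct.unpack("!HH", data[off:off + 4])
        name = OAKLEY_ATTR.get(aftype & 0x7fff, aftype & 0x7fff)
        if aftype & 0x8000:
            attrs[name], off = val, off + 4
        else:
            attrs[name], off = data[off + 4:off + 4 + val], off + 4 + val
    return attrs

def parse_sa(body):
    """SA payload: DOI, situation, then a chain of proposals each carrying its transforms."""
    doi, sit = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while True:
        nxt, _r, plen, pnum, proto, spisz, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spisz, []
        for _ in range(ntrans):
            _tn, _r, tlen, tnum, tid, _r2 = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append({"number": tnum, "id": tid, "attrs": parse_attrs(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        if nxt == 0:
            return {"doi": doi, "sit": sit, "proposals": proposals}
        off += plen

def parse_notify(body):
    """Notification payload (RFC 2408 section 3.14)."""
    doi, proto, spisz, ntype = struct.unpack("!IBBH", body[:8])
    return {"doi": doi, "protocol": proto, "spi": body[8:8 + spisz], "type": NOTIFY_NAMES.get(ntype, ntype)}

def diagnose_decrypted(raw, plaintext):
    """Walk the decrypted body of an encrypted message. PSK Main Mode MI3 must walk as
    ID, HASH; anything else means the peer's SKEYID_e, and so its PSK, is not ours."""
    try:
        return [name for name, _ in walk_payloads(parse_header(raw)["next"], plaintext)]
    except ValueError as err:
        return "PAYLOAD_MALFORMED: %s (mismatch of preshared secrets?)" % err

# Copied from the log: MR1 (160 bytes), MI3 as received (76 bytes), the 48 bytes
# pluto obtained by decrypting it, and the PAYLOAD_MALFORMED notification (40 bytes).
MR1 = hexbytes("""
58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0 01 10 02 00 00 00 00 00 00 00 00 a0 0d 00 00 38
00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10
80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 0e 80 0e 00 80 0d 00 00 10 4f 45 4e 5f 52 68 50 50
48 7b 64 5e 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 00 14 40 48 b7 d5
6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 00 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f""")
MI3 = hexbytes("""
58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
a7 40 fd ec 88 c4 22 ac 18 66 cb fe""")
MI3_DECRYPTED = hexbytes("""
c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5""")
NOTIFY = hexbytes("""
58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0 0b 10 05 00 e5 82 56 e4 00 00 00 28 00 00 00 0c
00 00 00 01 01 00 00 10""")
```

Running diagnose_decrypted(MI3, MI3_DECRYPTED) reproduces pluto's verdict, and parse_sa on MR1 confirms the responder answered with a single transform (AES-128, SHA1, pre-shared key, group 14), so the algorithm negotiation is not the problem here; the secret selected for the instantiated connection is.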
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 5 seconds
- | processing connection routers-12[1] 2.x.x.x
- | handling event EVENT_RETRANSMIT for 2.x.x.x "routers-12" #1
- | sending 356 bytes for EVENT_RETRANSMIT through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
- | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
- | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
- | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
- | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | a3 93 b1 57
- | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
- | event added after event EVENT_NAT_T_KEEPALIVE
- | next event EVENT_PENDING_DDNS in 5 seconds
- |
- | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
- | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
- | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
- | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | **parse ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_ID
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: ISAKMP_FLAG_ENCRYPTION
- | message ID: 00 00 00 00
- | length: 76
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 58 e4 79 be 51 14 61 49
- | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
- | state hash entry 4
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_R2
- | processing connection routers-12[1] 2.x.x.x
- | received encrypted packet from 2.x.x.x:4509
- | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
- | NSS do_aes: enter
- | NSS do_aes: exit
- | decrypted:
- | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
- | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
- | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
- | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
- "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
- "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
- | payload malformed after IV
- | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
- | 03 2d 42 c6
- "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_N
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_INFO
- | flags: none
- | message ID: 63 21 1b 71
- | ***emit ISAKMP Notification Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | DOI: ISAKMP_DOI_IPSEC
- | protocol ID: 1
- | SPI size: 0
- | Notify Message Type: PAYLOAD_MALFORMED
- | emitting length of ISAKMP Notification Payload: 12
- | emitting length of ISAKMP Message: 40
- | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 0b 10 05 00 63 21 1b 71 00 00 00 28 00 00 00 0c
- | 00 00 00 01 01 00 00 10
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 5 seconds
- | next event EVENT_PENDING_DDNS in 5 seconds
- |
- | next event EVENT_PENDING_DDNS in 0 seconds
- | *time to handle event
- | handling event EVENT_PENDING_DDNS
- | event after this is EVENT_NAT_T_KEEPALIVE in 5 seconds
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | event added after event EVENT_RETRANSMIT for #1
- | next event EVENT_NAT_T_KEEPALIVE in 5 seconds
- |
- | next event EVENT_NAT_T_KEEPALIVE in 0 seconds
- | *time to handle event
- | handling event EVENT_NAT_T_KEEPALIVE
- | event after this is EVENT_RETRANSMIT in 10 seconds
- | processing connection routers-12[1] 2.x.x.x
- | Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 45 seconds
- | processing connection routers-12[1] 2.x.x.x
- | handling event EVENT_RETRANSMIT for 2.x.x.x "routers-12" #1
- | sending 356 bytes for EVENT_RETRANSMIT through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 04 10 02 00 00 00 00 00 00 00 01 64 0a 00 01 04
- | 1d a1 7e b1 6f 76 bb 9f 83 a4 3a 7e a1 1c 9b 82
- | b2 66 5f 6b 4e ff c5 a3 9d 23 6f af 92 3d 0b d5
- | e1 eb b0 d0 91 07 d5 8f 6f 7a a1 69 21 0e 95 f8
- | 98 3d 22 9d 17 17 45 34 fa 67 bc 47 76 b3 2c ea
- | 93 06 d1 3b d9 64 92 de c2 ea aa d2 94 b8 c1 0b
- | 73 5f 72 55 5c fd ae 13 9d 43 e2 4f 56 02 bb d3
- | f6 76 f0 c8 df a7 ee 0a 13 ca cc aa 70 3a 37 e5
- | 48 37 15 c7 d1 4d 7c 22 e2 ed 01 65 71 29 99 d1
- | 81 ee 50 33 0c 6f 2c 3c 5f 8f 8c e0 fc ca dd d0
- | ba cd 13 41 32 d2 f8 d3 f9 bc b6 5d 19 e2 e1 6e
- | 1d 54 fe 50 b7 f5 2e 22 59 47 92 88 18 aa 3a e3
- | 3a 26 fb 7d c0 db 79 43 f9 5b 45 70 f0 49 a0 db
- | 08 b1 d3 8b 9f 37 62 9f 85 24 ba f0 3e 93 06 19
- | c0 cb 4d 1b 2e dc 3b ab 9c 21 9a c5 22 25 b3 bc
- | 2c 68 c0 f3 66 77 9c d9 ba fc ad d7 62 5a 06 cd
- | 5a 08 2a 73 2b ba a8 9e 2b bb a2 6d b9 66 f4 cc
- | 14 00 00 14 96 5d 95 17 ff 5a 14 6e 7c ad 9e eb
- | b3 2c 76 f9 14 00 00 18 8d fa b2 1b f7 97 67 8a
- | ae f7 31 f9 41 1a d5 8a 84 35 fc a1 00 00 00 18
- | 04 a2 c9 8d b5 d8 53 db c7 76 e4 e0 b6 77 4b 2b
- | a3 93 b1 57
- | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
- | event added at head of queue
- | next event EVENT_RETRANSMIT in 40 seconds for #1
- |
- | *received 76 bytes from 2.x.x.x:4509 on eth0 (port=4500)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 05 10 02 01 00 00 00 00 00 00 00 4c 72 99 0d e7
- | 19 d4 f5 f8 da 77 00 69 85 4b 73 e9 18 5d 40 42
- | 70 76 fd c8 01 47 08 66 05 24 0d 3e 21 25 f0 de
- | a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | **parse ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_ID
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: ISAKMP_FLAG_ENCRYPTION
- | message ID: 00 00 00 00
- | length: 76
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 58 e4 79 be 51 14 61 49
- | RCOOKIE: 76 7f 51 65 c7 b5 d3 b0
- | state hash entry 4
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_R2
- | processing connection routers-12[1] 2.x.x.x
- ==> /var/log/pluto.log <==
- | received encrypted packet from 2.x.x.x:4509
- | decrypting 48 bytes using algorithm OAKLEY_AES_CBC
- | NSS do_aes: enter
- | NSS do_aes: exit
- | decrypted:
- | c6 2d ce 53 31 c7 3a 36 6d 50 8c bd 72 46 4f 30
- | 6c 68 f4 d4 c3 6a f0 00 3f 4e 38 0a 8a 3f f3 1f
- | 0a 43 48 71 05 13 8c 54 d5 02 c4 fd 2e 27 ba a5
- | next IV: 21 25 f0 de a7 40 fd ec 88 c4 22 ac 18 66 cb fe
- | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
- "routers-12"[1] 2.x.x.x #1: next payload type of ISAKMP Identification Payload has an unknown value: 198
- "routers-12"[1] 2.x.x.x #1: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
- | payload malformed after IV
- | 50 5c f3 1f bd 52 32 60 25 33 f5 71 cc cb a6 2c
- | 03 2d 42 c6
- "routers-12"[1] 2.x.x.x #1: sending notification PAYLOAD_MALFORMED to 2.x.x.x:4497
- | **emit ISAKMP Message:
- | initiator cookie:
- | 58 e4 79 be 51 14 61 49
- | responder cookie:
- | 76 7f 51 65 c7 b5 d3 b0
- | next payload type: ISAKMP_NEXT_N
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_INFO
- | flags: none
- | message ID: 01 34 78 8e
- | ***emit ISAKMP Notification Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | DOI: ISAKMP_DOI_IPSEC
- | protocol ID: 1
- | SPI size: 0
- | Notify Message Type: PAYLOAD_MALFORMED
- | emitting length of ISAKMP Notification Payload: 12
- | emitting length of ISAKMP Message: 40
- | sending 40 bytes for notification packet through eth0:500 to 2.x.x.x:4497 (using #1)
- | 58 e4 79 be 51 14 61 49 76 7f 51 65 c7 b5 d3 b0
- | 0b 10 05 00 01 34 78 8e 00 00 00 28 00 00 00 0c
- | 00 00 00 01 01 00 00 10
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 40 seconds for #1
- | next event EVENT_RETRANSMIT in 40 seconds for #1
- --- client side ---
- [root@localhost ~]# ipsec start
- Redirecting to: service ipsec start
- Starting pluto IKE daemon for IPsec:
- [root@localhost ~]# ipsec addconn routers-13
- 002 added connection description "routers-13"
- [root@localhost ~]# ipsec auto --up routers-13
- 104 "routers-13" #1: STATE_MAIN_I1: initiate
- 003 "routers-13" #1: received Vendor ID payload [Libreswan (this version) 3.5 ]
- 003 "routers-13" #1: received Vendor ID payload [Dead Peer Detection]
- 003 "routers-13" #1: received Vendor ID payload [FRAGMENTATION]
- 003 "routers-13" #1: received Vendor ID payload [RFC 3947]
- 106 "routers-13" #1: STATE_MAIN_I2: sent MI2, expecting MR2
- 003 "routers-13" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
- 108 "routers-13" #1: STATE_MAIN_I3: sent MI3, expecting MR3
- 010 "routers-13" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
- 003 "routers-13" #1: discarding duplicate packet; already STATE_MAIN_I3
- 010 "routers-13" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
- 003 "routers-13" #1: discarding duplicate packet; already STATE_MAIN_I3