- [root@htz001prdknl001 ~]# more /var/log/ipsec.log
- Plutorun started on Sun Oct 30 20:26:40 SAST 2016
- adjusting ipsec.d to /etc/ipsec.d
- nss directory plutomain: /etc/ipsec.d
- NSS Initialized
- Non-fips mode set in /proc/sys/crypto/fips_enabled
- FIPS: not a FIPS product
- FIPS HMAC integrity verification test passed
- Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:694
- Non-fips mode set in /proc/sys/crypto/fips_enabled
- LEAK_DETECTIVE support [disabled]
- OCF support for IKE [disabled]
- SAref support [disabled]: Protocol not available
- SAbind support [disabled]: Protocol not available
- NSS support [enabled]
- HAVE_STATSD notification support not compiled in
- Setting NAT-Traversal port-4500 floating to on
- port floating activation criteria nat_t=1/port_float=1
- NAT-Traversal support [enabled]
- 1 bad entries in virtual_private - none loaded
- | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
- ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
- ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
- ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
- ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
- ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
- ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
- starting up 3 cryptographic helpers
- started helper (thread) pid=140588861937408 (fd:7)
- started helper (thread) pid=140588851447552 (fd:9)
- started helper (thread) pid=140588708001536 (fd:11)
- | status value returned by setting the priority of this thread (id=0) 22
- | helper 0 waiting on fd: 8
- Using Linux 2.6 IPsec interface code on 2.6.32-504.16.2.el6.x86_64 (experimental code)
- | status value returned by setting the priority of this thread (id=1) 22
- | helper 1 waiting on fd: 10
- | status value returned by setting the priority of this thread (id=2) 22
- | helper 2 waiting on fd: 12
- ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
- ike_alg_register_enc(): Activating aes_ccm_12: Ok (ret=0)
- ike_alg_register_enc(): Activating aes_ccm_16: Ok (ret=0)
- ike_alg_register_enc(): Activating aes_gcm_8: Ok (ret=0)
- ike_alg_register_enc(): Activating aes_gcm_12: Ok (ret=0)
- ike_alg_register_enc(): Activating aes_gcm_16: Ok (ret=0)
- Could not change to directory '/etc/ipsec.d/cacerts': /
- Could not change to directory '/etc/ipsec.d/aacerts': /
- Could not change to directory '/etc/ipsec.d/ocspcerts': /
- Could not change to directory '/etc/ipsec.d/crls'
- | selinux support is NOT enabled.
- | inserting event EVENT_LOG_DAILY, timeout in 12799 seconds
- | next event EVENT_PENDING_DDNS in 60 seconds
- |
- | *received whack message
- | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
- | Added new connection host-prd/0x1 with policy PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK
- | from whack: got --esp=3des-sha1
- | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
- | esp string values: 3DES(3)_000-SHA1(2)_000
- | ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
- | loopback=0 labeled_ipsec=0, policy_label=(null)
- | counting wild cards for @LEFTID is 0
- | counting wild cards for REMOTEIP/ID is 0
- | alg_info_addref() alg_info->ref_cnt=1
- | alg_info_addref() alg_info->ref_cnt=1
- added connection description "host-prd/0x1"
- | externalIP/32===externalIP<externalIP>[@LEFTID,+S=C]---defGateway...defGateway---REMOTEIP/ID<REMOTEIP/ID>[+S=C]===172.25.48.43/32
- | ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 60 seconds
- | next event EVENT_PENDING_DDNS in 60 seconds
- |
- | *received whack message
- | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
- | Added new connection host-prd/0x2 with policy PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK
- | from whack: got --esp=3des-sha1
- | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
- | esp string values: 3DES(3)_000-SHA1(2)_000
- | ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
- | loopback=0 labeled_ipsec=0, policy_label=(null)
- | counting wild cards for @LEFTID is 0
- | counting wild cards for REMOTEIP/ID is 0
- | alg_info_addref() alg_info->ref_cnt=1
- | alg_info_addref() alg_info->ref_cnt=1
- added connection description "host-prd/0x2"
- | externalIP/32===externalIP<externalIP>[@LEFTID,+S=C]---defGateway...defGateway---REMOTEIP/ID<REMOTEIP/ID>[+S=C]===172.25.48.36/32
- | ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 60 seconds
- | next event EVENT_PENDING_DDNS in 60 seconds
- |
- | *received whack message
- listening for IKE messages
- | found lo with address 127.0.0.1
- | found eth0 with address externalIP
- | found eth1 with address 10.0.64.10
- adding interface eth1/eth1 10.0.64.10:500
- adding interface eth1/eth1 10.0.64.10:4500
- adding interface eth0/eth0 externalIP:500
- adding interface eth0/eth0 externalIP:4500
- adding interface lo/lo 127.0.0.1:500
- adding interface lo/lo 127.0.0.1:4500
- | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
- adding interface lo/lo ::1:500
- loading secrets from "/etc/ipsec.secrets"
- loading secrets from "/etc/ipsec.d/ipsec.secrets"
- | id type added to secret(0x7fdd6cc2f6a0) PPK_PSK: @LEFTID
- | id type added to secret(0x7fdd6cc2f6a0) PPK_PSK: REMOTEIP/ID
- | Processing PSK at line 10: passed
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 60 seconds
- | next event EVENT_PENDING_DDNS in 60 seconds
- |
- | *received whack message
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 60 seconds
- | next event EVENT_PENDING_DDNS in 60 seconds
- |
- | *received whack message
- initiating all conns with alias='host-prd'
- | processing connection host-prd/0x2
- | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
- | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
- | returning new proposal from esp_info
- | creating state object #1 at 0x7fdd6cc2f850
- | processing connection host-prd/0x2
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 10
- | inserting state object #1 on chain 10
- | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
- | processing connection host-prd/0x2
- | Queuing pending Quick Mode with REMOTEIP/ID "host-prd/0x2"
- "host-prd/0x2" #1: initiating Main Mode
- | sending 216 bytes for main_outI1 through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
- | processing connection host-prd/0x1
- | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
- | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
- | returning new proposal from esp_info
- | Queuing pending Quick Mode with REMOTEIP/ID "host-prd/0x1"
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 50 seconds
- | processing connection host-prd/0x2
- | handling event EVENT_RETRANSMIT for REMOTEIP/ID "host-prd/0x2" #1
- | sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
- | next event EVENT_RETRANSMIT in 20 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 30 seconds
- | processing connection host-prd/0x2
- | handling event EVENT_RETRANSMIT for REMOTEIP/ID "host-prd/0x2" #1
- | sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
- | next event EVENT_PENDING_DDNS in 30 seconds
- |
- | next event EVENT_PENDING_DDNS in 0 seconds
- | *time to handle event
- | handling event EVENT_PENDING_DDNS
- | event after this is EVENT_RETRANSMIT in 10 seconds
- | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 50 seconds
- | processing connection host-prd/0x2
- | handling event EVENT_RETRANSMIT for REMOTEIP/ID "host-prd/0x2" #1
- | sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
- | next event EVENT_RETRANSMIT in 40 seconds for #1
- |
- | *received 100 bytes from REMOTEIP/ID:500 on eth0 (port=500)
- | **parse ISAKMP Message:
- | initiator cookie:
- | 9b 9f 27 9e d4 4c bf 1e
- | responder cookie:
- | 75 03 7c 62 ed 65 2b 80
- | next payload type: ISAKMP_NEXT_SA
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | length: 100
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 75 03 7c 62 ed 65 2b 80
- | state hash entry 3
- | v1 state object not found
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 10
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_I1
- | processing connection host-prd/0x2
- | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
- | ***parse ISAKMP Security Association Payload:
- | next payload type: ISAKMP_NEXT_VID
- | length: 52
- | DOI: ISAKMP_DOI_IPSEC
- | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
- | ***parse ISAKMP Vendor ID Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 20
- "host-prd/0x2" #1: ignoring unknown Vendor ID payload [4855415745492d494b45763144534350]
- | ****parse IPsec DOI SIT:
- | IPsec DOI SIT: SIT_IDENTITY_ONLY
- | ****parse ISAKMP Proposal Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 40
- | proposal number: 0
- | protocol ID: PROTO_ISAKMP
- | SPI size: 0
- | number of transforms: 1
- | *****parse ISAKMP Transform Payload (ISAKMP):
- | next payload type: ISAKMP_NEXT_NONE
- | length: 32
- | transform number: 0
- | transform ID: KEY_IKE
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_TYPE
- | length/value: 1
- | [1 is OAKLEY_LIFE_SECONDS]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_LIFE_DURATION
- | length/value: 14400
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- | length/value: 5
- | [5 is OAKLEY_3DES_CBC]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_HASH_ALGORITHM
- | length/value: 2
- | [2 is OAKLEY_SHA1]
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_AUTHENTICATION_METHOD
- | length/value: 1
- | [1 is OAKLEY_PRESHARED_KEY]
- | started looking for secret for @LEFTID->REMOTEIP/ID of kind PPK_PSK
- | actually looking for secret for @LEFTID->REMOTEIP/ID of kind PPK_PSK
- | 1: compared key REMOTEIP/ID to @LEFTID / REMOTEIP/ID -> 4
- | 2: compared key @LEFTID to @LEFTID / REMOTEIP/ID -> 12
- | line 9: match=12
- | best_match 0>12 best=0x7fdd6cc2f6a0 (line=9)
- | concluding with best_match=12 best=0x7fdd6cc2f6a0 (lineno=9)
- | ******parse ISAKMP Oakley attribute:
- | af+type: OAKLEY_GROUP_DESCRIPTION
- | length/value: 2
- | [2 is OAKLEY_GROUP_MODP1024]
- | Oakley Transform 0 accepted
- | 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
- | asking helper 1 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1)
- | crypto helper write of request: cnt=2776<wlen=2776.
- | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
- | complete state transition with STF_SUSPEND
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 50 seconds
- | next event EVENT_PENDING_DDNS in 50 seconds
- | helper 1 read 2768+4/2776 bytes fd: 10
- | helper 1 doing build_kenonce op id: 1
- |
- | helper 1 has finished work (cnt now 1)
- | helper 1 replies to id: q#1
- | processing connection host-prd/0x2
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 00 00 00 00 00 00 00 00
- | state hash entry 10
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 75 03 7c 62 ed 65 2b 80
- | state hash entry 3
- | inserting state object #1 on chain 3
- | complete state transition with STF_OK
- "host-prd/0x2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
- | sending reply packet to REMOTEIP/ID:500 (from port 500)
- | sending 180 bytes for STATE_MAIN_I1 through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
- "host-prd/0x2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
- | modecfg pull: noquirk policy:push not-client
- | phase 1 is done, looking for phase 2 to unpend
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | *received 180 bytes from REMOTEIP/ID:500 on eth0 (port=500)
- | **parse ISAKMP Message:
- | initiator cookie:
- | 9b 9f 27 9e d4 4c bf 1e
- | responder cookie:
- | 75 03 7c 62 ed 65 2b 80
- | next payload type: ISAKMP_NEXT_KE
- | ISAKMP version: ISAKMP Version 1.0 (rfc2407)
- | exchange type: ISAKMP_XCHG_IDPROT
- | flags: none
- | message ID: 00 00 00 00
- | length: 180
- | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
- | ICOOKIE: 9b 9f 27 9e d4 4c bf 1e
- | RCOOKIE: 75 03 7c 62 ed 65 2b 80
- | state hash entry 3
- | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
- | v1 state object #1 found, in STATE_MAIN_I2
- | processing connection host-prd/0x2
- | got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
- | ***parse ISAKMP Key Exchange Payload:
- | next payload type: ISAKMP_NEXT_NONCE
- | length: 132
- | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
- | ***parse ISAKMP Nonce Payload:
- | next payload type: ISAKMP_NEXT_NONE
- | length: 20
- | started looking for secret for @LEFTID->REMOTEIP/ID of kind PPK_PSK
- | actually looking for secret for @LEFTID->REMOTEIP/ID of kind PPK_PSK
- | 1: compared key REMOTEIP/ID to @LEFTID / REMOTEIP/ID -> 4
- | 2: compared key @LEFTID to @LEFTID / REMOTEIP/ID -> 12
- | line 9: match=12
- | best_match 0>12 best=0x7fdd6cc2f6a0 (line=9)
- | concluding with best_match=12 best=0x7fdd6cc2f6a0 (lineno=9)
- | parent1 type: 7 group: 2 len: 2776
- | 2: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
- | asking helper 2 to do compute dh+iv op on seq: 2 (len=2776, pcw_work=1)
- | crypto helper write of request: cnt=2776<wlen=2776.
- | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
- | complete state transition with STF_SUSPEND
- | * processed 0 messages from cryptographic helpers
- | next event EVENT_PENDING_DDNS in 50 seconds
- | next event EVENT_PENDING_DDNS in 50 seconds
- | helper 2 read 2768+4/2776 bytes fd: 12
- | helper 2 doing compute dh+iv op id: 2
- |
- | helper 2 has finished work (cnt now 1)
- | helper 2 replies to id: q#2
- | processing connection host-prd/0x2
- | thinking about whether to send my certificate:
- | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
- | sendcert: CERT_ALWAYSSEND and I did not get a certificate request
- | so do not send cert.
- | I did not send a certificate because digital signatures are not being used. (PSK)
- | I am not sending a certificate request
- "host-prd/0x2" #1: I will NOT send an initial contact payload
- "host-prd/0x2" #1: Not sending INITIAL_CONTACT
- | complete state transition with STF_OK
- "host-prd/0x2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
- | sending reply packet to REMOTEIP/ID:500 (from port 500)
- | sending 68 bytes for STATE_MAIN_I2 through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
- "host-prd/0x2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
- | modecfg pull: noquirk policy:push not-client
- | phase 1 is done, looking for phase 2 to unpend
- | * processed 1 messages from cryptographic helpers
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- | next event EVENT_RETRANSMIT in 10 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 40 seconds
- | processing connection host-prd/0x2
- | handling event EVENT_RETRANSMIT for REMOTEIP/ID "host-prd/0x2" #1
- | sending 68 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
- | next event EVENT_RETRANSMIT in 20 seconds for #1
- |
- | next event EVENT_RETRANSMIT in 0 seconds for #1
- | *time to handle event
- | handling event EVENT_RETRANSMIT
- | event after this is EVENT_PENDING_DDNS in 20 seconds
- | processing connection host-prd/0x2
- | handling event EVENT_RETRANSMIT for REMOTEIP/ID "host-prd/0x2" #1
- | sending 68 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
- | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
- | next event EVENT_PENDING_DDNS in 20 seconds
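The paste is a raw Pluto debug log with no commentary, so here is an added example (written for this page, not code from the paste or from Openswan) that reads the log the way a practitioner does: it follows the Main Mode state transitions, counts retransmits per state, decodes the hex Vendor ID that Pluto reports as unknown, and lists the algorithms in the accepted transform. The embedded log excerpt is copied from the lines above with the list markers dropped; the heuristics in `diagnose()` and the wording of `WEAK_ALGS` are the editor's reading of a handshake that is stuck at `STATE_MAIN_I3`, not Pluto's own output.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the Pluto debug log on this page: only the lines the analyzer
# keys on, in their original order, with the paste's list markers dropped.
SAMPLE_LOG = """\
"host-prd/0x2" #1: initiating Main Mode
| sending 216 bytes for main_outI1 through eth0:500 to REMOTEIP/ID:500 (using #1)
| sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
| sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
| sending 216 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
| *received 100 bytes from REMOTEIP/ID:500 on eth0 (port=500)
"host-prd/0x2" #1: ignoring unknown Vendor ID payload [4855415745492d494b45763144534350]
| [5 is OAKLEY_3DES_CBC]
| [2 is OAKLEY_SHA1]
| [1 is OAKLEY_PRESHARED_KEY]
| [2 is OAKLEY_GROUP_MODP1024]
"host-prd/0x2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| *received 180 bytes from REMOTEIP/ID:500 on eth0 (port=500)
"host-prd/0x2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"host-prd/0x2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
| sending 68 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
| sending 68 bytes for EVENT_RETRANSMIT through eth0:500 to REMOTEIP/ID:500 (using #1)
"""

# Algorithms from the accepted transform, with the reason a reviewer would flag each
# (editor's wording, not Pluto's).
WEAK_ALGS = {
    "OAKLEY_3DES_CBC": "3DES: 64-bit block cipher, Sweet32-style collisions after ~32 GiB under one key",
    "OAKLEY_GROUP_MODP1024": "MODP1024: 1024-bit DH group, roughly 80-bit security",
    "OAKLEY_SHA1": "SHA1: deprecated; HMAC-SHA1 is not broken but SHA2 is the expected replacement",
}

INIT_RE = re.compile(r"initiating Main Mode")
STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
RETRANS_RE = re.compile(r"sending (\d+) bytes for EVENT_RETRANSMIT")
RECV_RE = re.compile(r"\*received (\d+) bytes from")
VID_RE = re.compile(r"Vendor ID payload \[([0-9a-fA-F]+)\]")
ALG_RE = re.compile(r"\[\d+ is (OAKLEY_\w+)\]")


def decode_vendor_id(hex_payload: str) -> str:
    """Show a Vendor ID payload as text: ASCII tags read directly, hashed VIDs become U+FFFD."""
    return bytes.fromhex(hex_payload).decode("ascii", errors="replace")


def parse_pluto(text: str) -> dict:
    """Summarise one IKEv1 Main Mode attempt: state reached, retransmits per state, replies."""
    state, reply_in_state = None, False
    retransmits = defaultdict(Counter)       # state -> {packet size: count}
    received, vendor_ids, algorithms = [], [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").lstrip("|").strip()   # tolerate "- | " prefixes
        if INIT_RE.search(line):
            state, reply_in_state = "STATE_MAIN_I1", False     # MI1 is sent from I1
        if m := STATE_RE.search(line):
            state, reply_in_state = m.group(2), False
        if m := RETRANS_RE.search(line):
            retransmits[state][int(m.group(1))] += 1
        if m := RECV_RE.search(line):
            received.append(int(m.group(1)))
            reply_in_state = True
        if m := VID_RE.search(line):
            vendor_ids.append(decode_vendor_id(m.group(1)))
        if m := ALG_RE.search(line):
            algorithms.append(m.group(1))
    return {"last_state": state, "reply_in_last_state": reply_in_state,
            "retransmits": {s: dict(c) for s, c in retransmits.items()},
            "received": received, "vendor_ids": vendor_ids, "algorithms": algorithms}


def diagnose(summary: dict) -> list:
    """Findings a practitioner would act on; the heuristics are this example's, not Pluto's."""
    findings = []
    last = summary["last_state"]
    stuck = sum(summary["retransmits"].get(last, {}).values())
    if stuck and not summary["reply_in_last_state"]:
        if last == "STATE_MAIN_I3":
            findings.append(f"MI3 retransmitted {stuck}x with no MR3: MI3 is the first encrypted "
                            "Main Mode message, so suspect a PSK mismatch, a peer-ID mismatch, or "
                            "the peer dropping it; the responder's own log will say which")
        elif last == "STATE_MAIN_I1":
            findings.append(f"MI1 retransmitted {stuck}x with no MR1: UDP/500 to the peer may be blocked")
    for alg in dict.fromkeys(summary["algorithms"]):   # unique, in negotiation order
        if alg in WEAK_ALGS:
            findings.append(WEAK_ALGS[alg])
    return findings


if __name__ == "__main__":
    summary = parse_pluto(SAMPLE_LOG)
    print(summary)
    for finding in diagnose(summary):
        print("-", finding)
```

On the page's log this reports the state machine stopping at `STATE_MAIN_I3` after two unanswered MI3 retransmits, three earlier MI1 retransmits before MR1 arrived, the Vendor ID decoding to the ASCII tag `HUAWEI-IKEv1DSCP`, and 3DES/SHA1/MODP1024 as the negotiated Phase 1 suite. The MI3 finding is the one to chase first: the responder decrypts MI3 with keys derived from the PSK, so a wrong secret or an ID that matches no `ipsec.secrets` entry on the far side produces exactly this silence.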
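The MR1 dump in the log (100 bytes on the wire: a 28-byte ISAKMP header, a 52-byte SA payload holding one 40-byte proposal with one 32-byte transform, then a 20-byte Vendor ID payload) can be reproduced byte for byte from RFC 2408 and RFC 2409. The following is an added example by the editor, not Openswan code: it rebuilds that packet from the cookies and attribute values Pluto printed, then parses it back with the length checks a receiver needs before trusting any payload. The numeric constants are the RFC-assigned values; the function names are the example's own, and `parse_sa()` handles only the one-proposal, one-transform layout shown on the page rather than the general case.

```python
import struct

# ISAKMP/Oakley constants (RFC 2408 section 3, RFC 2409 appendix A) used by the MR1 on this page.
NEXT_NONE, NEXT_SA, NEXT_VID = 0, 1, 13
XCHG_IDPROT = 2                      # ISAKMP_XCHG_IDPROT, i.e. Main Mode
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
OAKLEY_3DES_CBC, OAKLEY_SHA1, OAKLEY_PSK, OAKLEY_MODP1024, LIFE_SECONDS = 5, 2, 1, 2, 1

ICOOKIE = bytes.fromhex("9b9f279ed44cbf1e")   # cookies exactly as dumped in the log
RCOOKIE = bytes.fromhex("75037c62ed652b80")
VID_HUAWEI = bytes.fromhex("4855415745492d494b45763144534350")   # the "unknown" Vendor ID


def basic_attr(atype: int, value: int) -> bytes:
    """Type/Value attribute: AF bit set, 15-bit type, 16-bit value (4 bytes total)."""
    return struct.pack("!HH", 0x8000 | atype, value)


def payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header: next payload, reserved, length including the 4-byte header."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_mr1() -> bytes:
    """Reassemble the responder's 100-byte Main Mode reply (MR1) in the order Pluto parsed it."""
    attrs = (basic_attr(ATTR_LIFE_TYPE, LIFE_SECONDS) + basic_attr(ATTR_LIFE_DUR, 14400)
             + basic_attr(ATTR_ENC, OAKLEY_3DES_CBC) + basic_attr(ATTR_HASH, OAKLEY_SHA1)
             + basic_attr(ATTR_AUTH, OAKLEY_PSK) + basic_attr(ATTR_GROUP, OAKLEY_MODP1024))
    transform = payload(NEXT_NONE, struct.pack("!BBH", 0, KEY_IKE, 0) + attrs)            # 32 bytes
    proposal = payload(NEXT_NONE, struct.pack("!BBBB", 0, PROTO_ISAKMP, 0, 1) + transform)  # 40 bytes
    sa = payload(NEXT_VID, struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal)   # 52 bytes
    vid = payload(NEXT_NONE, VID_HUAWEI)                                                  # 20 bytes
    body = sa + vid
    header = struct.pack("!8s8sBBBBII", ICOOKIE, RCOOKIE, NEXT_SA, 0x10,   # version 1.0
                         XCHG_IDPROT, 0, 0, 28 + len(body))
    return header + body


def parse_sa(body: bytes) -> dict:
    """SA body: DOI, situation, then (as on this page) one proposal carrying one transform."""
    doi, sit = struct.unpack("!II", body[:8])
    _, _, plen, _, proto, spi_size, _ = struct.unpack("!BBHBBBB", body[8:16])
    trans = body[16 + spi_size:8 + plen]
    _, _, tlen, _, tid, _ = struct.unpack("!BBHBBH", trans[:8])
    attrs, pos = {}, 8
    while pos < tlen:
        af_type, val = struct.unpack("!HH", trans[pos:pos + 4])
        if af_type & 0x8000:                      # basic form: the 2 bytes are the value
            attrs[af_type & 0x7FFF] = val
            pos += 4
        else:                                     # variable form: val is a byte length
            attrs[af_type] = int.from_bytes(trans[pos + 4:pos + 4 + val], "big")
            pos += 4 + val
    return {"doi": doi, "situation": sit, "protocol": proto, "transform_id": tid, "attrs": attrs}


def parse_isakmp(pkt: bytes) -> dict:
    """Parse the header, then walk the payload chain, refusing lengths that leave the buffer."""
    icookie, rcookie, nxt, ver, xchg, _, _, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError(f"header length {length} != packet length {len(pkt)}")
    out = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "exchange": xchg,
           "version": (ver >> 4, ver & 0xF), "payloads": [], "attributes": {}, "vendor_ids": []}
    off = 28
    while nxt != NEXT_NONE:
        nxt_next, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + 4:off + plen]
        out["payloads"].append((nxt, plen))
        if nxt == NEXT_SA:
            out["attributes"] = parse_sa(body)
        elif nxt == NEXT_VID:
            out["vendor_ids"].append(body.hex())
        off, nxt = off + plen, nxt_next
    return out


if __name__ == "__main__":
    packet = build_mr1()
    print(len(packet), "bytes")
    print(parse_isakmp(packet))
```

The rebuilt packet is 100 bytes with payload lengths 52 and 20, matching Pluto's `length:` lines, and parsing it back yields the six Oakley attributes in the dump (life type 1, duration 14400, encryption 5, hash 2, auth 1, group 2). The two `ValueError` checks are the part worth copying: an ISAKMP receiver that trusts a payload length without bounding it against the datagram is the classic way an IKE daemon reads past its buffer.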