On 13/06/2018 7:49 am, Paul Wouters wrote:
Is there any way to support both families concurrently (a type of autodetect)

Not yet. You will have to define a v4 and a v6 conn.

Ok - that's fine. That works (but for anyone else who tries this as I did - just remember you need to have a different conn name for each one even if the policies are otherwise almost identical, otherwise Libreswan starts normally but only applies one of the two conns)

I have copied my original and appended it with -ipv4 and the new one with -ipv6. The only difference aside from the conn name is the left= and right= parameters.

But back to this connection, it's now progressing a lot further - but not quite completing still and data is still not flowing:

The below only shows liveness. So that assumes the connection
established? So can you show "ip xfrm pol" and "ip xfrm state" and
"ipsec status |grep router-2.reub.net"

It looks more or less OK but there's still no data flow. I still cannot ping IPv4 between the two devices over IPv6.

Just to recap - this is what I have on the Cisco side:

interface Tunnel1
<snip>
 tunnel mode ipsec ipv6 v4-overlay
 tunnel destination 2400:8901::F03C:91FF:FE6E:9DC
end

The router is an 819 with IOS 15.7(3)M2, which is the latest release for this platform.

Do the mark or any other values of the two separate conns need to be different even if only one is used at a time?

Here are the outputs requested above:

lightning /etc/ipsec.d # ip xfrm pol
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 1048575
        mark 0xc/0xffffff
tmpl src 2400:8901::f03c:91ff:fe6e:9dc dst 2001:8004:1400:20c9:1863:feff:fea4:d208
                proto esp reqid 16397 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 1048575
        mark 0xc/0xffffff
tmpl src 2001:8004:1400:20c9:1863:feff:fea4:d208 dst 2400:8901::f03c:91ff:fe6e:9dc
                proto esp reqid 16397 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 1048575
        mark 0xc/0xffffff
tmpl src 2001:8004:1400:20c9:1863:feff:fea4:d208 dst 2400:8901::f03c:91ff:fe6e:9dc
                proto esp reqid 16397 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir out priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir fwd priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 135
        dir in priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir out priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir fwd priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
        dir in priority 1
lightning /etc/ipsec.d #

lightning /etc/ipsec.d # ip xfrm state
src 2001:8004:1400:20c9:1863:feff:fea4:d208 dst 2400:8901::f03c:91ff:fe6e:9dc
        proto esp spi 0x1d6f43e9 reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x56130393b7b349ff0c61ee45a0ed58dc1db52b3a 96
        enc cbc(aes) 0x909d165e146fcd52272a4946a3bea41d
        anti-replay context: seq 0x12, oseq 0x0, bitmap 0x0003ffff
src 2400:8901::f03c:91ff:fe6e:9dc dst 2001:8004:1400:20c9:1863:feff:fea4:d208
        proto esp spi 0x2867ffcc reqid 16397 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb8aba431f6d67229bca8fb3d66fca8edeb7f8f8f 96
        enc cbc(aes) 0xb406eb113427edb19abcc0c752dbc1d1
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
lightning /etc/ipsec.d #

Ignore the ipv4 connection below because it's not used in this test, but:
lightning /etc/ipsec.d # ipsec status |grep router-2.reub.net
000 "router-2.reub.net-ipv4": 0.0.0.0/0===139.162.51.249<139.162.51.249>[@lightning.reub.net]...%any[[email protected]]===0.0.0.0/0; unrouted; eroute owner: #0
000 "router-2.reub.net-ipv4": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "router-2.reub.net-ipv4": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net-ipv4":   our auth:secret, their auth:secret
000 "router-2.reub.net-ipv4": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "router-2.reub.net-ipv4":   labeled_ipsec:no;
000 "router-2.reub.net-ipv4":   policy_label:unset;
000 "router-2.reub.net-ipv4": ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net-ipv4": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net-ipv4": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net-ipv4": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net-ipv4": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net-ipv4": nflog-group: unset; mark: 12/0xffffff, 12/0xffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "router-2.reub.net-ipv4": our idtype: ID_FQDN; our [email protected]; their idtype: ID_USER_FQDN; their [email protected]
000 "router-2.reub.net-ipv4": dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net-ipv4":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net-ipv4": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000 "router-2.reub.net-ipv6": 0.0.0.0/0===2400:8901::f03c:91ff:fe6e:9dc<2400:8901::f03c:91ff:fe6e:09dc>[@lightning.reub.net]...%any[[email protected]]===0.0.0.0/0; unrouted; eroute owner: #0
000 "router-2.reub.net-ipv6": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "router-2.reub.net-ipv6": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net-ipv6":   our auth:secret, their auth:secret
000 "router-2.reub.net-ipv6": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "router-2.reub.net-ipv6":   labeled_ipsec:no;
000 "router-2.reub.net-ipv6":   policy_label:unset;
000 "router-2.reub.net-ipv6": ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net-ipv6": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net-ipv6": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net-ipv6": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net-ipv6": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net-ipv6": nflog-group: unset; mark: 12/0xffffff, 12/0xffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "router-2.reub.net-ipv6": our idtype: ID_FQDN; our [email protected]; their idtype: ID_USER_FQDN; their [email protected]
000 "router-2.reub.net-ipv6": dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net-ipv6":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "router-2.reub.net-ipv6": IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000 "router-2.reub.net-ipv6"[1]: 0.0.0.0/0===2400:8901::f03c:91ff:fe6e:9dc<2400:8901::f03c:91ff:fe6e:09dc>[@lightning.reub.net]...2001:8004:1400:20c9:1863:feff:fea4:d208<::>[[email protected]]===0.0.0.0/0; erouted; eroute owner: #2
000 "router-2.reub.net-ipv6"[1]: oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "router-2.reub.net-ipv6"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "router-2.reub.net-ipv6"[1]:   our auth:secret, their auth:secret
000 "router-2.reub.net-ipv6"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "router-2.reub.net-ipv6"[1]:   labeled_ipsec:no;
000 "router-2.reub.net-ipv6"[1]:   policy_label:unset;
000 "router-2.reub.net-ipv6"[1]: ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "router-2.reub.net-ipv6"[1]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "router-2.reub.net-ipv6"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "router-2.reub.net-ipv6"[1]: policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "router-2.reub.net-ipv6"[1]: conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "router-2.reub.net-ipv6"[1]: nflog-group: unset; mark: 12/0xffffff, 12/0xffffff; vti-iface:vti-1; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "router-2.reub.net-ipv6"[1]: our idtype: ID_FQDN; our [email protected]; their idtype: ID_USER_FQDN; their [email protected]
000 "router-2.reub.net-ipv6"[1]: dpd: action:clear; delay:15; timeout:45; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "router-2.reub.net-ipv6"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "router-2.reub.net-ipv6"[1]: IKE algorithms: AES_CBC_256-HMAC_SHA1-MODP1536
000 "router-2.reub.net-ipv6"[1]: IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA1-MODP1536
000 "router-2.reub.net-ipv6"[1]: ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<Phase1>
000 #1: "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208:500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 85640s; newest ISAKMP; idle; import:respond to stranger
000 #2: "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208:500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_REPLACE in 2840s; newest IPSEC; eroute owner; isakmp#1; idle; import:respond to stranger
000 #2: "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 esp:2867ffcc@2001:8004:1400:20c9:1863:feff:fea4:d208 esp:1d6f43e9@2400:8901::f03c:91ff:fe6e:9dc tun:0@2001:8004:1400:20c9:1863:feff:fea4:d208 tun:0@2400:8901::f03c:91ff:fe6e:9dc ref=0 refhim=0 Traffic: ESPin=1KB ESPout=0B! ESPmax=0B
lightning /etc/ipsec.d #

The Cisco is logging this:

Jun 13 22:07:30: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 34
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:07:30: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
Jun 13 22:07:42: IKEv2:Send NAT keepalive packet local 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500 remote 2400:8901::F03C:91FF:FE6E:9DC:500
Jun 13 22:07:42: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:07:42: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 30
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:07:42: IKEv2-ERROR:: A supplied parameter is incorrect
Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Sending DPD/liveness query
Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Building packet for encryption.
Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Checking if request will fit in peer window

Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 35
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR


Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 35
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:07:45: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
Jun 13 22:07:57: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:07:57: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 31
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:07:57: IKEv2-ERROR:: A supplied parameter is incorrect
Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Sending DPD/liveness query
Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Building packet for encryption.
Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Checking if request will fit in peer window

Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 36
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR


Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 36
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:08:00: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
Jun 13 22:08:12: IKEv2:Send NAT keepalive packet local 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500 remote 2400:8901::F03C:91FF:FE6E:9DC:500
Jun 13 22:08:12: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:08:12: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 32
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:08:12: IKEv2-ERROR:: A supplied parameter is incorrect
Jun 13 22:08:15: IKEv2:(SESSION ID = 43,SA ID = 1):Sending DPD/liveness query
Jun 13 22:08:15: IKEv2:(SESSION ID = 43,SA ID = 1):Building packet for encryption.
Jun 13 22:08:15: IKEv2:(SESSION ID = 43,SA ID = 1):Checking if request will fit in peer window

Jun 13 22:08:15: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 37
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR

Jun 13 22:08:17: IKEv2:(SESSION ID = 43,SA ID = 1):Retransmitting packet

Jun 13 22:08:17: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 37
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR


Jun 13 22:08:17: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 37
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:08:17: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
Jun 13 22:08:27: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:08:27: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 33
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:08:27: IKEv2-ERROR:: A supplied parameter is incorrect
Jun 13 22:08:32: IKEv2:(SESSION ID = 43,SA ID = 1):Sending DPD/liveness query
Jun 13 22:08:32: IKEv2:(SESSION ID = 43,SA ID = 1):Building packet for encryption.
Jun 13 22:08:32: IKEv2:(SESSION ID = 43,SA ID = 1):Checking if request will fit in peer window

Jun 13 22:08:32: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 38
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR


Jun 13 22:08:33: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 38
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:08:33: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
router-2#
router-2#
Jun 13 22:08:42: IKEv2:Send NAT keepalive packet local 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500 remote 2400:8901::F03C:91FF:FE6E:9DC:500
Jun 13 22:08:42: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:08:42: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 34
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:08:42: IKEv2-ERROR:: A supplied parameter is incorrect
Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Sending DPD/liveness query
Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Building packet for encryption.
Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Checking if request will fit in peer window

Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Sending Packet [To 2400:8901::F03C:91FF:FE6E:9DC:500/From 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 39
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR


Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 39
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 13 22:08:48: IKEv2:(SESSION ID = 43,SA ID = 1):Processing ACK to informational exchange
router-2#
Jun 13 22:08:57: IKEv2-ERROR:Couldn't find matching SA: Received an IKE msg id outside supported window

Jun 13 22:08:57: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2400:8901::F03C:91FF:FE6E:9DC:500/To 2001:8004:1400:20C9:1863:FEFF:FEA4:D208:500/VRF i0:f0] Initiator SPI : 6840CF33E4136A03 - Responder SPI : 8169A2EC2CE3E2A2 Message id: 35
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 13 22:08:57: IKEv2-ERROR:: A supplied parameter is incorrect
router-2#

and Libreswan is logging this:

Jun 13 20:09:03.797874: | *received 76 bytes from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 on eth0 (port=500)
Jun 13 20:09:03.797973: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:03.797981: | 2e 20 25 08 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:03.797986: | dd e2 a7 93 5c 22 4a 6a dd f8 8e a8 04 d1 16 28
Jun 13 20:09:03.797991: | 45 8c e3 3a 28 bf 0e 73 92 eb da 19 f7 1a 8e f2
Jun 13 20:09:03.797996: |   18 3c bd fa  e1 e1 2d c4  93 83 e7 3c
Jun 13 20:09:03.798011: | processing: start from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:391)
Jun 13 20:09:03.798022: | **parse ISAKMP Message:
Jun 13 20:09:03.798028: |    initiator cookie:
Jun 13 20:09:03.798034: |   68 40 cf 33  e4 13 6a 03
Jun 13 20:09:03.798038: |    responder cookie:
Jun 13 20:09:03.798043: |   81 69 a2 ec  2c e3 e2 a2
Jun 13 20:09:03.798049: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
Jun 13 20:09:03.798054: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jun 13 20:09:03.798060: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
Jun 13 20:09:03.798066: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jun 13 20:09:03.798071: |    message ID:  00 00 00 28
Jun 13 20:09:03.798076: |    length: 76 (0x4c)
Jun 13 20:09:03.798083: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37)
Jun 13 20:09:03.798090: | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL
Jun 13 20:09:03.798095: | I am the IKE SA Original Responder
Jun 13 20:09:03.798112: | cookies table: hash icookie 68 40 cf 33 e4 13 6a 03 rcookie 81 69 a2 ec 2c e3 e2 a2 to 12656043768357558533 slot 0x56241087a9c0
Jun 13 20:09:03.798120: | parent v2 peer and cookies match on #1
Jun 13 20:09:03.798166: | v2 state object #1 found, in STATE_PARENT_R2
Jun 13 20:09:03.798184: | processing: start state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in processed_retransmit() at ikev2.c:1187)
Jun 13 20:09:03.798190: | found state #1
Jun 13 20:09:03.798200: | processing: [RE]START state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in ikev2_process_packet() at ikev2.c:1538)
Jun 13 20:09:03.798209: | processing: start connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1543)
Jun 13 20:09:03.798215: | #1 is idle
Jun 13 20:09:03.798220: | #1 idle
Jun 13 20:09:03.798226: | #1 in state PARENT_R2: received v2I2, PARENT SA established
Jun 13 20:09:03.798233: | Unpacking clear payload for svm: R2: process INFORMATIONAL Request
Jun 13 20:09:03.798238: | Now let's proceed with payload (ISAKMP_NEXT_v2SK)
Jun 13 20:09:03.798245: | ***parse IKEv2 Encryption Payload:
Jun 13 20:09:03.798250: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 13 20:09:03.798255: |    flags: none (0x0)
Jun 13 20:09:03.798259: |    length: 48 (0x30)
Jun 13 20:09:03.798264: | processing payload: ISAKMP_NEXT_v2SK (len=48)
Jun 13 20:09:03.798383: | data for hmac: 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:03.798394: | data for hmac: 2e 20 25 08 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:03.798398: | data for hmac: dd e2 a7 93 5c 22 4a 6a dd f8 8e a8 04 d1 16 28
Jun 13 20:09:03.798402: | data for hmac: 45 8c e3 3a 28 bf 0e 73 92 eb da 19 f7 1a 8e f2
Jun 13 20:09:03.798407: | calculated auth: 18 3c bd fa e1 e1 2d c4 93 83 e7 3c
Jun 13 20:09:03.798411: | provided auth: 18 3c bd fa e1 e1 2d c4 93 83 e7 3c
Jun 13 20:09:03.798416: | authenticator matched
Jun 13 20:09:03.798448: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success
Jun 13 20:09:03.798455: | selected state microcode R2: process INFORMATIONAL Request
Jun 13 20:09:03.798460: | Now lets proceed with state specific processing
Jun 13 20:09:03.798465: | calling processor R2: process INFORMATIONAL Request
Jun 13 20:09:03.798471: | an informational request should send a response
Jun 13 20:09:03.798476: | MOBIKE request: not updating IPsec SA
Jun 13 20:09:03.798496: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness
Jun 13 20:09:03.798506: | **emit ISAKMP Message:
Jun 13 20:09:03.798511: |    initiator cookie:
Jun 13 20:09:03.798516: |   68 40 cf 33  e4 13 6a 03
Jun 13 20:09:03.798521: |    responder cookie:
Jun 13 20:09:03.798526: |   81 69 a2 ec  2c e3 e2 a2
Jun 13 20:09:03.798531: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
Jun 13 20:09:03.798536: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jun 13 20:09:03.798541: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
Jun 13 20:09:03.798546: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jun 13 20:09:03.798551: |    message ID:  00 00 00 28
Jun 13 20:09:03.798558: | next payload type: saving message location 'ISAKMP Message' 'next payload type'
Jun 13 20:09:03.798564: | ***emit IKEv2 Encryption Payload:
Jun 13 20:09:03.798570: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 13 20:09:03.798575: |    flags: none (0x0)
Jun 13 20:09:03.798581: | next payload type: previous 'ISAKMP Message' 'next payload type' matches 'IKEv2 Encryption Payload' (46:ISAKMP_NEXT_v2SK)
Jun 13 20:09:03.798586: | next payload type: saving payload location 'IKEv2 Encryption Payload' 'next payload type'
Jun 13 20:09:03.798602: | emitting 16 raw bytes of IV into IKEv2 Encryption Payload
Jun 13 20:09:03.798608: | IV fa 21 c1 e1 0d e2 0a 38 c0 8f 11 20 41 b3 6c 1e
Jun 13 20:09:03.798614: | emitting 16 raw bytes of padding and length into cleartext
Jun 13 20:09:03.798619: | padding and length 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
Jun 13 20:09:03.798625: | emitting 12 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
Jun 13 20:09:03.798644: | emitting length of IKEv2 Encryption Payload: 48
Jun 13 20:09:03.798650: | emitting length of ISAKMP Message: 76
Jun 13 20:09:03.798700: | data being hmac: 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:03.798710: | data being hmac: 2e 20 25 20 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:03.798715: | data being hmac: fa 21 c1 e1 0d e2 0a 38 c0 8f 11 20 41 b3 6c 1e
Jun 13 20:09:03.798718: | data being hmac: f1 87 2c be f7 f7 81 6e c7 d6 c6 08 c7 34 4b 4e
Jun 13 20:09:03.798722: | out calculated auth:
Jun 13 20:09:03.798726: |   df a2 38 22  6e 0e ef 44  90 ed f3 64
Jun 13 20:09:03.798742: | sending 76 bytes for reply packet for process_encrypted_informational_ikev2 through eth0:500 to 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (using #1)
Jun 13 20:09:03.798747: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:03.798751: | 2e 20 25 20 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:03.798756: | fa 21 c1 e1 0d e2 0a 38 c0 8f 11 20 41 b3 6c 1e
Jun 13 20:09:03.798759: | f1 87 2c be f7 f7 81 6e c7 d6 c6 08 c7 34 4b 4e
Jun 13 20:09:03.798765: |   df a2 38 22  6e 0e ef 44  90 ed f3 64
Jun 13 20:09:03.798946: | message ID #1 STATE_PARENT_R2 router-2.reub.net-ipv6 pst #1 st_msgid_nextuse(before=36) 36 st_msgid_lastack 4294967295 st_msgid_lastrecv 40 md is a request
Jun 13 20:09:03.798968: | processing: [RE]START state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in complete_v2_state_transition() at ikev2.c:2787)
Jun 13 20:09:03.798976: | #1 complete v2 state transition from STATE_PARENT_R2 with STF_OK
Jun 13 20:09:03.798983: | message ID #1 STATE_PARENT_R2 router-2.reub.net-ipv6 pst #1 st_msgid_nextuse(before=36) 36 st_msgid_lastack 4294967295 st_msgid_lastrecv 40 md is a request
Jun 13 20:09:03.798993: | processing: stop from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (BACKGROUND) (in process_md() at demux.c:393)
Jun 13 20:09:03.799005: | processing: stop state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:395)
Jun 13 20:09:03.799012: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:03.799017: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:03.799024: | processing: resume connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 (in process_md() at demux.c:395)
Jun 13 20:09:03.799032: | processing: stop connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 (in process_md() at demux.c:396)
Jun 13 20:09:04.113877: |  kernel_process_msg_cb process netlink message
Jun 13 20:09:04.115823: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 13 20:09:04.115908: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 13 20:09:05.738698: | *received 76 bytes from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 on eth0 (port=500)
Jun 13 20:09:05.739344: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:05.739383: | 2e 20 25 08 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:05.739398: | dd e2 a7 93 5c 22 4a 6a dd f8 8e a8 04 d1 16 28
Jun 13 20:09:05.739411: | 45 8c e3 3a 28 bf 0e 73 92 eb da 19 f7 1a 8e f2
Jun 13 20:09:05.739424: |   18 3c bd fa  e1 e1 2d c4  93 83 e7 3c
Jun 13 20:09:05.739450: | processing: start from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:391)
Jun 13 20:09:05.739471: | **parse ISAKMP Message:
Jun 13 20:09:05.739487: |    initiator cookie:
Jun 13 20:09:05.739500: |   68 40 cf 33  e4 13 6a 03
Jun 13 20:09:05.739513: |    responder cookie:
Jun 13 20:09:05.739526: |   81 69 a2 ec  2c e3 e2 a2
Jun 13 20:09:05.739539: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
Jun 13 20:09:05.739553: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jun 13 20:09:05.739566: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
Jun 13 20:09:05.739580: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jun 13 20:09:05.739622: |    message ID:  00 00 00 28
Jun 13 20:09:05.739636: |    length: 76 (0x4c)
Jun 13 20:09:05.739650: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37)
Jun 13 20:09:05.739666: | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL
Jun 13 20:09:05.739679: | I am the IKE SA Original Responder
Jun 13 20:09:05.739702: | cookies table: hash icookie 68 40 cf 33 e4 13 6a 03 rcookie 81 69 a2 ec 2c e3 e2 a2 to 12656043768357558533 slot 0x56241087a9c0
Jun 13 20:09:05.739717: | parent v2 peer and cookies match on #1
Jun 13 20:09:05.739730: | v2 state object #1 found, in STATE_PARENT_R2
Jun 13 20:09:05.739753: | processing: start state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in processed_retransmit() at ikev2.c:1187)
Jun 13 20:09:05.739769: | #1 is idle
Jun 13 20:09:05.739785: | #1 STATE_PARENT_R2: retransmits: retransmit response for message ID: 40 exchange ISAKMP_v2_INFORMATIONAL
Jun 13 20:09:05.739804: | sending 76 bytes for ikev2-responder-retransmit through eth0:500 to 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (using #1)
Jun 13 20:09:05.739819: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:05.739832: | 2e 20 25 20 00 00 00 28 00 00 00 4c 00 00 00 30
Jun 13 20:09:05.739845: | fa 21 c1 e1 0d e2 0a 38 c0 8f 11 20 41 b3 6c 1e
Jun 13 20:09:05.739857: | f1 87 2c be f7 f7 81 6e c7 d6 c6 08 c7 34 4b 4e
Jun 13 20:09:05.739869: |   df a2 38 22  6e 0e ef 44  90 ed f3 64
Jun 13 20:09:05.739964: | processing: stop from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (BACKGROUND) (in process_md() at demux.c:393)
Jun 13 20:09:05.739998: | processing: stop state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:395)
Jun 13 20:09:05.740014: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:05.740028: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:05.740042: | processing: STOP connection NULL (in process_md() at demux.c:396)
Jun 13 20:09:09.139826: |  kernel_process_msg_cb process netlink message
Jun 13 20:09:09.140242: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 13 20:09:09.140358: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 13 20:09:12.399906: | timer_event_cb: processing event@0x562411ee3540
Jun 13 20:09:12.400286: | handling event EVENT_SHUNT_SCAN
Jun 13 20:09:12.400371: | expiring aged bare shunts from shunt table
Jun 13 20:09:12.400440: | event_schedule: new EVENT_SHUNT_SCAN-pe@0x562411ecb210
Jun 13 20:09:12.400507: | inserting event EVENT_SHUNT_SCAN, timeout in 20.000 seconds
Jun 13 20:09:12.400581: | free_event_entry: release EVENT_SHUNT_SCAN-pe@0x562411ee3540
Jun 13 20:09:12.400647: | timer_event_cb: processing event@0x562411eeaf60
Jun 13 20:09:12.400713: | handling event EVENT_v2_LIVENESS for child state #2
Jun 13 20:09:12.400826: | processing: start state #2 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in timer_event_cb() at timer.c:296)
Jun 13 20:09:12.400914: | processing: [RE]START state #2 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in liveness_check() at timer.c:114)
Jun 13 20:09:12.400997: | serialno table: hash serialno #1 to head 0x5624108809a0
Jun 13 20:09:12.401072: | serialno table: hash serialno #1 to head 0x5624108809a0
Jun 13 20:09:12.401136: | serialno table: hash serialno #1 to head 0x5624108809a0
Jun 13 20:09:12.401201: | serialno table: hash serialno #1 to head 0x5624108809a0
Jun 13 20:09:12.401266: | get_sa_info esp:1d6f43e9@2400:8901::f03c:91ff:fe6e:9dc
Jun 13 20:09:12.401362: | #2 liveness_check - peer 2001:8004:1400:20c9:1863:feff:fea4:d208 is ok schedule new
Jun 13 20:09:12.401422: | event_schedule: new EVENT_v2_LIVENESS-pe@0x562411ee3540
Jun 13 20:09:12.401477: | inserting event EVENT_v2_LIVENESS, timeout in 15.000 seconds for #2
Jun 13 20:09:12.401567: | free_event_entry: release EVENT_v2_LIVENESS-pe@0x562411eeaf60
Jun 13 20:09:12.401628: | processing: stop state #2 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in timer_event_cb() at timer.c:641)
Jun 13 20:09:12.401682: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:12.401733: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:12.490503: | NAT-T keep-alive (boggus ?) should not reach this point. Ignored. Sender: 2001:8004:1400:20c9:1863:feff:fea4:d208:500
Jun 13 20:09:14.155455: |  kernel_process_msg_cb process netlink message
Jun 13 20:09:14.155831: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 13 20:09:14.161263: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 13 20:09:19.167250: |  kernel_process_msg_cb process netlink message
Jun 13 20:09:19.167502: | netlink_get: XFRM_MSG_DELPOLICY message
Jun 13 20:09:19.181616: | xfrm netlink address change RTM_NEWADDR msg len 72
Jun 13 20:09:20.997768: | *received 76 bytes from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 on eth0 (port=500)
Jun 13 20:09:20.998119: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:20.998202: | 2e 20 25 08 00 00 00 29 00 00 00 4c 00 00 00 30
Jun 13 20:09:20.998260: | e7 7f a7 57 a8 12 9f d7 60 8a 1f 10 7b 45 74 6a
Jun 13 20:09:20.998344: | f2 3d 5e 5e fe 87 83 20 e3 f7 8f f2 d9 ef c3 f6
Jun 13 20:09:20.998404: |   f3 71 5d f4  61 c7 08 49  b6 de 1c 5b
Jun 13 20:09:20.998469: | processing: start from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:391)
Jun 13 20:09:20.998530: | **parse ISAKMP Message:
Jun 13 20:09:20.998587: |    initiator cookie:
Jun 13 20:09:20.998640: |   68 40 cf 33  e4 13 6a 03
Jun 13 20:09:20.998692: |    responder cookie:
Jun 13 20:09:20.998740: |   81 69 a2 ec  2c e3 e2 a2
Jun 13 20:09:20.998800: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
Jun 13 20:09:20.998916: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jun 13 20:09:20.998982: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
Jun 13 20:09:20.999044: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Jun 13 20:09:20.999096: |    message ID:  00 00 00 29
Jun 13 20:09:20.999146: |    length: 76 (0x4c)
Jun 13 20:09:20.999196: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37)
Jun 13 20:09:20.999250: | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL
Jun 13 20:09:20.999300: | I am the IKE SA Original Responder
Jun 13 20:09:20.999358: | cookies table: hash icookie 68 40 cf 33 e4 13 6a 03 rcookie 81 69 a2 ec 2c e3 e2 a2 to 12656043768357558533 slot 0x56241087a9c0
Jun 13 20:09:20.999410: | parent v2 peer and cookies match on #1
Jun 13 20:09:20.999459: | v2 state object #1 found, in STATE_PARENT_R2
Jun 13 20:09:20.999520: | processing: start state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in processed_retransmit() at ikev2.c:1187)
Jun 13 20:09:20.999575: | found state #1
Jun 13 20:09:20.999630: | processing: [RE]START state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in ikev2_process_packet() at ikev2.c:1538)
Jun 13 20:09:20.999686: | processing: start connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1543)
Jun 13 20:09:20.999739: | #1 is idle
Jun 13 20:09:20.999788: | #1 idle
Jun 13 20:09:20.999836: | #1 in state PARENT_R2: received v2I2, PARENT SA established
Jun 13 20:09:20.999899: | Unpacking clear payload for svm: R2: process INFORMATIONAL Request
Jun 13 20:09:20.999956: | Now let's proceed with payload (ISAKMP_NEXT_v2SK)
Jun 13 20:09:21.000008: | ***parse IKEv2 Encryption Payload:
Jun 13 20:09:21.000059: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 13 20:09:21.000109: |    flags: none (0x0)
Jun 13 20:09:21.000159: |    length: 48 (0x30)
Jun 13 20:09:21.000238: | processing payload: ISAKMP_NEXT_v2SK (len=48)
Jun 13 20:09:21.000387: | data for hmac: 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:21.000447: | data for hmac: 2e 20 25 08 00 00 00 29 00 00 00 4c 00 00 00 30
Jun 13 20:09:21.000497: | data for hmac: e7 7f a7 57 a8 12 9f d7 60 8a 1f 10 7b 45 74 6a
Jun 13 20:09:21.000547: | data for hmac: f2 3d 5e 5e fe 87 83 20 e3 f7 8f f2 d9 ef c3 f6
Jun 13 20:09:21.000596: | calculated auth: f3 71 5d f4 61 c7 08 49 b6 de 1c 5b
Jun 13 20:09:21.000645: | provided auth: f3 71 5d f4 61 c7 08 49 b6 de 1c 5b
Jun 13 20:09:21.000694: | authenticator matched
Jun 13 20:09:21.000802: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success
Jun 13 20:09:21.000856: | selected state microcode R2: process INFORMATIONAL Request
Jun 13 20:09:21.000912: | Now lets proceed with state specific processing
Jun 13 20:09:21.000958: | calling processor R2: process INFORMATIONAL Request
Jun 13 20:09:21.001002: | an informational request should send a response
Jun 13 20:09:21.001046: | MOBIKE request: not updating IPsec SA
Jun 13 20:09:21.001108: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness
Jun 13 20:09:21.001156: | **emit ISAKMP Message:
Jun 13 20:09:21.001202: |    initiator cookie:
Jun 13 20:09:21.001251: |   68 40 cf 33  e4 13 6a 03
Jun 13 20:09:21.001303: |    responder cookie:
Jun 13 20:09:21.001367: |   81 69 a2 ec  2c e3 e2 a2
Jun 13 20:09:21.001425: |    next payload type: ISAKMP_NEXT_v2SK (0x2e)
Jun 13 20:09:21.001489: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Jun 13 20:09:21.001552: |    exchange type: ISAKMP_v2_INFORMATIONAL (0x25)
Jun 13 20:09:21.001614: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Jun 13 20:09:21.001675: |    message ID:  00 00 00 29
Jun 13 20:09:21.001747: | next payload type: saving message location 'ISAKMP Message' 'next payload type'
Jun 13 20:09:21.001809: | ***emit IKEv2 Encryption Payload:
Jun 13 20:09:21.001865: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Jun 13 20:09:21.001940: |    flags: none (0x0)
Jun 13 20:09:21.001992: | next payload type: previous 'ISAKMP Message' 'next payload type' matches 'IKEv2 Encryption Payload' (46:ISAKMP_NEXT_v2SK)
Jun 13 20:09:21.002038: | next payload type: saving payload location 'IKEv2 Encryption Payload' 'next payload type'
Jun 13 20:09:21.002107: | emitting 16 raw bytes of IV into IKEv2 Encryption Payload
Jun 13 20:09:21.002155: | IV 58 6e 1c db 0e 93 a6 26 64 a4 3e ac e4 b7 e4 4d
Jun 13 20:09:21.002243: | emitting 16 raw bytes of padding and length into cleartext
Jun 13 20:09:21.002290: | padding and length 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
Jun 13 20:09:21.002336: | emitting 12 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload
Jun 13 20:09:21.002381: | emitting length of IKEv2 Encryption Payload: 48
Jun 13 20:09:21.002424: | emitting length of ISAKMP Message: 76
Jun 13 20:09:21.002555: | data being hmac: 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:21.002613: | data being hmac: 2e 20 25 20 00 00 00 29 00 00 00 4c 00 00 00 30
Jun 13 20:09:21.002667: | data being hmac: 58 6e 1c db 0e 93 a6 26 64 a4 3e ac e4 b7 e4 4d
Jun 13 20:09:21.002724: | data being hmac: f0 92 79 4c 9c 3a 58 ac 47 84 2c 4a f0 0b fe 0e
Jun 13 20:09:21.002776: | out calculated auth:
Jun 13 20:09:21.002830: |   f2 7e 93 f5  7c b7 bd 05  53 90 1a 0a
Jun 13 20:09:21.002922: | sending 76 bytes for reply packet for process_encrypted_informational_ikev2 through eth0:500 to 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (using #1)
Jun 13 20:09:21.002984: | 68 40 cf 33 e4 13 6a 03 81 69 a2 ec 2c e3 e2 a2
Jun 13 20:09:21.003038: | 2e 20 25 20 00 00 00 29 00 00 00 4c 00 00 00 30
Jun 13 20:09:21.003099: | 58 6e 1c db 0e 93 a6 26 64 a4 3e ac e4 b7 e4 4d
Jun 13 20:09:21.003159: | f0 92 79 4c 9c 3a 58 ac 47 84 2c 4a f0 0b fe 0e
Jun 13 20:09:21.003216: |   f2 7e 93 f5  7c b7 bd 05  53 90 1a 0a
Jun 13 20:09:21.003481: | message ID #1 STATE_PARENT_R2 router-2.reub.net-ipv6 pst #1 st_msgid_nextuse(before=36) 36 st_msgid_lastack 4294967295 st_msgid_lastrecv 41 md is a request
Jun 13 20:09:21.003595: | processing: [RE]START state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in complete_v2_state_transition() at ikev2.c:2787)
Jun 13 20:09:21.003655: | #1 complete v2 state transition from STATE_PARENT_R2 with STF_OK
Jun 13 20:09:21.003720: | message ID #1 STATE_PARENT_R2 router-2.reub.net-ipv6 pst #1 st_msgid_nextuse(before=36) 36 st_msgid_lastack 4294967295 st_msgid_lastrecv 41 md is a request
Jun 13 20:09:21.003783: | processing: stop from 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (BACKGROUND) (in process_md() at demux.c:393)
Jun 13 20:09:21.003847: | processing: stop state #1 connection "router-2.reub.net-ipv6"[1] 2001:8004:1400:20c9:1863:feff:fea4:d208 2001:8004:1400:20c9:1863:feff:fea4:d208:500 (in process_md() at demux.c:395)
Jun 13 20:09:21.003922: | serialno table: hash serialno #0 to head 0x562410880980
Jun 13 20:09:21.003979: | serialno table: hash serialno #0 to head 0x562410880980

Thanks,
Reuben
