Thanks Paul.
> You do not need to manually change any routing for IPsec to work.
I'm aware of this in principle but the VPN endpoints aren't the default
gateway for the member hosts and the actual default gateway is unaware
of the tunnel. Our side is in a datacenter that we are a client of so
configuration on the gateway is not trivial. So there has to at least
be a route installed on the members to point to the tunnel, right? In
the past a simple `ip route add <remote_subnet> via <our_endpoint>` on
the members was all I needed to get the magic to happen.
Iptables are a bit complicated due to using firewalld but from
firewalld's perspective the rules are quite simple. I'm afraid my
experience with dealing with iptables directly is novice.
Output of `firewall-cmd --list-all`:
dmz (default, active)
  interfaces: ens160 ens192
  sources:
  services: ssh
  ports: 500/udp 4500/udp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
        rule protocol value="ah" accept
        rule protocol value="esp" accept
After adding this:
iptables -t nat -I POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy
--dir out --pol none -j MASQUERADE
No success with pings. I'm attaching the output of `iptables-save` and
the logs after `ipsec whack --debug-all` and sending four pings from a
member host. Also two pcaps. One with the member using its LAN IP
and one with its public IP.
Thanks again for your assistance. Is there any other diagnostic
information I can provide?
--
Jesse Butcher
On 7/6/16 10:30 AM, Paul Wouters wrote:
> On Wed, 6 Jul 2016, Jesse Butcher wrote:
>
>> We have successfully established SAs with no errors but I am having
>> trouble configuring the routing on our side.
>
> You do not need to manually change any routing for IPsec to work.
>
> More likely, you are NATing packets meant for IPsec. You might need
> to update your SNAT or MASQUERADE rules to not apply when the packets
> are meant for IPsec tunnels.
>
> something like:
>
> iptables -t nat -I POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir
> out --pol none -j MASQUERADE
>
> This would ensure packets that have a --pol ipsec would not get NAT'ed.
>
> Paul
>
# Generated by iptables-save v1.4.21 on Wed Jul 6 14:24:55 2016
*nat
:PREROUTING ACCEPT [2:428]
:INPUT ACCEPT [1:344]
:OUTPUT ACCEPT [12:870]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
:POST_dmz_deny - [0:0]
:POST_dmz_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens192 -g POST_dmz
-A POSTROUTING_ZONES -o ens160 -g POST_dmz
-A POSTROUTING_ZONES -g POST_dmz
-A POST_dmz -j POST_dmz_log
-A POST_dmz -j POST_dmz_deny
-A POST_dmz -j POST_dmz_allow
-A POST_dmz_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i ens192 -g PRE_dmz
-A PREROUTING_ZONES -i ens160 -g PRE_dmz
-A PREROUTING_ZONES -g PRE_dmz
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
COMMIT
# Completed on Wed Jul 6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul 6 14:24:55 2016
*mangle
:PREROUTING ACCEPT [475:42810]
:INPUT ACCEPT [471:42530]
:FORWARD ACCEPT [4:280]
:OUTPUT ACCEPT [325:67632]
:POSTROUTING ACCEPT [329:67912]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens192 -g PRE_dmz
-A PREROUTING_ZONES -i ens160 -g PRE_dmz
-A PREROUTING_ZONES -g PRE_dmz
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
COMMIT
# Completed on Wed Jul 6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul 6 14:24:55 2016
*security
:INPUT ACCEPT [471:42530]
:FORWARD ACCEPT [4:280]
:OUTPUT ACCEPT [325:67632]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jul 6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul 6 14:24:55 2016
*raw
:PREROUTING ACCEPT [475:42810]
:OUTPUT ACCEPT [325:67632]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jul 6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul 6 14:24:55 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [325:67632]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_dmz - [0:0]
:FWDI_dmz_allow - [0:0]
:FWDI_dmz_deny - [0:0]
:FWDI_dmz_log - [0:0]
:FWDO_dmz - [0:0]
:FWDO_dmz_allow - [0:0]
:FWDO_dmz_deny - [0:0]
:FWDO_dmz_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_dmz - [0:0]
:IN_dmz_allow - [0:0]
:IN_dmz_deny - [0:0]
:IN_dmz_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens192 -g FWDI_dmz
-A FORWARD_IN_ZONES -i ens160 -g FWDI_dmz
-A FORWARD_IN_ZONES -g FWDI_dmz
-A FORWARD_OUT_ZONES -o ens192 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o ens160 -g FWDO_dmz
-A FORWARD_OUT_ZONES -g FWDO_dmz
-A FWDI_dmz -j FWDI_dmz_log
-A FWDI_dmz -j FWDI_dmz_deny
-A FWDI_dmz -j FWDI_dmz_allow
-A FWDO_dmz -j FWDO_dmz_log
-A FWDO_dmz -j FWDO_dmz_deny
-A FWDO_dmz -j FWDO_dmz_allow
-A FWDO_dmz_allow -j ACCEPT
-A INPUT_ZONES -i ens192 -g IN_dmz
-A INPUT_ZONES -i ens160 -g IN_dmz
-A INPUT_ZONES -g IN_dmz
-A IN_dmz -j IN_dmz_log
-A IN_dmz -j IN_dmz_deny
-A IN_dmz -j IN_dmz_allow
-A IN_dmz_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Jul 6 14:24:55 2016
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | base debugging =
raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | handling event
EVENT_PENDING_DDNS
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule called
for 60 seconds
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule_tv called
for about 60 seconds and change
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | inserting event
EVENT_PENDING_DDNS, timeout in 60.000000 seconds
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | elapsed time in
connection_check_ddns for hostname lookup 0.000000
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | handling event
EVENT_SHUNT_SCAN
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | expiring aged bare shunts
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule called
for 20 seconds
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule_tv called
for about 20 seconds and change
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | inserting event
EVENT_SHUNT_SCAN, timeout in 20.000000 seconds
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | *received 92 bytes from
128.151.71.71:4500 on ens160 (port=4500)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 0b 9f fb d3 c5 ed a7
b1 27 0e 5b dd 04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 08 10 05 01 4a de cd
fa 00 00 00 5c 59 b5 77 df
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 04 47 97 95 f8 10 d2
86 2f 10 86 bb cd e0 74 a4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 7c 25 3e 7c 8b bc 24
2c 05 45 07 d6 63 d9 b9 12
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 00 6b c5 f2 34 64 d4
e0 f6 84 d6 78 d4 f7 31 90
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ae 18 0a 2a d4 11 46
f9 e3 55 d8 69
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | **parse ISAKMP Message:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | initiator cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 0b 9f fb d3 c5 ed a7
b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | responder cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 27 0e 5b dd 04 ce 67
a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_HASH (0x8)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ISAKMP version:
ISAKMP Version 1.0 (rfc2407) (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | exchange type:
ISAKMP_XCHG_INFO (0x5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | flags:
ISAKMP_FLAG_v1_ENCRYPTION (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | message ID: 4a de cd
fa
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | length: 92 (0x5c)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | processing version=1.0
packet with exchange type=ISAKMP_XCHG_INFO (5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | finding hash chain in
state hash table
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ICOOKIE: 0b 9f fb d3
c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | RCOOKIE: 27 0e 5b dd
04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | found hash chain 4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match
on #206; msgid=00000000 st_msgid=58dc3bea st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match
on #205; msgid=00000000 st_msgid=df9487ff st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match
on #204; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | p15 state object #204
found, in STATE_MAIN_I4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | processing connection
"URochesterMC/2x0"
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | last Phase 1 IV: b5 58
8d 67 5a d7 40 fd 66 a1 42 d0 a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | current Phase 1 IV: b5
58 8d 67 5a d7 40 fd 66 a1 42 d0 a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | computed Phase 2 IV:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | a2 44 04 ad 2d 2c a9
5f fb 00 4a 16 0e ad 92 3b
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | f2 49 2a 64
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | #204 state_busy:2235 st
!= NULL && st->st_calculating == FALSE;
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | received encrypted
packet from 128.151.71.71:4500
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | decrypting 64 bytes
using algorithm OAKLEY_AES_CBC
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes
- enter
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes
- exit
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | decrypted:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 0b 00 00 18 97 4f 12
9e c4 3d 01 2a 85 c2 98 ee
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 3b e1 cb 10 7e 57 b4
f8 00 00 00 20 00 00 00 01
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 01 10 8d 28 0b 9f fb
d3 c5 ed a7 b1 27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 04 ce 67 a2 07 fc a5
07 00 00 00 00 00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next IV: d4 f7 31 90
ae 18 0a 2a d4 11 46 f9 e3 55 d8 69
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | got payload 0x100
(ISAKMP_NEXT_HASH) needed: 0x100opt: 0x0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***parse ISAKMP Hash
Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_N (0xb)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | length: 24 (0x18)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | got payload 0x800
(ISAKMP_NEXT_N) needed: 0x0opt: 0x0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***parse ISAKMP
Notification Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_NONE (0x0)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | length: 32 (0x20)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | DOI: ISAKMP_DOI_IPSEC
(0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | protocol ID: 1 (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | SPI size: 16 (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | Notify Message Type:
R_U_THERE (0x8d28)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | removing 8 bytes of
padding
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | info: 0b 9f fb d3 c5
ed a7 b1 27 0e 5b dd 04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | info: 07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | processing informational
R_U_THERE (36136)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | DPD: received R_U_THERE
seq:133997831 monotime:1467829983 (state=#204 name="URochesterMC/2x0")
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | **emit ISAKMP Message:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | initiator cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 0b 9f fb d3 c5 ed a7
b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | responder cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 27 0e 5b dd 04 ce 67
a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_HASH (0x8)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ISAKMP version:
ISAKMP Version 1.0 (rfc2407) (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | exchange type:
ISAKMP_XCHG_INFO (0x5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | flags:
ISAKMP_FLAG_v1_ENCRYPTION (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | message ID: 2d 05 f1
b6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***emit ISAKMP Hash
Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_N (0xb)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 20 zero bytes
of HASH into ISAKMP Hash Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of
ISAKMP Hash Payload: 24
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***emit ISAKMP
Notification Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next payload type:
ISAKMP_NEXT_NONE (0x0)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | DOI: ISAKMP_DOI_IPSEC
(0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | protocol ID: 1 (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | SPI size: 16 (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | Notify Message Type:
R_U_THERE_ACK (0x8d29)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 raw bytes of
notify icookie into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify icookie 0b 9f fb
d3 c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 raw bytes of
notify rcookie into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify rcookie 27 0e 5b
dd 04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 4 raw bytes of
notify data into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify data 07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of
ISAKMP Notification Payload: 32
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: init
0x7f8cb43b6f40
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: init symkey
symkey 0x7f8cb457b9c0 (length 20)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
merge symkey(0x7f8cb457b9c0) bytes(0x7f8cb391d1e0/44) -
derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8cb457b9c0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY
0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 00 00 00 00 00
00 00 00 00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk merge
symkey(0x7f8ca40a1050) bytes(0x7ffef46120b0/64) - derive(XOR_BASE_AND_DATA)
target(CONCATENATE_BASE_AND_DATA)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 36 36 36 36 36
36 36 36 36 36 36 36 36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 36 36 36 36 36
36 36 36 36 36 36 36 36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 36 36 36 36 36
36 36 36 36 36 36 36 36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 36 36 36 36 36
36 36 36 36 36 36 36 36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk
key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA
0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update bytes
data 0x7ffef46121ac (length 4)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
merge symkey(0x7f8ca406c220) bytes(0x7ffef46121ac/4) -
derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA
0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 2d 05 f1 b6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
key(0x7f8ca40974b0) length(68) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_bytes:
free key 0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update bytes
data 0x7f8cb39255b4 (length 32)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
merge symkey(0x7f8ca40974b0) bytes(0x7f8cb39255b4/32) -
derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca40974b0) length(68) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 00 00 00 20 00
00 00 01 01 10 8d 29 0b 9f fb d3
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: c5 ed a7 b1 27
0e 5b dd 04 ce 67 a2 07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes
key(0x7f8ca406c220) length(100) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_bytes:
free key 0x7f8ca40974b0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: final
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner hash:
hash(oakley_sha) symkey(0x7f8ca406c220) to symkey - derive(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca406c220) length(100) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner hash:
key(0x7f8ca40974b0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY
0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner:: free key
0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk merge
symkey(0x7f8ca40a1050) bytes(0x7ffef4612090/64) - derive(XOR_BASE_AND_DATA)
target(CONCATENATE_BASE_AND_DATA)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 5c 5c 5c 5c 5c
5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 5c 5c 5c 5c 5c
5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 5c 5c 5c 5c 5c
5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes: 5c 5c 5c 5c 5c
5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk
key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA
0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat: merge symkey(1:
0x7f8ca406c220) symkey(2: 0x7f8ca40974b0) - derive(CONCATENATE_BASE_AND_KEY)
target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey 1:
key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA
0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey 2:
key(0x7f8ca40974b0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY
0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat:
key(0x7f8ca4041700) length(84) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_symkey:
free key 0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf hashed inner:: free
key 0x7f8ca40974b0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf key: free key
0x7f8ca40a1050
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash
hash(oakley_sha) symkey(0x7f8ca4041700) to bytes
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey:
key(0x7f8ca4041700) length(84) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash 76 ba e0
d7 2e 31 a9 5f 90 8d a5 bb fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash 84 c2 22
a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer: free key
0x7f8ca4041700
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf final bytes 76 ba
e0 d7 2e 31 a9 5f 90 8d a5 bb fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf final bytes 84 c2
22 a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | HASH computed:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 76 ba e0 d7 2e 31 a9
5f 90 8d a5 bb fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 84 c2 22 a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | last Phase 1 IV: b5 58
8d 67 5a d7 40 fd 66 a1 42 d0 a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | current Phase 1 IV: b5
58 8d 67 5a d7 40 fd 66 a1 42 d0 a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | computed Phase 2 IV:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 08 fa 35 33 bf 3f e1
62 59 70 3a 74 bb 82 84 e6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 81 b3 c9 ae
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting: 0b 00 00 18
76 ba e0 d7 2e 31 a9 5f 90 8d a5 bb
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting: fd fc e4 a2
84 c2 22 a8 00 00 00 20 00 00 00 01
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting: 01 10 8d 29
0b 9f fb d3 c5 ed a7 b1 27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting: 04 ce 67 a2
07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | IV: 08 fa 35 33 bf 3f
e1 62 59 70 3a 74 bb 82 84 e6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | IV: 81 b3 c9 ae
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | unpadded size is: 56
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 zero bytes of
encryption padding into ISAKMP Message
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting 64 using
OAKLEY_AES_CBC
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes
- enter
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes
- exit
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next IV: 17 3c 5b 90
c0 76 15 e6 4e 81 42 56 37 84 c9 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | no IKEv1 message padding
required
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of
ISAKMP Message: 92
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | sending 96 bytes for
ISAKMP notify through ens160:4500 to 128.151.71.71:4500 (using #204)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 00 00 00 00 0b 9f fb
d3 c5 ed a7 b1 27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 04 ce 67 a2 08 10 05
01 2d 05 f1 b6 00 00 00 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 6e 79 76 5b 4d 6e cc
6b f4 b1 11 02 dc d7 ef f4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 0e 3b 97 cd 9a 40 c9
66 88 f8 a6 5c d1 ca 5b c9
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ca 5c ed c8 81 2e b2
12 52 33 10 8a 2b 23 06 21
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | 17 3c 5b 90 c0 76 15
e6 4e 81 42 56 37 84 c9 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | complete v1 state
transition with STF_IGNORE
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get
[email protected]
Jul 06 14:33:10 hcl-vpn.signetaccel.com pluto[7558]: | base debugging = none
pings_pub.pcap
Description: Binary data
pings.pcap
Description: Binary data
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
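The NAT interaction Paul describes (a MASQUERADE rule needs an `-m policy --dir out --pol none` exemption so packets bound for an IPsec tunnel are not rewritten before XFRM sees them) can be checked mechanically against a nat table. The checker below is an added example, not code from this thread, libreswan or firewalld; it assumes the host's interfaces are ens160 and ens192 as in the `firewall-cmd` output, and its sample dump is constructed from the nat table posted above.

```python
"""Walk the nat POSTROUTING chain of an iptables-save dump (following the
-j/-g jumps firewalld generates) and report every reachable MASQUERADE rule,
noting whether it is limited to non-IPsec packets and whether its -o selector
can match a real interface. Added example; sample dump constructed from the
thread's nat table."""
import shlex

SAMPLE_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
:POSTROUTING_ZONES - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
-A POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens192 -g POST_dmz
-A POSTROUTING_ZONES -o ens160 -g POST_dmz
-A POSTROUTING_ZONES -g POST_dmz
-A POST_dmz -j POST_dmz_allow
-A POST_dmz_allow ! -i lo -j MASQUERADE
COMMIT
"""

# Options that take exactly one argument; others are skipped token by token.
_ONE_ARG = {"-s", "-d", "-i", "-o", "-p", "-m", "-j", "-g", "--dir", "--pol",
            "--to-source", "--dport", "--sport", "--ctstate"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into the selectors this check inspects."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "out": None, "policy": None, "target": None}
    negate, i = False, 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        arg = toks[i + 1] if tok in _ONE_ARG and i + 1 < len(toks) else None
        if tok == "-o" and not negate:
            rule["out"] = arg
        elif tok == "--pol":
            rule["policy"] = arg            # "none" or "ipsec"
        elif tok in ("-j", "-g"):
            rule["target"] = arg
        negate = False
        i += 2 if arg is not None else 1
    return rule


def parse_nat_table(dump):
    """Return {chain: [rule, ...]} for the *nat table of an iptables-save dump."""
    chains, in_nat = {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif in_nat and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif in_nat and line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return chains


def iface_matches(pattern, ifaces):
    """iptables interface matching: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return any(name.startswith(pattern[:-1]) for name in ifaces)
    return pattern in ifaces


def audit_masquerade(dump, ifaces, chain="POSTROUTING", _seen=None):
    """List MASQUERADE rules reachable from POSTROUTING. Both -j and -g are
    descended into; a user chain is visited once so findings are not repeated."""
    chains = parse_nat_table(dump) if isinstance(dump, str) else dump
    seen = _seen if _seen is not None else set()
    findings = []
    for rule in chains.get(chain, []):
        tgt = rule["target"]
        if tgt == "MASQUERADE":
            out = rule["out"]
            findings.append({
                "chain": chain, "out": out, "policy": rule["policy"],
                "iface_match": None if out is None else iface_matches(out, ifaces),
                # Without '--pol none' the rule also rewrites the source of
                # packets that XFRM would otherwise have put into the tunnel.
                "hits_ipsec_traffic": rule["policy"] != "none",
            })
        elif tgt in chains and tgt not in seen:
            seen.add(tgt)
            findings.extend(audit_masquerade(chains, ifaces, tgt, seen))
    return findings
```

Run against the sample, the manually inserted rule is reported as harmless but unreachable (`eth+` matches neither ens interface), while firewalld's own `! -i lo -j MASQUERADE` in POST_dmz_allow is reported as still applying to IPsec-bound packets.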
