We have been using Openswan to Openswan ipsec successfully on CentOS to RHEL.  
The biggest problem we had with OpenSwan was that it crashed when 
re-configuring tunnels during a rekey.  Now we are forced to move to Libreswan 
and it has so far been a failure with tons of time spent on it.  We have found 
issues that we have tried to fix, so far unsuccessfully.  

The system is:
- Both sides of the tunnel are Libreswan.  
- Source is CentOS, destination is RHEL.  
- Both sides are using X509 keys from the same Certificate Authority. 
- Each side has multiple tunnels configured for different end points.   The 
CentOS box is routing traffic from a network device to all the destinations.  
The destination has connections to multiple CentOS boxes. There are never 
multiple tunnels to the same end point. 

Things we see that totally make Libreswan unusable (these were not a problem in 
Openswan):

1.  Random INVALID_ID_INFORMATION responses.  Libreswan goes into a state where 
it simply will not accept the connection that it has accepted numerous times 
before. Libreswan says "cert verify failed with internal error" and "Peer 
public key is not available for this exchange". A restart of Libreswan 
sometimes fixes this but not always. The worst part is that libreswan allows 
unencrypted traffic between the two points in this situation.  There is nothing 
wrong with the cert.  It works sometimes; it always worked for OpenSwan.  
2.  Tunnels working, then stopping and never working again until 
manual intervention (--up for example), which is a totally unacceptable 
requirement.  This failure usually happens after one side has restarted.  We 
had used auto=start with Openswan but we have found during testing that 
auto=ondemand may have made the problem in Libreswan less reproducible (but 
still very,very reproducible).

What can we do to fix these issues?  Any help appreciated.

Below are lots of details.  The examples are from two sets of source and 
destination.  But all the configs are the same,  except for IPs and certs.  All 
use same CA.

==============================================================================================================================================

Source (CentOS) ipsec verify 

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.3.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

==============================================================================================================================================

Destination (RHEL) ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.1.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

==============================================================================================================================================

Example source and destination configuration:

conn src-to-dst-on-80
    leftid=%fromcert
    left=10.90.156.167
    leftrsasigkey=%cert
    rightid=%fromcert
    right=10.88.180.151
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    leftcert=src.ourdomain.com
    leftsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=ondemand

conn dst-to-src-on-80
    leftid=%fromcert
    left=10.90.156.167
    rightid=%fromcert
    right=10.88.180.151
    rightrsasigkey=%cert
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    rightcert=dst.ourdomain.com
    rightsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=ondemand

==============================================================================================================================================

Example source and destination NSS database

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

src.ourdomain.com                         u,u,u
our_ca_nickname                                         CT,,

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

dst.ourdomain.com                          u,u,u
our_ca_nickname                                         CT,,

==============================================================================================================================================

Example source and destination ipsec.secrets

: RSA "src.ourdomain.com"

: RSA "dst.ourdomain.com"


==============================================================================================================================================

Example of Libreswan throwing INVALID_ID_INFORMATION and example of the exact 
same tunnel working at some point later.  Source is 10.90.156.167,  destination 
is 10.102.14.96

> ipsec auto --up src-to-dst-on-80
002 "src-to-dst-on-80" #347: initiating Main Mode
104 "src-to-dst-on-80" #347: STATE_MAIN_I1: initiate
003 "src-to-dst-on-80" #347: received Vendor ID payload [Dead Peer Detection]
003 "src-to-dst-on-80" #347: received Vendor ID payload [FRAGMENTATION]
003 "src-to-dst-on-80" #347: received Vendor ID payload [RFC 3947]
002 "src-to-dst-on-80" #347: enabling possible NAT-traversal with method RFC 
3947 (NAT-Traversal)
002 "src-to-dst-on-80" #347: transition from state STATE_MAIN_I1 to state 
STATE_MAIN_I2
106 "src-to-dst-on-80" #347: STATE_MAIN_I2: sent MI2, expecting MR2
003 "src-to-dst-on-80" #347: NAT-Traversal: Result using RFC 3947 
(NAT-Traversal) sender port 500: no NAT detected
002 "src-to-dst-on-80" #347: I am sending my cert
002 "src-to-dst-on-80" #347: I am sending a certificate request
002 "src-to-dst-on-80" #347: transition from state STATE_MAIN_I2 to state 
STATE_MAIN_I3
108 "src-to-dst-on-80" #347: STATE_MAIN_I3: sent MI3, expecting MR3
003 "src-to-dst-on-80" #347: received Vendor ID payload [CAN-IKEv2]
002 "src-to-dst-on-80" #347: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=YYY, 
OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
002 "src-to-dst-on-80" #347: cert verify failed with internal error
002 "src-to-dst-on-80" #347: Peer public key is not available for this exchange
218 "src-to-dst-on-80" #347: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "src-to-dst-on-80" #347: sending encrypted notification 
INVALID_ID_INFORMATION to 10.102.14.96:500

> ipsec auto --up src-to-dst-on-80
002 "src-to-dst-on-80" #3: initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 
{using isakmp#1 msgid:030e4c99 proposal=AES_GCM_C(20)_128-NONE(0)_000 
pfsgroup=OAKLEY_GROUP_MODP1536}
117 "src-to-dst-on-80" #3: STATE_QUICK_I1: initiate
002 "src-to-dst-on-80" #3: Dead Peer Detection (RFC 3706): enabled
002 "src-to-dst-on-80" #3: transition from state STATE_QUICK_I1 to state 
STATE_QUICK_I2
004 "src-to-dst-on-80" #3: STATE_QUICK_I2: sent QI2, IPsec SA established 
tunnel mode {ESP=>0x6ea9bb5f <0x233a3f4f xfrm=AES_GCM_C_128-NONE NATOA=none 
NATD=none DPD=active}

Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: responding to Main Mode
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R1: sent 
MR1, expecting MI2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: NAT-Traversal: Result 
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R2: sent 
MR2, expecting MI3
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: Main mode peer ID is 
ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: certificate 
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: I am sending my cert
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 
group=MODP1536}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: Dead Peer Detection 
(RFC 3706): enabled
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: the peer proposed: 
10.102.14.96/32:6/80 -> 10.90.156.167/32:0/0
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: responding to Quick 
Mode proposal {msgid:3526a400}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2:     us: 
10.102.14.96<10.102.14.96>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, 
CN=dst.ourdomain.com]:6/80
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2:   them: 
10.90.156.167<10.90.156.167>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: transition from state 
STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: STATE_QUICK_R1: sent 
QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x79004908 
<0x49e18c34 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: Dead Peer Detection 
(RFC 3706): enabled
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: transition from state 
STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: STATE_QUICK_R2: IPsec 
SA established tunnel mode {ESP=>0x79004908 <0x49e18c34 xfrm=AES_GCM_C_128-NONE 
NATOA=none NATD=none DPD=active}



==============================================================================================================================================

Example source and destination connection configured when Libreswan fails to 
reconnect a tunnel after destination restarts Source is 10.90.156.167,  
destination is 10.88.180.151


000 "src-to-dst-on-80": 10.90.156.167<10.90.156.167>[C=XX, O=YYY, 
OU=ZZZZZ-IPSEC, CN=src.ourdomain.com]...10.88.180.151<10.88.180.151>[C=XX, 
O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]:6/80; erouted; eroute owner: #167
000 "src-to-dst-on-80":     oriented; my_ip=unset; their_ip=unset; 
mycert=src.ourdomain.com
000 "src-to-dst-on-80":   xauth info: us:none, them:none,  my_xauthuser=[any]; 
their_xauthuser=[any]
000 "src-to-dst-on-80":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "src-to-dst-on-80":   labeled_ipsec:no;
000 "src-to-dst-on-80":   policy_label:unset;
000 "src-to-dst-on-80":   CAs: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, 
CN=our_ca_cn'...'%any'
000 "src-to-dst-on-80":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0;
000 "src-to-dst-on-80":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "src-to-dst-on-80":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; 
send_vendorid:no;
000 "src-to-dst-on-80":   policy: 
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "src-to-dst-on-80":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: 
unset; sa_prio:auto; nflog-group: unset;
000 "src-to-dst-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: 
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "src-to-dst-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #167;
000 "src-to-dst-on-80":   IKE algorithms wanted: 
AES_CBC(7)_000-SHA2_256(4)_000-MODP1536(5)
000 "src-to-dst-on-80":   IKE algorithms found:  
AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
000 "src-to-dst-on-80":   ESP algorithms wanted: AES_GCM_C(20)_128-NONE(0)_000
000 "src-to-dst-on-80":   ESP algorithms loaded: AES_GCM_C(20)_128-NONE(0)_000
000 "src-to-dst-on-80":   ESP algorithm newest: AES_GCM_C_128-NONE; 
pfsgroup=<Phase1>

000 "dst-to-src-on-80": 10.88.180.151<10.88.180.151>[C=XX, O=YYY, 
OU=ZZZZZ-IPSEC, 
CN=dst.ourdomain.com]:6/80...10.90.156.167<10.90.156.167>[%fromcert]; 
prospective erouted; eroute owner: #0
000 "dst-to-src-on-80":     oriented; my_ip=unset; their_ip=unset; 
mycert=dst.ourdomain.com
000 "dst-to-src-on-80":   xauth info: us:none, them:none,  my_xauthuser=[any]; 
their_xauthuser=[any]
000 "dst-to-src-on-80":   modecfg info: us:none, them:none, modecfg 
policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "dst-to-src-on-80":   labeled_ipsec:no;
000 "dst-to-src-on-80":   policy_label:unset;
000 "dst-to-src-on-80":   CAs: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, 
CN=our_ca_cn'...'%any'
000 "dst-to-src-on-80":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0;
000 "dst-to-src-on-80":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "dst-to-src-on-80":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; 
send_vendorid:no;
000 "dst-to-src-on-80":   policy: 
RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "dst-to-src-on-80":   conn_prio: 32,32; interface: bond0; metric: 0; mtu: 
unset; sa_prio:auto; nflog-group: unset;
000 "dst-to-src-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: 
force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "dst-to-src-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "dst-to-src-on-80":   IKE algorithms wanted: 
AES_CBC(7)_000-SHA2_256(4)_000-MODP1536(5)
000 "dst-to-src-on-80":   IKE algorithms found:  
AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
000 "dst-to-src-on-80":   ESP algorithms wanted: AES_GCM_C(20)_128-NONE(0)_000
000 "dst-to-src-on-80":   ESP algorithms loaded: AES_GCM_C(20)_128-NONE(0)_000

==============================================================================================================================================

Example source and destination log snippets when Libreswan fails to reconnect a 
tunnel after destination has restarted.  There is traffic trying to get from 
source to destination and Libreswan isn't even trying to re-establish a 
connection. We can't be expected to have manual intervention. Source is 
10.90.156.167,  destination is 10.88.180.151

Aug 13 11:03:43 src pluto[4431]: "src-to-dst-on-80" #167: STATE_QUICK_R2: IPsec 
SA established tunnel mode {ESP=>0xb9f042f6 <0x1949bfe3 xfrm=AES_GCM_C_128-NONE 
NATOA=none NATD=none DPD=active}
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [Dead Peer Detection]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [FRAGMENTATION]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [RFC 3947]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: enabling possible 
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: responding to Main 
Mode
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R1: sent 
MR1, expecting MI2
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: NAT-Traversal: Result 
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R2: sent 
MR2, expecting MI3
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: Main mode peer ID is 
ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: certificate 
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: I am sending my cert
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 
group=MODP1536}
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: Dead Peer Detection 
(RFC 3706): enabled
Aug 13 11:20:23 src pluto[4431]: "src-to-dst-on-80" #156: deleting state #156 
(STATE_MAIN_R3)
Aug 13 11:20:55 src pluto[4431]: "src-to-dst-on-80" #56: deleting state #56 
(STATE_QUICK_R2)
Aug 13 11:20:55 src pluto[4431]: "src-to-dst-on-80" #56: ESP traffic 
information: in=0B out=6KB
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [Dead Peer Detection]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [FRAGMENTATION]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor 
ID payload [RFC 3947]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor 
ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: enabling possible 
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: responding to Main 
Mode
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R1: sent 
MR1, expecting MI2
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: NAT-Traversal: Result 
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R2: sent 
MR2, expecting MI3
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: Main mode peer ID is 
ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: certificate 
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: I am sending my cert
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 
group=MODP1536}
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: Dead Peer Detection 
(RFC 3706): enabled
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #185: received Delete SA 
payload: self-deleting ISAKMP State #185
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #185: deleting state #185 
(STATE_MAIN_R3)
Aug 13 11:51:59 src pluto[4431]: packet from 10.88.180.151:500: received and 
ignored empty informational notification payload
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #168: received Delete SA 
payload: self-deleting ISAKMP State #168
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #168: deleting state #168 
(STATE_MAIN_R3)
Aug 13 11:51:59 src pluto[4431]: packet from 10.88.180.151:500: received and 
ignored empty informational notification payload
Aug 13 11:52:12 src pluto[4431]: "src-to-dst-on-80" #167: DPD: could not find 
newest phase 1 state

Aug 13 12:00:37 dst pluto[19668]: Starting Pluto (Libreswan Version 3.15 
XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT 
XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:19668
Aug 13 12:00:37 dst pluto[19668]: core dump dir: /var/run/pluto/
Aug 13 12:00:37 dst pluto[19668]: secrets file: /etc/ipsec.secrets
Aug 13 12:00:37 dst pluto[19668]: leak-detective disabled
Aug 13 12:00:37 dst pluto[19668]: NSS crypto [enabled]
Aug 13 12:00:37 dst pluto[19668]: XAUTH PAM support [enabled]
Aug 13 12:00:37 dst pluto[19668]:    NAT-Traversal support  [enabled]
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC_SSH: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_SERPENT_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CTR: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_AES_GCM_A: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_AES_GCM_B: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_AES_GCM_C: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating 
DISABLED-OAKLEY_AES_XCBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_CAMELLIA_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
OAKLEY_CAMELLIA_CTR: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_512: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_384: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_256: Ok
Aug 13 12:00:37 dst pluto[19668]: starting up 23 crypto helpers
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 0 (master fd 
10)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 1 (master fd 
13)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 2 (master fd 
15)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 3 (master fd 
17)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 4 (master fd 
19)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 5 (master fd 
21)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 6 (master fd 
23)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 7 (master fd 
25)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 8 (master fd 
27)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 9 (master fd 
29)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 10 (master 
fd 31)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 11 (master 
fd 33)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 12 (master 
fd 35)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 13 (master 
fd 37)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 14 (master 
fd 39)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 15 (master 
fd 41)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 16 (master 
fd 43)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 17 (master 
fd 45)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 18 (master 
fd 47)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 19 (master 
fd 49)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 20 (master 
fd 51)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 21 (master 
fd 53)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 22 (master 
fd 55)
Aug 13 12:00:37 dst pluto[19668]: Using Linux XFRM/NETKEY IPsec interface code 
on 2.6.32-642.3.1.el6.x86_64
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating aes_ccm_8: 
Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
aes_ccm_12: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating 
aes_ccm_16: Ok
Aug 13 12:00:37 dst pluto[19668]: | selinux support is NOT enabled.
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description 
"dst-to-src-on-80"
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description 
"v6neighbor-hole-in"
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description 
"v6neighbor-hole-out"
Aug 13 12:00:38 dst pluto[19668]: listening for IKE messages
Aug 13 12:00:38 dst pluto[19668]: adding interface bond0/bond0 10.88.180.151:500
Aug 13 12:00:38 dst pluto[19668]: adding interface bond0/bond0 
10.88.180.151:4500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo 127.0.0.1:500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo 127.0.0.1:4500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo ::1:500
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:500 fd 66
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:4500 fd 65
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:500 fd 64
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface bond0:4500 fd 
63
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface bond0:500 fd 62
Aug 13 12:00:38 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:00:38 dst pluto[19668]: loading secrets from 
"/etc/ipsec.d/ipsec.secrets"
Aug 13 12:00:38 dst pluto[19668]: loaded private key for keyid: PPK_RSA:
Aug 13 12:16:07 dst pluto[19668]: forgetting secrets
Aug 13 12:16:07 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:16:07 dst pluto[19668]: loading secrets from 
"/etc/ipsec.d/ipsec.secrets"
Aug 13 12:16:07 dst pluto[19668]: loaded private key for keyid: PPK_RSA:
Aug 13 12:20:29 dst pluto[19668]: forgetting secrets
Aug 13 12:20:29 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:20:29 dst pluto[19668]: loading secrets from 
"/etc/ipsec.d/ipsec.secrets"
Aug 13 12:20:29 dst pluto[19668]: loaded private key for keyid: PPK_RSA:

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
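As an added example (not part of the original post or of Libreswan), the two failure signatures above can be watched for automatically: the `ipsec status` output shows an erouted connection whose newest ISAKMP SA is #0 while an IPsec SA (#167) is still present, and the log then reports `DPD: could not find newest phase 1 state`. The Python below parses pluto log lines and `ipsec status` lines (sample input constructed from the post's own excerpts, with distinguished names shortened to `[...]`) and flags both that orphaned-SA condition and the cert-verify/INVALID_ID_INFORMATION failures, so an operator can alert on them instead of discovering them by hand.

```python
import re

# Constructed sample input, modelled on the pluto log and `ipsec status` lines
# quoted in the post (connection names, state numbers and addresses copied
# from it; distinguished names shortened to [...]).
PLUTO_LOG = """\
Aug 13 11:03:43 src pluto[4431]: "src-to-dst-on-80" #167: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9f042f6 <0x1949bfe3 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #168: received Delete SA payload: self-deleting ISAKMP State #168
Aug 13 11:51:59 src pluto[4431]: packet from 10.88.180.151:500: received and ignored empty informational notification payload
Aug 13 11:52:12 src pluto[4431]: "src-to-dst-on-80" #167: DPD: could not find newest phase 1 state
Aug 13 15:06:38 src pluto[4431]: "src-to-other-on-80" #347: cert verify failed with internal error
Aug 13 15:06:38 src pluto[4431]: "src-to-other-on-80" #347: Peer public key is not available for this exchange
Aug 13 15:06:38 src pluto[4431]: "src-to-other-on-80" #347: sending encrypted notification INVALID_ID_INFORMATION to 10.102.14.96:500
"""

IPSEC_STATUS = """\
000 "src-to-dst-on-80": 10.90.156.167<10.90.156.167>[...]...10.88.180.151<10.88.180.151>[...]:6/80; erouted; eroute owner: #167
000 "src-to-dst-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #167;
000 "dst-to-src-on-80": 10.88.180.151<10.88.180.151>[...]:6/80...10.90.156.167<10.90.156.167>[%fromcert]; prospective erouted; eroute owner: #0
000 "dst-to-src-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# A pluto log line that belongs to a connection looks like: ... "conn" #state: message
LOG_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Messages that mark the two failure modes described in the post.
AUTH_FAILURE_MARKERS = (
    "cert verify failed",
    "Peer public key is not available",
    "INVALID_ID_INFORMATION",
)
ORPHAN_MARKER = "DPD: could not find newest phase 1 state"

STATUS_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<body>.*)$')
SA_RE = re.compile(r"newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)")


def scan_pluto_log(text):
    """Map connection name -> set of findings seen in the pluto log lines."""
    findings = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # 'packet from ...' lines carry no connection name
        conn, msg = m["conn"], m["msg"]
        tags = findings.setdefault(conn, set())
        if any(marker in msg for marker in AUTH_FAILURE_MARKERS):
            tags.add("peer-auth-failure")
        if ORPHAN_MARKER in msg:
            tags.add("ipsec-sa-without-isakmp-sa")
    return {conn: tags for conn, tags in findings.items() if tags}


def orphaned_tunnels(text):
    """Connections from `ipsec status` that are erouted with a live IPsec SA but
    no ISAKMP SA (#0). With no phase 1 state, DPD logs the 'could not find
    newest phase 1 state' message instead of probing, so the configured
    dpdaction=restart never gets a chance to fire for that tunnel."""
    erouted, sas = set(), {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        conn, body = m["conn"], m["body"]
        # '; erouted;' is an installed policy; 'prospective erouted' is only a trap.
        if "; erouted;" in body:
            erouted.add(conn)
        sa = SA_RE.search(body)
        if sa:
            sas[conn] = (int(sa["isakmp"]), int(sa["ipsec"]))
    return sorted(c for c, (isakmp, ipsec) in sas.items()
                  if c in erouted and isakmp == 0 and ipsec != 0)


def report(log_text, status_text):
    """Combine both scans into one sorted alert list of (connection, finding)."""
    alerts = []
    for conn, tags in scan_pluto_log(log_text).items():
        alerts.extend((conn, tag) for tag in sorted(tags))
    for conn in orphaned_tunnels(status_text):
        alerts.append((conn, "orphaned-ipsec-sa-in-status"))
    return sorted(set(alerts))


if __name__ == "__main__":
    for conn, finding in report(PLUTO_LOG, IPSEC_STATUS):
        print(f"{conn}: {finding}")
```

On a live box the same functions can be fed `journalctl`/`/var/log/secure` output and `ipsec status` output instead of the embedded samples.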