We have intermittent tunnel failures that can usually be fixed by a manual
'ipsec auto --up <connection>'. This is not an acceptable requirement, though.
The source was declared dead by the destination which makes no sense as the
source was up/running and communicating with 15+ other peers at the time. I
decided to allow the tunnel failure to remain without manual intervention to
see if it would eventually fix itself and in this case it did. It appears as
though the tunnel was down for about 4 hours and appears it was 'fixed' very
close to 8 hours after the last rekey (15:40:17 - 23:35:47), which seems to be
the default salifetime. Even if the source was unavailable to the destination,
why did both sides stop trying to communicate and why did the source all of a
sudden decide to start communicating again (at 23:35:47)? Can anything be done
to diagnose, prevent, etc.?
conn dst-to-src-on-80
    leftid=%fromcert
    left=10.109.190.151
    rightid=%fromcert
    right=10.88.180.213
    rightrsasigkey=%cert
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    rightcert=dst.ourdomain.com
    rightsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=start

conn src-to-dst-on-80
    leftid=%fromcert
    left=10.109.190.151
    leftrsasigkey=%cert
    rightid=%fromcert
    right=10.88.180.213
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    leftcert=src.ourdomain.com
    leftsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=start
--------------------------- source log --------------------------------
Aug 23 15:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: keeping
refhim=4294901761 during rekey
...
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: responding to Main
Mode
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R2: sent
MR2, expecting MI3
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: Main mode peer ID
is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: certificate
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: I am sending my cert
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: Dead Peer Detection
(RFC 3706): enabled
Aug 23 17:29:20 src pluto[16315]: "src-to-dst-on-80" #7185: deleting state
#7185 (STATE_MAIN_R3)
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: responding to Main
Mode
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R2: sent
MR2, expecting MI3
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: Main mode peer ID
is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: certificate
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: I am sending my cert
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: Dead Peer Detection
(RFC 3706): enabled
Aug 23 18:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: deleting state
#7202 (STATE_MAIN_R3)
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: responding to Main
Mode
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R2: sent
MR2, expecting MI3
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: Main mode peer ID
is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: certificate
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: I am sending my cert
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: Dead Peer Detection
(RFC 3706): enabled
Aug 23 19:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: deleting state
#7221 (STATE_MAIN_R3)
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7248: received Delete SA
payload: self-deleting ISAKMP State #7248
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7248: deleting state
#7248 (STATE_MAIN_R3)
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received and
ignored empty informational notification payload
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: responding to Main
Mode
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: responding to Main
Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: responding to Main
Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: responding to Main
Mode
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: responding to Main
Mode
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: responding to Main
Mode
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:25:51 src pluto[16315]: "src-to-dst-on-80" #7165: DPD: could not find
newest phase 1 state
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: responding to Main
Mode
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received
Vendor ID payload [RFC 3947]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: responding to Main
Mode
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: deleting state
#7262 (STATE_MAIN_R1)
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7263: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7263: deleting state
#7263 (STATE_MAIN_R1)
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7264: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7264: deleting state
#7264 (STATE_MAIN_R1)
Aug 23 19:26:47 src pluto[16315]: "src-to-dst-on-80" #7265: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:47 src pluto[16315]: "src-to-dst-on-80" #7265: deleting state
#7265 (STATE_MAIN_R1)
Aug 23 19:26:49 src pluto[16315]: "src-to-dst-on-80" #7267: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:49 src pluto[16315]: "src-to-dst-on-80" #7267: deleting state
#7267 (STATE_MAIN_R1)
Aug 23 19:26:53 src pluto[16315]: "src-to-dst-on-80" #7272: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:53 src pluto[16315]: "src-to-dst-on-80" #7272: deleting state
#7272 (STATE_MAIN_R1)
Aug 23 19:27:01 src pluto[16315]: "src-to-dst-on-80" #7279: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:27:01 src pluto[16315]: "src-to-dst-on-80" #7279: deleting state
#7279 (STATE_MAIN_R1)
Aug 23 19:27:17 src pluto[16315]: "src-to-dst-on-80" #7283: max number of
retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:27:17 src pluto[16315]: "src-to-dst-on-80" #7283: deleting state
#7283 (STATE_MAIN_R1)
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: initiating Main Mode
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID
payload [Dead Peer Detection]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID
payload [FRAGMENTATION]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID
payload [RFC 3947]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I2: sent
MI2, expecting MR2
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: I am sending my cert
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: I am sending a
certificate request
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I3: sent
MI3, expecting MR3
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID
payload [CAN-IKEv2]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: Main mode peer ID
is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: certificate
CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I4:
ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: Dead Peer Detection
(RFC 3706): enabled
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7388: initiating Quick
Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
{using isakmp#7387 msgid:6e9c076c proposal=AES_GCM_C(20)_128-NONE(0)_000
pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: Dead Peer Detection
(RFC 3706): enabled
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: STATE_QUICK_I2:
sent QI2, IPsec SA established tunnel mode {ESP=>0x3e9a9ad2 <0x63abe737
xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 23 23:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: deleting state
#7165 (STATE_QUICK_R2)
Aug 23 23:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: ESP traffic
information: in=2KB out=2KB
--------------------------- destination log --------------------------------
Aug 23 17:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: Dead Peer Detection
(RFC 3706): enabled
Aug 23 17:29:20 dst pluto[3368]: "dst-to-src-on-80" #748: received Delete SA
payload: self-deleting ISAKMP State #748
Aug 23 17:29:20 dst pluto[3368]: "dst-to-src-on-80" #748: deleting state #748
(STATE_MAIN_I4)
Aug 23 17:29:20 dst pluto[3368]: packet from 10.109.190.151:500: received and
ignored empty informational notification payload
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: initiating Main Mode
to replace #751
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID
payload [Dead Peer Detection]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID
payload [FRAGMENTATION]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID
payload [RFC 3947]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I2: sent
MI2, expecting MR2
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: I am sending my cert
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: I am sending a
certificate request
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I3: sent
MI3, expecting MR3
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID
payload [CAN-IKEv2]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: certificate
CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I4: ISAKMP
SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: Dead Peer Detection
(RFC 3706): enabled
Aug 23 18:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: received Delete SA
payload: self-deleting ISAKMP State #751
Aug 23 18:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: deleting state #751
(STATE_MAIN_I4)
Aug 23 18:13:52 dst pluto[3368]: packet from 10.109.190.151:500: received and
ignored empty informational notification payload
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: initiating Main Mode
to replace #754
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID
payload [Dead Peer Detection]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID
payload [FRAGMENTATION]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID
payload [RFC 3947]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I2: sent
MI2, expecting MR2
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: I am sending my cert
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: I am sending a
certificate request
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I3: sent
MI3, expecting MR3
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID
payload [CAN-IKEv2]
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: certificate
CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I4: ISAKMP
SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: Dead Peer Detection
(RFC 3706): enabled
Aug 23 19:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Delete SA
payload: self-deleting ISAKMP State #754
Aug 23 19:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: deleting state #754
(STATE_MAIN_I4)
Aug 23 19:01:16 dst pluto[3368]: packet from 10.109.190.151:500: received and
ignored empty informational notification payload
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: No response from
peer - declaring peer dead
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: Restarting all
connections that share this peer
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: terminating SAs using
this connection
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #745: deleting state #745
(STATE_QUICK_I2)
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #745: ESP traffic
information: in=0B out=1KB
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: deleting state #757
(STATE_MAIN_I4)
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #760: initiating Main Mode
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: max number of
retransmissions (8) reached STATE_MAIN_I1. No response (or no acceptable
response) to our first IKEv1 message
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: deleting state #760
(STATE_MAIN_I1)
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received
Vendor ID payload [Dead Peer Detection]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received
Vendor ID payload [FRAGMENTATION]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received
Vendor ID payload [RFC 3947]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: responding to Main
Mode
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R1: sent
MR1, expecting MI2
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R2: sent
MR2, expecting MI3
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: certificate
CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: I am sending my cert
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256
group=MODP1536}
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: Dead Peer Detection
(RFC 3706): enabled
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: the peer proposed:
10.88.180.213/32:6/80 -> 10.109.190.151/32:0/0
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: responding to Quick
Mode proposal {msgid:6e9c076c}
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: us:
10.88.180.213<10.88.180.213>[C=US, O=YYY, OU=ZZZZZ-IPSEC,
CN=dst.ourdomain.com]:6/80
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: them:
10.109.190.151<10.109.190.151>[C=US, O=YYY, OU=ZZZZZ-IPSEC,
CN=src.ourdomain.com]
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x63abe737
<0x3e9a9ad2 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: Dead Peer Detection
(RFC 3706): enabled
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R2: IPsec
SA established tunnel mode {ESP=>0x63abe737 <0x3e9a9ad2 xfrm=AES_GCM_C_128-NONE
NATOA=none NATD=none DPD=active}
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
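To turn the two logs above into answers to "when did it go down, for how long, and in which direction were packets lost", here is an added Python example (not from the post or from libreswan) that parses pluto syslog lines like these into a timeline, measures the gap between the first failure sign and the next ISAKMP SA, and reads the Main Mode state in which retransmissions were exhausted to infer which half of the IKE exchange was being lost. The sample lines are abridged from the source and destination logs in the post; the direction rule in diagnose_direction() is this example's own heuristic, not a pluto feature.

```python
# Outage timeline from libreswan pluto (IKEv1) syslog lines.
import re
from datetime import datetime, timedelta

# syslog prefix, then pluto's optional '"conn" #state: ' tag, then the message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

# message fragments that mark the events we track; first match wins
EVENT_PATTERNS = [
    ("dpd_dead", re.compile(r"DPD: No response from peer")),
    ("dpd_no_phase1", re.compile(r"DPD: could not find newest phase 1 state")),
    ("retransmit_fail", re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")),
    ("isakmp_up", re.compile(r"ISAKMP SA established")),
    ("ipsec_up", re.compile(r"IPsec SA established")),
    ("initiate", re.compile(r"initiating Main Mode")),
    ("respond", re.compile(r"responding to Main Mode")),
]


def parse_line(line):
    """Return an event dict for one pluto line, or None if it is not an event we track."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for kind, pat in EVENT_PATTERNS:
        hit = pat.search(m.group("msg"))
        if hit:
            return {
                # syslog carries no year; strptime fills a default, fine for same-day deltas
                "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                "host": m.group("host"),
                "conn": m.group("conn"),
                "state": int(m.group("state")) if m.group("state") else None,
                "kind": kind,
                "detail": hit.group(1) if hit.groups() else "",
            }
    return None


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_outages(events, min_gap=timedelta(minutes=30)):
    """Outage = first failure sign (DPD dead / retransmit exhaustion) until the next
    ISAKMP SA on this host; reported only if it lasted at least min_gap."""
    outages, start = [], None
    for e in events:
        if e["kind"] in ("dpd_dead", "retransmit_fail") and start is None:
            start = e["ts"]
        elif e["kind"] == "isakmp_up" and start is not None:
            if e["ts"] - start >= min_gap:
                outages.append((start, e["ts"], e["ts"] - start))
            start = None
    return outages


def diagnose_direction(events):
    """Heuristic (this example's assumption): the Main Mode state in which retransmissions
    ran out tells which half of the exchange was lost. I1 = our MI1 never drew an MR1;
    R1 = the peer's MI1 reached us, but our MR1 never drew an MI2."""
    verdicts = set()
    for e in events:
        if e["kind"] != "retransmit_fail":
            continue
        if e["detail"] == "STATE_MAIN_I1":
            verdicts.add("no reply to our MI1: nothing from the peer reaches us")
        elif e["detail"] == "STATE_MAIN_R1":
            verdicts.add("peer's MI1 reaches us but our MR1 draws no MI2: outbound path suspect")
    return sorted(verdicts)


# constructed sample input: lines abridged from the post's source and destination logs
SRC_LOG = """\
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG}
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: responding to Main Mode
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:51 src pluto[16315]: "src-to-dst-on-80" #7165: DPD: could not find newest phase 1 state
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: initiating Main Mode
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG}
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
"""
DST_LOG = """\
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG}
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: No response from peer - declaring peer dead
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #760: initiating Main Mode
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: max number of retransmissions (8) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKEv1 message
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG}
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R2: IPsec SA established tunnel mode
"""

if __name__ == "__main__":
    for host, text in (("src", SRC_LOG), ("dst", DST_LOG)):
        events = parse_log(text)
        for start, end, dur in find_outages(events):
            print(f"{host}: tunnel down {start:%H:%M:%S} -> {end:%H:%M:%S} ({dur})")
        for verdict in diagnose_direction(events):
            print(f"{host}: {verdict}")
```

Run against the full logs from both peers, a responder dying in STATE_MAIN_R1 on one side while the initiator dies in STATE_MAIN_I1 on the other points at a one-way path problem during the window rather than at DPD itself.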