On Wednesday, 9 May 2018 19:48:20 CEST you wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
>
> > Now I have the routes in question. But still no internet connectivity.
>
> > 000
> > 000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> > EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1;
> > idle; import:admin initiate
> > 000 #2: "my-vpn" [email protected] [email protected]
> > [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B
> > ESPout=2KB! ESPmax=4194303B username=myself
>
> This is odd. Your IKE SA established, set up the IPsec SA successfully,
> and then vanished?
>
> > rather /etc/ipsec.d # ip r
> > 0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric
> > 2007
> > 128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > 192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric
> > 200
>
> That looks good.
>
> > Am I supposed to have some iptables rules? I have none so far:
>
> Nope.
>
> What does "ipsec whack --trafficstatus" show for the traffic counters?

rather ~ # ipsec whack --trafficstatus
006 #2: "my-vpn", username=myself, type=ESP, add_time=1525892039, inBytes=0, outBytes=95061

> It would be useful to see the pluto logs too and see why your IKE SA
> died.

May 9 20:53:22 rather pluto[31225]: NSS DB directory: sql:/etc/ipsec.d
May 9 20:53:22 rather pluto[31225]: Initializing NSS
May 9 20:53:22 rather pluto[31225]: Opening NSS database "sql:/etc/ipsec.d"
read-only
May 9 20:53:22 rather pluto[31225]: NSS initialized
May 9 20:53:22 rather pluto[31225]: NSS crypto library initialized
May 9 20:53:22 rather pluto[31225]: FIPS HMAC integrity support [disabled]
May 9 20:53:22 rather pluto[31225]: libcap-ng support [disabled]
May 9 20:53:22 rather pluto[31225]: Linux audit support [disabled]
May 9 20:53:22 rather pluto[31225]: Starting Pluto (Libreswan Version 3.24rc4
XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SECCOMP XAUTH_PAM
NETWORKMANAGER) pid:31225
May 9 20:53:22 rather pluto[31225]: core dump dir: /run/pluto
May 9 20:53:22 rather pluto[31225]: secrets file: /etc/ipsec.secrets
May 9 20:53:22 rather pluto[31225]: leak-detective disabled
May 9 20:53:22 rather pluto[31225]: NSS crypto [enabled]
May 9 20:53:22 rather pluto[31225]: XAUTH PAM support [enabled]
May 9 20:53:22 rather pluto[31225]: NAT-Traversal support [enabled]
May 9 20:53:22 rather pluto[31225]: Initializing libevent in pthreads mode:
headers: 2.1.7-beta (2010700); library: 2.1.7-beta (2010700)
May 9 20:53:22 rather pluto[31225]: Encryption algorithms:
May 9 20:53:22 rather pluto[31225]: AES_CCM_16 IKEv1: ESP
IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
May 9 20:53:22 rather pluto[31225]: AES_CCM_12 IKEv1: ESP
IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
May 9 20:53:22 rather pluto[31225]: AES_CCM_8 IKEv1: ESP
IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
May 9 20:53:22 rather pluto[31225]: 3DES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS [*192] (3des)
May 9 20:53:22 rather pluto[31225]: CAMELLIA_CTR IKEv1: ESP
IKEv2: ESP {256,192,*128}
May 9 20:53:22 rather pluto[31225]: CAMELLIA_CBC IKEv1: IKE ESP
IKEv2: IKE ESP {256,192,*128} (camellia)
May 9 20:53:22 rather pluto[31225]: AES_GCM_16 IKEv1: ESP
IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
May 9 20:53:22 rather pluto[31225]: AES_GCM_12 IKEv1: ESP
IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
May 9 20:53:22 rather pluto[31225]: AES_GCM_8 IKEv1: ESP
IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
May 9 20:53:22 rather pluto[31225]: AES_CTR IKEv1: IKE ESP
IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
May 9 20:53:22 rather pluto[31225]: AES_CBC IKEv1: IKE ESP
IKEv2: IKE ESP FIPS {256,192,*128} (aes)
May 9 20:53:22 rather pluto[31225]: SERPENT_CBC IKEv1: IKE ESP
IKEv2: IKE ESP {256,192,*128} (serpent)
May 9 20:53:22 rather pluto[31225]: TWOFISH_CBC IKEv1: IKE ESP
IKEv2: IKE ESP {256,192,*128} (twofish)
May 9 20:53:22 rather pluto[31225]: TWOFISH_SSH IKEv1: IKE
IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
May 9 20:53:22 rather pluto[31225]: CAST_CBC IKEv1: ESP
IKEv2: ESP {*128} (cast)
May 9 20:53:22 rather pluto[31225]: NULL_AUTH_AES_GMAC IKEv1: ESP
IKEv2: ESP {256,192,*128} (aes_gmac)
May 9 20:53:22 rather pluto[31225]: NULL IKEv1: ESP
IKEv2: ESP []
May 9 20:53:22 rather pluto[31225]: Hash algorithms:
May 9 20:53:22 rather pluto[31225]: MD5 IKEv1: IKE
IKEv2:
May 9 20:53:22 rather pluto[31225]: SHA1 IKEv1: IKE
IKEv2: FIPS (sha)
May 9 20:53:22 rather pluto[31225]: SHA2_256 IKEv1: IKE
IKEv2: FIPS (sha2 sha256)
May 9 20:53:22 rather pluto[31225]: SHA2_384 IKEv1: IKE
IKEv2: FIPS (sha384)
May 9 20:53:22 rather pluto[31225]: SHA2_512 IKEv1: IKE
IKEv2: FIPS (sha512)
May 9 20:53:22 rather pluto[31225]: PRF algorithms:
May 9 20:53:22 rather pluto[31225]: HMAC_MD5 IKEv1: IKE
IKEv2: IKE (md5)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA1 IKEv1: IKE
IKEv2: IKE FIPS (sha sha1)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_256 IKEv1: IKE
IKEv2: IKE FIPS (sha2 sha256 sha2_256)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_384 IKEv1: IKE
IKEv2: IKE FIPS (sha384 sha2_384)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_512 IKEv1: IKE
IKEv2: IKE FIPS (sha512 sha2_512)
May 9 20:53:22 rather pluto[31225]: AES_XCBC IKEv1:
IKEv2: IKE (aes128_xcbc)
May 9 20:53:22 rather pluto[31225]: Integrity algorithms:
May 9 20:53:22 rather pluto[31225]: HMAC_MD5_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (md5 hmac_md5)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA1_96 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
May 9 20:53:22 rather pluto[31225]: AES_XCBC_96 IKEv1: ESP AH
IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
May 9 20:53:22 rather pluto[31225]: AES_CMAC_96 IKEv1: ESP AH
IKEv2: ESP AH FIPS (aes_cmac)
May 9 20:53:22 rather pluto[31225]: NONE IKEv1: ESP
IKEv2: ESP FIPS (null)
May 9 20:53:22 rather pluto[31225]: DH algorithms:
May 9 20:53:22 rather pluto[31225]: NONE IKEv1:
IKEv2: IKE ESP AH (null dh0)
May 9 20:53:22 rather pluto[31225]: MODP1024 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh2)
May 9 20:53:22 rather pluto[31225]: MODP1536 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH (dh5)
May 9 20:53:22 rather pluto[31225]: MODP2048 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh14)
May 9 20:53:22 rather pluto[31225]: MODP3072 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh15)
May 9 20:53:22 rather pluto[31225]: MODP4096 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh16)
May 9 20:53:22 rather pluto[31225]: MODP6144 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh17)
May 9 20:53:22 rather pluto[31225]: MODP8192 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS (dh18)
May 9 20:53:22 rather pluto[31225]: DH19 IKEv1: IKE
IKEv2: IKE ESP AH FIPS (ecp_256)
May 9 20:53:22 rather pluto[31225]: DH20 IKEv1: IKE
IKEv2: IKE ESP AH FIPS (ecp_384)
May 9 20:53:22 rather pluto[31225]: DH21 IKEv1: IKE
IKEv2: IKE ESP AH FIPS (ecp_521)
May 9 20:53:22 rather pluto[31225]: DH23 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
May 9 20:53:22 rather pluto[31225]: DH24 IKEv1: IKE ESP AH
IKEv2: IKE ESP AH FIPS
May 9 20:53:22 rather pluto[31225]: starting up 3 crypto helpers
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 0
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 1
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 2
May 9 20:53:22 rather pluto[31225]: Using Linux XFRM/NETKEY IPsec interface
code on 4.16.5
May 9 20:53:22 rather pluto[31225]: added connection description "my-vpn"
May 9 20:53:22 rather pluto[31225]: listening for IKE messages
May 9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0
192.168.178.21:500
May 9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0
192.168.178.21:4500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:4500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo ::1:500
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 19
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:4500 fd
18
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 17
May 9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:4500
fd 16
May 9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:500
fd 15
May 9 20:53:22 rather pluto[31225]: loading secrets from "/etc/ipsec.secrets"
May 9 20:53:49 rather pluto[31225]: "my-vpn": deleting non-instance connection
May 9 20:53:49 rather pluto[31225]: added connection description "my-vpn"
May 9 20:53:49 rather pluto[31225]: "my-vpn": IKEv1 Aggressive Mode with PSK
is vulnerable to dictionary attacks and is cracked on large scale by TLA's
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in
aggressive mode can cause interop failure
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in
the hopes of selecting DH 2 or DH 5
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: initiating Aggressive Mode
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in
aggressive mode can cause interop failure
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in
the hopes of selecting DH 2 or DH 5
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: ignoring unknown Vendor ID
payload [8299031757a36082c6a621de000502f2]
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR:
'xxx.xxx.xxx.5'
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR:
'xxx.xxx.xxx.5'
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2,
ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Answering XAUTH
challenge with user='myself'
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client
- possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1:
retransmission; will wait 0.5 seconds for response
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received old or
duplicate R_U_THERE
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3
duplicate R_U_THERE's - will reluctantly answer
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Successfully
Authenticated
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client
- possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: modecfg: Sending IP request
(MODECFG_I1)
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received IPv4 address:
xxx.xxx.xxx.193/32
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server
xxx.xxx.xxx.116
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server
xxx.xxx.xxx.117
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received subnet 0.0.0.0/0
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Subnet 0.0.0.0/0 already has
an spd_route - ignoring
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:f792899c proposal=AES_CBC_256-HMAC_SHA1_96-MODP1536
pfsgroup=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: ignoring informational
payload IPSEC_RESPONDER_LIFETIME, msgid=f792899c, length=28
May 9 20:53:59 rather pluto[31225]: | ISAKMP Notification Payload
May 9 20:53:59 rather pluto[31225]: | 00 00 00 1c 00 00 00 01 03 04 60 00
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: updating
resolvconf
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: backup
resolv.conf exists, but current resolv.conf is not generated by Libreswan
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=xxx.xxx.xxx.5:4500 DPD=passive
username=myself}
May 9 20:54:01 rather pluto[31225]: "my-vpn" #2: retransmitting in response to
duplicate packet; already STATE_QUICK_I2
May 9 20:54:05 rather pluto[31225]: "my-vpn" #2: retransmitting in response to
duplicate packet; already STATE_QUICK_I2
May 9 20:54:13 rather pluto[31225]: "my-vpn" #2: discarding duplicate packet
-- exhausted retransmission; already STATE_QUICK_I2
May 9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received old or
duplicate R_U_THERE
May 9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3
duplicate R_U_THERE's - will reluctantly answer
May 9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received old or
duplicate R_U_THERE
May 9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3
duplicate R_U_THERE's - will reluctantly answer
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload:
self-deleting ISAKMP State #1
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: deleting state
(STATE_MAIN_I4) and sending notification
May 9 20:54:24 rather pluto[31225]: packet from xxx.xxx.xxx.5:4500: received
and ignored empty informational notification payload
May 9 20:54:35 rather pluto[31225]: forgetting secrets
May 9 20:54:35 rather pluto[31225]: "my-vpn": deleting non-instance connection
May 9 20:54:35 rather pluto[31225]: "my-vpn" #2: deleting state
(STATE_QUICK_I2) and sending notification
May 9 20:54:35 rather pluto[31225]: "my-vpn" #2: ESP traffic information:
in=101KB out=0B XAUTHuser=myself
May 9 20:54:35 rather pluto[31225]: "my-vpn": unroute-client output: need at
least a destination address
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo ::1:500
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo
127.0.0.1:4500
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo 127.0.0.1:500
May 9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0
192.168.178.21:4500
May 9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0
192.168.178.21:500

Hope this helps.
thanks and cheers
t.
> Paul
>
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
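
Added example, not part of the original message and not Libreswan code: a small Python helper that rejoins the mail-wrapped pluto records and extracts a per-SA timeline, so that the question "why did the IKE SA die" can be read straight off the log, plus a check for the one-directional counters that `ipsec whack --trafficstatus` reported. The function names (`unwrap`, `sa_timeline`, `one_way`) are hypothetical; the sample lines are an excerpt of the log quoted above.

```python
import re

# Excerpt of the pluto log quoted in this message, still wrapped the way the
# mail client wrapped it (continuation lines lack a syslog timestamp).
SAMPLE_LOG = '''\
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2,
ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=xxx.xxx.xxx.5:4500 DPD=passive
username=myself}
May 9 20:54:13 rather pluto[31225]: "my-vpn" #2: discarding duplicate packet
-- exhausted retransmission; already STATE_QUICK_I2
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload:
self-deleting ISAKMP State #1
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: deleting state
(STATE_MAIN_I4) and sending notification
'''
SAMPLE_TRAFFIC = ('006 #2: "my-vpn", username=myself, type=ESP, '
                  'add_time=1525892039, inBytes=0, outBytes=95061')

STAMP = re.compile(r'^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ')
ENTRY = re.compile(r'^(?P<ts>\w+ +\d+ [\d:]+) \S+ pluto\[\d+\]: '
                   r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += ' ' + line.strip()
    return records


def sa_timeline(text):
    """Return {sa_number: [(time, event, detail), ...]} for key SA events."""
    timeline = {}
    for rec in unwrap(text):
        m = ENTRY.match(rec)
        if not m:
            continue
        msg, event = m['msg'], None
        if 'SA established' in msg:
            event = 'established'
        elif 'received Delete SA payload' in msg:
            event = 'peer-delete'      # the remote end tore the SA down
        elif msg.startswith('deleting state'):
            event = 'local-delete'
        elif 'duplicate packet' in msg:
            event = 'peer-retransmit'  # peer resent a message we already handled
        if event:
            time = m['ts'].split()[-1]
            timeline.setdefault(int(m['sa']), []).append((time, event, msg))
    return timeline


def one_way(trafficstatus_line):
    """True when an SA carries bytes in only one direction."""
    counters = dict(re.findall(r'(inBytes|outBytes)=(\d+)', trafficstatus_line))
    sent, received = int(counters['outBytes']), int(counters['inBytes'])
    return (sent > 0) != (received > 0)


if __name__ == '__main__':
    for sa, events in sorted(sa_timeline(SAMPLE_LOG).items()):
        for time, event, detail in events:
            print(f'#{sa} {time} {event:16} {detail}')
    print('one-way traffic:', one_way(SAMPLE_TRAFFIC))
```
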