Hi all.
We are using libreswan between two different Red Hat servers and want to do
host-to-host transport tunnel encryption to port 8080.
Left: RHEL 7.6 (SELinux set to Permissive)
libreswan version: libreswan-3.25-2.el7.x86_64
Right: RHEL 6.10
libreswan version: libreswan-3.15-7.5.el6_9.x86_64
I initialized the NSS DB:
ipsec initnss
I imported the certificates and used their nicknames to reference them in the
connection config file.
They seem to talk to each other, but then the message "sending encrypted
notification INVALID_ID_INFORMATION" appears.
I have to say that the left certificate has a CN which contains a
left-server alias for a load balancer, which is not yet in place. But the
certificate also has a SAN list which contains the correct hostname.
But if libreswan ignores the SAN and checks for the exact entry in the first DN,
then this will fail.
Can you say whether libreswan also checks the SAN entries?
pluto.log from server right:
Jan 31 18:28:23: added connection description "cloud_core_tunnel"
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload [Dead
Peer Detection]
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload
[FRAGMENTATION]
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload [RFC
3947]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
Jan 31 18:31:13: "cloud_core_tunnel" #681: enabling possible NAT-traversal with
method RFC 3947 (NAT-Traversal)
Jan 31 18:31:13: "cloud_core_tunnel" #681: responding to Main Mode
Jan 31 18:31:13: "cloud_core_tunnel" #681: transition from state STATE_MAIN_R0
to state STATE_MAIN_R1
Jan 31 18:31:13: "cloud_core_tunnel" #681: STATE_MAIN_R1: sent MR1, expecting
MI2
Jan 31 18:31:13: "cloud_core_tunnel" #681: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected
Jan 31 18:31:13: "cloud_core_tunnel" #681: transition from state STATE_MAIN_R1
to state STATE_MAIN_R2
Jan 31 18:31:13: "cloud_core_tunnel" #681: STATE_MAIN_R2: sent MR2, expecting
MI3
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:14: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:14: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:15: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:15: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:15: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:15: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:17: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:17: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:17: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:17: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:21: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:21: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:21: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:21: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:29: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN:
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:29: "cloud_core_tunnel" #681: EXPECTATION FAILED at
/var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843:
r != NULL
Jan 31 18:31:29: "cloud_core_tunnel" #681: no suitable connection for peer
'<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:29: "cloud_core_tunnel" #681: sending encrypted notification
INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:36: "cloud_core_tunnel": deleting connection
Jan 31 18:31:36: "cloud_core_tunnel" #681: deleting state #681 (STATE_MAIN_R2)
Jan 31 18:31:36: added connection description "cloud_core_tunnel"
Jan 31 18:31:43: "cloud_core_tunnel" #682: initiating Main Mode
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload [Dead
Peer Detection]
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload
[FRAGMENTATION]
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload [RFC 3947]
Jan 31 18:31:43: "cloud_core_tunnel" #682: enabling possible NAT-traversal with
method RFC 3947 (NAT-Traversal)
Jan 31 18:31:43: "cloud_core_tunnel" #682: transition from state STATE_MAIN_I1
to state STATE_MAIN_I2
Jan 31 18:31:43: "cloud_core_tunnel" #682: STATE_MAIN_I2: sent MI2, expecting
MR2
Jan 31 18:31:43: "cloud_core_tunnel" #682: NAT-Traversal: Result using RFC 3947
(NAT-Traversal) sender port 500: no NAT detected
Jan 31 18:31:43: "cloud_core_tunnel" #682: I am sending my cert
Jan 31 18:31:43: "cloud_core_tunnel" #682: I am sending a certificate request
Jan 31 18:31:43: "cloud_core_tunnel" #682: transition from state STATE_MAIN_I2
to state STATE_MAIN_I3
Jan 31 18:31:43: "cloud_core_tunnel" #682: STATE_MAIN_I3: sent MI3, expecting
MR3
Jan 31 18:31:43: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:43: | ISAKMP Notification Payload
Jan 31 18:31:43: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:43: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:43: "cloud_core_tunnel" #682: discarding duplicate packet; already
STATE_MAIN_I3
Jan 31 18:31:43: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:43: | ISAKMP Notification Payload
Jan 31 18:31:43: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:43: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:44: "cloud_core_tunnel" #682: discarding duplicate packet; already
STATE_MAIN_I3
Jan 31 18:31:44: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:44: | ISAKMP Notification Payload
Jan 31 18:31:44: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:44: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:45: "cloud_core_tunnel" #682: discarding duplicate packet; already
STATE_MAIN_I3
Jan 31 18:31:45: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:45: | ISAKMP Notification Payload
Jan 31 18:31:45: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:45: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:31:47: "cloud_core_tunnel" #682: discarding duplicate packet; already
STATE_MAIN_I3
Jan 31 18:31:47: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:47: | ISAKMP Notification Payload
Jan 31 18:31:47: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:47: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:51: "cloud_core_tunnel" #682: discarding duplicate packet; already
STATE_MAIN_I3
Jan 31 18:31:51: "cloud_core_tunnel" #682: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:51: | ISAKMP Notification Payload
Jan 31 18:31:51: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:51: "cloud_core_tunnel" #682: received and ignored informational
message
Jan 31 18:31:54: "cloud_core_tunnel": terminating SAs using this connection
Jan 31 18:31:54: "cloud_core_tunnel" #682: deleting state #682 (STATE_MAIN_I3)
Jan 31 18:31:59: packet from <left-IP>:500: phase 1 message is part of an
unknown exchange
Jan 31 18:32:24: "cloud_core_tunnel": deleting connection
pluto.log from server left:
Jan 31 18:30:59.087939: shutting down
Jan 31 18:30:59.088214: forgetting secrets
Jan 31 18:30:59.088246: shutting down interface eth1/eth1 <left-IP>:4500
Jan 31 18:30:59.088251: shutting down interface eth1/eth1 <left-IP>:500
Jan 31 18:30:59.088662: leak detective found no leaks
Jan 31 18:31:02.693356: FIPS Product: NO
Jan 31 18:31:02.693488: FIPS Kernel: NO
Jan 31 18:31:02.693492: FIPS Mode: NO
Jan 31 18:31:02.693496: NSS DB directory: sql:/etc/ipsec.d
Jan 31 18:31:02.693578: Initializing NSS
Jan 31 18:31:02.693601: Opening NSS database "sql:/etc/ipsec.d" read-only
Jan 31 18:31:02.815400: NSS initialized
Jan 31 18:31:02.815418: NSS crypto library initialized
Jan 31 18:31:02.815423: FIPS HMAC integrity support [enabled]
Jan 31 18:31:02.815427: FIPS mode disabled for pluto daemon
Jan 31 18:31:02.840930: FIPS HMAC integrity verification self-test passed
Jan 31 18:31:02.841604: libcap-ng support [enabled]
Jan 31 18:31:02.841616: Linux audit support [enabled]
Jan 31 18:31:02.841804: Linux audit activated
Jan 31 18:31:02.841811: Starting Pluto (Libreswan Version 3.25 XFRM(netkey)
KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS DNSSEC SYSTEMD_WATCHDOG
FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER
CURL(non-NSS) LDAP(non-NSS)) pid:58065
Jan 31 18:31:02.841815: core dump dir: /run/pluto
Jan 31 18:31:02.841819: secrets file: /etc/ipsec.secrets
Jan 31 18:31:02.841822: leak-detective enabled
Jan 31 18:31:02.841836: NSS crypto [enabled]
Jan 31 18:31:02.841840: XAUTH PAM support [enabled]
Jan 31 18:31:02.841900: NAT-Traversal support [enabled]
Jan 31 18:31:02.841926: Initializing libevent in pthreads mode: headers:
2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Jan 31 18:31:02.842148: Encryption algorithms:
Jan 31 18:31:02.842161: AES_CCM_16 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Jan 31 18:31:02.842174: AES_CCM_12 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} (aes_ccm_b)
Jan 31 18:31:02.842181: AES_CCM_8 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} (aes_ccm_a)
Jan 31 18:31:02.842188: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP
FIPS [*192] (3des)
Jan 31 18:31:02.842195: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP
{256,192,*128}
Jan 31 18:31:02.842201: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP
{256,192,*128} (camellia)
Jan 31 18:31:02.842207: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Jan 31 18:31:02.842213: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} (aes_gcm_b)
Jan 31 18:31:02.842220: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} (aes_gcm_a)
Jan 31 18:31:02.842226: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP
FIPS {256,192,*128} (aesctr)
Jan 31 18:31:02.842231: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP
FIPS {256,192,*128} (aes)
Jan 31 18:31:02.842237: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP
{256,192,*128} (serpent)
Jan 31 18:31:02.842243: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP
{256,192,*128} (twofish)
Jan 31 18:31:02.842250: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP
{256,192,*128} (twofish_cbc_ssh)
Jan 31 18:31:02.842256: CAST_CBC IKEv1: ESP IKEv2: ESP
{*128} (cast)
Jan 31 18:31:02.842262: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP
{256,192,*128} (aes_gmac)
Jan 31 18:31:02.842266: NULL IKEv1: ESP IKEv2: ESP
[]
Jan 31 18:31:02.842274: Hash algorithms:
Jan 31 18:31:02.842279: MD5 IKEv1: IKE IKEv2:
Jan 31 18:31:02.842283: SHA1 IKEv1: IKE IKEv2:
FIPS (sha)
Jan 31 18:31:02.842287: SHA2_256 IKEv1: IKE IKEv2:
FIPS (sha2 sha256)
Jan 31 18:31:02.842291: SHA2_384 IKEv1: IKE IKEv2:
FIPS (sha384)
Jan 31 18:31:02.842294: SHA2_512 IKEv1: IKE IKEv2:
FIPS (sha512)
Jan 31 18:31:02.842302: PRF algorithms:
Jan 31 18:31:02.842307: HMAC_MD5 IKEv1: IKE IKEv2: IKE
(md5)
Jan 31 18:31:02.842311: HMAC_SHA1 IKEv1: IKE IKEv2: IKE
FIPS (sha sha1)
Jan 31 18:31:02.842314: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE
FIPS (sha2 sha256 sha2_256)
Jan 31 18:31:02.842318: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE
FIPS (sha384 sha2_384)
Jan 31 18:31:02.842323: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE
FIPS (sha512 sha2_512)
Jan 31 18:31:02.842327: AES_XCBC IKEv1: IKEv2: IKE
FIPS (aes128_xcbc)
Jan 31 18:31:02.842336: Integrity algorithms:
Jan 31 18:31:02.842340: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH (md5 hmac_md5)
Jan 31 18:31:02.842344: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (sha sha1 sha1_96 hmac_sha1)
Jan 31 18:31:02.842348: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (sha512 sha2_512 hmac_sha2_512)
Jan 31 18:31:02.842352: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (sha384 sha2_384 hmac_sha2_384)
Jan 31 18:31:02.842356: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Jan 31 18:31:02.842360: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP
AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
Jan 31 18:31:02.842364: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP
AH FIPS (aes_cmac)
Jan 31 18:31:02.842368: NONE IKEv1: ESP IKEv2: ESP
FIPS (null)
Jan 31 18:31:02.842378: DH algorithms:
Jan 31 18:31:02.842382: NONE IKEv1: IKEv2: IKE ESP
AH (null dh0)
Jan 31 18:31:02.842388: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH (dh2)
Jan 31 18:31:02.842393: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH (dh5)
Jan 31 18:31:02.842397: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (dh14)
Jan 31 18:31:02.842400: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (dh15)
Jan 31 18:31:02.842404: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (dh16)
Jan 31 18:31:02.842408: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (dh17)
Jan 31 18:31:02.842412: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS (dh18)
Jan 31 18:31:02.842416: DH19 IKEv1: IKE IKEv2: IKE ESP
AH FIPS (ecp_256)
Jan 31 18:31:02.842419: DH20 IKEv1: IKE IKEv2: IKE ESP
AH FIPS (ecp_384)
Jan 31 18:31:02.842423: DH21 IKEv1: IKE IKEv2: IKE ESP
AH FIPS (ecp_521)
Jan 31 18:31:02.842427: DH22 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH
Jan 31 18:31:02.842431: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS
Jan 31 18:31:02.842434: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH FIPS
Jan 31 18:31:02.844407: starting up 4 crypto helpers
Jan 31 18:31:02.844477: started thread for crypto helper 0
Jan 31 18:31:02.844500: started thread for crypto helper 1
Jan 31 18:31:02.844519: started thread for crypto helper 2
Jan 31 18:31:02.844537: started thread for crypto helper 3
Jan 31 18:31:02.844671: Using Linux XFRM/NETKEY IPsec interface code on
3.10.0-957.1.3.el7.x86_64
Jan 31 18:31:02.876826: | selinux support is enabled.
Jan 31 18:31:02.877271: systemd watchdog for ipsec service configured with
timeout of 200000000 usecs
Jan 31 18:31:02.877280: watchdog: sending probes every 100 secs
Jan 31 18:31:02.891177: listening for IKE messages
Jan 31 18:31:02.891406: adding interface eth1/eth1 <left-IP>:500
Jan 31 18:31:02.891462: adding interface eth1/eth1 <left-IP>:4500
Jan 31 18:31:02.891471: skipping interface eth0 with 10.99.8.131
Jan 31 18:31:02.891477: skipping interface lo with 127.0.0.1
Jan 31 18:31:02.891537: | setup callback for interface eth1:4500 fd 17
Jan 31 18:31:02.891546: | setup callback for interface eth1:500 fd 16
Jan 31 18:31:02.891580: loading secrets from "/etc/ipsec.secrets"
Jan 31 18:31:02.891652: loading secrets from "/etc/ipsec.d/ivoryserver.secrets"
Jan 31 18:31:02.892423: "/etc/ipsec.d/ivoryserver.secrets" line 1: WARNING: The
:RSA secrets entries for X.509 certificates are no longer needed
Jan 31 18:31:02.892466: loading secrets from "/etc/ipsec.d/lagu-conn.secrets"
Jan 31 18:31:02.892519: loaded private key for keyid: PKK_RSA:AwEAAai2q
Jan 31 18:31:06.032957: added connection description "cloud_core_tunnel"
Jan 31 18:31:13.233300: "cloud_core_tunnel" #1: initiating Main Mode
Jan 31 18:31:13.239412: "cloud_core_tunnel" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Jan 31 18:31:13.244679: "cloud_core_tunnel" #1: I am sending my cert
Jan 31 18:31:13.244704: "cloud_core_tunnel" #1: I am sending a certificate
request
Jan 31 18:31:13.250324: "cloud_core_tunnel" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Jan 31 18:31:13.254655: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:13.254681: | ISAKMP Notification Payload
Jan 31 18:31:13.254688: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:13.254694: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:13.744914: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 0.5 seconds for response
Jan 31 18:31:13.747787: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:13.747805: | ISAKMP Notification Payload
Jan 31 18:31:13.747811: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:13.747815: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:14.246371: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 1 seconds for response
Jan 31 18:31:14.249222: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:14.249243: | ISAKMP Notification Payload
Jan 31 18:31:14.249249: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:14.249253: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:15.248312: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 2 seconds for response
Jan 31 18:31:15.252637: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:15.252657: | ISAKMP Notification Payload
Jan 31 18:31:15.252662: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:15.252666: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:17.249826: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 4 seconds for response
Jan 31 18:31:17.252971: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:17.252991: | ISAKMP Notification Payload
Jan 31 18:31:17.252996: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:17.253001: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:21.254066: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 8 seconds for response
Jan 31 18:31:21.257004: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:21.257027: | ISAKMP Notification Payload
Jan 31 18:31:21.257032: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:21.257037: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:29.260002: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 16 seconds for response
Jan 31 18:31:29.263114: "cloud_core_tunnel" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:29.263137: | ISAKMP Notification Payload
Jan 31 18:31:29.263143: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:29.263151: "cloud_core_tunnel" #1: received and ignored
informational message
Jan 31 18:31:42.978288: "cloud_core_tunnel" #2: responding to Main Mode
Jan 31 18:31:42.978398: "cloud_core_tunnel" #2: STATE_MAIN_R1: sent MR1,
expecting MI2
Jan 31 18:31:42.983222: "cloud_core_tunnel" #2: STATE_MAIN_R2: sent MR2,
expecting MI3
Jan 31 18:31:42.992330: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:43.000467: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.000482: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:43.000487: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:43.000500: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:43.487204: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 0.5 seconds for response
Jan 31 18:31:43.487366: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:43.490862: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.490874: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:43.490879: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:43.490893: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:43.988658: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 1 seconds for response
Jan 31 18:31:43.989154: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:43.993705: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.993720: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:43.993726: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:43.993741: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:44.990237: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 2 seconds for response
Jan 31 18:31:44.990425: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:44.994998: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:44.995013: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:44.995019: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:44.995035: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:45.265441: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission;
will wait 32 seconds for response
Jan 31 18:31:46.992124: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 4 seconds for response
Jan 31 18:31:46.992551: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:46.996179: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:46.996195: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:46.996201: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:46.996214: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:50.996673: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 8 seconds for response
Jan 31 18:31:50.996866: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN:
'<DN-of-right-server-alias>'
Jan 31 18:31:51.001665: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:51.001680: "cloud_core_tunnel" #2: X509: Certificate rejected for
this connection
Jan 31 18:31:51.001687: "cloud_core_tunnel" #2: X509: CERT payload bogus or
revoked
Jan 31 18:31:51.001702: "cloud_core_tunnel" #2: sending encrypted notification
INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:59.009857: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission;
will wait 16 seconds for response
Jan 31 18:32:02.096743: "cloud_core_tunnel": terminating SAs using this
connection
Jan 31 18:32:02.096778: "cloud_core_tunnel" #2: deleting state (STATE_MAIN_R2)
and NOT sending notification
Jan 31 18:32:02.096866: "cloud_core_tunnel" #1: deleting state (STATE_MAIN_I3)
and NOT sending notification
Jan 31 18:32:12.578197: "cloud_core_tunnel": deleting non-instance connection
Thank you very much for the help.
Best regards.
Giuseppe
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
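Both logs tell the same story from opposite ends, and the DN-versus-SAN question in the post hinges on which identity type actually crossed the wire. The Python script below is an added example written for this page; it is not libreswan code and not something the poster ran. It walks pluto log lines, groups them by IKE state number, records the peer ID type and value the responder saw, the X509 complaints and the notifications exchanged, and proposes the ipsec.conf rightid= spelling that would match the ID the initiator really sent (a quoted DN for ID_DER_ASN1_DN, @host for ID_FQDN). The embedded log lines are constructed from the post with placeholder DNs and RFC 5737 addresses. Whether libreswan would then validate an ID_FQDN against the certificate's SAN is exactly the open question of the post and the script does not answer it; it only makes explicit that in these logs the initiator identified itself by its certificate DN, so that is what the responder's rightid= had to match.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Everything after the per-state prefix  "<conn>" #<n>:  is the message we classify.
STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"(?:Main mode )?[Pp]eer ID is (?P<idtype>ID_[A-Z0-9_]+): '(?P<id>[^']*)'")
NOTIFY_SENT_RE = re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to (?P<peer>\S+)")
NOTIFY_RECV_RE = re.compile(r"ignoring informational payload (?P<notify>[A-Z_]+)")
X509_RE = re.compile(r"X509: (?P<msg>.+)$")


@dataclass
class IkeState:
    """What one IKE state number (#681, #2, ...) tells us about the exchange."""
    conn: str
    state: int
    role: Optional[str] = None           # "initiator" or "responder"
    peer_id_type: Optional[str] = None   # ID_DER_ASN1_DN, ID_FQDN, ...
    peer_id: Optional[str] = None
    rejections: List[str] = field(default_factory=list)   # why the responder refused
    notifies_sent: List[str] = field(default_factory=list)
    notifies_received: List[str] = field(default_factory=list)


def _add(lst: List[str], item: str) -> None:
    if item not in lst:              # pluto repeats the same lines on every retransmit
        lst.append(item)


def triage(lines: Iterable[str]) -> Dict[int, IkeState]:
    """Group pluto log lines by IKE state and record identity and rejection facts."""
    states: Dict[int, IkeState] = {}
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue                 # vendor IDs, algorithm tables, interface setup
        num = int(m.group("state"))
        st = states.setdefault(num, IkeState(conn=m.group("conn"), state=num))
        msg = m.group("msg")
        if msg.startswith("initiating Main Mode"):
            st.role = "initiator"
        elif msg.startswith("responding to Main Mode"):
            st.role = "responder"
        pm = PEER_ID_RE.search(msg)
        if pm:
            st.peer_id_type, st.peer_id = pm.group("idtype"), pm.group("id")
        if msg.startswith("no suitable connection for peer"):
            _add(st.rejections, "no suitable connection")
        xm = X509_RE.search(msg)
        if xm:
            _add(st.rejections, xm.group("msg"))
        nm = NOTIFY_SENT_RE.search(msg)
        if nm:
            _add(st.notifies_sent, nm.group("notify"))
        rm = NOTIFY_RECV_RE.search(msg)
        if rm:
            _add(st.notifies_received, rm.group("notify"))
    return states


def suggest_id(id_type: str, value: str) -> str:
    """ipsec.conf rightid= spelling that matches the ID type the peer actually sent."""
    if id_type == "ID_DER_ASN1_DN":
        return 'rightid="%s"' % value       # full DN, quoted, exactly as pluto printed it
    if id_type == "ID_FQDN":
        return "rightid=@%s" % value        # leading @ marks an FQDN identity
    if id_type in ("ID_IPV4_ADDR", "ID_IPV6_ADDR", "ID_USER_FQDN"):
        return "rightid=%s" % value
    raise ValueError("no ipsec.conf spelling known for %s" % id_type)


def verdict(st: IkeState) -> str:
    """One-line diagnosis for a state, derived only from what pluto logged."""
    if "no suitable connection" in st.rejections and st.peer_id_type:
        return ("state #%d: no loaded conn has a rightid matching the %s '%s' the initiator "
                "sent; add %s to the responder's conn, or change the initiator's leftid= to "
                "the ID type the responder expects"
                % (st.state, st.peer_id_type, st.peer_id,
                   suggest_id(st.peer_id_type, st.peer_id)))
    if any(r.startswith("no EE-cert in chain") for r in st.rejections):
        return ("state #%d: the CERT payload from '%s' carried no end-entity certificate; "
                "check which certificate the peer's leftcert=/rightcert= nickname points at"
                % (st.state, st.peer_id))
    if st.role == "initiator" and st.notifies_received:
        return "state #%d: initiator, rejected by peer with %s" % (
            st.state, ", ".join(st.notifies_received))
    return "state #%d: no rejection recorded" % st.state


# Constructed sample lines modelled on the post (placeholder DNs, RFC 5737 addresses).
RIGHT_LOG = """\
Jan 31 18:31:13: "cloud_core_tunnel" #681: responding to Main Mode
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: 'C=DE, O=Example, CN=left-lb-alias.example.test'
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer 'C=DE, O=Example, CN=left-lb-alias.example.test'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:500
Jan 31 18:31:43: "cloud_core_tunnel" #682: initiating Main Mode
Jan 31 18:31:43: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
""".splitlines()

LEFT_LOG = """\
Jan 31 18:31:13.233300: "cloud_core_tunnel" #1: initiating Main Mode
Jan 31 18:31:13.254655: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:42.978288: "cloud_core_tunnel" #2: responding to Main Mode
Jan 31 18:31:42.992330: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: 'C=DE, O=Example, CN=right-alias.example.test'
Jan 31 18:31:43.000467: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.000482: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:43.000500: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.20:500
""".splitlines()

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # path to a saved pluto.log (assumed)
        with open(sys.argv[1]) as fh:
            logs = {sys.argv[1]: fh.read().splitlines()}
    else:
        logs = {"right (RHEL 6)": RIGHT_LOG, "left (RHEL 7)": LEFT_LOG}
    for name, lines in logs.items():
        print("==", name)
        states = triage(lines)
        for num in sorted(states):
            print(verdict(states[num]))
```

Run it with no arguments to see the two constructed logs diagnosed, or pass a saved pluto.log path (the filename is an assumption). The script deliberately keys everything on the ID type pluto printed: the responder does not consult the certificate until it has found a connection whose rightid= matches the ID payload, so a CN that is not in any conn fails before any SAN could matter.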