On Wed, Jan 2, 2013 at 11:31 AM, richard -rw- weinberger <[email protected]> wrote:
> On Wed, Jan 2, 2013 at 1:06 AM, Bharath Kumar <[email protected]> wrote:
>> What is the log message in say /var/log/messages ?
>>
>> Also, please post the output of
>>
>> ip xfrm policy
>>
>> ip xfrm state
>>
>> ipsec statusall
>
> There you go:
>
> # tail /var/log/secure
> Jan 2 11:16:16 server pluto[27347]: packet from clientIP:500: received Vendor ID payload [strongSwan]
> Jan 2 11:16:16 server pluto[27347]: packet from clientIP:500: ignoring Vendor ID payload [Cisco-Unity]
> Jan 2 11:16:16 server pluto[27347]: packet from clientIP:500: received Vendor ID payload [XAUTH]
> Jan 2 11:16:16 server pluto[27347]: packet from clientIP:500: received Vendor ID payload [Dead Peer Detection]
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: responding to Main Mode from unknown peer clientIP
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: Peer ID is ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: crl not found
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: certificate status unknown
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: we have a cert and are sending it upon request
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent MR3, ISAKMP SA established
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH request
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH reply
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: extended authentication was successful
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH status
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH ack
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: received XAUTH ack, established
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing ModeCfg request
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: peer requested virtual IP %any
> Jan 2 11:16:16 server pluto[27347]: assigning new lease to 'test'
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: assigning virtual IP 10.99.0.2 to peer
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending ModeCfg reply
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent ModeCfg reply, established
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: responding to Quick Mode
> Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: IPsec SA established {ESP=>0xc708c481 <0xcc3562f2}
>
> # ip xfrm state
> src serverIP dst clientIP
>     proto esp spi 0xc708c481 reqid 16388 mode tunnel
>     replay-window 32 flag 20
>     auth hmac(sha1) 0xe2b06cec53465fe81094ba6e012ccb8345f6cc7f
>     enc cbc(aes) 0x6314df56e431a174b81c90b0fc85ed4c
> src clientIP dst serverIP
>     proto esp spi 0xcc3562f2 reqid 16388 mode tunnel
>     replay-window 32 flag 20
>     auth hmac(sha1) 0x4f454e47213971dcdc764b802f49dccf251e67e8
>     enc cbc(aes) 0xaf084c8f7ea79af98fe344eed3098fe4
>
> # ip xfrm policy
> src 0.0.0.0/0 dst 10.99.0.2/32
>     dir out priority 1923 ptype main
>     tmpl src serverIP dst clientIP
>         proto esp reqid 16388 mode tunnel
> src 10.99.0.2/32 dst 0.0.0.0/0
>     dir fwd priority 1923 ptype main
>     tmpl src clientIP dst serverIP
>         proto esp reqid 16388 mode tunnel
> src 10.99.0.2/32 dst 0.0.0.0/0
>     dir in priority 1923 ptype main
>     tmpl src clientIP dst serverIP
>         proto esp reqid 16388 mode tunnel
> src ::/0 dst ::/0
>     dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>     dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>     dir 3 priority 0 ptype main
> [... further identical "dir 3" / "dir 4" priority 0 entries for ::/0 and 0.0.0.0/0 elided ...]
>
> ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.4):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.0.255.252:4500
> 000 interface eth0/eth0 10.0.255.252:500
> 000 interface eth1/eth1 serverIP:4500
> 000 interface eth1/eth1 serverIP:500
> 000 interface tun0/tun0 10.7.0.1:4500
> 000 interface tun0/tun0 10.7.0.1:500
> 000 interface tun1/tun1 10.4.0.1:4500
> 000 interface tun1/tun1 10.4.0.1:500
> 000 interface tun2/tun2 10.8.0.1:4500
> 000 interface tun2/tun2 10.8.0.1:500
> 000 interface tun3/tun3 10.3.0.1:4500
> 000 interface tun3/tun3 10.3.0.1:500
> 000 interface tun4/tun4 10.6.0.1:4500
> 000 interface tun4/tun4 10.6.0.1:500
> 000 interface tun5/tun5 10.5.0.1:4500
> 000 interface tun5/tun5 10.5.0.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000 Virtual IP pools (size/online/offline):
> 000 "ios": 1/1/0
> 000
> 000 "ios": 0.0.0.0/0===serverIP[C=CH, O=strongSwan, CN=my.serverfqdn.com]---95.130.255.1...%any[C=CH, O=strongSwan, CN=client]===%ios; unrouted; eroute owner: #0
> 000 "ios": CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH, O=strongSwan, CN=strongSwan CA"
> 000 "ios": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "ios": policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: eth1;
> 000 "ios": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "ios"[1]: 0.0.0.0/0===serverIP[C=CH, O=strongSwan, CN=my.serverfqdn.com]---95.130.255.1...clientIP[C=CH, O=strongSwan, CN=client]===10.99.0.2/32; erouted; eroute owner: #2
> 000 "ios"[1]: CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH, O=strongSwan, CN=strongSwan CA"
> 000 "ios"[1]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "ios"[1]: policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio: 0,24; interface: eth1;
> 000 "ios"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "ios"[1]: IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
> 000 "ios"[1]: ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
> 000
> 000 #2: "ios"[1] clientIP STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3217s; newest IPSEC; eroute owner
> 000 #2: "ios"[1] clientIP esp.c708c481@clientIP (0 bytes) esp.cc3562f2@serverIP (5333 bytes); tunnel
> 000 #1: "ios"[1] clientIP STATE_MODE_CFG_R1 (sent ModeCfg reply, established); EVENT_SA_REPLACE in 10417s; newest ISAKMP
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.4):
>   uptime: 2 minutes, since Jan 02 11:15:54 2013
>   malloc: sbrk 278528, mmap 0, used 161696, free 116832
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-raw stroke updown
> Virtual IP pools (size/online/offline):
>   ios: 1/0/0
> Listening IP addresses:
>   10.0.255.252
>   serverIP
>   10.7.0.1
>   10.4.0.1
>   10.8.0.1
>   10.3.0.1
>   10.6.0.1
>   10.5.0.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
> --
> Thanks,
> //richard
Anyone?

--
Thanks,
//richard
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
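The three outputs requested above (pluto log, `ip xfrm state`, `ip xfrm policy`, `ipsec statusall`) describe the same tunnel from three angles, and the useful check is whether they agree: the SPIs pluto logged in `{ESP=>0x... <0x...}` must exist in the kernel SAD with the right direction, every `dir in/out/fwd` policy template must have a matching SA (same endpoints and reqid), and the per-SA byte counters in `ipsec statusall` show whether traffic actually flows each way. The script below is an added example written for this page, not code from strongSwan or from the poster; it parses the formats exactly as they appear in the thread and runs over a sample constructed from the posted output. The ESP keys are redacted in the sample because `ip xfrm state` prints the live authentication and encryption keys of every SA, which should not be pasted to a public list. The reading of `=>` as the outbound SPI and `<` as the inbound one is confirmed by the posted SAD itself (0xc708c481 is the `src serverIP` entry).

```python
import re
from collections import namedtuple

# Sample inputs constructed from the output posted in this thread (keys redacted).
PLUTO_LOG = """\
Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: responding to Quick Mode
Jan 2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: IPsec SA established {ESP=>0xc708c481 <0xcc3562f2}
"""
XFRM_STATE = """\
src serverIP dst clientIP
    proto esp spi 0xc708c481 reqid 16388 mode tunnel
    auth hmac(sha1) 0x<redacted>
    enc cbc(aes) 0x<redacted>
src clientIP dst serverIP
    proto esp spi 0xcc3562f2 reqid 16388 mode tunnel
    auth hmac(sha1) 0x<redacted>
    enc cbc(aes) 0x<redacted>
"""
XFRM_POLICY = """\
src 0.0.0.0/0 dst 10.99.0.2/32
    dir out priority 1923 ptype main
    tmpl src serverIP dst clientIP
        proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
    dir fwd priority 1923 ptype main
    tmpl src clientIP dst serverIP
        proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
    dir in priority 1923 ptype main
    tmpl src clientIP dst serverIP
        proto esp reqid 16388 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0 ptype main
"""
STATUSALL = """\
000 #2: "ios"[1] clientIP esp.c708c481@clientIP (0 bytes) esp.cc3562f2@serverIP (5333 bytes); tunnel
"""

SA = namedtuple("SA", "src dst spi reqid")
Policy = namedtuple("Policy", "src dst dir tmpl_src tmpl_dst reqid")

def parse_state(text):
    """Kernel SAD: 'src X dst Y' header followed by an indented 'proto esp spi ... reqid ...' line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:
            cur = m.groups()
            continue
        m = re.match(r"\s+proto esp spi (0x[0-9a-f]+) reqid (\d+)", line)
        if m and cur:
            sas.append(SA(cur[0], cur[1], int(m.group(1), 16), int(m.group(2))))
    return sas

def parse_policy(text):
    """Kernel SPD: keep in/out/fwd policies that carry a template; numeric 'dir 3/4' socket policies are skipped."""
    pols, sel, direction, tmpl = [], None, None, None
    def flush():
        if sel and direction in ("in", "out", "fwd") and tmpl and tmpl[2] is not None:
            pols.append(Policy(sel[0], sel[1], direction, tmpl[0], tmpl[1], tmpl[2]))
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:
            flush()
            sel, direction, tmpl = m.groups(), None, None
            continue
        m = re.match(r"\s+dir (\S+) priority", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"\s+tmpl src (\S+) dst (\S+)", line)
        if m:
            tmpl = [m.group(1), m.group(2), None]
            continue
        m = re.match(r"\s+proto esp reqid (\d+)", line)
        if m and tmpl:
            tmpl[2] = int(m.group(1))
    flush()
    return pols

def log_spis(text):
    """pluto logs '{ESP=>0x<outbound> <0x<inbound>}' when the Quick Mode SA comes up."""
    m = re.search(r"IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)\}", text)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def sa_bytes(text):
    """'esp.<spi>@<host> (<n> bytes)' counters from 'ipsec statusall', keyed by SPI."""
    return {int(spi, 16): int(n)
            for spi, _host, n in re.findall(r"esp\.([0-9a-f]+)@(\S+) \((\d+) bytes\)", text)}

def check_tunnel(log, state, policy, status, local):
    """Cross-check daemon log, SAD, SPD and counters; returns a list of findings (empty = consistent, traffic both ways)."""
    findings, sas = [], parse_state(state)
    by_spi = {sa.spi: sa for sa in sas}
    spis = log_spis(log)
    if spis is None:
        findings.append("no 'IPsec SA established' line in the pluto log")
    else:
        out_spi, in_spi = spis
        if out_spi not in by_spi or by_spi[out_spi].src != local:
            findings.append(f"outbound SPI 0x{out_spi:x} from log not in SAD with src {local}")
        if in_spi not in by_spi or by_spi[in_spi].dst != local:
            findings.append(f"inbound SPI 0x{in_spi:x} from log not in SAD with dst {local}")
    for p in parse_policy(policy):
        if not any(sa.src == p.tmpl_src and sa.dst == p.tmpl_dst and sa.reqid == p.reqid for sa in sas):
            findings.append(f"{p.dir} policy {p.src}->{p.dst} has no SA for tmpl {p.tmpl_src}->{p.tmpl_dst} reqid {p.reqid}")
    counters = sa_bytes(status)
    for sa in sas:
        if counters.get(sa.spi) == 0:
            findings.append(f"SA 0x{sa.spi:x} ({sa.src}->{sa.dst}) has carried 0 bytes")
    return findings

if __name__ == "__main__":
    for f in check_tunnel(PLUTO_LOG, XFRM_STATE, XFRM_POLICY, STATUSALL, "serverIP"):
        print("finding:", f)
```

On the posted data the log, SAD and SPD all agree, and the only finding is that the outbound SA (serverIP to clientIP, SPI 0xc708c481) has carried 0 bytes while the inbound SA has carried 5333: the client's packets are arriving and being decrypted, but nothing is being sent back through the tunnel. That narrows the problem to what happens to the decrypted traffic on the server side (routing, forwarding or NAT of 10.99.0.2) rather than to IKE, XAUTH or the SA setup, which is where a real run of this check would point the next question. To use it live, feed the script the actual outputs of `ip xfrm state`, `ip xfrm policy`, `ipsec statusall` and the pluto log lines instead of the embedded samples.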
