Hi

I tried to establish an IPsec RSA xauth connection between Shrew and strongSwan.

I did 3 tests with the same configuration on both sides:

1. client (Shrew) and gateway (strongSwan) on the same IP subnet
   - connection established

2. client (Shrew) and gateway (strongSwan) on different IP subnets
   - connection failed with
     "send IKE packet B.B.B.B:500 -> S.S.S.S:500" and nothing more

3. client (Shrew) behind NAT
   - connection failed with:
     "!! : validate packet failed ( reserved value is non-null )"
     "!! : config packet ignored ( packet decryption error )"


Can somebody help me explain why I obtained three different results
with exactly the same configuration on both sides?



 strongswan --version
Linux strongSwan U5.0.4/K2.6.32-358.6.2.el6.x86_64


 IKE Daemon, ver 2.2.1
 Copyright 2013 Shrew Soft Inc.
 This product linked OpenSSL 1.0.1e-fips 11 Feb 2013


Configurations and iked logs are attached.

                  Thanks

                       Miro
13/09/26 15:07:52 ## : IKE Daemon, ver 2.2.1
13/09/26 15:07:52 ## : Copyright 2013 Shrew Soft Inc.
13/09/26 15:07:52 ## : This product linked OpenSSL 1.0.1e-fips 11 Feb 2013
13/09/26 15:07:52 ii : opened '/var/log/iked.log'
13/09/26 15:07:52 ii : ipc server process thread begin ...
13/09/26 15:07:52 ii : pfkey process thread begin ...
13/09/26 15:07:52 ii : network process thread begin ...
13/09/26 15:07:52 K< : recv pfkey REGISTER AH message
13/09/26 15:07:52 K< : recv pfkey REGISTER ESP message
13/09/26 15:07:52 K< : recv pfkey REGISTER IPCOMP message
13/09/26 15:07:52 K! : recv X_SPDDUMP message failure ( errno = 2 )
13/09/26 15:07:55 ii : ipc client process thread begin ...
13/09/26 15:07:55 <A : peer config add message
13/09/26 15:07:55 <A : proposal config message
13/09/26 15:07:55 <A : proposal config message
13/09/26 15:07:55 <A : client config message
13/09/26 15:07:55 <A : xauth username message
13/09/26 15:07:55 <A : xauth password message
13/09/26 15:07:55 <A : remote certificate data message
13/09/26 15:07:55 ii : remote certificate read complete ( 889 bytes )
13/09/26 15:07:55 <A : local certificate data message
13/09/26 15:07:55 ii : local certificate read complete ( 1493 bytes )
13/09/26 15:07:55 <A : local key data message
13/09/26 15:07:55 ii : local key read complete ( 1193 bytes )
13/09/26 15:07:55 <A : peer tunnel enable message
13/09/26 15:07:55 DB : peer added ( obj count = 1 )
13/09/26 15:07:55 ii : local address S.S.S.S selected for peer
13/09/26 15:07:55 DB : tunnel added ( obj count = 1 )
13/09/26 15:07:55 ii : obtained x509 cert subject ( 159 bytes )
13/09/26 15:07:55 DB : new phase1 ( ISAKMP initiator )
13/09/26 15:07:55 DB : exchange type is identity protect
13/09/26 15:07:55 DB : C.C.C.C:500 <-> S.S.S.S:500
13/09/26 15:07:55 DB : 3700000049000000:0000000000000000
13/09/26 15:07:55 DB : phase1 added ( obj count = 1 )
13/09/26 15:07:55 >> : security association payload
13/09/26 15:07:55 >> : - proposal #1 payload 
13/09/26 15:07:55 >> : -- transform #1 payload 
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports XAUTH
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports nat-t ( draft v00 )
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports nat-t ( draft v01 )
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports nat-t ( draft v02 )
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports nat-t ( draft v03 )
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports nat-t ( rfc )
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports FRAGMENTATION
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local supports DPDv1
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local is SHREW SOFT compatible
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local is NETSCREEN compatible
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local is SIDEWINDER compatible
13/09/26 15:07:55 >> : vendor id payload
13/09/26 15:07:55 ii : local is CISCO UNITY compatible
13/09/26 15:07:55 >= : cookies 3700000049000000:0000000000000000
13/09/26 15:07:55 >= : message 00000000
13/09/26 15:07:55 -> : send IKE packet C.C.C.C:500 -> S.S.S.S:500 ( 372 bytes )
13/09/26 15:07:55 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 15:07:56 <- : recv IKE packet S.S.S.S:500 -> C.C.C.C:500 ( 136 bytes )
13/09/26 15:07:56 DB : phase1 found
13/09/26 15:07:56 ii : processing phase1 packet ( 136 bytes )
13/09/26 15:07:56 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 =< : message 00000000
13/09/26 15:07:56 << : security association payload
13/09/26 15:07:56 << : - propsal #1 payload 
13/09/26 15:07:56 << : -- transform #1 payload 
13/09/26 15:07:56 ii : matched isakmp proposal #1 transform #1
13/09/26 15:07:56 ii : - transform    = ike
13/09/26 15:07:56 ii : - cipher type  = 3des
13/09/26 15:07:56 ii : - key length   = default
13/09/26 15:07:56 ii : - hash type    = sha1
13/09/26 15:07:56 ii : - dh group     = group2 ( modp-1024 )
13/09/26 15:07:56 ii : - auth type    = xauth-initiator-rsa
13/09/26 15:07:56 ii : - life seconds = 86400
13/09/26 15:07:56 ii : - life kbytes  = 0
13/09/26 15:07:56 << : vendor id payload
13/09/26 15:07:56 ii : peer supports XAUTH
13/09/26 15:07:56 << : vendor id payload
13/09/26 15:07:56 ii : peer supports DPDv1
13/09/26 15:07:56 << : vendor id payload
13/09/26 15:07:56 ii : peer supports nat-t ( rfc )
13/09/26 15:07:56 >> : key exchange payload
13/09/26 15:07:56 >> : nonce payload
13/09/26 15:07:56 >> : cert request payload
13/09/26 15:07:56 >> : nat discovery payload
13/09/26 15:07:56 >> : nat discovery payload
13/09/26 15:07:56 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 >= : message 00000000
13/09/26 15:07:56 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 15:07:56 -> : send IKE packet C.C.C.C:500 -> S.S.S.S:500 ( 265 bytes )
13/09/26 15:07:56 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 15:07:56 <- : recv IKE packet S.S.S.S:500 -> C.C.C.C:500 ( 328 bytes )
13/09/26 15:07:56 DB : phase1 found
13/09/26 15:07:56 ii : processing phase1 packet ( 328 bytes )
13/09/26 15:07:56 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 =< : message 00000000
13/09/26 15:07:56 << : key exchange payload
13/09/26 15:07:56 << : nonce payload
13/09/26 15:07:56 << : cert request payload
13/09/26 15:07:56 << : nat discovery payload
13/09/26 15:07:56 << : nat discovery payload
13/09/26 15:07:56 ii : nat discovery - local address is translated
13/09/26 15:07:56 ii : switching to src nat-t udp port 4500
13/09/26 15:07:56 ii : switching to dst nat-t udp port 4500
13/09/26 15:07:56 == : DH shared secret ( 128 bytes )
13/09/26 15:07:56 == : SETKEYID ( 20 bytes )
13/09/26 15:07:56 == : SETKEYID_d ( 20 bytes )
13/09/26 15:07:56 == : SETKEYID_a ( 20 bytes )
13/09/26 15:07:56 == : SETKEYID_e ( 20 bytes )
13/09/26 15:07:56 == : cipher key ( 40 bytes )
13/09/26 15:07:56 == : cipher iv ( 8 bytes )
13/09/26 15:07:56 >> : identification payload
13/09/26 15:07:56 >> : certificate payload
13/09/26 15:07:56 == : phase1 hash_i ( computed ) ( 20 bytes )
13/09/26 15:07:56 >> : signature payload
13/09/26 15:07:56 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 >= : message 00000000
13/09/26 15:07:56 >= : encrypt iv ( 8 bytes )
13/09/26 15:07:56 == : encrypt packet ( 1953 bytes )
13/09/26 15:07:56 == : stored iv ( 8 bytes )
13/09/26 15:07:56 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 15:07:56 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 1988 bytes )
13/09/26 15:07:56 <- : recv NAT-T:IKE packet S.S.S.S:4500 -> C.C.C.C:4500 ( 76 bytes )
13/09/26 15:07:56 DB : phase1 found
13/09/26 15:07:56 ii : processing config packet ( 76 bytes )
13/09/26 15:07:56 DB : config not found
13/09/26 15:07:56 DB : config added ( obj count = 1 )
13/09/26 15:07:56 == : new config iv ( 8 bytes )
13/09/26 15:07:56 !! : config packet ignored ( phase1 not mature )
13/09/26 15:07:56 <- : recv NAT-T:IKE packet S.S.S.S:4500 -> C.C.C.C:4500 ( 1908 bytes )
13/09/26 15:07:56 DB : phase1 found
13/09/26 15:07:56 ii : processing phase1 packet ( 1908 bytes )
13/09/26 15:07:56 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 =< : message 00000000
13/09/26 15:07:56 =< : decrypt iv ( 8 bytes )
13/09/26 15:07:56 == : decrypt packet ( 1908 bytes )
13/09/26 15:07:56 <= : trimmed packet padding ( 3 bytes )
13/09/26 15:07:56 <= : stored iv ( 8 bytes )
13/09/26 15:07:56 << : identification payload
13/09/26 15:07:56 ii : phase1 id match ( cert check only )
13/09/26 15:07:56 ii : received = asn1-dn C=SK,ST=XXX,L=XXXXXXX,O=XXXXXXX,OU=XXXXXXXX,CN=XXXXXXXX
13/09/26 15:07:56 << : certificate payload
13/09/26 15:07:56 << : signature payload
13/09/26 15:07:56 ii : unable to get certificate CRL(3) at depth:0
13/09/26 15:07:56 ii : subject /C=SK/ST=XXX/L=XXXXXXX/O=XXXXXXXX/OU=XXXXXXXXX/CN=XXXXXXXXX
13/09/26 15:07:56 ii : unable to get certificate CRL(3) at depth:1
13/09/26 15:07:56 ii : subject /DC=sk/DC=XXXXXX/CN=XXXXXXXXXX
13/09/26 15:07:56 == : phase1 hash_r ( computed ) ( 20 bytes )
13/09/26 15:07:56 == : phase1 hash_r ( received ) ( 20 bytes )
13/09/26 15:07:56 ii : phase1 sa established
13/09/26 15:07:56 ii : S.S.S.S:4500 <-> C.C.C.C:4500
13/09/26 15:07:56 ii : 3700000049000000:a800000085000000
13/09/26 15:07:56 ii : sending peer INITIAL-CONTACT notification
13/09/26 15:07:56 ii : - C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:07:56 ii : - isakmp spi = 3700000049000000:a800000085000000
13/09/26 15:07:56 ii : - data size 0
13/09/26 15:07:56 >> : hash payload
13/09/26 15:07:56 >> : notification payload
13/09/26 15:07:56 == : new informational hash ( 20 bytes )
13/09/26 15:07:56 == : new informational iv ( 8 bytes )
13/09/26 15:07:56 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:07:56 >= : message 0a1f3f7c
13/09/26 15:07:56 >= : encrypt iv ( 8 bytes )
13/09/26 15:07:56 == : encrypt packet ( 80 bytes )
13/09/26 15:07:56 == : stored iv ( 8 bytes )
13/09/26 15:07:56 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 116 bytes )
13/09/26 15:07:56 DB : phase2 not found
13/09/26 15:08:00 <- : recv NAT-T:IKE packet S.S.S.S:4500 -> C.C.C.C:4500 ( 76 bytes )
13/09/26 15:08:00 DB : phase1 found
13/09/26 15:08:00 ii : processing config packet ( 76 bytes )
13/09/26 15:08:00 DB : config found
13/09/26 15:08:00 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:08:00 =< : message 57cc32fc
13/09/26 15:08:00 =< : decrypt iv ( 8 bytes )
13/09/26 15:08:00 == : decrypt packet ( 76 bytes )
13/09/26 15:08:00 !! : validate packet failed ( reserved value is non-null )
13/09/26 15:08:00 !! : config packet ignored ( packet decryption error )
13/09/26 15:08:07 <- : recv NAT-T:IKE packet S.S.S.S:4500 -> C.C.C.C:4500 ( 76 bytes )
13/09/26 15:08:07 DB : phase1 found
13/09/26 15:08:07 ii : processing config packet ( 76 bytes )
13/09/26 15:08:07 DB : config found
13/09/26 15:08:07 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:08:07 =< : message 57cc32fc
13/09/26 15:08:07 =< : decrypt iv ( 8 bytes )
13/09/26 15:08:07 == : decrypt packet ( 76 bytes )
13/09/26 15:08:07 !! : validate packet failed ( reserved value is non-null )
13/09/26 15:08:07 !! : config packet ignored ( packet decryption error )
13/09/26 15:08:11 DB : phase1 found
13/09/26 15:08:11 ii : sending peer DPDV1-R-U-THERE notification
13/09/26 15:08:11 ii : - C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:11 ii : - isakmp spi = 3700000049000000:a800000085000000
13/09/26 15:08:11 ii : - data size 4
13/09/26 15:08:11 >> : hash payload
13/09/26 15:08:11 >> : notification payload
13/09/26 15:08:11 == : new informational hash ( 20 bytes )
13/09/26 15:08:11 == : new informational iv ( 8 bytes )
13/09/26 15:08:11 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:08:11 >= : message af726eb5
13/09/26 15:08:11 >= : encrypt iv ( 8 bytes )
13/09/26 15:08:11 == : encrypt packet ( 84 bytes )
13/09/26 15:08:11 == : stored iv ( 8 bytes )
13/09/26 15:08:11 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 116 bytes )
13/09/26 15:08:11 ii : DPD ARE-YOU-THERE sequence 34747ac8 requested
13/09/26 15:08:11 DB : phase1 found
13/09/26 15:08:11 -> : send NAT-T:KEEP-ALIVE packet C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:20 <- : recv NAT-T:IKE packet S.S.S.S:4500 -> C.C.C.C:4500 ( 76 bytes )
13/09/26 15:08:20 DB : phase1 found
13/09/26 15:08:20 ii : processing config packet ( 76 bytes )
13/09/26 15:08:20 DB : config found
13/09/26 15:08:20 =< : cookies 3700000049000000:a800000085000000
13/09/26 15:08:20 =< : message 57cc32fc
13/09/26 15:08:20 =< : decrypt iv ( 8 bytes )
13/09/26 15:08:20 == : decrypt packet ( 76 bytes )
13/09/26 15:08:20 !! : validate packet failed ( reserved value is non-null )
13/09/26 15:08:20 !! : config packet ignored ( packet decryption error )
13/09/26 15:08:26 DB : phase1 found
13/09/26 15:08:26 -> : send NAT-T:KEEP-ALIVE packet C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:26 DB : phase1 found
13/09/26 15:08:26 ii : next tunnel DPD retry in 4 secs for peer S.S.S.S:4500
13/09/26 15:08:26 ii : sending peer DPDV1-R-U-THERE notification
13/09/26 15:08:26 ii : - C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:26 ii : - isakmp spi = 3700000049000000:a800000085000000
13/09/26 15:08:26 ii : - data size 4
13/09/26 15:08:26 >> : hash payload
13/09/26 15:08:26 >> : notification payload
13/09/26 15:08:26 == : new informational hash ( 20 bytes )
13/09/26 15:08:26 == : new informational iv ( 8 bytes )
13/09/26 15:08:26 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:08:26 >= : message 931eb370
13/09/26 15:08:26 >= : encrypt iv ( 8 bytes )
13/09/26 15:08:26 == : encrypt packet ( 84 bytes )
13/09/26 15:08:26 == : stored iv ( 8 bytes )
13/09/26 15:08:26 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 116 bytes )
13/09/26 15:08:26 ii : DPD ARE-YOU-THERE sequence 34747ac9 requested
13/09/26 15:08:30 DB : phase1 found
13/09/26 15:08:30 ii : next tunnel DPD retry in 3 secs for peer S.S.S.S:4500
13/09/26 15:08:30 ii : sending peer DPDV1-R-U-THERE notification
13/09/26 15:08:30 ii : - C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:30 ii : - isakmp spi = 3700000049000000:a800000085000000
13/09/26 15:08:30 ii : - data size 4
13/09/26 15:08:30 >> : hash payload
13/09/26 15:08:30 >> : notification payload
13/09/26 15:08:30 == : new informational hash ( 20 bytes )
13/09/26 15:08:30 == : new informational iv ( 8 bytes )
13/09/26 15:08:30 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:08:30 >= : message 81832fa5
13/09/26 15:08:30 >= : encrypt iv ( 8 bytes )
13/09/26 15:08:30 == : encrypt packet ( 84 bytes )
13/09/26 15:08:30 == : stored iv ( 8 bytes )
13/09/26 15:08:30 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 116 bytes )
13/09/26 15:08:30 ii : DPD ARE-YOU-THERE sequence 34747aca requested
13/09/26 15:08:33 ii : hard halt signal received, shutting down
13/09/26 15:08:33 DB : removing all peer tunnel references
13/09/26 15:08:33 DB : tunnel dpd event canceled ( ref count = 5 )
13/09/26 15:08:33 DB : tunnel natt event canceled ( ref count = 4 )
13/09/26 15:08:33 DB : removing tunnel config references
13/09/26 15:08:33 DB : config deleted ( obj count = 0 )
13/09/26 15:08:33 DB : removing tunnel phase2 references
13/09/26 15:08:33 DB : removing tunnel phase1 references
13/09/26 15:08:33 DB : phase1 soft event canceled ( ref count = 3 )
13/09/26 15:08:33 DB : phase1 hard event canceled ( ref count = 2 )
13/09/26 15:08:33 DB : phase1 dead event canceled ( ref count = 1 )
13/09/26 15:08:33 ii : sending peer DELETE message
13/09/26 15:08:33 ii : - C.C.C.C:4500 -> S.S.S.S:4500
13/09/26 15:08:33 ii : - isakmp spi = 3700000049000000:a800000085000000
13/09/26 15:08:33 ii : - data size 0
13/09/26 15:08:33 >> : hash payload
13/09/26 15:08:33 >> : delete payload
13/09/26 15:08:33 == : new informational hash ( 20 bytes )
13/09/26 15:08:33 == : new informational iv ( 8 bytes )
13/09/26 15:08:33 >= : cookies 3700000049000000:a800000085000000
13/09/26 15:08:33 >= : message 69c2d1db
13/09/26 15:08:33 >= : encrypt iv ( 8 bytes )
13/09/26 15:08:33 == : encrypt packet ( 80 bytes )
13/09/26 15:08:33 == : stored iv ( 8 bytes )
13/09/26 15:08:33 -> : send NAT-T:IKE packet C.C.C.C:4500 -> S.S.S.S:4500 ( 116 bytes )
13/09/26 15:08:33 ii : phase1 removal before expire time
13/09/26 15:08:33 DB : phase1 deleted ( obj count = 0 )
13/09/26 15:08:33 DB : policy not found
13/09/26 15:08:33 DB : policy not found
13/09/26 15:08:33 DB : tunnel deleted ( obj count = 0 )
13/09/26 15:08:33 DB : peer deleted ( obj count = 0 )
13/09/26 15:08:33 ii : ipc client process thread exit ...
13/09/26 15:08:33 ii : ipc server process thread exit ...
13/09/26 15:08:33 ii : pfkey process thread exit ...
13/09/26 15:08:33 ii : network process thread exit ...

13/09/26 13:43:18 ## : IKE Daemon, ver 2.2.1
13/09/26 13:43:18 ## : Copyright 2013 Shrew Soft Inc.
13/09/26 13:43:18 ## : This product linked OpenSSL 1.0.1e-fips 11 Feb 2013
13/09/26 13:43:18 ii : opened '/var/log/iked.log'
13/09/26 13:43:18 ii : ipc server process thread begin ...
13/09/26 13:43:18 ii : pfkey process thread begin ...
13/09/26 13:43:18 ii : network process thread begin ...
13/09/26 13:43:18 K< : recv pfkey REGISTER AH message
13/09/26 13:43:18 K< : recv pfkey REGISTER ESP message
13/09/26 13:43:18 K< : recv pfkey REGISTER IPCOMP message
13/09/26 13:43:18 K! : recv X_SPDDUMP message failure ( errno = 2 )
13/09/26 13:43:31 ii : ipc client process thread begin ...
13/09/26 13:43:31 <A : peer config add message
13/09/26 13:43:31 <A : proposal config message
13/09/26 13:43:31 <A : proposal config message
13/09/26 13:43:31 <A : client config message
13/09/26 13:43:31 <A : xauth username message
13/09/26 13:43:31 <A : xauth password message
13/09/26 13:43:31 <A : remote certificate data message
13/09/26 13:43:31 ii : remote certificate read complete ( 889 bytes )
13/09/26 13:43:31 <A : local certificate data message
13/09/26 13:43:31 ii : local certificate read complete ( 1493 bytes )
13/09/26 13:43:31 <A : local key data message
13/09/26 13:43:31 ii : local key read complete ( 1193 bytes )
13/09/26 13:43:31 <A : peer tunnel enable message
13/09/26 13:43:31 DB : peer added ( obj count = 1 )
13/09/26 13:43:31 ii : local address A.A.A.A selected for peer
13/09/26 13:43:31 DB : tunnel added ( obj count = 1 )
13/09/26 13:43:31 ii : obtained x509 cert subject ( 159 bytes )
13/09/26 13:43:31 DB : new phase1 ( ISAKMP initiator )
13/09/26 13:43:31 DB : exchange type is identity protect
13/09/26 13:43:31 DB : A.A.A.A:500 <-> S.S.S.S:500
13/09/26 13:43:31 DB : de000000c8000000:0000000000000000
13/09/26 13:43:31 DB : phase1 added ( obj count = 1 )
13/09/26 13:43:31 >> : security association payload
13/09/26 13:43:31 >> : - proposal #1 payload 
13/09/26 13:43:31 >> : -- transform #1 payload 
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports XAUTH
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports nat-t ( draft v00 )
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports nat-t ( draft v01 )
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports nat-t ( draft v02 )
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports nat-t ( draft v03 )
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports nat-t ( rfc )
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports FRAGMENTATION
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local supports DPDv1
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local is SHREW SOFT compatible
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local is NETSCREEN compatible
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local is SIDEWINDER compatible
13/09/26 13:43:31 >> : vendor id payload
13/09/26 13:43:31 ii : local is CISCO UNITY compatible
13/09/26 13:43:31 >= : cookies de000000c8000000:0000000000000000
13/09/26 13:43:31 >= : message 00000000
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 372 bytes )
13/09/26 13:43:31 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 136 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing phase1 packet ( 136 bytes )
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message 00000000
13/09/26 13:43:31 << : security association payload
13/09/26 13:43:31 << : - propsal #1 payload 
13/09/26 13:43:31 << : -- transform #1 payload 
13/09/26 13:43:31 ii : matched isakmp proposal #1 transform #1
13/09/26 13:43:31 ii : - transform    = ike
13/09/26 13:43:31 ii : - cipher type  = 3des
13/09/26 13:43:31 ii : - key length   = default
13/09/26 13:43:31 ii : - hash type    = sha1
13/09/26 13:43:31 ii : - dh group     = group2 ( modp-1024 )
13/09/26 13:43:31 ii : - auth type    = xauth-initiator-rsa
13/09/26 13:43:31 ii : - life seconds = 86400
13/09/26 13:43:31 ii : - life kbytes  = 0
13/09/26 13:43:31 << : vendor id payload
13/09/26 13:43:31 ii : peer supports XAUTH
13/09/26 13:43:31 << : vendor id payload
13/09/26 13:43:31 ii : peer supports DPDv1
13/09/26 13:43:31 << : vendor id payload
13/09/26 13:43:31 ii : peer supports nat-t ( rfc )
13/09/26 13:43:31 >> : key exchange payload
13/09/26 13:43:31 >> : nonce payload
13/09/26 13:43:31 >> : cert request payload
13/09/26 13:43:31 >> : nat discovery payload
13/09/26 13:43:31 >> : nat discovery payload
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message 00000000
13/09/26 13:43:31 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 265 bytes )
13/09/26 13:43:31 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 328 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing phase1 packet ( 328 bytes )
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message 00000000
13/09/26 13:43:31 << : key exchange payload
13/09/26 13:43:31 << : nonce payload
13/09/26 13:43:31 << : cert request payload
13/09/26 13:43:31 << : nat discovery payload
13/09/26 13:43:31 << : nat discovery payload
13/09/26 13:43:31 ii : disabled nat-t ( no nat detected )
13/09/26 13:43:31 == : DH shared secret ( 128 bytes )
13/09/26 13:43:31 == : SETKEYID ( 20 bytes )
13/09/26 13:43:31 == : SETKEYID_d ( 20 bytes )
13/09/26 13:43:31 == : SETKEYID_a ( 20 bytes )
13/09/26 13:43:31 == : SETKEYID_e ( 20 bytes )
13/09/26 13:43:31 == : cipher key ( 40 bytes )
13/09/26 13:43:31 == : cipher iv ( 8 bytes )
13/09/26 13:43:31 >> : identification payload
13/09/26 13:43:31 >> : certificate payload
13/09/26 13:43:31 == : phase1 hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:31 >> : signature payload
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message 00000000
13/09/26 13:43:31 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:31 == : encrypt packet ( 1953 bytes )
13/09/26 13:43:31 == : stored iv ( 8 bytes )
13/09/26 13:43:31 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 1984 bytes )
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 1908 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing phase1 packet ( 1908 bytes )
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message 00000000
13/09/26 13:43:31 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:31 == : decrypt packet ( 1908 bytes )
13/09/26 13:43:31 <= : trimmed packet padding ( 3 bytes )
13/09/26 13:43:31 <= : stored iv ( 8 bytes )
13/09/26 13:43:31 << : identification payload
13/09/26 13:43:31 ii : phase1 id match ( cert check only )
13/09/26 13:43:31 ii : received = asn1-dn C=SK,ST=XXX,L=XXXXXXX,O=XXXXXXX,OU=XXXXXXXX,CN=XXXXXXXX
13/09/26 13:43:31 << : certificate payload
13/09/26 13:43:31 << : signature payload
13/09/26 13:43:31 ii : unable to get certificate CRL(3) at depth:0
13/09/26 13:43:31 ii : subject :/C=SK/ST=XXX/L=XXXXXXX/O=XXXXXXXX/OU=XXXXXXXXX/CN=XXXXXXXXX
13/09/26 13:43:31 ii : unable to get certificate CRL(3) at depth:1
13/09/26 13:43:31 ii : subject :/DC=sk/DC=XXXXXX/CN=XXXXXXXXXX
13/09/26 13:43:31 == : phase1 hash_r ( computed ) ( 20 bytes )
13/09/26 13:43:31 == : phase1 hash_r ( received ) ( 20 bytes )
13/09/26 13:43:31 ii : phase1 sa established
13/09/26 13:43:31 ii : S.S.S.S:500 <-> A.A.A.A:500
13/09/26 13:43:31 ii : de000000c8000000:4400000089000000
13/09/26 13:43:31 ii : sending peer INITIAL-CONTACT notification
13/09/26 13:43:31 ii : - A.A.A.A:500 -> S.S.S.S:500
13/09/26 13:43:31 ii : - isakmp spi = de000000c8000000:4400000089000000
13/09/26 13:43:31 ii : - data size 0
13/09/26 13:43:31 >> : hash payload
13/09/26 13:43:31 >> : notification payload
13/09/26 13:43:31 == : new informational hash ( 20 bytes )
13/09/26 13:43:31 == : new informational iv ( 8 bytes )
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message c2822f31
13/09/26 13:43:31 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:31 == : encrypt packet ( 80 bytes )
13/09/26 13:43:31 == : stored iv ( 8 bytes )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 112 bytes )
13/09/26 13:43:31 DB : phase2 not found
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 76 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing config packet ( 76 bytes )
13/09/26 13:43:31 DB : config not found
13/09/26 13:43:31 DB : config added ( obj count = 1 )
13/09/26 13:43:31 == : new config iv ( 8 bytes )
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message 2628112e
13/09/26 13:43:31 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:31 == : decrypt packet ( 76 bytes )
13/09/26 13:43:31 <= : trimmed packet padding ( 8 bytes )
13/09/26 13:43:31 <= : stored iv ( 8 bytes )
13/09/26 13:43:31 << : hash payload
13/09/26 13:43:31 << : attribute payload
13/09/26 13:43:31 == : configure hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:31 == : configure hash_c ( computed ) ( 20 bytes )
13/09/26 13:43:31 ii : configure hash verified
13/09/26 13:43:31 ii : - xauth username
13/09/26 13:43:31 ii : - xauth password
13/09/26 13:43:31 ii : received basic xauth request - 
13/09/26 13:43:31 ii : - standard xauth username
13/09/26 13:43:31 ii : - standard xauth password
13/09/26 13:43:31 ii : sending xauth response for [email protected]
13/09/26 13:43:31 >> : hash payload
13/09/26 13:43:31 >> : attribute payload
13/09/26 13:43:31 == : new configure hash ( 20 bytes )
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message 2628112e
13/09/26 13:43:31 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:31 == : encrypt packet ( 104 bytes )
13/09/26 13:43:31 == : stored iv ( 8 bytes )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 136 bytes )
13/09/26 13:43:31 DB : config resend event scheduled ( ref count = 2 )
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 68 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing config packet ( 68 bytes )
13/09/26 13:43:31 DB : config found
13/09/26 13:43:31 == : new config iv ( 8 bytes )
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message 178fe1e6
13/09/26 13:43:31 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:31 == : decrypt packet ( 68 bytes )
13/09/26 13:43:31 <= : trimmed packet padding ( 4 bytes )
13/09/26 13:43:31 <= : stored iv ( 8 bytes )
13/09/26 13:43:31 << : hash payload
13/09/26 13:43:31 << : attribute payload
13/09/26 13:43:31 == : configure hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:31 == : configure hash_c ( computed ) ( 20 bytes )
13/09/26 13:43:31 ii : configure hash verified
13/09/26 13:43:31 ii : received xauth result - 
13/09/26 13:43:31 ii : user [email protected] authentication succeeded
13/09/26 13:43:31 ii : sending xauth acknowledge
13/09/26 13:43:31 >> : hash payload
13/09/26 13:43:31 >> : attribute payload
13/09/26 13:43:31 == : new configure hash ( 20 bytes )
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message 178fe1e6
13/09/26 13:43:31 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:31 == : encrypt packet ( 60 bytes )
13/09/26 13:43:31 == : stored iv ( 8 bytes )
13/09/26 13:43:31 DB : config resend event canceled ( ref count = 1 )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 88 bytes )
13/09/26 13:43:31 DB : config resend event scheduled ( ref count = 2 )
13/09/26 13:43:31 ii : building config attribute list
13/09/26 13:43:31 ii : - IP4 Address
13/09/26 13:43:31 ii : - Address Expiry
13/09/26 13:43:31 ii : - IP4 Netmask
13/09/26 13:43:31 ii : - IP4 DNS Server
13/09/26 13:43:31 ii : - IP4 Subnet
13/09/26 13:43:31 == : new config iv ( 8 bytes )
13/09/26 13:43:31 ii : sending config pull request
13/09/26 13:43:31 >> : hash payload
13/09/26 13:43:31 >> : attribute payload
13/09/26 13:43:31 == : new configure hash ( 20 bytes )
13/09/26 13:43:31 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 >= : message f4534bb6
13/09/26 13:43:31 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:31 == : encrypt packet ( 80 bytes )
13/09/26 13:43:31 == : stored iv ( 8 bytes )
13/09/26 13:43:31 DB : config resend event canceled ( ref count = 1 )
13/09/26 13:43:31 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 112 bytes )
13/09/26 13:43:31 DB : config resend event scheduled ( ref count = 2 )
13/09/26 13:43:31 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 76 bytes )
13/09/26 13:43:31 DB : phase1 found
13/09/26 13:43:31 ii : processing config packet ( 76 bytes )
13/09/26 13:43:31 DB : config found
13/09/26 13:43:31 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:31 =< : message f4534bb6
13/09/26 13:43:31 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:31 == : decrypt packet ( 76 bytes )
13/09/26 13:43:31 <= : trimmed packet padding ( 8 bytes )
13/09/26 13:43:31 <= : stored iv ( 8 bytes )
13/09/26 13:43:31 << : hash payload
13/09/26 13:43:31 << : attribute payload
13/09/26 13:43:31 == : configure hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:31 == : configure hash_c ( computed ) ( 20 bytes )
13/09/26 13:43:31 ii : configure hash verified
13/09/26 13:43:31 ii : received config pull response
13/09/26 13:43:31 ii : - IP4 Address = 192.168.2.2
13/09/26 13:43:31 !! : invalid private netmask, defaulting to 255.255.255.0
13/09/26 13:43:31 ii : opened tap device tap0
13/09/26 13:43:31 ii : configured adapter tap0
13/09/26 13:43:31 ii : generating IPSEC security policies at UNIQUE level
13/09/26 13:43:31 ii : creating NONE INBOUND policy ANY:S.S.S.S:* -> ANY:A.A.A.A:*
13/09/26 13:43:31 DB : policy added ( obj count = 1 )
13/09/26 13:43:31 K> : send pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 K< : recv pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 DB : policy found
13/09/26 13:43:31 ii : creating NONE OUTBOUND policy ANY:A.A.A.A:* -> ANY:S.S.S.S:*
13/09/26 13:43:31 DB : config resend event canceled ( ref count = 1 )
13/09/26 13:43:31 ii : created NONE policy route for S.S.S.S/32
13/09/26 13:43:31 DB : policy added ( obj count = 2 )
13/09/26 13:43:31 K> : send pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 K< : recv pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 DB : policy found
13/09/26 13:43:31 ii : creating IPSEC INBOUND policy ANY:0.0.0.0/0:* -> ANY:192.168.2.2:*
13/09/26 13:43:31 DB : policy added ( obj count = 3 )
13/09/26 13:43:31 K> : send pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 K< : recv pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 DB : policy found
13/09/26 13:43:31 ii : creating IPSEC OUTBOUND policy ANY:192.168.2.2:* -> 
ANY:0.0.0.0/0:*
13/09/26 13:43:31 ii : created IPSEC policy route for 0.0.0.0
13/09/26 13:43:31 DB : policy added ( obj count = 4 )
13/09/26 13:43:31 K> : send pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 K< : recv pfkey X_SPDADD UNSPEC message
13/09/26 13:43:31 DB : policy found
13/09/26 13:43:36 K< : recv pfkey ACQUIRE ESP message
13/09/26 13:43:36 DB : policy found
13/09/26 13:43:36 DB : policy found
13/09/26 13:43:36 DB : tunnel found
13/09/26 13:43:36 DB : new phase2 ( IPSEC initiator )
13/09/26 13:43:36 DB : phase2 added ( obj count = 1 )
13/09/26 13:43:36 K> : send pfkey GETSPI ESP message
13/09/26 13:43:36 K< : recv pfkey GETSPI ESP message
13/09/26 13:43:36 DB : phase2 found
13/09/26 13:43:36 ii : updated spi for 1 ipsec-esp proposal
13/09/26 13:43:36 DB : phase1 found
13/09/26 13:43:36 >> : hash payload
13/09/26 13:43:36 >> : security association payload
13/09/26 13:43:36 >> : - proposal #1 payload 
13/09/26 13:43:36 >> : -- transform #1 payload 
13/09/26 13:43:36 >> : nonce payload
13/09/26 13:43:36 >> : identification payload
13/09/26 13:43:36 >> : identification payload
13/09/26 13:43:36 == : phase2 hash_i ( input ) ( 108 bytes )
13/09/26 13:43:36 == : phase2 hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:36 == : new phase2 iv ( 8 bytes )
13/09/26 13:43:36 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:36 >= : message 847f497e
13/09/26 13:43:36 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:36 == : encrypt packet ( 156 bytes )
13/09/26 13:43:36 == : stored iv ( 8 bytes )
13/09/26 13:43:36 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 184 bytes )
13/09/26 13:43:36 DB : phase2 resend event scheduled ( ref count = 2 )
13/09/26 13:43:36 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 172 bytes )
13/09/26 13:43:36 DB : phase1 found
13/09/26 13:43:36 ii : processing phase2 packet ( 172 bytes )
13/09/26 13:43:36 DB : phase2 found
13/09/26 13:43:36 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:36 =< : message 847f497e
13/09/26 13:43:36 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:36 == : decrypt packet ( 172 bytes )
13/09/26 13:43:36 <= : trimmed packet padding ( 8 bytes )
13/09/26 13:43:36 <= : stored iv ( 8 bytes )
13/09/26 13:43:36 << : hash payload
13/09/26 13:43:36 << : security association payload
13/09/26 13:43:36 << : - propsal #1 payload 
13/09/26 13:43:36 << : -- transform #1 payload 
13/09/26 13:43:36 << : nonce payload
13/09/26 13:43:36 << : identification payload
13/09/26 13:43:36 << : identification payload
13/09/26 13:43:36 == : phase2 hash_r ( input ) ( 136 bytes )
13/09/26 13:43:36 == : phase2 hash_r ( computed ) ( 20 bytes )
13/09/26 13:43:36 == : phase2 hash_r ( received ) ( 20 bytes )
13/09/26 13:43:36 ii : matched ipsec-esp proposal #1 transform #1
13/09/26 13:43:36 ii : - transform    = esp-3des
13/09/26 13:43:36 ii : - key length   = default
13/09/26 13:43:36 ii : - encap mode   = tunnel
13/09/26 13:43:36 ii : - msg auth     = hmac-sha1
13/09/26 13:43:36 ii : - pfs dh group = none
13/09/26 13:43:36 ii : - life seconds = 3600
13/09/26 13:43:36 ii : - life kbytes  = 0
13/09/26 13:43:36 DB : policy found
13/09/26 13:43:36 K> : send pfkey GETSPI ESP message
13/09/26 13:43:36 ii : phase2 ids accepted
13/09/26 13:43:36 ii : - loc ANY:192.168.2.2:* -> ANY:0.0.0.0/0:*
13/09/26 13:43:36 ii : - rmt ANY:0.0.0.0/0:* -> ANY:192.168.2.2:*
13/09/26 13:43:36 ii : phase2 sa established
13/09/26 13:43:36 ii : A.A.A.A:500 <-> S.S.S.S:500
13/09/26 13:43:36 == : phase2 hash_p ( input ) ( 57 bytes )
13/09/26 13:43:36 == : phase2 hash_p ( computed ) ( 20 bytes )
13/09/26 13:43:36 >> : hash payload
13/09/26 13:43:36 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:36 >= : message 847f497e
13/09/26 13:43:36 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:36 == : encrypt packet ( 52 bytes )
13/09/26 13:43:36 == : stored iv ( 8 bytes )
13/09/26 13:43:36 DB : phase2 resend event canceled ( ref count = 1 )
13/09/26 13:43:36 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 80 bytes )
13/09/26 13:43:36 == : spi cipher key data ( 24 bytes )
13/09/26 13:43:36 == : spi hmac key data ( 20 bytes )
13/09/26 13:43:36 K> : send pfkey UPDATE ESP message
13/09/26 13:43:36 K< : recv pfkey GETSPI ESP message
13/09/26 13:43:36 DB : phase2 found
13/09/26 13:43:36 K< : recv pfkey UPDATE ESP message
13/09/26 13:43:36 == : spi cipher key data ( 24 bytes )
13/09/26 13:43:36 == : spi hmac key data ( 20 bytes )
13/09/26 13:43:36 K> : send pfkey UPDATE ESP message
13/09/26 13:43:36 K< : recv pfkey UPDATE ESP message
13/09/26 13:43:46 DB : phase1 found
13/09/26 13:43:46 ii : sending peer DPDV1-R-U-THERE notification
13/09/26 13:43:46 ii : - A.A.A.A:500 -> S.S.S.S:500
13/09/26 13:43:46 ii : - isakmp spi = de000000c8000000:4400000089000000
13/09/26 13:43:46 ii : - data size 4
13/09/26 13:43:46 >> : hash payload
13/09/26 13:43:46 >> : notification payload
13/09/26 13:43:46 == : new informational hash ( 20 bytes )
13/09/26 13:43:46 == : new informational iv ( 8 bytes )
13/09/26 13:43:46 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:46 >= : message aacfb3a8
13/09/26 13:43:46 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:46 == : encrypt packet ( 84 bytes )
13/09/26 13:43:46 == : stored iv ( 8 bytes )
13/09/26 13:43:46 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 112 bytes )
13/09/26 13:43:46 ii : DPD ARE-YOU-THERE sequence 026d9f46 requested
13/09/26 13:43:46 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 92 bytes )
13/09/26 13:43:46 DB : phase1 found
13/09/26 13:43:46 ii : processing informational packet ( 92 bytes )
13/09/26 13:43:46 == : new informational iv ( 8 bytes )
13/09/26 13:43:46 =< : cookies de000000c8000000:4400000089000000
13/09/26 13:43:46 =< : message 843d23b8
13/09/26 13:43:46 =< : decrypt iv ( 8 bytes )
13/09/26 13:43:46 == : decrypt packet ( 92 bytes )
13/09/26 13:43:46 <= : trimmed packet padding ( 8 bytes )
13/09/26 13:43:46 <= : stored iv ( 8 bytes )
13/09/26 13:43:46 << : hash payload
13/09/26 13:43:46 << : notification payload
13/09/26 13:43:46 == : informational hash_i ( computed ) ( 20 bytes )
13/09/26 13:43:46 == : informational hash_c ( received ) ( 20 bytes )
13/09/26 13:43:46 ii : informational hash verified
13/09/26 13:43:46 ii : received peer DPDV1-R-U-THERE-ACK notification
13/09/26 13:43:46 ii : - S.S.S.S:500 -> A.A.A.A:500
13/09/26 13:43:46 ii : - isakmp spi = de000000c8000000:4400000089000000
13/09/26 13:43:46 ii : - data size 4
13/09/26 13:43:46 ii : DPD ARE-YOU-THERE-ACK sequence 026d9f46 accepted
13/09/26 13:43:46 ii : next tunnel DPD request in 15 secs for peer S.S.S.S:500
13/09/26 13:43:53 <A : peer tunnel disable message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 ii : removing IPSEC INBOUND policy ANY:0.0.0.0/0:* -> 
ANY:192.168.2.2:*
13/09/26 13:43:53 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 ii : removing IPSEC OUTBOUND policy ANY:192.168.2.2:* -> 
ANY:0.0.0.0/0:*
13/09/26 13:43:53 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 ii : removed IPSEC policy route for ANY:0.0.0.0/0:*
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 ii : removing NONE INBOUND policy ANY:S.S.S.S:* -> 
ANY:A.A.A.A:*
13/09/26 13:43:53 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 ii : removing NONE OUTBOUND policy ANY:A.A.A.A:* -> 
ANY:S.S.S.S:*
13/09/26 13:43:53 K> : send pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 ii : removed NONE policy route for ANY:S.S.S.S:*
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 DB : policy deleted ( obj count = 3 )
13/09/26 13:43:53 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 DB : policy deleted ( obj count = 2 )
13/09/26 13:43:53 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 DB : policy deleted ( obj count = 1 )
13/09/26 13:43:53 K< : recv pfkey X_SPDDELETE2 UNSPEC message
13/09/26 13:43:53 DB : policy found
13/09/26 13:43:53 DB : policy deleted ( obj count = 0 )
13/09/26 13:43:53 ii : closed tap device tap0
13/09/26 13:43:53 DB : tunnel dpd event canceled ( ref count = 5 )
13/09/26 13:43:53 DB : tunnel stats event canceled ( ref count = 4 )
13/09/26 13:43:53 DB : removing tunnel config references
13/09/26 13:43:53 DB : config deleted ( obj count = 0 )
13/09/26 13:43:53 DB : removing tunnel phase2 references
13/09/26 13:43:53 DB : phase2 soft event canceled ( ref count = 2 )
13/09/26 13:43:53 DB : phase2 hard event canceled ( ref count = 1 )
13/09/26 13:43:53 DB : phase1 found
13/09/26 13:43:53 ii : sending peer DELETE message
13/09/26 13:43:53 ii : - A.A.A.A:500 -> S.S.S.S:500
13/09/26 13:43:53 ii : - ipsec-esp spi = 0x05dacbdb
13/09/26 13:43:53 ii : - data size 0
13/09/26 13:43:53 >> : hash payload
13/09/26 13:43:53 >> : delete payload
13/09/26 13:43:53 == : new informational hash ( 20 bytes )
13/09/26 13:43:53 == : new informational iv ( 8 bytes )
13/09/26 13:43:53 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:53 >= : message 93a37fce
13/09/26 13:43:53 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:53 == : encrypt packet ( 68 bytes )
13/09/26 13:43:53 == : stored iv ( 8 bytes )
13/09/26 13:43:53 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 96 bytes )
13/09/26 13:43:53 K> : send pfkey DELETE ESP message
13/09/26 13:43:53 K< : recv pfkey DELETE ESP message
13/09/26 13:43:53 K> : send pfkey DELETE ESP message
13/09/26 13:43:53 K< : recv pfkey DELETE ESP message
13/09/26 13:43:53 ii : phase2 removal before expire time
13/09/26 13:43:53 DB : phase2 deleted ( obj count = 0 )
13/09/26 13:43:53 DB : removing tunnel phase1 references
13/09/26 13:43:53 DB : phase1 soft event canceled ( ref count = 3 )
13/09/26 13:43:53 DB : phase1 hard event canceled ( ref count = 2 )
13/09/26 13:43:53 DB : phase1 dead event canceled ( ref count = 1 )
13/09/26 13:43:53 ii : sending peer DELETE message
13/09/26 13:43:53 ii : - A.A.A.A:500 -> S.S.S.S:500
13/09/26 13:43:53 ii : - isakmp spi = de000000c8000000:4400000089000000
13/09/26 13:43:53 ii : - data size 0
13/09/26 13:43:53 >> : hash payload
13/09/26 13:43:53 >> : delete payload
13/09/26 13:43:53 == : new informational hash ( 20 bytes )
13/09/26 13:43:53 == : new informational iv ( 8 bytes )
13/09/26 13:43:53 >= : cookies de000000c8000000:4400000089000000
13/09/26 13:43:53 >= : message 5eb9da83
13/09/26 13:43:53 >= : encrypt iv ( 8 bytes )
13/09/26 13:43:53 == : encrypt packet ( 80 bytes )
13/09/26 13:43:53 == : stored iv ( 8 bytes )
13/09/26 13:43:53 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 112 bytes )
13/09/26 13:43:53 ii : phase1 removal before expire time
13/09/26 13:43:53 DB : phase1 deleted ( obj count = 0 )
13/09/26 13:43:53 DB : tunnel deleted ( obj count = 0 )
13/09/26 13:43:53 DB : removing all peer tunnel references
13/09/26 13:43:53 DB : peer deleted ( obj count = 0 )
13/09/26 13:43:53 ii : ipc client process thread exit ...
13/09/26 13:43:59 ii : hard halt signal received, shutting down
13/09/26 13:43:59 ii : ipc server process thread exit ...
13/09/26 13:43:59 ii : pfkey process thread exit ...
13/09/26 13:43:59 ii : network process thread exit ...
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
s:auth-server-cert-name:CA.cert.pem
b:auth-server-cert-data:content of CA.cert.pem here
s:auth-client-cert-name:user.cert.pem
b:auth-client-cert-data:content of user.cert.pem here
s:auth-client-key-name:user.key.pem
b:auth-client-key-data:content of user.key.pem here
n:phase1-dhgroup:2
n:phase1-keylen:0
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:0
n:phase2-pfsgroup:-1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:S.S.S.S = IP address of the real gateway ( VPN concentrator )
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-rsa-xauth
s:ident-client-type:asn1dn
s:ident-server-type:asn1dn
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto

Attachment: strongswan.ipsec.conf

13/09/26 19:40:27 ## : IKE Daemon, ver 2.2.1
13/09/26 19:40:27 ## : Copyright 2013 Shrew Soft Inc.
13/09/26 19:40:27 ## : This product linked OpenSSL 1.0.1e-fips 11 Feb 2013
13/09/26 19:40:27 ii : opened '/var/log/iked.log'
13/09/26 19:40:27 ii : ipc server process thread begin ...
13/09/26 19:40:27 ii : pfkey process thread begin ...
13/09/26 19:40:27 ii : network process thread begin ...
13/09/26 19:40:27 K< : recv pfkey REGISTER AH message
13/09/26 19:40:27 K< : recv pfkey REGISTER ESP message
13/09/26 19:40:27 K< : recv pfkey REGISTER IPCOMP message
13/09/26 19:40:27 K! : recv X_SPDDUMP message failure ( errno = 2 )
13/09/26 19:40:52 ii : ipc client process thread begin ...
13/09/26 19:40:52 <A : peer config add message
13/09/26 19:40:52 <A : proposal config message
13/09/26 19:40:52 <A : proposal config message
13/09/26 19:40:52 <A : client config message
13/09/26 19:40:52 <A : xauth username message
13/09/26 19:40:52 <A : xauth password message
13/09/26 19:40:52 <A : remote certificate data message
13/09/26 19:40:52 ii : remote certificate read complete ( 889 bytes )
13/09/26 19:40:52 <A : local certificate data message
13/09/26 19:40:52 ii : local certificate read complete ( 1493 bytes )
13/09/26 19:40:52 <A : local key data message
13/09/26 19:40:52 ii : local key read complete ( 1193 bytes )
13/09/26 19:40:52 <A : peer tunnel enable message
13/09/26 19:40:52 DB : peer added ( obj count = 1 )
13/09/26 19:40:52 ii : local address B.B.B.B selected for peer
13/09/26 19:40:52 DB : tunnel added ( obj count = 1 )
13/09/26 19:40:52 ii : obtained x509 cert subject ( 159 bytes )
13/09/26 19:40:52 DB : new phase1 ( ISAKMP initiator )
13/09/26 19:40:52 DB : exchange type is identity protect
13/09/26 19:40:52 DB : B.B.B.B:500 <-> S.S.S.S:500
13/09/26 19:40:52 DB : e900000057000000:0000000000000000
13/09/26 19:40:52 DB : phase1 added ( obj count = 1 )
13/09/26 19:40:52 >> : security association payload
13/09/26 19:40:52 >> : - proposal #1 payload 
13/09/26 19:40:52 >> : -- transform #1 payload 
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports XAUTH
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports nat-t ( draft v00 )
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports nat-t ( draft v01 )
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports nat-t ( draft v02 )
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports nat-t ( draft v03 )
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports nat-t ( rfc )
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports FRAGMENTATION
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local supports DPDv1
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local is SHREW SOFT compatible
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local is NETSCREEN compatible
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local is SIDEWINDER compatible
13/09/26 19:40:52 >> : vendor id payload
13/09/26 19:40:52 ii : local is CISCO UNITY compatible
13/09/26 19:40:52 >= : cookies e900000057000000:0000000000000000
13/09/26 19:40:52 >= : message 00000000
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 372 bytes )
13/09/26 19:40:52 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 19:40:52 <- : recv IKE packet S.S.S.S:500 -> B.B.B.B:500 ( 136 bytes )
13/09/26 19:40:52 DB : phase1 found
13/09/26 19:40:52 ii : processing phase1 packet ( 136 bytes )
13/09/26 19:40:52 =< : cookies e900000057000000:e40000003f000000
13/09/26 19:40:52 =< : message 00000000
13/09/26 19:40:52 << : security association payload
13/09/26 19:40:52 << : - propsal #1 payload 
13/09/26 19:40:52 << : -- transform #1 payload 
13/09/26 19:40:52 ii : matched isakmp proposal #1 transform #1
13/09/26 19:40:52 ii : - transform    = ike
13/09/26 19:40:52 ii : - cipher type  = 3des
13/09/26 19:40:52 ii : - key length   = default
13/09/26 19:40:52 ii : - hash type    = sha1
13/09/26 19:40:52 ii : - dh group     = group2 ( modp-1024 )
13/09/26 19:40:52 ii : - auth type    = xauth-initiator-rsa
13/09/26 19:40:52 ii : - life seconds = 86400
13/09/26 19:40:52 ii : - life kbytes  = 0
13/09/26 19:40:52 << : vendor id payload
13/09/26 19:40:52 ii : peer supports XAUTH
13/09/26 19:40:52 << : vendor id payload
13/09/26 19:40:52 ii : peer supports DPDv1
13/09/26 19:40:52 << : vendor id payload
13/09/26 19:40:52 ii : peer supports nat-t ( rfc )
13/09/26 19:40:52 >> : key exchange payload
13/09/26 19:40:52 >> : nonce payload
13/09/26 19:40:52 >> : cert request payload
13/09/26 19:40:52 >> : nat discovery payload
13/09/26 19:40:52 >> : nat discovery payload
13/09/26 19:40:52 >= : cookies e900000057000000:e40000003f000000
13/09/26 19:40:52 >= : message 00000000
13/09/26 19:40:52 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 265 bytes )
13/09/26 19:40:52 DB : phase1 resend event scheduled ( ref count = 2 )
13/09/26 19:40:52 <- : recv IKE packet S.S.S.S:500 -> B.B.B.B:500 ( 328 bytes )
13/09/26 19:40:52 DB : phase1 found
13/09/26 19:40:52 ii : processing phase1 packet ( 328 bytes )
13/09/26 19:40:52 =< : cookies e900000057000000:e40000003f000000
13/09/26 19:40:52 =< : message 00000000
13/09/26 19:40:52 << : key exchange payload
13/09/26 19:40:52 << : nonce payload
13/09/26 19:40:52 << : cert request payload
13/09/26 19:40:52 << : nat discovery payload
13/09/26 19:40:52 << : nat discovery payload
13/09/26 19:40:52 ii : disabled nat-t ( no nat detected )
13/09/26 19:40:52 == : DH shared secret ( 128 bytes )
13/09/26 19:40:52 == : SETKEYID ( 20 bytes )
13/09/26 19:40:52 == : SETKEYID_d ( 20 bytes )
13/09/26 19:40:52 == : SETKEYID_a ( 20 bytes )
13/09/26 19:40:52 == : SETKEYID_e ( 20 bytes )
13/09/26 19:40:52 == : cipher key ( 40 bytes )
13/09/26 19:40:52 == : cipher iv ( 8 bytes )
13/09/26 19:40:52 >> : identification payload
13/09/26 19:40:52 >> : certificate payload
13/09/26 19:40:52 == : phase1 hash_i ( computed ) ( 20 bytes )
13/09/26 19:40:52 >> : signature payload
13/09/26 19:40:52 >= : cookies e900000057000000:e40000003f000000
13/09/26 19:40:52 >= : message 00000000
13/09/26 19:40:52 >= : encrypt iv ( 8 bytes )
13/09/26 19:40:52 == : encrypt packet ( 1953 bytes )
13/09/26 19:40:52 == : stored iv ( 8 bytes )
13/09/26 19:40:52 DB : phase1 resend event canceled ( ref count = 1 )
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 1984 bytes )
13/09/26 19:41:37 ii : hard halt signal received, shutting down
13/09/26 19:41:37 DB : removing all peer tunnel references
13/09/26 19:41:37 DB : removing tunnel config references
13/09/26 19:41:37 DB : removing tunnel phase2 references
13/09/26 19:41:37 DB : removing tunnel phase1 references
13/09/26 19:41:37 ii : sending peer DELETE message
13/09/26 19:41:37 ii : - B.B.B.B:500 -> S.S.S.S:500
13/09/26 19:41:37 ii : - isakmp spi = e900000057000000:e40000003f000000
13/09/26 19:41:37 ii : - data size 0
13/09/26 19:41:37 >> : hash payload
13/09/26 19:41:37 >> : delete payload
13/09/26 19:41:37 == : new informational hash ( 20 bytes )
13/09/26 19:41:37 == : new informational iv ( 8 bytes )
13/09/26 19:41:37 >= : cookies e900000057000000:e40000003f000000
13/09/26 19:41:37 >= : message 8349f253
13/09/26 19:41:37 >= : encrypt iv ( 8 bytes )
13/09/26 19:41:37 == : encrypt packet ( 80 bytes )
13/09/26 19:41:37 == : stored iv ( 8 bytes )
13/09/26 19:41:37 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 112 bytes )
13/09/26 19:41:37 ii : phase1 removal before expire time
13/09/26 19:41:37 DB : phase1 deleted ( obj count = 0 )
13/09/26 19:41:37 DB : policy not found
13/09/26 19:41:37 DB : policy not found
13/09/26 19:41:37 DB : tunnel deleted ( obj count = 0 )
13/09/26 19:41:37 DB : peer deleted ( obj count = 0 )
13/09/26 19:41:37 ii : ipc client process thread exit ...
13/09/26 19:41:37 ii : ipc server process thread exit ...
13/09/26 19:41:37 ii : pfkey process thread exit ...
13/09/26 19:41:37 ii : network process thread exit ...
_______________________________________________
vpn-help mailing list
[email protected]
https://lists.shrew.net/mailman/listinfo/vpn-help
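As an added example that is not part of the post and not Shrew Soft's code: a small Python analyser that reads iked log lines like the ones attached above and reports how far the IKEv1 exchange progressed and where it stopped, so the three runs can be compared mechanically instead of by eye. The parsing rules are inferred from the log lines quoted in this thread. The first two sample logs in the block are abridged from the attached logs for test 1 and test 2; the third is constructed around the two "!!" lines quoted in the question for test 3 (its addresses, the port 4500 taken from `network-natt-port`, and its timestamps are invented).

```python
"""Added example (not from the post or Shrew Soft): summarise an iked log, IKEv1 step by step."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# iked lines read "<ts> <2-char tag> : <message>"; wrapped policy lines carry no tag.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.{2}) : (.*)$")
PACKET_RE = re.compile(r"^(send|recv) IKE packet (\S+) -> (\S+) \( (\d+) bytes \)$")
NATT_RE = re.compile(r"^(enabled|disabled) nat-t \( (.*) \)$")
MTU_HINT = 1500  # a UDP datagram above this leaves an Ethernet host as IP fragments

# Messages that mark progress through main mode and quick mode (wording from the thread's logs).
MILESTONES = (
    "matched isakmp proposal",     # main mode message 2 accepted
    "matched ipsec-esp proposal",  # quick mode message 2 accepted
    "phase2 sa established",
)


@dataclass
class Summary:
    sent: int = 0
    received: int = 0
    nat_t: Optional[str] = None                                   # iked's NAT-T decision
    milestones: List[str] = field(default_factory=list)
    flagged: List[Tuple[str, str]] = field(default_factory=list)  # (timestamp, "!!"/"K!" message)
    unanswered: Optional[Tuple[str, str, int]] = None             # (timestamp, peer, bytes)

    def verdict(self) -> str:
        if "phase2 sa established" in self.milestones:
            return "tunnel up"
        if self.flagged:
            return "failed: " + self.flagged[0][1]
        if self.unanswered:
            ts, peer, size = self.unanswered
            hint = f" (above {MTU_HINT} bytes, so it left the host as IP fragments)" if size > MTU_HINT else ""
            return f"stalled: no reply to {size}-byte packet sent to {peer} at {ts}{hint}"
        return "incomplete"


def summarize(log: str) -> Summary:
    s = Summary()
    pending, expect_reply = None, True  # last unanswered send; DELETE gets no answer by design
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, tag, msg = m.groups()
        if tag in ("!!", "K!"):
            s.flagged.append((ts, msg))
        if pm := PACKET_RE.match(msg):
            direction, _src, dst, size = pm.groups()
            if direction == "send":
                s.sent += 1
                if expect_reply:
                    pending = (ts, dst, int(size))
                expect_reply = True
            else:
                s.received += 1
                pending = None
            continue
        if msg.startswith("sending peer DELETE message"):
            expect_reply = False
        if nm := NATT_RE.match(msg):
            s.nat_t = f"{nm.group(1)} ({nm.group(2)})"
        for name in MILESTONES:
            if msg.startswith(name) and name not in s.milestones:
                s.milestones.append(name)
    s.unanswered = pending
    return s


# Abridged from the post's logs: test 1 (same subnet) and test 2 (different subnet).
LOG_SAME_SUBNET = """\
13/09/26 13:43:31 !! : invalid private netmask, defaulting to 255.255.255.0
13/09/26 13:43:36 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 184 bytes )
13/09/26 13:43:36 <- : recv IKE packet S.S.S.S:500 -> A.A.A.A:500 ( 172 bytes )
13/09/26 13:43:36 ii : matched ipsec-esp proposal #1 transform #1
13/09/26 13:43:36 ii : phase2 sa established
13/09/26 13:43:53 ii : sending peer DELETE message
13/09/26 13:43:53 -> : send IKE packet A.A.A.A:500 -> S.S.S.S:500 ( 96 bytes )
"""
LOG_ROUTED = """\
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 372 bytes )
13/09/26 19:40:52 <- : recv IKE packet S.S.S.S:500 -> B.B.B.B:500 ( 136 bytes )
13/09/26 19:40:52 ii : matched isakmp proposal #1 transform #1
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 265 bytes )
13/09/26 19:40:52 <- : recv IKE packet S.S.S.S:500 -> B.B.B.B:500 ( 328 bytes )
13/09/26 19:40:52 ii : disabled nat-t ( no nat detected )
13/09/26 19:40:52 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 1984 bytes )
13/09/26 19:41:37 ii : sending peer DELETE message
13/09/26 19:41:37 -> : send IKE packet B.B.B.B:500 -> S.S.S.S:500 ( 112 bytes )
"""
# Constructed for test 3: only the two "!!" lines are quoted in the post; address, port and times are made up.
LOG_NAT = """\
13/09/26 20:02:10 <- : recv IKE packet S.S.S.S:4500 -> N.N.N.N:4500 ( 76 bytes )
13/09/26 20:02:10 !! : validate packet failed ( reserved value is non-null )
13/09/26 20:02:10 !! : config packet ignored ( packet decryption error )
"""

if __name__ == "__main__":
    for name, log in (("same subnet", LOG_SAME_SUBNET), ("routed", LOG_ROUTED), ("behind NAT", LOG_NAT)):
        s = summarize(log)
        print(f"{name}: sent={s.sent} recv={s.received} nat-t={s.nat_t} -> {s.verdict()}")
```

Run against the full attached logs, the different-subnet case reduces to one fact the log itself does not explain: the 1984-byte main mode message 5 (identity, certificate and signature, encrypted) is sent and never answered, and nothing retransmits it before the daemon is halted 45 seconds later. A datagram of that size exceeds a 1500-byte MTU and travels as IP fragments; the vendor IDs the gateway sent in that log advertise XAUTH, DPDv1 and NAT-T but not FRAGMENTATION, so the client's `network-frag-mode:enable` cannot be negotiated into IKE-level fragmentation. Whether the fragments actually reach the gateway is a question for a capture on both sides, not for iked's log. The "invalid private netmask" line in the first log is reported as flagged but does not change the verdict, because the phase 2 SA was established after it.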