[Openswan Users] getting openswan 2.6.32-27 to talk to asa version 9.1(2)
jason welsh
jwelsh at livegamer.com
Tue Jan 21 16:25:26 EST 2014
Hey folks, I've been fighting this for a few days now and need some
help. I have Openswan installed on a CentOS VM and have the following:
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.6.32 (klips)
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
SAref kernel support [N/A]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500 [FAILED]
Cannot execute command "lsof -i UDP:4500": No such file or directory
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Here is the config on the Linux side:
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        #protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
conn net-to-vegas
        type=tunnel
        authby=secret
        #interfaces="ipsec0=eth1"
        left=x.x.x.142
        leftsubnet=192.168.126.0/24
        right=x.x.x.244
        rightsubnet=10.13.32.0/21
        #ike=aes128-sha1-modp1024
        #esp=aes128-sha1
        #ike=aes256-sha1-modp1024
        #esp=aes256-sha1
        #esp= 3des-md5-96
        #esp= 3des-md5
        #esp=3des-sha1
        keyexchange=ike
        pfs=yes
        auto=add
        #ike=aes256-sha1;modp1024!
        phase2alg="aes128-sha1;modp1024"
I keep failing phase 2 negotiations and I can't figure out why. I'm 99%
sure it's not the subnets, so I have to think that it's the phase2algs?
Here are the logs from the ASA:
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, processing ke payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, processing ISA_KE payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, processing nonce payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, processing NAT-Discovery
payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, computing NAT Discovery hash
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, processing NAT-Discovery
payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, computing NAT Discovery hash
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing ke payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing nonce payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing Cisco Unity
VID payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing xauth V6 VID
payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, Send IOS VID
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, Constructing ASA spoofing
IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing VID payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing NAT-Discovery
payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, computing NAT Discovery hash
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, constructing NAT-Discovery
payload
Jan 21 13:00:12 [IKEv1 DEBUG]IP = X.X.X.142, computing NAT Discovery hash
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, Connection landed on tunnel_group
X.X.X.142
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
Generating keys for Responder...
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, IKE_DECODE SENDING Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE
(0) total length : 368
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total
length : 64
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing ID payload
Jan 21 13:00:12 [IKEv1 DECODE]Group = X.X.X.142, IP = X.X.X.142,
ID_IPV4_ADDR ID received
X.X.X.142
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing hash payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
Computing hash for ISAKMP
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Automatic NAT
Detection Status: Remote end is NOT behind a NAT device This end
is NOT behind a NAT device
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, Connection landed on tunnel_group
X.X.X.142
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing ID payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing hash payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
Computing hash for ISAKMP
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing dpd vid payload
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, IKE_DECODE SENDING Message
(msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE
(0) total length : 84
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, PHASE 1 COMPLETED
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, Keep-alive type for this
connection: DPD
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142, Starting
P1 rekey timer: 2700 seconds.
Jan 21 13:00:12 [IKEv1 DECODE]IP = X.X.X.142, IKE Responder starting QM:
msg id = 8d8a323a
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, IKE_DECODE RECEIVED Message
(msgid=8d8a323a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +
KE (4) + ID (5) + ID (5) + NONE (0) total length : 388
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing hash payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing SA payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing nonce payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing ke payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing ISA_KE for PFS in phase 2
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing ID payload
Jan 21 13:00:12 [IKEv1 DECODE]Group = X.X.X.142, IP = X.X.X.142,
ID_IPV4_ADDR_SUBNET ID received--192.168.126.0--255.255.255.0
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Received
remote IP Proxy Subnet data in ID Payload: Address 192.168.126.0, Mask
255.255.255.0, Protocol 0, Port 0
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing ID payload
Jan 21 13:00:12 [IKEv1 DECODE]Group = X.X.X.142, IP = X.X.X.142,
ID_IPV4_ADDR_SUBNET ID received--10.13.32.0--255.255.248.0
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Received local
IP Proxy Subnet data in ID Payload: Address 10.13.32.0, Mask
255.255.248.0, Protocol 0, Port 0
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, QM IsRekeyed
old sa not found by addr
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Static Crypto
Map check, checking map = MAP-VPN, seq = 10...
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Static Crypto
Map check, map MAP-VPN, seq = 10 is a successful match
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, IKE Remote
Peer configured for crypto map: MAP-VPN
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
processing IPSec SA payload
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, All IPSec SA
proposals found unacceptable!
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142, sending
notify message
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing blank hash payload
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing ipsec notify payload for msg id 8d8a323a
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142,
constructing qm hash payload
Jan 21 13:00:12 [IKEv1]IP = X.X.X.142, IKE_DECODE SENDING Message
(msgid=1f50aada) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 84
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, QM FSM error
(P2 struct &0x00007ffd92f130c0, mess id 0x8d8a323a)!
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142, IKE QM
Responder FSM error history (struct &0x00007ffd92f130c0) <state>,
<event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2,
EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2,
EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2,
NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 21 13:00:12 [IKEv1 DEBUG]Group = X.X.X.142, IP = X.X.X.142, sending
delete/delete with reason message
Jan 21 13:00:12 [IKEv1]Group = X.X.X.142, IP = X.X.X.142, Removing peer
from correlator table failed, no match!
And here is the barf from the Linux box:
[jason at zim ~]$ cat /tmp/crap2
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Perhaps iptables or your kernel
needs to be upgraded.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: iptables v1.4.7: can't
initialize iptables table `mangle': Permission denied (you must be root)
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Perhaps iptables or your kernel
needs to be upgraded.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: iptables v1.4.7: can't
initialize iptables table `mangle': Permission denied (you must be root)
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Perhaps iptables or your kernel
needs to be upgraded.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output:
/usr/libexec/ipsec/_updown.mast: doroute `iptables -t mangle -I
NEW_IPSEC_CONN 1 --src 192.168.126.0/255.255.255.0 --dst
10.13.32.0/255.255.248.0 -m mark --mark 0/0x80000000 -j MARK --set-mark
0x80010000 -m comment --comment 'net-to-vegas'' failed (Could
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: not determine whether revision
1 is supported, assuming it is.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Could not determine whether
revision 2 is supported, assuming it is.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Could not determine whether
revision 2 is supported, assuming it is.
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: iptables v1.4.7: can't
initialize iptables table `mangle': Permission denied (you must be root)
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client output: Perhaps iptables or your kernel
needs to be upgraded.)
Jan 21 21:09:44 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: spdadd-client command exited with status 3
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME msgid=04ef88ee
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute called op=1/add
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_raw_eroute called op=1 said=tun.1001 at X.X.X.244
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: requested algorithm is not available in the kernel
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 0e 00 09 17 00 00 00 10 00 00 00 77 3b 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 00 00 10 01 00 00 00 00 10 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 c0 a8 7e 00 00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 16 00 00 00 00 00 02 00 00 00 0a 0d 20 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 17 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 18 00 00 00 00 00 02 00 00 00 ff ff f8 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
raw_eroute result=0
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute failed to add/1 pfkey eroute
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 11 00 00 00 77 3b 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 e8 f5 61 e2 00 01 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 12 00 00 00 77 3b 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 d5 aa cf a8 00 01 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 42 74 62 f4 00 00 00 00 00 00 00 00
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 40 1e 82 8e
Jan 21 21:09:52 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME msgid=04ef88ee
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute called op=1/add
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_raw_eroute called op=1 said=tun.1001 at X.X.X.244
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: requested algorithm is not available in the kernel
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 0e 00 09 17 00 00 00 13 00 00 00 77 3b 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 00 00 10 01 00 00 00 00 10 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 c0 a8 7e 00 00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 16 00 00 00 00 00 02 00 00 00 0a 0d 20 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 17 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 18 00 00 00 00 00 02 00 00 00 ff ff f8 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
raw_eroute result=0
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute failed to add/1 pfkey eroute
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 14 00 00 00 77 3b 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 e8 f5 61 e2 00 01 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 15 00 00 00 77 3b 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 d5 aa cf a8 00 01 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 42 74 62 f4 00 00 00 00 00 00 00 00
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 40 1e 82 8e
Jan 21 21:10:00 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:03 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:f98f7772 proposal=AES(12)_128-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME msgid=04ef88ee
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute called op=1/add
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_raw_eroute called op=1 said=tun.1001 at X.X.X.244
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: requested algorithm is not available in the kernel
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 0e 00 09 17 00 00 00 16 00 00 00 77 3b 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 00 00 10 01 00 00 00 00 10 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 15 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 c0 a8 7e 00 00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 16 00 00 00 00 00 02 00 00 00 0a 0d 20 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 17 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 18 00 00 00 00 00 02 00 00 00 ff ff f8 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
raw_eroute result=0
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
mast_sag_eroute failed to add/1 pfkey eroute
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 17 00 00 00 77 3b 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 e8 f5 61 e2 00 01 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 40 1e 82 8e 00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 42 74 62 f4
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 04 00 03 0b 00 00 00 18 00 00 00 77 3b 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 01 00 d5 aa cf a8 00 01 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
02 00 00 00 42 74 62 f4 00 00 00 00 00 00 00 00
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
03 00 06 00 00 00 00 00 02 00 00 00 40 1e 82 8e
Jan 21 21:10:08 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]: |
00 00 00 00 00 00 00 00
Jan 21 21:10:16 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP
SA(0xe8f561e2) not found (maybe expired)
Jan 21 21:10:16 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #1: received and ignored informational message
Jan 21 21:10:16 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #1: received Delete SA payload: deleting ISAKMP State #1
Jan 21 21:10:16 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
packet from X.X.X.244:500: received and ignored informational message
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
shutting down
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
forgetting secrets
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas": deleting connection
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #3: deleting state (STATE_QUICK_I1)
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
"net-to-vegas" #2: deleting state (STATE_QUICK_I1)
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
shutting down interface mast0/eth1 192.168.126.224:4500
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
shutting down interface mast0/eth1 192.168.126.224:500
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
shutting down interface mast0/eth2 X.X.X.142:4500
Jan 21 21:10:17 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15223]:
shutting down interface mast0/eth2 X.X.X.142:500
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b ipsec__plutorun:
Starting Pluto subsystem...
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: nss
directory plutomain: /etc/ipsec.d
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: NSS
Initialized
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
Non-fips mode set in /proc/sys/crypto/fips_enabled
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: FIPS:
not a FIPS product
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: FIPS
HMAC integrity verification test passed
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:15512
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
Non-fips mode set in /proc/sys/crypto/fips_enabled
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
LEAK_DETECTIVE support [disabled]
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: OCF
support for IKE [disabled]
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: SAref
support [disabled]: Protocol not available
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
SAbind support [disabled]: Protocol not available
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: NSS
support [enabled]
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
HAVE_STATSD notification support not compiled in
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
Setting NAT-Traversal port-4500 floating to on
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
port floating activation criteria nat_t=1/port_float=1
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
NAT-Traversal support [enabled]
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: 1 bad
entries in virtual_private - none loaded
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
starting up 1 cryptographic helpers
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
started helper (thread) pid=140197100242688 (fd:8)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
Kernel interface auto-pick
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: No
Kernel NETKEY interface detected
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: Using
KLIPSng (mast) IPsec interface code on 2.6.32-431.3.1.el6.x86_64
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: Could
not change to directory '/etc/ipsec.d/cacerts': /
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: Could
not change to directory '/etc/ipsec.d/aacerts': /
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: Could
not change to directory '/etc/ipsec.d/ocspcerts': /
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: Could
not change to directory '/etc/ipsec.d/crls'
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: |
selinux support is enabled.
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: added
connection description "net-to-vegas"
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
listening for IKE messages
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: |
useful mast device -1
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
adding interface mast0/eth2 X.X.X.142:500 (fd=15)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
adding interface mast0/eth2 X.X.X.142:4500 (fd=16)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
adding interface mast0/eth1 192.168.126.224:500 (fd=17)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]:
adding interface mast0/eth1 192.168.126.224:4500 (fd=18)
Jan 21 21:10:18 ff2e1a08-53ed-c7e4-e36a-b0b2a181e33b pluto[15512]: |
useful mast device 0
I'm not sure if it's a case of them having a misconfiguration of the phase
2 crypto algorithms or something missing on the Linux server side.
I've tried dozens of configuration options for esp= but can't seem to
find one that works. Please hit me with a clue stick as needed.
regards,
Jason
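The log excerpt above is mail-wrapped (each pluto line is split after the `pluto[pid]:` prefix), which makes it hard to see the three facts that matter: the kernel side (KLIPS/mast) refused to install an eroute, both Quick Mode states were torn down in STATE_QUICK_I1 (phase 2 started but the peer never answered), and pluto ignored a Delete SA for an ESP SA it never had. The following is an added triage script, not code from the post or from the Openswan project: it re-joins wrapped lines, parses the pluto prefix, and summarises those facts. The hostname `gw1`, the sample lines (modelled on the post's output) and the triage heuristics are the example's own assumptions.

```python
"""Triage helper for Openswan/pluto syslog output (added example, not from the
post or the Openswan project).  Re-joins mail-wrapped lines, parses the
'pluto[pid]:' prefix and summarises what a reviewer checks first when a tunnel
never carries traffic."""
import re

# Constructed sample, modelled on the wrapped lines in the post (hostname gw1 is made up).
SAMPLE = """\
Jan 21 21:10:08 gw1 pluto[15223]: |
raw_eroute result=0
Jan 21 21:10:08 gw1 pluto[15223]: |
mast_sag_eroute failed to add/1 pfkey eroute
Jan 21 21:10:16 gw1 pluto[15223]:
"net-to-vegas" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP
SA(0xe8f561e2) not found (maybe expired)
Jan 21 21:10:17 gw1 pluto[15223]:
"net-to-vegas" #3: deleting state (STATE_QUICK_I1)
Jan 21 21:10:17 gw1 pluto[15223]:
"net-to-vegas" #2: deleting state (STATE_QUICK_I1)
Jan 21 21:10:18 gw1 pluto[15512]: 1 bad
entries in virtual_private - none loaded
"""

# A syslog record starts with "Mon dd hh:mm:ss"; anything else is a wrapped continuation.
TS_RE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d ')
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: ?(?P<msg>.*)$')
STATE_DEL_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<num>\d+): deleting state \((?P<state>STATE_\w+)\)')
# STATE_QUICK_I1: initiator sent Quick Mode message 1 and is still waiting for a reply.
PHASE2_INCOMPLETE = {"STATE_QUICK_I1"}


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def triage(lines):
    """Summarise eroute failures, torn-down states, ignored deletes and config warnings."""
    summary = {
        "pids": set(),            # pluto restarted if more than one pid appears
        "eroute_failures": [],    # kernel (KLIPS/mast) refused to install a policy
        "states_deleted": [],     # (conn, state number, state name) at teardown
        "phase2_incomplete": 0,   # Quick Mode states deleted before completing
        "established": 0,         # IPsec SAs that did reach the established state
        "delete_sa_ignored": 0,   # peer deleted an ESP SA this side never had
        "config_warnings": [],    # startup warnings worth fixing in ipsec.conf
    }
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        summary["pids"].add(int(m.group("pid")))
        if msg.startswith("|"):   # debug-level line; only failures are interesting
            if "failed" in msg:
                summary["eroute_failures"].append(msg.lstrip("| "))
            continue
        sd = STATE_DEL_RE.match(msg)
        if sd:
            summary["states_deleted"].append((sd["conn"], int(sd["num"]), sd["state"]))
            if sd["state"] in PHASE2_INCOMPLETE:
                summary["phase2_incomplete"] += 1
            continue
        if "IPsec SA established" in msg or re.search(r'STATE_QUICK_[IR]2', msg):
            summary["established"] += 1
        elif "ignoring Delete SA payload" in msg:
            summary["delete_sa_ignored"] += 1
        elif "bad entries in virtual_private" in msg or "Could not change to directory" in msg:
            summary["config_warnings"].append(msg)
    return summary


def verdict(summary):
    """Turn the counters into the one-line conclusion a reviewer would reach."""
    findings = []
    if summary["eroute_failures"]:
        findings.append("kernel refused %d eroute(s): the IPsec stack is not installing the policy"
                        % len(summary["eroute_failures"]))
    if summary["phase2_incomplete"] and not summary["established"]:
        findings.append("phase 2 never completed (%d Quick Mode state(s) torn down): "
                        "compare ESP/PFS proposals with the peer" % summary["phase2_incomplete"])
    if summary["delete_sa_ignored"]:
        findings.append("peer deleted an ESP SA this side never installed")
    if summary["config_warnings"]:
        findings.append("%d config warning(s) at startup" % len(summary["config_warnings"]))
    return "; ".join(findings) or "no obvious problem in the captured lines"


if __name__ == "__main__":
    print(verdict(triage(unwrap(SAMPLE))))
```

Run it against a real `/var/log/secure` (or wherever pluto logs) by replacing `SAMPLE` with the file contents; the unwrap step is harmless on unwrapped input because every record then starts with a timestamp.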