<div dir="ltr">tunnel is up. it was a misconfiguration error -- wrong subnet.</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/4/16 Viacheslav Dushin <span dir="ltr"><<a href="mailto:slava333@gmail.com" target="_blank">slava333@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I realized that the problem is somewhere here:<div>>000 "telphin": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict</div>
<div>
>000 "telphin": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)</div><div class="im"><div>>000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024</div>
</div><div>>000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict</div><div class="im"><div>>000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160</div><div><br>
</div></div><div>But I still don't understand how to strictly specify the algorithms it needs.</div>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">2013/4/16 Viacheslav Dushin <span dir="ltr"><<a href="mailto:slava333@gmail.com" target="_blank">slava333@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Hi, everybody.</div><div>First of all, thanks for the answers</div><div><br></div><div>I also have some stupid questions: what does all these states mean? What is the last state after establishing a connection?</div>
<div><br></div><div>In some tutorials PKS is inside brackets, but on in the other ones it's without them. Which one is correct? My PKS contains letters and numbers only:</div><div><br></div><div>my /etc/ipsec.secrets file</div>
<div><br></div><div><br></div><div># this file is managed with debconf and will contain the automatically created RSA keys</div><div>#include /var/lib/openswan/ipsec.secrets.inc</div><div><br></div><div>1.1.1.123 <a href="http://2.2.2.2" target="_blank">2.2.2.2</a>: PSK XXXXXX </div>
<div><br></div><div>/etc/ipsec.secrets file ends</div><div><br></div><div>Also does anybody have succeeded in using openswan on XEN VPS and/or Cisco-Unity? Maybe the problem is in XEN or Cisco-Unity.</div><div><br></div>
<div>
I'll keep digging.</div><div><br></div><div>Thanks, Slava</div><div><div><br></div><div>2013/4/16 Simon Deziel <<a href="mailto:simon@xelerance.com" target="_blank">simon@xelerance.com</a>></div><div>
> Hi Slava,</div><div>> </div>
<div>> On 13-04-15 10:59 AM, Viacheslav Dushin wrote:</div><div>> > Hi, I'm trying to create site-to-site connection</div><div>> ></div><div>> ></div><div>> > My provider sent me the following settings:</div>
<div>> ></div><div>> >>VPN server address – 2.2.2.2</div><div>> >>Client subnet <a href="http://10.128.139.0/24" target="_blank">10.128.139.0/24</a> <<a href="http://10.128.139.0/24" target="_blank">http://10.128.139.0/24</a>></div>
<div>> >>Destiantion subnet - <a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a> <<a href="http://10.128.0.0/24" target="_blank">http://10.128.0.0/24</a>></div><div>> >>PSK: – XXXXXXXXX</div>
<div>> >>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP encapsulation</div>
<div>> </div><div>> UDP encapsulation means you should enable nat_traversal and might also</div><div>> need to use "forceencaps=yes" for the connection. You might also need to</div><div>> disable PFS but this should be confirmed with the remote side.</div>
<div>> </div><div>> HTH,</div><div>> Simon</div><div><br></div></div><div>What if I don't need nat traversal? I have no NAT on my server. Or is it my provider, who is behind NAT?</div><div><div><br>
</div><div><br></div>
<div>2013/4/15 Gertjan Baarda <<a href="mailto:gertjan.baarda@gmail.com" target="_blank">gertjan.baarda@gmail.com</a>></div><div>> This message can appear for various reasons, most likely both sides can't agree on the IKE params.</div>
<div>> Try:</div><div>> pfs=no</div><div>> ike=3des-sha1-modp1024</div><div>> esp=3des-sha1</div><div>> (notice the removed exclamation point)</div><div>> </div><div>> or else:</div><div>> pfs=no</div>
<div>> ike=3des-sha1</div><div>> esp=3des-sha1</div><div><br></div></div><div>Still the same: with modp1024 or without it hangs on STATE_MAIN_I4</div><div><div><br></div><div><br></div><div>2013/4/15 Leto <<a href="mailto:letoams@gmail.com" target="_blank">letoams@gmail.com</a>></div>
<div>> try modp1536 and/or pfs=no</div><div>> </div><div>> sent from a tiny device</div></div><div>In case of modp1536 or modp2048 it hangs on the first stage (STATE_MAIN_I1)</div><div><div><div><br>
</div><div class="gmail_extra">
<br><br><div class="gmail_quote">2013/4/16 Simon Deziel <span dir="ltr"><<a href="mailto:simon@xelerance.com" target="_blank">simon@xelerance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Slava,<br>
<div><br>
On 13-04-15 10:59 AM, Viacheslav Dushin wrote:<br>
> Hi, I'm trying to create site-to-site connection<br>
><br>
><br>
> My provider sent me the following settings:<br>
><br>
>>VPN server address – 2.2.2.2<br>
</div>>>Client subnet <a href="http://10.128.139.0/24" target="_blank">10.128.139.0/24</a> <<a href="http://10.128.139.0/24" target="_blank">http://10.128.139.0/24</a>><br>
>>Destiantion subnet - <a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a> <<a href="http://10.128.0.0/24" target="_blank">http://10.128.0.0/24</a>><br>
<div>>>PSK: – XXXXXXXXX<br>
>>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP encapsulation<br>
<br>
</div>UDP encapsulation means you should enable nat_traversal and might also<br>
need to use "forceencaps=yes" for the connection. You might also need to<br>
disable PFS but this should be confirmed with the remote side.<br>
<br>
HTH,<br>
Simon<br>
<div><div><br>
> I configured it accordingly, but it doesn't want to connect:<br>
><br>
> It fails with "NO_PROPOSAL_CHOSEN"<br>
><br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state<br>
> STATE_MAIN_I3 to state STATE_MAIN_I4<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP<br>
> SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192<br>
> prf=oakley_sha group=modp1024}<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode<br>
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1<br>
> msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160<br>
> pfsgroup=OAKLEY_GROUP_MODP1024}<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring<br>
> informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored<br>
> informational message<br>
><br>
><br>
> Openswan version: Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)<br>
><br>
><br>
> 1.1.1.123 is my local address<br>
> 1.1.1.1 is my default gateway<br>
> 2.2.2.2 is remote server address<br>
><br>
><br>
> Thanks, Slava<br>
><br>
><br>
> See all logs and configs below:<br>
><br>
><br>
> ipsec.conf start<br>
><br>
><br>
> # /etc/ipsec.conf - Openswan IPsec configuration file<br>
><br>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample<br>
> #<br>
> # Manual: ipsec.conf.5<br>
><br>
><br>
</div></div>> version2.0# conforms to second version of ipsec.conf specification<br>
<div><div>><br>
> # basic configuration<br>
> config setup<br>
> #interfaces="%defaultroute"<br>
> # Do not set debug options to debug configuration issues!<br>
> # plutodebug / klipsdebug = "all", "none" or a combation from below:<br>
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"<br>
> # eg:<br>
> # plutodebug="control parsing"<br>
> # Again: only enable plutodebug or klipsdebug when asked by a developer<br>
> #<br>
> # enable to get logs per-peer<br>
> # plutoopts="--perpeerlog"<br>
> #<br>
> # Enable core dumps (might require system changes, like ulimit -C)<br>
> # This is required for abrtd to work properly<br>
> # Note: incorrect SElinux policies might prevent pluto writing the core<br>
> dumpdir=/var/run/pluto/<br>
> #<br>
> # NAT-TRAVERSAL support, see README.NAT-Traversal<br>
> nat_traversal=no<br>
> # exclude networks used on server side by adding %v4:!a.b.c.0/24<br>
> # It seems that T-Mobile in the US and Rogers/Fido in Canada are<br>
> # using 25/8 as "private" address space on their 3G network.<br>
> # This range has not been announced via BGP (at least upto 2010-12-21)<br>
> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a><br>
</div></div>> <<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10" target="_blank">http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</a>><br>
<div>> # OE is now off by default. Uncomment and change to on, to enable.<br>
> oe=off<br>
> # which IPsec stack to use. auto will try netkey, then klips then mast<br>
> protostack=netkey<br>
> # Use this to log to a file, or disable logging on embedded systems<br>
> (like openwrt)<br>
> #plutostderrlog=/dev/null<br>
><br>
><br>
> # Add connections here<br>
><br>
> # sample VPN connection<br>
> # for more examples, see /etc/ipsec.d/examples/<br>
> #conn sample<br>
</div>> ## Left security gateway, subnet behind it, nexthop toward right.<br>
> #left=10.0.0.1<br>
> #leftsubnet=<a href="http://172.16.0.0/24" target="_blank">172.16.0.0/24</a> <<a href="http://172.16.0.0/24" target="_blank">http://172.16.0.0/24</a>><br>
> #leftnexthop=10.22.33.44<br>
> ## Right security gateway, subnet behind it, nexthop toward left.<br>
> #right=10.12.12.1<br>
> #rightsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" target="_blank">http://192.168.0.0/24</a>><br>
> #rightnexthop=10.101.102.103<br>
> ## To authorize this connection, but not actually start it,<br>
<div>> ## at startup, uncomment this.<br>
> ##auto=add<br>
><br>
><br>
> conn telphin<br>
> left=1.1.1.123 # left for local<br>
</div>> leftsubnet=<a href="http://10.128.139.0/24" target="_blank">10.128.139.0/24</a> <<a href="http://10.128.139.0/24" target="_blank">http://10.128.139.0/24</a>><br>
<div>> leftnexthop=%defaultroute<br>
> right=2.2.2.2 # right for remote<br>
</div>> rightsubnet=<a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a> <<a href="http://10.128.0.0/24" target="_blank">http://10.128.0.0/24</a>><br>
<div>> rightnexthop=%defaultroute<br>
> type=tunnel<br>
> authby=secret<br>
> auto=start<br>
> auth=esp<br>
> keyexchange=ike<br>
> ike=3des-sha1-modp1024!<br>
> esp=3des-sha1!<br>
> pfs=yes<br>
><br>
> ipsec.conf end<br>
><br>
><br>
> status start<br>
><br>
> ipsec auto --status<br>
> 000 using kernel interface: netkey<br>
> 000 interface lo/lo ::1<br>
> 000 interface lo/lo 127.0.0.1<br>
> 000 interface eth0/eth0 1.1.1.123<br>
> 000 interface tun0/tun0 10.128.139.1<br>
> 000 %myid = (none)<br>
> 000 debug none<br>
> 000<br>
> 000 virtual_private (%priv):<br>
</div>> 000 - allowed 6 subnets: <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> <<a href="http://10.0.0.0/8" target="_blank">http://10.0.0.0/8</a>>, <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a><br>
> <<a href="http://192.168.0.0/16" target="_blank">http://192.168.0.0/16</a>>, <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> <<a href="http://172.16.0.0/12" target="_blank">http://172.16.0.0/12</a>>,<br>
> <a href="http://25.0.0.0/8" target="_blank">25.0.0.0/8</a> <<a href="http://25.0.0.0/8" target="_blank">http://25.0.0.0/8</a>>, fd00::/8, fe80::/10<br>
<div><div>> 000 - disallowed 0 subnets:<br>
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have<br>
> 000 private address space in internal use, it should be excluded!<br>
> 000<br>
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,<br>
> keysizemax=64<br>
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,<br>
> keysizemax=192<br>
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,<br>
> keysizemax=128<br>
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,<br>
> keysizemin=40, keysizemax=448<br>
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,<br>
> keysizemax=0<br>
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,<br>
> keysizemax=256<br>
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,<br>
> keysizemin=160, keysizemax=288<br>
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,<br>
> keysizemin=128, keysizemax=256<br>
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,<br>
> keysizemin=128, keysizemax=128<br>
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,<br>
> keysizemin=160, keysizemax=160<br>
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,<br>
> keysizemin=256, keysizemax=256<br>
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,<br>
> keysizemin=384, keysizemax=384<br>
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,<br>
> keysizemin=512, keysizemax=512<br>
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,<br>
> keysizemin=160, keysizemax=160<br>
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,<br>
> keysizemin=128, keysizemax=128<br>
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,<br>
> keysizemin=0, keysizemax=0<br>
> 000<br>
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131<br>
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,<br>
> keydeflen=192<br>
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,<br>
> keydeflen=128<br>
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>
> 000<br>
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}<br>
> trans={0,2,1536} attrs={0,2,2048}<br>
> 000<br>
> 000 "telphin": <a href="http://10.128.139.0/24===1.1.1.123" target="_blank">10.128.139.0/24===1.1.1.123</a><br>
</div></div>> <<a href="http://10.128.139.0/24===1.1.1.123" target="_blank">http://10.128.139.0/24===1.1.1.123</a>><1.1.1.123>---1.1.1.1...1.1.1.1---2.2.2.2<2.2.2.2>===<a href="http://10.128.0.0/24" target="_blank">10.128.0.0/24</a><br>
> <<a href="http://10.128.0.0/24" target="_blank">http://10.128.0.0/24</a>>; prospective erouted; eroute owner: #0<br>
<div><div>> 000 "telphin": myip=unset; hisip=unset;<br>
> 000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:<br>
> 540s; rekey_fuzz: 100%; keyingtries: 0<br>
> 000 "telphin": policy:<br>
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;<br>
> interface: eth0;<br>
> 000 "telphin": newest ISAKMP SA: #1; newest IPsec SA: #0;<br>
> 000 "telphin": IKE algorithms wanted:<br>
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict<br>
> 000 "telphin": IKE algorithms found:<br>
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br>
> 000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024<br>
> 000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;<br>
> flags=strict<br>
> 000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>
> 000<br>
> 000 #2: "telphin":500 STATE_QUICK_I1 (sent QI1, expecting QR1);<br>
> EVENT_RETRANSMIT in 33s; lastdpd=-1s(seq in:0 out:0); idle; import:admin<br>
> initiate<br>
> 000 #1: "telphin":500 STATE_MAIN_I4 (ISAKMP SA established);<br>
> EVENT_SA_REPLACE in 2792s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);<br>
> idle; import:admin initiate<br>
> 000<br>
><br>
> status end<br>
><br>
><br>
> log file start<br>
><br>
> Apr 15 18:34:38 vm12202 ipsec__plutorun: Starting Pluto subsystem...<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: Starting Pluto (Openswan Version<br>
> 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:4039<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: LEAK_DETECTIVE support [disabled]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: OCF support for IKE [disabled]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: SAref support [disabled]: Protocol<br>
> not available<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: SAbind support [disabled]: Protocol<br>
> not available<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: NSS support [disabled]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: HAVE_STATSD notification support<br>
> not compiled in<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: Setting NAT-Traversal port-4500<br>
> floating to off<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: port floating activation<br>
> criteria nat_t=0/port_float=1<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: NAT-Traversal support [disabled]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: using /dev/urandom as source of<br>
> random entropy<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> OAKLEY_AES_CBC: Ok (ret=0)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating<br>
> OAKLEY_SHA2_512: Ok (ret=0)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash(): Activating<br>
> OAKLEY_SHA2_256: Ok (ret=0)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: starting up 1 cryptographic helpers<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: started helper pid=4041 (fd:6)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: Using Linux 2.6 IPsec interface<br>
> code on 3.1.0-1.2-xen (experimental code)<br>
> Apr 15 18:34:38 vm12202 pluto[4041]: using /dev/urandom as source of<br>
> random entropy<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_ccm_8: Ok (ret=0)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type<br>
> '0', algo_id '0', Algorithm type already exists<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_ccm_12: FAILED (ret=-17)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type<br>
> '0', algo_id '0', Algorithm type already exists<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_ccm_16: FAILED (ret=-17)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type<br>
> '0', algo_id '0', Algorithm type already exists<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_gcm_8: FAILED (ret=-17)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type<br>
> '0', algo_id '0', Algorithm type already exists<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_gcm_12: FAILED (ret=-17)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type<br>
> '0', algo_id '0', Algorithm type already exists<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating<br>
> aes_gcm_16: FAILED (ret=-17)<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: added connection description "telphin"<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: listening for IKE messages<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: adding interface tun0/tun0<br>
</div></div>> <a href="http://10.128.139.1:500" target="_blank">10.128.139.1:500</a> <<a href="http://10.128.139.1:500" target="_blank">http://10.128.139.1:500</a>><br>
<div>> Apr 15 18:34:38 vm12202 pluto[4039]: adding interface eth0/eth0<br>
</div>> <a href="http://1.1.1.123:500" target="_blank">1.1.1.123:500</a> <<a href="http://1.1.1.123:500" target="_blank">http://1.1.1.123:500</a>><br>
<div>> Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo<br>
</div>> <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a> <<a href="http://127.0.0.1:500" target="_blank">http://127.0.0.1:500</a>><br>
<div><div>> Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo ::1:500<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: loading secrets from<br>
> "/etc/ipsec.secrets"<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating Main Mode<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state<br>
> STATE_MAIN_I1 to state STATE_MAIN_I2<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I2: sent<br>
> MI2, expecting MR2<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID<br>
> payload [Cisco-Unity]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID<br>
> payload [Dead Peer Detection]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring unknown<br>
> Vendor ID payload [24f71717df62d1ed92fbaa8e988a9af6]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID<br>
> payload [XAUTH]<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state<br>
> STATE_MAIN_I2 to state STATE_MAIN_I3<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I3: sent<br>
> MI3, expecting MR3<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: Main mode peer ID is<br>
> ID_IPV4_ADDR: '2.2.2.2'<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from state<br>
> STATE_MAIN_I3 to state STATE_MAIN_I4<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4: ISAKMP<br>
> SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192<br>
> prf=oakley_sha group=modp1024}<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick Mode<br>
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1<br>
> msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160<br>
> pfsgroup=OAKLEY_GROUP_MODP1024}<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring<br>
> informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>
> Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored<br>
> informational message<br>
><br>
> log file end<br>
><br>
><br>
</div></div><div><div>> _______________________________________________<br>
> <a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
> <a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
><br>
<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>