<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
code
{mso-style-priority:99;
font-family:"Courier New";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>Hi All,<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>We use a X509 PKI for authentication of our IPsec VPN's. We have a number of Cisco 2911's and 2811's using this authentication method (RSASIG) successfully. We wish to interface a OpenSWAN configuration to a Cisco 2911 however despite trying a number of configurations none appear to work.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>We have tested 2911 to 2911 successfully and then switched out a 2911 for a OpenSWAN instance with the following configuration:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'># /etc/ipsec.conf - Openswan IPsec configuration file<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>#<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'># Manual: ipsec.conf.5<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>#<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'># Please place your own config files in /etc/ipsec.d/ ending in .conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>version 2.0 # conforms to second version of ipsec.conf specification<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'># basic configuration<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>config setup<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> protostack=netkey<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> nat_traversal=yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'># plutodebug=all<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> oe=off<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>#Load ipsec VPNs for a diffrence location<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>include /etc/ipsec.d/*.conf<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>/etc/ipsec.d/vpn.conf<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>conn tunnelipsec<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> authby= rsasig<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> auto= start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> type= tunnel <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> #RRT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> left= 172.0.0.2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> leftid= "CN = gw.test1.org.uk"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> leftsubnets= 10.123.34.8/29,10.123.32.40/29,10.123.32.64/28<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> leftcert= cert1.dc <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> leftrsasigkey= %cert<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> leftsendcert= always<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> #SAA<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> right= 172.0.0.1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> rightid= "CN = gw.test2.org.uk"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> rightsubnet= 192.168.12.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> keyexchange= ike<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> ike= aes256-sha1;modp1536!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> #sha2_truncbug= yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> phase2= esp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> phase2alg= aes256-sha1!<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>/etc/ipsec.d/vpn.secrets<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>172.0.0.1 172.0.0.2: RSA cert1.dc <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>This configuration will not connection to the 2911 router and var log secure shows the following:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 ipsec__plutorun: Starting Pluto subsystem...<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: nss directory plutomain: /etc/ipsec.d<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: NSS Initialized<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:17666<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: LEAK_DETECTIVE support [disabled]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: OCF support for IKE [disabled]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: SAref support [disabled]: Protocol not available<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: SAbind support [disabled]: Protocol not available<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: NSS support [enabled]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: HAVE_STATSD notification support not compiled in<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Setting NAT-Traversal port-4500 floating to on<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: port floating activation criteria nat_t=1/port_float=1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: NAT-Traversal support [enabled]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: starting up 1 cryptographic helpers<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: started helper (thread) pid=139636807268096 (fd:10)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Using Linux 2.6 IPsec interface code on 2.6.32-279.el6.x86_64 (experimental code)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/cacerts'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loaded CA cert file 'cacert.pem' (1472 bytes)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/aacerts'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Changed path to directory '/etc/ipsec.d/ocspcerts'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Changing to directory '/etc/ipsec.d/crls'<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Warning: empty directory<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: | selinux support is enabled. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/1x0"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/2x0"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: Non-fips mode set in /proc/sys/crypto/fips_enabled<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loading certificate from gw.harcc.org.uk.dc <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: added connection description "tunnelipsec/3x0"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: listening for IKE messages<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: adding interface eth0/eth0 172.0.0.2:500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: adding interface eth0/eth0 172.0.0.2:4500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: adding interface lo/lo 127.0.0.1:500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: adding interface lo/lo 127.0.0.1:4500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loading secrets from "/etc/ipsec.secrets"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loading secrets from "/etc/ipsec.d/SSL.secrets"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: loaded private key for keyid: PPK_RSA:AwEAAeRSy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: initiating all conns with alias='tunnelipsec' <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: initiating Main Mode<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [RFC 3947] method set to=109 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: enabling possible NAT-traversal with method 4<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: STATE_MAIN_I2: sent MI2, expecting MR2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [Cisco-Unity]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: ignoring unknown Vendor ID payload [4f6fe869d5b9a2b9c45b7adfd1f01694]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: received Vendor ID payload [XAUTH]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: I am sending my cert<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: I am sending a certificate request<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:03 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: STATE_MAIN_I3: sent MI3, expecting MR3<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: shutting down<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: forgetting secrets<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/3x0": deleting connection<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/3x0" #1: deleting state (STATE_MAIN_I3)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/2x0": deleting connection<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>Dec 9 09:51:39 172-0-0-2 pluto[17666]: "tunnelipsec/1x0": deleting connection<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>2911 debug output shows:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP (0): received packet from 172.0.0.2 dport 500 sport 500 Global (N) NEW SA<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: Found a peer struct for 172.0.0.2, peer port 500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: Locking peer struct 0x3C7E38E4, refcount 9 for crypto_isakmp_process_block<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: local port 500, remote port 500<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 21D908D4<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing SA payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID is DPD<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP (0): vendor ID is NAT-T RFC 3947<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID is NAT-T v3<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID is NAT-T v2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP : Scanning profiles for xauth ...<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: life type in seconds<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: life duration (basic) of 3600<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: encryption AES-CBC<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: hash SHA<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: auth RSA sig<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: default group 5<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.243: ISAKMP: keylength of 256<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):atts are acceptable. Next payload is 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Acceptable atts:actual life: 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Acceptable atts:life: 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Basic life_in_seconds:3600<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Returning Actual lifetime: 3600<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0)::Started lifetime timer: 3600.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID is DPD<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP (0): vendor ID is NAT-T RFC 3947<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID is NAT-T v3<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID is NAT-T v2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): processing vendor id payload<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0): sending packet to 172.0.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Sending an IKE IPv4 Packet.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.247: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.251: ISAKMP (0): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_SA_SETUP<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.251: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.251: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.251: ISAKMP:(0): processing KE payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.315: ISAKMP:(0): processing NONCE payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:received payload type 20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP (1009): His hash no match - this node outside NAT<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:received payload type 20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP (1009): No NAT Found for self or peer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009):Old State = IKE_R_MM3 New State = IKE_R_MM3 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP (1009): constructing CERT_REQ for issuer e=helpdesk@test.com,cn=MasterCA,ou=test-ou,o=test-o,l=Glasgow,st=Scotland,c=UK<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009): sending packet to 172.0.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009):Sending an IKE IPv4 Packet.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.319: ISAKMP:(1009):Old State = IKE_R_MM3 New State = IKE_R_MM4 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009):Old State = IKE_R_MM4 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): processing ID payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP (1009): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> type : 9 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> Dist. name : cn=gw.test1.org.uk <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> protocol : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> port : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> length : 36<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): processing CERT payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): processing a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): peer's pubkey isn't cached<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.335: ISAKMP:(1009): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.343: ISAKMP:(1009): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.343: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: ID of cn=gw.test1.org.uk (type 9) and certificate DN with e=gw.test1.org.uk,cn=gw.test1.org.uk,ou=test-ou,o=test-o,l=Glasgow,st=Scotland,c=UK<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.343: ISAKMP:(1009): processing CERT_REQ payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.343: ISAKMP:(1009): peer wants a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>**** *Dec 9 09:41:09.343: ISAKMP:(1009): issuer not specified in cert request ***<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*** *Dec 9 09:41:09.343: ISAKMP:(1009): No issuer name in cert request .***<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.343: ISAKMP:(1009): processing SIG payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):SA authentication status:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> authenticated<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):SA has been authenticated with 172.0.0.2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 172.0.0.2)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*** *Dec 9 09:41:09.351: ISAKMP:(1009):Unable to get router cert or routerdoes not have a cert: needed to find DN! ***<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):SA is doing RSA signature authentication using id type ID_IPV4_ADDR<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP (1009): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> type : 1 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> address : 172.0.0.1 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> protocol : 17 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> port : 500 <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'> length : 12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):Total payload length: 12<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP (1009): no cert chain to send to peer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP (1009): peer did not specify issuer and no suitable profile found<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP (1009): FSM action returned error: 2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:09.351: ISAKMP:(1009):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:19.343: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:19.343: ISAKMP:(1009): phase 1 packet is a duplicate of a previous packet.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:19.343: ISAKMP:(1009): retransmitting due to retransmit phase 1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:19.343: ISAKMP:(1009): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:39.363: ISAKMP (1009): received packet from 172.0.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:39.363: ISAKMP:(1009): phase 1 packet is a duplicate of a previous packet.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:39.363: ISAKMP:(1009): retransmitting due to retransmit phase 1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB'>*Dec 9 09:41:39.363: ISAKMP:(1009): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>According to this, it would suggest that OpenSWAN is not sending the issuer of the certificate, and therefore the router cannot send the counter certificate back. Please Note the relevant sections are marked with ***<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>Any advice would be excellent.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>Thanks<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:12.0pt;font-family:"Times New Roman","serif";mso-fareast-language:EN-GB'>Joe.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-GB'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-GB'> Madden, Joe <br><b>Sent:</b> 05 December 2014 13:42<br><b>To:</b> 'users@lists.openswan.org'<br><b>Subject:</b> Issues with OpenSWAN / Cisco 2911 IOS 15 and Digital Certitifcates!<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Hi all,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Currently working on a project that requires a site to site VPN using. We have chosen to authentication using Digital Certificates (rsasig on cisco).<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Please see below for an outline of the cisco configuration:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto pki trustpoint ipsecvpn<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>enrollment terminal<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>fqdn gw.test.com<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>subject-name CN=gw.test.com,OU=TestOU,O=TestCompany,C=UK<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>revocation-check none<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>rsakeypair testrsapair<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto pki certificate chain testrsapair<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate 0A<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate hash here ###<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certificate ca 00E36E3DF10610AFEF<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>certitifcate hash here ###<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto isakmp policy 10<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>encr aes 256<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>group 5<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>lifetime 3600<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto ipsec transform-set IPSEC1 esp-aes 256 esp-sha-hmac<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>mode tunnel<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto map test1 10 ipsec-isakmp<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>set peer 10.67.0.2<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>set transform-set IPSEC1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>match address VPNTRAF1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>interface GigabitEthernet0/0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>ip address 10.67.0.1 255.255.255.0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>duplex auto<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>speed auto<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>crypto map test1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I used the enrol terminal to generate a CSR and sign it and subsequently imported it back into the router. I believe this site of things is setup correctly.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>IPsec config is as follows:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>conn tunnelipsec<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> authby= rsasig<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> auto= start<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type= tunnel <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> left= 10.67.0.2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftid= "C=UK, O=testo2, OU=ou2, CN=gw.test1.org.uk"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftsubnets= 10.123.34.8/29,10.123.32.40/29,10.123.32.64/28<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftcert= gw.test1.org.uk <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftrsasigkey= %cert<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> leftca= "/etc/ipsec.d/cacerts/masterca.pem"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>#<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> right= 10.67.0.1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightid= " OU=TestOU, O=TestCompany, C=UK, CN= gw.test.com "<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightsubnet= 192.168.12.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> rightca= "/etc/ipsec.d/cacerts/masterca.pem"<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> keyexchange= ike<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> ike= aes256-sha1;modp1536!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> #sha2_truncbug= yes<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> phase2= esp<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> phase2alg= aes256-sha1!<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>This configuration worked on Pre-Shared Keys however does not work when you introduce the certificate based authentication OpenSWAN does authenticate with the router but the router fails to find the correct certificates to return. The router logs output looks like this:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Dec 5 11:24:47.819: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044):Old State = IKE_R_MM4 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing ID payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP (1044): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type : 2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> FQDN name : gw.test1.org.uk<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> protocol : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> port : 0 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> length : 23<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing CERT payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): processing a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.819: ISAKMP:(1044): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): peer's pubkey isn't cached<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(0):: peer matches *none* of the profiles<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.823: ISAKMP:(1044): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): processing CERT_REQ payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): peer wants a CT_X509_SIGNATURE cert<o:p></o:p></span></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.831: ISAKMP:(1044): issuer not specified in cert request<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.831: ISAKMP:(1044): No issuer name in cert request.<o:p></o:p></span></b></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.831: ISAKMP:(1044): processing SIG payload. message ID = 0<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA authentication status:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> authenticated<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>The router then goes on to get its owner certificate at which point it fails:<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA has been authenticated with 10.67.0.2 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5 New State = IKE_R_MM5 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 10.67.0.2 )<o:p></o:p></span></p><p class=MsoNormal><b><span style='color:red'>*Dec 5 11:24:47.839: ISAKMP:(1044):Unable to get router cert or routerdoes not have a cert: needed to find DN!<o:p></o:p></span></b></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):SA is doing RSA signature authentication using id type ID_IPV4_ADDR<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): ID payload <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> next-payload : 6<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> type : 1 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> address : 10.67.0.1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> protocol : 17 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> port : 500 <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'> length : 12<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Total payload length: 12<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): no cert chain to send to peer<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): peer did not specify issuer and no suitable profile found<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP (1044): FSM action returned error: 2<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:47.839: ISAKMP:(1044):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP (1044): received packet from 10.67.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): phase 1 packet is a duplicate of a previous packet.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): retransmitting due to retransmit phase 1<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:24:57.831: ISAKMP:(1044): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node 1858511306<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node -560727786<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.703: ISAKMP:(1041):purging node 464479444<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>*Dec 5 11:25:02.707: ISAKMP: set new node 0 to QM_IDLE <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Does anyone know if there a way to force the Cisco to map the correct certificate or better if there is a way to tell OpenSWAN include the issuer in the request. I can confirm that the X509 certificates have both been signed by the same CA and therefore have issuer information within them.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Joe.<o:p></o:p></span></p></div></body></html>