[Openswan dev] 2.4.10rc1 behind NAT ID issue?

Paul Wouters paul at xelerance.com
Thu Nov 1 12:01:39 EDT 2007


It looks like our fix for the %any case might have confused our nat-t
handling:

104 "aivd-bofh" #14: STATE_MAIN_I1: initiate
003 "aivd-bofh" #14: ignoring unknown Vendor ID payload [4f456b6e7c7c426d757e706f]
003 "aivd-bofh" #14: received Vendor ID payload [Dead Peer Detection]
003 "aivd-bofh" #14: received Vendor ID payload [RFC 3947] method set to=111
106 "aivd-bofh" #14: STATE_MAIN_I2: sent MI2, expecting MR2
003 "aivd-bofh" #14: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
108 "aivd-bofh" #14: STATE_MAIN_I3: sent MI3, expecting MR3
004 "aivd-bofh" #14: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "aivd-bofh" #15: STATE_QUICK_I1: initiate
218 "aivd-bofh" #15: STATE_QUICK_I1: INVALID_ID_INFORMATION

This is with forceencaps=yes.
Without it, the conn establishes fine.
This is a simple rsa-rsa with leftid=/rightid= set to @me and @you.

"aivd-bofh" #13: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#12}
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 13
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #13
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
! helper 0 doing build_kenonce op id: 13
! Local DH secret:
!   eb 75 c8 44  37 49 ce 62  ce ec 09 a3  c8 13 06 ac
!   23 a6 b3 d6  1f f2 c6 ce  e4 d1 53 12  8d 7f 2d 5d
! Public DH value sent:
!   09 37 b7 50  3b 50 a8 05  81 8d 32 e3  4c b2 e0 b0
!   2b 5a 9b 67  c7 37 71 11  85 97 43 e7  97 51 c6 54
!   bb 89 95 cb  70 db 6a c6  da 2c 22 ee  34 54 b0 e8
!   15 5a b4 c0  fb b2 ae fb  cd 25 30 36  05 a0 ed f2
!   4c ee 9a 86  31 55 8e 72  f6 1d e9 e3  5f ae 76 de
!   e9 4b 88 84  bd b9 05 30  81 72 d5 0e  d2 5c cb c5
!   e3 cd a1 4e  fb c6 3f 0b  36 0a f7 b0  15 84 68 53
!   de 3a 00 28  8f c0 e7 cc  12 39 6d 84  18 2a a8 6c
!   dd ad 45 96  47 0e e6 ae  c6 e5 f1 6a  eb 98 1b 90
!   18 1b 3a 8e  58 a6 a3 0d  0b 82 d3 e7  7e 3e df 6f
!   b0 d4 25 2d  f4 e8 b4 b6  5d 9f 15 9d  a2 ae 92 fe
!   1c 9e 2b 89  93 1a 50 38  39 0d 06 09  58 81 c9 78
! Generated nonce:
!   09 41 c6 84  03 37 51 5a  1f 7c 4e 24  0a 9d 72 42
| helper 0 has work (cnt now 0)
| helper 0 replies to sequence 13
| calling callback function 0x420a30
| quick outI1: calculated ke+nonce, sending I1
| processing connection aivd-bofh
| **emit ISAKMP Message:
|    initiator cookie:
|   15 fb ce ef  07 19 f5 1e
|    responder cookie:
|   5e 6c 4b b3  b4 69 b4 e0
|    next payload type: ISAKMP_NEXT_HASH
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_QUICK
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  61 7c f6 c8
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_SA
| emitting 16 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| empty esp_info, returning empty
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_NONCE
|    DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1
| ****emit ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    proposal number: 0
|    protocol ID: PROTO_IPSEC_ESP
|    SPI size: 4
|    number of transforms: 4
| generate SPI:  62 4c 0c 48
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI  62 4c 0c 48
| *****emit ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 0
|    transform ID: ESP_AES
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: ENCAPSULATION_MODE
|    length/value: 3
|     [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_TYPE
|    length/value: 1
|     [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_DURATION
|    length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM
|    length/value: 2
|     [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 1
|    transform ID: ESP_AES
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: ENCAPSULATION_MODE
|    length/value: 3
|     [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_TYPE
|    length/value: 1
|     [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_DURATION
|    length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM
|    length/value: 1
|     [1 is AUTH_ALGORITHM_HMAC_MD5]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 2
|    transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: ENCAPSULATION_MODE
|    length/value: 3
|     [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_TYPE
|    length/value: 1
|     [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_DURATION
|    length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM
|    length/value: 2
|     [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_NONE
|    transform number: 3
|    transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: ENCAPSULATION_MODE
|    length/value: 3
|     [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_TYPE
|    length/value: 1
|     [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_DURATION
|    length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM
|    length/value: 1
|     [1 is AUTH_ALGORITHM_HMAC_MD5]
| emitting length of ISAKMP Transform Payload (ESP): 28
| emitting length of ISAKMP Proposal Payload: 124
| emitting length of ISAKMP Security Association Payload: 136
| ***emit ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_KE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni  09 41 c6 84  03 37 51 5a  1f 7c 4e 24  0a 9d 72 42
| emitting length of ISAKMP Nonce Payload: 20
| ***emit ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_ID
| emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
| keyex value  09 37 b7 50  3b 50 a8 05  81 8d 32 e3  4c b2 e0 b0
|   2b 5a 9b 67  c7 37 71 11  85 97 43 e7  97 51 c6 54
|   bb 89 95 cb  70 db 6a c6  da 2c 22 ee  34 54 b0 e8
|   15 5a b4 c0  fb b2 ae fb  cd 25 30 36  05 a0 ed f2
|   4c ee 9a 86  31 55 8e 72  f6 1d e9 e3  5f ae 76 de
|   e9 4b 88 84  bd b9 05 30  81 72 d5 0e  d2 5c cb c5
|   e3 cd a1 4e  fb c6 3f 0b  36 0a f7 b0  15 84 68 53
|   de 3a 00 28  8f c0 e7 cc  12 39 6d 84  18 2a a8 6c
|   dd ad 45 96  47 0e e6 ae  c6 e5 f1 6a  eb 98 1b 90
|   18 1b 3a 8e  58 a6 a3 0d  0b 82 d3 e7  7e 3e df 6f
|   b0 d4 25 2d  f4 e8 b4 b6  5d 9f 15 9d  a2 ae 92 fe
|   1c 9e 2b 89  93 1a 50 38  39 0d 06 09  58 81 c9 78
| emitting length of ISAKMP Key Exchange Payload: 196
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_ID
|    ID type: ID_IPV4_ADDR
|    Protocol ID: 0
|    port: 0
| emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
| client network  c1 6e 9d 11
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE
|    ID type: ID_IPV4_ADDR
|    Protocol ID: 0
|    port: 0
| emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
| client network  c1 6e 9d 83
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| HASH(1) computed:
|   94 10 35 68  c8 2e d9 86  cd 58 dd 22  b2 79 70 fb
| last Phase 1 IV:  dc a1 d3 97  5a 9b 28 76
| current Phase 1 IV:  dc a1 d3 97  5a 9b 28 76
| computed Phase 2 IV:
|   20 46 27 07  b1 c7 25 62  15 ea 28 0d  8a 93 c3 d3
| encrypting:
|   01 00 00 14  94 10 35 68  c8 2e d9 86  cd 58 dd 22
|   b2 79 70 fb  0a 00 00 88  00 00 00 01  00 00 00 01
|   00 00 00 7c  00 03 04 04  62 4c 0c 48  03 00 00 1c
|   00 0c 00 00  80 03 00 05  80 04 00 03  80 01 00 01
|   80 02 70 80  80 05 00 02  03 00 00 1c  01 0c 00 00
|   80 03 00 05  80 04 00 03  80 01 00 01  80 02 70 80
|   80 05 00 01  03 00 00 1c  02 03 00 00  80 03 00 05
|   80 04 00 03  80 01 00 01  80 02 70 80  80 05 00 02
|   00 00 00 1c  03 03 00 00  80 03 00 05  80 04 00 03
|   80 01 00 01  80 02 70 80  80 05 00 01  04 00 00 14
|   09 41 c6 84  03 37 51 5a  1f 7c 4e 24  0a 9d 72 42
|   05 00 00 c4  09 37 b7 50  3b 50 a8 05  81 8d 32 e3
|   4c b2 e0 b0  2b 5a 9b 67  c7 37 71 11  85 97 43 e7
|   97 51 c6 54  bb 89 95 cb  70 db 6a c6  da 2c 22 ee
|   34 54 b0 e8  15 5a b4 c0  fb b2 ae fb  cd 25 30 36
|   05 a0 ed f2  4c ee 9a 86  31 55 8e 72  f6 1d e9 e3
|   5f ae 76 de  e9 4b 88 84  bd b9 05 30  81 72 d5 0e
|   d2 5c cb c5  e3 cd a1 4e  fb c6 3f 0b  36 0a f7 b0
|   15 84 68 53  de 3a 00 28  8f c0 e7 cc  12 39 6d 84
|   18 2a a8 6c  dd ad 45 96  47 0e e6 ae  c6 e5 f1 6a
|   eb 98 1b 90  18 1b 3a 8e  58 a6 a3 0d  0b 82 d3 e7
|   7e 3e df 6f  b0 d4 25 2d  f4 e8 b4 b6  5d 9f 15 9d
|   a2 ae 92 fe  1c 9e 2b 89  93 1a 50 38  39 0d 06 09
|   58 81 c9 78  05 00 00 0c  01 00 00 00  c1 6e 9d 11
|   00 00 00 0c  01 00 00 00  c1 6e 9d 83
| IV:
|   20 46 27 07  b1 c7 25 62  15 ea 28 0d  8a 93 c3 d3
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting using OAKLEY_3DES_CBC
| next IV:  ab 3b 28 58  53 90 40 a8
| emitting length of ISAKMP Message: 428
| sending 428 bytes for quick_outI1 through eth0:4500 to 193.110.157.131:4500:
|   00 00 00 00  15 fb ce ef  07 19 f5 1e  5e 6c 4b b3
|   b4 69 b4 e0  08 10 20 01  61 7c f6 c8  00 00 01 ac
|   4d e6 f1 68  3b 3b 4d 89  ca 5c f9 cd  1b 4e 3f 39
|   d2 be 9b 7e  74 80 05 9d  7d a7 fb fb  6c 27 68 61
|   e5 d3 c0 b0  64 65 e2 42  77 03 a8 b9  1f 64 21 29
|   e3 23 2b b8  e0 56 3e cf  59 49 df 05  20 c3 1b 89
|   a9 bb 0c cd  93 1d 1d 27  21 37 28 97  b6 35 ad d4
|   dc b0 60 31  ad 66 25 3f  52 32 84 28  23 14 b3 19
|   99 a9 e2 21  2b 39 6b 74  d6 c8 9f eb  94 53 eb 0b
|   fe 3d 34 38  7b 16 43 c7  ec 60 94 ec  54 77 66 05
|   51 47 58 4a  ed 1d 08 38  af 73 53 12  03 af 7f e6
|   5d 6d 60 81  fa f6 3c 0f  e4 a5 dc b2  eb fb 68 60
|   3b 37 34 47  7b 7f df c9  a1 8f 5d f2  ad 40 5c 6b
|   96 43 21 e1  b1 53 79 43  64 c8 66 73  b2 76 7f d0
|   14 38 de 45  8b 41 ad 99  43 31 a7 8c  57 f0 a3 4f
|   9e 8a 81 c3  e1 0f 73 95  db 3d fd 54  a2 60 39 2e
|   1e fa 39 97  5f 44 20 fa  3d c7 3e 31  be 93 56 e3
|   cf 19 18 e2  7e ca cf d9  c8 18 d1 0a  59 37 5e e5
|   26 86 07 13  72 06 33 97  9d 1f 5d a5  3c ff a6 3e
|   4c cd f4 5a  4d 0c e4 aa  47 0d d7 fa  3e 8b cc e3
|   f2 54 58 30  a6 37 c3 34  07 08 28 d5  41 ce 28 92
|   19 cc 17 ce  bb b5 7f 3f  a6 1f b2 e8  67 42 0c 46
|   1b a3 a0 d9  35 7c 86 53  31 4a 4e 18  63 f6 bb 06
|   be 16 44 6f  2b 86 5a d1  1a 27 2c cd  cc ff 08 ad
|   e8 2a 89 67  0c 16 a1 33  e6 81 43 d2  5c 3b c8 b4
|   4c 38 4c aa  ab 8a b7 18  9f 2c 69 2a  1b 40 6d 75
|   86 86 94 66  b1 88 9e 19  ab 3b 28 58  53 90 40 a8
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #13
| next event EVENT_RETRANSMIT in 10 seconds for #13
|
| *received 340 bytes from 193.110.157.131:4500 on eth0 (port=4500)
|   15 fb ce ef  07 19 f5 1e  5e 6c 4b b3  b4 69 b4 e0
|   08 10 20 01  61 7c f6 c8  00 00 01 54  dc 14 e1 5c
|   6e 0e 25 51  25 35 80 1b  b1 bd 31 86  e2 f6 5e 4a
|   17 86 d2 85  d7 a3 d6 50  8c 14 e4 14  5b ee 66 06
|   78 3e 40 b7  fe e7 be 4f  78 09 5b f0  31 ea 53 0a
|   86 65 d6 8f  a1 9c 36 6c  e8 35 85 e8  41 c7 74 4e
|   ac c3 32 54  9c 32 7d ad  60 ea 1a 57  c1 1d 6c e0
|   d8 fb 3b 3d  66 f8 54 8a  42 ed 56 de  39 e3 3f 75
|   e6 9b 4b 7e  22 f5 b9 78  bb bc ef 14  90 4e 5a 1d
|   10 7d a1 36  19 79 3f da  73 c1 87 b4  d0 15 21 8f
|   54 d1 39 64  9c 11 94 ab  32 17 df ad  97 8d 05 4c
|   67 e6 c5 b0  d3 26 35 fb  41 9f 0b d7  6b 65 87 18
|   6e 91 29 6f  9e 0b e1 27  0e 46 13 df  ea bb 41 4c
|   6d 83 89 07  af 13 f4 3a  08 43 41 9b  30 d6 e2 b4
|   28 bb 15 40  bf b3 ec 82  d2 b3 98 94  21 eb 64 72
|   49 1e cd 5a  f4 30 5f d2  a4 fc 79 cf  4a a3 fb 79
|   e8 2e c1 83  2c d9 42 1e  e3 55 61 8d  32 66 41 e1
|   a0 82 0d a1  3f cd 20 74  ad ca fa 38  2a 7b 67 58
|   4b b4 07 b9  0a 2b ac da  9b 18 c0 01  35 9c ff 29
|   fc 3b 8f f0  d9 9b 18 83  fb 00 d3 62  6b 31 d3 a3
|   f4 79 e7 6b  05 9b d4 be  ad 46 5c fd  50 fc c0 13
|   c1 52 e2 96
| **parse ISAKMP Message:
|    initiator cookie:
|   15 fb ce ef  07 19 f5 1e
|    responder cookie:
|   5e 6c 4b b3  b4 69 b4 e0
|    next payload type: ISAKMP_NEXT_HASH
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_QUICK
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  61 7c f6 c8
|    length: 340
|  processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE:  15 fb ce ef  07 19 f5 1e
| RCOOKIE:  5e 6c 4b b3  b4 69 b4 e0
| peer:  c1 6e 9d 83
| state hash entry 8
| peer and cookies match on #13, provided msgid 617cf6c8 vs 617cf6c8
| state object #13 found, in STATE_QUICK_I1
| processing connection aivd-bofh
| received encrypted packet from 193.110.157.131:4500
| decrypting 312 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
|   01 00 00 14  46 d6 ff fe  24 54 60 60  7e c4 09 f1
|   8b d4 83 9a  0a 00 00 34  00 00 00 01  00 00 00 01
|   00 00 00 28  00 03 04 01  a9 d9 d0 9f  00 00 00 1c
|   00 0c 00 00  80 03 00 05  80 04 00 03  80 01 00 01
|   80 02 70 80  80 05 00 02  04 00 00 14  08 2f c0 41
|   fc 7d 87 3c  8d 32 07 fa  bd d0 2e 49  05 00 00 c4
|   db 10 44 84  0b b0 b7 7a  e0 4a 48 7e  1c 78 a3 8b
|   00 71 b5 aa  54 0c 0e f0  e4 4c f1 28  dd 08 af ef
|   f4 80 cf 61  0c a5 01 f9  99 08 f3 30  4a 14 e5 f8
|   a1 35 9e 98  03 97 50 25  19 f1 01 58  32 d5 b3 9f
|   40 8d 15 e0  db 78 10 39  a5 f2 d4 9a  1b bf 1b df
|   72 9a 80 20  86 55 42 33  d9 42 6c 6a  22 37 bd 50
|   f2 f7 74 70  7f 39 be 5b  2d 5c 54 60  26 e5 77 b6
|   95 10 9a c8  4d bc d4 75  99 a9 aa 1d  38 ed c3 81
|   72 c1 71 9a  fd 71 da ca  d8 81 d8 58  43 be 5f 3b
|   a0 83 1f 86  9a 52 ef 1b  d5 e2 90 a5  c7 e4 19 e2
|   c0 f9 27 78  33 9d 17 0b  bf 37 ef e9  9f 88 34 2b
|   20 cb 26 b6  b3 8e 12 4e  2e cb 44 53  00 5c ee 59
|   05 00 00 0c  01 00 00 00  c1 6e 9d 11  00 00 00 0c
|   01 00 00 00  c1 6e 9d 83
| next IV:  50 fc c0 13  c1 52 e2 96
| np=8 and sd=0x496bf0
| ***parse ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_SA
|    length: 20
| np=1 and sd=0x496a70
| ***parse ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_NONCE
|    length: 52
|    DOI: ISAKMP_DOI_IPSEC
| np=10 and sd=0x496c30
| ***parse ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_KE
|    length: 20
| np=4 and sd=0x496b50
| ***parse ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_ID
|    length: 196
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_ID
|    length: 12
|    ID type: ID_IPV4_ADDR
|    Protocol ID: 0
|    port: 0
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_NONE
|    length: 12
|    ID type: ID_IPV4_ADDR
|    Protocol ID: 0
|    port: 0
| **emit ISAKMP Message:
|    initiator cookie:
|   15 fb ce ef  07 19 f5 1e
|    responder cookie:
|   5e 6c 4b b3  b4 69 b4 e0
|    next payload type: ISAKMP_NEXT_HASH
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_QUICK
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  61 7c f6 c8
| HASH(2) computed:
|   46 d6 ff fe  24 54 60 60  7e c4 09 f1  8b d4 83 9a
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 40
|    proposal number: 0
|    protocol ID: PROTO_IPSEC_ESP
|    SPI size: 4
|    number of transforms: 1
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI  a9 d9 d0 9f
| *****parse ISAKMP Transform Payload (ESP):
|    next payload type: ISAKMP_NEXT_NONE
|    length: 28
|    transform number: 0
|    transform ID: ESP_AES
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: GROUP_DESCRIPTION
|    length/value: 5
|    [5 is OAKLEY_GROUP_MODP1536]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: ENCAPSULATION_MODE
|    length/value: 3
|    [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_TYPE
|    length/value: 1
|    [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: SA_LIFE_DURATION
|    length/value: 28800
| ******parse ISAKMP IPsec DOI attribute:
|    af+type: AUTH_ALGORITHM
|    length/value: 2
|    [2 is AUTH_ALGORITHM_HMAC_SHA1]
| DH public value received:
|   db 10 44 84  0b b0 b7 7a  e0 4a 48 7e  1c 78 a3 8b
|   00 71 b5 aa  54 0c 0e f0  e4 4c f1 28  dd 08 af ef
|   f4 80 cf 61  0c a5 01 f9  99 08 f3 30  4a 14 e5 f8
|   a1 35 9e 98  03 97 50 25  19 f1 01 58  32 d5 b3 9f
|   40 8d 15 e0  db 78 10 39  a5 f2 d4 9a  1b bf 1b df
|   72 9a 80 20  86 55 42 33  d9 42 6c 6a  22 37 bd 50
|   f2 f7 74 70  7f 39 be 5b  2d 5c 54 60  26 e5 77 b6
|   95 10 9a c8  4d bc d4 75  99 a9 aa 1d  38 ed c3 81
|   72 c1 71 9a  fd 71 da ca  d8 81 d8 58  43 be 5f 3b
|   a0 83 1f 86  9a 52 ef 1b  d5 e2 90 a5  c7 e4 19 e2
|   c0 f9 27 78  33 9d 17 0b  bf 37 ef e9  9f 88 34 2b
|   20 cb 26 b6  b3 8e 12 4e  2e cb 44 53  00 5c ee 59
| started looking for secret for @you->@me of kind PPK_PSK
| actually looking for secret for @you->@me of kind PPK_PSK
| 1: compared PSK 74.93.91.193 to @you / @me -> 0
| 2: compared PSK 76.10.144.1 to @you / @me -> 0
| 1: compared PSK @CT-CHI-SRV001.cititechs.com to @you / @me -> 0
| 2: compared PSK 76.10.144.1 to @you / @me -> 0
| concluding with best_match=0 best=(nil) (lineno=-1)
| calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1536): 928 usec
| DH shared secret:
|   82 0b 55 68  bb c2 b4 46  9c fc 3b 08  3a 37 c0 03
|   80 80 4d 83  cc cb 93 74  f0 d6 73 2d  f9 af e9 f0
|   94 15 23 36  72 e1 4a 2d  d4 12 d8 0a  5c 7e 62 d8
|   be 0c 28 71  46 cf 58 c2  b5 f3 2f dc  d5 b4 af b8
|   fd 18 23 fb  48 ee 90 c9  0f 41 e4 b7  28 a2 9d 7c
|   93 79 98 37  7f 14 32 2e  6c e5 25 72  df 45 73 45
|   40 f7 da 95  e0 8e 92 7c  8e f5 d7 85  29 96 f1 96
|   bc d3 17 0e  b5 39 f5 96  1a 3b 24 d6  42 3f a3 5b
|   d6 ec 33 ff  54 92 9b 1d  e2 4d 50 32  01 af 93 6b
|   84 a5 9a b7  9e b6 81 8b  5d 67 ba bc  a5 6b 5a c7
|   f8 11 bb 46  90 f6 51 c3  e0 86 a2 46  41 bc 62 e8
|   6e 24 51 d1  b2 c6 f4 f3  8d ef ae 53  80 1c d5 57
| our client is 193.110.157.17
| our client protocol/port is 0/0
| complete state transition with (null)
"aivd-bofh" #13: sending encrypted notification INVALID_ID_INFORMATION to 193.110.157.131:4500
| **emit ISAKMP Message:
|    initiator cookie:
|   15 fb ce ef  07 19 f5 1e
|    responder cookie:
|   5e 6c 4b b3  b4 69 b4 e0
|    next payload type: ISAKMP_NEXT_HASH
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_INFO
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  f8 ef ca 45
| ***emit ISAKMP Hash Payload:
|    next payload type: ISAKMP_NEXT_N
| emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| ***emit ISAKMP Notification Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    DOI: ISAKMP_DOI_IPSEC
|    protocol ID: 1
|    SPI size: 0
|    Notify Message Type: INVALID_ID_INFORMATION
| emitting length of ISAKMP Notification Payload: 12
| HASH(1) computed:
|   3b 48 7b 98  82 bd ae db  af 31 67 43  32 18 bc da
| last Phase 1 IV:  dc a1 d3 97  5a 9b 28 76
| current Phase 1 IV:  dc a1 d3 97  5a 9b 28 76
| computed Phase 2 IV:
|   0a 25 a6 20  95 e6 fb 5a  b1 c1 e7 c2  83 db 04 37
| encrypting:
|   0b 00 00 14  3b 48 7b 98  82 bd ae db  af 31 67 43
|   32 18 bc da  00 00 00 0c  00 00 00 01  01 00 00 12
| IV:
|   0a 25 a6 20  95 e6 fb 5a  b1 c1 e7 c2  83 db 04 37
| encrypting using OAKLEY_3DES_CBC
| next IV:  90 79 97 cc  a7 ce bc c8
| emitting length of ISAKMP Message: 60
| sending 60 bytes for notification packet through eth0:4500 to 193.110.157.131:4500:
|   00 00 00 00  15 fb ce ef  07 19 f5 1e  5e 6c 4b b3
|   b4 69 b4 e0  08 10 05 01  f8 ef ca 45  00 00 00 3c
|   4f df d1 93  56 b5 12 9b  6f a5 da 23  b1 bc 8b 05
|   d1 29 6d c6  10 e0 4a da  90 79 97 cc  a7 ce bc c8
| state transition function for STATE_QUICK_I1 failed: INVALID_ID_INFORMATION
| deleting state #13
| processing connection aivd-bofh
| no suspended cryptographic state for 13
| ICOOKIE:  15 fb ce ef  07 19 f5 1e
| RCOOKIE:  5e 6c 4b b3  b4 69 b4 e0
| peer:  c1 6e 9d 83
| state hash entry 8
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds

[root at bofh openswan-2]# fg
tail -f /tmp/openswan.log
|
| *received 340 bytes from 193.110.157.131:4500 on eth0 (port=4500)
|   34 26 58 89  33 df e7 9c  53 81 5a e9  61 95 1f 6a
|   08 10 20 01  38 43 a4 86  00 00 01 54  36 fa b9 39
|   c0 46 2e 49  1f 53 fc 63  a6 1d 42 5b  f8 e3 fc 71
|   6d da 19 db  46 0b 41 ec  3e 39 55 25  bf e6 00 85
|   b9 22 ad 7d  ca 76 01 06  ab 0c 24 4a  5d f5 f0 ab
|   dd 58 41 6d  6e e8 cd f5  aa 95 4b 61  86 6d e8 1f
|   e0 fa 68 7b  71 23 c6 e0  cb d1 fd f0  bc 41 ea 40
|   8a c0 c4 18  e8 4e 8a f6  b9 8c 7c 02  75 65 f1 79
|   35 b0 15 85  d2 28 fa 62  b2 82 a2 6c  4e 58 f7 ff
|   fa 6c b3 e2  9a b5 9d 14  15 d0 12 0b  f8 d2 45 1e
|   78 19 01 8c  d5 7f 5d 93  5b 61 39 1c  b2 4c e8 b6
|   42 d1 fd 41  2a 44 b8 ab  4c 7c ca 7e  e6 fb bb 8d
|   65 cb 21 52  93 e2 c0 57  8d ac 56 11  cd db f4 9c
|   72 83 b2 02  e9 77 ab df  35 32 b7 c7  29 81 a7 86
|   61 74 9f b2  f3 e9 4d 90  88 d3 dd 45  8c 4a 4d ab
|   53 54 93 79  f9 90 fe 7f  89 47 c7 42  e5 99 95 f6
|   7c 98 43 8b  af 5b 17 33  3d 34 61 7d  69 91 62 5b
|   4c eb ee 1e  6a da 33 0d  49 6a e9 81  f6 c5 0e 4a
|   77 de 83 6c  c8 82 44 f1  40 74 79 f8  f7 52 ad 47
|   b1 98 36 1d  4e 15 54 65  31 4f ce 90  8e ce 4f b4
|   b3 97 3b 8d  8b c7 10 17  58 01 aa 44  35 10 8a 01
|   ce 93 4a 45
| **parse ISAKMP Message:
|    initiator cookie:
|   34 26 58 89  33 df e7 9c
|    responder cookie:
|   53 81 5a e9  61 95 1f 6a
|    next payload type: ISAKMP_NEXT_HASH
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_QUICK
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  38 43 a4 86
|    length: 340
|  processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE:  34 26 58 89  33 df e7 9c
| RCOOKIE:  53 81 5a e9  61 95 1f 6a
| peer:  c1 6e 9d 83
| state hash entry 23
| state object not found
| ICOOKIE:  34 26 58 89  33 df e7 9c
| RCOOKIE:  53 81 5a e9  61 95 1f 6a
| peer:  c1 6e 9d 83
| state hash entry 23
| state object not found
packet from 193.110.157.131:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
| next event EVENT_NAT_T_KEEPALIVE in 13 seconds

[root at bofh openswan-2]#



-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
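The decrypted Quick Mode reply in the log above, decoded by an added helper that is not pluto code and not part of the original post: it walks the ISAKMP payload chain from the bytes pluto prints after "decrypted:", decodes the SA proposal attributes and the IDci/IDcr identification payloads, and checks every length against the buffer so a mis-copied dump raises instead of being misread. Payload layouts follow RFC 2408 and RFC 2407; the NAT-T encapsulation values follow RFC 3947. The byte string is the 312-byte dump copied from the log (HASH(2), SA, Nonce, KE, IDci, IDcr); FIRST_PAYLOAD mirrors the header's "next payload type: ISAKMP_NEXT_HASH" line; the function and constant names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# Added diagnostic helper, not pluto code: decodes the dump pluto prints after
# "decrypted:" so IDci/IDcr and the ESP encapsulation mode can be read off without
# counting bytes.  Layouts: RFC 2408 3.2/3.3, RFC 2407 4.5/4.6.2, RFC 3947 (UDP modes).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET"}
ATTR_NAMES = {1: "SA_LIFE_TYPE", 2: "SA_LIFE_DURATION", 3: "GROUP_DESCRIPTION",
              4: "ENCAPSULATION_MODE", 5: "AUTH_ALGORITHM"}
ENCAP_MODES = {1: "TUNNEL", 2: "TRANSPORT", 3: "UDP_TUNNEL", 4: "UDP_TRANSPORT"}

FIRST_PAYLOAD = 8  # the ISAKMP header in the log says "next payload type: ISAKMP_NEXT_HASH"
# The 312-byte "decrypted:" dump of the responder's Quick Mode reply, copied from the
# log above (HASH(2), SA, Nonce, KE, IDci, IDcr), 32 bytes per line.
QUICK_R1_HEX = """
01000014 46d6fffe 24546060 7ec409f1 8bd4839a 0a000034 00000001 00000001
00000028 00030401 a9d9d09f 0000001c 000c0000 80030005 80040003 80010001
80027080 80050002 04000014 082fc041 fc7d873c 8d3207fa bdd02e49 050000c4
db104484 0bb0b77a e04a487e 1c78a38b 0071b5aa 540c0ef0 e44cf128 dd08afef
f480cf61 0ca501f9 9908f330 4a14e5f8 a1359e98 03975025 19f10158 32d5b39f
408d15e0 db781039 a5f2d49a 1bbf1bdf 729a8020 86554233 d9426c6a 2237bd50
f2f77470 7f39be5b 2d5c5460 26e577b6 95109ac8 4dbcd475 99a9aa1d 38edc381
72c1719a fd71daca d881d858 43be5f3b a0831f86 9a52ef1b d5e290a5 c7e419e2
c0f92778 339d170b bf37efe9 9f88342b 20cb26b6 b38e124e 2ecb4453 005cee59
0500000c 01000000 c16e9d11 0000000c 01000000 c16e9d83
"""

def parse_attributes(buf):
    """Data attributes: AF bit set means a 2-byte value (TV), clear means TLV."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        af_type, lv = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if af_type & 0x8000:                 # TV: the value is the 2 bytes just read
            value = lv
        else:                                # TLV: lv is a length, value bytes follow
            value, off = int.from_bytes(buf[off:off + lv], "big"), off + lv
        name = ATTR_NAMES.get(af_type & 0x7FFF, af_type & 0x7FFF)
        attrs[name] = ENCAP_MODES.get(value, value) if name == "ENCAPSULATION_MODE" else value
    return attrs

def parse_sa(body):
    """SA payload body: DOI, SIT, then proposal(s) each carrying transform(s)."""
    doi, sit = struct.unpack("!II", body[:8])
    proposals, off = [], 8
    while off < len(body):
        _np, _r, plen, pnum, proto, spi_len, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        transforms, toff = [], off + 8 + spi_len
        for _ in range(ntrans):
            _np, _r, tlen, tnum, tid, _r2 = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append({"num": tnum, "id": tid,
                               "attrs": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"num": pnum, "proto": proto, "transforms": transforms,
                          "spi": body[off + 8:off + 8 + spi_len].hex()})
        off += plen
    return {"doi": doi, "sit": sit, "proposals": proposals}

def parse_id(body):
    """IPsec DOI Identification payload body: type, protocol, port, identity."""
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    ident = str(IPv4Address(body[4:8])) if id_type == 1 and len(body) == 8 else body[4:].hex()
    return {"id_type": ID_TYPES.get(id_type, id_type), "proto": proto, "port": port, "id": ident}

def parse_payloads(data, first_type):
    """Walk the payload chain, checking every length against the buffer so a
    truncated or mis-copied dump raises instead of being silently misread."""
    chain, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _res, length = struct.unpack("!BBH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        body = data[off + 4:off + length]
        if ptype == 1:
            decoded = parse_sa(body)
        elif ptype == 5:
            decoded = parse_id(body)
        else:
            decoded = {"len": len(body)}   # HASH, Nonce, KE: only the size matters here
        chain.append((PAYLOAD_NAMES.get(ptype, "type%d" % ptype), decoded))
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("%d trailing bytes after the last payload" % (len(data) - off))
    return chain

def summarize(hexdump, first_type=FIRST_PAYLOAD):
    """Return the payload order, IDci/IDcr and the first transform's encapsulation mode."""
    chain = parse_payloads(bytes.fromhex(hexdump), first_type)
    ids = [body for name, body in chain if name == "ID"]
    if len(ids) != 2:
        raise ValueError("expected IDci and IDcr, found %d ID payloads" % len(ids))
    sa = next(body for name, body in chain if name == "SA")
    return {"payloads": [name for name, _ in chain], "idci": ids[0], "idcr": ids[1],
            "encapsulation": sa["proposals"][0]["transforms"][0]["attrs"]["ENCAPSULATION_MODE"]}

if __name__ == "__main__":
    for key, value in summarize(QUICK_R1_HEX).items():
        print("%-13s %s" % (key, value))
```

Run against the dump, it reports the chain HASH, SA, NONCE, KE, ID, ID, both identities as ID_IPV4_ADDR with protocol/port 0 for 193.110.157.17 and 193.110.157.131, and ENCAPSULATION_MODE UDP_TUNNEL, which agrees with pluto's own decode in the log; that is the first thing worth confirming when a Quick Mode exchange ends in INVALID_ID_INFORMATION, because it separates an ID-value mismatch from a state-machine rejection of IDs that look correct.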

