[Openswan dev] 2.4.10rc1 behind NAT ID issue?
Paul Wouters
paul at xelerance.com
Thu Nov 1 12:01:39 EDT 2007
It looks like our fix for the %any case might have confused our nat-t
handling:
104 "aivd-bofh" #14: STATE_MAIN_I1: initiate
003 "aivd-bofh" #14: ignoring unknown Vendor ID payload [4f456b6e7c7c426d757e706f]
003 "aivd-bofh" #14: received Vendor ID payload [Dead Peer Detection]
003 "aivd-bofh" #14: received Vendor ID payload [RFC 3947] method set to=111
106 "aivd-bofh" #14: STATE_MAIN_I2: sent MI2, expecting MR2
003 "aivd-bofh" #14: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
108 "aivd-bofh" #14: STATE_MAIN_I3: sent MI3, expecting MR3
004 "aivd-bofh" #14: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "aivd-bofh" #15: STATE_QUICK_I1: initiate
218 "aivd-bofh" #15: STATE_QUICK_I1: INVALID_ID_INFORMATION
This is with forceencaps=yes.
Without it, the conn establishes fine.
This is a simple rsa-rsa with leftid=/rightid= set to @me and @you.
"aivd-bofh" #13: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#12}
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 13
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #13
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
! helper 0 doing build_kenonce op id: 13
! Local DH secret:
! eb 75 c8 44 37 49 ce 62 ce ec 09 a3 c8 13 06 ac
! 23 a6 b3 d6 1f f2 c6 ce e4 d1 53 12 8d 7f 2d 5d
! Public DH value sent:
! 09 37 b7 50 3b 50 a8 05 81 8d 32 e3 4c b2 e0 b0
! 2b 5a 9b 67 c7 37 71 11 85 97 43 e7 97 51 c6 54
! bb 89 95 cb 70 db 6a c6 da 2c 22 ee 34 54 b0 e8
! 15 5a b4 c0 fb b2 ae fb cd 25 30 36 05 a0 ed f2
! 4c ee 9a 86 31 55 8e 72 f6 1d e9 e3 5f ae 76 de
! e9 4b 88 84 bd b9 05 30 81 72 d5 0e d2 5c cb c5
! e3 cd a1 4e fb c6 3f 0b 36 0a f7 b0 15 84 68 53
! de 3a 00 28 8f c0 e7 cc 12 39 6d 84 18 2a a8 6c
! dd ad 45 96 47 0e e6 ae c6 e5 f1 6a eb 98 1b 90
! 18 1b 3a 8e 58 a6 a3 0d 0b 82 d3 e7 7e 3e df 6f
! b0 d4 25 2d f4 e8 b4 b6 5d 9f 15 9d a2 ae 92 fe
! 1c 9e 2b 89 93 1a 50 38 39 0d 06 09 58 81 c9 78
! Generated nonce:
! 09 41 c6 84 03 37 51 5a 1f 7c 4e 24 0a 9d 72 42
| helper 0 has work (cnt now 0)
| helper 0 replies to sequence 13
| calling callback function 0x420a30
| quick outI1: calculated ke+nonce, sending I1
| processing connection aivd-bofh
| **emit ISAKMP Message:
| initiator cookie:
| 15 fb ce ef 07 19 f5 1e
| responder cookie:
| 5e 6c 4b b3 b4 69 b4 e0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 61 7c f6 c8
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| emitting 16 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| empty esp_info, returning empty
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 4
| generate SPI: 62 4c 0c 48
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI 62 4c 0c 48
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_T
| transform number: 0
| transform ID: ESP_AES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 5
| [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 3
| [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_T
| transform number: 1
| transform ID: ESP_AES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 5
| [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 3
| [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 1
| [1 is AUTH_ALGORITHM_HMAC_MD5]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_T
| transform number: 2
| transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 5
| [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 3
| [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 3
| transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 5
| [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 3
| [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 1
| [1 is AUTH_ALGORITHM_HMAC_MD5]
| emitting length of ISAKMP Transform Payload (ESP): 28
| emitting length of ISAKMP Proposal Payload: 124
| emitting length of ISAKMP Security Association Payload: 136
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 09 41 c6 84 03 37 51 5a 1f 7c 4e 24 0a 9d 72 42
| emitting length of ISAKMP Nonce Payload: 20
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_ID
| emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
| keyex value 09 37 b7 50 3b 50 a8 05 81 8d 32 e3 4c b2 e0 b0
| 2b 5a 9b 67 c7 37 71 11 85 97 43 e7 97 51 c6 54
| bb 89 95 cb 70 db 6a c6 da 2c 22 ee 34 54 b0 e8
| 15 5a b4 c0 fb b2 ae fb cd 25 30 36 05 a0 ed f2
| 4c ee 9a 86 31 55 8e 72 f6 1d e9 e3 5f ae 76 de
| e9 4b 88 84 bd b9 05 30 81 72 d5 0e d2 5c cb c5
| e3 cd a1 4e fb c6 3f 0b 36 0a f7 b0 15 84 68 53
| de 3a 00 28 8f c0 e7 cc 12 39 6d 84 18 2a a8 6c
| dd ad 45 96 47 0e e6 ae c6 e5 f1 6a eb 98 1b 90
| 18 1b 3a 8e 58 a6 a3 0d 0b 82 d3 e7 7e 3e df 6f
| b0 d4 25 2d f4 e8 b4 b6 5d 9f 15 9d a2 ae 92 fe
| 1c 9e 2b 89 93 1a 50 38 39 0d 06 09 58 81 c9 78
| emitting length of ISAKMP Key Exchange Payload: 196
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_ID
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
| client network c1 6e 9d 11
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_NONE
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
| client network c1 6e 9d 83
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| HASH(1) computed:
| 94 10 35 68 c8 2e d9 86 cd 58 dd 22 b2 79 70 fb
| last Phase 1 IV: dc a1 d3 97 5a 9b 28 76
| current Phase 1 IV: dc a1 d3 97 5a 9b 28 76
| computed Phase 2 IV:
| 20 46 27 07 b1 c7 25 62 15 ea 28 0d 8a 93 c3 d3
| encrypting:
| 01 00 00 14 94 10 35 68 c8 2e d9 86 cd 58 dd 22
| b2 79 70 fb 0a 00 00 88 00 00 00 01 00 00 00 01
| 00 00 00 7c 00 03 04 04 62 4c 0c 48 03 00 00 1c
| 00 0c 00 00 80 03 00 05 80 04 00 03 80 01 00 01
| 80 02 70 80 80 05 00 02 03 00 00 1c 01 0c 00 00
| 80 03 00 05 80 04 00 03 80 01 00 01 80 02 70 80
| 80 05 00 01 03 00 00 1c 02 03 00 00 80 03 00 05
| 80 04 00 03 80 01 00 01 80 02 70 80 80 05 00 02
| 00 00 00 1c 03 03 00 00 80 03 00 05 80 04 00 03
| 80 01 00 01 80 02 70 80 80 05 00 01 04 00 00 14
| 09 41 c6 84 03 37 51 5a 1f 7c 4e 24 0a 9d 72 42
| 05 00 00 c4 09 37 b7 50 3b 50 a8 05 81 8d 32 e3
| 4c b2 e0 b0 2b 5a 9b 67 c7 37 71 11 85 97 43 e7
| 97 51 c6 54 bb 89 95 cb 70 db 6a c6 da 2c 22 ee
| 34 54 b0 e8 15 5a b4 c0 fb b2 ae fb cd 25 30 36
| 05 a0 ed f2 4c ee 9a 86 31 55 8e 72 f6 1d e9 e3
| 5f ae 76 de e9 4b 88 84 bd b9 05 30 81 72 d5 0e
| d2 5c cb c5 e3 cd a1 4e fb c6 3f 0b 36 0a f7 b0
| 15 84 68 53 de 3a 00 28 8f c0 e7 cc 12 39 6d 84
| 18 2a a8 6c dd ad 45 96 47 0e e6 ae c6 e5 f1 6a
| eb 98 1b 90 18 1b 3a 8e 58 a6 a3 0d 0b 82 d3 e7
| 7e 3e df 6f b0 d4 25 2d f4 e8 b4 b6 5d 9f 15 9d
| a2 ae 92 fe 1c 9e 2b 89 93 1a 50 38 39 0d 06 09
| 58 81 c9 78 05 00 00 0c 01 00 00 00 c1 6e 9d 11
| 00 00 00 0c 01 00 00 00 c1 6e 9d 83
| IV:
| 20 46 27 07 b1 c7 25 62 15 ea 28 0d 8a 93 c3 d3
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting using OAKLEY_3DES_CBC
| next IV: ab 3b 28 58 53 90 40 a8
| emitting length of ISAKMP Message: 428
| sending 428 bytes for quick_outI1 through eth0:4500 to 193.110.157.131:4500:
| 00 00 00 00 15 fb ce ef 07 19 f5 1e 5e 6c 4b b3
| b4 69 b4 e0 08 10 20 01 61 7c f6 c8 00 00 01 ac
| 4d e6 f1 68 3b 3b 4d 89 ca 5c f9 cd 1b 4e 3f 39
| d2 be 9b 7e 74 80 05 9d 7d a7 fb fb 6c 27 68 61
| e5 d3 c0 b0 64 65 e2 42 77 03 a8 b9 1f 64 21 29
| e3 23 2b b8 e0 56 3e cf 59 49 df 05 20 c3 1b 89
| a9 bb 0c cd 93 1d 1d 27 21 37 28 97 b6 35 ad d4
| dc b0 60 31 ad 66 25 3f 52 32 84 28 23 14 b3 19
| 99 a9 e2 21 2b 39 6b 74 d6 c8 9f eb 94 53 eb 0b
| fe 3d 34 38 7b 16 43 c7 ec 60 94 ec 54 77 66 05
| 51 47 58 4a ed 1d 08 38 af 73 53 12 03 af 7f e6
| 5d 6d 60 81 fa f6 3c 0f e4 a5 dc b2 eb fb 68 60
| 3b 37 34 47 7b 7f df c9 a1 8f 5d f2 ad 40 5c 6b
| 96 43 21 e1 b1 53 79 43 64 c8 66 73 b2 76 7f d0
| 14 38 de 45 8b 41 ad 99 43 31 a7 8c 57 f0 a3 4f
| 9e 8a 81 c3 e1 0f 73 95 db 3d fd 54 a2 60 39 2e
| 1e fa 39 97 5f 44 20 fa 3d c7 3e 31 be 93 56 e3
| cf 19 18 e2 7e ca cf d9 c8 18 d1 0a 59 37 5e e5
| 26 86 07 13 72 06 33 97 9d 1f 5d a5 3c ff a6 3e
| 4c cd f4 5a 4d 0c e4 aa 47 0d d7 fa 3e 8b cc e3
| f2 54 58 30 a6 37 c3 34 07 08 28 d5 41 ce 28 92
| 19 cc 17 ce bb b5 7f 3f a6 1f b2 e8 67 42 0c 46
| 1b a3 a0 d9 35 7c 86 53 31 4a 4e 18 63 f6 bb 06
| be 16 44 6f 2b 86 5a d1 1a 27 2c cd cc ff 08 ad
| e8 2a 89 67 0c 16 a1 33 e6 81 43 d2 5c 3b c8 b4
| 4c 38 4c aa ab 8a b7 18 9f 2c 69 2a 1b 40 6d 75
| 86 86 94 66 b1 88 9e 19 ab 3b 28 58 53 90 40 a8
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #13
| next event EVENT_RETRANSMIT in 10 seconds for #13
|
| *received 340 bytes from 193.110.157.131:4500 on eth0 (port=4500)
| 15 fb ce ef 07 19 f5 1e 5e 6c 4b b3 b4 69 b4 e0
| 08 10 20 01 61 7c f6 c8 00 00 01 54 dc 14 e1 5c
| 6e 0e 25 51 25 35 80 1b b1 bd 31 86 e2 f6 5e 4a
| 17 86 d2 85 d7 a3 d6 50 8c 14 e4 14 5b ee 66 06
| 78 3e 40 b7 fe e7 be 4f 78 09 5b f0 31 ea 53 0a
| 86 65 d6 8f a1 9c 36 6c e8 35 85 e8 41 c7 74 4e
| ac c3 32 54 9c 32 7d ad 60 ea 1a 57 c1 1d 6c e0
| d8 fb 3b 3d 66 f8 54 8a 42 ed 56 de 39 e3 3f 75
| e6 9b 4b 7e 22 f5 b9 78 bb bc ef 14 90 4e 5a 1d
| 10 7d a1 36 19 79 3f da 73 c1 87 b4 d0 15 21 8f
| 54 d1 39 64 9c 11 94 ab 32 17 df ad 97 8d 05 4c
| 67 e6 c5 b0 d3 26 35 fb 41 9f 0b d7 6b 65 87 18
| 6e 91 29 6f 9e 0b e1 27 0e 46 13 df ea bb 41 4c
| 6d 83 89 07 af 13 f4 3a 08 43 41 9b 30 d6 e2 b4
| 28 bb 15 40 bf b3 ec 82 d2 b3 98 94 21 eb 64 72
| 49 1e cd 5a f4 30 5f d2 a4 fc 79 cf 4a a3 fb 79
| e8 2e c1 83 2c d9 42 1e e3 55 61 8d 32 66 41 e1
| a0 82 0d a1 3f cd 20 74 ad ca fa 38 2a 7b 67 58
| 4b b4 07 b9 0a 2b ac da 9b 18 c0 01 35 9c ff 29
| fc 3b 8f f0 d9 9b 18 83 fb 00 d3 62 6b 31 d3 a3
| f4 79 e7 6b 05 9b d4 be ad 46 5c fd 50 fc c0 13
| c1 52 e2 96
| **parse ISAKMP Message:
| initiator cookie:
| 15 fb ce ef 07 19 f5 1e
| responder cookie:
| 5e 6c 4b b3 b4 69 b4 e0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 61 7c f6 c8
| length: 340
| processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE: 15 fb ce ef 07 19 f5 1e
| RCOOKIE: 5e 6c 4b b3 b4 69 b4 e0
| peer: c1 6e 9d 83
| state hash entry 8
| peer and cookies match on #13, provided msgid 617cf6c8 vs 617cf6c8
| state object #13 found, in STATE_QUICK_I1
| processing connection aivd-bofh
| received encrypted packet from 193.110.157.131:4500
| decrypting 312 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 01 00 00 14 46 d6 ff fe 24 54 60 60 7e c4 09 f1
| 8b d4 83 9a 0a 00 00 34 00 00 00 01 00 00 00 01
| 00 00 00 28 00 03 04 01 a9 d9 d0 9f 00 00 00 1c
| 00 0c 00 00 80 03 00 05 80 04 00 03 80 01 00 01
| 80 02 70 80 80 05 00 02 04 00 00 14 08 2f c0 41
| fc 7d 87 3c 8d 32 07 fa bd d0 2e 49 05 00 00 c4
| db 10 44 84 0b b0 b7 7a e0 4a 48 7e 1c 78 a3 8b
| 00 71 b5 aa 54 0c 0e f0 e4 4c f1 28 dd 08 af ef
| f4 80 cf 61 0c a5 01 f9 99 08 f3 30 4a 14 e5 f8
| a1 35 9e 98 03 97 50 25 19 f1 01 58 32 d5 b3 9f
| 40 8d 15 e0 db 78 10 39 a5 f2 d4 9a 1b bf 1b df
| 72 9a 80 20 86 55 42 33 d9 42 6c 6a 22 37 bd 50
| f2 f7 74 70 7f 39 be 5b 2d 5c 54 60 26 e5 77 b6
| 95 10 9a c8 4d bc d4 75 99 a9 aa 1d 38 ed c3 81
| 72 c1 71 9a fd 71 da ca d8 81 d8 58 43 be 5f 3b
| a0 83 1f 86 9a 52 ef 1b d5 e2 90 a5 c7 e4 19 e2
| c0 f9 27 78 33 9d 17 0b bf 37 ef e9 9f 88 34 2b
| 20 cb 26 b6 b3 8e 12 4e 2e cb 44 53 00 5c ee 59
| 05 00 00 0c 01 00 00 00 c1 6e 9d 11 00 00 00 0c
| 01 00 00 00 c1 6e 9d 83
| next IV: 50 fc c0 13 c1 52 e2 96
| np=8 and sd=0x496bf0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| length: 20
| np=1 and sd=0x496a70
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| np=10 and sd=0x496c30
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| length: 20
| np=4 and sd=0x496b50
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_ID
| length: 196
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_ID
| length: 12
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| np=5 and sd=(nil)
| ***parse ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_NONE
| length: 12
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| **emit ISAKMP Message:
| initiator cookie:
| 15 fb ce ef 07 19 f5 1e
| responder cookie:
| 5e 6c 4b b3 b4 69 b4 e0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 61 7c f6 c8
| HASH(2) computed:
| 46 d6 ff fe 24 54 60 60 7e c4 09 f1 8b d4 83 9a
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI a9 d9 d0 9f
| *****parse ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| length: 28
| transform number: 0
| transform ID: ESP_AES
| ******parse ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 5
| [5 is OAKLEY_GROUP_MODP1536]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 3
| [3 is ENCAPSULATION_MODE_UDP_TUNNEL]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 28800
| ******parse ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| DH public value received:
| db 10 44 84 0b b0 b7 7a e0 4a 48 7e 1c 78 a3 8b
| 00 71 b5 aa 54 0c 0e f0 e4 4c f1 28 dd 08 af ef
| f4 80 cf 61 0c a5 01 f9 99 08 f3 30 4a 14 e5 f8
| a1 35 9e 98 03 97 50 25 19 f1 01 58 32 d5 b3 9f
| 40 8d 15 e0 db 78 10 39 a5 f2 d4 9a 1b bf 1b df
| 72 9a 80 20 86 55 42 33 d9 42 6c 6a 22 37 bd 50
| f2 f7 74 70 7f 39 be 5b 2d 5c 54 60 26 e5 77 b6
| 95 10 9a c8 4d bc d4 75 99 a9 aa 1d 38 ed c3 81
| 72 c1 71 9a fd 71 da ca d8 81 d8 58 43 be 5f 3b
| a0 83 1f 86 9a 52 ef 1b d5 e2 90 a5 c7 e4 19 e2
| c0 f9 27 78 33 9d 17 0b bf 37 ef e9 9f 88 34 2b
| 20 cb 26 b6 b3 8e 12 4e 2e cb 44 53 00 5c ee 59
| started looking for secret for @you->@me of kind PPK_PSK
| actually looking for secret for @you->@me of kind PPK_PSK
| 1: compared PSK 74.93.91.193 to @you / @me -> 0
| 2: compared PSK 76.10.144.1 to @you / @me -> 0
| 1: compared PSK @CT-CHI-SRV001.cititechs.com to @you / @me -> 0
| 2: compared PSK 76.10.144.1 to @you / @me -> 0
| concluding with best_match=0 best=(nil) (lineno=-1)
| calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1536): 928 usec
| DH shared secret:
| 82 0b 55 68 bb c2 b4 46 9c fc 3b 08 3a 37 c0 03
| 80 80 4d 83 cc cb 93 74 f0 d6 73 2d f9 af e9 f0
| 94 15 23 36 72 e1 4a 2d d4 12 d8 0a 5c 7e 62 d8
| be 0c 28 71 46 cf 58 c2 b5 f3 2f dc d5 b4 af b8
| fd 18 23 fb 48 ee 90 c9 0f 41 e4 b7 28 a2 9d 7c
| 93 79 98 37 7f 14 32 2e 6c e5 25 72 df 45 73 45
| 40 f7 da 95 e0 8e 92 7c 8e f5 d7 85 29 96 f1 96
| bc d3 17 0e b5 39 f5 96 1a 3b 24 d6 42 3f a3 5b
| d6 ec 33 ff 54 92 9b 1d e2 4d 50 32 01 af 93 6b
| 84 a5 9a b7 9e b6 81 8b 5d 67 ba bc a5 6b 5a c7
| f8 11 bb 46 90 f6 51 c3 e0 86 a2 46 41 bc 62 e8
| 6e 24 51 d1 b2 c6 f4 f3 8d ef ae 53 80 1c d5 57
| our client is 193.110.157.17
| our client protocol/port is 0/0
| complete state transition with (null)
"aivd-bofh" #13: sending encrypted notification INVALID_ID_INFORMATION to 193.110.157.131:4500
| **emit ISAKMP Message:
| initiator cookie:
| 15 fb ce ef 07 19 f5 1e
| responder cookie:
| 5e 6c 4b b3 b4 69 b4 e0
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: f8 ef ca 45
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| ***emit ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 0
| Notify Message Type: INVALID_ID_INFORMATION
| emitting length of ISAKMP Notification Payload: 12
| HASH(1) computed:
| 3b 48 7b 98 82 bd ae db af 31 67 43 32 18 bc da
| last Phase 1 IV: dc a1 d3 97 5a 9b 28 76
| current Phase 1 IV: dc a1 d3 97 5a 9b 28 76
| computed Phase 2 IV:
| 0a 25 a6 20 95 e6 fb 5a b1 c1 e7 c2 83 db 04 37
| encrypting:
| 0b 00 00 14 3b 48 7b 98 82 bd ae db af 31 67 43
| 32 18 bc da 00 00 00 0c 00 00 00 01 01 00 00 12
| IV:
| 0a 25 a6 20 95 e6 fb 5a b1 c1 e7 c2 83 db 04 37
| encrypting using OAKLEY_3DES_CBC
| next IV: 90 79 97 cc a7 ce bc c8
| emitting length of ISAKMP Message: 60
| sending 60 bytes for notification packet through eth0:4500 to 193.110.157.131:4500:
| 00 00 00 00 15 fb ce ef 07 19 f5 1e 5e 6c 4b b3
| b4 69 b4 e0 08 10 05 01 f8 ef ca 45 00 00 00 3c
| 4f df d1 93 56 b5 12 9b 6f a5 da 23 b1 bc 8b 05
| d1 29 6d c6 10 e0 4a da 90 79 97 cc a7 ce bc c8
| state transition function for STATE_QUICK_I1 failed: INVALID_ID_INFORMATION
| deleting state #13
| processing connection aivd-bofh
| no suspended cryptographic state for 13
| ICOOKIE: 15 fb ce ef 07 19 f5 1e
| RCOOKIE: 5e 6c 4b b3 b4 69 b4 e0
| peer: c1 6e 9d 83
| state hash entry 8
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
[root at bofh openswan-2]# fg
tail -f /tmp/openswan.log
|
| *received 340 bytes from 193.110.157.131:4500 on eth0 (port=4500)
| 34 26 58 89 33 df e7 9c 53 81 5a e9 61 95 1f 6a
| 08 10 20 01 38 43 a4 86 00 00 01 54 36 fa b9 39
| c0 46 2e 49 1f 53 fc 63 a6 1d 42 5b f8 e3 fc 71
| 6d da 19 db 46 0b 41 ec 3e 39 55 25 bf e6 00 85
| b9 22 ad 7d ca 76 01 06 ab 0c 24 4a 5d f5 f0 ab
| dd 58 41 6d 6e e8 cd f5 aa 95 4b 61 86 6d e8 1f
| e0 fa 68 7b 71 23 c6 e0 cb d1 fd f0 bc 41 ea 40
| 8a c0 c4 18 e8 4e 8a f6 b9 8c 7c 02 75 65 f1 79
| 35 b0 15 85 d2 28 fa 62 b2 82 a2 6c 4e 58 f7 ff
| fa 6c b3 e2 9a b5 9d 14 15 d0 12 0b f8 d2 45 1e
| 78 19 01 8c d5 7f 5d 93 5b 61 39 1c b2 4c e8 b6
| 42 d1 fd 41 2a 44 b8 ab 4c 7c ca 7e e6 fb bb 8d
| 65 cb 21 52 93 e2 c0 57 8d ac 56 11 cd db f4 9c
| 72 83 b2 02 e9 77 ab df 35 32 b7 c7 29 81 a7 86
| 61 74 9f b2 f3 e9 4d 90 88 d3 dd 45 8c 4a 4d ab
| 53 54 93 79 f9 90 fe 7f 89 47 c7 42 e5 99 95 f6
| 7c 98 43 8b af 5b 17 33 3d 34 61 7d 69 91 62 5b
| 4c eb ee 1e 6a da 33 0d 49 6a e9 81 f6 c5 0e 4a
| 77 de 83 6c c8 82 44 f1 40 74 79 f8 f7 52 ad 47
| b1 98 36 1d 4e 15 54 65 31 4f ce 90 8e ce 4f b4
| b3 97 3b 8d 8b c7 10 17 58 01 aa 44 35 10 8a 01
| ce 93 4a 45
| **parse ISAKMP Message:
| initiator cookie:
| 34 26 58 89 33 df e7 9c
| responder cookie:
| 53 81 5a e9 61 95 1f 6a
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 38 43 a4 86
| length: 340
| processing packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE: 34 26 58 89 33 df e7 9c
| RCOOKIE: 53 81 5a e9 61 95 1f 6a
| peer: c1 6e 9d 83
| state hash entry 23
| state object not found
| ICOOKIE: 34 26 58 89 33 df e7 9c
| RCOOKIE: 53 81 5a e9 61 95 1f 6a
| peer: c1 6e 9d 83
| state hash entry 23
| state object not found
packet from 193.110.157.131:4500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
| next event EVENT_NAT_T_KEEPALIVE in 13 seconds
[root at bofh openswan-2]#
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
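The two decrypted payload chains in the log, the "encrypting:" dump of what #13 sent as QM1 and the "decrypted:" dump of what came back as QM2, parsed side by side. This is an added example; it is not part of the post and not Openswan code. The byte strings are copied from the log; the parser, its function names and its tables of RFC 2408/2407 codes are the editor's own, with ENCAPSULATION_MODE 3 read as UDP_TUNNEL the way the log labels it. Walking both chains shows what one checks first on an INVALID_ID_INFORMATION at STATE_QUICK_I1: IDci/IDcr come back byte-identical to what was sent (ID_IPV4_ADDR 193.110.157.17 and 193.110.157.131, protocol 0, port 0), every ESP transform on both sides carries ENCAPSULATION_MODE 3, and the initiator still rejects. So the notification is raised by the initiator's own check of those IDs, not by a changed ID from the peer.

```python
# Added example, not Openswan code: parse the two decrypted Quick Mode payload chains
# dumped in the log above and compare what #13 sent with what came back.
import struct
from ipaddress import IPv4Address

# Payload types (RFC 2408 3.1) and IPsec DOI attribute codes (RFC 2407 4.5).
NEXT_NONE, NEXT_SA, NEXT_ID, NEXT_HASH = 0, 1, 5, 8
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
ATTR_NAMES = {1: "SA_LIFE_TYPE", 2: "SA_LIFE_DURATION", 3: "GROUP_DESCRIPTION",
              4: "ENCAPSULATION_MODE", 5: "AUTH_ALGORITHM"}  # ENCAPSULATION_MODE 3 = UDP_TUNNEL

# QM1 plaintext copied from the "encrypting:" dump (396 bytes, before the 4 padding bytes).
INITIATOR_PLAINTEXT = bytes.fromhex(
    "0100001494103568c82ed986cd58dd22b27970fb0a00008800000001000000010000007c00030404624c0c480300001c000c0000800300058004000380010001"
    "80027080800500020300001c010c000080030005800400038001000180027080800500010300001c020300008003000580040003800100018002708080050002"
    "0000001c030300008003000580040003800100018002708080050001040000140941c6840337515a1f7c4e240a9d7242050000c40937b7503b50a805818d32e3"
    "4cb2e0b02b5a9b67c7377111859743e79751c654bb8995cb70db6ac6da2c22ee3454b0e8155ab4c0fbb2aefbcd25303605a0edf24cee9a8631558e72f61de9e3"
    "5fae76dee94b8884bdb905308172d50ed25ccbc5e3cda14efbc63f0b360af7b015846853de3a00288fc0e7cc12396d84182aa86cddad4596470ee6aec6e5f16a"
    "eb981b90181b3a8e58a6a30d0b82d3e77e3edf6fb0d4252df4e8b4b65d9f159da2ae92fe1c9e2b89931a5038390d06095881c9780500000c01000000c16e9d11"
    "0000000c01000000c16e9d83")
# QM2 as decrypted by #13, copied from the "decrypted:" dump (312 bytes).
RESPONDER_DECRYPTED = bytes.fromhex(
    "0100001446d6fffe245460607ec409f18bd4839a0a00003400000001000000010000002800030401a9d9d09f0000001c000c0000800300058004000380010001"
    "800270808005000204000014082fc041fc7d873c8d3207fabdd02e49050000c4db1044840bb0b77ae04a487e1c78a38b0071b5aa540c0ef0e44cf128dd08afef"
    "f480cf610ca501f99908f3304a14e5f8a1359e980397502519f1015832d5b39f408d15e0db781039a5f2d49a1bbf1bdf729a802086554233d9426c6a2237bd50"
    "f2f774707f39be5b2d5c546026e577b695109ac84dbcd47599a9aa1d38edc38172c1719afd71dacad881d85843be5f3ba0831f869a52ef1bd5e290a5c7e419e2"
    "c0f92778339d170bbf37efe99f88342b20cb26b6b38e124e2ecb4453005cee590500000c01000000c16e9d110000000c01000000c16e9d83")

def parse_attributes(buf):
    """TLV attributes: AF bit set means a 2-byte value, clear means 2-byte length + value."""
    attrs, off = {}, 0
    while off < len(buf):
        af_type, = struct.unpack_from("!H", buf, off)
        if af_type & 0x8000:
            value, = struct.unpack_from("!H", buf, off + 2)
            off += 4
        else:
            length, = struct.unpack_from("!H", buf, off + 2)
            value = int.from_bytes(buf[off + 4:off + 4 + length], "big")
            off += 4 + length
        attrs[ATTR_NAMES.get(af_type & 0x7FFF, af_type & 0x7FFF)] = value
    return attrs

def parse_sa(body):
    """SA body: DOI, SIT, then proposals, each with its SPI and transforms."""
    doi, sit = struct.unpack_from("!II", body, 0)
    proposals, off = [], 8
    while off < len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        transforms, toff = [], off + 8 + spi_size
        for _ in range(ntrans):
            _, _, tlen, tnum, tid = struct.unpack_from("!BBHBB", body, toff)
            transforms.append({"number": tnum, "id": tid,
                               "attrs": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms,
                          "spi": body[off + 8:off + 8 + spi_size].hex()})
        off += plen
    return {"doi": doi, "sit": sit, "proposals": proposals}

def parse_id(body):
    """ID body: type, protocol, port, identity data (4 bytes for ID_IPV4_ADDR, type 1)."""
    id_type, proto, port = struct.unpack_from("!BBH", body, 0)
    data = body[4:]
    addr = str(IPv4Address(data)) if id_type == 1 and len(data) == 4 else data.hex()
    return {"id_type": {1: "ID_IPV4_ADDR"}.get(id_type, id_type), "protocol": proto, "port": port, "address": addr}

def parse_chain(data, first):
    """Walk generic headers (next, reserved, length) from type `first`; also return trailing bytes (padding)."""
    payloads, off, ptype = [], 0, first
    while ptype != NEXT_NONE:
        nxt, _, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {off}")
        body = data[off + 4:off + length]
        entry = {"payload": PAYLOAD_NAMES.get(ptype, ptype)}
        if ptype == NEXT_SA:
            entry.update(parse_sa(body))
        elif ptype == NEXT_ID:
            entry.update(parse_id(body))
        else:
            entry["data"] = body.hex()
        payloads.append(entry)
        off, ptype = off + length, nxt
    return payloads, data[off:]

def extract_ids(payloads):
    """IDci then IDcr as (type, address, protocol, port), in wire order."""
    return [(p["id_type"], p["address"], p["protocol"], p["port"]) for p in payloads if p["payload"] == "ID"]

def encapsulation_modes(payloads):  # ENCAPSULATION_MODE of every transform offered (3 = UDP_TUNNEL)
    sa = next(p for p in payloads if p["payload"] == "SA")
    return [t["attrs"].get("ENCAPSULATION_MODE") for prop in sa["proposals"] for t in prop["transforms"]]

def ids_match(sent, received):  # Quick Mode carries IDci/IDcr both ways (RFC 2409 5.5): unchanged echo?
    return extract_ids(sent) == extract_ids(received)

SENT, SENT_PAD = parse_chain(INITIATOR_PLAINTEXT, NEXT_HASH)
RECEIVED, RECEIVED_PAD = parse_chain(RESPONDER_DECRYPTED, NEXT_HASH)
```

Import the module and inspect SENT and RECEIVED, or call ids_match(SENT, RECEIVED) and encapsulation_modes(...) on each chain; the same parser applied to a "decrypted:" dump from a failing run on another box tells you in one step whether the peer changed IDci/IDcr or dropped the UDP_TUNNEL encapsulation attribute. parse_chain refuses payload lengths that run past the buffer rather than reading garbage, which is the first thing a parser fed attacker-controlled bytes must do.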