[Openswan dev] decrypted packet appears at wrong ipsec interface

hiren joshi joshihirenn at gmail.com
Fri Aug 29 12:10:13 EDT 2008


Hello,

I use openswan-2.4.8 (KLIPS).

I have two external interfaces.
Physical to ipsec interface bindings are: interfaces="ipsec0=eth1 ipsec1=eth2"

If I define a connection on the first interface (eth1), the decrypted
packet appears on the corresponding ipsec interface (ipsec0).

21:49:11.504898 eth1 < 172.16.1.1.4500 > 172.16.1.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:49:11.504898 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:49:11.512770 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:49:11.512988 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15887)
21:49:11.513280 if119 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15887)
21:49:11.516443 eth1 > 172.16.1.2.4500 > 172.16.1.1.4500: udp 116 (ttl 64, id 50791)

However, if I define the same connection on eth2, the decrypted packet
still appears on ipsec0 instead of ipsec1.

21:51:44.300464 eth2 < 172.16.2.1.4500 > 172.16.2.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:51:44.300464 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:51:44.300877 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:51:44.301378 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15888)
21:51:44.301449 if120 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15888)
21:51:44.301528 eth2 > 172.16.2.2.4500 > 172.16.2.1.4500: udp 116 (ttl 64, id 50792)

Is it normal?

Thank you.

Regards,
-hiren

------------------details (connection on eth2: behavior I do not expect)-----------------

ip addr show
1: lo: <LOOPBACK,UP> mtu 1500 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.13/24 brd 192.168.88.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global eth2
5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
    link/void
6: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
    link/void
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global ipsec0
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global ipsec1
121: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
122: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
----------------------
ip rule show
0:	from all lookup local
49:	from 192.168.88.0/24 to 172.16.3.2 lookup vpnroute
50:	from all lookup main
150:	from all fwmark        4 lookup gw4nof
150:	from all fwmark        5 lookup gw5nof
151:	from 172.16.2.0/24 lookup 151
152:	from 172.16.1.0/24 lookup 152
221:	from all lookup 221
32766:	from all lookup main
32767:	from all lookup 253
----------------------
ip route show
192.168.88.13 dev eth0  scope link
172.16.2.2 dev eth2  scope link
172.16.2.0/24 dev eth2  proto kernel  scope link  src 172.16.2.2
172.16.2.0/24 dev ipsec1  scope link  metric 1
172.16.1.0/24 dev eth1  proto kernel  scope link  src 172.16.1.2
172.16.1.0/24 dev ipsec0  scope link  metric 1
192.168.88.0/24 dev eth0  proto kernel  scope link  src 192.168.88.13
127.0.0.0/8 dev lo  scope link
----------------------
ip route show table vpnroute
172.16.3.2 dev ipsec1  scope link
----------------------
ip route show table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 192.168.88.13 dev eth0  proto kernel  scope host  src 192.168.88.13
broadcast 172.16.2.0 dev eth2  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.2.0 dev ipsec1  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.1.255 dev eth1  proto kernel  scope link  src 172.16.1.2
broadcast 172.16.1.255 dev ipsec0  proto kernel  scope link  src 172.16.1.2
broadcast 192.168.88.255 dev eth0  proto kernel  scope link  src 192.168.88.13
local 172.16.2.2 dev eth2  proto kernel  scope host  src 172.16.2.2
local 172.16.2.2 dev ipsec1  proto kernel  scope host  src 172.16.2.2
broadcast 172.16.2.255 dev eth2  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.2.255 dev ipsec1  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.1.0 dev eth1  proto kernel  scope link  src 172.16.1.2
broadcast 172.16.1.0 dev ipsec0  proto kernel  scope link  src 172.16.1.2
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.88.0 dev eth0  proto kernel  scope link  src 192.168.88.13
local 172.16.1.2 dev eth1  proto kernel  scope host  src 172.16.1.2
local 172.16.1.2 dev ipsec0  proto kernel  scope host  src 172.16.1.2
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
----------------------
ipsec auto --status
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec1/eth2 172.16.2.2
000 interface ipsec1/eth2 172.16.2.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rw_2-1": 192.168.88.0/24===172.16.2.2---172.16.2.1...%virtual===?; unrouted; eroute owner: #0
000 "rw_2-1":     srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth2; encap: esp;
000 "rw_2-1":   dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw_2-1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: 192.168.88.0/24===172.16.2.2...172.16.2.1[172.16.3.2]===172.16.3.2/32; erouted; eroute owner: #8
000 "rw_2-1"[2]:     srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1"[2]:   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1"[2]:   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth2; encap: esp;
000 "rw_2-1"[2]:   dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1"[2]:   newest ISAKMP SA: #7; newest IPsec SA: #8;
000 "rw_2-1"[2]:   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1"[2]:   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1"[2]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "rw_2-1"[2]:   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]:   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]:   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #8: "rw_2-1"[2] 172.16.2.1:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3509s; newest IPSEC; eroute owner
000 #8: "rw_2-1"[2] 172.16.2.1 esp.1387c495@172.16.2.1 esp.9b60af09@172.16.2.2 tun.1006@172.16.2.1 tun.1005@172.16.2.2
000 #7: "rw_2-1"[2] 172.16.2.1:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3568s; newest ISAKMP; lastdpd=1s(seq in:5966 out:0)
000
----------------------
ipsec.conf
version 2
config setup
	interfaces="ipsec0=eth1 ipsec1=eth2 "
	klipsdebug=none
	plutodebug="none"
	uniqueids=no
	nat_traversal=yes
	crlcheckinterval=3600
	nhelpers=0

conn %default
	leftupdown=/usr/lib/ipsec/_updown
	rightupdown=/usr/lib/ipsec/_updown

conn rw_2-1
	leftsubnet=192.168.88.0/24
	auto=add
	also=rw_2

conn rw_2
	type=tunnel
	left=172.16.2.2
	leftnexthop=172.16.2.1
	right=%any
	x_rightdynamic=yes
	authby=secret
	rightsubnet="vhost:%v4:0.0.0.0/0"
	keylife=3600
	rekey=no
	rekeymargin=120
	rekeyfuzz=0%
	keyingtries=3
	compress=yes
	failureshunt=drop
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ikelifetime=3600
	pfs=yes
	ike="3des-md5-modp1024"
	esp="3des-md5"




------------------details (connection on eth1: normal behavior)-----------------
ip addr show
1: lo: <LOOPBACK,UP> mtu 1500 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.13/24 brd 192.168.88.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global eth2
5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
    link/void
6: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
    link/void
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global ipsec0
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global ipsec1
121: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
122: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
----------------------
ip rule show
0:	from all lookup local
49:	from 192.168.88.0/24 to 172.16.3.2 lookup vpnroute
50:	from all lookup main
150:	from all fwmark        4 lookup gw4nof
150:	from all fwmark        5 lookup gw5nof
151:	from 172.16.2.0/24 lookup 151
152:	from 172.16.1.0/24 lookup 152
221:	from all lookup 221
32766:	from all lookup main
32767:	from all lookup 253
----------------------
ip route show
192.168.88.13 dev eth0  scope link
172.16.2.2 dev eth2  scope link
172.16.2.0/24 dev eth2  proto kernel  scope link  src 172.16.2.2
172.16.2.0/24 dev ipsec1  scope link  metric 1
172.16.1.0/24 dev eth1  proto kernel  scope link  src 172.16.1.2
172.16.1.0/24 dev ipsec0  scope link  metric 1
192.168.88.0/24 dev eth0  proto kernel  scope link  src 192.168.88.13
127.0.0.0/8 dev lo  scope link
----------------------
ip route show table vpnroute
172.16.3.2 dev ipsec0  scope link
----------------------
ip route show table local
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
local 192.168.88.13 dev eth0  proto kernel  scope host  src 192.168.88.13
broadcast 172.16.2.0 dev eth2  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.2.0 dev ipsec1  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.1.255 dev eth1  proto kernel  scope link  src 172.16.1.2
broadcast 172.16.1.255 dev ipsec0  proto kernel  scope link  src 172.16.1.2
broadcast 192.168.88.255 dev eth0  proto kernel  scope link  src 192.168.88.13
local 172.16.2.2 dev eth2  proto kernel  scope host  src 172.16.2.2
local 172.16.2.2 dev ipsec1  proto kernel  scope host  src 172.16.2.2
broadcast 172.16.2.255 dev eth2  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.2.255 dev ipsec1  proto kernel  scope link  src 172.16.2.2
broadcast 172.16.1.0 dev eth1  proto kernel  scope link  src 172.16.1.2
broadcast 172.16.1.0 dev ipsec0  proto kernel  scope link  src 172.16.1.2
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 192.168.88.0 dev eth0  proto kernel  scope link  src 192.168.88.13
local 172.16.1.2 dev eth1  proto kernel  scope host  src 172.16.1.2
local 172.16.1.2 dev ipsec0  proto kernel  scope host  src 172.16.1.2
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
----------------------
ipsec.conf
version 2
config setup
	interfaces="ipsec0=eth1 ipsec1=eth2 "
	klipsdebug=none
	plutodebug="none"
	uniqueids=no
	nat_traversal=yes
	crlcheckinterval=3600
	nhelpers=0


conn %default
	leftupdown=/usr/lib/ipsec/_updown
	rightupdown=/usr/lib/ipsec/_updown

conn rw_2-1
	leftsubnet=192.168.88.0/24
	auto=add
	also=rw_2

conn rw_2
	type=tunnel
	left=172.16.1.2
	leftnexthop=172.16.1.1
	right=%any
	x_rightdynamic=yes
	authby=secret
	rightsubnet="vhost:%v4:0.0.0.0/0"
	keylife=3600
	rekey=no
	rekeymargin=120
	rekeyfuzz=0%
	keyingtries=3
	compress=yes
	failureshunt=drop
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear
	ikelifetime=3600
	pfs=yes
	ike="3des-md5-modp1024"
	esp="3des-md5"
----------------------
ipsec auto --status
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec1/eth2 172.16.2.2
000 interface ipsec1/eth2 172.16.2.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rw_2-1": 192.168.88.0/24===172.16.1.2---172.16.1.1...%virtual===?; unrouted; eroute owner: #0
000 "rw_2-1":     srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth1; encap: esp;
000 "rw_2-1":   dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw_2-1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: 192.168.88.0/24===172.16.1.2...172.16.1.1[172.16.3.2]===172.16.3.2/32; erouted; eroute owner: #6
000 "rw_2-1"[2]:     srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1"[2]:   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1"[2]:   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth1; encap: esp;
000 "rw_2-1"[2]:   dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1"[2]:   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "rw_2-1"[2]:   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1"[2]:   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1"[2]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "rw_2-1"[2]:   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]:   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]:   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #6: "rw_2-1"[2] 172.16.1.1:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3492s; newest IPSEC; eroute owner
000 #6: "rw_2-1"[2] 172.16.1.1 esp.885e979@172.16.1.1 esp.9b60af08@172.16.1.2 tun.1004@172.16.1.1 tun.1003@172.16.1.2
000 #5: "rw_2-1"[2] 172.16.1.1:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3552s; newest ISAKMP; lastdpd=18s(seq in:22203 out:0)
000


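Added example (not part of the original post, and not Openswan code): a small checker that makes the comparison the post does by eye. It correlates a tcpdump capture with the ipsecN=ethN bindings from ipsec.conf and the interface-index-to-name mapping from `ip addr show` (tcpdump's `if119`/`if120` are interface indices 119 and 120, which the `ip addr show` output above maps to ipsec0 and ipsec1), and reports whether each decrypted inbound packet surfaced on the ipsec device bound to the physical interface that received the ESP packet, and whether each outbound plaintext left on the ipsec device bound to the interface that sent the ESP. The sample inputs are the two captures and the relevant `ip addr show` lines quoted in the post, with tcpdump's wrapped lines rejoined; the check assumes NAT-T encapsulation (UDP/4500) as in those captures and does not recognise raw ESP (IP protocol 50).

```python
import re

# Assumption taken from the post's ipsec.conf: interfaces="ipsec0=eth1 ipsec1=eth2"
BINDINGS = {"eth1": "ipsec0", "eth2": "ipsec1"}

# Constructed excerpt of the post's `ip addr show` (interface header lines only).
IP_ADDR_SHOW = """\
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
"""

# The two captures quoted in the post (wrapped lines rejoined).
CAPTURE_ETH1 = """\
21:49:11.504898 eth1 < 172.16.1.1.4500 > 172.16.1.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:49:11.504898 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:49:11.512770 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:49:11.512988 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15887)
21:49:11.513280 if119 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15887)
21:49:11.516443 eth1 > 172.16.1.2.4500 > 172.16.1.1.4500: udp 116 (ttl 64, id 50791)
"""
CAPTURE_ETH2 = """\
21:51:44.300464 eth2 < 172.16.2.1.4500 > 172.16.2.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:51:44.300464 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:51:44.300877 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:51:44.301378 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15888)
21:51:44.301449 if120 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15888)
21:51:44.301528 eth2 > 172.16.2.2.4500 > 172.16.2.1.4500: udp 116 (ttl 64, id 50792)
"""

IFINDEX_RE = re.compile(r"^(\d+): ([^:\s]+):")
# "<ts> <dev> <dir> <src> > <dst>: <proto> ..." as printed by this tcpdump (-i any style)
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+)")


def parse_ifindex(ip_addr_output):
    """Map tcpdump's 'ifNNN' device names to kernel interface names."""
    names = {}
    for line in ip_addr_output.splitlines():
        m = IFINDEX_RE.match(line)
        if m:
            names["if" + m.group(1)] = m.group(2)
    return names


def parse_capture(text):
    """Yield one dict per tcpdump line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_natt(pkt):
    """NAT-T encapsulated ESP: UDP with port 4500 on either side."""
    return pkt["proto"] == "udp" and (pkt["src"].endswith(".4500") or pkt["dst"].endswith(".4500"))


def _verdict(direction, pkt, expected, actual):
    return {"direction": direction, "ts": pkt["ts"], "expected": expected,
            "actual": actual, "ok": expected == actual}


def check_ipsec_devices(capture, bindings=BINDINGS, ifindex=None):
    """Pair each ESP packet on a physical device with the plaintext on an ipsec device.

    Inbound: ESP arrives on ethN, the next inbound plaintext on an ifNNN device
    should be bindings[ethN]. Outbound: plaintext leaves on an ipsec device, the
    next outbound ESP on ethN should have bindings[ethN] equal to that device.
    """
    if ifindex is None:
        ifindex = parse_ifindex(IP_ADDR_SHOW)
    results = []
    esp_in_dev = None     # physical device that received the last inbound ESP
    plain_out_dev = None  # ipsec device that emitted the last outbound plaintext
    for pkt in parse_capture(capture):
        dev, direction = pkt["dev"], pkt["dir"]
        if direction == "<":
            if dev in bindings and is_natt(pkt):
                esp_in_dev = dev
            elif esp_in_dev and dev in ifindex:
                results.append(_verdict("inbound", pkt, bindings[esp_in_dev], ifindex[dev]))
                esp_in_dev = None
        else:
            if dev in ifindex:
                plain_out_dev = ifindex[dev]
            elif plain_out_dev and dev in bindings and is_natt(pkt):
                results.append(_verdict("outbound", pkt, bindings[dev], plain_out_dev))
                plain_out_dev = None
    return results


if __name__ == "__main__":
    for name, cap in (("eth1", CAPTURE_ETH1), ("eth2", CAPTURE_ETH2)):
        for v in check_ipsec_devices(cap):
            print(name, v["direction"], "expected", v["expected"], "got", v["actual"],
                  "OK" if v["ok"] else "MISMATCH")
```

Run against the eth2 capture it flags exactly what the post describes: the inbound plaintext appears on ipsec0 (if119) although the ESP came in on eth2, whose binding is ipsec1, while the outbound side (if120, then eth2) is consistent. On a live gateway, feed it the output of `tcpdump -i any -n` together with `ip addr show`; the `if` prefix in device names is how the `any` pseudo-interface labels an interface it has no name for.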