[Openswan dev] decrypted packet appears at wrong ipsec interface
hiren joshi
joshihirenn at gmail.com
Fri Aug 29 12:10:13 EDT 2008
Hello,
I use openswan-2.4.8 (KLIPS).
I have two external interfaces.
Physical to ipsec interface bindings are: interfaces="ipsec0=eth1 ipsec1=eth2"
If I define a connection on the first interface (eth1), the decrypted packet appears on the corresponding ipsec interface (ipsec0).
21:49:11.504898 eth1 < 172.16.1.1.4500 > 172.16.1.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:49:11.504898 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:49:11.512770 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:49:11.512988 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15887)
21:49:11.513280 if119 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15887)
21:49:11.516443 eth1 > 172.16.1.2.4500 > 172.16.1.1.4500: udp 116 (ttl 64, id 50791)
However, if I define the same connection on eth2, the decrypted packet still appears on ipsec0 instead of ipsec1.
21:51:44.300464 eth2 < 172.16.2.1.4500 > 172.16.2.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:51:44.300464 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:51:44.300877 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:51:44.301378 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15888)
21:51:44.301449 if120 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15888)
21:51:44.301528 eth2 > 172.16.2.2.4500 > 172.16.2.1.4500: udp 116 (ttl 64, id 50792)
Is it normal?
Thank you.
Regards,
-hiren
------------------details (connection on eth1: behavior I do not expect)-----------------
ip addr show
1: lo: <LOOPBACK,UP> mtu 1500 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.13/24 brd 192.168.88.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global eth2
5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
    link/void
6: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
    link/void
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global ipsec0
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global ipsec1
121: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
122: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
----------------------
ip rule show
0: from all lookup local
49: from 192.168.88.0/24 to 172.16.3.2 lookup vpnroute
50: from all lookup main
150: from all fwmark 4 lookup gw4nof
150: from all fwmark 5 lookup gw5nof
151: from 172.16.2.0/24 lookup 151
152: from 172.16.1.0/24 lookup 152
221: from all lookup 221
32766: from all lookup main
32767: from all lookup 253
----------------------
ip route show
192.168.88.13 dev eth0 scope link
172.16.2.2 dev eth2 scope link
172.16.2.0/24 dev eth2 proto kernel scope link src 172.16.2.2
172.16.2.0/24 dev ipsec1 scope link metric 1
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.2
172.16.1.0/24 dev ipsec0 scope link metric 1
192.168.88.0/24 dev eth0 proto kernel scope link src 192.168.88.13
127.0.0.0/8 dev lo scope link
----------------------
ip route show table vpnroute
172.16.3.2 dev ipsec1 scope link
----------------------
ip route show table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.88.13 dev eth0 proto kernel scope host src 192.168.88.13
broadcast 172.16.2.0 dev eth2 proto kernel scope link src 172.16.2.2
broadcast 172.16.2.0 dev ipsec1 proto kernel scope link src 172.16.2.2
broadcast 172.16.1.255 dev eth1 proto kernel scope link src 172.16.1.2
broadcast 172.16.1.255 dev ipsec0 proto kernel scope link src 172.16.1.2
broadcast 192.168.88.255 dev eth0 proto kernel scope link src 192.168.88.13
local 172.16.2.2 dev eth2 proto kernel scope host src 172.16.2.2
local 172.16.2.2 dev ipsec1 proto kernel scope host src 172.16.2.2
broadcast 172.16.2.255 dev eth2 proto kernel scope link src 172.16.2.2
broadcast 172.16.2.255 dev ipsec1 proto kernel scope link src 172.16.2.2
broadcast 172.16.1.0 dev eth1 proto kernel scope link src 172.16.1.2
broadcast 172.16.1.0 dev ipsec0 proto kernel scope link src 172.16.1.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.88.0 dev eth0 proto kernel scope link src 192.168.88.13
local 172.16.1.2 dev eth1 proto kernel scope host src 172.16.1.2
local 172.16.1.2 dev ipsec0 proto kernel scope host src 172.16.1.2
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
----------------------
ipsec auto --status
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec1/eth2 172.16.2.2
000 interface ipsec1/eth2 172.16.2.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rw_2-1": 192.168.88.0/24===172.16.2.2---172.16.2.1...%virtual===?; unrouted; eroute owner: #0
000 "rw_2-1": srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth2; encap: esp;
000 "rw_2-1": dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw_2-1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: 192.168.88.0/24===172.16.2.2...172.16.2.1[172.16.3.2]===172.16.3.2/32; erouted; eroute owner: #8
000 "rw_2-1"[2]: srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1"[2]: ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1"[2]: policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth2; encap: esp;
000 "rw_2-1"[2]: dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1"[2]: newest ISAKMP SA: #7; newest IPsec SA: #8;
000 "rw_2-1"[2]: IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1"[2]: IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "rw_2-1"[2]: ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #8: "rw_2-1"[2] 172.16.2.1:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3509s; newest IPSEC; eroute owner
000 #8: "rw_2-1"[2] 172.16.2.1 esp.1387c495@172.16.2.1 esp.9b60af09@172.16.2.2 tun.1006@172.16.2.1 tun.1005@172.16.2.2
000 #7: "rw_2-1"[2] 172.16.2.1:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3568s; newest ISAKMP; lastdpd=1s(seq in:5966 out:0)
000
----------------------
ipsec.conf
version 2
config setup
    interfaces="ipsec0=eth1 ipsec1=eth2 "
    klipsdebug=none
    plutodebug="none"
    uniqueids=no
    nat_traversal=yes
    crlcheckinterval=3600
    nhelpers=0
conn %default
    leftupdown=/usr/lib/ipsec/_updown
    rightupdown=/usr/lib/ipsec/_updown
conn rw_2-1
    leftsubnet=192.168.88.0/24
    auto=add
    also=rw_2
conn rw_2
    type=tunnel
    left=172.16.2.2
    leftnexthop=172.16.2.1
    right=%any
    x_rightdynamic=yes
    authby=secret
    rightsubnet="vhost:%v4:0.0.0.0/0"
    keylife=3600
    rekey=no
    rekeymargin=120
    rekeyfuzz=0%
    keyingtries=3
    compress=yes
    failureshunt=drop
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=3600
    pfs=yes
    ike="3des-md5-modp1024"
    esp="3des-md5"
------------------details (connection on eth1: normal behavior)-----------------
ip addr show
1: lo: <LOOPBACK,UP> mtu 1500 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.13/24 brd 192.168.88.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global eth2
5: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
    link/void
6: imq1: <NOARP> mtu 1500 qdisc noop qlen 30
    link/void
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:8e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/24 brd 172.16.1.255 scope global ipsec0
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:0c:29:11:5a:98 brd ff:ff:ff:ff:ff:ff
    inet 172.16.2.2/24 brd 172.16.2.255 scope global ipsec1
121: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
122: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
----------------------
ip rule show
0: from all lookup local
49: from 192.168.88.0/24 to 172.16.3.2 lookup vpnroute
50: from all lookup main
150: from all fwmark 4 lookup gw4nof
150: from all fwmark 5 lookup gw5nof
151: from 172.16.2.0/24 lookup 151
152: from 172.16.1.0/24 lookup 152
221: from all lookup 221
32766: from all lookup main
32767: from all lookup 253
----------------------
ip route show
192.168.88.13 dev eth0 scope link
172.16.2.2 dev eth2 scope link
172.16.2.0/24 dev eth2 proto kernel scope link src 172.16.2.2
172.16.2.0/24 dev ipsec1 scope link metric 1
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.2
172.16.1.0/24 dev ipsec0 scope link metric 1
192.168.88.0/24 dev eth0 proto kernel scope link src 192.168.88.13
127.0.0.0/8 dev lo scope link
----------------------
ip route show table vpnroute
172.16.3.2 dev ipsec0 scope link
----------------------
ip route show table local
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.88.13 dev eth0 proto kernel scope host src 192.168.88.13
broadcast 172.16.2.0 dev eth2 proto kernel scope link src 172.16.2.2
broadcast 172.16.2.0 dev ipsec1 proto kernel scope link src 172.16.2.2
broadcast 172.16.1.255 dev eth1 proto kernel scope link src 172.16.1.2
broadcast 172.16.1.255 dev ipsec0 proto kernel scope link src 172.16.1.2
broadcast 192.168.88.255 dev eth0 proto kernel scope link src 192.168.88.13
local 172.16.2.2 dev eth2 proto kernel scope host src 172.16.2.2
local 172.16.2.2 dev ipsec1 proto kernel scope host src 172.16.2.2
broadcast 172.16.2.255 dev eth2 proto kernel scope link src 172.16.2.2
broadcast 172.16.2.255 dev ipsec1 proto kernel scope link src 172.16.2.2
broadcast 172.16.1.0 dev eth1 proto kernel scope link src 172.16.1.2
broadcast 172.16.1.0 dev ipsec0 proto kernel scope link src 172.16.1.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.88.0 dev eth0 proto kernel scope link src 192.168.88.13
local 172.16.1.2 dev eth1 proto kernel scope host src 172.16.1.2
local 172.16.1.2 dev ipsec0 proto kernel scope host src 172.16.1.2
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
----------------------
ipsec.conf
version 2
config setup
    interfaces="ipsec0=eth1 ipsec1=eth2 "
    klipsdebug=none
    plutodebug="none"
    uniqueids=no
    nat_traversal=yes
    crlcheckinterval=3600
    nhelpers=0
conn %default
    leftupdown=/usr/lib/ipsec/_updown
    rightupdown=/usr/lib/ipsec/_updown
conn rw_2-1
    leftsubnet=192.168.88.0/24
    auto=add
    also=rw_2
conn rw_2
    type=tunnel
    left=172.16.1.2
    leftnexthop=172.16.1.1
    right=%any
    x_rightdynamic=yes
    authby=secret
    rightsubnet="vhost:%v4:0.0.0.0/0"
    keylife=3600
    rekey=no
    rekeymargin=120
    rekeyfuzz=0%
    keyingtries=3
    compress=yes
    failureshunt=drop
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=3600
    pfs=yes
    ike="3des-md5-modp1024"
    esp="3des-md5"
----------------------
ipsec auto --status
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec0/eth1 172.16.1.2
000 interface ipsec1/eth2 172.16.2.2
000 interface ipsec1/eth2 172.16.2.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rw_2-1": 192.168.88.0/24===172.16.1.2---172.16.1.1...%virtual===?; unrouted; eroute owner: #0
000 "rw_2-1": srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth1; encap: esp;
000 "rw_2-1": dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rw_2-1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: 192.168.88.0/24===172.16.1.2...172.16.1.1[172.16.3.2]===172.16.3.2/32; erouted; eroute owner: #6
000 "rw_2-1"[2]: srcip=unset; dstip=unset; srcup=/usr/lib/ipsec/_updown; dstup=/usr/lib/ipsec/_updown;
000 "rw_2-1"[2]: ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 120s; rekey_fuzz: 0%; keyingtries: 3
000 "rw_2-1"[2]: policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+failureDROP; prio: 24,32; interface: eth1; encap: esp;
000 "rw_2-1"[2]: dpd: action:clear; delay:30; timeout:120;
000 "rw_2-1"[2]: newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "rw_2-1"[2]: IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "rw_2-1"[2]: IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "rw_2-1"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "rw_2-1"[2]: ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "rw_2-1"[2]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #6: "rw_2-1"[2] 172.16.1.1:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3492s; newest IPSEC; eroute owner
000 #6: "rw_2-1"[2] 172.16.1.1 esp.885e979@172.16.1.1 esp.9b60af08@172.16.1.2 tun.1004@172.16.1.1 tun.1003@172.16.1.2
000 #5: "rw_2-1"[2] 172.16.1.1:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3552s; newest ISAKMP; lastdpd=18s(seq in:22203 out:0)
000
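The post compares two tcpdump traces by eye to see which ipsec device the KLIPS-decrypted packet surfaced on. The script below is an added diagnostic for exactly that comparison; it is not code from the post or from Openswan. It parses the three artifacts the post already pastes: `ip addr show` (to map tcpdump's index-style names such as `if119` back to `ipsec0`, using the ifindex column, which is an assumption about how this tcpdump names devices), the `interfaces="ipsec0=eth1 ipsec1=eth2"` binding from ipsec.conf, and the tcpdump lines themselves. For every cleartext packet seen on an ipsecN device it reports the ipsec device the binding says should have carried it, namely the one bound to the physical interface on which the matching UDP-4500 (or ESP) packet was seen. The sample inputs are constructed from the post's own output; names such as `Finding` and `check_trace` are mine.

```python
"""Cross-check which ipsec device a KLIPS-decrypted packet surfaced on.

Added diagnostic, not code from the original post or from Openswan.
Sample inputs below are constructed from the traces and tables in the post.
"""
import re
from typing import Dict, List, NamedTuple, Optional

IP_ADDR_SHOW = """\
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
119: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
120: ipsec1: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
"""
INTERFACES_LINE = 'interfaces="ipsec0=eth1 ipsec1=eth2 "'
TRACE_ETH1 = """\
21:49:11.504898 eth1 < 172.16.1.1.4500 > 172.16.1.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:49:11.504898 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:49:11.512770 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:49:11.512988 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15887)
21:49:11.513280 if119 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15887)
21:49:11.516443 eth1 > 172.16.1.2.4500 > 172.16.1.1.4500: udp 116 (ttl 64, id 50791)
"""
TRACE_ETH2 = """\
21:51:44.300464 eth2 < 172.16.2.1.4500 > 172.16.2.2.4500: udp 116 (DF) (ttl 63, id 10582)
21:51:44.300464 if119 < 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 64, id 0)
21:51:44.300877 eth0 > 172.16.3.2 > 192.168.88.21: icmp: echo request (DF) (ttl 63, id 0)
21:51:44.301378 eth0 < 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 255, id 15888)
21:51:44.301449 if120 > 192.168.88.21 > 172.16.3.2: icmp: echo reply (ttl 254, id 15888)
21:51:44.301528 eth2 > 172.16.2.2.4500 > 172.16.2.1.4500: udp 116 (ttl 64, id 50792)
"""

# "<ts> <dev> <|> <src> > <dst>: <proto> ..." as printed by the tcpdump in the post
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<dir>[<>]) (?P<src>\S+) > (?P<dst>\S+): (?P<proto>\S+)")


class Finding(NamedTuple):
    ts: str
    direction: str           # "in": decrypted by KLIPS; "out": about to be encrypted
    actual: str              # ipsec device the cleartext packet was seen on
    expected: Optional[str]  # ipsec device bound to the physical interface actually used

    @property
    def ok(self) -> bool:
        return self.expected is not None and self.actual == self.expected


def parse_ifindex(ip_addr_output: str) -> Dict[int, str]:
    """'119: ipsec0: <...>' -> {119: 'ipsec0'}; resolves tcpdump's ifNNN names (assumed = ifindex)."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+): ([^:@\s]+)", ip_addr_output, re.M)}


def parse_bindings(interfaces_line: str) -> Dict[str, str]:
    """interfaces="ipsec0=eth1 ipsec1=eth2" -> {'eth1': 'ipsec0', 'eth2': 'ipsec1'}."""
    m = re.search(r'interfaces="([^"]*)"', interfaces_line)
    if m is None:
        raise ValueError("no interfaces= setting found")
    return {phys: virt for virt, phys in (p.split("=", 1) for p in m.group(1).split())}


def resolve_dev(name: str, ifindex: Dict[int, str]) -> str:
    """Turn 'if119' into 'ipsec0' when the index is known; leave other names alone."""
    m = re.fullmatch(r"if(\d+)", name)
    return ifindex.get(int(m.group(1)), name) if m else name


def check_trace(trace: str, ifindex: Dict[int, str],
                phys_to_ipsec: Dict[str, str]) -> List[Finding]:
    """Pair each cleartext packet on an ipsecN device with its encapsulated twin."""
    ipsec_devs = set(phys_to_ipsec.values())
    findings: List[Finding] = []
    last_encap_in: Optional[str] = None    # physical dev of newest inbound UDP-4500/ESP packet
    pending_out: Optional[Finding] = None  # outbound cleartext packet awaiting its encrypted copy
    for line in trace.splitlines():
        m = TCPDUMP_RE.match(line)
        if m is None:
            continue
        dev = resolve_dev(m["dev"], ifindex)
        inbound = m["dir"] == "<"
        encapsulated = dev in phys_to_ipsec and (
            m["src"].endswith(".4500") or m["dst"].endswith(".4500")
            or m["proto"].lower().startswith("esp"))
        if encapsulated:
            if inbound:
                last_encap_in = dev
            elif pending_out is not None:
                findings.append(pending_out._replace(expected=phys_to_ipsec[dev]))
                pending_out = None
        elif dev in ipsec_devs:
            if inbound:
                expected = phys_to_ipsec.get(last_encap_in) if last_encap_in else None
                findings.append(Finding(m["ts"], "in", dev, expected))
            else:
                pending_out = Finding(m["ts"], "out", dev, None)
    return findings


if __name__ == "__main__":
    ifx = parse_ifindex(IP_ADDR_SHOW)
    binding = parse_bindings(INTERFACES_LINE)
    for label, trace in (("eth1", TRACE_ETH1), ("eth2", TRACE_ETH2)):
        for f in check_trace(trace, ifx, binding):
            print(f"{label}: {f.direction:3} on {f.actual}, expected {f.expected}: "
                  f"{'ok' if f.ok else 'MISMATCH'}")
```

Run against the post's traces it flags exactly one mismatch: in the eth2 case the inbound decrypted echo request is seen on ipsec0 while the encapsulated packet arrived on eth2 (bound to ipsec1), whereas the outbound echo reply correctly leaves via ipsec1 before being encapsulated on eth2. Feeding it a live trace (`tcpdump -nn -i any`) plus the current `ip addr show` gives the same inbound/outbound split without reading interface indices by hand.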