[Openswan Users] Negotiation fails at final step (NAT-T)

Marcus Better marcus+keyword+openswan.0a8cde at dactylis.com
Wed Jun 30 02:14:28 CEST 2004


Wed, 30 Jun 2004 01:14:28 +0200 (CEST)
Hi,

I am connecting two Openswans, one road-warrior on a public IP address 
(aa.bb.cc.dd in the logs below), and one gateway behind NAT, with the NAT 
gateway having address XX.YY.ZZ.WW. The road-warrior initiates the 
connection.

Both Openswans are openswan-2.1.4-15.rhfc2.at running on Fedora Core 2, 
stock kernel 2.6.6-1.435.

Although the setup is a bit eccentric, it used to work, with NAT traversal
and all, only with kernel 2.4 (with a KLIPS kernel module from ATrpms)  
and Fedora Core 1 on the NATed side, and Openswan 2.1.2 on both sides.
It stopped working after switching to FC2 and kernel 2.6.

The log files below have been slightly edited to leave out sensitive 
details.

The negotiation seems to proceed normally on both sides, with the initiator 
saying:

104 "here-there" #1: STATE_MAIN_I1: initiate
003 "here-there" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "here-there" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "here-there" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
108 "here-there" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "here-there" #1: STATE_MAIN_I4: ISAKMP SA established
112 "here-there" #2: STATE_QUICK_I1: initiate
004 "here-there" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xec831438 <0xb3f4c36c}

Despite this, there are error messages in the logs and the SA seems not to 
be established after all.

Here is /var/log/secure on the initiator side (road-warrior):

-----------------------------------------------------
Jun 29 23:22:07 kelev ipsec__plutorun: Starting Pluto subsystem...
Jun 29 23:22:07 kelev pluto[5890]: Starting Pluto (Openswan Version cvs2002Mar11_19:19:03 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Jun 29 23:22:07 kelev pluto[5890]:   including NAT-Traversal patch (Version 0.6c)
Jun 29 23:22:07 kelev pluto[5890]: Using Linux 2.6 IPsec interface code
Jun 29 23:22:07 kelev pluto[5890]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 29 23:22:07 kelev pluto[5890]:   loaded cacert file 'cacert.pem' (1289 bytes)
Jun 29 23:22:08 kelev pluto[5890]: added connection description "here-there"
Jun 29 23:22:08 kelev pluto[5890]:   loaded host cert file '/etc/ipsec.d/certs/marcus.pem' (3661 bytes)
Jun 29 23:22:08 kelev pluto[5890]: listening for IKE messages
Jun 29 23:22:08 kelev pluto[5890]: adding interface eth2/eth2 aa.bb.cc.dd
Jun 29 23:22:08 kelev pluto[5890]: adding interface eth2/eth2 aa.bb.cc.dd:4500
Jun 29 23:22:08 kelev pluto[5890]: adding interface lo/lo 127.0.0.1
Jun 29 23:22:08 kelev pluto[5890]: adding interface lo/lo 127.0.0.1:4500
Jun 29 23:22:08 kelev pluto[5890]: adding interface lo/lo ::1
Jun 29 23:22:08 kelev pluto[5890]: adding interface lo/lo ::1:4500
Jun 29 23:22:08 kelev pluto[5890]: loading secrets from "/etc/ipsec.secrets"
Jun 29 23:22:08 kelev pluto[5890]:   loaded private key file '/etc/ipsec.d/private/user.pem' (1087 bytes)
Jun 29 23:22:09 kelev pluto[5890]: "here-there" #1: initiating Main Mode
Jun 29 23:22:09 kelev pluto[5890]: | **emit ISAKMP Message:
Jun 29 23:22:09 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:09 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:09 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:09 kelev pluto[5890]: |   00 00 00 00  00 00 00 00
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SA
Jun 29 23:22:09 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:09 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:09 kelev pluto[5890]: |    flags: none
Jun 29 23:22:09 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:09 kelev pluto[5890]: | ***emit ISAKMP Security Association Payload:
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: |    DOI: ISAKMP_DOI_IPSEC
Jun 29 23:22:09 kelev pluto[5890]: | ****emit IPsec DOI SIT:
Jun 29 23:22:09 kelev pluto[5890]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 29 23:22:09 kelev pluto[5890]: | ****emit ISAKMP Proposal Payload:
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: |    proposal number: 0
Jun 29 23:22:09 kelev pluto[5890]: |    protocol ID: PROTO_ISAKMP
Jun 29 23:22:09 kelev pluto[5890]: |    SPI size: 0
Jun 29 23:22:09 kelev pluto[5890]: |    number of transforms: 4
Jun 29 23:22:09 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ISAKMP):
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_T
Jun 29 23:22:09 kelev pluto[5890]: |    transform number: 0
Jun 29 23:22:09 kelev pluto[5890]: |    transform ID: KEY_IKE
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_TYPE
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_LIFE_SECONDS]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_DURATION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3600
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_3DES_CBC]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_MD5]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3
Jun 29 23:22:09 kelev pluto[5890]: |     [3 is OAKLEY_RSA_SIG]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Jun 29 23:22:09 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ISAKMP):
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_T
Jun 29 23:22:09 kelev pluto[5890]: |    transform number: 1
Jun 29 23:22:09 kelev pluto[5890]: |    transform ID: KEY_IKE
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_TYPE
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_LIFE_SECONDS]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_DURATION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3600
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_3DES_CBC]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 2
Jun 29 23:22:09 kelev pluto[5890]: |     [2 is OAKLEY_SHA]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3
Jun 29 23:22:09 kelev pluto[5890]: |     [3 is OAKLEY_RSA_SIG]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Jun 29 23:22:09 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ISAKMP):
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_T
Jun 29 23:22:09 kelev pluto[5890]: |    transform number: 2
Jun 29 23:22:09 kelev pluto[5890]: |    transform ID: KEY_IKE
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_TYPE
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_LIFE_SECONDS]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_DURATION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3600
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_3DES_CBC]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 2
Jun 29 23:22:09 kelev pluto[5890]: |     [2 is OAKLEY_SHA]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3
Jun 29 23:22:09 kelev pluto[5890]: |     [3 is OAKLEY_RSA_SIG]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 2
Jun 29 23:22:09 kelev pluto[5890]: |     [2 is OAKLEY_GROUP_MODP1024]
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Jun 29 23:22:09 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ISAKMP):
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: |    transform number: 3
Jun 29 23:22:09 kelev pluto[5890]: |    transform ID: KEY_IKE
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_TYPE
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_LIFE_SECONDS]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_DURATION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3600
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:09 kelev pluto[5890]: |     [5 is OAKLEY_3DES_CBC]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:09 kelev pluto[5890]: |     [1 is OAKLEY_MD5]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 3
Jun 29 23:22:09 kelev pluto[5890]: |     [3 is OAKLEY_RSA_SIG]
Jun 29 23:22:09 kelev pluto[5890]: | ******emit ISAKMP Oakley attribute:
Jun 29 23:22:09 kelev pluto[5890]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 29 23:22:09 kelev pluto[5890]: |    length/value: 2
Jun 29 23:22:09 kelev pluto[5890]: |     [2 is OAKLEY_GROUP_MODP1024]
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Proposal Payload: 136
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Security Association Payload: 148
Jun 29 23:22:09 kelev pluto[5890]: | out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
Jun 29 23:22:09 kelev pluto[5890]: | ***emit ISAKMP Vendor ID Payload:
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
Jun 29 23:22:09 kelev pluto[5890]: | V_ID  7d 94 19 a6  53 10 ca 6f  2c 17 9d 92  15 52 9d 56
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Vendor ID Payload: 20
Jun 29 23:22:09 kelev pluto[5890]: | out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
Jun 29 23:22:09 kelev pluto[5890]: | ***emit ISAKMP Vendor ID Payload:
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
Jun 29 23:22:09 kelev pluto[5890]: | V_ID  cd 60 46 43  35 df 21 f8  7c fd b2 fc  68 b6 a4 48
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Vendor ID Payload: 20
Jun 29 23:22:09 kelev pluto[5890]: | out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
Jun 29 23:22:09 kelev pluto[5890]: | ***emit ISAKMP Vendor ID Payload:
Jun 29 23:22:09 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:09 kelev pluto[5890]: | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
Jun 29 23:22:09 kelev pluto[5890]: | V_ID  44 85 15 2d  18 b6 bb cd  0b e8 a8 46  95 79 dd cc
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Vendor ID Payload: 20
Jun 29 23:22:09 kelev pluto[5890]: | emitting length of ISAKMP Message: 236
Jun 29 23:22:10 kelev pluto[5890]: |  
Jun 29 23:22:10 kelev pluto[5890]: | *received 100 bytes from XX.YY.ZZ.WW:500 on eth2
Jun 29 23:22:10 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SA
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:10 kelev pluto[5890]: |    flags: none
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:10 kelev pluto[5890]: |    length: 100
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Security Association Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_VID
Jun 29 23:22:10 kelev pluto[5890]: |    length: 52
Jun 29 23:22:10 kelev pluto[5890]: |    DOI: ISAKMP_DOI_IPSEC
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Vendor ID Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 20
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 29 23:22:10 kelev pluto[5890]: | ****parse IPsec DOI SIT:
Jun 29 23:22:10 kelev pluto[5890]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 29 23:22:10 kelev pluto[5890]: | ****parse ISAKMP Proposal Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 40
Jun 29 23:22:10 kelev pluto[5890]: |    proposal number: 0
Jun 29 23:22:10 kelev pluto[5890]: |    protocol ID: PROTO_ISAKMP
Jun 29 23:22:10 kelev pluto[5890]: |    SPI size: 0
Jun 29 23:22:10 kelev pluto[5890]: |    number of transforms: 1
Jun 29 23:22:10 kelev pluto[5890]: | *****parse ISAKMP Transform Payload (ISAKMP):
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 32
Jun 29 23:22:10 kelev pluto[5890]: |    transform number: 0
Jun 29 23:22:10 kelev pluto[5890]: |    transform ID: KEY_IKE
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_TYPE
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:10 kelev pluto[5890]: |    [1 is OAKLEY_LIFE_SECONDS]
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_LIFE_DURATION
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 3600
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_ENCRYPTION_ALGORITHM
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:10 kelev pluto[5890]: |    [5 is OAKLEY_3DES_CBC]
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_HASH_ALGORITHM
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:10 kelev pluto[5890]: |    [1 is OAKLEY_MD5]
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_AUTHENTICATION_METHOD
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 3
Jun 29 23:22:10 kelev pluto[5890]: |    [3 is OAKLEY_RSA_SIG]
Jun 29 23:22:10 kelev pluto[5890]: | ******parse ISAKMP Oakley attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: OAKLEY_GROUP_DESCRIPTION
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:10 kelev pluto[5890]: |    [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:10 kelev pluto[5890]: | Oakley Transform 0 accepted
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Jun 29 23:22:10 kelev pluto[5890]: | **emit ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_KE
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:10 kelev pluto[5890]: |    flags: none
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Key Exchange Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONCE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Key Exchange Payload: 196
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Nonce Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
Jun 29 23:22:10 kelev pluto[5890]: | Ni  44 46 19 42  c3 da f1 a0  5a 9c fc 83  fb 7b e2 99
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Nonce Payload: 20
Jun 29 23:22:10 kelev pluto[5890]: | sending NATD payloads
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP NAT-D Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NAT-D
Jun 29 23:22:10 kelev pluto[5890]: | emitting 16 raw bytes of NAT-D into ISAKMP NAT-D Payload
Jun 29 23:22:10 kelev pluto[5890]: | NAT-D  f0 80 9d 34  d7 b6 95 a6  16 3f 5f e0  1a 83 78 e1
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP NAT-D Payload: 20
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP NAT-D Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 16 raw bytes of NAT-D into ISAKMP NAT-D Payload
Jun 29 23:22:10 kelev pluto[5890]: | NAT-D  0c 16 ec 37  eb 01 94 aa  55 ac 20 bd  79 0d 56 a4
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP NAT-D Payload: 20
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Message: 284
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 29 23:22:10 kelev pluto[5890]: |  
Jun 29 23:22:10 kelev pluto[5890]: | *received 424 bytes from XX.YY.ZZ.WW:500 on eth2
Jun 29 23:22:10 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_KE
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:10 kelev pluto[5890]: |    flags: none
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:10 kelev pluto[5890]: |    length: 424
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Key Exchange Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONCE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 196
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Nonce Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_CR
Jun 29 23:22:10 kelev pluto[5890]: |    length: 20
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Certificate RequestPayload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NAT-D
Jun 29 23:22:10 kelev pluto[5890]: |    length: 139
Jun 29 23:22:10 kelev pluto[5890]: |    cert type: CERT_X509_SIGNATURE
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP NAT-D Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NAT-D
Jun 29 23:22:10 kelev pluto[5890]: |    length: 20
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP NAT-D Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 20
Jun 29 23:22:10 kelev pluto[5890]: | removing 1 bytes of padding
Jun 29 23:22:10 kelev pluto[5890]: | **emit ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:10 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:10 kelev pluto[5890]: | requested CA: 'C=SE, L=Stockholm, O=Example Software Solutions Stockholm AB, OU=Development, CN=Development CA'
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_CERT
Jun 29 23:22:10 kelev pluto[5890]: |    ID type: ID_USER_FQDN
Jun 29 23:22:10 kelev pluto[5890]: |    Protocol ID: 0
Jun 29 23:22:10 kelev pluto[5890]: |    port: 0
Jun 29 23:22:10 kelev pluto[5890]: | emitting 19 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
Jun 29 23:22:10 kelev pluto[5890]: | my identity  6d 61 72 63  75 73 40 64  61 63 74 79  6c 69 73 2e
Jun 29 23:22:10 kelev pluto[5890]: |   63 6f 6d
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 27
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Certificate Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_CR
Jun 29 23:22:10 kelev pluto[5890]: |    cert encoding: CERT_X509_SIGNATURE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 901 raw bytes of CERT into ISAKMP Certificate Payload
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Certificate Payload: 906
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Certificate RequestPayload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SIG
Jun 29 23:22:10 kelev pluto[5890]: |    cert type: CERT_X509_SIGNATURE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 134 raw bytes of CA into ISAKMP Certificate RequestPayload
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Certificate RequestPayload: 139
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Signature Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: | emitting 128 raw bytes of SIG_I into ISAKMP Signature Payload
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Signature Payload: 132
Jun 29 23:22:10 kelev pluto[5890]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Message: 1236
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 29 23:22:10 kelev pluto[5890]: |  
Jun 29 23:22:10 kelev pluto[5890]: | *received 76 bytes from XX.YY.ZZ.WW:4500 on eth2
Jun 29 23:22:10 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0d f3 8b 81  6a 4f fc 54
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   30 72 71 ec  6e 44 1c 68
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_INFO
Jun 29 23:22:10 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  3e e0 36 ab
Jun 29 23:22:10 kelev pluto[5890]: |    length: 76
Jun 29 23:22:10 kelev pluto[5890]: packet from XX.YY.ZZ.WW:4500: Informational Exchange is for an unknown (expired?) SA
Jun 29 23:22:10 kelev pluto[5890]: |  
Jun 29 23:22:10 kelev pluto[5890]: | *received 868 bytes from XX.YY.ZZ.WW:4500 on eth2
Jun 29 23:22:10 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_IDPROT
Jun 29 23:22:10 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  00 00 00 00
Jun 29 23:22:10 kelev pluto[5890]: |    length: 868
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Identification Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_CERT
Jun 29 23:22:10 kelev pluto[5890]: |    length: 22
Jun 29 23:22:10 kelev pluto[5890]: |    ID type: ID_FQDN
Jun 29 23:22:10 kelev pluto[5890]: |    DOI specific A: 0
Jun 29 23:22:10 kelev pluto[5890]: |    DOI specific B: 0
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Certificate Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SIG
Jun 29 23:22:10 kelev pluto[5890]: |    length: 679
Jun 29 23:22:10 kelev pluto[5890]: |    cert encoding: CERT_X509_SIGNATURE
Jun 29 23:22:10 kelev pluto[5890]: | ***parse ISAKMP Signature Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    length: 132
Jun 29 23:22:10 kelev pluto[5890]: | removing 7 bytes of padding
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: Peer ID is ID_FQDN: '@*.example.com'
Jun 29 23:22:10 kelev pluto[5890]: | Signature Algorithm: 'md5WithRSAEncryption'
Jun 29 23:22:10 kelev pluto[5890]: |   digest:  56 cf 1d f6  45 01 ed 63  8b 9d 3a 46  35 1d 99 bf
Jun 29 23:22:10 kelev pluto[5890]: |   decrypted signature: 
Jun 29 23:22:10 kelev pluto[5890]: |   00 00 01 ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
Jun 29 23:22:10 kelev pluto[5890]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
Jun 29 23:22:10 kelev last message repeated 3 times
Jun 29 23:22:10 kelev pluto[5890]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff 00 30
Jun 29 23:22:10 kelev pluto[5890]: |   20 30 0c 06  08 2a 86 48  86 f7 0d 02  05 05 00 04
Jun 29 23:22:10 kelev pluto[5890]: |   10 56 cf 1d  f6 45 01 ed  63 8b 9d 3a  46 35 1d 99
Jun 29 23:22:10 kelev pluto[5890]: |   bf
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: issuer crl not found
Jun 29 23:22:10 kelev pluto[5890]: |   not before  : May 25 23:11:35 UTC 2003
Jun 29 23:22:10 kelev pluto[5890]: |   current time: Jun 29 21:22:10 UTC 2004
Jun 29 23:22:10 kelev pluto[5890]: |   not after   : May 23 23:11:35 UTC 2008
Jun 29 23:22:10 kelev pluto[5890]: | Signature Algorithm: 'sha-1WithRSAEncryption'
Jun 29 23:22:10 kelev pluto[5890]: |   digest:  a9 4f ab ca  53 99 91 f8  c4 c4 43 f8  7d 59 dc 44
Jun 29 23:22:10 kelev pluto[5890]: |   3a 3a e8 a2
Jun 29 23:22:10 kelev pluto[5890]: |   decrypted signature: 
Jun 29 23:22:10 kelev pluto[5890]: |   00 00 01 ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
Jun 29 23:22:10 kelev pluto[5890]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff ff ff ff
Jun 29 23:22:10 kelev last message repeated 3 times
Jun 29 23:22:10 kelev pluto[5890]: |   ff ff ff ff  ff ff ff ff  ff ff ff ff  ff 00 30 21
Jun 29 23:22:10 kelev pluto[5890]: |   30 09 06 05  2b 0e 03 02  1a 05 00 04  14 a9 4f ab
Jun 29 23:22:10 kelev pluto[5890]: |   ca 53 99 91  f8 c4 c4 43  f8 7d 59 dc  44 3a 3a e8
Jun 29 23:22:10 kelev pluto[5890]: |   a2
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: issuer crl not found
Jun 29 23:22:10 kelev pluto[5890]: | Public key validated
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: ISAKMP SA established
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jun 29 23:22:10 kelev pluto[5890]: | **emit ISAKMP Message:
Jun 29 23:22:10 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:10 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:10 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:10 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:10 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_QUICK
Jun 29 23:22:10 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:10 kelev pluto[5890]: |    message ID:  af cf 20 a3
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Hash Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SA
Jun 29 23:22:10 kelev pluto[5890]: | emitting 16 zero bytes of HASH into ISAKMP Hash Payload
Jun 29 23:22:10 kelev pluto[5890]: | emitting length of ISAKMP Hash Payload: 20
Jun 29 23:22:10 kelev pluto[5890]: | ***emit ISAKMP Security Association Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONCE
Jun 29 23:22:10 kelev pluto[5890]: |    DOI: ISAKMP_DOI_IPSEC
Jun 29 23:22:10 kelev pluto[5890]: | ****emit IPsec DOI SIT:
Jun 29 23:22:10 kelev pluto[5890]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 29 23:22:10 kelev pluto[5890]: | ****emit ISAKMP Proposal Payload:
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:10 kelev pluto[5890]: |    proposal number: 0
Jun 29 23:22:10 kelev pluto[5890]: |    protocol ID: PROTO_IPSEC_ESP
Jun 29 23:22:10 kelev pluto[5890]: |    SPI size: 4
Jun 29 23:22:10 kelev pluto[5890]: |    number of transforms: 2
Jun 29 23:22:10 kelev pluto[5890]: | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
Jun 29 23:22:10 kelev pluto[5890]: | SPI  b3 f4 c3 6c
Jun 29 23:22:10 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ESP):
Jun 29 23:22:10 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_T
Jun 29 23:22:10 kelev pluto[5890]: |    transform number: 0
Jun 29 23:22:10 kelev pluto[5890]: |    transform ID: ESP_3DES
Jun 29 23:22:10 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:10 kelev pluto[5890]: |    af+type: GROUP_DESCRIPTION
Jun 29 23:22:10 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:10 kelev pluto[5890]: |     [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: ENCAPSULATION_MODE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 61443
Jun 29 23:22:11 kelev pluto[5890]: |     [61443 is ENCAPSULATION_MODE_UDP_TUNNEL]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_TYPE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:11 kelev pluto[5890]: |     [1 is SA_LIFE_TYPE_SECONDS]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_DURATION
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 28800
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: AUTH_ALGORITHM
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:11 kelev pluto[5890]: |     [1 is AUTH_ALGORITHM_HMAC_MD5]
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ESP): 28
Jun 29 23:22:11 kelev pluto[5890]: | *****emit ISAKMP Transform Payload (ESP):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: |    transform number: 1
Jun 29 23:22:11 kelev pluto[5890]: |    transform ID: ESP_3DES
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: GROUP_DESCRIPTION
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:11 kelev pluto[5890]: |     [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: ENCAPSULATION_MODE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 61443
Jun 29 23:22:11 kelev pluto[5890]: |     [61443 is ENCAPSULATION_MODE_UDP_TUNNEL]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_TYPE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:11 kelev pluto[5890]: |     [1 is SA_LIFE_TYPE_SECONDS]
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_DURATION
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 28800
Jun 29 23:22:11 kelev pluto[5890]: | ******emit ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: AUTH_ALGORITHM
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 2
Jun 29 23:22:11 kelev pluto[5890]: |     [2 is AUTH_ALGORITHM_HMAC_SHA1]
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Transform Payload (ESP): 28
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Proposal Payload: 68
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Security Association Payload: 80
Jun 29 23:22:11 kelev pluto[5890]: | ***emit ISAKMP Nonce Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_KE
Jun 29 23:22:11 kelev pluto[5890]: | emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
Jun 29 23:22:11 kelev pluto[5890]: | Ni  88 8b c2 8b  25 32 7f f9  7b ce 4b a3  8e a1 1e 92
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Nonce Payload: 20
Jun 29 23:22:11 kelev pluto[5890]: | ***emit ISAKMP Key Exchange Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:11 kelev pluto[5890]: | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Key Exchange Payload: 196
Jun 29 23:22:11 kelev pluto[5890]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:11 kelev pluto[5890]: |    ID type: ID_IPV4_ADDR_SUBNET
Jun 29 23:22:11 kelev pluto[5890]: |    Protocol ID: 0
Jun 29 23:22:11 kelev pluto[5890]: |    port: 0
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
Jun 29 23:22:11 kelev pluto[5890]: | client network  52 d6 01 a1
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
Jun 29 23:22:11 kelev pluto[5890]: | client mask  ff ff ff ff
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
Jun 29 23:22:11 kelev pluto[5890]: | ***emit ISAKMP Identification Payload (IPsec DOI):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: |    ID type: ID_IPV4_ADDR_SUBNET
Jun 29 23:22:11 kelev pluto[5890]: |    Protocol ID: 0
Jun 29 23:22:11 kelev pluto[5890]: |    port: 0
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
Jun 29 23:22:11 kelev pluto[5890]: | client network  c0 a8 01 00
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
Jun 29 23:22:11 kelev pluto[5890]: | client mask  ff ff ff 00
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Message: 380
Jun 29 23:22:11 kelev pluto[5890]: |  
Jun 29 23:22:11 kelev pluto[5890]: | *received 348 bytes from XX.YY.ZZ.WW:4500 on eth2
Jun 29 23:22:11 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:11 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:11 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:11 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:11 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:11 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:11 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_QUICK
Jun 29 23:22:11 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:11 kelev pluto[5890]: |    message ID:  af cf 20 a3
Jun 29 23:22:11 kelev pluto[5890]: |    length: 348
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Hash Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_SA
Jun 29 23:22:11 kelev pluto[5890]: |    length: 20
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Security Association Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONCE
Jun 29 23:22:11 kelev pluto[5890]: |    length: 52
Jun 29 23:22:11 kelev pluto[5890]: |    DOI: ISAKMP_DOI_IPSEC
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Nonce Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_KE
Jun 29 23:22:11 kelev pluto[5890]: |    length: 20
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Key Exchange Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:11 kelev pluto[5890]: |    length: 196
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_ID
Jun 29 23:22:11 kelev pluto[5890]: |    length: 16
Jun 29 23:22:11 kelev pluto[5890]: |    ID type: ID_IPV4_ADDR_SUBNET
Jun 29 23:22:11 kelev pluto[5890]: |    Protocol ID: 0
Jun 29 23:22:11 kelev pluto[5890]: |    port: 0
Jun 29 23:22:11 kelev pluto[5890]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: |    length: 16
Jun 29 23:22:11 kelev pluto[5890]: |    ID type: ID_IPV4_ADDR_SUBNET
Jun 29 23:22:11 kelev pluto[5890]: |    Protocol ID: 0
Jun 29 23:22:11 kelev pluto[5890]: |    port: 0
Jun 29 23:22:11 kelev pluto[5890]: | **emit ISAKMP Message:
Jun 29 23:22:11 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:11 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:11 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:11 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:11 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:11 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_QUICK
Jun 29 23:22:11 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:11 kelev pluto[5890]: |    message ID:  af cf 20 a3
Jun 29 23:22:11 kelev pluto[5890]: | ****parse IPsec DOI SIT:
Jun 29 23:22:11 kelev pluto[5890]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Jun 29 23:22:11 kelev pluto[5890]: | ****parse ISAKMP Proposal Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: |    length: 40
Jun 29 23:22:11 kelev pluto[5890]: |    proposal number: 0
Jun 29 23:22:11 kelev pluto[5890]: |    protocol ID: PROTO_IPSEC_ESP
Jun 29 23:22:11 kelev pluto[5890]: |    SPI size: 4
Jun 29 23:22:11 kelev pluto[5890]: |    number of transforms: 1
Jun 29 23:22:11 kelev pluto[5890]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
Jun 29 23:22:11 kelev pluto[5890]: | SPI  ec 83 14 38
Jun 29 23:22:11 kelev pluto[5890]: | *****parse ISAKMP Transform Payload (ESP):
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: |    length: 28
Jun 29 23:22:11 kelev pluto[5890]: |    transform number: 0
Jun 29 23:22:11 kelev pluto[5890]: |    transform ID: ESP_3DES
Jun 29 23:22:11 kelev pluto[5890]: | ******parse ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: GROUP_DESCRIPTION
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 5
Jun 29 23:22:11 kelev pluto[5890]: |    [5 is OAKLEY_GROUP_MODP1536 (extension)]
Jun 29 23:22:11 kelev pluto[5890]: | ******parse ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: ENCAPSULATION_MODE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 61443
Jun 29 23:22:11 kelev pluto[5890]: |    [61443 is ENCAPSULATION_MODE_UDP_TUNNEL]
Jun 29 23:22:11 kelev pluto[5890]: | ******parse ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_TYPE
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:11 kelev pluto[5890]: |    [1 is SA_LIFE_TYPE_SECONDS]
Jun 29 23:22:11 kelev pluto[5890]: | ******parse ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: SA_LIFE_DURATION
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 28800
Jun 29 23:22:11 kelev pluto[5890]: | ******parse ISAKMP IPsec DOI attribute:
Jun 29 23:22:11 kelev pluto[5890]: |    af+type: AUTH_ALGORITHM
Jun 29 23:22:11 kelev pluto[5890]: |    length/value: 1
Jun 29 23:22:11 kelev pluto[5890]: |    [1 is AUTH_ALGORITHM_HMAC_MD5]
Jun 29 23:22:11 kelev pluto[5890]: | our client is subnet aa.bb.cc.dd/32
Jun 29 23:22:11 kelev pluto[5890]: | our client protocol/port is 0/0
Jun 29 23:22:11 kelev pluto[5890]: | peer client is subnet 192.168.1.0/24
Jun 29 23:22:11 kelev pluto[5890]: | peer client protocol/port is 0/0
Jun 29 23:22:11 kelev pluto[5890]: | ***emit ISAKMP Hash Payload:
Jun 29 23:22:11 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_NONE
Jun 29 23:22:11 kelev pluto[5890]: | emitting 16 zero bytes of HASH into ISAKMP Hash Payload
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Hash Payload: 20
Jun 29 23:22:11 kelev pluto[5890]: | emitting 4 zero bytes of encryption padding into ISAKMP Message
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Message: 52
Jun 29 23:22:11 kelev pluto[5890]: "here-there" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 29 23:22:11 kelev pluto[5890]: "here-there" #2: sent QI2, IPsec SA established {ESP=>0xec831438 <0xb3f4c36c}
Jun 29 23:22:21 kelev pluto[5890]: |  
Jun 29 23:22:21 kelev pluto[5890]: | *received 348 bytes from XX.YY.ZZ.WW:4500 on eth2
Jun 29 23:22:21 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:21 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:21 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:21 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:21 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:21 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:21 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:21 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_QUICK
Jun 29 23:22:21 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:21 kelev pluto[5890]: |    message ID:  af cf 20 a3
Jun 29 23:22:21 kelev pluto[5890]: |    length: 348
Jun 29 23:22:21 kelev pluto[5890]: "here-there" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Jun 29 23:22:41 kelev pluto[5890]: |  
Jun 29 23:22:41 kelev pluto[5890]: | *received 348 bytes from XX.YY.ZZ.WW:4500 on eth2
Jun 29 23:22:41 kelev pluto[5890]: | **parse ISAKMP Message:
Jun 29 23:22:41 kelev pluto[5890]: |    initiator cookie:
Jun 29 23:22:41 kelev pluto[5890]: |   f6 26 59 be  12 66 73 e4
Jun 29 23:22:41 kelev pluto[5890]: |    responder cookie:
Jun 29 23:22:41 kelev pluto[5890]: |   0f e0 31 8d  3f c4 4e c5
Jun 29 23:22:41 kelev pluto[5890]: |    next payload type: ISAKMP_NEXT_HASH
Jun 29 23:22:41 kelev pluto[5890]: |    ISAKMP version: ISAKMP Version 1.0
Jun 29 23:22:41 kelev pluto[5890]: |    exchange type: ISAKMP_XCHG_QUICK
Jun 29 23:22:41 kelev pluto[5890]: |    flags: ISAKMP_FLAG_ENCRYPTION
Jun 29 23:22:41 kelev pluto[5890]: |    message ID:  af cf 20 a3
Jun 29 23:22:41 kelev pluto[5890]: |    length: 348
Jun 29 23:22:41 kelev pluto[5890]: "here-there" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
---------------------------------------------------------------------

(Notice the last error message.)

Here is a corresponding /var/log/secure for the responder (taken at a 
different time though):

-------------------------------------------------------------

Jun 29 23:22:22 kakmonster pluto[14558]: packet from aa.bb.cc.dd:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 29 23:22:22 kakmonster pluto[14558]: packet from aa.bb.cc.dd:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Jun 29 23:22:22 kakmonster pluto[14558]: packet from aa.bb.cc.dd:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 29 23:22:22 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: responding to Main Mode from unknown peer aa.bb.cc.dd
Jun 29 23:22:22 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: transition from state (null) to state STATE_MAIN_R1
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: Peer ID is ID_USER_FQDN: 'user@example.com'
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: issuer crl not found
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[12] aa.bb.cc.dd #20: issuer crl not found
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd #20: deleting connection "rw" instance with peer aa.bb.cc.dd {isakmp=#0/ipsec=#0}
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd #20: deleting connection "rw" instance with peer aa.bb.cc.dd {isakmp=#18/ipsec=#0}
Jun 29 23:22:23 kakmonster pluto[14558]: "rw" #18: deleting state (STATE_MAIN_R3)
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd #20: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 29 23:22:23 kakmonster pluto[14558]: | NAT-T: new mapping aa.bb.cc.dd:500/4500)
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #20: sent MR3, ISAKMP SA established
Jun 29 23:22:24 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: responding to Quick Mode
Jun 29 23:22:24 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: transition from state (null) to state STATE_QUICK_R1
Jun 29 23:23:34 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: max number of retransmissions (2) reached STATE_QUICK_R1

--------------------------------------------------------------





ipsec.conf for the initiator:
--------------------------------------------------------
version 2

# basic configuration
config setup
    interfaces="%defaultroute"
    nat_traversal=yes

conn %default
    authby=rsasig
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=user.pem
    leftid=user@example.com

conn here-there
    right=XX.YY.ZZ.WW
    rightsubnet=192.168.1.0/24
    rightca="C=SE, O=Example Co, CN=Development CA"
    leftsendcert=always
    auto=add
    rightid=@*.example.com

include ipsec.d/examples/no_oe.conf
--------------------------------------------------------------



ipsec.conf for the responder:

--------------------------------------------------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
    nat_traversal=yes
    plutodebug="parsing emitting control"

conn %default
    authby=rsasig
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=kakmonster.pem
    leftsubnet=192.168.1.0/24
    leftid=@*.example.com
    leftsendcert=always

conn rw
    right=%any
    rightca="C=SE, O=Example Co, CN=Development CA"
    auto=add

include ipsec.d/examples/no_oe.conf
------------------------------------------------------------------


Does anyone have any ideas?

Thanks,

Marcus B.
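
The stall visible in the two logs above, as an added example that is not part of the original post: a small Python parser for pluto's syslog records that tracks each state's last transition and flags the two retransmission messages. It assumes one log record per line (no e-mail line wrapping); the function names and the embedded excerpts' selection are this example's own.

```python
import re
from collections import defaultdict

# Syslog prefix written by pluto: "Jun 29 23:22:11 host pluto[pid]: rest"
LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} (\S+) pluto\[\d+\]: (.*)$')
# State-scoped message: "conn"[instance] peer[:port] #serial: text
STATE_MSG = re.compile(r'^"([^"]+)"(?:\[\d+\])?(?: \S+)? #(\d+): (.*)$')
TRANSITION = re.compile(r'transition from state \S+ to state (STATE_\w+)')
DUPLICATE = re.compile(r'retransmitting in response to duplicate packet; already STATE_\w+')
GAVE_UP = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')

# Excerpts of the two logs in the post, one record per line.
INITIATOR_LOG = '''\
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 29 23:22:10 kelev pluto[5890]: "here-there" #1: ISAKMP SA established
Jun 29 23:22:11 kelev pluto[5890]: | emitting length of ISAKMP Message: 52
Jun 29 23:22:11 kelev pluto[5890]: "here-there" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 29 23:22:11 kelev pluto[5890]: "here-there" #2: sent QI2, IPsec SA established {ESP=>0xec831438 <0xb3f4c36c}
Jun 29 23:22:21 kelev pluto[5890]: "here-there" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Jun 29 23:22:41 kelev pluto[5890]: "here-there" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
'''
RESPONDER_LOG = '''\
Jun 29 23:22:23 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #20: sent MR3, ISAKMP SA established
Jun 29 23:22:24 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: responding to Quick Mode
Jun 29 23:22:24 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: transition from state (null) to state STATE_QUICK_R1
Jun 29 23:23:34 kakmonster pluto[14558]: "rw"[13] aa.bb.cc.dd:4500 #21: max number of retransmissions (2) reached STATE_QUICK_R1
'''


def summarize(log_text):
    """Map (host, conn, serial) -> last state, duplicate count, give-up state."""
    states = defaultdict(lambda: {"state": None, "duplicates": 0, "gave_up_in": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2).startswith("|"):
            continue  # not a pluto record, or a "|" debug dump line
        sm = STATE_MSG.match(m.group(2))
        if not sm:
            continue  # "packet from ..." and other messages not tied to a state
        rec = states[(m.group(1), sm.group(1), int(sm.group(2)))]
        msg = sm.group(3)
        if (t := TRANSITION.search(msg)):
            rec["state"] = t.group(1)
        elif DUPLICATE.search(msg):
            rec["duplicates"] += 1
        elif (g := GAVE_UP.search(msg)):
            rec["gave_up_in"] = g.group(1)
    return dict(states)


def diagnose(initiator_log, responder_log):
    """Return findings for the Quick Mode stall shown in the post."""
    findings = []
    ini_hit = rsp_hit = False
    for (host, conn, serial), rec in summarize(initiator_log).items():
        # Initiator has sent the third Quick Mode message but keeps seeing
        # the responder's second message again.
        if rec["state"] == "STATE_QUICK_I2" and rec["duplicates"]:
            ini_hit = True
            findings.append(f'{host} "{conn}" #{serial}: sent QI2, then answered '
                            f'{rec["duplicates"]} duplicate packet(s) from the peer')
    for (host, conn, serial), rec in summarize(responder_log).items():
        # Responder timed out still waiting for that third message.
        if rec["gave_up_in"] == "STATE_QUICK_R1":
            rsp_hit = True
            findings.append(f'{host} "{conn}" #{serial}: gave up in STATE_QUICK_R1, '
                            'so it never accepted a QI2')
    if ini_hit and rsp_hit:
        findings.append("both ends agree: QI2 is sent but never completes on the "
                        "responder; the initiator's 'IPsec SA established' is one-sided")
    return findings


if __name__ == "__main__":
    for finding in diagnose(INITIATOR_LOG, RESPONDER_LOG):
        print(finding)
```

Because the two logs in the post were captured at different times, the script matches the two ends by symptom rather than by timestamp.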

