[Openswan Users] Stuck Connection

Mark Olliver mark at olliver.me.uk
Tue Oct 10 10:20:08 EDT 2006



Hi,

I am having a problem with a new setup. Below is a description of my
network, along with the configuration and iptables rules. Any help would be
appreciated.

Regards,

Mark


Local Lan 192.168.242.0/24 eth0
	|
Local Firewall ipsec0
	|
Local Public 81.17.242.10 eth1
	|
	|
Remote Public 212.159.53.154 eth1
	|
Remote Firewall ipsec0
	|
Remote Lan 192.168.234.0/23 eth0
	

If I ping a host on the remote lan from the local lan, I can see the packets
via tcpdump on the remote lan box; I can also see the replies. If I do a
tcpdump on remote ipsec0, I can still see these packets, both request and
reply. However, on Local ipsec0 I can only see the request and not the
reply.

Config Settings
conn ielan-ukoflan
        leftsubnet=192.168.242.0/24
        rightsubnet=192.168.234.0/24
        also=iecollo-ukoffice

conn iecollo-ukoflan
        leftsubnet=81.17.242.10/32
        rightsubnet=192.168.234.0/24
        also=iecollo-ukoffice

conn iecollo-ukoffice
        left=81.17.242.10
        right=212.159.53.154
        type=tunnel
        dpddelay=9
        dpdtimeout=30
        dpdaction=restart
        pfs=yes
        rekey=yes
        rekeymargin=600
        rekeyfuzz=100%
        keylife=3600
        keyingtries=10
        ikelifetime=28800
        compress=yes
        authby=secret
        auto=start



iptables script
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -X

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#IPSEC Rules
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -o ipsec0 --sport 1701 -j ACCEPT
iptables -A INPUT -p udp -i ipsec0 --sport 1701 -j ACCEPT

#General Accept
iptables -A FORWARD -i ipsec0 -j ACCEPT
iptables -A OUTPUT -o ipsec0 -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

iptables -A OUTPUT -o eth1  -m state --state NEW -j ACCEPT

#ICMP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.242.0/24 -d \! 192.168.234.0/24 -o eth1 -j SNAT --to 81.17.242.81


ipsec look output
ie-fw1.thermeon.eu Tue Oct 10 15:06:59 BST 2006
81.17.242.10/32    -> 192.168.234.0/24   => tun0x1008 at 212.159.53.154
comp0xa624 at 212.159.53.154 esp0xee37a1cd at 212.159.53.154  (15)
81.17.242.10/32    -> 212.159.53.154/32  => tun0x1004 at 212.159.53.154
comp0xa622 at 212.159.53.154 esp0xee37a1cb at 212.159.53.154  (18)
192.168.242.0/24   -> 192.168.234.0/24   => tun0x1006 at 212.159.53.154
comp0xa623 at 212.159.53.154 esp0xee37a1cc at 212.159.53.154  (3)
ipsec0->eth1 mtu=16260(1500)->1500
comp0xa621 at 212.159.53.154 COMP_DEFLATE: dir=out src=81.17.242.10
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=19
comp0xa622 at 212.159.53.154 COMP_DEFLATE: dir=out src=81.17.242.10
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=35
comp0xa623 at 212.159.53.154 COMP_DEFLATE: dir=out src=81.17.242.10
life(c,s,h)=bytes(312,0,0)addtime(783,0,0)usetime(701,0,0)packets(3,0,0)
idle=699 ratio=312:312 natencap=none natsport=0 natdport=0 refcount=5 ref=51
comp0xa624 at 212.159.53.154 COMP_DEFLATE: dir=out src=81.17.242.10
life(c,s,h)=bytes(1560,0,0)addtime(723,0,0)usetime(694,0,0)packets(15,0,0)
idle=680 ratio=1560:1560 natencap=none natsport=0 natdport=0 refcount=5
ref=67
comp0xdaea at 81.17.242.10 COMP_DEFLATE: dir=in  src=212.159.53.154
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=11
comp0xdaeb at 81.17.242.10 COMP_DEFLATE: dir=in  src=212.159.53.154
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=27
comp0xdaec at 81.17.242.10 COMP_DEFLATE: dir=in  src=212.159.53.154
life(c,s,h)=addtime(783,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=43
comp0xdaed at 81.17.242.10 COMP_DEFLATE: dir=in  src=212.159.53.154
life(c,s,h)=addtime(723,0,0) natencap=none natsport=0 natdport=0 refcount=5
ref=59
esp0x6f27582e at 81.17.242.10 ESP_AES_HMAC_SHA1: dir=in  src=212.159.53.154
iv_bits=128bits iv=0x9048ed1ec176e6980d6722bc5d471faa ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(784,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=12
esp0x6f27582f at 81.17.242.10 ESP_AES_HMAC_SHA1: dir=in  src=212.159.53.154
iv_bits=128bits iv=0x52c03329a2fc1dc15d143c34c8f00fab ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(784,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=28
esp0x6f275830 at 81.17.242.10 ESP_AES_HMAC_SHA1: dir=in  src=212.159.53.154
iv_bits=128bits iv=0x66b862676fc95ef970cfab11d57a8304 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(783,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=44
esp0x6f275831 at 81.17.242.10 ESP_3DES_HMAC_SHA1: dir=in  src=212.159.53.154
iv_bits=64bits iv=0xbdeeb91bdea92eb5 ooowin=64 alen=160 aklen=160 eklen=192
life(c,s,h)=addtime(723,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=60
esp0xee37a1ca at 212.159.53.154 ESP_AES_HMAC_SHA1: dir=out src=81.17.242.10
iv_bits=128bits iv=0x255c7a8d94d7b992f40cc7c9659158b2 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(784,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=20
esp0xee37a1cb at 212.159.53.154 ESP_AES_HMAC_SHA1: dir=out src=81.17.242.10
iv_bits=128bits iv=0xc1b050b03948d708ac1f9df573bd0d21 ooowin=64 alen=160
aklen=160 eklen=128 life(c,s,h)=addtime(784,0,0) natencap=none natsport=0
natdport=0 refcount=4 ref=36
esp0xee37a1cc at 212.159.53.154 ESP_AES_HMAC_SHA1: dir=out src=81.17.242.10
iv_bits=128bits iv=0xa492f682cb38720363b778e7915315ce ooowin=64 seq=3
alen=160 aklen=160 eklen=128
life(c,s,h)=bytes(456,0,0)addtime(783,0,0)usetime(701,0,0)packets(3,0,0)
idle=699 natencap=none natsport=0 natdport=0 refcount=4 ref=52
esp0xee37a1cd at 212.159.53.154 ESP_3DES_HMAC_SHA1: dir=out src=81.17.242.10
iv_bits=64bits iv=0xe9e29f8493c4a07c ooowin=64 seq=15 alen=160 aklen=160
eklen=192
life(c,s,h)=bytes(2040,0,0)addtime(723,0,0)usetime(694,0,0)packets(15,0,0)
idle=680 natencap=none natsport=0 natdport=0 refcount=4 ref=68
tun0x1001 at 81.17.242.10 IPIP: dir=in  src=212.159.53.154
policy=192.168.234.0/24->81.17.242.10/32 flags=0x8<>
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=10
tun0x1002 at 212.159.53.154 IPIP: dir=out src=81.17.242.10
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=18
tun0x1003 at 81.17.242.10 IPIP: dir=in  src=212.159.53.154
policy=212.159.53.154/32->81.17.242.10/32 flags=0x8<>
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=26
tun0x1004 at 212.159.53.154 IPIP: dir=out src=81.17.242.10
life(c,s,h)=addtime(784,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=34
tun0x1005 at 81.17.242.10 IPIP: dir=in  src=212.159.53.154
policy=192.168.234.0/24->192.168.242.0/24 flags=0x8<>
life(c,s,h)=addtime(783,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=42
tun0x1006 at 212.159.53.154 IPIP: dir=out src=81.17.242.10
life(c,s,h)=bytes(312,0,0)addtime(783,0,0)usetime(701,0,0)packets(3,0,0)
idle=699 natencap=none natsport=0 natdport=0 refcount=7 ref=50
tun0x1007 at 81.17.242.10 IPIP: dir=in  src=212.159.53.154
policy=192.168.234.0/24->81.17.242.10/32 flags=0x8<>
life(c,s,h)=addtime(723,0,0) natencap=none natsport=0 natdport=0 refcount=4
ref=58
tun0x1008 at 212.159.53.154 IPIP: dir=out src=81.17.242.10
life(c,s,h)=bytes(1560,0,0)addtime(723,0,0)usetime(694,0,0)packets(15,0,0)
idle=680 natencap=none natsport=0 natdport=0 refcount=19 ref=66
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         81.17.242.9     0.0.0.0         UG        0 0          0 eth1
192.168.234.0   0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
212.159.53.154  0.0.0.0         255.255.255.255 UH        0 0          0 ipsec0
81.17.242.8     0.0.0.0         255.255.255.252 U         0 0          0 eth1
81.17.242.8     0.0.0.0         255.255.255.252 U         0 0          0 ipsec0
81.17.242.80    0.0.0.0         255.255.255.252 U         0 0          0 eth1



Secure log
Oct 10 14:53:53 ie-fw1 ipsec__plutorun: Starting Pluto subsystem...
Oct 10 14:53:53 ie-fw1 pluto[7054]: Starting Pluto (Openswan Version 2.4.6
X.509-1.5.4 PLUTO_USES_KEYRR)
Oct 10 14:53:53 ie-fw1 pluto[7054]: Setting NAT-Traversal port-4500 floating
to on
Oct 10 14:53:53 ie-fw1 pluto[7054]:    port floating activation criteria
nat_t=1/port_fload=1
Oct 10 14:53:53 ie-fw1 pluto[7054]:   including NAT-Traversal patch (Version
0.6c)
Oct 10 14:53:53 ie-fw1 pluto[7054]: 1 bad entries in virtual_private - none
loaded
Oct 10 14:53:53 ie-fw1 pluto[7054]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Oct 10 14:53:53 ie-fw1 pluto[7054]: WARNING: Using /dev/urandom as the
source of random
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Oct 10 14:53:53 ie-fw1 pluto[7054]: no helpers will be started, all
cryptographic operations will be done inline
Oct 10 14:53:53 ie-fw1 pluto[7054]: Using KLIPS IPsec interface code on
2.6.18
Oct 10 14:53:53 ie-fw1 pluto[7054]: Changing to directory
'/etc/ipsec.d/cacerts'
Oct 10 14:53:53 ie-fw1 pluto[7054]:   loaded CA cert file 'caCert.pem' (1346
bytes)
Oct 10 14:53:53 ie-fw1 pluto[7054]: Changing to directory
'/etc/ipsec.d/aacerts'
Oct 10 14:53:53 ie-fw1 pluto[7054]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Oct 10 14:53:53 ie-fw1 pluto[7054]: Changing to directory
'/etc/ipsec.d/crls'
Oct 10 14:53:53 ie-fw1 pluto[7054]:   Warning: empty directory
Oct 10 14:53:53 ie-fw1 pluto[7054]: added connection description
"ielan-ukoflan"
Oct 10 14:53:53 ie-fw1 pluto[7054]: added connection description
"iecollo-ukoffice"
Oct 10 14:53:54 ie-fw1 pluto[7054]: added connection description
"iecollo-ukoflan"
Oct 10 14:53:54 ie-fw1 pluto[7054]: listening for IKE messages
Oct 10 14:53:54 ie-fw1 pluto[7054]: adding interface ipsec0/eth1
81.17.242.10:500
Oct 10 14:53:54 ie-fw1 pluto[7054]: adding interface ipsec0/eth1
81.17.242.10:4500
Oct 10 14:53:54 ie-fw1 pluto[7054]: loading secrets from
"/etc/ipsec.secrets"
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: initiating Main Mode
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: received Vendor ID
payload [Dead Peer Detection]
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: enabling possible
NAT-traversal with method RFC 3947 (NAT-Traversal)
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: I did not send a
certificate because I do not have one.
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: Main mode peer ID is
ID_IPV4_ADDR: '212.159.53.154'
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #1: Dead Peer Detection
(RFC 3706): enabled
Oct 10 14:53:54 ie-fw1 pluto[7054]: "iecollo-ukoflan" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Oct 10 14:53:54 ie-fw1 pluto[7054]: "iecollo-ukoffice" #3: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Oct 10 14:53:54 ie-fw1 pluto[7054]: "ielan-ukoflan" #4: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoflan" #2: Dead Peer
Detection (RFC 3706): enabled
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoflan" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoflan" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xee37a1ca <0x6f27582e xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000a621 <0x0000daea NATD=none DPD=enabled}
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoffice" #3: Dead Peer
Detection (RFC 3706): enabled
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoffice" #3: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 10 14:53:55 ie-fw1 pluto[7054]: "iecollo-ukoffice" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xee37a1cb <0x6f27582f xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000a622 <0x0000daeb NATD=none DPD=enabled}
Oct 10 14:53:55 ie-fw1 pluto[7054]: packet from 212.159.53.154:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Oct 10 14:53:55 ie-fw1 pluto[7054]: "ielan-ukoflan" #4: Dead Peer Detection
(RFC 3706): enabled
Oct 10 14:53:55 ie-fw1 pluto[7054]: "ielan-ukoflan" #4: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 10 14:53:55 ie-fw1 pluto[7054]: "ielan-ukoflan" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xee37a1cc <0x6f275830 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000a623 <0x0000daec NATD=none DPD=enabled}
Oct 10 14:54:16 ie-fw1 pluto[7054]: packet from 212.159.53.154:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: responding to
Quick Mode {msgid:109f07f8}
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: Dead Peer
Detection (RFC 3706): enabled
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 10 14:54:56 ie-fw1 pluto[7054]: "iecollo-ukoflan" #5: STATE_QUICK_R2: IPsec SA established {ESP=>0xee37a1cd <0x6f275831 xfrm=3DES_0-HMAC_SHA1 IPCOMP=>0x0000a624 <0x0000daed NATD=none DPD=enabled}


Remote Log
Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: responding to Main Mode 
Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected 
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_0" #140: sent MR3, ISAKMP SA
established 
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: using deflate compression 
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: responding to Quick Mode 
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_2" #142: using deflate compression 
Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_2" #142: responding to Quick Mode 
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_2" #142: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_0" #143: using deflate compression 
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_0" #143: responding to Quick Mode 
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_0" #143: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_1" #141: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_1" #141: IPsec SA established 
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_2" #142: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_2" #142: IPsec SA established 
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_0" #143: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:39:17 Pluto[194]: "OFFICE-IE_0" #143: IPsec SA established 
Oct 10 14:39:31 httpd: Authentication successful for root from
192.168.234.63  
Oct 10 14:40:17 Pluto[194]: "OFFICE-IE_1" #139: max number of
retransmissions (2) reached STATE_QUICK_I1 
Oct 10 14:40:17 Pluto[194]: "OFFICE-IE_1" #139: starting keying attempt 13
of an unlimited number 
Oct 10 14:40:17 Pluto[194]: "OFFICE-IE_1" #144: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #139 
Oct 10 14:40:17 Pluto[194]: "OFFICE-IE_1" #144: using deflate compression 
Oct 10 14:40:17 Pluto[194]: "OFFICE-IE_1" #144: sent QI2, IPsec SA
established 
Oct 10 14:40:21 httpd: Authentication successful for root from
192.168.234.63  
Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: using deflate compression 
Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: responding to Quick Mode 
Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: ESP transform ESP_AES / auth
AUTH_ALGORITHM_HMAC_SHA1 implemented  
Oct 10 14:42:48 Pluto[194]: "OFFICE-IE_2" #145: discarding duplicate packet;
already STATE_QUICK_R1 
Oct 10 14:43:49 last message repeated 1 time(s) 
Oct 10 14:43:49 Pluto[194]: "OFFICE-IE_2" #145: max number of
retransmissions (2) reached STATE_QUICK_R1
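
The symptom described in the post (requests leave, replies never show up on the local ipsec0) can be cross-checked against the per-SA counters in the `ipsec look` output. The following is an added example, not part of the original post: it parses SA lines in the format shown above and lists peers whose ESP SAs have carried outbound packets but no inbound ones. The function names are hypothetical, and the sample lines are taken from the post with the line wrapping undone and the IV and NAT fields dropped.

```python
import re

# SA lines from the `ipsec look` output in the post, unwrapped and abridged.
# The list archive renders "@" as " at "; the parser accepts either form.
SAMPLE = """\
esp0x6f275830 at 81.17.242.10 ESP_AES_HMAC_SHA1: dir=in  src=212.159.53.154 ooowin=64 life(c,s,h)=addtime(783,0,0) refcount=4 ref=44
esp0xee37a1cc at 212.159.53.154 ESP_AES_HMAC_SHA1: dir=out src=81.17.242.10 ooowin=64 seq=3 life(c,s,h)=bytes(456,0,0)addtime(783,0,0)usetime(701,0,0)packets(3,0,0) idle=699 refcount=4 ref=52
tun0x1005 at 81.17.242.10 IPIP: dir=in  src=212.159.53.154 policy=192.168.234.0/24->192.168.242.0/24 flags=0x8<> life(c,s,h)=addtime(783,0,0) refcount=4 ref=42
tun0x1006 at 212.159.53.154 IPIP: dir=out src=81.17.242.10 life(c,s,h)=bytes(312,0,0)addtime(783,0,0)usetime(701,0,0)packets(3,0,0) idle=699 refcount=7 ref=50
"""

# <proto>0x<spi>@<dst> <transform>: dir=<in|out> src=<addr> ...
SA_RE = re.compile(
    r"^(?P<said>(?:esp|ah|comp|tun)0x[0-9a-f]+)(?:@| at )(?P<dst>\S+)\s+"
    r"(?P<xform>\S+):\s+dir=(?P<dir>in|out)\s+src=(?P<src>\S+)"
)
# Current-value counters inside life(c,s,h)=...; absent until the SA is used.
COUNTER_RE = re.compile(r"(bytes|packets)\((\d+),")


def parse_sas(text):
    """Return one dict per SA line, with packet/byte counters defaulting to 0."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue  # eroute lines, MTU line, routing table, etc.
        sa = m.groupdict()
        counters = dict(COUNTER_RE.findall(line))
        sa["packets"] = int(counters.get("packets", 0))
        sa["bytes"] = int(counters.get("bytes", 0))
        sas.append(sa)
    return sas


def one_way_peers(sas):
    """Peers whose ESP SAs show outbound packets but zero inbound packets."""
    totals = {}
    for sa in sas:
        if not sa["said"].startswith("esp"):
            continue  # count each packet once, at the ESP layer
        peer = sa["dst"] if sa["dir"] == "out" else sa["src"]
        per_dir = totals.setdefault(peer, {"in": 0, "out": 0})
        per_dir[sa["dir"]] += sa["packets"]
    return sorted(p for p, t in totals.items() if t["out"] > 0 and t["in"] == 0)


if __name__ == "__main__":
    for peer in one_way_peers(parse_sas(SAMPLE)):
        print(f"{peer}: ESP packets sent, none received")
```

A peer listed here has inbound SAs that have never decrypted a packet, which narrows the search to what happens to the returning ESP traffic before it reaches the local SA.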





