[Openswan Users] server certificate problem (ID_DER_ASN1_DN, subjectAltName, INVALID_ID_INFORMATION)

Laurentiu Lazar lazar.laurentiu at gmail.com
Tue Apr 7 03:11:26 EDT 2009


>>Public key validated
>>we require peer to have ID 'CN=...', but peer declares 'P\016\303'
>>complete state transition with (null)
>>sending encrypted notification INVALID_ID_INFORMATION to SERVERIP:4500
>
>Do a run with plutodebug=all and post that.

Thank you. The log is ...

Starting Pluto (Openswan Version 2.6.20; Vendor ID OECqBqWLdKzA) pid:6389
Setting NAT-Traversal port-4500 floating to on
   port floating activation criteria nat_t=1/port_float=1
   including NAT-Traversal patch (Version 0.6c)
| opening /dev/urandom
using /dev/urandom as source of random entropy
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added at head of queue
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=6397 (fd:7)
| opening /dev/urandom
using /dev/urandom as source of random entropy
! helper 0 waiting on fd: 8
Using Linux 2.6 IPsec interface code on 2.6.28-1-amd64 (experimental code)
| process 6389 listening for PF_KEY_V2 on file descriptor 10
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
|   02 07 00 02  02 00 00 00  01 00 00 00  f5 18 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
|   02 07 00 03  02 00 00 00  02 00 00 00  f5 18 00 00
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x71f5e0, 0, 2016) memset(0x71fdc0, 0, 2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19
sadb_supported_len=56
| kernel_alg_add():satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14,
satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14,
satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14,
satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14,
satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14,
satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14,
satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19
sadb_supported_len=80
| kernel_alg_add():satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15,
satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15,
satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15,
satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15,
satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15,
satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15,
satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=22
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15,
satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15,
satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15,
satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18
| kernel_alg_add():satype=3, exttype=15, alg_id=19
| kernel_alg_add():satype=3, exttype=15, alg_id=20
| kernel_alg_add():satype=3, exttype=15, alg_id=14
| kernel_alg_add():satype=3, exttype=15, alg_id=15
| kernel_alg_add():satype=3, exttype=15, alg_id=16
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
|   02 07 00 09  02 00 00 00  03 00 00 00  f5 18 00 00
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
Changed path to directory '/etc/ipsec.d/cacerts'
  loaded CA cert file 'ca.pem' (1736 bytes)
|   file content is not binary ASN.1
|   -----BEGIN CERTIFICATE-----
|   -----END CERTIFICATE-----
|   file coded in PEM format
| L0 - certificate:
...
| L1 - tbsCertificate:
...
| L2 - DEFAULT v1:
| L3 - version:
|   02
|   v3
| L2 - serialNumber:
|   51 ...
| L2 - signature:
| L3 - algorithmIdentifier:
| L4 - algorithm:
|   'sha-1WithRSAEncryption'
| L2 - issuer:
    30 ...
    'DC=...'
| L2 - validity:
| L3 - notBefore:
| L4 - utcTime:
|   '... 2008'
| L3 - notAfter:
| L4 - utcTime:
|   '... 2013'
| L2 - subject:
    30 ...
    'DC=...'
| L2 - subjectPublicKeyInfo:
| L3 - algorithm:
| L4 - algorithmIdentifier:
| L5 - algorithm:
|   'rsaEncryption'
| L3 - subjectPublicKey:
| L4 - RSAPublicKey:
| L5 - modulus:
    ...
| L5 - publicExponent:
|   01 00 01
| L2 - optional extensions:
| L3 - extensions:
| L4 - extension:
| L5 - extnID:
|   'keyUsage'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   03 02 01 86
| L4 - extension:
| L5 - extnID:
|   'basicConstraints'
| L5 - critical:
|   ff
|   TRUE
| L5 - extnValue:
|   30 03 01 01  ff
| L6 - basicConstraints:
| L7 - CA:
|   ff
|   TRUE
| L4 - extension:
| L5 - extnID:
|   'subjectKeyIdentifier'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   04 14 ...
| L6 - keyIdentifier:
|   ...
| L4 - extension:
| L5 - extnID:
|   'crlDistributionPoints'
| L5 - critical:
|   FALSE
| L5 - extnValue:
    ...
| L6 - crlDistributionPoints:
| L7 - DistributionPoint:
| L8 - distributionPoint:
| L9 - fullName:
|   a0 82 ...
| L10 - generalNames:
| L11 - generalName:
| L12 - uniformResourceIdentifier:
|   6c 64 61 70  3a 2f 2f 2f  43 4e 3d ...
|   'ldap:///CN=...'
| L11 - generalName:
| L12 - uniformResourceIdentifier:
|   68 74 74 70  3a ...
|   'http://...'
| L4 - extension:
| L5 - extnID:
|   2b 06 01 04  01 82 37 15  01
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   02 03 01 00  01
| L4 - extension:
| L5 - extnID:
|   2b 06 01 04  01 82 37 15  02
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   04 14 ...
| L1 - signatureAlgorithm:
| L2 - algorithmIdentifier:
| L3 - algorithm:
|   'sha-1WithRSAEncryption'
| L1 - signatureValue:
|   00 b1 ...
|   authcert inserted
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
  loaded OCSP cert file 'ca.pem' (1736 bytes)
... (same certificate as above) ...
|   authcert inserted
Changing to directory '/etc/ipsec.d/crls'
  Warning: empty directory
| inserting event EVENT_LOG_DAILY, timeout in 53744 seconds
| event added after event EVENT_REINIT_SECRET
| next event EVENT_PENDING_PHASE2 in 120 seconds
|
| *received whack message
| Added new connection VPN with policy RSASIG+ENCRYPT+DONTREKEY+IKEv2ALLOW
loading certificate from my.cert.pem
  loaded host cert file '/etc/ipsec.d/certs/my.cert.pem' (2510 bytes)
|   file content is not binary ASN.1
|   -----BEGIN CERTIFICATE-----
|   -----END CERTIFICATE-----
|   file coded in PEM format
| L0 - certificate:
|   30 ...
| L1 - tbsCertificate:
|   30 ...
| L2 - DEFAULT v1:
| L3 - version:
|   02
|   v3
| L2 - serialNumber:
|   56 ...
| L2 - signature:
| L3 - algorithmIdentifier:
| L4 - algorithm:
|   'sha-1WithRSAEncryption'
| L2 - issuer:
|   30 4d 31 ...
|   'DC=...'
| L2 - validity:
| L3 - notBefore:
| L4 - utcTime:
|   'Mar ... 2009'
| L3 - notAfter:
| L4 - utcTime:
|   'Mar ... 2010'
| L2 - subject:
|   30 81 c0 31  ...
|   'DC=...'
| L2 - subjectPublicKeyInfo:
| L3 - algorithm:
| L4 - algorithmIdentifier:
| L5 - algorithm:
|   'rsaEncryption'
| L3 - subjectPublicKey:
| L4 - RSAPublicKey:
| L5 - modulus:
    ...
| L5 - publicExponent:
|   01 00 01
| L2 - optional extensions:
| L3 - extensions:
| L4 - extension:
| L5 - extnID:
|   'keyUsage'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   03 02 05 a0
| L4 - extension:
| L5 - extnID:
|   2a 86 48 86  f7 0d 01 09  0f
| L5 - critical:
|   FALSE
| L5 - extnValue:
...
| L4 - extension:
| L5 - extnID:
|   2b 06 01 04  01 82 37 14  02
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   1e 08 00 55  00 73 00 65  00 72
| L4 - extension:
| L5 - extnID:
|   'extendedKeyUsage'
| L5 - critical:
|   FALSE
| L5 - extnValue:
...
| L6 - extendedKeyUsage:
| L7 - keyPurposeID:
|   2b 06 01 04  01 82 37 0a  03 04
| L7 - keyPurposeID:
|   'emailProtection'
| L7 - keyPurposeID:
|   'clientAuth'
| L4 - extension:
| L5 - extnID:
|   'subjectAltName'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 37 ...
| L6 - generalNames:
| L7 - generalName:
| L8 - otherName:
|   06 0a 2b 06  ...
| L7 - generalName:
| L8 - rfc822Name:
|   ...
|   'my at email'
| L4 - extension:
| L5 - extnID:
|   'subjectKeyIdentifier'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   04 14 ...
| L6 - keyIdentifier:
|   f9 ...
| L4 - extension:
| L5 - extnID:
|   'authorityKeyIdentifier'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 16 ...
| L6 - authorityKeyIdentifier:
| L7 - keyIdentifier:
|   80 14 ...
| L8 - keyIdentifier:
|   f8 ...
| L4 - extension:
| L5 - extnID:
|   'crlDistributionPoints'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 82 01 0e  ...
| L6 - crlDistributionPoints:
| L7 - DistributionPoint:
| L8 - distributionPoint:
| L9 - fullName:
|   a0 82 01 02  ...
| L10 - generalNames:
| L11 - generalName:
| L12 - uniformResourceIdentifier:
|   6c 64 61 70  3a ...
|   'ldap:///CN=...'
| L11 - generalName:
| L12 - uniformResourceIdentifier:
|   68 74 74 70  ...
|   'http://...'
| L4 - extension:
| L5 - extnID:
|   'authorityInfoAccess'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 82 ...
| L6 - authorityInfoAccess:
| L7 - accessDescription:
| L8 - accessMethod:
|   2b 06 01 05  05 07 30 02
| L8 - accessLocation:
| L7 - accessDescription:
| L8 - accessMethod:
|   2b 06 01 05  05 07 30 02
| L8 - accessLocation:
| L1 - signatureAlgorithm:
| L2 - algorithmIdentifier:
| L3 - algorithm:
|   'sha-1WithRSAEncryption'
| L1 - signatureValue:
|   00 91 95 db  ...
|   not before  : Mar ... 2009
|   current time: Apr ... 2009
|   not after   : Mar ... 2010
| certificate is valid
| certs and keys locked by 'add_x509cert'
| certs and keys unlocked by 'add_x509cert'
| counting wild cards for DC=(me) is 0
| counting wild cards for CN=(vpn.server) is 0
added connection description "VPN"
| 192.168.1.97[(DC=me),+S=C]:17/1701---192.168.1.1...SERVERIP<SERVERIP>[CN=(vpn.server),+S=C]:17/1701
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz:
100%; keyingtries: 3; policy: RSASIG+ENCRYPT+DONTREKEY+IKEv2ALLOW
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_PHASE2 in 120 seconds
| next event EVENT_PENDING_PHASE2 in 120 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found wlan0 with address 192.168.1.97
adding interface wlan0/wlan0 192.168.1.97:500
adding interface wlan0/wlan0 192.168.1.97:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| connect_to_host_pair: 192.168.1.97:500 SERVERIP:500 -> hp:none
loading secrets from "/etc/ipsec.secrets"
  loaded private key file '/etc/ipsec.d/private/my.key.pem' (1127 bytes)
|   file content is not binary ASN.1
|   -----BEGIN RSA PRIVATE KEY-----
|   -----END RSA PRIVATE KEY-----
|   file coded in PEM format
| L0 - RSAPrivateKey:
| L1 - version:
| L1 - modulus:
| L1 - publicExponent:
| L1 - privateExponent:
| L1 - prime1:
| L1 - prime2:
| L1 - exponent1:
| L1 - exponent2:
| L1 - coefficient:
loaded private key for keyid: PPK_RSA:AwEAAazKo
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_PHASE2 in 120 seconds
| next event EVENT_PENDING_PHASE2 in 120 seconds
|
| *received whack message
| processing connection VPN
| route owner of "VPN" unrouted: NULL; eroute owner: NULL
| could_route called for VPN (kind=CK_PERMANENT)
| route owner of "VPN" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: VPN (next: none) ero:null esr:{(nil)}
ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel ---
experimental
| route_and_eroute: firewall_notified: true
| command executing prepare-host
| executing prepare-host: 2>&1 PLUTO_VERB='prepare-host'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='VPN' PLUTO_INTERFACE='wlan0' ...
| popen(): cmd is 767 chars long
| cmd(   0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='VPN' PLUTO_:
| cmd(  80):INTERFACE='wlan0' PLUTO_NEXT_HOP='192.168.1.1'
PLUTO_ME='192.168.1.97' PLUTO_MY_:
| cmd( 160):ID='DC=...:
| cmd( 240):, CN=..., E=...' PLUTO_MY_CLIENT='192.168.1.97/32':
| cmd( 320): PLUTO_MY_CLIENT_NET='192.168.1.97'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO:
| cmd( 400):_MY_PORT='1701' PLUTO_MY_PROTOCOL='17'
PLUTO_PEER='SERVERIP' PLUTO_PEER_ID=':
| cmd( 480):CN=vpn.server' PLUTO_PEER_CLIENT='SERVERIP/32'
PLUTO_PEER_CLIENT_NET='SERVERIP':
| cmd( 560):PLUTO_PEER_CLIENT_MASK='255.255.255.255'
PLUTO_PEER_PORT='1701' PLUTO_PE:
| cmd( 640):ER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='RSASI:
| cmd( 720):G+ENCRYPT+DONTREKEY+IKEv2ALLOW'   ipsec _updown:
| command executing route-host
| executing route-host: 2>&1 PLUTO_VERB='route-host'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='VPN' PLUTO_INTERFACE='wlan0' ...
| popen(): cmd is 765 chars long
| cmd(   0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='VPN' PLUTO_IN:
| cmd(  80):TERFACE='wlan0' PLUTO_NEXT_HOP='192.168.1.1'
PLUTO_ME='192.168.1.97' PLUTO_MY_ID:
| cmd( 160):='DC=...':
| cmd( 240):PLUTO_MY_CLIENT='192.168.1.97/32' P:
| cmd( 320):LUTO_MY_CLIENT_NET='192.168.1.97'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M:
| cmd( 400):Y_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='SERVERIP'
PLUTO_PEER_ID='CN:
| cmd( 480):=vpn.server' PLUTO_PEER_CLIENT='SERVERIP/32'
PLUTO_PEER_CLIENT_NET='SERVERIP':
| cmd( 560):PLUTO_PEER_CLIENT_MASK='255.255.255.255'
PLUTO_PEER_PORT='1701' PLUTO_PEER:
| cmd( 640):_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='RSASIG+:
| cmd( 720):ENCRYPT+DONTREKEY+IKEv2ALLOW'   ipsec _updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_PHASE2 in 119 seconds
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| *received whack message
| processing connection VPN
| empty esp_info, returning defaults
| creating state object #1 at 0x1816aa0
| processing connection VPN
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 22
| inserting state object #1 on chain 22
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection VPN
| Queuing pending Quick Mode with SERVERIP "VPN"
"VPN" #1: initiating Main Mode
| **emit ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_SA
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: none
|    message ID:  00 00 00 00
| no IKE algorithms for this connection
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_VID
|    DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 12
| ****emit ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    proposal number: 0
|    protocol ID: PROTO_ISAKMP
|    SPI size: 0
|    number of transforms: 12
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 0
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 14
|     [14 is OAKLEY_GROUP_MODP2048]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 1
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 14
|     [14 is OAKLEY_GROUP_MODP2048]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 2
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 14
|     [14 is OAKLEY_GROUP_MODP2048]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 3
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 14
|     [14 is OAKLEY_GROUP_MODP2048]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 4
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 5
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 6
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 7
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 5
|     [5 is OAKLEY_GROUP_MODP1536]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 8
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 2
|     [2 is OAKLEY_GROUP_MODP1024]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 9
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 5
|     [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 2
|     [2 is OAKLEY_GROUP_MODP1024]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_T
|    transform number: 10
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|     [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 2
|     [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| *****emit ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE
|    transform number: 11
|    transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|     [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION
|    length/value: 3600
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
|    length/value: 7
|     [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 1
|     [1 is OAKLEY_MD5]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|     [3 is OAKLEY_RSA_SIG]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 2
|     [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_KEY_LENGTH
|    length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 416
| emitting length of ISAKMP Security Association Payload: 428
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID  4f ...
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  af ...
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  4a ...
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  7d ...
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  90 ...
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  cd ...
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID  44 ...
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 592
| sending 592 bytes for main_outI1 through wlan0:500 to SERVERIP:500 (using #1)
...
| deleting event for #1
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| event added at head of queue
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 148 bytes from SERVERIP:500 on wlan0 (port=500)
...
| **parse ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   2c 67 98 bd  7e a6 4a 52
|    next payload type: ISAKMP_NEXT_SA
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: none
|    message ID:  00 00 00 00
|    length: 148
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  2c 67 98 bd  7e a6 4a 52
| state hash entry 22
| v1 state object not found
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  00 00 00 00  00 00 00 00
! helper 0 read 2744+4/2752 bytesfd: 8
! helper 0 doing build_kenonce op id: 1
| state hash entry 22
| v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
| v1 state object #1 found, in STATE_MAIN_I1
| processing connection VPN
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_VID
|    length: 56
|    DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
|    length: 24
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_VID
|    length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 20
"VPN" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
"VPN" #1: ignoring Vendor ID payload [FRAGMENTATION]
"VPN" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
method set to=106
| ****parse IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 44
|    proposal number: 1
! Local DH secret:
...
! Public DH value sent:
...
|    protocol ID: PROTO_ISAKMP
|    SPI size: 0
|    number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
|    next payload type: ISAKMP_NEXT_NONE
|    length: 36
|    transform number: 1
|    transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_ENCRYPTION_ALGORITHM
...
! Generated nonce:
!   1d 45 a8 93  9e 19 2a 96  66 7e e0 88  ef fb ab 26
|    length/value: 5
|    [5 is OAKLEY_3DES_CBC]
| ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192,
keydeflen=192, keymaxlen=192, ret=1
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_HASH_ALGORITHM
|    length/value: 2
|    [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_GROUP_DESCRIPTION
|    length/value: 2
|    [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_AUTHENTICATION_METHOD
|    length/value: 3
|    [3 is OAKLEY_RSA_SIG]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_TYPE
|    length/value: 1
|    [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_LIFE_DURATION (variable length)
|    length/value: 4
|    long duration: 3600
| Oakley Transform 1 accepted
| sender checking NAT-t: 1 and 106
"VPN" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-05
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 1 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_PHASE2 in 119 seconds
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#1
| calling callback function 0x425c82
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection VPN
| **emit ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   2c 67 98 bd  7e a6 4a 52
|    next payload type: ISAKMP_NEXT_KE
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: none
|    message ID:  00 00 00 00
| ***emit ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| keyex value  d8 ...
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni  1d ...
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x702d20(20)
| _natd_hash: icookie=
|   be a3 c0 e1  bc 0d 18 87
| _natd_hash: rcookie=
|   2c 67 98 bd  7e a6 4a 52
| _natd_hash: ip=  ...
| _natd_hash: port=500
| _natd_hash: hash=  4e ...
| ***emit ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NAT-D
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D  ...
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x702d20(20)
| _natd_hash: icookie=
|   be a3 c0 e1  bc 0d 18 87
| _natd_hash: rcookie=
|   2c 67 98 bd  7e a6 4a 52
| _natd_hash: ip=  ...
| _natd_hash: port=500
| _natd_hash: hash=  ...
| ***emit ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D  2f ...
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 22
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  2c 67 98 bd  7e a6 4a 52
| state hash entry 22
| inserting state object #1 on chain 22
| complete state transition with STF_OK
"VPN" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #1
| sending reply packet to SERVERIP:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through wlan0:500 to
SERVERIP:500 (using #1)
...
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| event added at head of queue
"VPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 316 bytes from SERVERIP:500 on wlan0 (port=500)
...
| **parse ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   2c 67 98 bd  7e a6 4a 52
|    next payload type: ISAKMP_NEXT_KE
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
! helper 0 read 2744+4/2752 bytesfd: 8
! helper 0 doing compute dh+iv op id: 2
! peer's g:   d8 ...
|    flags: none
|    message ID:  00 00 00 00
|    length: 316
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  2c 67 98 bd  7e a6 4a 52
| state hash entry 22
| v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
| v1 state object #1 found, in STATE_MAIN_I2
| processing connection VPN
! long term secret:   ...
! long term secret:   ...
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 766 usec
! DH shared-secret:
...
| got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
| ***parse ISAKMP Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_NONCE
|    length: 132
| got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
| ***parse ISAKMP Nonce Payload:
|    next payload type: ISAKMP_NEXT_CR
|    length: 24
| got payload 0x80(ISAKMP_NEXT_CR) needed: 0x0 opt: 0x102080
| ***parse ISAKMP Certificate RequestPayload:
...
! skeyid inputs (digi+NI+NR+shared) hasher: oakley_sha
! shared-secret:   8a ...
|    next payload type: ISAKMP_NEXT_NAT-D
|    length: 84
|    cert type: CERT_X509_SIGNATURE
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NAT-D
|    length: 24
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
|    next payload type: ISAKMP_NEXT_NONE
! shared-secret:   ...
! ni:   ...
! nr:   ...
! keyid:   ...
! DH_i: ...
|    length: 24
| **emit ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   2c 67 98 bd  7e a6 4a 52
|    next payload type: ISAKMP_NEXT_ID
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: ISAKMP_FLAG_ENCRYPTION
! DH_i: ...
! DH_r: ...
|    message ID:  00 00 00 00
| DH public value received:
...
! DH_r:  ...
! Skeyid:    ...
! Skeyid_d:  ...
! Skeyid_a:  ...
! Skeyid_e:  ...
| started looking for secret for DC=(me)->CN=(vpn.server) of kind PPK_PSK
| actually looking for secret for DC=(me)->CN=(vpn.server) of kind PPK_PSK
| line 1: key type PPK_PSK(DC=(me)) to type PPK_RSA
| concluding with best_match=0 best=(nil) (lineno=-1)
| parent1 type: 7 group: 2 len: 2752
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh+iv op on seq: 2 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
! enc key:  ...
! IV:  ...
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_PHASE2 in 119 seconds
| next event EVENT_PENDING_PHASE2 in 119 seconds
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#2
| calling callback function 0x42755e
| main inR2_outI3: calculated DH, sending R1
| processing connection VPN
| CR  30 4d ...
| requested CA: 'DC=...'
| thinking about whether to send my certificate:
|   I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE
|   sendcert: CERT_ALWAYSSEND and I did get a certificate request
|   so send cert.
|  I am sending a certificate request
| _natd_hash: hasher=0x702d20(20)
| _natd_hash: icookie=
|   be a3 c0 e1  bc 0d 18 87
| _natd_hash: rcookie=
|   2c 67 98 bd  7e a6 4a 52
| _natd_hash: ip=  ...
| _natd_hash: port=500
| _natd_hash: hash=  ...
| _natd_hash: hasher=0x702d20(20)
| _natd_hash: icookie=
|   be a3 c0 e1  bc 0d 18 87
| _natd_hash: rcookie=
|   2c 67 98 bd  7e a6 4a 52
| _natd_hash: ip=  ...
| _natd_hash: port=500
| _natd_hash: hash=  ...
| NAT_TRAVERSAL hash=0 (me:0) (him:0)
| expected NAT-D(me):  ...
| expected NAT-D(him): ...
| received NAT-D:  ...
| NAT_TRAVERSAL hash=1 (me:0) (him:0)
| expected NAT-D(me):  ...
| expected NAT-D(him): ...
| received NAT-D:  ...
| NAT_TRAVERSAL hash=2 (me:0) (him:1)
"VPN" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| event added at head of queue
| ***emit ISAKMP Identification Payload (IPsec DOI):
|    next payload type: ISAKMP_NEXT_CERT
|    ID type: ID_DER_ASN1_DN
|    Protocol ID: 0
|    port: 0
| emitting 195 raw bytes of my identity into ISAKMP Identification
Payload (IPsec DOI)
| my identity  30 81 ...
| emitting length of ISAKMP Identification Payload (IPsec DOI): 203
"VPN" #1: I am sending my cert
| ***emit ISAKMP Certificate Payload:
|    next payload type: ISAKMP_NEXT_CR
|    cert encoding: CERT_X509_SIGNATURE
| emitting 1642 raw bytes of CERT into ISAKMP Certificate Payload
| CERT  30 82 ...
| emitting length of ISAKMP Certificate Payload: 1647
"VPN" #1: I am sending a certificate request
| ***emit ISAKMP Certificate RequestPayload:
|    next payload type: ISAKMP_NEXT_SIG
|    cert type: CERT_X509_SIGNATURE
| emitting length of ISAKMP Certificate RequestPayload: 5
| hashing 424 bytes of SA
| started looking for secret for DC=(me)->CN=(vpn.server) of kind PPK_RSA
| searching for certificate PPK_RSA:AwEAAazKo vs PPK_RSA:AwEAAazKo
| signing hash with RSA Key *AwEAAazKo
| ***emit ISAKMP Signature Payload:
|    next payload type: ISAKMP_NEXT_NONE
| emitting 128 raw bytes of SIG_I into ISAKMP Signature Payload
| SIG_I  ...
| emitting length of ISAKMP Signature Payload: 132
| encrypting:
|   06 00 00 cb  ...
| IV: ...
| unpadded size is: 1987
| emitting 5 zero bytes of encryption padding into ISAKMP Message
| encrypting 1992 using OAKLEY_3DES_CBC
| next IV:  bf bc 27 68  cb ae fe 61
| emitting length of ISAKMP Message: 2020
| complete state transition with STF_OK
"VPN" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| deleting event for #1
| NAT-T: floating to port 4500
| NAT-T connection has wrong interface definition 192.168.1.97:4500 vs
192.168.1.97:500
| NAT-T: using interface wlan0:4500
| sending reply packet to SERVERIP:4500 (from port 4500)
| sending 2020 bytes for STATE_MAIN_I2 through wlan0:4500 to
SERVERIP:4500 (using #1)
...
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| event added at head of queue
"VPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 1572 bytes from SERVERIP:4500 on wlan0 (port=4500)
...
| **parse ISAKMP Message:
|    initiator cookie:
|   be a3 c0 e1  bc 0d 18 87
|    responder cookie:
|   2c 67 98 bd  7e a6 4a 52
|    next payload type: ISAKMP_NEXT_ID
|    ISAKMP version: ISAKMP Version 1.0 (rfc2407)
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: ISAKMP_FLAG_ENCRYPTION
|    message ID:  00 00 00 00
|    length: 1572
|  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE:  be a3 c0 e1  bc 0d 18 87
| RCOOKIE:  2c 67 98 bd  7e a6 4a 52
| state hash entry 22
| v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
| v1 state object #1 found, in STATE_MAIN_I3
| processing connection VPN
| received encrypted packet from SERVERIP:4500
| decrypting 1544 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
...
| next IV:  f0 51 07 b1  ae 6c a9 39
| got payload 0x20(ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0
| ***parse ISAKMP Identification Payload:
|    next payload type: ISAKMP_NEXT_CERT
|    length: 10
|    ID type: ID_DER_ASN1_DN
|    DOI specific A: 0
|    DOI specific B: 0
|      obj:   30 00 09 00  05 74 04 30  82 05
| got payload 0x40(ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0
| ***parse ISAKMP Certificate Payload:
|    next payload type: ISAKMP_NEXT_SIG
|    length: 1396
|    cert encoding: CERT_X509_SIGNATURE
| got payload 0x200(ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0
| ***parse ISAKMP Signature Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    length: 132
| removing 6 bytes of padding
| DER ASN1 DN:  30 00
"VPN" #1: Main mode peer ID is ID_DER_ASN1_DN: '\020'
| L0 - certificate:
...
| L1 - tbsCertificate:
...
| L2 - DEFAULT v1:
| L3 - version:
|   02
|   v3
| L2 - serialNumber:
|   31 14 5b bd  00 01 00 00  94 1b
| L2 - signature:
| L3 - algorithmIdentifier:
| L4 - algorithm:
|   'sha-1WithRSAEncryption'
| L2 - issuer:
|   30 ...
|   'DC=...'
| L2 - validity:
| L3 - notBefore:
| L4 - utcTime:
|   'Mar ... 2009'
| L3 - notAfter:
| L4 - utcTime:
|   'Mar ... 2010'
| L2 - subject:
|   30 00
|   'DC=...'
| L2 - subjectPublicKeyInfo:
| L3 - algorithm:
| L4 - algorithmIdentifier:
| L5 - algorithm:
|   'rsaEncryption'
| L3 - subjectPublicKey:
| L4 - RSAPublicKey:
| L5 - modulus: ...
| L5 - publicExponent:
|   01 00 01
| L2 - optional extensions:
| L3 - extensions:
| L4 - extension:
| L5 - extnID:
|   'keyUsage'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   03 02 05 a0
| L4 - extension:
| L5 - extnID:
|   2b 06 01 04  01 82 37 15  07
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 ...
| L4 - extension:
| L5 - extnID:
|   'extendedKeyUsage'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 0a 06 08  2b 06 01 05  05 07 03 02
| L6 - extendedKeyUsage:
| L7 - keyPurposeID:
|   'clientAuth'
| L4 - extension:
| L5 - extnID:
|   2b 06 01 04  01 82 37 15  0a
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 0c 30 0a  06 08 2b 06  01 05 05 07  03 02
| L4 - extension:
| L5 - extnID:
|   'subjectAltName'
| L5 - critical:
|   ff
|   TRUE
| L5 - extnValue:
|   30 ...
| L6 - generalNames:
| L7 - generalName:
| L8 - dnsName:
|   ...
|   'vpn.server'
| L4 - extension:
| L5 - extnID:
|   'subjectKeyIdentifier'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   04 ...
| L6 - keyIdentifier:
|   a0 ...
| L4 - extension:
| L5 - extnID:
|   'authorityKeyIdentifier'
| L5 - critical:
|   FALSE
| L5 - extnValue:
|   30 ...
| L6 - authorityKeyIdentifier:
| L7 - keyIdentifier:
|   80 ...
| L8 - keyIdentifier:
|   f8 ...
| L4 - extension:
| L5 - extnID:
|   'crlDistributionPoints'
| L5 - critical:
|   FALSE
| L5 - extnValue:
...
| L6 - crlDistributionPoints:
| L7 - DistributionPoint:
| L8 - distributionPoint:
| L9 - fullName:
...
| L10 - generalNames:
| L11 - generalName:
| L12 - uniformResourceIdentifier:
...
|   'ldap:///CN=...'
| L11 - generalName:
| L12 - uniformResourceIdentifier:
...
|   'http://...'
| L4 - extension:
| L5 - extnID:
|   'authorityInfoAccess'
| L5 - critical:
|   FALSE
| L5 - extnValue:
...
| L6 - authorityInfoAccess:
| L7 - accessDescription:
| L8 - accessMethod:
|   2b 06 01 05  05 07 30 02
| L8 - accessLocation:
| L7 - accessDescription:
| L8 - accessMethod:
|   2b 06 01 05  05 07 30 02
| L8 - accessLocation:
| L1 - signatureAlgorithm:
| L2 - algorithmIdentifier:
| L3 - algorithm:
|   'sha-1WithRSAEncryption'
| L1 - signatureValue:
...
| subject: 'DC=...'
| issuer:  'DC=...'
| authkey:  f8:...
|   not before  : Mar ... 2009
|   current time: Apr ... 2009
|   not after   : Mar ... 2010
| valid certificate for "DC=..."
| authcert list locked by 'verify_x509cert'
| issuer cacert "DC=..." found
| signature algorithm: 'sha-1WithRSAEncryption'
|   digest:  86 ...
|   decrypted signature:
|   00 00 01 ...
| valid certificate signature (DC=...)
| authcert list unlocked by 'verify_x509cert'
| crl list locked by 'verify_by_crl'
| crl list unlocked by 'verify_by_crl'
"VPN" #1: no crl from issuer "DC=..." found (strict=no)
| crl fetch request list locked by 'add_crl_fetch_request'
| crl fetch request added
| crl fetch request list unlocked by 'add_crl_fetch_request'
| subject: '...'
| issuer:  '...'
|   not before  : Apr ... 2008
|   current time: Apr ... 2009
|   not after   : Apr ... 2013
| valid certificate for "DC=..."
| authcert list locked by 'verify_x509cert'
| issuer cacert "DC=..." found
| signature algorithm: 'sha-1WithRSAEncryption'
|   digest:  26 ...
|   decrypted signature:
|   00 00 01 ...
| valid certificate signature (DC=...)
| authcert list unlocked by 'verify_x509cert'
| reached self-signed root ca
| Public key validated
"VPN" #1: we require peer to have ID 'CN=vpn.server', but peer declares ''
| complete state transition with (null)
"VPN" #1: sending encrypted notification INVALID_ID_INFORMATION to SERVERIP:4500


More information about the Users mailing list