[Openswan Users] Now I have "normal" IPSEC tunnels dropping
Greg Scott
GregScott at Infrasupport.com
Fri Jul 16 00:32:24 EDT 2010
One update on the IPSEC outage this morning - the telco hiccup happened
at 18:37 yesterday. Users came in this morning and evidently were able
to work for more than an hour, until 8:51AM when the outage happened.
But as the log below shows, both sides were blasting messages at each
other but neither side liking what the other side sent. Restarting
ipsec on both sides got everyone back up and running again.
- Greg

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Greg Scott
Sent: Thursday, July 15, 2010 10:27 AM
To: users at openswan.org
Subject: [Openswan Users] Now I have "normal" IPSEC tunnels dropping

Is this that same netkey bug?

Here is another customer with 2 sites. This one has just a single LAN
on each side and one tunnel connecting them. Everything should be
straightforward with this one. The left side is called HQ, the right
side Garelick. The HQ LAN is 10.86.0/24. The Garelick LAN is
10.86.2/24. The phone rang this morning and Garelick was offline.
Digging into it, the tunnel wasn't working and the tail of
/var/log/secure on both sides was full of messages like this:

Jul 15 09:15:08 localhost pluto[2348]: initiate on demand from 10.86.2.105:2783 to 10.86.0.20:3389 proto=6 state: fos_start because: acquire
Jul 15 09:15:47 localhost pluto[2348]: initiate on demand from 10.86.2.105:2785 to 10.86.0.20:3389 proto=6 state: fos_start because: acquire
Jul 15 09:16:36 localhost pluto[2348]: initiate on demand from 10.86.2.106:8 to 10.86.0.9:0 proto=1 state: fos_start because: acquire

What in the world does that mean?
Restarting IPSEC at Garelick, I could see some but not all hosts on the
HQ side. Restarting IPSEC at the HQ site, now everyone is back online
with everyone else again.
Looking farther up at /var/log/secure, here is an extract. Take a look
at Jul 14 18:37 plus a few seconds. It looks like the telco connection
dropped and that's when the trouble started. Nobody noticed until
this morning when my phone rang. I dummied up the public IP Addresses.
Both sites use the same ISP, so I dummied up the first 2 octets to
"5.6". The HQ site is 5.6.46.182 and the Garelick site is 5.6.100.18.

Jul 14 16:56:21 localhost pluto[2348]: "garelick-hq" #249: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x517b77f5 <0x5bffa1a5 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Dead Peer Detection]
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jul 14 17:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: responding to Main Mode
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: Main mode peer ID is ID_FQDN: '@hq.local'
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 14 17:06:34 localhost pluto[2348]: "garelick-hq" #250: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 17:08:18 localhost pluto[2348]: "garelick-hq" #250: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf053dd37) not found (maybe expired)
Jul 14 17:08:18 localhost pluto[2348]: "garelick-hq" #250: received and ignored informational message
Jul 14 17:22:53 localhost pluto[2348]: packet from 5.6.46.182:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x99519bba
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Dead Peer Detection]
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jul 14 17:52:13 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: responding to Main Mode
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: Main mode peer ID is ID_FQDN: '@hq.local'
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 14 17:52:13 localhost pluto[2348]: "garelick-hq" #251: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 18:06:34 localhost pluto[2348]: "garelick-hq" #250: received Delete SA payload: deleting ISAKMP State #250
Jul 14 18:06:34 localhost pluto[2348]: packet from 5.6.46.182:500: received and ignored informational message
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Dead Peer Detection]
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jul 14 18:37:19 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 14 18:37:19 localhost pluto[2348]: "garelick-hq" #252: responding to Main Mode
Jul 14 18:37:19 localhost pluto[2348]: "garelick-hq" #252: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 18:37:19 localhost pluto[2348]: "garelick-hq" #252: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 18:37:29 localhost pluto[2348]: ERROR: asynchronous network error report on br0 (sport=500) for message to 5.6.46.182 port 500, complainant 5.6.100.17: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jul 14 18:37:49 localhost pluto[2348]: ERROR: asynchronous network error report on br0 (sport=500) for message to 5.6.46.182 port 500, complainant 5.6.100.17: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #252: max number of retransmissions (2) reached STATE_MAIN_R1
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [Dead Peer Detection]
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jul 14 18:38:29 localhost pluto[2348]: packet from 5.6.46.182:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: responding to Main Mode
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: Main mode peer ID is ID_FQDN: '@hq.local'
Jul 14 18:38:29 localhost pluto[2348]: "garelick-hq" #253: transition from state STATE_MAIN_R2 to s
--More--(78%)

It keeps going like this, trying to find its partner and unable to.
Looking at /var/log/secure on the Garelick side, sure enough, I see the
telecom outage at 18:37, but then a new SA Established message at
19:20:32. But I'll bet this tunnel was messed up starting with the
18:37 telecom outage and never was right until I restarted ipsec on both
sides.

Jul 14 17:52:13 localhost pluto[3288]: "garelick-hq" #2063: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 18:06:34 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x53a0b445
Jul 14 18:37:19 localhost pluto[3288]: "garelick-hq" #2064: initiating Main Mode to replace #2063
Jul 14 18:37:29 localhost pluto[3288]: ERROR: asynchronous network error report on br0 (sport=500) for message to 5.6.100.18 port 500, complainant 69.128.253.214: No route to host [errno 113, origin ICMP type 11 code 0 (not authenticated)]
Jul 14 18:37:49 localhost pluto[3288]: ERROR: asynchronous network error report on br0 (sport=500) for message to 5.6.100.18 port 500, complainant 69.128.253.214: No route to host [errno 113, origin ICMP type 11 code 0 (not authenticated)]
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: received Vendor ID payload [Dead Peer Detection]
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: enabling possible NAT-traversal with method 4
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: received Vendor ID payload [CAN-IKEv2]
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 18:52:13 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x994da271
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: initiating Main Mode to replace #2064
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: received Vendor ID payload [Dead Peer Detection]
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: enabling possible NAT-traversal with method 4
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: received Vendor ID payload [CAN-IKEv2]
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 19:20:32 localhost pluto[3288]: "garelick-hq" #2065: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 19:38:29 localhost pluto[3288]: "garelick-hq" #2064: received Delete SA payload: deleting ISAKMP State #2064
Jul 14 19:38:29 localhost pluto[3288]: packet from 5.6.100.18:500: received and ignored informational message
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: initiating Main Mode to replace #2065
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: received Vendor ID payload [Dead Peer Detection]
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: enabling possible NAT-traversal with method 4
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: received Vendor ID payload [CAN-IKEv2]
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 20:03:07 localhost pluto[3288]: "garelick-hq" #2066: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 20:20:32 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xdfa25099
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: initiating Main Mode to replace #2066
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: received Vendor ID payload [Dead Peer Detection]
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: enabling possible NAT-traversal with method 4
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: received Vendor ID payload [CAN-IKEv2]
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 20:51:12 localhost pluto[3288]: "garelick-hq" #2067: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 21:03:07 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x3ad120f9
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: initiating Main Mode to replace #2067
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: received Vendor ID payload [Dead Peer Detection]
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: enabling possible NAT-traversal with method 4
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: received Vendor ID payload [CAN-IKEv2]
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 21:34:20 localhost pluto[3288]: "garelick-hq" #2068: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 21:51:12 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xc401d943
Jul 14 22:20:02 localhost pluto[3288]: "garelick-hq" #2069: initiating Main Mode to replace #2068
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: received Vendor ID payload [Dead Peer Detection]
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: enabling possible NAT-traversal with method 4
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 22:20:12 localhost pluto[3288]: packet from 5.6.100.18:500: phase 1 message is part of an unknown exchange
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: received Vendor ID payload [CAN-IKEv2]
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 22:20:12 localhost pluto[3288]: "garelick-hq" #2069: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 22:20:32 localhost pluto[3288]: packet from 5.6.100.18:500: phase 1 message is part of an unknown exchange
Jul 14 22:34:20 localhost pluto[3288]: "garelick-hq" #2068: received Delete SA payload: deleting ISAKMP State #2068
Jul 14 22:34:20 localhost pluto[3288]: packet from 5.6.100.18:500: received and ignored informational message
Jul 14 23:05:28 localhost pluto[3288]: "garelick-hq" #2070: initiating Main Mode to replace #2069
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: received Vendor ID payload [Dead Peer Detection]
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: enabling possible NAT-traversal with method 4
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 23:05:38 localhost pluto[3288]: packet from 5.6.100.18:500: phase 1 message is part of an unknown exchange
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: received Vendor ID payload [CAN-IKEv2]
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: Main mode peer ID is ID_FQDN: '@garelick.local'
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 14 23:05:38 localhost pluto[3288]: "garelick-hq" #2070: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 23:05:58 localhost pluto[3288]: packet from 5.6.100.18:500: phase 1 message is part of an unknown exchange
Jul 14 23:20:12 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xd18c1e07
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: initiating Main Mode to replace #2070
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: received Vendor ID payload [Dead Peer Detection]
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: received Vendor ID payload [RFC 3947] method set to=109
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: enabling possible NAT-traversal with method 4
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 14 23:49:48 localhost pluto[3288]: "garelick-hq" #2071: transition from state STATE_MAIN_I2 to s

- Greg Scott
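
A triage sketch for pluto logs like the ones quoted in this message, added here as an example and not part of the original post or of Openswan. It finds the first network-error report and counts what follows it; the `needs_attention` rule (no Phase 2 SA logged afterwards while unknown-SA, unknown-exchange or acquire messages keep appearing) is this example's own heuristic, and the sample lines are constructed in the post's log format.

```python
import re
from collections import Counter
from datetime import datetime

# Message fragments as they appear in the pluto lines quoted in the post.
PATTERNS = {
    "net_error": "ERROR: asynchronous network error report",
    "retransmit_max": "max number of retransmissions",
    "isakmp_up": "ISAKMP SA established",   # Phase 1 (Main Mode) completed
    "ipsec_up": "IPsec SA established",     # Phase 2 (Quick Mode) completed
    "unknown_sa": "Informational Exchange is for an unknown (expired?) SA",
    "unknown_exchange": "phase 1 message is part of an unknown exchange",
    "acquire": "because: acquire",          # kernel asked pluto for an SA
}

# Syslog prefix: "Jul 14 18:37:29 host pluto[pid]: message"
LINE_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")

# Constructed sample, one record per line, in the format shown in the post.
SAMPLE = """\
Jul 14 18:37:19 localhost pluto[3288]: "garelick-hq" #2064: initiating Main Mode to replace #2063
Jul 14 18:37:29 localhost pluto[3288]: ERROR: asynchronous network error report on br0 (sport=500) for message to 5.6.100.18 port 500, complainant 69.128.253.214: No route to host [errno 113, origin ICMP type 11 code 0 (not authenticated)]
Jul 14 18:38:29 localhost pluto[3288]: "garelick-hq" #2064: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 14 18:52:13 localhost pluto[3288]: packet from 5.6.100.18:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x994da271
Jul 14 22:20:12 localhost pluto[3288]: packet from 5.6.100.18:500: phase 1 message is part of an unknown exchange
Jul 15 09:15:08 localhost pluto[3288]: initiate on demand from 10.86.2.105:2783 to 10.86.0.20:3389 proto=6 state: fos_start because: acquire
"""


def parse(text, year=2010):
    """Yield (timestamp, kind, message) for each recognised pluto line.

    Syslog timestamps carry no year, so the caller supplies one
    (2010 is an assumption taken from the date of the post).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        for kind, needle in PATTERNS.items():
            if needle in msg:
                yield ts, kind, msg
                break


def triage(text, year=2010):
    """Summarise what pluto logged after the first network-error report."""
    events = list(parse(text, year))
    errors = [ts for ts, kind, _ in events if kind == "net_error"]
    if not errors:
        return {"first_net_error": None, "after": Counter(),
                "needs_attention": False}
    first = errors[0]
    after = Counter(kind for ts, kind, _ in events if ts > first)
    # Heuristic (assumption of this example): Phase 1 may keep completing,
    # but if no Phase 2 SA is logged while the peers reject each other's
    # messages or the kernel keeps requesting SAs, the tunnel needs a look.
    symptoms = after["unknown_sa"] + after["unknown_exchange"] + after["acquire"]
    return {"first_net_error": first, "after": after,
            "needs_attention": after["ipsec_up"] == 0 and symptoms > 0}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("first network error:", result["first_net_error"])
    for kind, count in sorted(result["after"].items()):
        print(f"  {kind}: {count}")
    print("needs attention:", result["needs_attention"])
```

Feed it one record per line; pager-wrapped output has to be rejoined first, since the regex expects the syslog prefix at the start of every record.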