[Openswan Users] Tunnel hangs
Greg Scott
GregScott at Infrasupport.com
Wed Nov 2 23:54:51 EDT 2011
I have a couple of tunnels that continue to hang. Here are details on
one that gave me trouble today. The right side is a central site
running U2.6.19 on Fedora 9. The left side is remote, running U2.6.36
on Fedora 15. This tunnel went offline today for no apparent reason.
The name of the tunnel with the problem is Superior-Everywhere. Here is
an extract from /var/log/secure on the left side. The right side
includes a few other tunnels and all of those are fine. It's only the
newer ipsec versions that give me trouble.
Looks like the problem started around 16:25. Things get really
interesting around 16:37 and the tunnel doesn't get back on track again
until 18:05. You'll see output from a couple of service ipsec restart
sessions around 18:00 or so. After some trial and error, the only way
to get this tunnel back up and running was, on the left side do:
service ipsec stop
And then on the right side:
ipsec auto --down Superior-Everywhere
ipsec auto --delete Superior-Everywhere
ipsec auto --add Superior-Everywhere
and then on the left side - service ipsec start. Restarting ipsec on
the left side without first deleting and then adding the tunnel on the
right side did not fix the problem - you'll see it in the log below.
Hopefully the email posting won't butcher the long log extract I'm
pasting in below. I can also make it available on an ftp site if this
comes out illegible in the email archive. And I can get an extract of
the right side log if it has anything relevant. Note that this tunnel
ran without problem for roughly a month before today's issue.
[root@Superior-fw gregs]# more extract.log
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [Dead Peer Detection]
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already
using method 109
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Nov 2 15:15:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already
using method 109
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
responding to Main Mode
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 2 15:15:28 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov 2 15:15:29 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
Main mode peer ID is ID_FQDN: '@hq.local'
Nov 2 15:15:29 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 2 15:15:29 Superior-fw pluto[1497]: "Superior-Everywhere" #356:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 2 15:27:21 Superior-fw pluto[1497]: "Superior-Everywhere" #355:
received Delete SA payload: deleting ISAKMP State #355
Nov 2 15:27:21 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received and ignored informational message
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [Dead Peer Detection]
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already
using method 109
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Nov 2 16:04:45 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already
using method 109
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
responding to Main Mode
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
Main mode peer ID is ID_FQDN: '@hq.local'
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 2 16:04:45 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 2 16:15:29 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
Informational Exchange is for an unknown (expired?) SA with
MSGID:0x498c04b2
Nov 2 16:25:11 Superior-fw pluto[1497]: "Superior-Everywhere" #358:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #347 {using isakmp#357 msgid:d238d086 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:26:21 Superior-fw pluto[1497]: "Superior-Everywhere" #358: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:26:21 Superior-fw pluto[1497]: "Superior-Everywhere" #358:
starting keying attempt 2 of an unlimited number
Nov 2 16:26:21 Superior-fw pluto[1497]: "Superior-Everywhere" #359:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #358 {using isakmp#357 msgid:739fa60d proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:27:31 Superior-fw pluto[1497]: "Superior-Everywhere" #359: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:27:31 Superior-fw pluto[1497]: "Superior-Everywhere" #359:
starting keying attempt 3 of an unlimited number
Nov 2 16:27:31 Superior-fw pluto[1497]: "Superior-Everywhere" #360:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #359 {using isakmp#357 msgid:92ff0f32 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:28:41 Superior-fw pluto[1497]: "Superior-Everywhere" #360: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:28:41 Superior-fw pluto[1497]: "Superior-Everywhere" #360:
starting keying attempt 4 of an unlimited number
Nov 2 16:28:41 Superior-fw pluto[1497]: "Superior-Everywhere" #361:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #360 {using isakmp#357 msgid:e0053b8f proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:29:51 Superior-fw pluto[1497]: "Superior-Everywhere" #361: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:29:51 Superior-fw pluto[1497]: "Superior-Everywhere" #361:
starting keying attempt 5 of an unlimited number
Nov 2 16:29:51 Superior-fw pluto[1497]: "Superior-Everywhere" #362:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #361 {using isakmp#357 msgid:6950ff56 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:31:01 Superior-fw pluto[1497]: "Superior-Everywhere" #362: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:31:01 Superior-fw pluto[1497]: "Superior-Everywhere" #362:
starting keying attempt 6 of an unlimited number
Nov 2 16:31:01 Superior-fw pluto[1497]: "Superior-Everywhere" #363:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #362 {using isakmp#357 msgid:7a3691c8 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:32:11 Superior-fw pluto[1497]: "Superior-Everywhere" #363: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:32:11 Superior-fw pluto[1497]: "Superior-Everywhere" #363:
starting keying attempt 7 of an unlimited number
Nov 2 16:32:11 Superior-fw pluto[1497]: "Superior-Everywhere" #364:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #363 {using isakmp#357 msgid:cb565f24 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:33:21 Superior-fw pluto[1497]: "Superior-Everywhere" #364: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:33:21 Superior-fw pluto[1497]: "Superior-Everywhere" #364:
starting keying attempt 8 of an unlimited number
Nov 2 16:33:21 Superior-fw pluto[1497]: "Superior-Everywhere" #365:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #364 {using isakmp#357 msgid:0ced83a2 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:34:31 Superior-fw pluto[1497]: "Superior-Everywhere" #365: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:34:31 Superior-fw pluto[1497]: "Superior-Everywhere" #365:
starting keying attempt 9 of an unlimited number
Nov 2 16:34:31 Superior-fw pluto[1497]: "Superior-Everywhere" #366:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #365 {using isakmp#357 msgid:0acd5b1c proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:35:41 Superior-fw pluto[1497]: "Superior-Everywhere" #366: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:35:41 Superior-fw pluto[1497]: "Superior-Everywhere" #366:
starting keying attempt 10 of an unlimited number
Nov 2 16:35:41 Superior-fw pluto[1497]: "Superior-Everywhere" #367:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #366 {using isakmp#357 msgid:fbb5bc31 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:36:51 Superior-fw pluto[1497]: "Superior-Everywhere" #367: max
number of retransmissions (2) reached STATE_QUICK_I1
Nov 2 16:36:51 Superior-fw pluto[1497]: "Superior-Everywhere" #367:
starting keying attempt 11 of an unlimited number
Nov 2 16:36:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
to replace #367 {using isakmp#357 msgid:3f963697 proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #357: the
peer proposed: 172.21.5.0/24:0/0 -> 192.168.0.0/16:0/0
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
responding to Quick Mode proposal {msgid:5c81e91f}
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
us:
172.21.5.0/24===216.70.22.228<216.70.22.228>[@superior.local,+S=C]---216.70.22.1
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
them:
12.24.248.49---12.24.248.50<12.24.248.50>[@hq.local,+S=C]===192.168.0.0/16
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
keeping refhim=4294901761 during rekey
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 2 16:37:07 Superior-fw pluto[1497]: "Superior-Everywhere" #369:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x20a82b2d
<0x881cfd3e xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 2 16:37:21 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:37:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:37:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:38:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:39:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:39:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:40:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:41:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:41:21 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
received Delete SA(0x57b1bcb5) payload: deleting IPSEC State #346
Nov 2 16:41:21 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
received and ignored informational message
Nov 2 16:41:37 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
received Delete SA(0x28c56332) payload: deleting IPSEC State #347
Nov 2 16:41:37 Superior-fw pluto[1497]: "Superior-Everywhere" #357:
received and ignored informational message
Nov 2 16:41:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:42:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:43:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:43:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:44:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:45:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:45:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:46:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:47:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:47:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:48:31 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:49:11 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:49:51 Superior-fw pluto[1497]: "Superior-Everywhere" #368:
ERROR: netlink response for Add SA esp.424aed10 at 216.70.22.228 included
errno 3: No
such process
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [Dead Peer Detection]
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already
using method 109
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Nov 2 16:53:28 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already
using method 109
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
responding to Main Mode
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
Main mode peer ID is ID_FQDN: '@hq.local'
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 2 16:53:28 Superior-fw pluto[1497]: "Superior-Everywhere" #370:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 2 17:04:46 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
Informational Exchange is for an unknown (expired?) SA with
MSGID:0x0f65f49e
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [Dead Peer Detection]
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [RFC 3947] method set to=109
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already
using method 109
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Nov 2 17:40:33 Superior-fw pluto[1497]: packet from 12.24.248.50:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already
using method 109
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
responding to Main Mode
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
STATE_MAIN_R1: sent MR1, expecting MI2
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
STATE_MAIN_R2: sent MR2, expecting MI3
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
Main mode peer ID is ID_FQDN: '@hq.local'
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 2 17:40:33 Superior-fw pluto[1497]: "Superior-Everywhere" #371:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 2 17:48:30 Superior-fw runuser: pam_unix(runuser:session): session
opened for user root by (uid=0)
Nov 2 17:48:31 Superior-fw sshd[1323]: Server listening on 0.0.0.0 port
22.
Nov 2 17:48:31 Superior-fw sshd[1323]: Server listening on :: port 22.
Nov 2 17:48:31 Superior-fw runuser: pam_unix(runuser:session): session
closed for user root
Nov 2 17:48:32 Superior-fw ipsec__plutorun: Starting Pluto subsystem...
Nov 2 17:48:32 Superior-fw pluto[1491]: Starting Pluto (Openswan
Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:1491
Nov 2 17:48:32 Superior-fw pluto[1491]: LEAK_DETECTIVE support
[disabled]
Nov 2 17:48:32 Superior-fw pluto[1491]: OCF support for IKE [disabled]
Nov 2 17:48:32 Superior-fw pluto[1491]: SAref support [disabled]:
Protocol not available
Nov 2 17:48:32 Superior-fw pluto[1491]: SAbind support [disabled]:
Protocol not available
Nov 2 17:48:32 Superior-fw pluto[1491]: NSS support [disabled]
Nov 2 17:48:32 Superior-fw pluto[1491]: HAVE_STATSD notification
support not compiled in
Nov 2 17:48:32 Superior-fw pluto[1491]: Setting NAT-Traversal port-4500
floating to on
Nov 2 17:48:32 Superior-fw pluto[1491]: port floating activation
criteria nat_t=1/port_float=1
Nov 2 17:48:32 Superior-fw pluto[1491]: NAT-Traversal support
[enabled]
Nov 2 17:48:32 Superior-fw pluto[1491]: 1 bad entries in
virtual_private - none loaded
Nov 2 17:48:32 Superior-fw pluto[1491]: using /dev/urandom as source of
random entropy
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 2 17:48:32 Superior-fw pluto[1491]: starting up 1 cryptographic
helpers
Nov 2 17:48:32 Superior-fw pluto[1491]: started helper pid=1495 (fd:6)
Nov 2 17:48:32 Superior-fw pluto[1491]: Using Linux 2.6 IPsec interface
code on 2.6.40.6-0.fc15.x86_64 (experimental code)
Nov 2 17:48:32 Superior-fw pluto[1495]: using /dev/urandom as source of
random entropy
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:48:32 Superior-fw pluto[1491]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 2 17:48:32 Superior-fw pluto[1491]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 2 17:48:32 Superior-fw pluto[1491]: Changed path to directory
'/etc/ipsec.d/aacerts'
Nov 2 17:48:32 Superior-fw pluto[1491]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Nov 2 17:48:32 Superior-fw pluto[1491]: Changing to directory
'/etc/ipsec.d/crls'
Nov 2 17:48:32 Superior-fw pluto[1491]: Warning: empty directory
Nov 2 17:48:32 Superior-fw pluto[1491]: added connection description
"Superior-Everywhere"
Nov 2 17:48:32 Superior-fw pluto[1491]: listening for IKE messages
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface p1p1/p1p1
172.21.5.100:500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface p1p1/p1p1
172.21.5.100:4500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface p2p1/p2p1
10.10.10.88:500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface p2p1/p2p1
10.10.10.88:4500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface em1/em1
216.70.22.228:500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface em1/em1
216.70.22.228:4500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface lo/lo
127.0.0.1:500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface lo/lo
127.0.0.1:4500
Nov 2 17:48:32 Superior-fw pluto[1491]: adding interface lo/lo ::1:500
Nov 2 17:48:32 Superior-fw pluto[1491]: loading secrets from
"/etc/ipsec.secrets"
Nov 2 17:48:32 Superior-fw pluto[1491]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Nov 2 17:48:32 Superior-fw pluto[1491]: loaded private key for keyid:
PPK_RSA:AQNl6eslo
Nov 2 17:48:32 Superior-fw pluto[1491]: "Superior-Everywhere":
prepare-client output: RTNETLINK answers: No such file or directory
Nov 2 17:48:32 Superior-fw pluto[1491]: "Superior-Everywhere":
prepare-client command exited with status 2
Nov 2 17:48:32 Superior-fw pluto[1491]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 17:48:35 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:59347 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:48:16 Superior-fw pluto[1491]: time moved backwards 19 seconds
Nov 2 17:48:44 Superior-fw pluto[1491]: initiate on demand from
172.21.5.2:1067 to 192.168.3.1:23 proto=6 state: fos_start because:
acquire
Nov 2 17:48:54 Superior-fw pluto[1491]: initiate on demand from
172.21.5.2:1068 to 192.168.3.4:3389 proto=6 state: fos_start because:
acquire
Nov 2 17:49:18 Superior-fw pluto[1491]: initiate on demand from
172.21.5.2:1069 to 192.168.3.1:23 proto=6 state: fos_start because:
acquire
Nov 2 17:49:28 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:61571 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:50:00 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:49819 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:50:31 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:50111 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:51:43 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:50074 to 192.168.3.1:449 proto=6 state: fos_start because:
acquire
Nov 2 17:51:57 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:63719 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:52:54 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:62318 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:53:28 Superior-fw pluto[1491]: packet from 12.24.248.50:500:
Informational Exchange is for an unknown (expired?) SA with
MSGID:0x91b96018
Nov 2 17:53:46 Superior-fw pluto[1491]: initiate on demand from
172.21.5.20:62405 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:54:41 Superior-fw runuser: pam_unix(runuser:session): session
opened for user root by (uid=0)
Nov 2 17:54:41 Superior-fw sshd[1327]: Server listening on 0.0.0.0 port
22.
Nov 2 17:54:41 Superior-fw sshd[1327]: Server listening on :: port 22.
Nov 2 17:54:41 Superior-fw runuser: pam_unix(runuser:session): session
closed for user root
Nov 2 17:54:42 Superior-fw ipsec__plutorun: Starting Pluto subsystem...
Nov 2 17:54:42 Superior-fw pluto[1503]: Starting Pluto (Openswan
Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:1503
Nov 2 17:54:42 Superior-fw pluto[1503]: LEAK_DETECTIVE support
[disabled]
Nov 2 17:54:42 Superior-fw pluto[1503]: OCF support for IKE [disabled]
Nov 2 17:54:42 Superior-fw pluto[1503]: SAref support [disabled]:
Protocol not available
Nov 2 17:54:42 Superior-fw pluto[1503]: SAbind support [disabled]:
Protocol not available
Nov 2 17:54:42 Superior-fw pluto[1503]: NSS support [disabled]
Nov 2 17:54:42 Superior-fw pluto[1503]: HAVE_STATSD notification
support not compiled in
Nov 2 17:54:42 Superior-fw pluto[1503]: Setting NAT-Traversal port-4500
floating to on
Nov 2 17:54:42 Superior-fw pluto[1503]: port floating activation
criteria nat_t=1/port_float=1
Nov 2 17:54:42 Superior-fw pluto[1503]: NAT-Traversal support
[enabled]
Nov 2 17:54:42 Superior-fw pluto[1503]: 1 bad entries in
virtual_private - none loaded
Nov 2 17:54:42 Superior-fw pluto[1503]: using /dev/urandom as source of
random entropy
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 2 17:54:42 Superior-fw pluto[1503]: starting up 1 cryptographic
helpers
Nov 2 17:54:42 Superior-fw pluto[1503]: started helper pid=1505 (fd:6)
Nov 2 17:54:42 Superior-fw pluto[1503]: Using Linux 2.6 IPsec interface
code on 2.6.40.6-0.fc15.x86_64 (experimental code)
Nov 2 17:54:42 Superior-fw pluto[1505]: using /dev/urandom as source of
random entropy
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 17:54:42 Superior-fw pluto[1503]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 2 17:54:42 Superior-fw pluto[1503]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 2 17:54:42 Superior-fw pluto[1503]: Changed path to directory
'/etc/ipsec.d/aacerts'
Nov 2 17:54:42 Superior-fw pluto[1503]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Nov 2 17:54:42 Superior-fw pluto[1503]: Changing to directory
'/etc/ipsec.d/crls'
Nov 2 17:54:42 Superior-fw pluto[1503]: Warning: empty directory
Nov 2 17:54:42 Superior-fw pluto[1503]: added connection description
"Superior-Everywhere"
Nov 2 17:54:42 Superior-fw pluto[1503]: listening for IKE messages
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface p1p1/p1p1
172.21.5.100:500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface p1p1/p1p1
172.21.5.100:4500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface p2p1/p2p1
10.10.10.88:500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface p2p1/p2p1
10.10.10.88:4500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface em1/em1
216.70.22.228:500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface em1/em1
216.70.22.228:4500
Nov 2 17:54:42 Superior-fw pluto[1503]: adding interface lo/lo
127.0.0.1:500
Nov 2 17:54:43 Superior-fw pluto[1503]: adding interface lo/lo
127.0.0.1:4500
Nov 2 17:54:43 Superior-fw pluto[1503]: adding interface lo/lo ::1:500
Nov 2 17:54:43 Superior-fw pluto[1503]: loading secrets from
"/etc/ipsec.secrets"
Nov 2 17:54:43 Superior-fw pluto[1503]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Nov 2 17:54:43 Superior-fw pluto[1503]: loaded private key for keyid:
PPK_RSA:AQNl6eslo
Nov 2 17:54:43 Superior-fw pluto[1503]: "Superior-Everywhere":
prepare-client output: RTNETLINK answers: No such file or directory
Nov 2 17:54:43 Superior-fw pluto[1503]: "Superior-Everywhere":
prepare-client command exited with status 2
Nov 2 17:54:43 Superior-fw pluto[1503]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 17:55:07 Superior-fw pluto[1503]: initiate on demand from
172.21.5.2:1070 to 192.168.3.1:23 proto=6 state: fos_start because:
acquire
Nov 2 17:55:26 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:55809 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:56:29 Superior-fw pluto[1503]: initiate on demand from
172.21.5.3:1150 to 192.168.3.1:23 proto=6 state: fos_start because:
acquire
Nov 2 17:56:42 Superior-fw pluto[1503]: initiate on demand from
172.21.5.3:1151 to 192.168.3.4:3389 proto=6 state: fos_start because:
acquire
Nov 2 17:57:01 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:54609 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:57:32 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:61422 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:58:03 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:49830 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:58:35 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:64037 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:59:06 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:53540 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 17:59:38 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:50461 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:00:07 Superior-fw pluto[1503]: initiate on demand from
172.21.5.3:1152 to 192.168.3.1:23 proto=6 state: fos_start because:
acquire
Nov 2 18:00:08 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:62366 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:00:39 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:59123 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:00:59 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:49175 to 192.168.3.1:5000 proto=6 state: fos_start because:
acquire
Nov 2 18:01:12 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:50731 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:01:43 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:58837 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:02:14 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:51476 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:02:47 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:58355 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:03:04 Superior-fw sshd[1885]: Accepted password for root from
216.160.2.129 port 61315 ssh2
Nov 2 23:03:04 Superior-fw sshd[1886]: fatal: mm_request_receive: read:
Connection reset by peer
Nov 2 18:03:04 Superior-fw sshd[1885]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Nov 2 18:03:21 Superior-fw pluto[1503]: initiate on demand from
172.21.5.20:63534 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down
Nov 2 18:03:38 Superior-fw pluto[1503]: forgetting secrets
Nov 2 18:03:38 Superior-fw pluto[1503]: "Superior-Everywhere": deleting
connection
Nov 2 18:03:38 Superior-fw pluto[1503]: "Superior-Everywhere" #1:
deleting state (STATE_MAIN_I1)
Nov 2 18:03:38 Superior-fw pluto[1503]: "Superior-Everywhere":
unroute-client output: /usr/local/lib/ipsec/_updown.netkey: doroute `ip
route del 192.168.0.0/16 via 216.70.22.1 dev em1 ' failed (RTNETLINK
answers: No such process)
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface lo/lo
::1:500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface lo/lo
127.0.0.1:4500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface lo/lo
127.0.0.1:500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface em1/em1
216.70.22.228:4500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface em1/em1
216.70.22.228:500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface
p2p1/p2p1 10.10.10.88:4500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface
p2p1/p2p1 10.10.10.88:500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface
p1p1/p1p1 172.21.5.100:4500
Nov 2 18:03:38 Superior-fw pluto[1503]: shutting down interface
p1p1/p1p1 172.21.5.100:500
Nov 2 18:03:38 Superior-fw pluto[1505]: pluto_crypto_helper: helper (0)
is normal exiting
Nov 2 18:03:39 Superior-fw ipsec__plutorun: Starting Pluto subsystem...
Nov 2 18:03:39 Superior-fw pluto[2100]: Starting Pluto (Openswan
Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:2100
Nov 2 18:03:39 Superior-fw pluto[2100]: LEAK_DETECTIVE support
[disabled]
Nov 2 18:03:39 Superior-fw pluto[2100]: OCF support for IKE [disabled]
Nov 2 18:03:39 Superior-fw pluto[2100]: SAref support [disabled]:
Protocol not available
Nov 2 18:03:39 Superior-fw pluto[2100]: SAbind support [disabled]:
Protocol not available
Nov 2 18:03:39 Superior-fw pluto[2100]: NSS support [disabled]
Nov 2 18:03:39 Superior-fw pluto[2100]: HAVE_STATSD notification
support not compiled in
Nov 2 18:03:39 Superior-fw pluto[2100]: Setting NAT-Traversal port-4500
floating to on
Nov 2 18:03:39 Superior-fw pluto[2100]: port floating activation
criteria nat_t=1/port_float=1
Nov 2 18:03:39 Superior-fw pluto[2100]: NAT-Traversal support
[enabled]
Nov 2 18:03:39 Superior-fw pluto[2100]: 1 bad entries in
virtual_private - none loaded
Nov 2 18:03:39 Superior-fw pluto[2100]: using /dev/urandom as source of
random entropy
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 2 18:03:39 Superior-fw pluto[2100]: starting up 1 cryptographic
helpers
Nov 2 18:03:39 Superior-fw pluto[2100]: started helper pid=2103 (fd:6)
Nov 2 18:03:39 Superior-fw pluto[2100]: Using Linux 2.6 IPsec interface
code on 2.6.40.6-0.fc15.x86_64 (experimental code)
Nov 2 18:03:39 Superior-fw pluto[2103]: using /dev/urandom as source of
random entropy
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:03:39 Superior-fw pluto[2100]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 2 18:03:39 Superior-fw pluto[2100]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 2 18:03:39 Superior-fw pluto[2100]: Changed path to directory
'/etc/ipsec.d/aacerts'
Nov 2 18:03:39 Superior-fw pluto[2100]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Nov 2 18:03:39 Superior-fw pluto[2100]: Changing to directory
'/etc/ipsec.d/crls'
Nov 2 18:03:39 Superior-fw pluto[2100]: Warning: empty directory
Nov 2 18:03:39 Superior-fw pluto[2100]: added connection description
"Superior-Everywhere"
Nov 2 18:03:39 Superior-fw pluto[2100]: listening for IKE messages
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface p1p1/p1p1
172.21.5.100:500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface p1p1/p1p1
172.21.5.100:4500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface p2p1/p2p1
10.10.10.88:500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface p2p1/p2p1
10.10.10.88:4500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface em1/em1
216.70.22.228:500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface em1/em1
216.70.22.228:4500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface lo/lo
127.0.0.1:500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface lo/lo
127.0.0.1:4500
Nov 2 18:03:39 Superior-fw pluto[2100]: adding interface lo/lo ::1:500
Nov 2 18:03:39 Superior-fw pluto[2100]: loading secrets from
"/etc/ipsec.secrets"
Nov 2 18:03:39 Superior-fw pluto[2100]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Nov 2 18:03:39 Superior-fw pluto[2100]: loaded private key for keyid:
PPK_RSA:AQNl6eslo
Nov 2 18:03:39 Superior-fw pluto[2100]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 18:03:44 Superior-fw pluto[2100]: initiate on demand from
172.21.5.20:58600 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:04:18 Superior-fw pluto[2100]: initiate on demand from
172.21.5.20:59605 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down
Nov 2 18:04:48 Superior-fw pluto[2100]: forgetting secrets
Nov 2 18:04:48 Superior-fw pluto[2100]: "Superior-Everywhere": deleting
connection
Nov 2 18:04:48 Superior-fw pluto[2100]: "Superior-Everywhere" #1:
deleting state (STATE_MAIN_I1)
Nov 2 18:04:48 Superior-fw pluto[2100]: "Superior-Everywhere":
unroute-client output: /usr/local/lib/ipsec/_updown.netkey: doroute `ip
route del 192.168.0.0/16 via 216.70.22.1 dev em1 ' failed (RTNETLINK
answers: No such process)
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface lo/lo
::1:500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface lo/lo
127.0.0.1:4500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface lo/lo
127.0.0.1:500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface em1/em1
216.70.22.228:4500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface em1/em1
216.70.22.228:500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface
p2p1/p2p1 10.10.10.88:4500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface
p2p1/p2p1 10.10.10.88:500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface
p1p1/p1p1 172.21.5.100:4500
Nov 2 18:04:48 Superior-fw pluto[2100]: shutting down interface
p1p1/p1p1 172.21.5.100:500
Nov 2 18:04:48 Superior-fw pluto[2103]: pluto_crypto_helper: helper (0)
is normal exiting
Nov 2 18:05:16 Superior-fw ipsec__plutorun: Starting Pluto subsystem...
Nov 2 18:05:16 Superior-fw pluto[2427]: Starting Pluto (Openswan
Version 2.6.36; Vendor ID OEqltr]KZl]_) pid:2427
Nov 2 18:05:16 Superior-fw pluto[2427]: LEAK_DETECTIVE support
[disabled]
Nov 2 18:05:16 Superior-fw pluto[2427]: OCF support for IKE [disabled]
Nov 2 18:05:16 Superior-fw pluto[2427]: SAref support [disabled]:
Protocol not available
Nov 2 18:05:16 Superior-fw pluto[2427]: SAbind support [disabled]:
Protocol not available
Nov 2 18:05:16 Superior-fw pluto[2427]: NSS support [disabled]
Nov 2 18:05:16 Superior-fw pluto[2427]: HAVE_STATSD notification
support not compiled in
Nov 2 18:05:16 Superior-fw pluto[2427]: Setting NAT-Traversal port-4500
floating to on
Nov 2 18:05:16 Superior-fw pluto[2427]: port floating activation
criteria nat_t=1/port_float=1
Nov 2 18:05:16 Superior-fw pluto[2427]: NAT-Traversal support
[enabled]
Nov 2 18:05:16 Superior-fw pluto[2427]: 1 bad entries in
virtual_private - none loaded
Nov 2 18:05:16 Superior-fw pluto[2427]: using /dev/urandom as source of
random entropy
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 2 18:05:16 Superior-fw pluto[2427]: starting up 1 cryptographic
helpers
Nov 2 18:05:16 Superior-fw pluto[2427]: started helper pid=2429 (fd:6)
Nov 2 18:05:16 Superior-fw pluto[2427]: Using Linux 2.6 IPsec interface
code on 2.6.40.6-0.fc15.x86_64 (experimental code)
Nov 2 18:05:16 Superior-fw pluto[2429]: using /dev/urandom as source of
random entropy
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_add(): ERROR: Algorithm
already exists
Nov 2 18:05:16 Superior-fw pluto[2427]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 2 18:05:16 Superior-fw pluto[2427]: Changed path to directory
'/etc/ipsec.d/cacerts'
Nov 2 18:05:16 Superior-fw pluto[2427]: Changed path to directory
'/etc/ipsec.d/aacerts'
Nov 2 18:05:16 Superior-fw pluto[2427]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Nov 2 18:05:16 Superior-fw pluto[2427]: Changing to directory
'/etc/ipsec.d/crls'
Nov 2 18:05:16 Superior-fw pluto[2427]: Warning: empty directory
Nov 2 18:05:16 Superior-fw pluto[2427]: added connection description
"Superior-Everywhere"
Nov 2 18:05:16 Superior-fw pluto[2427]: listening for IKE messages
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface p1p1/p1p1
172.21.5.100:500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface p1p1/p1p1
172.21.5.100:4500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface p2p1/p2p1
10.10.10.88:500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface p2p1/p2p1
10.10.10.88:4500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface em1/em1
216.70.22.228:500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface em1/em1
216.70.22.228:4500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface lo/lo
127.0.0.1:500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface lo/lo
127.0.0.1:4500
Nov 2 18:05:16 Superior-fw pluto[2427]: adding interface lo/lo ::1:500
Nov 2 18:05:16 Superior-fw pluto[2427]: loading secrets from
"/etc/ipsec.secrets"
Nov 2 18:05:16 Superior-fw pluto[2427]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Nov 2 18:05:16 Superior-fw pluto[2427]: loaded private key for keyid:
PPK_RSA:AQNl6eslo
Nov 2 18:05:16 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 18:05:17 Superior-fw pluto[2427]: initiate on demand from
172.21.5.20:57467 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
ignoring unknown Vendor ID payload [4f456b71484c42504f664d44]
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
received Vendor ID payload [Dead Peer Detection]
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
received Vendor ID payload [RFC 3947] method set to=109
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
enabling possible NAT-traversal with method 4
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
STATE_MAIN_I2: sent MI2, expecting MR2
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
STATE_MAIN_I3: sent MI3, expecting MR3
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
received Vendor ID payload [CAN-IKEv2]
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1: Main
mode peer ID is ID_FQDN: '@hq.local'
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #2:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
{using isakmp#1 msgid:4ebb452b proposal=defaults
pfsgroup=OAKLEY_GROUP_MODP2048}
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #2:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x9f7a97be <0xb86eb2d4 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
[root at Superior-fw gregs]#
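
A triage sketch for an extract like the one above, added here as an example and not part of the original post: it rejoins mail-wrapped syslog records, groups them by pluto pid, and reports how far each pluto run got in IKE negotiation and how many on-demand acquires it logged. The function names and the assumed year are this example's own; the sample is abridged from the extract above.

```python
import re
from datetime import datetime

# Sample abridged from the extract above, still wrapped as the mail client left it.
SAMPLE = """\
Nov 2 18:03:39 Superior-fw pluto[2100]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 18:03:44 Superior-fw pluto[2100]: initiate on demand from
172.21.5.20:58600 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:04:18 Superior-fw pluto[2100]: initiate on demand from
172.21.5.20:59605 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:04:48 Superior-fw pluto[2100]: "Superior-Everywhere" #1:
deleting state (STATE_MAIN_I1)
Nov 2 18:05:16 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
initiating Main Mode
Nov 2 18:05:17 Superior-fw pluto[2427]: initiate on demand from
172.21.5.20:57467 to 192.168.3.4:53 proto=17 state: fos_start because:
acquire
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #1:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 2 18:05:17 Superior-fw pluto[2427]: "Superior-Everywhere" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
"""

RECORD_START = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")
PLUTO = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[(\d+)\]: (.*)$")
# Initiator-side IKEv1 states in the order a healthy negotiation passes them.
ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
         "STATE_QUICK_I1", "STATE_QUICK_I2"]
STATE = re.compile("|".join(ORDER))


def unwrap(text):
    """Rejoin records wrapped across lines; a new record starts with a timestamp."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # a token split mid-word stays split
    return records


def summarize(text, year=2011):
    """Per pluto pid: first/last timestamp, furthest IKE state, acquires, SA status.

    Syslog timestamps carry no year, so `year` is an assumption supplied by the caller.
    """
    runs = {}
    for rec in unwrap(text):
        m = PLUTO.match(rec)
        if not m:
            continue  # sshd, runuser and other non-pluto records
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        run = runs.setdefault(pid, {"first": when, "last": when, "furthest": None,
                                    "acquires": 0, "established": False})
        run["last"] = when
        run["acquires"] += "initiate on demand" in msg
        run["established"] |= "IPsec SA established" in msg
        seen = STATE.findall(msg)
        if "initiating Main Mode" in msg:
            seen.append("STATE_MAIN_I1")  # first packet sent, no reply yet
        for s in seen:
            if run["furthest"] is None or ORDER.index(s) > ORDER.index(run["furthest"]):
                run["furthest"] = s
    return runs


def stalled(runs):
    """Pids of runs that logged on-demand acquires but never established an IPsec SA."""
    return sorted(p for p, r in runs.items() if r["acquires"] and not r["established"])
```
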