[Openswan Users] Connection established but ...

TheCajun thecajun at nmia.com
Fri Nov 16 12:28:10 EST 2012


I have 2 vpn connections to my office (from different locations).  Both
use similar configurations, and both run Fedora 17.  I have one
working; the other says a vpn connection is established, but I can't ping
or ssh.  Iptables is *not* running and neither is selinux.  The odd thing
about the dysfunctional remote site is that it worked after I set it up. I
rebooted it twice and ssh'ed down and back both times before I declared
it working.  After getting back to the office I found I could not ping
or ssh.  I have port forwarding on the Actiontec now so I can work on it
remotely.

The working vpn has a Zyxel Q100, the other has an Actiontec Q2000.
The company has NETGEAR ProSafe VPN Firewall FVS336GV2.

Here are all the logs and information I thought I could collect.  I hope
someone can find something.  Any help is appreciated.

Thank you.

Durwin


==== Output from NETGEAR ProSafe VPN Firewall FVS336GV2 ====
2012 Nov 16 09:45:33 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "<remote_ip>[500]"_
2012 Nov 16 09:45:33 [FVS336GV2] [IKE] DPD R-U-THERE sent to "<remote_ip>[500]"_
2012 Nov 16 09:45:32 [FVS336GV2] [IKE] ISAKMP-SA established for <company_ip>[500]-<remote_ip>[500] with spi:50c0e24753c52d58:c5ab48fcfa849f6b_
2012 Nov 16 09:45:32 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 16 09:45:31 [FVS336GV2] [IKE] DPD is Enabled_
2012 Nov 16 09:45:31 [FVS336GV2] [IKE] Received Vendor ID: DPD_
2012 Nov 16 09:45:31 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 16 09:45:25 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel <company_ip>-><remote_ip> with spi=596455437(0x238d300d)_
2012 Nov 16 09:45:25 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel <remote_ip>-><company_ip> with spi=167735662(0x9ff716e)_
2012 Nov 16 09:45:24 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel <company_ip>-><remote_ip> with spi=1112143402(0x4249f62a)_
2012 Nov 16 09:45:24 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel <remote_ip>-><company_ip> with spi=146700774(0x8be79e6)_
2012 Nov 16 09:45:24 [FVS336GV2] [IKE] Initiating new phase 2 negotiation: <company_ip>[500]<=><remote_ip>[0]_
2012 Nov 16 09:45:23 [FVS336GV2] [IKE] Using IPsec SA configuration: 172.23.93.0/24<-><remote_ip>/24_
2012 Nov 16 09:45:23 [FVS336GV2] [IKE] Responding to new phase 2 negotiation: <company_ip>[0]<=><remote_ip>[0]_
2012 Nov 16 09:45:23 [FVS336GV2] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2012 Nov 16 09:45:23 [FVS336GV2] [IKE] ISAKMP-SA established for <company_ip>[500]-<remote_ip>[500] with spi:ed12a5ad8f2b3cbe:7f81d9f8f99ed2bd_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Setting DPD Vendor ID_
                - Last output repeated twice -
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
                - Last output repeated twice -
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] DPD is Enabled_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received Vendor ID: DPD_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Beginning Identity Protection mode._
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Received request for new phase 1 negotiation: <company_ip>[500]<=><remote_ip>[500]_
2012 Nov 16 09:45:22 [FVS336GV2] [IKE] Configuration found for <remote_ip>[500]._



==== systemctl status ipsec.service ====
ipsec.service - LSB: Start Openswan IPsec at boot time
     Loaded: loaded (/etc/rc.d/init.d/ipsec)
     Active: active (running) since Fri, 16 Nov 2012 09:45:22 -0700; 3min 22s ago
    Process: 4012 ExecStop=/etc/rc.d/init.d/ipsec stop (code=exited, status=0/SUCCESS)
    Process: 4111 ExecStart=/etc/rc.d/init.d/ipsec start (code=exited, status=0/SUCCESS)
     CGroup: name=systemd:/system/ipsec.service
         + 4204 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive 10 --protostack netkey --force_keepalive yes --disable_port_fl...
         + 4205 logger -s -p daemon.error -t ipsec__plutorun
         + 4208 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive 10 --protostack netkey --force_keepalive yes --disable_port_fl...
         + 4209 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --post
         + 4210 /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --nat_traversal --keep_alive 10 --force_keepalive --virtual_private %v4:10.0.0.0/8,%v4:172....
         + 4239 _pluto_adns

Nov 16 09:45:31 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: ignoring Vendor ID payload [KAME/racoon]
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: Main mode peer ID is ID_IPV4_ADDR: '<company_ip>'
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: received Delete SA(0x08be79e6) payload: deleting IPSEC State #2
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4249f62a) not found (maybe expired)
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: received and ignored informational message



==== /var/log/secure ====
Nov 16 09:45:22 remote_site ipsec__plutorun: Starting Pluto subsystem...
Nov 16 09:45:22 remote_site pluto[4210]: nss directory plutomain: /etc/ipsec.d
Nov 16 09:45:22 remote_site pluto[4210]: NSS Initialized
Nov 16 09:45:22 remote_site pluto[4210]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 16 09:45:22 remote_site pluto[4210]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:4210
Nov 16 09:45:22 remote_site pluto[4210]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 16 09:45:22 remote_site pluto[4210]: LEAK_DETECTIVE support [disabled]
Nov 16 09:45:22 remote_site pluto[4210]: OCF support for IKE [disabled]
Nov 16 09:45:22 remote_site pluto[4210]: SAref support [disabled]: Protocol not available
Nov 16 09:45:22 remote_site pluto[4210]: SAbind support [disabled]: Protocol not available
Nov 16 09:45:22 remote_site pluto[4210]: NSS support [enabled]
Nov 16 09:45:22 remote_site pluto[4210]: HAVE_STATSD notification support not compiled in
Nov 16 09:45:22 remote_site pluto[4210]: Setting NAT-Traversal port-4500 floating to on
Nov 16 09:45:22 remote_site pluto[4210]:    port floating activation criteria nat_t=1/port_float=1
Nov 16 09:45:22 remote_site pluto[4210]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 16 09:45:22 remote_site pluto[4210]: starting up 1 cryptographic helpers
Nov 16 09:45:22 remote_site pluto[4210]: started helper (thread) pid=-1229927616 (fd:7)
Nov 16 09:45:22 remote_site pluto[4210]: Using Linux 2.6 IPsec interface code on 3.6.2-4.fc17.i686.PAE (experimental code)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_add(): ERROR: Algorithm already exists
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_add(): ERROR: Algorithm already exists
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_add(): ERROR: Algorithm already exists
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_add(): ERROR: Algorithm already exists
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_add(): ERROR: Algorithm already exists
Nov 16 09:45:22 remote_site pluto[4210]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 16 09:45:22 remote_site pluto[4210]: Could not change to directory '/etc/ipsec.d/cacerts': /
Nov 16 09:45:22 remote_site pluto[4210]: Could not change to directory '/etc/ipsec.d/aacerts': /
Nov 16 09:45:22 remote_site pluto[4210]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Nov 16 09:45:22 remote_site pluto[4210]: Could not change to directory '/etc/ipsec.d/crls'
Nov 16 09:45:22 remote_site pluto[4210]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 16 09:45:22 remote_site pluto[4210]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 16 09:45:22 remote_site pluto[4210]: added connection description "thecompany"
Nov 16 09:45:22 remote_site pluto[4210]: listening for IKE messages
Nov 16 09:45:22 remote_site pluto[4210]: adding interface wlan0/wlan0 192.168.7.3:500
Nov 16 09:45:22 remote_site pluto[4210]: adding interface wlan0/wlan0 192.168.7.3:4500
Nov 16 09:45:22 remote_site pluto[4210]: adding interface lo/lo 127.0.0.1:500
Nov 16 09:45:22 remote_site pluto[4210]: adding interface lo/lo 127.0.0.1:4500
Nov 16 09:45:22 remote_site pluto[4210]: adding interface lo/lo ::1:500
Nov 16 09:45:22 remote_site pluto[4210]: loading secrets from "/etc/ipsec.secrets"
Nov 16 09:45:22 remote_site pluto[4210]: loading secrets from "/etc/ipsec.d/thecompany.secrets"
Nov 16 09:45:22 remote_site pluto[4210]: "thecompany" #1: initiating Main Mode
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: received Vendor ID payload [Dead Peer Detection]
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: ignoring Vendor ID payload [KAME/racoon]
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: ignoring Vendor ID payload [KAME/racoon]
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: Main mode peer ID is ID_IPV4_ADDR: '<company_ip>'
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:85249f9a proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 16 09:45:23 remote_site pluto[4210]: "thecompany" #1: received and ignored informational message
Nov 16 09:45:24 remote_site pluto[4210]: "thecompany" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 16 09:45:24 remote_site pluto[4210]: "thecompany" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x08be79e6 <0x4249f62a xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #1: the peer proposed: <remote_ip>/24:0/0 -> 172.23.93.0/24:0/0
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: responding to Quick Mode proposal {msgid:7d768781}
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3:     us: <remote_ip>/24===192.168.7.3[+S=C]
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3:   them: <company_ip><<company_ip>>[+S=C]===172.23.93.0/24
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: keeping refhim=4294901761 during rekey
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x09ff716e <0x238d300d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 16 09:45:31 remote_site pluto[4210]: packet from <company_ip>:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Nov 16 09:45:31 remote_site pluto[4210]: packet from <company_ip>:500: received Vendor ID payload [Dead Peer Detection]
Nov 16 09:45:31 remote_site pluto[4210]: "thecompany" #4: responding to Main Mode
Nov 16 09:45:31 remote_site pluto[4210]: "thecompany" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 16 09:45:31 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: ignoring Vendor ID payload [KAME/racoon]
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: Main mode peer ID is ID_IPV4_ADDR: '<company_ip>'
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 16 09:45:32 remote_site pluto[4210]: "thecompany" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: received Delete SA(0x08be79e6) payload: deleting IPSEC State #2
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4249f62a) not found (maybe expired)
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: received and ignored informational message


==== route ====
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.7.1     0.0.0.0         UG    0      0        0 wlan0
172.23.93.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.7.0     *               255.255.255.0   U     0      0        0 wlan0


==== conn ====
conn thecompany
   left=%defaultroute
   leftsubnet=192.168.7.0/24
   leftsourceip=192.168.7.3
   right=<company_ip>
   rightsubnet=172.23.93.0/24
   type=tunnel
   authby=secret
   keyexchange=ike
   auto=start
   pfs=yes
   ike=3des-sha1-modp1024
   esp=3des-sha1
   rekey=yes
   salifetime=1h
   
==== .secret ====
67.42.66.39 192.168.7.3 <company_ip> : PSK "mysecret"


==== ipsec.conf ====
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.7.0/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    force_keepalive=yes
    keep_alive=10

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
include /etc/ipsec.d/*.conf


==== ipsec auto --status ====
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface wlan0/wlan0 192.168.7.3
000 interface wlan0/wlan0 192.168.7.3
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 1 subnet: 192.168.7.0/24
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,1536} attrs={0,2,2048}
000
000 "thecompany": 192.168.7.0/24===192.168.7.3[+S=C]...<company_ip><<company_ip>>[+S=C]===172.23.93.0/24; erouted; eroute owner: #3
000 "thecompany":     myip=192.168.7.3; hisip=unset;
000 "thecompany":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "thecompany":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: wlan0;
000 "thecompany":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "thecompany":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "thecompany":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "thecompany":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "thecompany":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "thecompany":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "thecompany":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #3: "thecompany":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2889s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "thecompany" esp.2435299@<company_ip> esp.3d27f2a2 at 192.168.7.3 tun.0@<company_ip> tun.0 at 192.168.7.3 ref=0 refhim=4294901761
000 #1: "thecompany":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2164s; newest ISAKMP; lastdpd=2s(seq in:0 out:0); idle; import:admin initiate
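Two things in the logs above are worth checking mechanically whenever a tunnel "is established" but passes no traffic: the Phase 2 selectors the peer proposed (pluto logs "the peer proposed: <remote_ip>/24 -> 172.23.93.0/24" while the conn has leftsubnet=192.168.7.0/24) and the ESP SPIs the peer deletes shortly after setup. The script below is an added example, not code from the post or from Openswan; it runs on sample lines constructed from the post, with 198.51.100.7 and 203.0.113.10 standing in for the redacted <remote_ip> and <company_ip>.

```python
import ipaddress
import re

# Constructed sample: the conn block from the post (203.0.113.10 is a
# placeholder for the redacted <company_ip>).
CONN_TEXT = """conn thecompany
   left=%defaultroute
   leftsubnet=192.168.7.0/24
   leftsourceip=192.168.7.3
   right=203.0.113.10
   rightsubnet=172.23.93.0/24
"""

# Constructed sample pluto lines modelled on the post (198.51.100.7 is a
# placeholder for the redacted <remote_ip>).
PLUTO_LOG = """\
Nov 16 09:45:24 remote_site pluto[4210]: "thecompany" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x08be79e6 <0x4249f62a xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #1: the peer proposed: 198.51.100.7/24:0/0 -> 172.23.93.0/24:0/0
Nov 16 09:45:25 remote_site pluto[4210]: "thecompany" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x09ff716e <0x238d300d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Nov 16 09:45:52 remote_site pluto[4210]: "thecompany" #1: received Delete SA(0x08be79e6) payload: deleting IPSEC State #2
"""

# "the peer proposed: <our client>:proto/port -> <peer's client>:proto/port"
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r'(?P<ours>[^:\s]+):\S+ -> (?P<theirs>[^:\s]+):\S+')
ESTABLISHED_RE = re.compile(r'\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
DELETE_RE = re.compile(r'Delete SA\((0x[0-9a-f]+)\)')


def parse_conn(text):
    """Return the key=value settings of an ipsec.conf conn block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_proposals(log):
    """Collect (conn, subnet the peer assigns to us, peer's own subnet)
    from the lines pluto logs when responding to a Quick Mode proposal."""
    matches = (PROPOSED_RE.search(line) for line in log.splitlines())
    return [(m["conn"], m["ours"], m["theirs"]) for m in matches if m]


def check_selectors(conn, proposals):
    """Flag Phase 2 selectors that differ from leftsubnet/rightsubnet: the
    IKE SA still comes up, but no LAN packet matches the tunnel policy."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    issues = []
    for name, ours, theirs in proposals:
        for side, proposed in (("leftsubnet", ours), ("rightsubnet", theirs)):
            if net(proposed) != net(conn[side]):
                issues.append(f"{name}: peer selector {net(proposed)} "
                              f"does not match {side}={conn[side]}")
    return issues


def deleted_spis(log):
    """Return SPIs of IPsec SAs that were established and then deleted by
    the peer, which leaves a tunnel that looks up but carries nothing."""
    established, deleted = set(), set()
    for line in log.splitlines():
        if m := ESTABLISHED_RE.search(line):
            established.update(m.groups())
        if m := DELETE_RE.search(line):
            deleted.add(m.group(1))
    return established & deleted


if __name__ == "__main__":
    for issue in check_selectors(parse_conn(CONN_TEXT), parse_proposals(PLUTO_LOG)):
        print("selector mismatch:", issue)
    print("established SAs later deleted by peer:", sorted(deleted_spis(PLUTO_LOG)))
```

Run it against the real /var/log/secure and the conn in /etc/ipsec.d to compare what the NETGEAR side believes the remote LAN is against what Openswan is configured to offer.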