[Openswan Users] Established Tunnel Not Passing Traffic

Dave Ariens dave at ariens.ca
Thu Jun 27 18:42:26 UTC 2013


I spoke too soon... Nothing can traverse the tunnel.

Here's some logs for vps1 during the time that traffic stopped...

Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: initiating Main
Mode to replace #5
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor
ID payload [Openswan (this version) 2.6.38 ]
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor
ID payload [Dead Peer Detection]
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor
ID payload [RFC 3947] method set to=115
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor
ID payload [CAN-IKEv2]
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload [Openswan (this version)
2.6.38 ]
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: responding to
Main Mode
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 13:51:04 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA
with MSGID:0x58fb6264
Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: "vps2" #5: received Delete
SA payload: deleting ISAKMP State #5
Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: packet from
173.254.195.244:500: received and ignored informational message


On Thu, Jun 27, 2013 at 2:04 PM, Dave Ariens <dave at ariens.ca> wrote:

> So far so good.  After applying the rekeys=yes to the connections, I
> restarted (systemctl restart openswan) yet the problem seemed to recur
> twice.  I then performed an ipsec auto --delete vps1/2 respectively, then
> an add, then a restart--and it's been fine since.  Looking into the systemd
> scripts, it looks like a restart is a stop then a start (ipsec _realsetup
> then stop ipsec _realsetup start).
>
> Could there be any artifacts of the previously established tunnel around
> _somehow_?   There's lots I don't understand about IPsec but can you
> enlighten me about what's going on?
>
>
> On Thu, Jun 27, 2013 at 11:35 AM, <dave at ariens.ca> wrote:
>
>> I will give that a shot. When I read up on it I understood that it was
>> defaulted to 'yes'.
>>
>> Thanks
>>
>>  www.ariens.ca
>>   *From: *Giovanni Carbone
>> *Sent: *Thursday, June 27, 2013 11:20 AM
>> *To: *Dave Ariens; users at lists.openswan.org
>> *Subject: *RE: [Openswan Users] Established Tunnel Not Passing Traffic
>>
>>  Try adding “rekey=yes” in the conn(s).
>>
>>
>>
>> Example:
>>
>>
>>
>> conn vps1
>>
>>     authby=secret
>>
>>     left=173.254.195.244
>>
>>     leftsourceip=192.168.200.10
>>
>>     leftsubnet=192.168.200.10/32
>>
>>     right=64.237.39.24
>>
>>     rightsubnet=192.168.100.10/32
>>
>>     auto=start
>>
>>     rekey=yes
>>
>>
>>
>>
>>
>>
>>
>> *From:* users-bounces at lists.openswan.org [mailto:
>> users-bounces at lists.openswan.org] *On Behalf Of *Dave Ariens
>> *Sent:* Thursday, June 27, 2013 4:26 PM
>> *To:* users at lists.openswan.org
>> *Subject:* [Openswan Users] Established Tunnel Not Passing Traffic
>>
>>
>>
>> Hey there guys (first time posting),
>>
>> I have two servers (VPS) one on the US east coast, another on US west
>> coast.  They both have an IPsec tunnel to my Juniper SRX firewall (on my
>> home network in Ontario, Canada).  This tunnel is rock solid and I never
>> have any issues with it.
>>
>> I'm trying to configure an OpenSwan IPsec tunnel between the two VMs, and
>> it's up and running, I can ping through the tunnel, but some time
>> afterwards, traffic is unable to pass (tunnel remains established).
>>
>> This is really just a plain vanilla OpenSwan to OpenSwan implementation,
>> below are some config details, and some logs.
>>
>> Can anyone help me identify why the tunnel stops passing traffic after
>> some time < 15 minutes.  I know the traffic stopped shortly after midnight
>> this morning (see logs below)
>>
>>
>>
>> [ariens at vps1 ~]$ pacman -Qs openswan
>>
>> local/openswan 2.6.38-1
>>
>>     Open Source implementation of IPsec for the Linux operating system
>>
>>
>>
>> VPS2:/etc/ipsec.conf
>>
>>
>>
>> version 2.0
>>
>> config setup
>>
>>
>>
>>     dumpdir=/var/run/pluto/
>>
>>     nat_traversal=yes
>>
>>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.200.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>
>>     oe=off
>>
>>     protostack=netkey
>>
>>
>>
>> conn home.ariens.ca
>>
>>
>>
>>     authby=secret
>>
>>     left=173.254.195.244
>>
>>     leftsourceip=192.168.200.10
>>
>>     leftsubnet=0/0
>>
>>     right=216.58.86.104
>>
>>     rightsubnet=10.0.0.0/8
>>
>>     auto=start
>>
>>
>>
>> conn vps1
>>
>>
>>
>>     authby=secret
>>
>>     left=173.254.195.244
>>
>>     leftsourceip=192.168.200.10
>>
>>     leftsubnet=192.168.200.10/32
>>
>>     right=64.237.39.24
>>
>>     rightsubnet=192.168.100.10/32
>>
>>     auto=start
>>
>>
>>
>> VPS1:/etc/ipsec.conf
>>
>>
>>
>> version 2.0
>>
>>
>>
>> config setup
>>
>>
>>
>>     dumpdir=/var/run/pluto/
>>
>>     nat_traversal=yes
>>
>>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.100.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>
>>     oe=off
>>
>>     protostack=netkey
>>
>>
>>
>> conn home.ariens.ca
>>
>>
>>
>>     authby=secret
>>
>>     left=64.237.39.24
>>
>>     leftsourceip=192.168.100.10
>>
>>     leftsubnet=0/0
>>
>>     right=216.58.86.104
>>
>>     rightsubnet=10.0.0.0/8
>>
>>     auto=start
>>
>>
>>
>> conn vps2
>>
>>     authby=secret
>>
>>     left=64.237.39.24
>>
>>     leftsourceip=192.168.100.10
>>
>>     leftsubnet=192.168.100.10/32
>>
>>     right=173.254.195.244
>>
>>     rightsubnet=192.168.200.10/32
>>
>>     auto=start
>>
>>
>>
>> Logs from VPS1:
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [Openswan (this version)
>> 2.6.38 ]
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set
>> to=115
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: responding
>> to Main Mode
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
>> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
>> STATE_MAIN_R1: sent MR1, expecting MI2
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: Main mode
>> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition
>> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>
>> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17:
>> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
>> Vendor ID payload [Openswan (this version) 2.6.38 ]
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
>> Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
>> Vendor ID payload [RFC 3947] method set to=115
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: enabling
>> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
>> STATE_MAIN_I2: sent MI2, expecting MR2
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
>> STATE_MAIN_I3: sent MI3, expecting MR3
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received
>> Vendor ID payload [CAN-IKEv2]
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: Main mode
>> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition
>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>
>> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16:
>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
>> SA with MSGID:0xf86c4eb8
>>
>> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received
>> Delete SA payload: deleting ISAKMP State #13
>>
>> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received and ignored informational message
>>
>> Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating
>> Main Mode to replace #16
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [Openswan (this version)
>> 2.6.38 ]
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set
>> to=115
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: responding
>> to Main Mode
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
>> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
>> STATE_MAIN_R1: sent MR1, expecting MI2
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: Main mode
>> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition
>> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>
>> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20:
>> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
>> Vendor ID payload [Openswan (this version) 2.6.38 ]
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
>> Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
>> Vendor ID payload [RFC 3947] method set to=115
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: enabling
>> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
>> STATE_MAIN_I2: sent MI2, expecting MR2
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
>> STATE_MAIN_I3: sent MI3, expecting MR3
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received
>> Vendor ID payload [CAN-IKEv2]
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: Main mode
>> peer ID is ID_IPV4_ADDR: '173.254.195.244'
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition
>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>
>> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19:
>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
>> SA with MSGID:0x4a2e1ab1
>>
>> Jun 27 01:05:27 vps1.layerzero.ca pluto[28819]: packet from
>> 173.254.195.244:500: Informational Exchange is for an unknown (expired?)
>> SA with MSGID:0x999b390f
>>
>> Logs for VPS2:
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: initiating
>> Main Mode to replace #11
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
>> Vendor ID payload [Openswan (this version) 2.6.38 ]
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
>> Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
>> Vendor ID payload [RFC 3947] method set to=115
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: enabling
>> possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
>> STATE_MAIN_I2: sent MI2, expecting MR2
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
>> STATE_MAIN_I3: sent MI3, expecting MR3
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received
>> Vendor ID payload [CAN-IKEv2]
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: Main mode
>> peer ID is ID_IPV4_ADDR: '64.237.39.24'
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition
>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>
>> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13:
>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload [Openswan (this version)
>> 2.6.38 ]
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload [Dead Peer Detection]
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload [RFC 3947] method set to=115
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-00]
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: responding
>> to Main Mode
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
>> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
>> STATE_MAIN_R1: sent MR1, expecting MI2
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
>> NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT
>> detected
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
>> STATE_MAIN_R2: sent MR2, expecting MI3
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: Main mode
>> peer ID is ID_IPV4_ADDR: '64.237.39.24'
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition
>> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>
>> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14:
>> STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>> cipher=aes_128 prf=oakley_sha group=modp2048}
>>
>> Jun 27 00:09:34 vps2.layerzero.ca pluto[29906]: packet from
>> 64.237.39.24:500: Informational Exchange is for an unknown (expired?) SA
>> with MSGID:0xb8f1bbda
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> www.ariens.ca
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> www.ariens.ca
>



-- 
www.ariens.ca
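
A small triage script for the pattern visible in the vps1 logs above, added here as an example and not part of the original thread: it flags a connection where an initiator-side (STATE_MAIN_I4) and a responder-side (STATE_MAIN_R3) ISAKMP SA are both established within a short window, and collects the "unknown (expired?) SA" informationals that follow. The sample lines are copied from the post and unwrapped to one event per line; the function name `triage`, the 60-second window and the year argument are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog prefix as it appears in the post: "Jun 27 13:46:39 host pluto[pid]: msg"
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# Final Main Mode state on each side: I4 = we initiated, R3 = we responded
ESTABLISHED = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_MAIN_(?P<role>I4|R3): '
    r'.*ISAKMP SA established')
UNKNOWN_SA = re.compile(
    r'Informational Exchange is for an unknown \(expired\?\) SA '
    r'with MSGID:(0x[0-9a-fA-F]+)')

# Lines taken from the vps1 log in the post, unwrapped (one event per line)
SAMPLE_LOG = """\
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: initiating Main Mode to replace #5
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: responding to Main Mode
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 13:51:04 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x58fb6264
Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: "vps2" #5: received Delete SA payload: deleting ISAKMP State #5
"""


def triage(log, year=2013, window=timedelta(seconds=60)):
    """Return overlapping initiator/responder ISAKMP SAs and unknown-SA MSGIDs.

    overlaps: (conn, first_sa, second_sa, seconds_apart) for each pair of
    ISAKMP SAs on the same connection, established in opposite roles
    within `window`. Syslog timestamps carry no year, so one is supplied.
    """
    established, unknown = [], []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a pluto line, or a wrapped continuation
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        est = ESTABLISHED.match(m["msg"])
        if est:
            established.append(
                (when, est["conn"], int(est["sa"]), est["role"]))
            continue
        unk = UNKNOWN_SA.search(m["msg"])
        if unk:
            unknown.append(unk.group(1))

    overlaps = []
    for i, (a_when, a_conn, a_sa, a_role) in enumerate(established):
        for b_when, b_conn, b_sa, b_role in established[i + 1:]:
            gap = abs(b_when - a_when)
            if a_conn == b_conn and a_role != b_role and gap <= window:
                overlaps.append(
                    (a_conn, a_sa, b_sa, int(gap.total_seconds())))
    return {"overlaps": overlaps, "unknown_sa_msgids": unknown}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against the real log file, the input must be the unwrapped syslog lines rather than the line-wrapped copy in the mail archive, since continuation lines are skipped.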