[Openswan Users] Established Tunnel Not Passing Traffic

Dave Ariens dave at ariens.ca
Thu Jun 27 21:24:38 UTC 2013


I checked my iptables on the two end points and I only had:

-A INPUT -s 216.58.86.104/32 -i eth0 -p esp -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT

...which was for the original tunnel that's been working fine, not the one
between my two OpenSwan instances.

Adding the other end of the tunnel seems to have restored connectivity
across the tunnel, although I don't see any logs from Pluto after I made
the change.

How could the tunnel possibly have been established in the first place
without allowing esp/500/4500?




On Thu, Jun 27, 2013 at 3:46 PM, Neal Murphy <neal.p.murphy at alum.wpi.edu> wrote:

> It may be nothing, but why don't I see states QUICK_I1/R1/I2/R2? Possibly
> mismatched params between the two ends? (Unless your method doesn't use
> them.)
>
>
> On Thursday, June 27, 2013 02:42:26 PM Dave Ariens wrote:
> > I spoke too soon... Nothing can traverse the tunnel.
> >
> > Here's some logs for vps1 during the time that traffic stopped...
> >
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: initiating Main Mode to replace #5
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [Dead Peer Detection]
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [RFC 3947] method set to=115
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I2: sent MI2, expecting MR2
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I3: sent MI3, expecting MR3
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [CAN-IKEv2]
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: responding to Main Mode
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R1: sent MR1, expecting MI2
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R2: sent MR2, expecting MI3
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > Jun 27 13:51:04 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x58fb6264
> > Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: "vps2" #5: received Delete SA payload: deleting ISAKMP State #5
> > Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received and ignored informational message
> >
> > On Thu, Jun 27, 2013 at 2:04 PM, Dave Ariens <dave at ariens.ca> wrote:
> > > So far so good.  After applying the rekeys=yes to the connections, I
> > > restarted (systemctl restart openswan) yet the problem seemed to recur
> > > twice.  I then performed an ipsec auto --delete vps1/2 respectively, then
> > > an add, then a restart--and it's been fine since.  Looking into the
> > > systemd scripts, it looks like a restart is a stop then a start (ipsec
> > > _realsetup then stop ipsec _realsetup start).
> > >
> > > Could there be any artifacts of the previously established tunnel around
> > > _somehow_?   There's lots I don't understand about IPsec but can you
> > > enlighten me about what's going on?
> > >
> > > On Thu, Jun 27, 2013 at 11:35 AM, <dave at ariens.ca> wrote:
> > >> I will give that a shot. When I read up on it I understood that it was
> > >> defaulted to 'yes'.
> > >>
> > >> Thanks
> > >>
> > >>  www.ariens.ca
> > >>
> > >>   *From: *Giovanni Carbone
> > >>
> > >> *Sent: *Thursday, June 27, 2013 11:20 AM
> > >> *To: *Dave Ariens; users at lists.openswan.org
> > >> *Subject: *RE: [Openswan Users] Established Tunnel Not Passing Traffic
> > >>
> > >>  Try adding “rekey=yes” in the conn(s).
> > >>
> > >> Example:
> > >>
> > >>
> > >>
> > >> conn vps1
> > >>
> > >>     authby=secret
> > >>
> > >>     left=173.254.195.244
> > >>
> > >>     leftsourceip=192.168.200.10
> > >>
> > >>     leftsubnet=192.168.200.10/32
> > >>
> > >>     right=64.237.39.24
> > >>
> > >>     rightsubnet=192.168.100.10/32
> > >>
> > >>     auto=start
> > >>
> > >>     rekey=yes
> > >>
> > >> *From:* users-bounces at lists.openswan.org [mailto:
> > >> users-bounces at lists.openswan.org] *On Behalf Of *Dave Ariens
> > >> *Sent:* Thursday, June 27, 2013 4:26 PM
> > >> *To:* users at lists.openswan.org
> > >> *Subject:* [Openswan Users] Established Tunnel Not Passing Traffic
> > >>
> > >>
> > >>
> > >> Hey there guys (first time posting),
> > >>
> > >> I have two servers (VPS) one on the US east coast, another on US west
> > >> coast.  They both have an IPsec tunnel to my Juniper SRX firewall (on my
> > >> home network in Ontario, Canada).  This tunnel is rock solid and I never
> > >> have any issues with it.
> > >>
> > >> I'm trying to configure an OpenSwan IPsec tunnel between the two VMs,
> > >> and it's up and running, I can ping through the tunnel, but some time
> > >> afterwards, traffic is unable to pass (tunnel remains established).
> > >>
> > >> This is really just a plain vanilla OpenSwan to OpenSwan implementation,
> > >> below are some config details, and some logs.
> > >>
> > >> Can anyone help me identify why the tunnel stops passing traffic after
> > >> some time < 15 minutes.  I know the traffic stopped shortly after
> > >> midnight this morning (see logs below)
> > >>
> > >>
> > >>
> > >> [ariens@vps1 ~]$ pacman -Qs openswan
> > >>
> > >> local/openswan 2.6.38-1
> > >>
> > >>     Open Source implementation of IPsec for the Linux operating system
> > >>
> > >> VPS2:/etc/ipsec.conf
> > >>
> > >>
> > >>
> > >> version 2.0
> > >>
> > >> config setup
> > >>
> > >>     dumpdir=/var/run/pluto/
> > >>
> > >>     nat_traversal=yes
> > >>
> > >>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.200.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> > >>
> > >>     oe=off
> > >>
> > >>     protostack=netkey
> > >>
> > >> conn home.ariens.ca
> > >>
> > >>     authby=secret
> > >>
> > >>     left=173.254.195.244
> > >>
> > >>     leftsourceip=192.168.200.10
> > >>
> > >>     leftsubnet=0/0
> > >>
> > >>     right=216.58.86.104
> > >>
> > >>     rightsubnet=10.0.0.0/8
> > >>
> > >>     auto=start
> > >>
> > >> conn vps1
> > >>
> > >>     authby=secret
> > >>
> > >>     left=173.254.195.244
> > >>
> > >>     leftsourceip=192.168.200.10
> > >>
> > >>     leftsubnet=192.168.200.10/32
> > >>
> > >>     right=64.237.39.24
> > >>
> > >>     rightsubnet=192.168.100.10/32
> > >>
> > >>     auto=start
> > >>
> > >> VPS1:/etc/ipsec.conf
> > >>
> > >>
> > >>
> > >> version 2.0
> > >>
> > >>
> > >>
> > >> config setup
> > >>
> > >>     dumpdir=/var/run/pluto/
> > >>
> > >>     nat_traversal=yes
> > >>
> > >>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.100.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> > >>
> > >>     oe=off
> > >>
> > >>     protostack=netkey
> > >>
> > >> conn home.ariens.ca
> > >>
> > >>     authby=secret
> > >>
> > >>     left=64.237.39.24
> > >>
> > >>     leftsourceip=192.168.100.10
> > >>
> > >>     leftsubnet=0/0
> > >>
> > >>     right=216.58.86.104
> > >>
> > >>     rightsubnet=10.0.0.0/8
> > >>
> > >>     auto=start
> > >>
> > >> conn vps2
> > >>
> > >>     authby=secret
> > >>
> > >>     left=64.237.39.24
> > >>
> > >>     leftsourceip=192.168.100.10
> > >>
> > >>     leftsubnet=192.168.100.10/32
> > >>
> > >>     right=173.254.195.244
> > >>
> > >>     rightsubnet=192.168.200.10/32
> > >>
> > >>     auto=start
> > >>
> > >> Logs from VPS1:
> > >>
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: responding to Main Mode
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R1: sent MR1, expecting MI2
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R2: sent MR2, expecting MI3
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I2: sent MI2, expecting MR2
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I3: sent MI3, expecting MR3
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [CAN-IKEv2]
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xf86c4eb8
> > >> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received Delete SA payload: deleting ISAKMP State #13
> > >> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received and ignored informational message
> > >> Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating Main Mode to replace #16
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: responding to Main Mode
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R1: sent MR1, expecting MI2
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R2: sent MR2, expecting MI3
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I2: sent MI2, expecting MR2
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I3: sent MI3, expecting MR3
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [CAN-IKEv2]
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x4a2e1ab1
> > >> Jun 27 01:05:27 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x999b390f
> > >>
> > >> Logs for VPS2:
> > >>
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: initiating Main Mode to replace #11
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I2: sent MI2, expecting MR2
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I3: sent MI3, expecting MR3
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [CAN-IKEv2]
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: Main mode peer ID is ID_IPV4_ADDR: '64.237.39.24'
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [Dead Peer Detection]
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [RFC 3947] method set to=115
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: responding to Main Mode
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R1: sent MR1, expecting MI2
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R2: sent MR2, expecting MI3
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: Main mode peer ID is ID_IPV4_ADDR: '64.237.39.24'
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> > >> Jun 27 00:09:34 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xb8f1bbda
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >>
> > >> www.ariens.ca
> > >>
> > >>
> > >>
> > >>
> > >
> > > --
> > > www.ariens.ca



-- 
www.ariens.ca
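
An added example, not part of the original thread or of Openswan: a small audit that cross-checks the `right=` peers in an `ipsec.conf` against `iptables -S` style INPUT rules and reports which peers lack an explicit ACCEPT for ESP, UDP 500 and UDP 4500, the gap described at the top of this message. The sample inputs are constructed from values quoted in the thread; the function names are hypothetical, and the parser assumes the remote peer is always `right=` and ignores negated and state-matching rules.

```python
import ipaddress
import shlex

# Constructed sample input, built from the rules and conn sections quoted in the thread.
IPTABLES_RULES = """\
-A INPUT -s 216.58.86.104/32 -i eth0 -p esp -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
"""
IPSEC_CONF = """\
version 2.0
config setup
    protostack=netkey
conn home.ariens.ca
    left=64.237.39.24
    right=216.58.86.104
    auto=start
conn vps2
    left=64.237.39.24
    right=173.254.195.244
    auto=start
"""
REQUIRED = ("esp", "udp/500", "udp/4500")  # ESP, IKE, NAT-T


def parse_peers(conf_text):
    """Return {conn_name: value of right=} for every conn section."""
    peers, conn = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif line.startswith("config "):
            conn = None
        elif conn and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "right":
                peers[conn] = value
    return peers


def parse_accept_rules(rules_text):
    """Return [(source_network, services)] for explicit INPUT ACCEPT rules."""
    rules = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        # Skip other chains, negated matches, and conntrack/state rules:
        # the latter only admit replies, not a peer's new inbound IKE or ESP.
        if tok[:2] != ["-A", "INPUT"] or {"!", "--state", "--ctstate"} & set(tok):
            continue
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1])
                if t in ("-s", "-p", "--dport", "-j")}
        if opts.get("-j") != "ACCEPT":
            continue
        proto, dport = opts.get("-p"), opts.get("--dport")
        if proto in ("esp", "50"):
            services = {"esp"}
        elif proto == "udp" and dport in (None, "500", "4500"):
            services = {"udp/500", "udp/4500"} if dport is None else {"udp/" + dport}
        else:
            continue
        net = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        rules.append((net, services))
    return rules


def missing_rules(conf_text, rules_text):
    """Return {conn: [required services with no ACCEPT rule for that peer]}."""
    rules = parse_accept_rules(rules_text)
    report = {}
    for conn, peer in parse_peers(conf_text).items():
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            continue  # %any, hostnames and similar are out of scope here
        covered = set()
        for net, services in rules:
            if addr in net:
                covered |= services
        missing = [s for s in REQUIRED if s not in covered]
        if missing:
            report[conn] = missing
    return report


if __name__ == "__main__":
    for conn, gaps in missing_rules(IPSEC_CONF, IPTABLES_RULES).items():
        print(f"conn {conn}: no INPUT ACCEPT for {', '.join(gaps)}")
```

On a live host the two inputs would come from `iptables -S INPUT` and `/etc/ipsec.conf` on each endpoint.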