[Openswan Users] Established Tunnel Not Passing Traffic
Dave Ariens
dave at ariens.ca
Thu Jun 27 23:04:15 UTC 2013
Could my trying to ping the other end have allowed the ESP protocol / UDP
packets in somehow?
On Thu, Jun 27, 2013 at 5:24 PM, Dave Ariens <dave at ariens.ca> wrote:
> I checked my iptables on the two end points and I only had:
>
> -A INPUT -s 216.58.86.104/32 -i eth0 -p esp -j ACCEPT
> -A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
> -A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
>
> ...which was for the original tunnel that's been working fine, not the one
> between my two OpenSwan instances.
>
> Adding the other end of the tunnel seems to have restored connectivity
> across the tunnel, although I don't see any logs from Pluto after I made
> the change.
>
> How could the tunnel possibly have been established in the first place
> without allowing esp/500/4500?
>
> On Thu, Jun 27, 2013 at 3:46 PM, Neal Murphy <neal.p.murphy at alum.wpi.edu> wrote:
>
>> It may be nothing, but why don't I see states QUICK_I1/R1/I2/R2? Possibly
>> mismatched params between the two ends? (Unless your method doesn't use
>> them.)
>>
>>
>> On Thursday, June 27, 2013 02:42:26 PM Dave Ariens wrote:
>> > I spoke too soon... Nothing can traverse the tunnel.
>> >
>> > Here are some logs for vps1 during the time that traffic stopped...
>> >
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: initiating Main Mode to replace #5
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [Dead Peer Detection]
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [RFC 3947] method set to=115
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I2: sent MI2, expecting MR2
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I3: sent MI3, expecting MR3
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: received Vendor ID payload [CAN-IKEv2]
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> > Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: responding to Main Mode
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R1: sent MR1, expecting MI2
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R2: sent MR2, expecting MI3
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> > Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > Jun 27 13:51:04 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x58fb6264
>> > Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: "vps2" #5: received Delete SA payload: deleting ISAKMP State #5
>> > Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: received and ignored informational message
>> >
>> > On Thu, Jun 27, 2013 at 2:04 PM, Dave Ariens <dave at ariens.ca> wrote:
>> > > So far so good. After applying the rekeys=yes to the connections, I
>> > > restarted (systemctl restart openswan) yet the problem seemed to recur
>> > > twice. I then performed an ipsec auto --delete vps1/2 respectively,
>> then
>> > > an add, then a restart--and it's been fine since. Looking into the
>> > > systemd scripts, it looks like a restart is a stop then a start (ipsec
>> > > _realsetup then stop ipsec _realsetup start).
>> > >
>> > > Could there be any artifacts of the previously established tunnel
>> around
>> > > _somehow_? There's lots I don't understand about IPsec but can you
>> > > enlighten me about what's going on?
>> > >
>> > > On Thu, Jun 27, 2013 at 11:35 AM, <dave at ariens.ca> wrote:
>> > >> I will give that a shot. When I read up on it I understood that it
>> was
>> > >> defaulted to 'yes'.
>> > >>
>> > >> Thanks
>> > >>
>> > >> www.ariens.ca
>> > >>
>> > >> From: Giovanni Carbone
>> > >> Sent: Thursday, June 27, 2013 11:20 AM
>> > >> To: Dave Ariens; users at lists.openswan.org
>> > >> Subject: RE: [Openswan Users] Established Tunnel Not Passing Traffic
>> > >>
>> > >> Try adding “rekey=yes” in the conn(s).
>> > >>
>> > >> Example:
>> > >>
>> > >> conn vps1
>> > >>     authby=secret
>> > >>     left=173.254.195.244
>> > >>     leftsourceip=192.168.200.10
>> > >>     leftsubnet=192.168.200.10/32
>> > >>     right=64.237.39.24
>> > >>     rightsubnet=192.168.100.10/32
>> > >>     auto=start
>> > >>     rekey=yes
>> > >>
>> > >> From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Dave Ariens
>> > >> Sent: Thursday, June 27, 2013 4:26 PM
>> > >> To: users at lists.openswan.org
>> > >> Subject: [Openswan Users] Established Tunnel Not Passing Traffic
>> > >>
>> > >> Hey there guys (first time posting),
>> > >>
>> > >> I have two servers (VPS), one on the US east coast, another on the US west
>> > >> coast. They both have an IPsec tunnel to my Juniper SRX firewall (on my
>> > >> home network in Ontario, Canada). This tunnel is rock solid and I never
>> > >> have any issues with it.
>> > >>
>> > >> I'm trying to configure an OpenSwan IPsec tunnel between the two VMs,
>> > >> and it's up and running: I can ping through the tunnel, but some time
>> > >> afterwards traffic is unable to pass (the tunnel remains established).
>> > >>
>> > >> This is really just a plain vanilla OpenSwan to OpenSwan implementation;
>> > >> below are some config details and some logs.
>> > >>
>> > >> Can anyone help me identify why the tunnel stops passing traffic after
>> > >> some time (< 15 minutes)? I know the traffic stopped shortly after
>> > >> midnight this morning (see logs below).
>> > >>
>> > >> [ariens at vps1 ~]$ pacman -Qs openswan
>> > >> local/openswan 2.6.38-1
>> > >>     Open Source implementation of IPsec for the Linux operating system
>> > >>
>> > >> VPS2:/etc/ipsec.conf
>> > >>
>> > >> version 2.0
>> > >>
>> > >> config setup
>> > >>     dumpdir=/var/run/pluto/
>> > >>     nat_traversal=yes
>> > >>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.200.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>> > >>     oe=off
>> > >>     protostack=netkey
>> > >>
>> > >> conn home.ariens.ca
>> > >>     authby=secret
>> > >>     left=173.254.195.244
>> > >>     leftsourceip=192.168.200.10
>> > >>     leftsubnet=0/0
>> > >>     right=216.58.86.104
>> > >>     rightsubnet=10.0.0.0/8
>> > >>     auto=start
>> > >>
>> > >> conn vps1
>> > >>     authby=secret
>> > >>     left=173.254.195.244
>> > >>     leftsourceip=192.168.200.10
>> > >>     leftsubnet=192.168.200.10/32
>> > >>     right=64.237.39.24
>> > >>     rightsubnet=192.168.100.10/32
>> > >>     auto=start
>> > >>
>> > >> VPS1:/etc/ipsec.conf
>> > >>
>> > >> version 2.0
>> > >>
>> > >> config setup
>> > >>     dumpdir=/var/run/pluto/
>> > >>     nat_traversal=yes
>> > >>     virtual_private=%v4:10.0.0.0/8,%v4:!192.168.100.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>> > >>     oe=off
>> > >>     protostack=netkey
>> > >>
>> > >> conn home.ariens.ca
>> > >>     authby=secret
>> > >>     left=64.237.39.24
>> > >>     leftsourceip=192.168.100.10
>> > >>     leftsubnet=0/0
>> > >>     right=216.58.86.104
>> > >>     rightsubnet=10.0.0.0/8
>> > >>     auto=start
>> > >>
>> > >> conn vps2
>> > >>     authby=secret
>> > >>     left=64.237.39.24
>> > >>     leftsourceip=192.168.100.10
>> > >>     leftsubnet=192.168.100.10/32
>> > >>     right=173.254.195.244
>> > >>     rightsubnet=192.168.200.10/32
>> > >>     auto=start
>> > >>
>> > >> Logs from VPS1:
>> > >>
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: responding to Main Mode
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R1: sent MR1, expecting MI2
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R2: sent MR2, expecting MI3
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> > >> Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I2: sent MI2, expecting MR2
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I3: sent MI3, expecting MR3
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor ID payload [CAN-IKEv2]
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> > >> Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xf86c4eb8
>> > >> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received Delete SA payload: deleting ISAKMP State #13
>> > >> Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received and ignored informational message
>> > >> Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating Main Mode to replace #16
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: responding to Main Mode
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R1: sent MR1, expecting MI2
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R2: sent MR2, expecting MI3
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> > >> Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I2: sent MI2, expecting MR2
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I3: sent MI3, expecting MR3
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor ID payload [CAN-IKEv2]
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: Main mode peer ID is ID_IPV4_ADDR: '173.254.195.244'
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> > >> Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x4a2e1ab1
>> > >> Jun 27 01:05:27 vps1.layerzero.ca pluto[28819]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x999b390f
>> > >>
>> > >> Logs for VPS2:
>> > >>
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: initiating Main Mode to replace #11
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I2: sent MI2, expecting MR2
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I3: sent MI3, expecting MR3
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor ID payload [CAN-IKEv2]
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: Main mode peer ID is ID_IPV4_ADDR: '64.237.39.24'
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> > >> Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [Dead Peer Detection]
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [RFC 3947] method set to=115
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: responding to Main Mode
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R1: sent MR1, expecting MI2
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R2: sent MR2, expecting MI3
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: Main mode peer ID is ID_IPV4_ADDR: '64.237.39.24'
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> > >> Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
>> > >> Jun 27 00:09:34 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xb8f1bbda
>> > >>
>> > >> --
>> > >> www.ariens.ca
>> > >>
>> > >> Privacy notice - Pursuant to D. Lgs n. 196/2003 (Privacy Code), we
>> > >> point out that the information contained in this message is
>> > >> confidential and for the exclusive use of the recipient. Any
>> > >> unauthorised use, copying or distribution is prohibited and punishable
>> > >> under the law. Reitek is not responsible for any unauthorised copies or
>> > >> distributions. If you have received this message in error, please
>> > >> delete it and inform the sender. Thank you.
>> > >
>> > > --
>> > > www.ariens.ca
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
>
>
> --
> www.ariens.ca
>
--
www.ariens.ca
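Neal's question in the thread is the one to keep asking when a tunnel "is up" but passes nothing: every log excerpt above ends at STATE_MAIN_I4 / STATE_MAIN_R3 (the ISAKMP, phase 1 SA) and never reaches STATE_QUICK_I2 / STATE_QUICK_R2 (the IPsec, phase 2 SA that actually carries ESP). The following parser is an added example, not code from the thread or from the Openswan project: it walks pluto syslog lines, records which ISAKMP and IPsec SAs were established per connection, flags connections that only ever completed phase 1, and counts the "Informational Exchange is for an unknown (expired?) SA" messages that appear just before each outage. The first sample is taken from the vps1 lines quoted above; the second sample (host name, PID, conn name, SPIs and the Quick Mode message wording) is constructed for the example, modelled on Openswan 2.6 output, so that a healthy connection can be compared with the failing one.

```python
"""Summarise Openswan pluto syslog lines by IKE state: which ISAKMP (phase 1)
SAs finished Main Mode, which IPsec (phase 2) SAs finished Quick Mode, and
which connections only ever completed phase 1 and therefore carry no traffic."""
import re
from collections import defaultdict

# pluto tags state-bound messages with the conn name and a state number;
# messages that arrive before any state exists are logged as "packet from ...".
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
PACKET_RE = re.compile(r'pluto\[\d+\]: packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
DELETE_RE = re.compile(r'deleting ISAKMP State #(\d+)')

# Lines quoted in the thread (vps1, 13:46-13:51): Main Mode completes twice,
# no Quick Mode ever follows, then the peer reports an unknown SA.
THREAD_LOG = """\
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: initiating Main Mode to replace #5
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 13:46:39 vps1.layerzero.ca pluto[32576]: "vps2" #8: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: responding to Main Mode
Jun 27 13:47:01 vps1.layerzero.ca pluto[32576]: "vps2" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 27 13:51:04 vps1.layerzero.ca pluto[32576]: packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x58fb6264
Jun 27 13:51:09 vps1.layerzero.ca pluto[32576]: "vps2" #5: received Delete SA payload: deleting ISAKMP State #5
"""

# Constructed sample (not from the thread), modelled on Openswan 2.6 output:
# host, PID, conn name, msgid and SPIs are made up. Shows a connection that
# goes on to complete Quick Mode and install an IPsec SA.
HEALTHY_LOG = """\
Jun 28 09:00:00 gw-a.example pluto[4242]: "site-b" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 28 09:00:00 gw-a.example pluto[4242]: "site-b" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:1a2b3c4d proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 28 09:00:00 gw-a.example pluto[4242]: "site-b" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 28 09:00:00 gw-a.example pluto[4242]: "site-b" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0000aaaa <0x0000bbbb xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""


def analyze(lines):
    """Return a summary dict built from an iterable of pluto syslog lines."""
    isakmp = {}                    # state number -> conn, SAs that finished Main Mode
    ipsec = {}                     # state number -> conn, SAs that finished Quick Mode
    deleted = set()                # ISAKMP state numbers torn down by a Delete payload
    unknown_sa = defaultdict(int)  # peer address -> informational msgs for unknown SAs
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            conn, num, msg = m.group('conn'), int(m.group('num')), m.group('msg')
            if 'ISAKMP SA established' in msg:
                isakmp[num] = conn
            elif 'IPsec SA established' in msg:
                ipsec[num] = conn
            else:
                d = DELETE_RE.search(msg)
                if d:
                    deleted.add(int(d.group(1)))
            continue
        m = PACKET_RE.search(line)
        if m and m.group('msg').startswith('Informational Exchange is for an unknown'):
            unknown_sa[m.group('peer')] += 1
    # An ISAKMP SA is only the key-management channel; until a Quick Mode
    # exchange installs an IPsec SA on the same conn, no ESP traffic flows.
    conns_with_ipsec = set(ipsec.values())
    return {
        'isakmp_established': sorted(isakmp.items()),
        'ipsec_established': sorted(ipsec.items()),
        'phase1_only': sorted((n, c) for n, c in isakmp.items() if c not in conns_with_ipsec),
        'deleted': sorted(deleted),
        'unknown_sa_informational': dict(unknown_sa),
    }


if __name__ == '__main__':
    for label, log in (('thread (vps1)', THREAD_LOG), ('constructed healthy', HEALTHY_LOG)):
        summary = analyze(log.splitlines())
        print(f'== {label} ==')
        for key, value in summary.items():
            print(f'  {key}: {value}')
```

Run against the thread's lines the report lists both ISAKMP states (#8 and #9) under `phase1_only` and one unknown-SA informational message from 173.254.195.244; against the constructed sample `phase1_only` is empty because state #2 installed an IPsec SA for the same conn. In practice the same walk over a day of pluto logs separates "Main Mode keeps re-establishing but Quick Mode never completes" (a phase 2 proposal or subnet mismatch, or a firewall that lets IKE through but not ESP) from "both phases complete and then expire", which is the rekey question Giovanni raised.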