[Openswan Users] IPSec tunnel not working (EVENT_CRYPTO_FAILED, INVALID_COOKIE)
Suraj Mundada
surajmundada at gmail.com
Thu Apr 16 23:55:59 EDT 2015
Hi,
I am trying to set up an IPSec tunnel between my VPS and a partner network.
My VPS is a CentOS 6 server with a static public IP 69.39.93.93. For the
partner network, I have a peer IP address and a NAT address for the actual
server.
I have configured my IPSec connection as follows:
shell>yum install openswan lsof
shell>vi /etc/sysctl.conf
shell>set net.ipv4.ip_forward = 1
shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT
shell>iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
shell>iptables -A INPUT -p udp --dport 4500 -j ACCEPT
shell>iptables -t nat -A POSTROUTING -s 69.39.93.93/24 -j MASQUERADE
shell>route add -host 103.225.112.7 gw 69.39.93.93
shell>/sbin/service iptables save
shell>service iptables restart
shell>/etc/init.d/ipsec restart
shell>ip route
103.225.112.27 via 69.39.93.93 dev eth0 scope link
69.39.92.0/23 dev eth0 proto kernel scope link src 69.39.93.93
69.39.0.0/16 dev eth0 scope link metric 1002
69.39.0.0/16 dev eth1 scope link metric 1003
default via 69.39.92.1 dev eth0
shell>service ipsec status
IPsec running - pluto pid: 8925
pluto pid 8925
No tunnels up
shell>ipsec auto --status
## output truncated ##
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93<69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===103.225.112.27/32; prospective erouted; eroute owner: #0
000 "prod_cibil_ipsec": myip=unset; hisip=unset;
000 "prod_cibil_ipsec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "prod_cibil_ipsec": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "prod_cibil_ipsec": dpd: action:clear; delay:0; timeout:0;
000 "prod_cibil_ipsec": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "prod_cibil_ipsec": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "prod_cibil_ipsec": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "prod_cibil_ipsec": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)
000 "prod_cibil_ipsec": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
When I checked the ipsec log file, I saw two things that I think are the issues:
1. inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17
2. Notify Message Type: INVALID_COOKIE.
Detailed logs and ipsec.conf are attached to the email.
I went through the logs line by line but could not understand the root cause of the
issue.
I need help to identify and fix the issue.
Suraj
-------------- next part --------------
[root@apply ~]# tail -1000f /var/log/pluto.log
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 68 79 4c 64 41 43 65 63 66 61
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 220
| sending 220 bytes for main_outI1 through eth0:500 to 103.225.112.4:500 (using #17)
| deleting event for #17
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #17
| event added at head of queue
| deleting state #16
| deleting event for #16
| no suspended cryptographic state for 16
| ICOOKIE: ce 61 ac 2f 6f a3 b0 c5
| RCOOKIE: fe fb 01 37 88 89 1b fa
| state hash entry 10
| next event EVENT_RETRANSMIT in 10 seconds for #17
|
| *received 128 bytes from 103.225.112.4:500 on eth0 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| b6 a2 01 9b 97 98 4f 70
| responder cookie:
| 85 7d 10 db 58 75 22 c4
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 128
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 85 7d 10 db 58 75 22 c4
| state hash entry 10
| v1 state object not found
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 16
| v1 peer and cookies match on #17, provided msgid 00000000 vs 00000000
| v1 state object #17 found, in STATE_MAIN_I1
| processing connection prod_cibil_ipsec
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 56
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
"prod_cibil_ipsec" #17: received Vendor ID payload [RFC 3947] method set to=109
"prod_cibil_ipsec" #17: ignoring Vendor ID payload [FRAGMENTATION c0000000]
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 44
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 36
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is OAKLEY_AES_CBC]
| ike_alg_enc_ok(ealg=7,key_len=0): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| ike_alg_enc_ok(ealg=7,key_len=128): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| actually looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| line 1: key type PPK_PSK(69.39.93.93) to type PPK_PSK
| 1: compared key 103.225.112.4 to 69.39.93.93 / 103.225.112.4 -> 4
| 2: compared key 69.39.93.93 to 69.39.93.93 / 103.225.112.4 -> 12
| line 1: match=12
| best_match 0>12 best=0x7f861ce8d680 (line=1)
| concluding with best_match=12 best=0x7f861ce8d680 (lineno=1)
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 3600
| Oakley Transform 0 accepted
| sender checking NAT-t: 1 and 109
"prod_cibil_ipsec" #17: enabling possible NAT-traversal with method 4
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 17 (len=2776, pcw_work=1)
| helper 0 read 2768+4/2776 bytes fd: 8
| helper 0 doing build_kenonce op id: 17
| NSS: Value of Prime:
| NSS: Value of base:
| 02
| NSS: generated dh priv and pub keys: 128
| NSS: Local DH secret:
| 00 49 00 10 86 7f 00 00
| NSS: Public DH value sent(computed in NSS):
| NSS: Local DH public value (pointer):
| 10 53 00 10 86 7f 00 00
| Generated nonce:
| 95 55 5c 60 d6 90 75 1f 14 59 58 98 39 5c 5f ec
| crypto helper write of request: cnt=2776<wlen=2776.
| deleting event for #17
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17
| event added after event EVENT_PENDING_PHASE2
| peer supports fragmentation
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 14 seconds
| next event EVENT_PENDING_DDNS in 14 seconds
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#17
| calling callback function 0x7f861c0637d0
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection prod_cibil_ipsec
| **emit ISAKMP Message:
| initiator cookie:
| b6 a2 01 9b 97 98 4f 70
| responder cookie:
| 85 7d 10 db 58 75 22 c4
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| saving DH priv (local secret) and pub key into state struc
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 95 55 5c 60 d6 90 75 1f 14 59 58 98 39 5c 5f ec
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| b6 a2 01 9b 97 98 4f 70
| _natd_hash: rcookie=
| 85 7d 10 db 58 75 22 c4
| _natd_hash: ip= 67 e1 70 04
| _natd_hash: port=500
| _natd_hash: hash= 57 9f 8b 2b 8d 0d 20 8a 45 4c 0e 7c 5c cd 63 b2
| _natd_hash: hash= a1 39 6f 8b
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D_RFC
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 57 9f 8b 2b 8d 0d 20 8a 45 4c 0e 7c 5c cd 63 b2
| NAT-D a1 39 6f 8b
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| b6 a2 01 9b 97 98 4f 70
| _natd_hash: rcookie=
| 85 7d 10 db 58 75 22 c4
| _natd_hash: ip= 68 f5 27 f3
| _natd_hash: port=500
| _natd_hash: hash= 35 eb 02 c8 12 e1 27 73 71 49 d5 bc 35 6d bb b3
| _natd_hash: hash= e1 83 36 ed
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 35 eb 02 c8 12 e1 27 73 71 49 d5 bc 35 6d bb b3
| NAT-D e1 83 36 ed
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 16
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 85 7d 10 db 58 75 22 c4
| state hash entry 10
| inserting state object #17 on chain 10
| peer supports fragmentation
| complete state transition with STF_OK
"prod_cibil_ipsec" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #17
| sending reply packet to 103.225.112.4:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through eth0:500 to 103.225.112.4:500 (using #17)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #17
| event added at head of queue
"prod_cibil_ipsec" #17: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #17
| next event EVENT_RETRANSMIT in 10 seconds for #17
|
| next event EVENT_RETRANSMIT in 0 seconds for #17
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 4 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #17
| sending 228 bytes for EVENT_RETRANSMIT through eth0:500 to 103.225.112.4:500 (using #17)
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #17
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 4 seconds
|
| *received 68 bytes from 103.225.112.4:500 on eth0 (port=500)
| b6 a2 01 9b 97 98 4f 70 85 7d 10 db 58 75 22 c4
| 0b 10 05 00 00 00 00 00 00 00 00 44 00 00 00 28
| 00 00 00 01 00 00 00 04 d0 53 d9 32 ff 7f 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00
| **parse ISAKMP Message:
| initiator cookie:
| b6 a2 01 9b 97 98 4f 70
| responder cookie:
| 85 7d 10 db 58 75 22 c4
| next payload type: ISAKMP_NEXT_N
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 85 7d 10 db 58 75 22 c4
| state hash entry 10
| peer and cookies match on #17, provided msgid 00000000 vs 00000000/00000000
| p15 state object #17 found, in STATE_MAIN_I2
| processing connection prod_cibil_ipsec
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 0
| SPI size: 0
| Notify Message Type: INVALID_COOKIE
"prod_cibil_ipsec" #17: ignoring informational payload, type INVALID_COOKIE msgid=00000000
| info: d0 53 d9 32 ff 7f 00 00 00 00 00 00 00 00 00 00
| info: 00 00 00 00 00 00 00 00 00 00 00 00
| processing informational INVALID_COOKIE (4)
"prod_cibil_ipsec" #17: received and ignored informational message
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 4 seconds
| next event EVENT_PENDING_DDNS in 4 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_RETRANSMIT in 16 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_RETRANSMIT for #17
| next event EVENT_RETRANSMIT in 16 seconds for #17
|
| next event EVENT_RETRANSMIT in 0 seconds for #17
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 44 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #17
| sending 228 bytes for EVENT_RETRANSMIT through eth0:500 to 103.225.112.4:500 (using #17)
| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #17
| event added at head of queue
| next event EVENT_RETRANSMIT in 40 seconds for #17
|
| *received 68 bytes from 103.225.112.4:500 on eth0 (port=500)
| b6 a2 01 9b 97 98 4f 70 85 7d 10 db 58 75 22 c4
| 0b 10 05 00 00 00 00 00 00 00 00 44 00 00 00 28
| 00 00 00 01 00 00 00 04 d0 53 d9 32 ff 7f 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00
| **parse ISAKMP Message:
| initiator cookie:
| b6 a2 01 9b 97 98 4f 70
| responder cookie:
| 85 7d 10 db 58 75 22 c4
| next payload type: ISAKMP_NEXT_N
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 85 7d 10 db 58 75 22 c4
| state hash entry 10
| peer and cookies match on #17, provided msgid 00000000 vs 00000000/00000000
| p15 state object #17 found, in STATE_MAIN_I2
| processing connection prod_cibil_ipsec
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 0
| SPI size: 0
| Notify Message Type: INVALID_COOKIE
"prod_cibil_ipsec" #17: ignoring informational payload, type INVALID_COOKIE msgid=00000000
| info: d0 53 d9 32 ff 7f 00 00 00 00 00 00 00 00 00 00
| info: 00 00 00 00 00 00 00 00 00 00 00 00
| processing informational INVALID_COOKIE (4)
"prod_cibil_ipsec" #17: received and ignored informational message
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 39 seconds for #17
| next event EVENT_RETRANSMIT in 39 seconds for #17
|
| next event EVENT_RETRANSMIT in 0 seconds for #17
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 4 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #17
"prod_cibil_ipsec" #17: max number of retransmissions (2) reached STATE_MAIN_I2
"prod_cibil_ipsec" #17: starting keying attempt 18 of an unlimited number
| creating state object #18 at 0x7f861ce90580
| processing connection prod_cibil_ipsec
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 24
| inserting state object #18 on chain 24
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #18
| event added at head of queue
| processing connection prod_cibil_ipsec
"prod_cibil_ipsec" #18: initiating Main Mode to replace #17
| **emit ISAKMP Message:
| initiator cookie:
| 57 cd f5 53 12 69 3b c0
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 3600
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 68 79 4c 64 41 43 65 63 66 61
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 220
| sending 220 bytes for main_outI1 through eth0:500 to 103.225.112.4:500 (using #18)
| deleting event for #18
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #18
| event added after event EVENT_PENDING_PHASE2
| deleting state #17
| deleting event for #17
| no suspended cryptographic state for 17
| ICOOKIE: b6 a2 01 9b 97 98 4f 70
| RCOOKIE: 85 7d 10 db 58 75 22 c4
| state hash entry 10
| next event EVENT_PENDING_DDNS in 4 seconds
|
| *received 128 bytes from 103.225.112.4:500 on eth0 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 57 cd f5 53 12 69 3b c0
| responder cookie:
| 71 08 c8 74 94 7b 09 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 128
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 71 08 c8 74 94 7b 09 00
| state hash entry 9
| v1 state object not found
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 24
| v1 peer and cookies match on #18, provided msgid 00000000 vs 00000000
| v1 state object #18 found, in STATE_MAIN_I1
| processing connection prod_cibil_ipsec
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 56
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
"prod_cibil_ipsec" #18: received Vendor ID payload [RFC 3947] method set to=109
"prod_cibil_ipsec" #18: ignoring Vendor ID payload [FRAGMENTATION c0000000]
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 44
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 36
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is OAKLEY_AES_CBC]
| ike_alg_enc_ok(ealg=7,key_len=0): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| ike_alg_enc_ok(ealg=7,key_len=128): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| actually looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| line 1: key type PPK_PSK(69.39.93.93) to type PPK_PSK
| 1: compared key 103.225.112.4 to 69.39.93.93 / 103.225.112.4 -> 4
| 2: compared key 69.39.93.93 to 69.39.93.93 / 103.225.112.4 -> 12
| line 1: match=12
| best_match 0>12 best=0x7f861ce8d680 (line=1)
| concluding with best_match=12 best=0x7f861ce8d680 (lineno=1)
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 3600
| Oakley Transform 0 accepted
| sender checking NAT-t: 1 and 109
"prod_cibil_ipsec" #18: enabling possible NAT-traversal with method 4
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 18 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| deleting event for #18
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #18
| event added after event EVENT_PENDING_PHASE2
| peer supports fragmentation
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 4 seconds
| next event EVENT_PENDING_DDNS in 4 seconds
| helper 0 read 2768+4/2776 bytes fd: 8
| helper 0 doing build_kenonce op id: 18
| NSS: Value of Prime:
| NSS: Value of base:
| 02
| NSS: generated dh priv and pub keys: 128
| NSS: Local DH secret:
| 60 3f 00 10 86 7f 00 00
| NSS: Public DH value sent(computed in NSS):
| NSS: Local DH public value (pointer):
| 10 53 00 10 86 7f 00 00
| Generated nonce:
| b9 4d b3 b4 09 a8 2a c7 49 57 88 17 c2 8d 3f 4c
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#18
| calling callback function 0x7f861c0637d0
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection prod_cibil_ipsec
| **emit ISAKMP Message:
| initiator cookie:
| 57 cd f5 53 12 69 3b c0
| responder cookie:
| 71 08 c8 74 94 7b 09 00
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| saving DH priv (local secret) and pub key into state struc
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni b9 4d b3 b4 09 a8 2a c7 49 57 88 17 c2 8d 3f 4c
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| 57 cd f5 53 12 69 3b c0
| _natd_hash: rcookie=
| 71 08 c8 74 94 7b 09 00
| _natd_hash: ip= 67 e1 70 04
| _natd_hash: port=500
| _natd_hash: hash= 7c 28 b6 9e 7b 47 16 07 4f 6d df 62 26 66 9b ab
| _natd_hash: hash= a4 e1 95 70
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D_RFC
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 7c 28 b6 9e 7b 47 16 07 4f 6d df 62 26 66 9b ab
| NAT-D a4 e1 95 70
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| 57 cd f5 53 12 69 3b c0
| _natd_hash: rcookie=
| 71 08 c8 74 94 7b 09 00
| _natd_hash: ip= 68 f5 27 f3
| _natd_hash: port=500
| _natd_hash: hash= 0f c9 16 f3 9a 33 b1 90 3c 90 76 24 6d 9b 13 7e
| _natd_hash: hash= b4 4e 45 49
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 0f c9 16 f3 9a 33 b1 90 3c 90 76 24 6d 9b 13 7e
| NAT-D b4 4e 45 49
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 24
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 71 08 c8 74 94 7b 09 00
| state hash entry 9
| inserting state object #18 on chain 9
| peer supports fragmentation
| complete state transition with STF_OK
"prod_cibil_ipsec" #18: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #18
| sending reply packet to 103.225.112.4:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through eth0:500 to 103.225.112.4:500 (using #18)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #18
| event added after event EVENT_PENDING_PHASE2
"prod_cibil_ipsec" #18: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 4 seconds
| next event EVENT_PENDING_DDNS in 4 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_RETRANSMIT for #18
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_RETRANSMIT in 6 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| pending review: connection "prod_cibil_ipsec" checked
| checking connection "prod_cibil_ipsec" for stuck phase 2s (1429183984+ 3*0) <= 1429185184
| next event EVENT_RETRANSMIT in 6 seconds for #18
|
| next event EVENT_RETRANSMIT in 0 seconds for #18
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 54 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #18
| sending 228 bytes for EVENT_RETRANSMIT through eth0:500 to 103.225.112.4:500 (using #18)
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #18
| event added at head of queue
| next event EVENT_RETRANSMIT in 20 seconds for #18
|
| *received 68 bytes from 103.225.112.4:500 on eth0 (port=500)
| 57 cd f5 53 12 69 3b c0 71 08 c8 74 94 7b 09 00
| 0b 10 05 00 00 00 00 00 00 00 00 44 00 00 00 28
| 00 00 00 01 00 00 00 04 d0 53 d9 32 ff 7f 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00
| **parse ISAKMP Message:
| initiator cookie:
| 57 cd f5 53 12 69 3b c0
| responder cookie:
| 71 08 c8 74 94 7b 09 00
| next payload type: ISAKMP_NEXT_N
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 71 08 c8 74 94 7b 09 00
| state hash entry 9
| peer and cookies match on #18, provided msgid 00000000 vs 00000000/00000000
| p15 state object #18 found, in STATE_MAIN_I2
| processing connection prod_cibil_ipsec
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 0
| SPI size: 0
| Notify Message Type: INVALID_COOKIE
"prod_cibil_ipsec" #18: ignoring informational payload, type INVALID_COOKIE msgid=00000000
| info: d0 53 d9 32 ff 7f 00 00 00 00 00 00 00 00 00 00
| info: 00 00 00 00 00 00 00 00 00 00 00 00
| processing informational INVALID_COOKIE (4)
"prod_cibil_ipsec" #18: received and ignored informational message
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 20 seconds for #18
| next event EVENT_RETRANSMIT in 20 seconds for #18
|
| next event EVENT_RETRANSMIT in 0 seconds for #18
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 34 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #18
| sending 228 bytes for EVENT_RETRANSMIT through eth0:500 to 103.225.112.4:500 (using #18)
| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #18
| event added after event EVENT_PENDING_DDNS
| next event EVENT_PENDING_DDNS in 34 seconds
|
| *received 68 bytes from 103.225.112.4:500 on eth0 (port=500)
| 57 cd f5 53 12 69 3b c0 71 08 c8 74 94 7b 09 00
| 0b 10 05 00 00 00 00 00 00 00 00 44 00 00 00 28
| 00 00 00 01 00 00 00 04 d0 53 d9 32 ff 7f 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00
| **parse ISAKMP Message:
| initiator cookie:
| 57 cd f5 53 12 69 3b c0
| responder cookie:
| 71 08 c8 74 94 7b 09 00
| next payload type: ISAKMP_NEXT_N
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 71 08 c8 74 94 7b 09 00
| state hash entry 9
| peer and cookies match on #18, provided msgid 00000000 vs 00000000/00000000
| p15 state object #18 found, in STATE_MAIN_I2
| processing connection prod_cibil_ipsec
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 0
| SPI size: 0
| Notify Message Type: INVALID_COOKIE
"prod_cibil_ipsec" #18: ignoring informational payload, type INVALID_COOKIE msgid=00000000
| info: d0 53 d9 32 ff 7f 00 00 00 00 00 00 00 00 00 00
| info: 00 00 00 00 00 00 00 00 00 00 00 00
| processing informational INVALID_COOKIE (4)
"prod_cibil_ipsec" #18: received and ignored informational message
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 33 seconds
| next event EVENT_PENDING_DDNS in 33 seconds
|
| next event EVENT_PENDING_DDNS in 0 seconds
| *time to handle event
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_RETRANSMIT in 6 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_RETRANSMIT for #18
| next event EVENT_RETRANSMIT in 6 seconds for #18
|
| next event EVENT_RETRANSMIT in 0 seconds for #18
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 54 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #18
"prod_cibil_ipsec" #18: max number of retransmissions (2) reached STATE_MAIN_I2
"prod_cibil_ipsec" #18: starting keying attempt 19 of an unlimited number
| creating state object #19 at 0x7f861ce8fcb0
| processing connection prod_cibil_ipsec
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 14
| inserting state object #19 on chain 14
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #19
| event added at head of queue
| processing connection prod_cibil_ipsec
"prod_cibil_ipsec" #19: initiating Main Mode to replace #18
| **emit ISAKMP Message:
| initiator cookie:
| bf 62 80 ec c9 a7 da fb
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 3600
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is OAKLEY_AES_CBC]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 68 79 4c 64 41 43 65 63 66 61
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 220
| sending 220 bytes for main_outI1 through eth0:500 to 103.225.112.4:500 (using #19)
| deleting event for #19
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #19
| event added at head of queue
| deleting state #18
| deleting event for #18
| no suspended cryptographic state for 18
| ICOOKIE: 57 cd f5 53 12 69 3b c0
| RCOOKIE: 71 08 c8 74 94 7b 09 00
| state hash entry 9
| next event EVENT_RETRANSMIT in 10 seconds for #19
|
| *received 128 bytes from 103.225.112.4:500 on eth0 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| bf 62 80 ec c9 a7 da fb
| responder cookie:
| e0 be e6 2c a7 4c be 04
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 128
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: e0 be e6 2c a7 4c be 04
| state hash entry 21
| v1 state object not found
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 14
| v1 peer and cookies match on #19, provided msgid 00000000 vs 00000000
| v1 state object #19 found, in STATE_MAIN_I1
| processing connection prod_cibil_ipsec
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 56
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
"prod_cibil_ipsec" #19: received Vendor ID payload [RFC 3947] method set to=109
"prod_cibil_ipsec" #19: ignoring Vendor ID payload [FRAGMENTATION c0000000]
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 44
| proposal number: 1
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 36
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is OAKLEY_AES_CBC]
| ike_alg_enc_ok(ealg=7,key_len=0): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| ike_alg_enc_ok(ealg=7,key_len=128): blocksize=16, keyminlen=128, keydeflen=128, keymaxlen=256, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| actually looking for secret for 69.39.93.93->103.225.112.4 of kind PPK_PSK
| line 1: key type PPK_PSK(69.39.93.93) to type PPK_PSK
| 1: compared key 103.225.112.4 to 69.39.93.93 / 103.225.112.4 -> 4
| 2: compared key 69.39.93.93 to 69.39.93.93 / 103.225.112.4 -> 12
| line 1: match=12
| best_match 0>12 best=0x7f861ce8d680 (line=1)
| concluding with best_match=12 best=0x7f861ce8d680 (lineno=1)
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 3600
| Oakley Transform 0 accepted
| sender checking NAT-t: 1 and 109
"prod_cibil_ipsec" #19: enabling possible NAT-traversal with method 4
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 19 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| deleting event for #19
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #19
| event added after event EVENT_PENDING_PHASE2
| peer supports fragmentation
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 54 seconds
| next event EVENT_PENDING_DDNS in 54 seconds
| helper 0 read 2768+4/2776 bytes fd: 8
| helper 0 doing build_kenonce op id: 19
| NSS: Value of Prime:
| NSS: Value of base:
| 02
| NSS: generated dh priv and pub keys: 128
| NSS: Local DH secret:
| 20 5b 00 10 86 7f 00 00
| NSS: Public DH value sent(computed in NSS):
| NSS: Local DH public value (pointer):
| 10 53 00 10 86 7f 00 00
| Generated nonce:
| 07 66 79 bf 1a 6a 52 c4 5c 32 d3 3e 0d 8c 74 84
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#19
| calling callback function 0x7f861c0637d0
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection prod_cibil_ipsec
| **emit ISAKMP Message:
| initiator cookie:
| bf 62 80 ec c9 a7 da fb
| responder cookie:
| e0 be e6 2c a7 4c be 04
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| saving DH priv (local secret) and pub key into state struc
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 07 66 79 bf 1a 6a 52 c4 5c 32 d3 3e 0d 8c 74 84
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| bf 62 80 ec c9 a7 da fb
| _natd_hash: rcookie=
| e0 be e6 2c a7 4c be 04
| _natd_hash: ip= 67 e1 70 04
| _natd_hash: port=500
| _natd_hash: hash= 92 d0 d9 5a f6 89 e4 21 f3 79 ea f3 50 16 bd 4b
| _natd_hash: hash= a0 1f 21 ad
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D_RFC
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 92 d0 d9 5a f6 89 e4 21 f3 79 ea f3 50 16 bd 4b
| NAT-D a0 1f 21 ad
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x7f861c3341a0(20)
| _natd_hash: icookie=
| bf 62 80 ec c9 a7 da fb
| _natd_hash: rcookie=
| e0 be e6 2c a7 4c be 04
| _natd_hash: ip= 68 f5 27 f3
| _natd_hash: port=500
| _natd_hash: hash= 1a d8 4f a9 4d b2 7a dc 5d 66 31 15 4c 9a 26 ad
| _natd_hash: hash= 47 f8 ab 55
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 1a d8 4f a9 4d b2 7a dc 5d 66 31 15 4c 9a 26 ad
| NAT-D 47 f8 ab 55
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 14
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: e0 be e6 2c a7 4c be 04
| state hash entry 21
| inserting state object #19 on chain 21
| peer supports fragmentation
| complete state transition with STF_OK
"prod_cibil_ipsec" #19: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #19
| sending reply packet to 103.225.112.4:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through eth0:500 to 103.225.112.4:500 (using #19)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #19
| event added at head of queue
"prod_cibil_ipsec" #19: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #19
| next event EVENT_RETRANSMIT in 10 seconds for #19
|
| next event EVENT_RETRANSMIT in 0 seconds for #19
| *time to handle event
| handling event EVENT_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 44 seconds
| processing connection prod_cibil_ipsec
| handling event EVENT_RETRANSMIT for 103.225.112.4 "prod_cibil_ipsec" #19
| sending 228 bytes for EVENT_RETRANSMIT through eth0:500 to 103.225.112.4:500 (using #19)
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #19
| event added at head of queue
| next event EVENT_RETRANSMIT in 20 seconds for #19
|
| *received 68 bytes from 103.225.112.4:500 on eth0 (port=500)
| bf 62 80 ec c9 a7 da fb e0 be e6 2c a7 4c be 04
| 0b 10 05 00 00 00 00 00 00 00 00 44 00 00 00 28
| 00 00 00 01 00 00 00 04 d0 53 d9 32 ff 7f 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00
| **parse ISAKMP Message:
| initiator cookie:
| bf 62 80 ec c9 a7 da fb
| responder cookie:
| e0 be e6 2c a7 4c be 04
| next payload type: ISAKMP_NEXT_N
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: none
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: bf 62 80 ec c9 a7 da fb
| RCOOKIE: e0 be e6 2c a7 4c be 04
| state hash entry 21
| peer and cookies match on #19, provided msgid 00000000 vs 00000000/00000000
| p15 state object #19 found, in STATE_MAIN_I2
| processing connection prod_cibil_ipsec
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 0
| SPI size: 0
| Notify Message Type: INVALID_COOKIE
"prod_cibil_ipsec" #19: ignoring informational payload, type INVALID_COOKIE msgid=00000000
| info: d0 53 d9 32 ff 7f 00 00 00 00 00 00 00 00 00 00
| info: 00 00 00 00 00 00 00 00 00 00 00 00
| processing informational INVALID_COOKIE (4)
"prod_cibil_ipsec" #19: received and ignored informational message
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 20 seconds for #19
| next event EVENT_RETRANSMIT in 20 seconds for #19
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 1206 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20150417/61f723dc/attachment-0001.obj>