[Openswan Users] EC2 <--> RoadWarrior routing problems

Daniel Cave dan.cave at me.com
Mon Nov 23 16:07:35 EST 2015


Hmm ok. A couple of things to try a bit at a time

Have you got ip_forwarding enabled on the ec2 instance?

Can you see the traffic coming from your client through the ec2 instance using tcpdump?

Like: tcpdump -li eth0 <yourClientIp>

And try a ping test 

2. I noticed that in the output of the IPSec status it says it's disallowed your EC2 client subnet. You don't normally see that. What happens if you allow it? Don't forget you have to restart IPSec if you make conf changes.

FWIW I usually use OpenVPN SSL UDP tunnelling instead of IPSec as it's so problematic to set up for road warriors.

Try googling for IPSec road warrior using AWS if you get stuck.

Sent from my iPhone
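Richard says in the quoted mail that the `000 "roadwarrior"[6]: ...` status line "looks interesting" but he doesn't know how to decode it. What follows is an added example, not code from this thread and not Openswan's own code: a small Python decoder for those connection records and for the `virtual_private (%priv)` summary, run over the excerpt as it was pasted (re-joined where the mail client wrapped it). Per connection it reports the left subnet and host, the peer address and the ID it presented, whether the kernel policy is installed (`erouted`) and which SA owns it, and whether the peer's inner address falls inside the allowed or disallowed `%priv` ranges; the `disallowed 10.223.0.0/16` entry is what the `%v4:!10.223.0.0/16` in the posted ipsec.conf produces. The flag legend (MS/MC/XS/XC for modecfg and xauth server/client, `S=C` for sendcert) is my reading of Openswan's output format and is an assumption to verify against your version.

```python
# Decode Openswan "ipsec auto status" connection lines and check the road-warrior
# peer against virtual_private.  Added example: not Openswan code, not from the thread.
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Excerpt of the status output pasted in the thread, wrapped as the mail client
# wrapped it: continuation lines lack the "000 " prefix that every real record has.
SAMPLE_STATUS = """\
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 1 subnet: 10.223.0.0/16
000 "roadwarrior":
10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...%virtual[+MC+XC+S=C]===?;
unrouted; eroute owner: #0
000 "roadwarrior"[6]:
10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C];
erouted; eroute owner: #6
000 "roadwarrior"[6]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
"""

# Legend for the [..] flag blocks: an ASSUMED reading of Openswan's status format.
FLAG_LEGEND = {"MS": "modecfg server", "MC": "modecfg client", "XS": "xauth server",
               "XC": "xauth client", "S=C": "sendcert=always", "S?C": "sendcert=ifasked",
               "S-C": "sendcert=never"}

CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)"(?:\[(?P<inst>\d+)\])?:\s+'
    r'(?P<lsub>\S+?)===(?P<lhost>[^<\[]+)(?:<[^>]*>)?\[(?P<lflags>[^\]]*)\]'
    r'\.\.\.(?P<rhost>[^\[]+)\[(?P<rbracket>[^\]]*)\](?:===(?P<rsub>[^;]+))?;\s*'
    r'(?P<route>\w+); eroute owner: #(?P<owner>\d+)')
VP_RE = re.compile(r'^000 - (?P<kind>allowed|disallowed) \d+ subnets?: (?P<nets>.+)$')

Conn = namedtuple("Conn", "name instance left_subnet left_host left_flags right_host "
                          "right_id right_flags right_subnet routed eroute_owner")


def unwrap(text: str) -> List[str]:
    """Re-join wrapped records: real output has one record per line, all starting '000'."""
    records: List[str] = []
    for line in text.splitlines():
        if line.startswith("000") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_conn(record: str) -> Optional[Conn]:
    m = CONN_RE.match(record)
    if not m:
        return None
    # Right bracket is "<id>,<flags>" for an instantiated peer, just "<flags>" on the template.
    rbracket = m.group("rbracket")
    right_id, rflags = rbracket.split(",", 1) if "," in rbracket else (None, rbracket)
    flags = lambda block: [f for f in block.split("+") if f]
    return Conn(name=m.group("name"), instance=int(m.group("inst")) if m.group("inst") else None,
                left_subnet=m.group("lsub"), left_host=m.group("lhost"),
                left_flags=flags(m.group("lflags")), right_host=m.group("rhost"),
                right_id=right_id, right_flags=flags(rflags), right_subnet=m.group("rsub"),
                routed=m.group("route") == "erouted", eroute_owner=int(m.group("owner")))


def parse_virtual_private(records: List[str]) -> Dict[str, list]:
    vp: Dict[str, list] = {"allowed": [], "disallowed": []}
    for m in filter(None, map(VP_RE.match, records)):
        vp[m.group("kind")] = [ipaddress.ip_network(n.strip()) for n in m.group("nets").split(",")]
    return vp


def parse_status(text: str) -> Tuple[List[Conn], Dict[str, list]]:
    records = unwrap(text)
    return [c for c in map(parse_conn, records) if c], parse_virtual_private(records)


def check_peer_inner_address(conn: Conn, vp: Dict[str, list]) -> str:
    """Would %priv accept the address the peer identifies itself with?"""
    if conn.right_id is None:
        return "no peer ID"
    try:
        addr = ipaddress.ip_address(conn.right_id)
    except ValueError:
        return "non-address ID"
    if any(addr in net for net in vp["disallowed"]):
        return "excluded"
    return "allowed" if any(addr in net for net in vp["allowed"]) else "not covered"


def own_subnet_excluded(conn: Conn, vp: Dict[str, list]) -> bool:
    """True when leftsubnet is on the disallowed list, which is what the '%v4:!10.223.0.0/16'
    entry in the thread's virtual_private produces: clients may not claim an address in it."""
    return ipaddress.ip_network(conn.left_subnet) in vp["disallowed"]


def describe(conn: Conn) -> str:
    legend = lambda fl: ", ".join(FLAG_LEGEND.get(f, f) for f in fl)
    inst = f"[{conn.instance}]" if conn.instance is not None else ""
    state = "erouted (kernel policy installed)" if conn.routed else "unrouted (template only)"
    return (f'{conn.name}{inst}: {conn.left_subnet} behind {conn.left_host} ({legend(conn.left_flags)})'
            f' <-> {conn.right_host} id={conn.right_id or "-"} ({legend(conn.right_flags)})'
            f' peer subnet={conn.right_subnet or "host only"}; {state}, owner #{conn.eroute_owner}')


if __name__ == "__main__":
    conns, vp = parse_status(SAMPLE_STATUS)
    for c in conns:
        print(describe(c), "| peer inner address vs %priv:", check_peer_inner_address(c, vp),
              "| own leftsubnet excluded:", own_subnet_excluded(c, vp))
```

Run as a script it prints one decoded line per connection: the bare `roadwarrior` template shows as unrouted with `%virtual` on the right, and instance `[6]` as erouted with the peer ID 192.168.59.26 accepted by the 192.168.0.0/16 entry of `%priv`, while the server's own 10.223.0.0/16 is the excluded range. Feed it a live `ipsec auto status` capture instead of the sample to get the same summary for your own tunnel.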

> On 23 Nov 2015, at 20:57, Richard Hurt <rnhurt at gmail.com> wrote:
> 
> Neither the server nor my laptop have a firewall enabled and the EC2
> security group is set to allow all traffic from 0.0.0.0/0 (while
> testing :)  Also, at some point in the past 3 days of trying things I
> *was* able to ping the server from my laptop, however I couldn't ping
> anything else.  :/
> 
> 
> Below is the output of "ipsec auto status" while the tunnel is running
> and my computer is connected.  This part looks interesting, but I
> don't know how to decode it:
> 
> 000 "roadwarrior"[6]:
> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C];
> erouted; eroute owner: #6
> 
> =================================================
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.223.6.20
> 000 interface eth0/eth0 10.223.6.20
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
> 000 - disallowed 1 subnet: 10.223.0.0/16
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
> keysizemin=40, keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "roadwarrior":
> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...%virtual[+MC+XC+S=C]===?;
> unrouted; eroute owner: #0
> 000 "roadwarrior":     myip=unset; hisip=unset;
> 000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "roadwarrior":   policy:
> PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> prio: 16,32; interface: eth0;
> 000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "roadwarrior"[6]:
> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C];
> erouted; eroute owner: #6
> 000 "roadwarrior"[6]:     myip=unset; hisip=unset;
> 000 "roadwarrior"[6]:   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "roadwarrior"[6]:   policy:
> PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> prio: 16,32; interface: eth0;
> 000 "roadwarrior"[6]:   newest ISAKMP SA: #5; newest IPsec SA: #6;
> 000 "roadwarrior"[6]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
> 000
> 000 #6: "roadwarrior"[6] 69.196.222.250:61652 STATE_QUICK_R2 (IPsec SA
> established); EVENT_SA_EXPIRE in 3573s; newest IPSEC; eroute owner;
> isakmp#5; idle; import:not set
> 000 #6: "roadwarrior"[6] 69.196.222.250 esp.52c66d2 at 69.196.222.250
> esp.cacb569a at 10.223.6.20 tun.0 at 69.196.222.250 tun.0 at 10.223.6.20 ref=0
> refhim=4294901761
> 000 #5: "roadwarrior"[6] 69.196.222.250:61652 STATE_MODE_CFG_R1
> (ModeCfg Set sent, expecting Ack); EVENT_SA_REPLACE in 28502s; newest
> ISAKMP; lastdpd=8s(seq in:0 out:0); idle; import:not set
> 000
> =================================================
> Richard Hurt
> 
> 
> 
>> On Mon, Nov 23, 2015 at 3:46 PM, Daniel Cave <dan.cave at me.com> wrote:
>> If you run ipsec auto status on the ec2 instance when your tunnel is up, what does it say?
>> 
>> Have you got rules in your security groups to allow routing between your client and the host and rest of the traffic as well as rules on the ec2 Linux instances that are blocking traffic going through the box ??
>> 
>> Sent from my iPhone
>> 
>>> On 23 Nov 2015, at 17:29, Richard Hurt <rnhurt at gmail.com> wrote:
>>> 
>>> I'm trying to use OpenSwan (Linux Openswan
>>> U2.6.37/K4.1.10-17.31.amzn1.x86_64 (netkey)) to build a VPN between an
>>> EC2 VPC and my laptop.  It seems to almost work (authentication works,
>>> not logging any errors, etc.) but the routing is just not happening
>>> properly.  The EC2 server is in the 10.223.0.0/16 block (10.223.6.20
>>> in this case) and my local machine is behind a NAT in the
>>> 192.168.0.0/16 block (192.168.59.26 in this case).  I'm running Mac OS
>>> X 10.11 and bringing the VPN connection up using the native IPSec
>>> Cisco VPN client causes all packets to stop flowing everywhere.
>>> Playing around with the IPSec settings on the server I was able to get
>>> packets to flow to the server from my laptop but everything else was
>>> blocked (DNS, ping, etc.)
>>> 
>>> Basically, I want everything to stay out of the VPN except for traffic
>>> to 10.223.0.0/16.  What am I doing wrong?  One thing that looks really
>>> weird to me is that when I bring the tunnel up I see this in my
>>> ifconfig (0.2.0.4 doesn't look like a valid IP address to me):
>>> 
>>> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>>  inet 0.2.0.4 --> 0.2.0.4 netmask 0xffffffff
>>>  nd6 options=1<PERFORMNUD>
>>> 
>>> ===============================================
>>> # /etc/ipsec.conf
>>> version 2.0
>>> config setup
>>> protostack=netkey
>>> nat_traversal=yes
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
>>> oe=off
>>> 
>>> include /etc/ipsec.d/*.conf
>>> ===============================================
>>> 
>>> 
>>> ===============================================
>>> # /etc/ipsec.d/roadwarrior.conf
>>> conn roadwarrior
>>> type=tunnel
>>> authby=secret
>>> auto=add
>>> rekey=no
>>> pfs=no
>>> forceencaps=yes
>>> 
>>> # Setup local side
>>> left=10.223.6.20
>>> leftsubnet=10.223.0.0/16
>>> leftxauthserver=yes
>>> leftmodecfgserver=yes
>>> 
>>> # Setup remote side
>>> right=%any
>>> rightsubnet=vhost:%priv,%no
>>> rightxauthclient=yes
>>> rightmodecfgclient=yes
>>> 
>>> # Config MODE
>>> modecfgpull=yes
>>> modecfgdns1=8.8.8.8
>>> modecfgdns2=8.8.4.4
>>> ===============================================
>>> 
>>> 
>>> ===============================================
>>> Nov 23 17:15:24 ip-10-223-6-20 ipsec__plutorun: Starting Pluto subsystem...
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: nss directory plutomain:
>>> /etc/ipsec.d
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS Initialized
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
>>> /proc/sys/crypto/fips_enabled
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Starting Pluto (Openswan
>>> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15882
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
>>> /proc/sys/crypto/fips_enabled
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: LEAK_DETECTIVE support [disabled]
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: OCF support for IKE [disabled]
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAref support [disabled]:
>>> Protocol not available
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAbind support
>>> [disabled]: Protocol not available
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS support [enabled]
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: HAVE_STATSD notification
>>> support not compiled in
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Setting NAT-Traversal
>>> port-4500 floating to on
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    port floating
>>> activation criteria nat_t=1/port_float=1
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    NAT-Traversal support  [enabled]
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: starting up 1 cryptographic helpers
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: started helper (thread)
>>> pid=140240508929792 (fd:8)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Using Linux 2.6 IPsec
>>> interface code on 4.1.10-17.31.amzn1.x86_64 (experimental code)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_ccm_8: Ok (ret=0)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>>> Algorithm already exists
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_ccm_12: FAILED (ret=-17)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>>> Algorithm already exists
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_ccm_16: FAILED (ret=-17)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>>> Algorithm already exists
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_gcm_8: FAILED (ret=-17)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>>> Algorithm already exists
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_gcm_12: FAILED (ret=-17)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>>> Algorithm already exists
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>>> Activating aes_gcm_16: FAILED (ret=-17)
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>>> directory '/etc/ipsec.d/cacerts': /
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>>> directory '/etc/ipsec.d/aacerts': /
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>>> directory '/etc/ipsec.d/ocspcerts': /
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>>> directory '/etc/ipsec.d/crls'
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: added connection
>>> description "roadwarrior"
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: listening for IKE messages
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
>>> eth0/eth0 10.223.6.20:500
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
>>> eth0/eth0 10.223.6.20:4500
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
>>> 127.0.0.1:500
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
>>> 127.0.0.1:4500
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo ::1:500
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
>>> "/etc/ipsec.secrets"
>>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
>>> "/etc/ipsec.d/road-warrior.secrets"
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload [RFC 3947] method set
>>> to=109
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike] method set to=110
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>>> [8f8d83826d246b6fc7a8a6a428c11de8]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>>> [439b59f8ba676c4c7737ae22eab8f582]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>>> [4d1e0e136deafa34c4f3ea9f02ec7285]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>>> [80d0bb3def54565ee84645d4c85ce3ee]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>>> [9909b64eed937c6573de52ace952fa6b]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload
>>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
>>> 110
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload [XAUTH]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload [Cisco-Unity]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:19: received Vendor ID payload [Dead Peer Detection]
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: responding to Main Mode from unknown peer
>>> 69.196.222.250
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: transition from state STATE_MAIN_R0 to state
>>> STATE_MAIN_R1
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: NAT-Traversal: Result using
>>> draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: transition from state STATE_MAIN_R1 to state
>>> STATE_MAIN_R2
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: ignoring informational payload, type
>>> IPSEC_INITIAL_CONTACT msgid=00000000
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
>>> 69.196.222.250 #1: switched from "roadwarrior" to "roadwarrior"
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: deleting connection "roadwarrior" instance with
>>> peer 69.196.222.250 {isakmp=#0/ipsec=#0}
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: transition from state STATE_MAIN_R2 to state
>>> STATE_MAIN_R3
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: new NAT mapping for #1, was 69.196.222.250:19, now
>>> 69.196.222.250:1340
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
>>> group=modp1024}
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: Sending XAUTH Login/Password Request
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: User elison: Attempting to login
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: md5 authentication being called to
>>> authenticate user elison
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: nope
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: nope
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: XAUTH: xauth_inR1(STF_OK)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: transition from state STATE_XAUTH_R1 to state
>>> STATE_MAIN_R3
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute
>>> INTERNAL_ADDRESS_EXPIRY received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute APPLICATION_VERSION
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BANNER
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DEF_DOMAIN
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_DNS
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_UNKNOWN
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SAVE_PW
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_FW_TYPE
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BACKUP_SERVER
>>> received.
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: modecfg_inR0(STF_OK)
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: transition from state STATE_MODE_CFG_R0 to state
>>> STATE_MODE_CFG_R1
>>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug,
>>> ignoring proposed subnet
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 ->
>>> 69.196.222.250/32:0/0
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2: responding to Quick Mode proposal {msgid:ba3b61a4}
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2:     us:
>>> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2:   them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2: transition from state STATE_QUICK_R0 to state
>>> STATE_QUICK_R1
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
>>> installed, expecting QI2
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2: transition from state STATE_QUICK_R1 to state
>>> STATE_QUICK_R2
>>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
>>> {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none
>>> NATD=69.196.222.250:1340 DPD=none}
>>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting
>>> IPSEC State #2
>>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: received and ignored informational message
>>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250 #1: received Delete SA payload: deleting ISAKMP State
>>> #1
>>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
>>> 69.196.222.250: deleting connection "roadwarrior" instance with peer
>>> 69.196.222.250 {isakmp=#0/ipsec=#0}
>>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from
>>> 69.196.222.250:1340: received and ignored informational message
>>> 
>>> ===============================================
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155