[Openswan Users] Connection is getting reset every few seconds
Daniel Cave
dan.cave at me.com
Tue Sep 1 12:44:33 EDT 2015
Prakesh,
What happens when you set both sides of the Ipsec (asa and OpenSwan ) to use 3des-md5 ? i noticed you had the same compatibility problems with AES-Sha256 that I did.. Your start up logs are telling you that on the OpenSwan server..
It seems the ASA does not like the OpenSwan proposal for AES(256)-SHA.. if you comment out the phase 1&2 specific negotiation on the OpenSwan side, restart that, then re-configure the ASA to use 3des-md5 - i believe it should work - as this is what we're using.
Hope that helps.
d.
On Aug 27, 2015, at 03:44 PM, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:
Hi Daniel,
Please find below the complete details. Will it be something to do with different DPD timeout configuration at both the ends?
Configuration details at ASA:
No Nat and Access-list :
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
access-list Outside_cryptomap_120 extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
Phase 1 ( any one of the policy will be picked up, here for aws tunnel the phase 1 policy is 60 ) :
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 60
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
Crypto and PHase 2 :
crypto map Outside_map 120 match address Outside_cryptomap_120
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set peer 52.17.237.123
crypto map Outside_map 120 set transform-set ESP-AES-256-SHA
crypto map Outside_map 120 set security-association lifetime seconds 3600
tunnel-group 52.17.237.123 type ipsec-l2l
tunnel-group 52.17.237.123 ipsec-attributes
pre-shared-key ********
Transform set :
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Configuration at OpenSwan:
config setup
protostack=netkey
nat_traversal=no
conn Connection1 # Connection Name
type=tunnel
authby=secret
auto=start
pfs=yes
ike=aes256-sha1;modp1536!
phase2alg=aes256-sha1;modp1536
ikelifetime=28800s
salifetime=3600s
left=%defaultroute
leftid=52.17.237.123
leftsubnets={172.21.8.0/24}
right=87.213.46.220
rightsubnets={10.100.0.0/16}
ipsec status:
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.21.8.61
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,64} trans={0,3,3072} attrs={0,3,2048}
000
000 "Connection1/1x1": 172.21.8.0/24===172.21.8.61[52.17.237.123]...87.213.46.220<87.213.46.220>===10.100.0.0/16; erouted; eroute owner: #4
000 "Connection1/1x1": myip=unset; hisip=unset;
000 "Connection1/1x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Connection1/1x1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0;
000 "Connection1/1x1": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "Connection1/1x1": aliases: Connection1
000 "Connection1/1x1": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=strict
000 "Connection1/1x1": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "Connection1/1x1": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "Connection1/1x1": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "Connection1/1x1": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "Connection1/1x1": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1536
000
000 #5: "Connection1/1x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "Connection1/1x1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3252s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "Connection1/1x1" esp.70598aa at 87.213.46.220 esp.6fd8d5cc at 172.21.8.61 tun.0 at 87.213.46.220 tun.0 at 172.21.8.61 ref=0 refhim=4294901761
000 #3: "Connection1/1x1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
Thanks,
Prakash
http://www.sdl.com
SDL PLC confidential, all rights reserved. If you are not the intended recipient of this mail SDL requests and requires that you delete it without acting upon or copying any of its contents, and we further request that you advise us.
SDL PLC is a public limited company registered in England and Wales. Registered number: 02675207.
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6 7DY, UK.
From: Daniel Cave [mailto:dan.cave at me.com]
Sent: Thursday, August 27, 2015 3:50 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds
Hi Prakash, I think you misunderstood me (as I didn't make myself very clear)
I think the issues you're getting are configuration related at either side and not related to the EC2 instance specifically.
Can you post your config file from both sizes, it looks like - from your logs that Phase1/2 are not negotiating correctly and there's some kind of mismatch in timings .
Where im working, we have setup an EC2 instance, t2.small to a client in the USA, on a Cisco ASA 5510.. 3des-md5.. the tunnel has been up for months.. we're using the same version of OpenSwan/racoon that you are.
What I did originally was to remove any options to set phase1/2 algorithms and commented them out in my config until i got a working config on the openswan side.
if you run 'ipsec auto status' what do you see ?
it should look *something* like this
# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.11.44.240
000 interface eth0/eth0 172.11.44.240
000 interface tun0/tun0 10.8.0.1
000 interface tun0/tun0 10.8.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,11,64} trans={0,11,3072} attrs={0,11,2048}
000
000 "idc-dr/1x1": 172.11.44.0/16===172.11.44.240[52.x.x.x]...172.11.44.1---72.11.62.33<72.11.62.33>===192.168.30.0/24; erouted; eroute owner: #171
000 "idc-dr/1x1": myip=172.11.44.240; hisip=unset;
000 "idc-dr/1x1": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "idc-dr/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
000 "idc-dr/1x1": newest ISAKMP SA: #169; newest IPsec SA: #171;
000 "idc-dr/1x1": aliases: idc-dr
000 "idc-dr/1x1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "idc-dr/1x1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "idc-dr/1x1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "idc-dr/1x1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "idc-dr/1x1": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "idc-dr/1x1": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #171: "idc-dr/1x1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 24593s; newest IPSEC; eroute owner; isakmp#169; idle; import:not set
000 #171: "idc-dr/1x1" esp.ace0ffe6 at 72.11.62.33 esp.7cc12623 at 172.11.44.240 tun.0 at 72.11.62.33 tun.0 at 172.11.44.240 ref=0 refhim=4294901761
000 #169: "idc-dr/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 45423s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
start off by posting the configs from both sides (ipsec.conf / cisco asa) and check your phase 1/2 key times
On Aug 27, 2015, at 10:14 AM, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:
Hi Daniel,
Thanks for your input. I tried different instance types, even with m4.2xlarge which got High Network performance & Enhanced Networking I could see the connection is getting reset after 90 seconds.
Thanks,
Prakash
http://www.sdl.com
SDL PLC confidential, all rights reserved. If you are not the intended recipient of this mail SDL requests and requires that you delete it without acting upon or copying any of its contents, and we further request that you advise us.
SDL PLC is a public limited company registered in England and Wales. Registered number: 02675207.
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6 7DY, UK.
From: Daniel Cave [mailto:dan.cave at me.com]
Sent: Wednesday, August 26, 2015 10:36 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds
If you search the archives I had a similar problem about four months ago with an Asa except my instance in aws was too small for the volume of traffic I was using it for and my openSwan tunnel kept collapsing randomly.
Sent from my iPhone
On 26 Aug 2015, at 18:22, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:
I have modified the config to set “rekey=no” based on feedback from lots of other threads, but this doesn’t help. I have requested for details at ASA to check the renegotiation policy at the other end.
What would be the other possible reasons for continuous reset?
Thanks,
Prakash
www.sdl.com
SDL PLC confidential, all rights reserved. If you are not the intended recipient of this mail SDL requests and requires that you delete it without acting upon or copying any of its contents, and we further request that you advise us.
SDL PLC is a public limited company registered in England and Wales. Registered number: 02675207.
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6 7DY, UK.
From: Prakash Palanisamy
Sent: Monday, August 24, 2015 4:54 PM
To: 'users at lists.openswan.org' <users at lists.openswan.org>
Subject: Connection is getting reset every few seconds
VPN connection between Linux Openswan U2.6.38 (Ubuntu EC2 instance in VPC with EIP) & Cisco ASA 5510 is getting reset every few seconds. Earlier today with the help of the community I solved the another problem with “pending phase 2” issue and after that we see that the connection is being very flaky.
Other details about the setup can be found in my previous thread - https://lists.openswan.org/pipermail/users/2015-August/023391.html
Auth logs:
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [XAUTH]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring unknown Vendor ID payload [ec43b53de4bd9e2ec73fcf4ea211143f]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:b9dab225 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received and ignored informational message
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 24 13:35:52 gateway3 pluto[31154]: packet from 87.213.46.220:500: received and ignored informational message
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: responding to Main Mode
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [XAUTH]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring unknown Vendor ID payload [f7d4c0744bc4c632afa9ec7e85bf857b]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: the peer proposed: 172.21.8.0/24:0/0 -> 10.100.0.0/16:0/0
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: responding to Quick Mode proposal {msgid:b23b46bc}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: us: 172.21.8.0/24===172.21.8.43[52.17.237.123]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: them: 87.213.46.220<87.213.46.220>[@Connection1-ASA.global.sdl.corp]===10.100.0.0/16
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x22ef875d <0x409dd686 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Thanks,
Prakash
This message has been scanned for malware by Websense. www.websense.com
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Click here to report this email as spam.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20150901/23ed3ee1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 460 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20150901/23ed3ee1/attachment-0002.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.jpg
Type: image/jpeg
Size: 460 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20150901/23ed3ee1/attachment-0003.jpg>
More information about the Users
mailing list