[Openswan Users] IPSec with IKEv2 through a NAT device and dynamic client/right IPs

Prashant Sunkari P.Sunkari at F5.com
Thu Mar 3 13:42:32 EST 2016


Hi,
  I am not able to set up an IPsec with IKEv2 connection via a NAT device that changes the source address and port dynamically. On the server side, openswan fails to find a proposal:

| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=10.20.0.2:500 him=4.4.0.250:7060 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.20.0.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 10.20.0.2:500 4.4.0.250:7060 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| don't send packet when notification data empty
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN


Can someone help to point out what I am doing wrong? I bet there is something wrong in my ipsec.conf but I haven't been able to figure it out.

   Client1(10.10.0.2) ---A-- NAT device----B---Server1(10.20.0.2)
                A - 10.10.0.0/16 subnet
                B - 10.20.0.0/16 subnet
   The NAT device changes the IP and port of the traffic coming from client1 to, let us say, any address from 4.4.0.0/16 and any port from 1025-60000.
  So, server1 (left)'s ipsec.conf can't have a static IP as its right.



Below I have provided
1. Client and server ipsec.conf
2. Commands to start connection
3. server and client pluto std err log (with plutodebug=control)
4. server and client pluto std err log (with plutodebug=all)


Client 1 ipsec.conf (left is server1, right is client1)
config setup
         plutodebug=control
         plutostderrlog="/var/log/pluto.log"
         nat_traversal=yes
         protostack=netkey

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1



conn ikev2
        type=tunnel
        aggrmode=no
        left=10.20.0.2
        leftid="CN=sunkariserver1"
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightid="CN=sunkariclient1"
        rightcert=sunkariclient1
        rekey=no
        right=10.10.0.2
        auto=add
        ikev2=insist
        pfs=yes
        ike=3des-sha1;modp2048
        phase2alg=3des-sha1;modp1024
        compress=no


Server 1 ipsec.conf (left is server1, right is client1)

# Openswan 2.6 config
config setup
         plutodebug=control
         plutostderrlog="/var/log/pluto.log"
         nat_traversal=yes
         protostack=netkey



conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn ikev2
        type=tunnel
        aggrmode=no
        left=10.20.0.2
        leftid="CN=sunkariserver1"
        leftrsasigkey=%cert
        leftcert=sunkariserver1
        right=%any
        rightrsasigkey=%cert
        rightid="CN=sunkariclient1"
        rekey=no
        auto=add
        ikev2=insist
        # NOT used
        pfs=yes
        ike=3des-sha1;modp2048
        phase2alg=3des-sha1;modp1024
        compress=no

Starting connection

[root at client f5ite]# ipsec auto --add ikev2
[root at client f5ite]# ipsec auto --up ikev2
133 "ikev2" #1: STATE_PARENT_I1: initiate
133 "ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
010 "ikev2" #1: STATE_PARENT_I1: retransmission; will wait 20s for response
010 "ikev2" #1: STATE_PARENT_I1: retransmission; will wait 40s for response
031 "ikev2" #1: max number of retransmissions (2) reached STATE_PARENT_I1.  No response (or no acceptable response) to our first IKE message
000 "ikev2" #1: starting keying attempt 2 of at most 1, but releasing whack
[root at client f5ite]#

Server pluto.log

|
| *received 372 bytes from 4.4.0.250:7060 on eth1 (port=500)
|  processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| I am receiving an IKE Request
| I am the IKE SA Original Responder
| ICOOKIE:  4b 45 91 30  83 21 0e 05
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 6
| v2 state object not found
| ICOOKIE:  4b 45 91 30  83 21 0e 05
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 6
| v2 state object not found
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 42 seconds
| next event EVENT_PENDING_DDNS in 42 seconds
^C


Client pluto.log

| *received whack message
| processing connection ikev2
"ikev2": deleting connection
| alg_info_delref(0x7f32c80a2c20) alg_info->ref_cnt=1
| alg_info_delref(0x7f32c80a2c20) freeing alg_info
| alg_info_delref(0x7f32c8096e10) alg_info->ref_cnt=1
| alg_info_delref(0x7f32c8096e10) freeing alg_info
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0  aklen=0
| Added new connection ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0  aklen=0
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14)
| loopback=0 labeled_ipsec=0, policy_label=(null)
| counting wild cards for CN=sunkariserver1 is 0
loading certificate from sunkariclient1
| certificate is valid
| counting wild cards for CN=sunkariclient1 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "ikev2"
| 10.10.0.2<10.10.0.2>[CN=sunkariclient1,+S=C]...10.20.0.2<10.20.0.2>[CN=sunkariserver1,+S=C]
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 46 seconds
| next event EVENT_PENDING_DDNS in 46 seconds
|
| *received whack message
| processing connection ikev2
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new()     trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x7f32c80a7d30
| processing connection ikev2
| ICOOKIE:  4b 45 91 30  83 21 0e 05
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 6
| inserting state object #1 on chain 6
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| processing connection ikev2
| Queuing pending Quick Mode with 10.20.0.2 "ikev2"
"ikev2" #1: initiating v2 parent SA
| 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
| asking helper 1 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 45 seconds
| next event EVENT_PENDING_DDNS in 45 seconds
| helper 1 read 2768+4/2776 bytes fd: 10
| helper 1 doing build_kenonce op id: 1
|
| helper 1 has finished work (cnt now 1)
| helper 1 replies to id: q#1
| processing connection ikev2
| sending 372 bytes for ikev2_parent_outI1_common through eth0:500 to 10.20.0.2:500 (using #1)
| inserting event EVENT_v2_RETRANSMIT, timeout in 10 seconds for #1
| complete v2 state transition with STF_OK
"ikev2" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
| * processed 1 messages from cryptographic helpers
| next event EVENT_v2_RETRANSMIT in 10 seconds for #1
| next event EVENT_v2_RETRANSMIT in 10 seconds for #1
|
| next event EVENT_v2_RETRANSMIT in 0 seconds for #1
| *time to handle event
| handling event EVENT_v2_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 35 seconds
| processing connection ikev2
| handling event EVENT_v2_RETRANSMIT for 10.20.0.2 "ikev2" #1
| sending 372 bytes for EVENT_v2_RETRANSMIT through eth0:500 to 10.20.0.2:500 (using #1)
| inserting event EVENT_v2_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_v2_RETRANSMIT in 20 seconds for #1


With plutodebug set to all, the following is the output.

Server pluto.log
-------------------

|
| *received 372 bytes from 4.4.0.250:7060 on eth1 (port=500)
|   cd 84 57 e9  63 67 79 6e  00 00 00 00  00 00 00 00
|   21 20 22 08  00 00 00 00  00 00 01 74  22 00 00 2c
|   00 00 00 28  01 01 00 04  03 00 00 08  01 00 00 03
|   03 00 00 08  03 00 00 02  03 00 00 08  02 00 00 02
|   00 00 00 08  04 00 00 0e  28 00 01 08  00 0e 00 00
|   8a 20 23 39  6b bd 53 db  cd 17 c6 95  a7 db 5f fb
|   0b 9e 32 d3  2d 53 68 32  e7 62 33 7a  21 b8 41 b1
|   5a 06 1e 31  d7 79 f0 57  6c 11 42 57  36 64 2c f3
|   76 ac de 3e  1c ad 75 a4  7e 3c 43 7c  f0 0e ae 7d
|   e6 54 b0 b1  4a 2c 58 7c  d6 df 9f 81  85 09 3f ec
|   30 a8 1e 4e  3d 11 3c 92  ab f0 1e 81  c4 a6 6a 55
|   c0 dd eb b2  41 86 01 3f  fd b5 d4 99  3f 9d bb c2
|   df f7 9b 54  0a 31 83 bc  3c fc 9e 0d  54 0d 6a c2
|   ca aa fe 9a  99 42 12 a6  54 f3 73 b1  c1 1d 12 6a
|   c3 e0 77 9d  84 da 6b cb  45 3d 18 1f  d9 38 0e 0f
|   58 89 cc 37  2c cd 95 c8  6d 43 11 6c  17 93 19 c6
|   ac 14 b8 8a  68 d7 f9 ba  03 2a f2 69  b2 73 65 ce
|   5c 29 28 4a  d2 93 15 3a  0d 90 2f bc  48 13 7a 86
|   0f 26 42 ac  64 9a ec 32  cb d1 b2 2f  6a 90 2c db
|   a6 b0 d8 f9  02 02 72 91  1c 12 8c aa  aa 04 2b 13
|   79 d6 67 c5  84 98 28 14  fb a1 50 bc  d7 3c e8 97
|   2b 00 00 14  08 b9 26 6d  51 71 0f 65  0c 77 9c 45
|   30 98 e2 61  00 00 00 10  4f 45 68 79  4c 64 41 43
|   65 63 66 61
| **parse ISAKMP Message:
|    initiator cookie:
|   cd 84 57 e9  63 67 79 6e
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_v2SA
|    ISAKMP version: IKEv2 version 2.0 (rfc4306)
|    exchange type: ISAKMP_v2_SA_INIT
|    flags: ISAKMP_FLAG_INIT
|    message ID:  00 00 00 00
|    length: 372
|  processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| I am receiving an IKE Request
| I am the IKE SA Original Responder
| I am IKE SA Responder
| ICOOKIE:  cd 84 57 e9  63 67 79 6e
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 18
| v2 state object not found
| ICOOKIE:  cd 84 57 e9  63 67 79 6e
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 18
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE
|    critical bit: none
|    length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni
|    critical bit: none
|    length: 264
|    transform type: 14
| processing payload: ISAKMP_NEXT_v2KE (len=264)
| ***parse IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2V
|    critical bit: none
|    length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    critical bit: none
|    length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=10.20.0.2:500 him=4.4.0.250:7060 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.20.0.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 10.20.0.2:500 4.4.0.250:7060 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| don't send packet when notification data empty
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 9 seconds
| next event EVENT_PENDING_DDNS in 9 seconds




Client pluto.log



|
| *received whack message
| processing connection ikev2
"ikev2": deleting connection
| certs and keys locked by 'release_x509cert'
| certs and keys unlocked by 'release_x509cert'
| alg_info_delref(0x7fb27f463c10) alg_info->ref_cnt=1
| alg_info_delref(0x7fb27f463c10) freeing alg_info
| alg_info_delref(0x7fb27f457e00) alg_info->ref_cnt=1
| alg_info_delref(0x7fb27f457e00) freeing alg_info
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0  aklen=0
| enum_search_prefix () calling enum_search(0x7fb27de495a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x7fb27de495a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x7fb27de43a40, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x7fb27de495e0, "OAKLEY_GROUP_MODP2048")
| parser_alg_info_add() modp_getbyname("modp2048")=14
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=14, cnt=1
| Added new connection ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x7fb27de495e0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0  aklen=0
| enum_search_prefix () calling enum_search(0x7fb27de43660, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x7fb27de43860, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14)
| loopback=0 labeled_ipsec=0, policy_label=(null)
| counting wild cards for CN=sunkariserver1 is 0
loading certificate from sunkariclient1
| Found pointer to cert sunkariclient1 now giving it to further processing
| file coded in DER format
| L0 - certificate:
|   30 82 01 a6  30 82 01 0f  a0 03 02 01  02 02 05 00
|   a5 a0 a8 f1  30 0d 06 09  2a 86 48 86  f7 0d 01 01
|   05 05 00 30  15 31 13 30  11 06 03 55  04 03 13 0a
|   4f 70 65 6e  73 77 61 6e  43 41 30 1e  17 0d 31 36
|   30 33 30 31  32 33 33 39  34 36 5a 17  0d 31 37 30
|   33 30 31 32  33 33 39 34  36 5a 30 19  31 17 30 15
|   06 03 55 04  03 13 0e 73  75 6e 6b 61  72 69 63 6c
|   69 65 6e 74  31 30 81 9f  30 0d 06 09  2a 86 48 86
|   f7 0d 01 01  01 05 00 03  81 8d 00 30  81 89 02 81
|   81 00 af dd  33 e6 8d 87  ed bf 6c dd  dd cb 05 1c
|   bc 31 bb ac  c3 26 8f 81  69 10 65 e9  13 94 5c d6
|   25 26 99 eb  b6 46 2b db  05 f1 cf 49  02 01 21 66
|   8b 83 05 0c  6f e3 90 81  1f 56 f4 bd  bf f7 a5 54
|   8a bd f6 ff  21 de cb 2b  b0 c7 9a 17  41 18 91 02
|   32 55 0f 66  e3 e8 38 e8  59 e2 ef 99  ce 20 27 9f
|   ce 6c 23 fc  79 d2 aa 69  57 d3 8b 2e  07 f3 f4 84
|   56 9f 7c e1  e7 7a ac 6d  a6 68 b3 47  23 13 fa 95
|   70 b3 02 03  01 00 01 30  0d 06 09 2a  86 48 86 f7
|   0d 01 01 05  05 00 03 81  81 00 9d 85  9d d4 22 1e
|   0e 71 83 9d  aa 82 7a a8  8a c5 6b 10  d0 44 2b 6f
|   c5 ae 8a ee  47 b9 83 3b  60 14 02 f0  4a da 16 2c
|   a1 dd 1e 52  8a d7 33 03  09 d6 0f 60  b4 64 70 57
|   d3 ce ed 76  35 7f 57 fc  43 84 15 93  d7 93 9f 8d
|   4b 7e 81 fb  68 57 69 69  01 52 a6 79  5d 3a 90 ae
|   90 fa b8 07  68 28 5b b8  d1 2c a4 d3  5a b6 e0 0d
|   94 20 fa 27  f3 8f 29 c7  29 34 2c 4c  c4 e1 46 51
|   2e 17 ad d8  b7 e0 64 ce  ab 17
| L1 - tbsCertificate:
|   30 82 01 0f  a0 03 02 01  02 02 05 00  a5 a0 a8 f1
|   30 0d 06 09  2a 86 48 86  f7 0d 01 01  05 05 00 30
|   15 31 13 30  11 06 03 55  04 03 13 0a  4f 70 65 6e
|   73 77 61 6e  43 41 30 1e  17 0d 31 36  30 33 30 31
|   32 33 33 39  34 36 5a 17  0d 31 37 30  33 30 31 32
|   33 33 39 34  36 5a 30 19  31 17 30 15  06 03 55 04
|   03 13 0e 73  75 6e 6b 61  72 69 63 6c  69 65 6e 74
|   31 30 81 9f  30 0d 06 09  2a 86 48 86  f7 0d 01 01
|   01 05 00 03  81 8d 00 30  81 89 02 81  81 00 af dd
|   33 e6 8d 87  ed bf 6c dd  dd cb 05 1c  bc 31 bb ac
|   c3 26 8f 81  69 10 65 e9  13 94 5c d6  25 26 99 eb
|   b6 46 2b db  05 f1 cf 49  02 01 21 66  8b 83 05 0c
|   6f e3 90 81  1f 56 f4 bd  bf f7 a5 54  8a bd f6 ff
|   21 de cb 2b  b0 c7 9a 17  41 18 91 02  32 55 0f 66
|   e3 e8 38 e8  59 e2 ef 99  ce 20 27 9f  ce 6c 23 fc
|   79 d2 aa 69  57 d3 8b 2e  07 f3 f4 84  56 9f 7c e1
|   e7 7a ac 6d  a6 68 b3 47  23 13 fa 95  70 b3 02 03
|   01 00 01
| L2 - DEFAULT v1:
| L3 - version:
|   02
|   v3
| L2 - serialNumber:
|   00 a5 a0 a8  f1
| L2 - signature:
| L3 - algorithmIdentifier:
| L4 - algorithm:
|   'sha-1WithRSAEncryption'
| L2 - issuer:
|   30 15 31 13  30 11 06 03  55 04 03 13  0a 4f 70 65
|   6e 73 77 61  6e 43 41
|   'CN=OpenswanCA'
| L2 - validity:
| L3 - notBefore:
| L4 - utcTime:
|   'Mar 01 23:39:46 UTC 2016'
| L3 - notAfter:
| L4 - utcTime:
|   'Mar 01 23:39:46 UTC 2017'
| L2 - subject:
|   30 19 31 17  30 15 06 03  55 04 03 13  0e 73 75 6e
|   6b 61 72 69  63 6c 69 65  6e 74 31
|   'CN=sunkariclient1'
| L2 - subjectPublicKeyInfo:
| L3 - algorithm:
| L4 - algorithmIdentifier:
| L5 - algorithm:
|   'rsaEncryption'
| L3 - subjectPublicKey:
| L4 - RSAPublicKey:
| L5 - modulus:
|   00 af dd 33  e6 8d 87 ed  bf 6c dd dd  cb 05 1c bc
|   31 bb ac c3  26 8f 81 69  10 65 e9 13  94 5c d6 25
|   26 99 eb b6  46 2b db 05  f1 cf 49 02  01 21 66 8b
|   83 05 0c 6f  e3 90 81 1f  56 f4 bd bf  f7 a5 54 8a
|   bd f6 ff 21  de cb 2b b0  c7 9a 17 41  18 91 02 32
|   55 0f 66 e3  e8 38 e8 59  e2 ef 99 ce  20 27 9f ce
|   6c 23 fc 79  d2 aa 69 57  d3 8b 2e 07  f3 f4 84 56
|   9f 7c e1 e7  7a ac 6d a6  68 b3 47 23  13 fa 95 70
|   b3
| L5 - publicExponent:
|   01 00 01
| L1 - signatureAlgorithm:
| L2 - algorithmIdentifier:
| L3 - algorithm:
|   'sha-1WithRSAEncryption'
| L1 - signatureValue:
|   00 9d 85 9d  d4 22 1e 0e  71 83 9d aa  82 7a a8 8a
|   c5 6b 10 d0  44 2b 6f c5  ae 8a ee 47  b9 83 3b 60
|   14 02 f0 4a  da 16 2c a1  dd 1e 52 8a  d7 33 03 09
|   d6 0f 60 b4  64 70 57 d3  ce ed 76 35  7f 57 fc 43
|   84 15 93 d7  93 9f 8d 4b  7e 81 fb 68  57 69 69 01
|   52 a6 79 5d  3a 90 ae 90  fa b8 07 68  28 5b b8 d1
|   2c a4 d3 5a  b6 e0 0d 94  20 fa 27 f3  8f 29 c7 29
|   34 2c 4c c4  e1 46 51 2e  17 ad d8 b7  e0 64 ce ab
|   17
|   not before  : Mar 01 23:39:46 UTC 2016
|   current time: Mar 03 18:30:06 UTC 2016
|   not after   : Mar 01 23:39:46 UTC 2017
| certificate is valid
| unreference key: 0x7fb27f461750 CN=sunkariclient1 cnt 1--
| certs and keys locked by 'add_x509cert'
| certs and keys unlocked by 'add_x509cert'
| counting wild cards for CN=sunkariclient1 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
| connect_to_host_pair: 10.10.0.2:500 10.20.0.2:500 -> hp:none
added connection description "ikev2"
| 10.10.0.2<10.10.0.2>[CN=sunkariclient1,+S=C]...10.20.0.2<10.20.0.2>[CN=sunkariserver1,+S=C]
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 8 seconds
| next event EVENT_PENDING_DDNS in 8 seconds
|
| *received whack message
| processing connection ikev2
| kernel_alg_db_new() initial trans_cnt=128
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new()     trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x7fb27f468b90
| processing connection ikev2
| ICOOKIE:  cd 84 57 e9  63 67 79 6e
| RCOOKIE:  00 00 00 00  00 00 00 00
| state hash entry 18
| inserting state object #1 on chain 18
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection ikev2
| Queuing pending Quick Mode with 10.20.0.2 "ikev2"
"ikev2" #1: initiating v2 parent SA
| 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
| asking helper 1 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 7 seconds
| next event EVENT_PENDING_DDNS in 7 seconds
| helper 1 read 2768+4/2776 bytes fd: 10
| helper 1 doing build_kenonce op id: 1
| NSS: Value of Prime:
|   ff ff ff ff  ff ff ff ff  c9 0f da a2  21 68 c2 34
|   c4 c6 62 8b  80 dc 1c d1  29 02 4e 08  8a 67 cc 74
|   02 0b be a6  3b 13 9b 22  51 4a 08 79  8e 34 04 dd
|   ef 95 19 b3  cd 3a 43 1b  30 2b 0a 6d  f2 5f 14 37
|   4f e1 35 6d  6d 51 c2 45  e4 85 b5 76  62 5e 7e c6
|   f4 4c 42 e9  a6 37 ed 6b  0b ff 5c b6  f4 06 b7 ed
|   ee 38 6b fb  5a 89 9f a5  ae 9f 24 11  7c 4b 1f e6
|   49 28 66 51  ec e4 5b 3d  c2 00 7c b8  a1 63 bf 05
|   98 da 48 36  1c 55 d3 9a  69 16 3f a8  fd 24 cf 5f
|   83 65 5d 23  dc a3 ad 96  1c 62 f3 56  20 85 52 bb
|   9e d5 29 07  70 96 96 6d  67 0c 35 4e  4a bc 98 04
|   f1 74 6c 08  ca 18 21 7c  32 90 5e 46  2e 36 ce 3b
|   e3 9e 77 2c  18 0e 86 03  9b 27 83 a2  ec 07 a2 8f
|   b5 c5 5d f0  6f 4c 52 c9  de 2b cb f6  95 58 17 18
|   39 95 49 7c  ea 95 6a e5  15 d2 26 18  98 fa 05 10
|   15 72 8e 5a  8a ac aa 68  ff ff ff ff  ff ff ff ff
| NSS: Value of base:
|   02
| NSS: generated dh priv and pub keys: 256
| NSS: Local DH secret:
|   70 45 00 68  b2 7f 00 00
| NSS: Public DH value sent(computed in NSS):
|   8a 20 23 39  6b bd 53 db  cd 17 c6 95  a7 db 5f fb
|   0b 9e 32 d3  2d 53 68 32  e7 62 33 7a  21 b8 41 b1
|   5a 06 1e 31  d7 79 f0 57  6c 11 42 57  36 64 2c f3
|   76 ac de 3e  1c ad 75 a4  7e 3c 43 7c  f0 0e ae 7d
|   e6 54 b0 b1  4a 2c 58 7c  d6 df 9f 81  85 09 3f ec
|   30 a8 1e 4e  3d 11 3c 92  ab f0 1e 81  c4 a6 6a 55
|   c0 dd eb b2  41 86 01 3f  fd b5 d4 99  3f 9d bb c2
|   df f7 9b 54  0a 31 83 bc  3c fc 9e 0d  54 0d 6a c2
|   ca aa fe 9a  99 42 12 a6  54 f3 73 b1  c1 1d 12 6a
|   c3 e0 77 9d  84 da 6b cb  45 3d 18 1f  d9 38 0e 0f
|   58 89 cc 37  2c cd 95 c8  6d 43 11 6c  17 93 19 c6
|   ac 14 b8 8a  68 d7 f9 ba  03 2a f2 69  b2 73 65 ce
|   5c 29 28 4a  d2 93 15 3a  0d 90 2f bc  48 13 7a 86
|   0f 26 42 ac  64 9a ec 32  cb d1 b2 2f  6a 90 2c db
|   a6 b0 d8 f9  02 02 72 91  1c 12 8c aa  aa 04 2b 13
|   79 d6 67 c5  84 98 28 14  fb a1 50 bc  d7 3c e8 97
| NSS: Local DH public value (pointer):
|   30 9d 46 7f  b2 7f 00 00
| Generated nonce:
|   08 b9 26 6d  51 71 0f 65  0c 77 9c 45  30 98 e2 61
|
| helper 1 has finished work (cnt now 1)
| helper 1 replies to id: q#1
| calling callback function 0x7fb27db8b3b0
| ikev2 parent outI1: calculated ke+nonce, sending I1
| processing connection ikev2
| saving DH priv (local secret) and pub key into state struc
| **emit ISAKMP Message:
|    initiator cookie:
|   cd 84 57 e9  63 67 79 6e
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_v2SA
|    ISAKMP version: IKEv2 version 2.0 (rfc4306)
|    exchange type: ISAKMP_v2_SA_INIT
|    flags: ISAKMP_FLAG_INIT
|    message ID:  00 00 00 00
| ***emit IKEv2 Security Association Payload:
|    next payload type: ISAKMP_NEXT_v2KE
|    critical bit: none
| ****emit IKEv2 Proposal Substructure Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    prop #: 1
|    proto ID: 1
|    spi size: 0
|    # transforms: 4
| *****emit IKEv2 Transform Substructure Payload:
|    next payload type: ISAKMP_NEXT_T
|    transform type: 1
|    transform ID: 3
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    next payload type: ISAKMP_NEXT_T
|    transform type: 3
|    transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    next payload type: ISAKMP_NEXT_T
|    transform type: 2
|    transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
|    next payload type: ISAKMP_NEXT_NONE
|    transform type: 4
|    transform ID: 14
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 40
| emitting length of IKEv2 Security Association Payload: 44
| ***emit IKEv2 Key Exchange Payload:
|    next payload type: ISAKMP_NEXT_v2Ni
|    critical bit: none
|    transform type: 14
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x  8a 20 23 39  6b bd 53 db  cd 17 c6 95  a7 db 5f fb
| ikev2 g^x  0b 9e 32 d3  2d 53 68 32  e7 62 33 7a  21 b8 41 b1
| ikev2 g^x  5a 06 1e 31  d7 79 f0 57  6c 11 42 57  36 64 2c f3
| ikev2 g^x  76 ac de 3e  1c ad 75 a4  7e 3c 43 7c  f0 0e ae 7d
| ikev2 g^x  e6 54 b0 b1  4a 2c 58 7c  d6 df 9f 81  85 09 3f ec
| ikev2 g^x  30 a8 1e 4e  3d 11 3c 92  ab f0 1e 81  c4 a6 6a 55
| ikev2 g^x  c0 dd eb b2  41 86 01 3f  fd b5 d4 99  3f 9d bb c2
| ikev2 g^x  df f7 9b 54  0a 31 83 bc  3c fc 9e 0d  54 0d 6a c2
| ikev2 g^x  ca aa fe 9a  99 42 12 a6  54 f3 73 b1  c1 1d 12 6a
| ikev2 g^x  c3 e0 77 9d  84 da 6b cb  45 3d 18 1f  d9 38 0e 0f
| ikev2 g^x  58 89 cc 37  2c cd 95 c8  6d 43 11 6c  17 93 19 c6
| ikev2 g^x  ac 14 b8 8a  68 d7 f9 ba  03 2a f2 69  b2 73 65 ce
| ikev2 g^x  5c 29 28 4a  d2 93 15 3a  0d 90 2f bc  48 13 7a 86
| ikev2 g^x  0f 26 42 ac  64 9a ec 32  cb d1 b2 2f  6a 90 2c db
| ikev2 g^x  a6 b0 d8 f9  02 02 72 91  1c 12 8c aa  aa 04 2b 13
| ikev2 g^x  79 d6 67 c5  84 98 28 14  fb a1 50 bc  d7 3c e8 97
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
|    next payload type: ISAKMP_NEXT_v2V
|    critical bit: none
| emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce  08 b9 26 6d  51 71 0f 65  0c 77 9c 45  30 98 e2 61
| emitting length of IKEv2 Nonce Payload: 20
| ***emit ISAKMP Vendor ID Payload:
|    next payload type: ISAKMP_NEXT_NONE
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID  4f 45 68 79  4c 64 41 43  65 63 66 61
| emitting length of ISAKMP Vendor ID Payload: 16
| emitting length of ISAKMP Message: 372
| sending 372 bytes for ikev2_parent_outI1_common through eth0:500 to 10.20.0.2:500 (using #1)
|   cd 84 57 e9  63 67 79 6e  00 00 00 00  00 00 00 00
|   21 20 22 08  00 00 00 00  00 00 01 74  22 00 00 2c
|   00 00 00 28  01 01 00 04  03 00 00 08  01 00 00 03
|   03 00 00 08  03 00 00 02  03 00 00 08  02 00 00 02
|   00 00 00 08  04 00 00 0e  28 00 01 08  00 0e 00 00
|   8a 20 23 39  6b bd 53 db  cd 17 c6 95  a7 db 5f fb
|   0b 9e 32 d3  2d 53 68 32  e7 62 33 7a  21 b8 41 b1
|   5a 06 1e 31  d7 79 f0 57  6c 11 42 57  36 64 2c f3
|   76 ac de 3e  1c ad 75 a4  7e 3c 43 7c  f0 0e ae 7d
|   e6 54 b0 b1  4a 2c 58 7c  d6 df 9f 81  85 09 3f ec
|   30 a8 1e 4e  3d 11 3c 92  ab f0 1e 81  c4 a6 6a 55
|   c0 dd eb b2  41 86 01 3f  fd b5 d4 99  3f 9d bb c2
|   df f7 9b 54  0a 31 83 bc  3c fc 9e 0d  54 0d 6a c2
|   ca aa fe 9a  99 42 12 a6  54 f3 73 b1  c1 1d 12 6a
|   c3 e0 77 9d  84 da 6b cb  45 3d 18 1f  d9 38 0e 0f
|   58 89 cc 37  2c cd 95 c8  6d 43 11 6c  17 93 19 c6
|   ac 14 b8 8a  68 d7 f9 ba  03 2a f2 69  b2 73 65 ce
|   5c 29 28 4a  d2 93 15 3a  0d 90 2f bc  48 13 7a 86
|   0f 26 42 ac  64 9a ec 32  cb d1 b2 2f  6a 90 2c db
|   a6 b0 d8 f9  02 02 72 91  1c 12 8c aa  aa 04 2b 13
|   79 d6 67 c5  84 98 28 14  fb a1 50 bc  d7 3c e8 97
|   2b 00 00 14  08 b9 26 6d  51 71 0f 65  0c 77 9c 45
|   30 98 e2 61  00 00 00 10  4f 45 68 79  4c 64 41 43
|   65 63 66 61
| deleting event for #1
| inserting event EVENT_v2_RETRANSMIT, timeout in 10 seconds for #1
| event added after event EVENT_PENDING_DDNS
| complete v2 state transition with STF_OK
"ikev2" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
| * processed 1 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 7 seconds

Regards,
Prashant
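Added example (editor's note, not part of the post above and not Openswan code): a small IKEv2 decoder that parses the 372-byte IKE_SA_INIT request the server logged under plutodebug=all. It makes two things from the log easy to see without reading hex: the initiator's payload chain is SA, KE, Ni, V with no Notify payloads at all, so the message carries none of the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies that RFC 7296 section 2.23 uses to detect a NAT and move the exchange to UDP/4500; and the proposal is exactly the configured 3DES / HMAC-SHA1 / PRF-SHA1 / MODP2048. It goes beyond the post by also computing the RFC 7296 NAT-D hash, SHA-1(SPIi | SPIr | IP | Port), for the two address/port pairs the post names (the client's real 10.10.0.2:500 and the 4.4.0.250:7060 the server saw), which is the comparison a responder performs to learn that its peer sits behind a NAT. The hex is copied verbatim from the server's "*received 372 bytes from 4.4.0.250:7060" dump; nothing else is assumed.

```python
"""Decode the IKE_SA_INIT request the server logged and check it for IKEv2 NAT-detection
payloads (RFC 7296 section 2.23). Added example, not Openswan code."""
import hashlib
import ipaddress
import struct

PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 39: "AUTH", 40: "Ni/Nr",
            41: "N", 43: "V", 44: "TSi", 45: "TSr", 46: "SK"}
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
TRANSFORMS = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
NAT_DETECTION_SOURCE_IP, NAT_DETECTION_DESTINATION_IP = 16388, 16389

# The 372 bytes logged as "*received 372 bytes from 4.4.0.250:7060", copied from the post.
I1_HEX = """
cd 84 57 e9  63 67 79 6e  00 00 00 00  00 00 00 00
21 20 22 08  00 00 00 00  00 00 01 74  22 00 00 2c
00 00 00 28  01 01 00 04  03 00 00 08  01 00 00 03
03 00 00 08  03 00 00 02  03 00 00 08  02 00 00 02
00 00 00 08  04 00 00 0e  28 00 01 08  00 0e 00 00
8a 20 23 39  6b bd 53 db  cd 17 c6 95  a7 db 5f fb
0b 9e 32 d3  2d 53 68 32  e7 62 33 7a  21 b8 41 b1
5a 06 1e 31  d7 79 f0 57  6c 11 42 57  36 64 2c f3
76 ac de 3e  1c ad 75 a4  7e 3c 43 7c  f0 0e ae 7d
e6 54 b0 b1  4a 2c 58 7c  d6 df 9f 81  85 09 3f ec
30 a8 1e 4e  3d 11 3c 92  ab f0 1e 81  c4 a6 6a 55
c0 dd eb b2  41 86 01 3f  fd b5 d4 99  3f 9d bb c2
df f7 9b 54  0a 31 83 bc  3c fc 9e 0d  54 0d 6a c2
ca aa fe 9a  99 42 12 a6  54 f3 73 b1  c1 1d 12 6a
c3 e0 77 9d  84 da 6b cb  45 3d 18 1f  d9 38 0e 0f
58 89 cc 37  2c cd 95 c8  6d 43 11 6c  17 93 19 c6
ac 14 b8 8a  68 d7 f9 ba  03 2a f2 69  b2 73 65 ce
5c 29 28 4a  d2 93 15 3a  0d 90 2f bc  48 13 7a 86
0f 26 42 ac  64 9a ec 32  cb d1 b2 2f  6a 90 2c db
a6 b0 d8 f9  02 02 72 91  1c 12 8c aa  aa 04 2b 13
79 d6 67 c5  84 98 28 14  fb a1 50 bc  d7 3c e8 97
2b 00 00 14  08 b9 26 6d  51 71 0f 65  0c 77 9c 45
30 98 e2 61  00 00 00 10  4f 45 68 79  4c 64 41 43
65 63 66 61
"""

def parse_sa(body):
    """Walk the proposal substructures of an SA payload and their transforms."""
    proposals, off = [], 0
    while off < len(body):
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, tend, transforms = off + 8 + spi_size, off + plen, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append((TRANSFORMS.get(ttype, ttype), tid))
            toff += tlen  # tlen covers any transform attributes, so they are skipped
        if toff != tend:
            raise ValueError("transform lengths do not add up to the proposal length")
        proposals.append({"num": num, "proto": proto, "transforms": transforms})
        off = tend
        if more == 0:
            break
    return proposals

def parse_message(data):
    """Parse the 28-byte IKE header, then follow the next-payload chain to the end."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if ver >> 4 != 2 or length != len(data):
        raise ValueError(f"not a complete IKEv2 message (version {ver >> 4}, length {length})")
    msg = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "exchange": EXCHANGES.get(exch, exch),
           "initiator": bool(flags & 0x08), "response": bool(flags & 0x20), "msg_id": msg_id, "payloads": []}
    off = 28
    while nxt != 0:
        ptype = nxt
        nxt, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        pl = {"type": PAYLOADS.get(ptype, ptype), "len": plen}
        if ptype == 33:
            pl["proposals"] = parse_sa(body)
        elif ptype == 34:  # KE: DH group(2) reserved(2) key-exchange data
            pl["dh_group"] = struct.unpack("!H", body[:2])[0]
        elif ptype == 41:  # N: protocol(1) spi_size(1) notify_type(2) spi data
            pl["notify_type"] = struct.unpack("!H", body[2:4])[0]
        elif ptype == 43:
            pl["vendor_id"] = body.decode("ascii", errors="replace")
        msg["payloads"].append(pl)
        off += plen
    return msg

def has_nat_detection(msg):
    """True when both NAT_DETECTION_*_IP notifies are present; without them no NAT is detected."""
    types = {p.get("notify_type") for p in msg["payloads"] if p["type"] == "N"}
    return NAT_DETECTION_SOURCE_IP in types and NAT_DETECTION_DESTINATION_IP in types

def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | Port): the value carried inside a NAT_DETECTION_*_IP notify."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

MSG = parse_message(bytes.fromhex(I1_HEX))

if __name__ == "__main__":
    for p in MSG["payloads"]:
        print(p)
    print("NAT-D notifies present:", has_nat_detection(MSG))
```

Running it prints the four payloads (the SA proposal decodes to ENCR 3 = 3DES, INTEG 2 = HMAC-SHA1-96, PRF 2 = HMAC-SHA1, DH 14 = MODP2048; the vendor ID is the ASCII string "OEhyLdACecfa"; the responder SPI is all zeros as expected for an unanswered I1) and "NAT-D notifies present: False". Feeding nat_detection_hash() the pre-NAT 10.10.0.2:500 and the observed 4.4.0.250:7060 with the SPIs from the dump yields two different digests, which is the mismatch a responder relies on to notice the NAT; read alongside the server log's "comparing to 10.20.0.2:500 0.0.0.0:500" against an arrival from 4.4.0.250:7060, it is the first thing to check in a capture of the full exchange.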
