[Openswan Users] IPSec with IKEv2 through a NAT device and dynamic client/right IPs
Prashant Sunkari
P.Sunkari at F5.com
Thu Mar 3 13:42:32 EST 2016
Hi,
I am not able to set up an IPsec with IKEv2 connection via a NAT device that changes the source address and port dynamically. On the server side, openswan fails to find a proposal:
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=10.20.0.2:500 him=4.4.0.250:7060 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.20.0.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 10.20.0.2:500 4.4.0.250:7060 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| don't send packet when notification data empty
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN
Can someone help point out what I am doing wrong? I bet there is something wrong in my ipsec.conf but I haven't been able to figure it out.
Client1(10.10.0.2) ---A-- NAT device----B---Server1(10.20.0.2)
A - 10.10.0.0/16 subnet
B - 10.20.0.0/16 subnet
NAT device changes the IP and port of the traffic coming from client1 to, let us say, any address from 4.4.0.0/16 and any port from 1025-60000.
So, server1 (left)'s ipsec.conf can't have a static IP as its right.
Below I have provided
1. Client and server ipsec.conf
2. Commands to start connection
3. server and client pluto std err log (with plutodebug=control)
4. server and client pluto std err log (with plutodebug=all)
Client1 ipsec.conf (left is server1, right is client1)
config setup
    plutodebug=control
    plutostderrlog="/var/log/pluto.log"
    nat_traversal=yes
    protostack=netkey
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
conn ikev2
    type=tunnel
    aggrmode=no
    left=10.20.0.2
    leftid="CN=sunkariserver1"
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightid="CN=sunkariclient1"
    rightcert=sunkariclient1
    rekey=no
    right=10.10.0.2
    auto=add
    ikev2=insist
    pfs=yes
    ike=3des-sha1;modp2048
    phase2alg=3des-sha1;modp1024
    compress=no
Server1 ipsec.conf (left is server1, right is client1)
# Openswan 2.6 config
config setup
    plutodebug=control
    plutostderrlog="/var/log/pluto.log"
    nat_traversal=yes
    protostack=netkey
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
conn ikev2
    type=tunnel
    aggrmode=no
    left=10.20.0.2
    leftid="CN=sunkariserver1"
    leftrsasigkey=%cert
    leftcert=sunkariserver1
    right=%any
    rightrsasigkey=%cert
    rightid="CN=sunkariclient1"
    rekey=no
    auto=add
    ikev2=insist
    # NOT used
    pfs=yes
    ike=3des-sha1;modp2048
    phase2alg=3des-sha1;modp1024
    compress=no
Starting connection
[root at client f5ite]# ipsec auto --add ikev2
[root at client f5ite]# ipsec auto --up ikev2
133 "ikev2" #1: STATE_PARENT_I1: initiate
133 "ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
010 "ikev2" #1: STATE_PARENT_I1: retransmission; will wait 20s for response
010 "ikev2" #1: STATE_PARENT_I1: retransmission; will wait 40s for response
031 "ikev2" #1: max number of retransmissions (2) reached STATE_PARENT_I1. No response (or no acceptable response) to our first IKE message
000 "ikev2" #1: starting keying attempt 2 of at most 1, but releasing whack
[root at client f5ite]#
Server pluto.log
|
| *received 372 bytes from 4.4.0.250:7060 on eth1 (port=500)
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| I am receiving an IKE Request
| I am the IKE SA Original Responder
| ICOOKIE: 4b 45 91 30 83 21 0e 05
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| v2 state object not found
| ICOOKIE: 4b 45 91 30 83 21 0e 05
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| v2 state object not found
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 42 seconds
| next event EVENT_PENDING_DDNS in 42 seconds
^C
Client pluto.log
| *received whack message
| processing connection ikev2
"ikev2": deleting connection
| alg_info_delref(0x7f32c80a2c20) alg_info->ref_cnt=1
| alg_info_delref(0x7f32c80a2c20) freeing alg_info
| alg_info_delref(0x7f32c8096e10) alg_info->ref_cnt=1
| alg_info_delref(0x7f32c8096e10) freeing alg_info
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| Added new connection ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14)
| loopback=0 labeled_ipsec=0, policy_label=(null)
| counting wild cards for CN=sunkariserver1 is 0
loading certificate from sunkariclient1
| certificate is valid
| counting wild cards for CN=sunkariclient1 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "ikev2"
| 10.10.0.2<10.10.0.2>[CN=sunkariclient1,+S=C]...10.20.0.2<10.20.0.2>[CN=sunkariserver1,+S=C]
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 46 seconds
| next event EVENT_PENDING_DDNS in 46 seconds
|
| *received whack message
| processing connection ikev2
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x7f32c80a7d30
| processing connection ikev2
| ICOOKIE: 4b 45 91 30 83 21 0e 05
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| inserting state object #1 on chain 6
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| processing connection ikev2
| Queuing pending Quick Mode with 10.20.0.2 "ikev2"
"ikev2" #1: initiating v2 parent SA
| 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
| asking helper 1 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 45 seconds
| next event EVENT_PENDING_DDNS in 45 seconds
| helper 1 read 2768+4/2776 bytes fd: 10
| helper 1 doing build_kenonce op id: 1
|
| helper 1 has finished work (cnt now 1)
| helper 1 replies to id: q#1
| processing connection ikev2
| sending 372 bytes for ikev2_parent_outI1_common through eth0:500 to 10.20.0.2:500 (using #1)
| inserting event EVENT_v2_RETRANSMIT, timeout in 10 seconds for #1
| complete v2 state transition with STF_OK
"ikev2" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
| * processed 1 messages from cryptographic helpers
| next event EVENT_v2_RETRANSMIT in 10 seconds for #1
| next event EVENT_v2_RETRANSMIT in 10 seconds for #1
|
| next event EVENT_v2_RETRANSMIT in 0 seconds for #1
| *time to handle event
| handling event EVENT_v2_RETRANSMIT
| event after this is EVENT_PENDING_DDNS in 35 seconds
| processing connection ikev2
| handling event EVENT_v2_RETRANSMIT for 10.20.0.2 "ikev2" #1
| sending 372 bytes for EVENT_v2_RETRANSMIT through eth0:500 to 10.20.0.2:500 (using #1)
| inserting event EVENT_v2_RETRANSMIT, timeout in 20 seconds for #1
| next event EVENT_v2_RETRANSMIT in 20 seconds for #1
With plutodebug set to all, the following is the output.
Server pluto.log
-------------------
|
| *received 372 bytes from 4.4.0.250:7060 on eth1 (port=500)
| cd 84 57 e9 63 67 79 6e 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 01 74 22 00 00 2c
| 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03
| 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
| 00 00 00 08 04 00 00 0e 28 00 01 08 00 0e 00 00
| 8a 20 23 39 6b bd 53 db cd 17 c6 95 a7 db 5f fb
| 0b 9e 32 d3 2d 53 68 32 e7 62 33 7a 21 b8 41 b1
| 5a 06 1e 31 d7 79 f0 57 6c 11 42 57 36 64 2c f3
| 76 ac de 3e 1c ad 75 a4 7e 3c 43 7c f0 0e ae 7d
| e6 54 b0 b1 4a 2c 58 7c d6 df 9f 81 85 09 3f ec
| 30 a8 1e 4e 3d 11 3c 92 ab f0 1e 81 c4 a6 6a 55
| c0 dd eb b2 41 86 01 3f fd b5 d4 99 3f 9d bb c2
| df f7 9b 54 0a 31 83 bc 3c fc 9e 0d 54 0d 6a c2
| ca aa fe 9a 99 42 12 a6 54 f3 73 b1 c1 1d 12 6a
| c3 e0 77 9d 84 da 6b cb 45 3d 18 1f d9 38 0e 0f
| 58 89 cc 37 2c cd 95 c8 6d 43 11 6c 17 93 19 c6
| ac 14 b8 8a 68 d7 f9 ba 03 2a f2 69 b2 73 65 ce
| 5c 29 28 4a d2 93 15 3a 0d 90 2f bc 48 13 7a 86
| 0f 26 42 ac 64 9a ec 32 cb d1 b2 2f 6a 90 2c db
| a6 b0 d8 f9 02 02 72 91 1c 12 8c aa aa 04 2b 13
| 79 d6 67 c5 84 98 28 14 fb a1 50 bc d7 3c e8 97
| 2b 00 00 14 08 b9 26 6d 51 71 0f 65 0c 77 9c 45
| 30 98 e2 61 00 00 00 10 4f 45 68 79 4c 64 41 43
| 65 63 66 61
| **parse ISAKMP Message:
| initiator cookie:
| cd 84 57 e9 63 67 79 6e
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 372
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| I am receiving an IKE Request
| I am the IKE SA Original Responder
| I am IKE SA Responder
| ICOOKIE: cd 84 57 e9 63 67 79 6e
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 18
| v2 state object not found
| ICOOKIE: cd 84 57 e9 63 67 79 6e
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 18
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 264
| transform type: 14
| processing payload: ISAKMP_NEXT_v2KE (len=264)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=10.20.0.2:500 him=4.4.0.250:7060 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.20.0.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 10.20.0.2:500 4.4.0.250:7060 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
| don't send packet when notification data empty
| state transition function for no-state failed: NO_PROPOSAL_CHOSEN
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 9 seconds
| next event EVENT_PENDING_DDNS in 9 seconds
Client pluto.log
|
| *received whack message
| processing connection ikev2
"ikev2": deleting connection
| certs and keys locked by 'release_x509cert'
| certs and keys unlocked by 'release_x509cert'
| alg_info_delref(0x7fb27f463c10) alg_info->ref_cnt=1
| alg_info_delref(0x7fb27f463c10) freeing alg_info
| alg_info_delref(0x7fb27f457e00) alg_info->ref_cnt=1
| alg_info_delref(0x7fb27f457e00) freeing alg_info
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x7fb27de495a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x7fb27de495a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x7fb27de43a40, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x7fb27de495e0, "OAKLEY_GROUP_MODP2048")
| parser_alg_info_add() modp_getbyname("modp2048")=14
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=14, cnt=1
| Added new connection ikev2 with policy RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x7fb27de495e0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x7fb27de43660, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x7fb27de43860, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2)
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP2048(14)
| loopback=0 labeled_ipsec=0, policy_label=(null)
| counting wild cards for CN=sunkariserver1 is 0
loading certificate from sunkariclient1
| Found pointer to cert sunkariclient1 now giving it to further processing
| file coded in DER format
| L0 - certificate:
| 30 82 01 a6 30 82 01 0f a0 03 02 01 02 02 05 00
| a5 a0 a8 f1 30 0d 06 09 2a 86 48 86 f7 0d 01 01
| 05 05 00 30 15 31 13 30 11 06 03 55 04 03 13 0a
| 4f 70 65 6e 73 77 61 6e 43 41 30 1e 17 0d 31 36
| 30 33 30 31 32 33 33 39 34 36 5a 17 0d 31 37 30
| 33 30 31 32 33 33 39 34 36 5a 30 19 31 17 30 15
| 06 03 55 04 03 13 0e 73 75 6e 6b 61 72 69 63 6c
| 69 65 6e 74 31 30 81 9f 30 0d 06 09 2a 86 48 86
| f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
| 81 00 af dd 33 e6 8d 87 ed bf 6c dd dd cb 05 1c
| bc 31 bb ac c3 26 8f 81 69 10 65 e9 13 94 5c d6
| 25 26 99 eb b6 46 2b db 05 f1 cf 49 02 01 21 66
| 8b 83 05 0c 6f e3 90 81 1f 56 f4 bd bf f7 a5 54
| 8a bd f6 ff 21 de cb 2b b0 c7 9a 17 41 18 91 02
| 32 55 0f 66 e3 e8 38 e8 59 e2 ef 99 ce 20 27 9f
| ce 6c 23 fc 79 d2 aa 69 57 d3 8b 2e 07 f3 f4 84
| 56 9f 7c e1 e7 7a ac 6d a6 68 b3 47 23 13 fa 95
| 70 b3 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7
| 0d 01 01 05 05 00 03 81 81 00 9d 85 9d d4 22 1e
| 0e 71 83 9d aa 82 7a a8 8a c5 6b 10 d0 44 2b 6f
| c5 ae 8a ee 47 b9 83 3b 60 14 02 f0 4a da 16 2c
| a1 dd 1e 52 8a d7 33 03 09 d6 0f 60 b4 64 70 57
| d3 ce ed 76 35 7f 57 fc 43 84 15 93 d7 93 9f 8d
| 4b 7e 81 fb 68 57 69 69 01 52 a6 79 5d 3a 90 ae
| 90 fa b8 07 68 28 5b b8 d1 2c a4 d3 5a b6 e0 0d
| 94 20 fa 27 f3 8f 29 c7 29 34 2c 4c c4 e1 46 51
| 2e 17 ad d8 b7 e0 64 ce ab 17
| L1 - tbsCertificate:
| 30 82 01 0f a0 03 02 01 02 02 05 00 a5 a0 a8 f1
| 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30
| 15 31 13 30 11 06 03 55 04 03 13 0a 4f 70 65 6e
| 73 77 61 6e 43 41 30 1e 17 0d 31 36 30 33 30 31
| 32 33 33 39 34 36 5a 17 0d 31 37 30 33 30 31 32
| 33 33 39 34 36 5a 30 19 31 17 30 15 06 03 55 04
| 03 13 0e 73 75 6e 6b 61 72 69 63 6c 69 65 6e 74
| 31 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
| 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 af dd
| 33 e6 8d 87 ed bf 6c dd dd cb 05 1c bc 31 bb ac
| c3 26 8f 81 69 10 65 e9 13 94 5c d6 25 26 99 eb
| b6 46 2b db 05 f1 cf 49 02 01 21 66 8b 83 05 0c
| 6f e3 90 81 1f 56 f4 bd bf f7 a5 54 8a bd f6 ff
| 21 de cb 2b b0 c7 9a 17 41 18 91 02 32 55 0f 66
| e3 e8 38 e8 59 e2 ef 99 ce 20 27 9f ce 6c 23 fc
| 79 d2 aa 69 57 d3 8b 2e 07 f3 f4 84 56 9f 7c e1
| e7 7a ac 6d a6 68 b3 47 23 13 fa 95 70 b3 02 03
| 01 00 01
| L2 - DEFAULT v1:
| L3 - version:
| 02
| v3
| L2 - serialNumber:
| 00 a5 a0 a8 f1
| L2 - signature:
| L3 - algorithmIdentifier:
| L4 - algorithm:
| 'sha-1WithRSAEncryption'
| L2 - issuer:
| 30 15 31 13 30 11 06 03 55 04 03 13 0a 4f 70 65
| 6e 73 77 61 6e 43 41
| 'CN=OpenswanCA'
| L2 - validity:
| L3 - notBefore:
| L4 - utcTime:
| 'Mar 01 23:39:46 UTC 2016'
| L3 - notAfter:
| L4 - utcTime:
| 'Mar 01 23:39:46 UTC 2017'
| L2 - subject:
| 30 19 31 17 30 15 06 03 55 04 03 13 0e 73 75 6e
| 6b 61 72 69 63 6c 69 65 6e 74 31
| 'CN=sunkariclient1'
| L2 - subjectPublicKeyInfo:
| L3 - algorithm:
| L4 - algorithmIdentifier:
| L5 - algorithm:
| 'rsaEncryption'
| L3 - subjectPublicKey:
| L4 - RSAPublicKey:
| L5 - modulus:
| 00 af dd 33 e6 8d 87 ed bf 6c dd dd cb 05 1c bc
| 31 bb ac c3 26 8f 81 69 10 65 e9 13 94 5c d6 25
| 26 99 eb b6 46 2b db 05 f1 cf 49 02 01 21 66 8b
| 83 05 0c 6f e3 90 81 1f 56 f4 bd bf f7 a5 54 8a
| bd f6 ff 21 de cb 2b b0 c7 9a 17 41 18 91 02 32
| 55 0f 66 e3 e8 38 e8 59 e2 ef 99 ce 20 27 9f ce
| 6c 23 fc 79 d2 aa 69 57 d3 8b 2e 07 f3 f4 84 56
| 9f 7c e1 e7 7a ac 6d a6 68 b3 47 23 13 fa 95 70
| b3
| L5 - publicExponent:
| 01 00 01
| L1 - signatureAlgorithm:
| L2 - algorithmIdentifier:
| L3 - algorithm:
| 'sha-1WithRSAEncryption'
| L1 - signatureValue:
| 00 9d 85 9d d4 22 1e 0e 71 83 9d aa 82 7a a8 8a
| c5 6b 10 d0 44 2b 6f c5 ae 8a ee 47 b9 83 3b 60
| 14 02 f0 4a da 16 2c a1 dd 1e 52 8a d7 33 03 09
| d6 0f 60 b4 64 70 57 d3 ce ed 76 35 7f 57 fc 43
| 84 15 93 d7 93 9f 8d 4b 7e 81 fb 68 57 69 69 01
| 52 a6 79 5d 3a 90 ae 90 fa b8 07 68 28 5b b8 d1
| 2c a4 d3 5a b6 e0 0d 94 20 fa 27 f3 8f 29 c7 29
| 34 2c 4c c4 e1 46 51 2e 17 ad d8 b7 e0 64 ce ab
| 17
| not before : Mar 01 23:39:46 UTC 2016
| current time: Mar 03 18:30:06 UTC 2016
| not after : Mar 01 23:39:46 UTC 2017
| certificate is valid
| unreference key: 0x7fb27f461750 CN=sunkariclient1 cnt 1--
| certs and keys locked by 'add_x509cert'
| certs and keys unlocked by 'add_x509cert'
| counting wild cards for CN=sunkariclient1 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
| connect_to_host_pair: 10.10.0.2:500 10.20.0.2:500 -> hp:none
added connection description "ikev2"
| 10.10.0.2<10.10.0.2>[CN=sunkariclient1,+S=C]...10.20.0.2<10.20.0.2>[CN=sunkariserver1,+S=C]
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 8 seconds
| next event EVENT_PENDING_DDNS in 8 seconds
|
| *received whack message
| processing connection ikev2
| kernel_alg_db_new() initial trans_cnt=128
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #1 at 0x7fb27f468b90
| processing connection ikev2
| ICOOKIE: cd 84 57 e9 63 67 79 6e
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 18
| inserting state object #1 on chain 18
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection ikev2
| Queuing pending Quick Mode with 10.20.0.2 "ikev2"
"ikev2" #1: initiating v2 parent SA
| 1: w->pcw_dead: 0 w->pcw_work: 0 cnt: 3
| asking helper 1 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1)
| crypto helper write of request: cnt=2776<wlen=2776.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 7 seconds
| next event EVENT_PENDING_DDNS in 7 seconds
| helper 1 read 2768+4/2776 bytes fd: 10
| helper 1 doing build_kenonce op id: 1
| NSS: Value of Prime:
| ff ff ff ff ff ff ff ff c9 0f da a2 21 68 c2 34
| c4 c6 62 8b 80 dc 1c d1 29 02 4e 08 8a 67 cc 74
| 02 0b be a6 3b 13 9b 22 51 4a 08 79 8e 34 04 dd
| ef 95 19 b3 cd 3a 43 1b 30 2b 0a 6d f2 5f 14 37
| 4f e1 35 6d 6d 51 c2 45 e4 85 b5 76 62 5e 7e c6
| f4 4c 42 e9 a6 37 ed 6b 0b ff 5c b6 f4 06 b7 ed
| ee 38 6b fb 5a 89 9f a5 ae 9f 24 11 7c 4b 1f e6
| 49 28 66 51 ec e4 5b 3d c2 00 7c b8 a1 63 bf 05
| 98 da 48 36 1c 55 d3 9a 69 16 3f a8 fd 24 cf 5f
| 83 65 5d 23 dc a3 ad 96 1c 62 f3 56 20 85 52 bb
| 9e d5 29 07 70 96 96 6d 67 0c 35 4e 4a bc 98 04
| f1 74 6c 08 ca 18 21 7c 32 90 5e 46 2e 36 ce 3b
| e3 9e 77 2c 18 0e 86 03 9b 27 83 a2 ec 07 a2 8f
| b5 c5 5d f0 6f 4c 52 c9 de 2b cb f6 95 58 17 18
| 39 95 49 7c ea 95 6a e5 15 d2 26 18 98 fa 05 10
| 15 72 8e 5a 8a ac aa 68 ff ff ff ff ff ff ff ff
| NSS: Value of base:
| 02
| NSS: generated dh priv and pub keys: 256
| NSS: Local DH secret:
| 70 45 00 68 b2 7f 00 00
| NSS: Public DH value sent(computed in NSS):
| 8a 20 23 39 6b bd 53 db cd 17 c6 95 a7 db 5f fb
| 0b 9e 32 d3 2d 53 68 32 e7 62 33 7a 21 b8 41 b1
| 5a 06 1e 31 d7 79 f0 57 6c 11 42 57 36 64 2c f3
| 76 ac de 3e 1c ad 75 a4 7e 3c 43 7c f0 0e ae 7d
| e6 54 b0 b1 4a 2c 58 7c d6 df 9f 81 85 09 3f ec
| 30 a8 1e 4e 3d 11 3c 92 ab f0 1e 81 c4 a6 6a 55
| c0 dd eb b2 41 86 01 3f fd b5 d4 99 3f 9d bb c2
| df f7 9b 54 0a 31 83 bc 3c fc 9e 0d 54 0d 6a c2
| ca aa fe 9a 99 42 12 a6 54 f3 73 b1 c1 1d 12 6a
| c3 e0 77 9d 84 da 6b cb 45 3d 18 1f d9 38 0e 0f
| 58 89 cc 37 2c cd 95 c8 6d 43 11 6c 17 93 19 c6
| ac 14 b8 8a 68 d7 f9 ba 03 2a f2 69 b2 73 65 ce
| 5c 29 28 4a d2 93 15 3a 0d 90 2f bc 48 13 7a 86
| 0f 26 42 ac 64 9a ec 32 cb d1 b2 2f 6a 90 2c db
| a6 b0 d8 f9 02 02 72 91 1c 12 8c aa aa 04 2b 13
| 79 d6 67 c5 84 98 28 14 fb a1 50 bc d7 3c e8 97
| NSS: Local DH public value (pointer):
| 30 9d 46 7f b2 7f 00 00
| Generated nonce:
| 08 b9 26 6d 51 71 0f 65 0c 77 9c 45 30 98 e2 61
|
| helper 1 has finished work (cnt now 1)
| helper 1 replies to id: q#1
| calling callback function 0x7fb27db8b3b0
| ikev2 parent outI1: calculated ke+nonce, sending I1
| processing connection ikev2
| saving DH priv (local secret) and pub key into state struc
| **emit ISAKMP Message:
| initiator cookie:
| cd 84 57 e9 63 67 79 6e
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| ****emit IKEv2 Proposal Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| prop #: 1
| proto ID: 1
| spi size: 0
| # transforms: 4
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 1
| transform ID: 3
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 3
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 2
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| transform type: 4
| transform ID: 14
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 40
| emitting length of IKEv2 Security Association Payload: 44
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| transform type: 14
| emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| ikev2 g^x 8a 20 23 39 6b bd 53 db cd 17 c6 95 a7 db 5f fb
| ikev2 g^x 0b 9e 32 d3 2d 53 68 32 e7 62 33 7a 21 b8 41 b1
| ikev2 g^x 5a 06 1e 31 d7 79 f0 57 6c 11 42 57 36 64 2c f3
| ikev2 g^x 76 ac de 3e 1c ad 75 a4 7e 3c 43 7c f0 0e ae 7d
| ikev2 g^x e6 54 b0 b1 4a 2c 58 7c d6 df 9f 81 85 09 3f ec
| ikev2 g^x 30 a8 1e 4e 3d 11 3c 92 ab f0 1e 81 c4 a6 6a 55
| ikev2 g^x c0 dd eb b2 41 86 01 3f fd b5 d4 99 3f 9d bb c2
| ikev2 g^x df f7 9b 54 0a 31 83 bc 3c fc 9e 0d 54 0d 6a c2
| ikev2 g^x ca aa fe 9a 99 42 12 a6 54 f3 73 b1 c1 1d 12 6a
| ikev2 g^x c3 e0 77 9d 84 da 6b cb 45 3d 18 1f d9 38 0e 0f
| ikev2 g^x 58 89 cc 37 2c cd 95 c8 6d 43 11 6c 17 93 19 c6
| ikev2 g^x ac 14 b8 8a 68 d7 f9 ba 03 2a f2 69 b2 73 65 ce
| ikev2 g^x 5c 29 28 4a d2 93 15 3a 0d 90 2f bc 48 13 7a 86
| ikev2 g^x 0f 26 42 ac 64 9a ec 32 cb d1 b2 2f 6a 90 2c db
| ikev2 g^x a6 b0 d8 f9 02 02 72 91 1c 12 8c aa aa 04 2b 13
| ikev2 g^x 79 d6 67 c5 84 98 28 14 fb a1 50 bc d7 3c e8 97
| emitting length of IKEv2 Key Exchange Payload: 264
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce 08 b9 26 6d 51 71 0f 65 0c 77 9c 45 30 98 e2 61
| emitting length of IKEv2 Nonce Payload: 20
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 68 79 4c 64 41 43 65 63 66 61
| emitting length of ISAKMP Vendor ID Payload: 16
| emitting length of ISAKMP Message: 372
| sending 372 bytes for ikev2_parent_outI1_common through eth0:500 to 10.20.0.2:500 (using #1)
| cd 84 57 e9 63 67 79 6e 00 00 00 00 00 00 00 00
| 21 20 22 08 00 00 00 00 00 00 01 74 22 00 00 2c
| 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 03
| 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02
| 00 00 00 08 04 00 00 0e 28 00 01 08 00 0e 00 00
| 8a 20 23 39 6b bd 53 db cd 17 c6 95 a7 db 5f fb
| 0b 9e 32 d3 2d 53 68 32 e7 62 33 7a 21 b8 41 b1
| 5a 06 1e 31 d7 79 f0 57 6c 11 42 57 36 64 2c f3
| 76 ac de 3e 1c ad 75 a4 7e 3c 43 7c f0 0e ae 7d
| e6 54 b0 b1 4a 2c 58 7c d6 df 9f 81 85 09 3f ec
| 30 a8 1e 4e 3d 11 3c 92 ab f0 1e 81 c4 a6 6a 55
| c0 dd eb b2 41 86 01 3f fd b5 d4 99 3f 9d bb c2
| df f7 9b 54 0a 31 83 bc 3c fc 9e 0d 54 0d 6a c2
| ca aa fe 9a 99 42 12 a6 54 f3 73 b1 c1 1d 12 6a
| c3 e0 77 9d 84 da 6b cb 45 3d 18 1f d9 38 0e 0f
| 58 89 cc 37 2c cd 95 c8 6d 43 11 6c 17 93 19 c6
| ac 14 b8 8a 68 d7 f9 ba 03 2a f2 69 b2 73 65 ce
| 5c 29 28 4a d2 93 15 3a 0d 90 2f bc 48 13 7a 86
| 0f 26 42 ac 64 9a ec 32 cb d1 b2 2f 6a 90 2c db
| a6 b0 d8 f9 02 02 72 91 1c 12 8c aa aa 04 2b 13
| 79 d6 67 c5 84 98 28 14 fb a1 50 bc d7 3c e8 97
| 2b 00 00 14 08 b9 26 6d 51 71 0f 65 0c 77 9c 45
| 30 98 e2 61 00 00 00 10 4f 45 68 79 4c 64 41 43
| 65 63 66 61
| deleting event for #1
| inserting event EVENT_v2_RETRANSMIT, timeout in 10 seconds for #1
| event added after event EVENT_PENDING_DDNS
| complete v2 state transition with STF_OK
"ikev2" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
| * processed 1 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 7 seconds
Regards,
Prashant
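A pluto debug excerpt like the server log above can also be triaged mechanically. The following is an added example, not part of the post or of Openswan: it scans the server-side lines copied from the post for the connection lookup (find_host_connection2 / find_host_pair) and the notification that follows, and separates "no connection matched the peer's address and port" from a real proposal mismatch. In this log the responder compared the peer 4.4.0.250:7060 against its only candidate host pair 10.20.0.2:500 <-> 0.0.0.0:500, got hp:none, and sent NO_PROPOSAL_CHOSEN from that failure path before any transform in the SA payload had been evaluated, so the notify name on its own points in the wrong direction. The function additionally reports that the peer's source port is not 500 (or 4500), i.e. the NAT rewrote it, which is the situation the post describes.

```python
# Added example (not from the post or from Openswan): triage a pluto debug
# excerpt for a failed IKEv2 IKE_SA_INIT on the responder side.
import re

# Server-side lines copied verbatim from the post (plutodebug=all excerpt).
SERVER_LOG = """\
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=10.20.0.2:500 him=4.4.0.250:7060 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.20.0.2:500 0.0.0.0:500
| find_host_pair_conn (find_host_connection2): 10.20.0.2:500 4.4.0.250:7060 -> hp:none
| searching for connection with policy = IKEv2ALLOW
| find_host_connection2 returns empty
| no connection found
| complete v2 state transition with STF_FAIL
packet from 4.4.0.250:7060: sending notification v2N_NO_PROPOSAL_CHOSEN to 4.4.0.250:7060
"""

LOOKUP = re.compile(r"find_host_connection2 called from (\w+), me=(\S+):(\d+) him=(\S+):(\d+) policy=(\S+)")
CANDIDATE = re.compile(r"find_host_pair: comparing to (\S+):(\d+) (\S+):(\d+)")
NOTIFY = re.compile(r"sending notification (v2N_\w+) to (\S+):(\d+)")
IKE_PORTS = {500, 4500}  # source ports an IKE peer uses when nothing rewrites them


def triage(log_text):
    """Return a dict describing where the responder gave up on an IKE_SA_INIT."""
    result = {"caller": None, "local": None, "peer": None, "policy": None,
              "candidates": [], "no_connection": False, "notify": None,
              "port_rewritten": False, "verdict": "no_failure_seen"}
    for line in log_text.splitlines():
        m = LOOKUP.search(line)
        if m:
            result["caller"] = m.group(1)
            result["local"] = (m.group(2), int(m.group(3)))
            result["peer"] = (m.group(4), int(m.group(5)))
            result["policy"] = m.group(6)
            continue
        m = CANDIDATE.search(line)
        if m:
            result["candidates"].append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            continue
        if "no connection found" in line:
            result["no_connection"] = True
            continue
        m = NOTIFY.search(line)
        if m:
            result["notify"] = m.group(1)
    if result["peer"] is not None and result["peer"][1] not in IKE_PORTS:
        result["port_rewritten"] = True
    if result["no_connection"]:
        # pluto answers NO_PROPOSAL_CHOSEN here without ever looking at the proposal
        result["verdict"] = "no_connection"
    elif result["notify"] == "v2N_NO_PROPOSAL_CHOSEN":
        result["verdict"] = "proposal_mismatch"
    return result


def explain(result):
    """One-paragraph reading of a triage() result for a human."""
    if result["verdict"] == "no_connection":
        text = (f"{result['caller']} found no connection for peer {result['peer'][0]}:{result['peer'][1]} "
                f"(policy {result['policy']}); candidates tried: {result['candidates']}. "
                f"{result['notify']} was sent from this path, not from proposal matching.")
        if result["port_rewritten"]:
            text += (f" Peer source port {result['peer'][1]} is not 500/4500, so a NAT rewrote it; "
                     f"the candidate host pairs are keyed on port 500.")
        return text
    if result["verdict"] == "proposal_mismatch":
        return "A connection matched; compare the SA payload transforms with the ike= line."
    return "No IKE_SA_INIT failure in this excerpt."


if __name__ == "__main__":
    print(explain(triage(SERVER_LOG)))
```

Point it at a pluto.log written with plutodebug=control or higher; the lookup and notification lines it keys on are in both excerpts the post includes.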