[strongSwan] Unable to receive traffic over link

Tony Hoyle tony at hoyle.me.uk
Thu Apr 5 14:15:30 CEST 2018


Hi,

I'm having trouble getting a link working that was previously working on
another machine.  The config is the same as the working one, but later
versions of the linux kernel and strongswan, so I'm missing some extra
required setup somewhere.

What appears to be happening is the outbound traffic is encrypted and
sent, the inbound comes back & never leaves the ppp interface.

So I ping 192.168.78.3 from 192.168.10.138, the request arrives at the
remote machine, is replied to, and appears on the ppp0 interface,
however it appears to have the wrong source IP:

12:23:20.281794 IP 8.0.78.3 > 192.168.10.138: ICMP echo reply, id 11530, seq 173, length 64

I'm not sure if this is expected or not at this point.

The packet then never seems to appear anywhere else.  Logging the
PREROUTING, POSTROUTING and FORWARD chains shows nothing interesting
(ICMP shouldn't be blocked by any of them anyway).

Tony

-------------------

Config (warning.. long!):

ipsec.conf:

config setup

conn rps
	authby=secret
	auto=start
	closeaction=restart
	left=y.y.y.y
	leftid=y.y.y.y
	leftsubnet=192.168.10.0/24
	right=x.x.x.x
	rightid=x.x.x.x
	rightsubnet=192.168.78.0/24

iptables:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [55:5046]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp1s0 -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m multiport --ports 500,4500 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i enp1s0 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
# Completed on Wed Oct 19 20:22:03 2016
# Generated by iptables-save v1.4.21 on Wed Oct 19 20:22:03 2016
*raw
:PREROUTING ACCEPT [1935088808:1834405659781]
:OUTPUT ACCEPT [11827633:1003268002]
COMMIT
# Completed on Wed Oct 19 20:22:03 2016
# Generated by iptables-save v1.4.21 on Wed Oct 19 20:22:03 2016
*nat
:PREROUTING ACCEPT [10720587:1007980120]
:INPUT ACCEPT [404895:39754858]
:POSTROUTING ACCEPT [4314897:532668674]
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -o ppp+ -s 192.168.10.0/24 -j MASQUERADE
COMMIT

ip route table 220:
192.168.78.0/24 via x.x.x.x dev ppp0 proto static src 192.168.10.1


statusall:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-2-amd64,
x86_64):
  uptime: 5 seconds, since Apr 05 12:32:50 2018
  malloc: sbrk 3092480, mmap 0, used 1065808, free 2026672
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1
md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp
curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink
resolve socket-default connmark farp stroke updown eap-identity eap-aka
eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc
xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify
certexpire led addrblock unity counters
Listening IP addresses:
  81.187.6.161
  192.168.10.1
  2001:8b0:178:1::1
  y.y.y.y
Connections:
         rps:  y.y.y.y...x.x.x.x  IKEv1/2
         rps:   local:  [y.y.y.y] uses pre-shared key authentication
         rps:   remote: [x.x.x.x] uses pre-shared key authentication
         rps:   child:  192.168.10.0/24 === 192.168.78.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
         rps[1]: ESTABLISHED 4 seconds ago,
y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
         rps[1]: IKEv2 SPIs: dc7b3a9e04ba2fd0_i* 1edbc27f239cff2c_r,
pre-shared key reauthentication in 2 hours
         rps[1]: IKE proposal:
AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048
         rps{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c66a71a0_i
99232c52_o
         rps{1}:  AES_CBC_128/AES_XCBC_96, 420 bytes_i, 420 bytes_o (5
pkts, 1s ago), rekeying in 47 minutes
         rps{1}:   192.168.10.0/24 === 192.168.78.0/24

log:
Thu, 2018-04-05 12:54 00[DMN] Starting IKE charon daemon (strongSwan
5.6.2, Linux 4.15.0-2-amd64, x86_64)
Thu, 2018-04-05 12:54 00[LIB] plugin 'test-vectors': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'ldap': loaded successfully
Thu, 2018-04-05 12:54 00[CFG] PKCS11 module '<name>' lacks library path
Thu, 2018-04-05 12:54 00[LIB] plugin 'pkcs11': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'tpm': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'aesni': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'aes': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'rc2': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'sha2': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'sha1': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'md5': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'mgf1': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'rdrand': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] no RDRAND support detected, disabled
Thu, 2018-04-05 12:54 00[LIB] plugin 'random': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'nonce': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'x509': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'revocation': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'constraints': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pubkey': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pkcs1': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pkcs7': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pkcs8': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pkcs12': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pgp': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'dnskey': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'sshkey': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'pem': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'openssl': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'gcrypt': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'af-alg': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'fips-prf': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'gmp': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'curve25519': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'agent': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'xcbc': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'cmac': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'hmac': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'ctr': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'ccm': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'gcm': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'curl': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'attr': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'kernel-netlink': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'resolve': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'socket-default': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'connmark': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'farp': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'stroke': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'updown': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-identity': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-aka': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-md5': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-gtc': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-mschapv2': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-radius': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-tls': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-ttls': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'eap-tnc': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'xauth-generic': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'xauth-eap': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'xauth-pam': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'tnc-tnccs': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'dhcp': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'ha': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'lookip': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'error-notify': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'certexpire': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'led': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'addrblock': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'unity': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] plugin 'counters': loaded successfully
Thu, 2018-04-05 12:54 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has
unmet dependency: PUBKEY:BLISS
Thu, 2018-04-05 12:54 00[LIB] feature PUBKEY:DSA in plugin 'pem' has
unmet dependency: PUBKEY:DSA
Thu, 2018-04-05 12:54 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has
unmet dependency: PRIVKEY:DSA
Thu, 2018-04-05 12:54 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has
unmet dependency: PRIVKEY:BLISS
Thu, 2018-04-05 12:54 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin
'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Thu, 2018-04-05 12:54 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_224
Thu, 2018-04-05 12:54 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_256
Thu, 2018-04-05 12:54 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_384
Thu, 2018-04-05 12:54 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_512
Thu, 2018-04-05 12:54 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_224
Thu, 2018-04-05 12:54 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_256
Thu, 2018-04-05 12:54 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_384
Thu, 2018-04-05 12:54 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_512
Thu, 2018-04-05 12:54 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Thu, 2018-04-05 12:54 00[CFG]   loaded ca certificate "C=US, O=Let's
Encrypt, CN=Let's Encrypt Authority X3" from '/etc/ipsec.d/cacerts/ca.cer'
Thu, 2018-04-05 12:54 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Thu, 2018-04-05 12:54 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Thu, 2018-04-05 12:54 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Thu, 2018-04-05 12:54 00[CFG] loading crls from '/etc/ipsec.d/crls'
Thu, 2018-04-05 12:54 00[CFG] loading secrets from '/etc/ipsec.secrets'
Thu, 2018-04-05 12:54 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/zuul.key'
Thu, 2018-04-05 12:54 00[CFG]   loaded IKE secret for y.y.y.y x.x.x.x
Thu, 2018-04-05 12:54 00[CFG]   loaded EAP secret for user
Thu, 2018-04-05 12:54 00[CFG] loaded 0 RADIUS server configurations
Thu, 2018-04-05 12:54 00[CFG] HA config misses local/remote address
Thu, 2018-04-05 12:54 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to
load
Thu, 2018-04-05 12:54 00[LIB] unloading plugin 'aesni' without loaded
features
Thu, 2018-04-05 12:54 00[LIB] unloading plugin 'rdrand' without loaded
features
Thu, 2018-04-05 12:54 00[LIB] unloading plugin 'ha' without loaded features
Thu, 2018-04-05 12:54 00[LIB] loaded plugins: charon test-vectors ldap
pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr
ccm gcm curl attr kernel-netlink resolve socket-default connmark farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2
eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam
tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Thu, 2018-04-05 12:54 00[LIB] unable to load 14 plugin features (13 due
to unmet dependencies)
Thu, 2018-04-05 12:54 00[LIB] dropped capabilities, running as uid 0, gid 0
Thu, 2018-04-05 12:54 00[JOB] spawning 16 worker threads
Thu, 2018-04-05 12:54 01[LIB] created thread 01 [2406]
Thu, 2018-04-05 12:54 02[LIB] created thread 02 [2410]
Thu, 2018-04-05 12:54 03[LIB] created thread 03 [2408]
Thu, 2018-04-05 12:54 04[LIB] created thread 04 [2411]
Thu, 2018-04-05 12:54 05[LIB] created thread 05 [2413]
Thu, 2018-04-05 12:54 07[LIB] created thread 07 [2414]
Thu, 2018-04-05 12:54 08[LIB] created thread 08 [2415]
Thu, 2018-04-05 12:54 06[LIB] created thread 06 [2412]
Thu, 2018-04-05 12:54 09[LIB] created thread 09 [2409]
Thu, 2018-04-05 12:54 10[LIB] created thread 10 [2420]
Thu, 2018-04-05 12:54 11[LIB] created thread 11 [2407]
Thu, 2018-04-05 12:54 12[LIB] created thread 12 [2416]
Thu, 2018-04-05 12:54 12[CFG] received stroke: add connection 'rps'
Thu, 2018-04-05 12:54 12[CFG] conn rps
Thu, 2018-04-05 12:54 12[CFG]   left=y.y.y.y
Thu, 2018-04-05 12:54 12[CFG]   leftsubnet=192.168.10.0/24
Thu, 2018-04-05 12:54 12[CFG]   leftauth=psk
Thu, 2018-04-05 12:54 12[CFG]   leftid=y.y.y.y
Thu, 2018-04-05 12:54 12[CFG]   right=x.x.x.x
Thu, 2018-04-05 12:54 12[CFG]   rightsubnet=192.168.78.0/24
Thu, 2018-04-05 12:54 12[CFG]   rightauth=psk
Thu, 2018-04-05 12:54 12[CFG]   rightid=x.x.x.x
Thu, 2018-04-05 12:54 12[CFG]   dpddelay=30
Thu, 2018-04-05 12:54 12[CFG]   dpdtimeout=150
Thu, 2018-04-05 12:54 12[CFG]   closeaction=3
Thu, 2018-04-05 12:54 12[CFG]   sha256_96=no
Thu, 2018-04-05 12:54 12[CFG]   mediation=no
Thu, 2018-04-05 12:54 13[LIB] created thread 13 [2421]
Thu, 2018-04-05 12:54 14[LIB] created thread 14 [2419]
Thu, 2018-04-05 12:54 15[LIB] created thread 15 [2418]
Thu, 2018-04-05 12:54 16[LIB] created thread 16 [2417]
Thu, 2018-04-05 12:54 12[CFG] added configuration 'rps'
Thu, 2018-04-05 12:54 01[CFG] received stroke: initiate 'rps'
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_VENDOR task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_INIT task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_NATD task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_CERT_PRE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_AUTH task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_CERT_POST task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_CONFIG task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_AUTH_LIFETIME task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_MOBIKE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing IKE_ME task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> queueing CHILD_CREATE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> activating new tasks
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_VENDOR task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_INIT task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_NATD task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_CERT_PRE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_ME task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_AUTH task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_CERT_POST task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_CONFIG task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating CHILD_CREATE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_AUTH_LIFETIME task
Thu, 2018-04-05 12:54 01[IKE] <rps|1>   activating IKE_MOBIKE task
Thu, 2018-04-05 12:54 01[IKE] <rps|1> initiating IKE_SA rps[1] to x.x.x.x
Thu, 2018-04-05 12:54 01[IKE] <rps|1> IKE_SA rps[1] state change:
CREATED => CONNECTING
Thu, 2018-04-05 12:54 01[CFG] <rps|1> configured proposals:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Thu, 2018-04-05 12:54 01[CFG] <rps|1> sending supported signature hash
algorithms: sha256 sha384 sha512 identity
Thu, 2018-04-05 12:54 01[ENC] <rps|1> generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2018-04-05 12:54 01[NET] <rps|1> sending packet: from y.y.y.y[500]
to x.x.x.x[500] (1056 bytes)
Thu, 2018-04-05 12:54 03[NET] <rps|1> received packet: from x.x.x.x[500]
to y.y.y.y[500] (38 bytes)
Thu, 2018-04-05 12:54 03[ENC] <rps|1> parsed IKE_SA_INIT response 0 [
N(INVAL_KE) ]
Thu, 2018-04-05 12:54 03[IKE] <rps|1> peer didn't accept DH group
ECP_256, it requested MODP_2048
Thu, 2018-04-05 12:54 03[IKE] <rps|1> IKE_SA rps[1] state change:
CONNECTING => CREATED
Thu, 2018-04-05 12:54 03[IKE] <rps|1> queueing IKE_VENDOR task
Thu, 2018-04-05 12:54 03[IKE] <rps|1> queueing IKE_ME task
Thu, 2018-04-05 12:54 03[IKE] <rps|1> activating new tasks
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_VENDOR task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_INIT task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_NATD task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_CERT_PRE task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_ME task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_AUTH task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_CERT_POST task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_CONFIG task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating CHILD_CREATE task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_AUTH_LIFETIME task
Thu, 2018-04-05 12:54 03[IKE] <rps|1>   activating IKE_MOBIKE task
Thu, 2018-04-05 12:54 03[IKE] <rps|1> initiating IKE_SA rps[1] to x.x.x.x
Thu, 2018-04-05 12:54 03[IKE] <rps|1> IKE_SA rps[1] state change:
CREATED => CONNECTING
Thu, 2018-04-05 12:54 03[LIB] <rps|1> size of DH secret exponent: 2047 bits
Thu, 2018-04-05 12:54 03[CFG] <rps|1> configured proposals:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Thu, 2018-04-05 12:54 03[CFG] <rps|1> sending supported signature hash
algorithms: sha256 sha384 sha512 identity
Thu, 2018-04-05 12:54 03[ENC] <rps|1> generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu, 2018-04-05 12:54 03[NET] <rps|1> sending packet: from y.y.y.y[500]
to x.x.x.x[500] (1248 bytes)
Thu, 2018-04-05 12:54 04[NET] <rps|1> received packet: from x.x.x.x[500]
to y.y.y.y[500] (445 bytes)
Thu, 2018-04-05 12:54 04[ENC] <rps|1> parsed IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Thu, 2018-04-05 12:54 04[CFG] <rps|1> selecting proposal:
Thu, 2018-04-05 12:54 04[CFG] <rps|1>   proposal matches
Thu, 2018-04-05 12:54 04[CFG] <rps|1> received proposals:
IKE:AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048
Thu, 2018-04-05 12:54 04[CFG] <rps|1> configured proposals:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Thu, 2018-04-05 12:54 04[CFG] <rps|1> selected proposal:
IKE:AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048
Thu, 2018-04-05 12:54 04[IKE] <rps|1> received cert request for unknown
ca with keyid f7:da:f8:fd:ce:ba:45:44:52:fe:46:fc:b2:26:af:9a:6b:46:14:bc
Thu, 2018-04-05 12:54 04[IKE] <rps|1> received 1 cert requests for an
unknown ca
Thu, 2018-04-05 12:54 04[IKE] <rps|1> reinitiating already active tasks
Thu, 2018-04-05 12:54 04[IKE] <rps|1>   IKE_CERT_PRE task
Thu, 2018-04-05 12:54 04[IKE] <rps|1>   IKE_AUTH task
Thu, 2018-04-05 12:54 04[IKE] <rps|1> sending cert request for "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Thu, 2018-04-05 12:54 04[IKE] <rps|1> authentication of 'y.y.y.y'
(myself) with pre-shared key
Thu, 2018-04-05 12:54 04[IKE] <rps|1> successfully created shared key MAC
Thu, 2018-04-05 12:54 04[CFG] <rps|1> proposing traffic selectors for us:
Thu, 2018-04-05 12:54 04[CFG] <rps|1>  192.168.10.0/24
Thu, 2018-04-05 12:54 04[CFG] <rps|1> proposing traffic selectors for other:
Thu, 2018-04-05 12:54 04[CFG] <rps|1>  192.168.78.0/24
Thu, 2018-04-05 12:54 04[CFG] <rps|1> configured proposals:
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Thu, 2018-04-05 12:54 04[IKE] <rps|1> establishing CHILD_SA rps{1}
Thu, 2018-04-05 12:54 04[ENC] <rps|1> generating IKE_AUTH request 1 [
IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Thu, 2018-04-05 12:54 04[NET] <rps|1> sending packet: from y.y.y.y[4500]
to x.x.x.x[4500] (364 bytes)
Thu, 2018-04-05 12:54 05[NET] <rps|1> received packet: from x.x.x.x[500]
to y.y.y.y[500] (220 bytes)
Thu, 2018-04-05 12:54 05[ENC] <rps|1> parsed IKE_AUTH response 1 [ IDr
N(INIT_CONTACT) AUTH N(NON_FIRST_FRAG) SA TSi TSr ]
Thu, 2018-04-05 12:54 05[IKE] <rps|1> received INITIAL_CONTACT notify
Thu, 2018-04-05 12:54 05[IKE] <rps|1> received NON_FIRST_FRAGMENTS_ALSO
notify
Thu, 2018-04-05 12:54 05[IKE] <rps|1> authentication of 'x.x.x.x' with
pre-shared key successful
Thu, 2018-04-05 12:54 05[IKE] <rps|1> IKE_SA rps[1] established between
y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
Thu, 2018-04-05 12:54 05[IKE] <rps|1> IKE_SA rps[1] state change:
CONNECTING => ESTABLISHED
Thu, 2018-04-05 12:54 05[IKE] <rps|1> scheduling reauthentication in 9794s
Thu, 2018-04-05 12:54 05[IKE] <rps|1> maximum IKE_SA lifetime 10334s
Thu, 2018-04-05 12:54 05[CFG] <rps|1> selecting proposal:
Thu, 2018-04-05 12:54 05[CFG] <rps|1>   proposal matches
Thu, 2018-04-05 12:54 05[CFG] <rps|1> received proposals:
ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Thu, 2018-04-05 12:54 05[CFG] <rps|1> configured proposals:
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Thu, 2018-04-05 12:54 05[CFG] <rps|1> selected proposal:
ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Thu, 2018-04-05 12:54 05[CFG] <rps|1> selecting traffic selectors for us:
Thu, 2018-04-05 12:54 05[CFG] <rps|1>  config: 192.168.10.0/24,
received: 192.168.10.0/24 => match: 192.168.10.0/24
Thu, 2018-04-05 12:54 05[CFG] <rps|1> selecting traffic selectors for other:
Thu, 2018-04-05 12:54 05[CFG] <rps|1>  config: 192.168.78.0/24,
received: 192.168.78.0/24 => match: 192.168.78.0/24
Thu, 2018-04-05 12:54 05[CHD] <rps|1> CHILD_SA rps{1} state change:
CREATED => INSTALLING
Thu, 2018-04-05 12:54 05[CHD] <rps|1>   using AES_CBC for encryption
Thu, 2018-04-05 12:54 05[CHD] <rps|1>   using AES_XCBC_96 for integrity
Thu, 2018-04-05 12:54 05[CHD] <rps|1> adding inbound ESP SA
Thu, 2018-04-05 12:54 05[CHD] <rps|1>   SPI 0xcf03c6cf, src x.x.x.x dst
y.y.y.y
Thu, 2018-04-05 12:54 05[CHD] <rps|1> adding outbound ESP SA
Thu, 2018-04-05 12:54 05[CHD] <rps|1>   SPI 0xe6f2c493, src y.y.y.y dst
x.x.x.x
Thu, 2018-04-05 12:54 05[IKE] <rps|1> CHILD_SA rps{1} established with
SPIs cf03c6cf_i e6f2c493_o and TS 192.168.10.0/24 === 192.168.78.0/24
Thu, 2018-04-05 12:54 05[CHD] <rps|1> CHILD_SA rps{1} state change:
INSTALLING => INSTALLED
Thu, 2018-04-05 12:54 05[IKE] <rps|1> activating new tasks
Thu, 2018-04-05 12:54 05[IKE] <rps|1> nothing to initiate
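The symptom above, a decrypted reply surfacing on ppp0 with a source address (8.0.78.3) that lies outside the negotiated remote traffic selector (192.168.78.0/24), is something a small script can flag mechanically before anyone starts chasing iptables chains. The following is an added example, not code from the post or from the strongSwan project: it parses the `name{n}:   local === remote` line of `ipsec statusall` and `tcpdump -n` style lines, then reports every inbound packet whose source falls outside the remote selector. The statusall and tcpdump samples embedded below are constructed to resemble the post's output (the ESP line uses placeholder TEST-NET addresses), and the regexes assume exactly those two output formats.

```python
"""Check decrypted tunnel traffic against the CHILD_SA traffic selectors.

A packet leaving the tunnel whose source is outside the remote traffic
selector will never match the inbound IPsec policy, so it is worth
flagging before chasing iptables or routing.
"""
import ipaddress
import re

# Constructed samples modelled on the post's output (not captured from the
# original system). The ESP line uses placeholder TEST-NET addresses.
STATUSALL_SAMPLE = """\
Security Associations (1 up, 0 connecting):
         rps[1]: ESTABLISHED 4 seconds ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
         rps{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c66a71a0_i 99232c52_o
         rps{1}:   192.168.10.0/24 === 192.168.78.0/24
"""

TCPDUMP_SAMPLE = """\
12:23:20.281794 IP 8.0.78.3 > 192.168.10.138: ICMP echo reply, id 11530, seq 173, length 64
12:23:21.283112 IP 192.168.78.3 > 192.168.10.138: ICMP echo reply, id 11530, seq 174, length 64
12:23:21.283500 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xcf03c6cf,seq=0x2), length 120
"""

# "<conn>{<id>}:   <local_net> === <remote_net>" as printed by `ipsec statusall`
TS_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$"
)
# "<ts> IP <src>[.port] > <dst>[.port]: ..." as printed by `tcpdump -n`
PKT_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?:"
)


def parse_traffic_selectors(statusall_text):
    """Return {conn_name: [(local_net, remote_net), ...]} from statusall output."""
    selectors = {}
    for line in statusall_text.splitlines():
        m = TS_RE.match(line)
        if m:
            pair = (ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"]))
            selectors.setdefault(m["conn"], []).append(pair)
    return selectors


def parse_tcpdump(text):
    """Return [(src_ip, dst_ip), ...] for the IPv4 lines of tcpdump -n output."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            packets.append((ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])))
    return packets


def classify_inbound(packets, selectors):
    """Label each inbound packet against every local === remote selector pair.

    ok                     src in remote net and dst in local net
    src_outside_remote_ts  dst is ours, but src is not covered by any remote net
    no_selector_match      neither side of any selector pair covers the packet
    """
    pairs = [p for conn_pairs in selectors.values() for p in conn_pairs]
    results = []
    for src, dst in packets:
        if any(src in remote and dst in local for local, remote in pairs):
            verdict = "ok"
        elif any(dst in local for local, _ in pairs):
            verdict = "src_outside_remote_ts"
        else:
            verdict = "no_selector_match"
        results.append((str(src), str(dst), verdict))
    return results


if __name__ == "__main__":
    sel = parse_traffic_selectors(STATUSALL_SAMPLE)
    for src, dst, verdict in classify_inbound(parse_tcpdump(TCPDUMP_SAMPLE), sel):
        print(f"{src:>16} > {dst:<16} {verdict}")
```

Run against a real capture with `tcpdump -ni ppp0` piped in; a run of `src_outside_remote_ts` verdicts for replies to your own pings, as in the post, tells you the packet was never going to hit the inbound policy or the FORWARD chain, which narrows the search to whatever rewrote the inner source address before the packet reached ppp0.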

