Hi all,<br><br>I'm trying to test EAP-AKA authentication with a RADIUS server, with strongswan 4.3.6 and hostapd 0.6.10.<br><br>I set up the following test environment:<br>                                                        Radius / HLR/AuC<br>
                                                                |<br>                                                                |<br>                                                                |<br>
            H1 -------------- NUT1 =========================== NUT2 -------------- H2<br>                               EAP Client                      EAP Server<br>
<br>It seems that the milenage implementations in hostapd and in charon are different, so I have to migrate part of charon's milenage implementation to hostapd. Now, when pinging H2 from H1, the EAP peer is successfully authenticated by hostapd, and SAs are negotiated. The question is that there's no OP or OPc value in charon; I can only find a pre-defined 64-byte long data block filled with 0x5c, on which a sha1 hash is performed, and then the hash result is used to calculate the quintuplets. In this way, there will not be a provider-specific OP value? It seems that in hostapd a pre-calculated OPc is stored for each IMSI in some database.<br>
<br>Another question is about EAP-AKA re-authentication: I see the eap-simaka-reauth plugin, and it seems this plugin could do the work of eap-aka re-authentication. But each time the permanent identity is sent to the radius server, even after a first full authentication when the reauth identity is stored on the peer (according to the log messages on the peer). Am I missing some configuration?<br>
<br>Thanks for any reply:)<br><br><br>Here are some configurations and screen shots:<br><br>Configurations on EAP peer<br>==========================<br><br>admin@saturn:~/IKEv2client_EAPAKA> cat ipsec.conf<br><br>config setup<br>
        charonstart=yes<br>        plutostart=no<br>        charondebug="ike 2, cfg 2"<br><br>conn %default<br>        auto=route<br>        keyexchange=ikev2<br>        keyingtries=1<br><br>conn myvpn~myrule<br>
        mobike=no<br>        left=10.23.3.103<br>        right=10.23.3.203<br>        leftsubnet=10.22.3.0/24<br>        rightsubnet=10.24.3.0/24<br>        leftprotoport=%any<br>
        rightprotoport=%any<br>        #leftid=0111222333444555<br>        leftid=carol@strongswan.org<br>        rightid=10.23.3.203<br>        type=tunnel<br>        ike=3des-sha1-modp1024!<br>
        esp=3des-sha1-modp768!<br>        ikelifetime=3600s<br>        rekeymargin=360s<br>        keylife=3600s<br>        leftauth=eap-aka<br>        eap_identity=0111222333444555<br>        rightauth=secret<br>        auto=route<br>
        rekey=yes<br>        reauth=no<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> cat ipsec.secrets<br>10.23.3.203 : PSK 0x12345678<br>carol@strongswan.org : EAP "Ar3etTnpAr3etTnp"<br>
0111222333444555     : EAP "0123456789012345"<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> cat strongswan.conf<br>charon {<br><br>  load = openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity<br>
 <br>  }<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br><br><br><br><br>Configurations on server<br>========================<br>admin@uranus:~/IKEv2server_EAPAKA> cat ipsec.conf<br>
<br>config setup<br>        charonstart=yes<br>        plutostart=no<br>        charondebug="ike 2, cfg 2"<br><br>conn %default<br>        auto=route<br>        keyexchange=ikev2<br>        keyingtries=1<br><br>
conn myvpn~myrule<br>        mobike=no<br>        left=10.23.3.203<br>        right=10.23.3.103<br>        leftsubnet=10.24.3.0/24<br>        rightsubnet=10.22.3.0/24<br>
        leftprotoport=%any<br>        rightprotoport=%any<br>        leftid=10.23.3.203<br>        #rightid=0111222333444555<br>        rightid=carol@strongswan.org<br>        type=tunnel<br>
        ike=3des-sha1-modp1024!<br>        esp=3des-sha1-modp768!<br>        ikelifetime=3600s<br>        rekeymargin=360s<br>        keylife=3600s<br>        leftauth=secret<br>        rightauth=eap-radius<br>        eap_identity=%identity<br>
        auto=route<br>        rekey=yes<br>        reauth=no<br>admin@uranus:~/IKEv2server_EAPAKA><br>admin@uranus:~/IKEv2server_EAPAKA> cat /var/tmp/shells/ipsec.secrets<br>: PSK 0x12345678<br>carol@strongswan.org : EAP "Ar3etTnpAr3etTnp"<br>
0111222333444555     : EAP "0123456789012345"<br>admin@uranus:~/IKEv2server_EAPAKA><br>admin@uranus:~/IKEv2server_EAPAKA> cat /var/tmp/shells/strongswan.conf<br>charon {<br><br>  load = openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity<br>
 <br>  plugins {<br>    eap-radius {<br>      server = 10.80.2.243<br>      secret = testSecret<br>    }<br>  }<br>}<br><br>admin@uranus:~/IKEv2server_EAPAKA><br><br><br><br><br>Screen shots on peer<br>====================<br>
<br>admin@saturn:~/IKEv2client_EAPAKA> ipsec start --nofork --debug-all &<br>Starting strongSwan 4.3.6 IPsec [starter]...<br>| Loading config setup<br>|   charonstart=yes<br>|   plutostart=no<br><br>[snip]<br><br>[First negotiation]<br>
admin@saturn:~/IKEv2client_EAPAKA> 03[KNL] creating acquire job for policy <a href="http://10.22.3.112/32[icmp/8]">10.22.3.112/32[icmp/8]</a> === <a href="http://10.24.3.114/32[icmp]">10.24.3.114/32[icmp]</a> with reqid {1}<br>
11[IKE] queueing IKE_INIT task<br>11[IKE] queueing IKE_VENDOR task<br>11[IKE] queueing IKE_NATD task<br>11[IKE] queueing IKE_CERT_PRE task<br>11[IKE] queueing IKE_AUTHENTICATE task<br>11[IKE] queueing IKE_CERT_POST task<br>
11[IKE] queueing IKE_CONFIG task<br>11[IKE] queueing IKE_AUTH_LIFETIME task<br>11[IKE] queueing IKE_ME task<br>11[IKE] queueing CHILD_CREATE task<br>11[IKE] activating new tasks<br>11[IKE]   activating IKE_INIT task<br>11[IKE]   activating IKE_VENDOR task<br>
11[IKE]   activating IKE_NATD task<br>11[IKE]   activating IKE_CERT_PRE task<br>11[IKE]   activating IKE_ME task<br>11[IKE]   activating IKE_AUTHENTICATE task<br>11[IKE]   activating IKE_CERT_POST task<br>11[IKE]   activating IKE_CONFIG task<br>
11[IKE]   activating CHILD_CREATE task<br>11[IKE]   activating IKE_AUTH_LIFETIME task<br>11[IKE] initiating IKE_SA myvpn~myrule[1] to 10.23.3.203<br>11[IKE] IKE_SA myvpn~myrule[1] state change: CREATED => CONNECTING<br>
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>11[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>12[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>12[CFG] selecting proposal:<br>12[CFG]   proposal matches<br>12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
12[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>12[IKE] reinitiating already active tasks<br>12[IKE]   IKE_CERT_PRE task<br>
12[IKE]   IKE_AUTHENTICATE task<br>12[IKE] establishing CHILD_SA myvpn~myrule{1}<br>12[CFG] proposing traffic selectors for us:<br>12[CFG]  <a href="http://10.22.3.0/24">10.22.3.0/24</a> (derived from <a href="http://10.22.3.0/24">10.22.3.0/24</a>)<br>
12[CFG] proposing traffic selectors for other:<br>12[CFG]  <a href="http://10.24.3.0/24">10.24.3.0/24</a> (derived from <a href="http://10.24.3.0/24">10.24.3.0/24</a>)<br>12[ENC] generating IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
12[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>13[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]<br>13[IKE] authentication of '10.23.3.203' with pre-shared key successful<br>
13[IKE] server requested EAP_IDENTITY, sending '0111222333444555'<br>13[IKE] reinitiating already active tasks<br>13[IKE]   IKE_AUTHENTICATE task<br>13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]<br>13[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
14[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>14[IKE] server requested EAP_AKA authentication<br>14[IKE] reinitiating already active tasks<br>14[IKE]   IKE_AUTHENTICATE task<br>
14[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]<br>14[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>15[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]<br>
15[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE<br>15[IKE] ignoring skippable EAP-SIM/AKA attribute (136)<br>15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE<br>15[IKE] reinitiating already active tasks<br>
15[IKE]   IKE_AUTHENTICATE task<br>15[ENC] generating IKE_AUTH request 4 [ EAP/RES/AKA ]<br>15[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>16[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
16[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/AKA ]<br>16[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE<br>16[IKE] ignoring skippable EAP-SIM/AKA attribute (136)<br>16[IKE] storing pseudonym '2011943b24e2da01afe05' for '0111222333444555'<br>
16[IKE] storing next reauthentication identity '4c53d1e5753a665dc7268' for '0111222333444555'<br>16[IKE] reinitiating already active tasks<br>16[IKE]   IKE_AUTHENTICATE task<br>16[ENC] generating IKE_AUTH request 5 [ EAP/RES/AKA ]<br>
16[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>07[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>07[ENC] parsed IKE_AUTH response 5 [ EAP/SUCC ]<br>07[IKE] EAP method EAP_AKA succeeded, MSK established<br>
07[IKE] reinitiating already active tasks<br>07[IKE]   IKE_AUTHENTICATE task<br>07[IKE] authentication of '<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>' (myself) with EAP<br>07[ENC] generating IKE_AUTH request 6 [ AUTH ]<br>
07[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>08[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>08[ENC] parsed IKE_AUTH response 6 [ AUTH SA TSi TSr ]<br>08[IKE] authentication of '10.23.3.203' with EAP successful<br>
08[IKE] IKE_SA myvpn~myrule[1] established between 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>08[IKE] IKE_SA myvpn~myrule[1] state change: CONNECTING => ESTABLISHED<br>
08[IKE] scheduling rekeying in 3049s<br>08[IKE] maximum IKE_SA lifetime 3409s<br>08[CFG] selecting proposal:<br>08[CFG]   proposal matches<br>08[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>08[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ<br>
08[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>08[CFG] selecting traffic selectors for us:<br>08[CFG]  config: <a href="http://10.22.3.0/24">10.22.3.0/24</a>, received: <a href="http://10.22.3.0/24">10.22.3.0/24</a> => match: <a href="http://10.22.3.0/24">10.22.3.0/24</a><br>
08[CFG] selecting traffic selectors for other:<br>08[CFG]  config: <a href="http://10.24.3.0/24">10.24.3.0/24</a>, received: <a href="http://10.24.3.0/24">10.24.3.0/24</a> => match: <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>
08[IKE] CHILD_SA myvpn~myrule{1} established with SPIs cab46712_i cc0ead23_o and TS <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>08[IKE] activating new tasks<br>08[IKE] nothing to initiate<br>
<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> stroke statusall<br>02[CFG] proposing traffic selectors for us:<br>02[CFG]  <a href="http://10.22.3.0/24">10.22.3.0/24</a> (derived from <a href="http://10.22.3.0/24">10.22.3.0/24</a>)<br>
02[CFG] proposing traffic selectors for other:<br>02[CFG]  <a href="http://10.24.3.0/24">10.24.3.0/24</a> (derived from <a href="http://10.24.3.0/24">10.24.3.0/24</a>)<br>Status of IKEv2 charon daemon (strongSwan 4.3.6):<br>
  uptime: 27 seconds, since Aug 18 12:27:20 2010<br>  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 2<br>  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity<br>
Listening IP addresses:<br>  10.22.3.103<br>  10.80.3.35<br>  10.23.3.103<br>Connections:<br>myvpn~myrule:  10.23.3.103...10.23.3.203, vpn: myvpn<br>myvpn~myrule:   local:  [<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>] uses EAP_AKA authentication with EAP identity '0111222333444555'<br>
myvpn~myrule:   remote: [10.23.3.203] uses pre-shared key authentication<br>myvpn~myrule:   child:  <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>Routed Connections:<br>
myvpn~myrule{1}:  ROUTED, TUNNEL, vpn: myvpn<br>myvpn~myrule{1}:   <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>Security Associations:<br>myvpn~myrule[1]: ESTABLISHED 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>
myvpn~myrule[1]: vpn: myvpn<br>myvpn~myrule[1]: IKE SPIs: 267a926f447d7db7_i* 634aecbed3ac3a34_r Creation time: 12 seconds ago, rekeying in 50 minutes<br>myvpn~myrule[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
myvpn~myrule{1}:  INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cab46712_i cc0ead23_o<br>myvpn~myrule{1}:  3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying in 48 minutes<br>myvpn~myrule{1}:   <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>
admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> setkey -D<br>source=10.23.3.203 destination=10.23.3.103<br>        protocol=esp mode=tunnel spi=3400820498(0xcab46712) reqid=1(0x00000001)<br>
        encr-algo=3des-cbc<br>        encr-key=d56d2f878928e489b3c1b901a608a9fdbe830333f5bd20a8<br>        auth-algo=hmac-sha1<br>        auth-key=91d104fe097417d112e5304cb4c92dc5e2f76c9a<br>        replay-window=32 flags=0x10000000 state=mature seq=1 pid=1349<br>
        created=2010-08-18/12:27:35 current=2010-08-18/12:27:49 elapsed=14(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:27:35<br>        soft-lifetime=2959(s) renewal=2010-08-18/13:16:54<br>        last-use=never<br>
        bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>source=10.23.3.103 destination=10.23.3.203<br>        protocol=esp mode=tunnel spi=3423513891(0xcc0ead23) reqid=1(0x00000001)<br>
        encr-algo=3des-cbc<br>        encr-key=15f393ad893265611c6cad90a40402e0a1653e95038dbf33<br>        auth-algo=hmac-sha1<br>        auth-key=532b348d3f44e67fbb3634e53c25be18e62d1017<br>        replay-window=32 flags=0x10000000 state=mature seq=0 pid=1349<br>
        created=2010-08-18/12:27:35 current=2010-08-18/12:27:49 elapsed=14(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:27:35<br>        soft-lifetime=2927(s) renewal=2010-08-18/13:16:22<br>        last-use=never<br>
        bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>admin@saturn:~/IKEv2client_EAPAKA><br><br><br><br>[Second negotiation]<br>admin@saturn:~/IKEv2client_EAPAKA> stroke down myvpn~myrule<br>
02[CFG] received stroke: terminate 'myvpn~myrule'<br>09[IKE] queueing IKE_DELETE task<br>09[IKE] activating new tasks<br>09[IKE]   activating IKE_DELETE task<br>09[IKE] deleting IKE_SA myvpn~myrule[1] between 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>
09[IKE] IKE_SA myvpn~myrule[1] state change: ESTABLISHED => DELETING<br>09[IKE] sending DELETE for IKE_SA myvpn~myrule[1]<br>09[ENC] generating INFORMATIONAL request 7 [ D ]<br>09[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
deleting IKE_SA myvpn~myrule[1] between 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>sending DELETE for IKE_SA myvpn~myrule[1]<br>generating INFORMATIONAL request 7 [ D ]<br>
sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>11[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>11[ENC] parsed INFORMATIONAL response 7 [ ]<br>11[IKE] IKE_SA deleted<br>11[IKE] IKE_SA myvpn~myrule[1] state change: DELETING => DESTROYING<br>
received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>parsed INFORMATIONAL response 7 [ ]<br>IKE_SA deleted<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>
admin@saturn:~/IKEv2client_EAPAKA> 03[KNL] creating acquire job for policy <a href="http://10.22.3.112/32[icmp/8]">10.22.3.112/32[icmp/8]</a> === <a href="http://10.24.3.114/32[icmp]">10.24.3.114/32[icmp]</a> with reqid {1}<br>
13[IKE] queueing IKE_INIT task<br>13[IKE] queueing IKE_VENDOR task<br>13[IKE] queueing IKE_NATD task<br>13[IKE] queueing IKE_CERT_PRE task<br>13[IKE] queueing IKE_AUTHENTICATE task<br>13[IKE] queueing IKE_CERT_POST task<br>
13[IKE] queueing IKE_CONFIG task<br>13[IKE] queueing IKE_AUTH_LIFETIME task<br>13[IKE] queueing IKE_ME task<br>13[IKE] queueing CHILD_CREATE task<br>13[IKE] activating new tasks<br>13[IKE]   activating IKE_INIT task<br>13[IKE]   activating IKE_VENDOR task<br>
13[IKE]   activating IKE_NATD task<br>13[IKE]   activating IKE_CERT_PRE task<br>13[IKE]   activating IKE_ME task<br>13[IKE]   activating IKE_AUTHENTICATE task<br>13[IKE]   activating IKE_CERT_POST task<br>13[IKE]   activating IKE_CONFIG task<br>
13[IKE]   activating CHILD_CREATE task<br>13[IKE]   activating IKE_AUTH_LIFETIME task<br>13[IKE] initiating IKE_SA myvpn~myrule[2] to 10.23.3.203<br>13[IKE] IKE_SA myvpn~myrule[2] state change: CREATED => CONNECTING<br>
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>13[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>14[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>14[CFG] selecting proposal:<br>14[CFG]   proposal matches<br>14[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
14[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>14[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>14[IKE] reinitiating already active tasks<br>14[IKE]   IKE_CERT_PRE task<br>
14[IKE]   IKE_AUTHENTICATE task<br>14[IKE] establishing CHILD_SA myvpn~myrule{1}<br>14[CFG] proposing traffic selectors for us:<br>14[CFG]  <a href="http://10.22.3.0/24">10.22.3.0/24</a> (derived from <a href="http://10.22.3.0/24">10.22.3.0/24</a>)<br>
14[CFG] proposing traffic selectors for other:<br>14[CFG]  <a href="http://10.24.3.0/24">10.24.3.0/24</a> (derived from <a href="http://10.24.3.0/24">10.24.3.0/24</a>)<br>14[ENC] generating IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
14[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>15[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>15[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]<br>15[IKE] authentication of '10.23.3.203' with pre-shared key successful<br>
15[IKE] server requested EAP_IDENTITY, sending '0111222333444555'<br>15[IKE] reinitiating already active tasks<br>15[IKE]   IKE_AUTHENTICATE task<br>15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]<br>15[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
16[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>16[IKE] server requested EAP_AKA authentication<br>16[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE<br>
16[IKE] ignoring skippable EAP-SIM/AKA attribute (136)<br>16[IKE] storing pseudonym '22a79d18f795786d42bde' for '0111222333444555'<br>16[IKE] storing next reauthentication identity '473f81a82c5e83fe37f1f' for '0111222333444555'<br>
16[IKE] reinitiating already active tasks<br>16[IKE]   IKE_AUTHENTICATE task<br>16[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]<br>16[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>07[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
07[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]<br>07[IKE] EAP method EAP_AKA succeeded, MSK established<br>07[IKE] reinitiating already active tasks<br>07[IKE]   IKE_AUTHENTICATE task<br>07[IKE] authentication of '<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>' (myself) with EAP<br>
07[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>10[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>10[ENC] parsed IKE_AUTH response 4 [ AUTH SA TSi TSr ]<br>10[IKE] authentication of '10.23.3.203' with EAP successful<br>
10[IKE] IKE_SA myvpn~myrule[2] established between 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>10[IKE] IKE_SA myvpn~myrule[2] state change: CONNECTING => ESTABLISHED<br>
10[IKE] scheduling rekeying in 3016s<br>10[IKE] maximum IKE_SA lifetime 3376s<br>10[CFG] selecting proposal:<br>10[CFG]   proposal matches<br>10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>10[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ<br>
10[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>10[CFG] selecting traffic selectors for us:<br>10[CFG]  config: <a href="http://10.22.3.0/24">10.22.3.0/24</a>, received: <a href="http://10.22.3.0/24">10.22.3.0/24</a> => match: <a href="http://10.22.3.0/24">10.22.3.0/24</a><br>
10[CFG] selecting traffic selectors for other:<br>10[CFG]  config: <a href="http://10.24.3.0/24">10.24.3.0/24</a>, received: <a href="http://10.24.3.0/24">10.24.3.0/24</a> => match: <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>
10[IKE] CHILD_SA myvpn~myrule{1} established with SPIs c4693eef_i cae4ef40_o and TS <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>10[IKE] activating new tasks<br>10[IKE] nothing to initiate<br>
admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> stroke statusall<br>08[CFG] proposing traffic selectors for us:<br>08[CFG]  <a href="http://10.22.3.0/24">10.22.3.0/24</a> (derived from <a href="http://10.22.3.0/24">10.22.3.0/24</a>)<br>
08[CFG] proposing traffic selectors for other:<br>08[CFG]  <a href="http://10.24.3.0/24">10.24.3.0/24</a> (derived from <a href="http://10.24.3.0/24">10.24.3.0/24</a>)<br>Status of IKEv2 charon daemon (strongSwan 4.3.6):<br>
  uptime: 73 seconds, since Aug 18 12:27:20 2010<br>  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 5<br>  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity<br>
Listening IP addresses:<br>  10.22.3.103<br>  10.80.3.35<br>  10.23.3.103<br>Connections:<br>myvpn~myrule:  10.23.3.103...10.23.3.203, vpn: myvpn<br>myvpn~myrule:   local:  [<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>] uses EAP_AKA authentication with EAP identity '0111222333444555'<br>
myvpn~myrule:   remote: [10.23.3.203] uses pre-shared key authentication<br>myvpn~myrule:   child:  <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>Routed Connections:<br>
myvpn~myrule{1}:  ROUTED, TUNNEL, vpn: myvpn<br>myvpn~myrule{1}:   <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>Security Associations:<br>myvpn~myrule[2]: ESTABLISHED 10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]...10.23.3.203[10.23.3.203]<br>
myvpn~myrule[2]: vpn: myvpn<br>myvpn~myrule[2]: IKE SPIs: bdaffcc2c759148a_i* ba08a39a907da030_r Creation time: 9 seconds ago, rekeying in 50 minutes<br>myvpn~myrule[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
myvpn~myrule{1}:  INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: c4693eef_i cae4ef40_o<br>myvpn~myrule{1}:  3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying in 50 minutes<br>myvpn~myrule{1}:   <a href="http://10.22.3.0/24">10.22.3.0/24</a> === <a href="http://10.24.3.0/24">10.24.3.0/24</a><br>
admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA> setkey -D<br>source=10.23.3.203 destination=10.23.3.103<br>        protocol=esp mode=tunnel spi=3295231727(0xc4693eef) reqid=1(0x00000001)<br>
        encr-algo=3des-cbc<br>        encr-key=1333c2696d0aa50f9a1cda201ec4cbe480c13ac6208dd13c<br>        auth-algo=hmac-sha1<br>        auth-key=ba7e6ee2193fa475d1d34163e89a3d4ae0bb6b65<br>        replay-window=32 flags=0x10000000 state=mature seq=1 pid=1352<br>
        created=2010-08-18/12:28:24 current=2010-08-18/12:28:35 elapsed=11(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:28:24<br>        soft-lifetime=3049(s) renewal=2010-08-18/13:19:13<br>        last-use=never<br>
        bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>source=10.23.3.103 destination=10.23.3.203<br>        protocol=esp mode=tunnel spi=3404001088(0xcae4ef40) reqid=1(0x00000001)<br>
        encr-algo=3des-cbc<br>        encr-key=9d1b351dd86d6f5ef589b2214e8ed052901e34b67dae215d<br>        auth-algo=hmac-sha1<br>        auth-key=9cd64c16b51b3f819e6a89946a6fe8adc522cb3d<br>        replay-window=32 flags=0x10000000 state=mature seq=0 pid=1352<br>
        created=2010-08-18/12:28:24 current=2010-08-18/12:28:35 elapsed=11(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:28:24<br>        soft-lifetime=3034(s) renewal=2010-08-18/13:18:58<br>        last-use=never<br>
        bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>admin@saturn:~/IKEv2client_EAPAKA><br>admin@saturn:~/IKEv2client_EAPAKA><br><br><br><br><br><br><br>Screen shots on server<br>
======================<br><br>admin@uranus:~/IKEv2server_EAPAKA> ipsec start --nofork --debug-all &<br>Starting strongSwan 4.3.6 IPsec [starter]...<br>| Loading config setup<br><br><br>[First negotiation]<br>admin@uranus:~/IKEv2server_EAPAKA> 11[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>11[CFG] looking for an ike config for 10.23.3.203...10.23.3.103<br>11[CFG]   candidate: 10.23.3.203...10.23.3.103, prio 12<br>11[CFG] found matching ike config: 10.23.3.203...10.23.3.103 with prio 12<br>
11[IKE] 10.23.3.103 is initiating an IKE_SA<br>11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>11[CFG] selecting proposal:<br>11[CFG]   proposal matches<br>11[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
11[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
11[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>12[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>12[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
12[CFG] looking for peer configs matching 10.23.3.203[10.23.3.203]...10.23.3.103[<a href="mailto:carol@strongswan.org">carol@strongswan.org</a>]<br>12[CFG]   candidate "myvpn~myrule", match: 20/20/12 (me/other/ike)<br>
12[CFG] selected peer config 'myvpn~myrule'<br>12[IKE] initiating EAP-Identity request<br>12[IKE] authentication of '10.23.3.203' (myself) with pre-shared key<br>12[IKE] successfully created shared key MAC<br>
12[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]<br>12[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>13[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]<br>
13[IKE] received EAP identity '0111222333444555'<br>13[IKE] initiating EAP_RADIUS method<br>13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>13[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
14[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>14[ENC] parsed IKE_AUTH request 3 [ EAP/RES/AKA ]<br>14[ENC] generating IKE_AUTH response 3 [ EAP/REQ/AKA ]<br>14[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
15[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/AKA ]<br>15[ENC] generating IKE_AUTH response 4 [ EAP/REQ/AKA ]<br>15[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
16[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>16[ENC] parsed IKE_AUTH request 5 [ EAP/RES/AKA ]<br>16[IKE] EAP method EAP_AKA succeeded, MSK established<br>16[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]<br>
16[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>07[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>07[ENC] parsed IKE_AUTH request 6 [ AUTH ]<br>07[IKE] authentication of 'carol@strongswan.org' with EAP successful<br>
07[IKE] authentication of '10.23.3.203' (myself) with EAP<br>07[IKE] IKE_SA myvpn~myrule[1] established between 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>
07[IKE] IKE_SA myvpn~myrule[1] state change: CONNECTING => ESTABLISHED<br>07[IKE] scheduling rekeying in 2962s<br>07[IKE] maximum IKE_SA lifetime 3322s<br>07[CFG] looking for a child config for 10.24.3.114/32[icmp] 10.24.3.0/24 === 10.22.3.112/32[icmp/8] 10.22.3.0/24 <br>
07[CFG] proposing traffic selectors for us:<br>07[CFG]  10.24.3.0/24 (derived from 10.24.3.0/24)<br>07[CFG] proposing traffic selectors for other:<br>07[CFG]  10.22.3.0/24 (derived from 10.22.3.0/24)<br>
07[CFG]   candidate "myvpn~myrule" with prio 7+7<br>07[CFG] found matching child config "myvpn~myrule" with prio 14<br>07[CFG] selecting proposal:<br>07[CFG]   proposal matches<br>07[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>
07[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ<br>07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>07[CFG] selecting traffic selectors for us:<br>07[CFG]  config: 10.24.3.0/24, received: 10.24.3.114/32[icmp] => match: 10.24.3.114/32[icmp]<br>
07[CFG]  config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24<br>07[CFG] selecting traffic selectors for other:<br>
07[CFG]  config: 10.22.3.0/24, received: 10.22.3.112/32[icmp/8] => match: 10.22.3.112/32[icmp/8]<br>
07[CFG]  config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24<br>07[IKE] CHILD_SA myvpn~myrule{2} established with SPIs cc0ead23_i cab46712_o and TS 10.24.3.0/24 === 10.22.3.0/24 <br>
07[ENC] generating IKE_AUTH response 6 [ AUTH SA TSi TSr ]<br>07[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br><br>admin@uranus:~/IKEv2server_EAPAKA> stroke statusall<br>
02[CFG] proposing traffic selectors for us:<br>02[CFG]  10.24.3.0/24 (derived from 10.24.3.0/24)<br>02[CFG] proposing traffic selectors for other:<br>02[CFG]  10.22.3.0/24 (derived from 10.22.3.0/24)<br>
Status of IKEv2 charon daemon (strongSwan 4.3.6):<br>  uptime: 42 seconds, since Aug 18 12:27:30 2010<br>  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 3<br>  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity <br>
Listening IP addresses:<br>  10.24.3.203<br>  10.80.3.36<br>  10.23.3.203<br>Connections:<br>myvpn~myrule:  10.23.3.203...10.23.3.103, vpn: myvpn<br>myvpn~myrule:   local:  [10.23.3.203] uses pre-shared key authentication<br>
myvpn~myrule:   remote: [carol@strongswan.org] uses EAP_RADIUS authentication with EAP identity '%any'<br>myvpn~myrule:   child:  10.24.3.0/24 === 10.22.3.0/24 <br>
Routed Connections:<br>myvpn~myrule{1}:  ROUTED, TUNNEL, vpn: myvpn<br>myvpn~myrule{1}:   10.24.3.0/24 === 10.22.3.0/24 <br>Security Associations:<br>myvpn~myrule[1]: ESTABLISHED 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>
myvpn~myrule[1]: vpn: myvpn<br>myvpn~myrule[1]: IKE SPIs: 267a926f447d7db7_i 634aecbed3ac3a34_r* Creation time: 18 seconds ago, rekeying in 49 minutes<br>myvpn~myrule[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
myvpn~myrule{2}:  INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cc0ead23_i cab46712_o<br>myvpn~myrule{2}:  3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying in 52 minutes<br>myvpn~myrule{2}:   10.24.3.0/24 === 10.22.3.0/24 <br>
admin@uranus:~/IKEv2server_EAPAKA> setkey -D<br>source=10.23.3.103 destination=10.23.3.203 <br>        protocol=esp mode=tunnel spi=3423513891(0xcc0ead23) reqid=2(0x00000002)<br>
        encr-algo=3des-cbc <br>        encr-key=15f393ad893265611c6cad90a40402e0a1653e95038dbf33<br>        auth-algo=hmac-sha1 <br>        auth-key=532b348d3f44e67fbb3634e53c25be18e62d1017<br>        replay-window=32 flags=0x10000000 state=mature seq=1 pid=1348<br>
        created=2010-08-18/12:27:54 current=2010-08-18/12:28:13 elapsed=19(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:27:54<br>        soft-lifetime=3151(s) renewal=2010-08-18/13:20:25<br>        last-use=never<br>
        bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>source=10.23.3.203 destination=10.23.3.103 <br>        protocol=esp mode=tunnel spi=3400820498(0xcab46712) reqid=2(0x00000002)<br>
        encr-algo=3des-cbc <br>        encr-key=d56d2f878928e489b3c1b901a608a9fdbe830333f5bd20a8<br>        auth-algo=hmac-sha1 <br>        auth-key=91d104fe097417d112e5304cb4c92dc5e2f76c9a<br>        replay-window=32 flags=0x10000000 state=mature seq=0 pid=1348<br>
        created=2010-08-18/12:27:54 current=2010-08-18/12:28:13 elapsed=19(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:27:54<br>        soft-lifetime=3172(s) renewal=2010-08-18/13:20:46<br>        last-use=never<br>
        bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>admin@uranus:~/IKEv2server_EAPAKA> <br><br>[Second negotiation]<br>admin@uranus:~/IKEv2server_EAPAKA> 11[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
11[ENC] parsed INFORMATIONAL request 7 [ D ]<br>11[IKE] received DELETE for IKE_SA myvpn~myrule[1]<br>11[IKE] deleting IKE_SA myvpn~myrule[1] between 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>
11[IKE] IKE_SA myvpn~myrule[1] state change: ESTABLISHED => DELETING<br>11[IKE] IKE_SA deleted<br>11[ENC] generating INFORMATIONAL response 7 [ ]<br>11[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
11[IKE] IKE_SA myvpn~myrule[1] state change: DELETING => DESTROYING<br>admin@uranus:~/IKEv2server_EAPAKA> 12[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>12[CFG] looking for an ike config for 10.23.3.203...10.23.3.103<br>12[CFG]   candidate: 10.23.3.203...10.23.3.103, prio 12<br>12[CFG] found matching ike config: 10.23.3.203...10.23.3.103 with prio 12<br>
12[IKE] 10.23.3.103 is initiating an IKE_SA<br>12[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING<br>12[CFG] selecting proposal:<br>12[CFG]   proposal matches<br>12[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
12[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
12[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>13[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>13[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
13[CFG] looking for peer configs matching 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>13[CFG]   candidate "myvpn~myrule", match: 20/20/12 (me/other/ike)<br>
13[CFG] selected peer config 'myvpn~myrule'<br>13[IKE] initiating EAP-Identity request<br>13[IKE] authentication of '10.23.3.203' (myself) with pre-shared key<br>13[IKE] successfully created shared key MAC<br>
13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]<br>13[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>14[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]<br>
14[IKE] received EAP identity '0111222333444555'<br>14[IKE] initiating EAP_RADIUS method<br>14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/AKA ]<br>14[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>
15[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>15[ENC] parsed IKE_AUTH request 3 [ EAP/RES/AKA ]<br>15[IKE] EAP method EAP_AKA succeeded, MSK established<br>15[CFG]  ***** auth_cfg.c:compiles: t1 = 0<br>
15[CFG]  ***** auth_cfg.c:compiles: t1 = 1<br>15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]<br>15[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>16[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]<br>
16[ENC] parsed IKE_AUTH request 4 [ AUTH ]<br>16[IKE] authentication of 'carol@strongswan.org' with EAP successful<br>16[IKE] authentication of '10.23.3.203' (myself) with EAP<br>
16[IKE] IKE_SA myvpn~myrule[2] established between 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>16[IKE] IKE_SA myvpn~myrule[2] state change: CONNECTING => ESTABLISHED<br>
16[IKE] scheduling rekeying in 2910s<br>16[IKE] maximum IKE_SA lifetime 3270s<br>16[CFG] looking for a child config for 10.24.3.114/32[icmp] 10.24.3.0/24 === 10.22.3.112/32[icmp/8] 10.22.3.0/24 <br>
16[CFG] proposing traffic selectors for us:<br>16[CFG]  10.24.3.0/24 (derived from 10.24.3.0/24)<br>16[CFG] proposing traffic selectors for other:<br>16[CFG]  10.22.3.0/24 (derived from 10.22.3.0/24)<br>
16[CFG]   candidate "myvpn~myrule" with prio 7+7<br>16[CFG] found matching child config "myvpn~myrule" with prio 14<br>16[CFG] selecting proposal:<br>16[CFG]   proposal matches<br>16[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>
16[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ<br>16[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ<br>16[CFG] selecting traffic selectors for us:<br>16[CFG]  config: 10.24.3.0/24, received: 10.24.3.114/32[icmp] => match: 10.24.3.114/32[icmp]<br>
16[CFG]  config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24<br>16[CFG] selecting traffic selectors for other:<br>
16[CFG]  config: 10.22.3.0/24, received: 10.22.3.112/32[icmp/8] => match: 10.22.3.112/32[icmp/8]<br>
16[CFG]  config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24<br>16[IKE] CHILD_SA myvpn~myrule{3} established with SPIs cae4ef40_i c4693eef_o and TS 10.24.3.0/24 === 10.22.3.0/24 <br>
16[ENC] generating IKE_AUTH response 4 [ AUTH SA TSi TSr ]<br>16[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]<br>admin@uranus:~/IKEv2server_EAPAKA> stroke statusall<br>
02[CFG] proposing traffic selectors for us:<br>02[CFG]  10.24.3.0/24 (derived from 10.24.3.0/24)<br>02[CFG] proposing traffic selectors for other:<br>02[CFG]  10.22.3.0/24 (derived from 10.22.3.0/24)<br>
Status of IKEv2 charon daemon (strongSwan 4.3.6):<br>  uptime: 90 seconds, since Aug 18 12:27:30 2010<br>  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 6<br>  loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity <br>
Listening IP addresses:<br>  10.24.3.203<br>  10.80.3.36<br>  10.23.3.203<br>Connections:<br>myvpn~myrule:  10.23.3.203...10.23.3.103, vpn: myvpn<br>myvpn~myrule:   local:  [10.23.3.203] uses pre-shared key authentication<br>
myvpn~myrule:   remote: [carol@strongswan.org] uses EAP_RADIUS authentication with EAP identity '%any'<br>myvpn~myrule:   child:  10.24.3.0/24 === 10.22.3.0/24 <br>
Routed Connections:<br>myvpn~myrule{1}:  ROUTED, TUNNEL, vpn: myvpn<br>myvpn~myrule{1}:   10.24.3.0/24 === 10.22.3.0/24 <br>Security Associations:<br>myvpn~myrule[2]: ESTABLISHED 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]<br>
myvpn~myrule[2]: vpn: myvpn<br>myvpn~myrule[2]: IKE SPIs: bdaffcc2c759148a_i ba08a39a907da030_r* Creation time: 16 seconds ago, rekeying in 48 minutes<br>myvpn~myrule[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
myvpn~myrule{3}:  INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cae4ef40_i c4693eef_o<br>myvpn~myrule{3}:  3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying in 48 minutes<br>myvpn~myrule{3}:   10.24.3.0/24 === 10.22.3.0/24 <br>
admin@uranus:~/IKEv2server_EAPAKA> setkey -D<br>source=10.23.3.103 destination=10.23.3.203 <br>        protocol=esp mode=tunnel spi=3404001088(0xcae4ef40) reqid=3(0x00000003)<br>
        encr-algo=3des-cbc <br>        encr-key=9d1b351dd86d6f5ef589b2214e8ed052901e34b67dae215d<br>        auth-algo=hmac-sha1 <br>        auth-key=9cd64c16b51b3f819e6a89946a6fe8adc522cb3d<br>        replay-window=32 flags=0x10000000 state=mature seq=1 pid=1350<br>
        created=2010-08-18/12:28:44 current=2010-08-18/12:29:03 elapsed=19(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:28:44<br>        soft-lifetime=2945(s) renewal=2010-08-18/13:17:49<br>        last-use=never<br>
        bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>source=10.23.3.203 destination=10.23.3.103 <br>        protocol=esp mode=tunnel spi=3295231727(0xc4693eef) reqid=3(0x00000003)<br>
        encr-algo=3des-cbc <br>        encr-key=1333c2696d0aa50f9a1cda201ec4cbe480c13ac6208dd13c<br>        auth-algo=hmac-sha1 <br>        auth-key=ba7e6ee2193fa475d1d34163e89a3d4ae0bb6b65<br>        replay-window=32 flags=0x10000000 state=mature seq=0 pid=1350<br>
        created=2010-08-18/12:28:44 current=2010-08-18/12:29:03 elapsed=19(s)<br>        hard-lifetime=3600(s) expiration=2010-08-18/13:28:44<br>        soft-lifetime=2929(s) renewal=2010-08-18/13:17:33<br>        last-use=never<br>
        bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0<br>        vrfid=0 xvrfid=0<br>admin@uranus:~/IKEv2server_EAPAKA> <br><br><br><br>regards,<br>dennis<br><br>
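Added example, not part of Dennis's post and not strongSwan or hostapd code: a small Python checker that reads charon log lines of the kind shown above and reports, per IKE_SA, whether the peer presented a permanent, pseudonym or fast re-authentication identity. It relies on the leading-character convention of RFC 4187 (EAP-AKA: '0' permanent, '2' pseudonym, '4' fast re-auth) and RFC 4186 (EAP-SIM: '1', '3', '5'), so an identity such as '0111222333444555' is recognised as a permanent identity. The log embedded in the block is a constructed sample modelled on the two negotiations in the post, not a verbatim copy; the function and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Leading character of the EAP-SIM/AKA username, per RFC 4187 (EAP-AKA)
# and RFC 4186 (EAP-SIM).
IDENTITY_PREFIX = {
    "0": ("EAP-AKA", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"),
    "1": ("EAP-SIM", "permanent"),
    "3": ("EAP-SIM", "pseudonym"),
    "5": ("EAP-SIM", "fast-reauth"),
}

# charon log lines that open one IKE_SA negotiation, carry the EAP identity,
# and mark the IKE_SA as established.
RE_SA_NEW = re.compile(r"IKE_SA \(unnamed\)\[(\d+)\] state change: CREATED => CONNECTING")
RE_IDENTITY = re.compile(r"received EAP identity '([^']*)'")
RE_ESTABLISHED = re.compile(r"IKE_SA \S+\[(\d+)\] established between")

# Constructed sample, modelled on the two negotiations in the post above
# (thread-id prefixes and ordering are illustrative, not a verbatim copy).
SAMPLE_LOG = """\
12[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
13[IKE] initiating EAP-Identity request
14[IKE] received EAP identity '0111222333444555'
14[IKE] initiating EAP_RADIUS method
15[IKE] EAP method EAP_AKA succeeded, MSK established
16[IKE] IKE_SA myvpn~myrule[1] established between 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]
11[IKE] received DELETE for IKE_SA myvpn~myrule[1]
12[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
13[IKE] initiating EAP-Identity request
14[IKE] received EAP identity '0111222333444555'
14[IKE] initiating EAP_RADIUS method
15[IKE] EAP method EAP_AKA succeeded, MSK established
16[IKE] IKE_SA myvpn~myrule[2] established between 10.23.3.203[10.23.3.203]...10.23.3.103[carol@strongswan.org]
"""


@dataclass
class Exchange:
    sa: int
    identity: Optional[str] = None
    established: bool = False


def classify_identity(identity: str) -> Tuple[Optional[str], str]:
    """Map an EAP-SIM/AKA NAI to (method, kind); the realm part is ignored."""
    username = identity.split("@", 1)[0]
    if not username:
        return (None, "unknown")
    return IDENTITY_PREFIX.get(username[0], (None, "unknown"))


def parse_exchanges(log_text: str) -> List[Exchange]:
    """Group log lines into IKE_SA negotiations keyed by the SA number."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    for line in log_text.splitlines():
        m = RE_SA_NEW.search(line)
        if m:
            current = Exchange(sa=int(m.group(1)))
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = RE_IDENTITY.search(line)
        if m:
            current.identity = m.group(1)
            continue
        m = RE_ESTABLISHED.search(line)
        if m and int(m.group(1)) == current.sa:
            current.established = True
    return exchanges


def find_repeated_full_auth(exchanges: List[Exchange]) -> List[Tuple[int, str]]:
    """Return (sa, identity) for every established IKE_SA that presented a
    permanent identity although an earlier full authentication had already
    succeeded, i.e. where no pseudonym or fast re-auth identity was used."""
    findings: List[Tuple[int, str]] = []
    prior_full_auth = False
    for ex in exchanges:
        if not ex.established or ex.identity is None:
            continue
        _, kind = classify_identity(ex.identity)
        if kind == "permanent":
            if prior_full_auth:
                findings.append((ex.sa, ex.identity))
            prior_full_auth = True
    return findings


if __name__ == "__main__":
    exchanges = parse_exchanges(SAMPLE_LOG)
    for ex in exchanges:
        print(ex.sa, ex.identity, classify_identity(ex.identity or ""))
    print("repeated full authentication:", find_repeated_full_auth(exchanges))
```

Run against the constructed log, the checker flags IKE_SA [2]: both connections presented the '0'-prefixed permanent identity, which is what a re-authentication that never switched to a pseudonym or fast re-auth identity looks like from the gateway side. One caveat the status output itself points at: the connection "uses EAP_RADIUS authentication", so the AKA method is relayed to the RADIUS server and any pseudonym or re-auth identity has to be issued by the EAP-AKA server running there; charon's eap-simaka-reauth plugin serves charon's own eap-aka server plugin, which is not in the path in that setup.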