<div>Hi,</div><div><br></div><div>I am running <strong>strongswan-4.5.2</strong> on <strong>Linux 2.6.35</strong>. The underlying processor is <strong>quad core - 1.6 GHz</strong>. IKE negotiation is done on a 1 GigE port. For IKEv1 negotiation, two machines are connected back to back. One machine acts as initiator whereas the other acts as responder. I am able to establish at <strong>the max 13 tunnels per second</strong> <strong>using IKEv1</strong>. After doing analysis I found that around 81 milliseconds are required to establish a single tunnel; out of that, <strong>75 milliseconds</strong> are taken <strong>by the do_command function</strong> called from the route_and_eroute function after successful addition of IPsec policies and SAs. Is there any way/configuration which will avoid this command execution?</div>
<div><br></div><div>I am doing IKEv1 configuration using the following commands:</div><div> ipsec pluto --stderrlog<br> ipsec whack --listen<br></div><div> ipsec whack --name mycnew1 --tunnel --client 60.0.1.0/24 --host 70.0.0.1 --to --client 50.0.1.0/24 --host 10.0.0.1 --psk --dpdaction none --ike aes-sha1-modp1024 --encrypt --esp aes-sha1</div>
<div> ipsec whack --route --name mycnew1</div><div><br></div><div><strong>Does anyone know for this kind of configuration how many IKEv1 tunnels are established in a second? Has anyone done IKEv1 strongswan performance characterization?</strong></div>
<div> </div><div>For reference, following is the debug log for the tunnel establishment at responder's side:</div><div>| *received 124 bytes from <a href="http://10.0.0.1:500">10.0.0.1:500</a> on ncpeth12:1<br>| **parse ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>
| responder cookie:<br>| 00 00 00 00 00 00 00 00<br>| next payload type: ISAKMP_NEXT_SA<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: none<br>| message ID: 00 00 00 00<br>
| length: 124<br>| ***parse ISAKMP Security Association Payload:<br>| next payload type: ISAKMP_NEXT_VID<br>| length: 56<br>| DOI: ISAKMP_DOI_IPSEC<br>| ***parse ISAKMP Vendor ID Payload:<br>| next payload type: ISAKMP_NEXT_VID<br>
| length: 20<br>| ***parse ISAKMP Vendor ID Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| length: 20<br>packet from <a href="http://10.0.0.1:500">10.0.0.1:500</a>: received Vendor ID payload [strongSwan]<br>
packet from <a href="http://10.0.0.1:500">10.0.0.1:500</a>: received Vendor ID payload [Dead Peer Detection]<br>| ****parse IPsec DOI SIT:<br>| IPsec DOI SIT: SIT_IDENTITY_ONLY<br>| ****parse ISAKMP Proposal Payload:<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 44<br>| proposal number: 0<br>| protocol ID: PROTO_ISAKMP<br>| SPI size: 0<br>| number of transforms: 1<br>| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 36<br>| transform number: 0<br>| transform ID: KEY_IKE<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_LIFE_TYPE<br>| length/value: 1<br>
| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_LIFE_DURATION<br>| length/value: 10800<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_ENCRYPTION_ALGORITHM<br>| length/value: 7<br>| ******parse ISAKMP Oakley attribute:<br>
| af+type: OAKLEY_HASH_ALGORITHM<br>| length/value: 2<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_KEY_LENGTH<br>| length/value: 128<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_AUTHENTICATION_METHOD<br>
| length/value: 1<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_GROUP_DESCRIPTION<br>| length/value: 2<br>| preparse_isakmp_policy: peer requests PSK authentication<br>| creating state object #1 at 0x100b6768<br>
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>| peer: 0a 00 00 01<br>| state hash entry 2<br>| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1<br>"mycnew1" #1: responding to Main Mode<br>
| **emit ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_SA<br>| ISAKMP version: ISAKMP Version 1.0<br>
| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: none<br>| message ID: 00 00 00 00<br>| ***emit ISAKMP Security Association Payload:<br>| next payload type: ISAKMP_NEXT_VID<br>| DOI: ISAKMP_DOI_IPSEC<br>| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 36<br>| transform number: 0<br>| transform ID: KEY_IKE<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_LIFE_TYPE<br>| length/value: 1<br>
| [1 is OAKLEY_LIFE_SECONDS]<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_LIFE_DURATION<br>| length/value: 10800<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_ENCRYPTION_ALGORITHM<br>
| length/value: 7<br>| [7 is AES_CBC]<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_HASH_ALGORITHM<br>| length/value: 2<br>| [2 is HMAC_SHA1]<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_KEY_LENGTH<br>
| length/value: 128<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_AUTHENTICATION_METHOD<br>| length/value: 1<br>| [1 is pre-shared key]<br>| ******parse ISAKMP Oakley attribute:<br>| af+type: OAKLEY_GROUP_DESCRIPTION<br>
| length/value: 2<br>| [2 is MODP_1024]<br>| Oakley Transform 0 accepted<br>| ****emit IPsec DOI SIT:<br>| IPsec DOI SIT: SIT_IDENTITY_ONLY<br>| ****emit ISAKMP Proposal Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>
| proposal number: 0<br>| protocol ID: PROTO_ISAKMP<br>| SPI size: 0<br>| number of transforms: 1<br>| *****emit ISAKMP Transform Payload (ISAKMP):<br>| next payload type: ISAKMP_NEXT_NONE<br>| transform number: 0<br>
| transform ID: KEY_IKE<br>| emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)<br>| attributes 80 0b 00 01 80 0c 2a 30 80 01 00 07 80 02 00 02<br>| 80 0e 00 80 80 03 00 01 80 04 00 02<br>
| emitting length of ISAKMP Transform Payload (ISAKMP): 36<br>| emitting length of ISAKMP Proposal Payload: 44<br>| emitting length of ISAKMP Security Association Payload: 56<br>| out_vendorid(): sending [strongSwan]<br>| ***emit ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID<br>| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload<br>| V_ID 88 2f e5 6d 6f d2 0d bc 22 51 61 3b 2e be 5b eb<br>| emitting length of ISAKMP Vendor ID Payload: 20<br>
| out_vendorid(): sending [Dead Peer Detection]<br>| ***emit ISAKMP Vendor ID Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload<br>| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00<br>
| emitting length of ISAKMP Vendor ID Payload: 20<br>| emitting length of ISAKMP Message: 124<br>| sending 124 bytes for STATE_MAIN_R0 through ncpeth12:1 to <a href="http://10.0.0.1:500">10.0.0.1:500</a>:<br>| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1<br>
| next event EVENT_RETRANSMIT in 10 seconds for #1<br>|<br>| *received 180 bytes from <a href="http://10.0.0.1:500">10.0.0.1:500</a> on ncpeth12:1<br>| **parse ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>
| next payload type: ISAKMP_NEXT_KE<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: none<br>| message ID: 00 00 00 00<br>| length: 180<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>| peer: 0a 00 00 01<br>| state hash entry 2<br>| state object #1 found, in STATE_MAIN_R1<br>| ***parse ISAKMP Key Exchange Payload:<br>| next payload type: ISAKMP_NEXT_NONCE<br>
| length: 132<br>| ***parse ISAKMP Nonce Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| length: 20<br>| **emit ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>
| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_KE<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: none<br>| message ID: 00 00 00 00<br>| DH public value received:<br>
| size of DH secret exponent: 1023 bits<br>| Public DH value sent:<br>| ***emit ISAKMP Key Exchange Payload:<br>| next payload type: ISAKMP_NEXT_NONCE<br>| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload<br>
| emitting length of ISAKMP Key Exchange Payload: 132<br>| ***emit ISAKMP Nonce Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| emitting 16 raw bytes of Nr into ISAKMP Nonce Payload<br>| Nr 7e b1 22 3e fb c1 32 f4 50 5b c9 64 2a 8c 63 c1<br>
| emitting length of ISAKMP Nonce Payload: 20<br>| emitting length of ISAKMP Message: 180<br>| DH shared secret:<br>| DH_i:<br>| DH_r:<br>| Skeyid:<br>| Skeyid_d:<br>| Skeyid_a:<br>| Skeyid_e:<br>| enc key:<br>| IV:<br>
| sending 180 bytes for STATE_MAIN_R1 through ncpeth12:1 to <a href="http://10.0.0.1:500">10.0.0.1:500</a>:<br>| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1<br>| next event EVENT_RETRANSMIT in 10 seconds for #1<br>
|<br>| *received 76 bytes from <a href="http://10.0.0.1:500">10.0.0.1:500</a> on ncpeth12:1<br>| 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3<br>| 05 10 02 01 00 00 00 00 00 00 00 4c 09 e8 50 78<br>| 3c 50 ad c9 7e 6e b3 05 bd 86 32 3d 59 0a 11 8f<br>
| a7 bc e0 78 2f 51 d1 4b 90 92 10 79 d9 29 26 ec<br>| 8d 79 10 b0 35 b4 90 90 a5 f4 d4 fe<br>| **parse ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>
| next payload type: ISAKMP_NEXT_ID<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: ISAKMP_FLAG_ENCRYPTION<br>| message ID: 00 00 00 00<br>| length: 76<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>| peer: 0a 00 00 01<br>| state hash entry 2<br>| state object #1 found, in STATE_MAIN_R2<br>| received encrypted packet from <a href="http://10.0.0.1:500">10.0.0.1:500</a><br>| decrypting 48 bytes using algorithm AES_CBC<br>
| decrypted:<br>| 08 00 00 0c 01 00 00 00 0a 00 00 01 00 00 00 18<br>| 93 94 e3 94 13 aa 78 14 fb 6b b5 df c7 22 24 8c<br>| 98 0d 0b 29 00 00 00 00 00 00 00 00 00 00 00 00<br>| next IV: d9 29 26 ec 8d 79 10 b0 35 b4 90 90 a5 f4 d4 fe<br>
| ***parse ISAKMP Identification Payload:<br>| next payload type: ISAKMP_NEXT_HASH<br>| length: 12<br>| ID type: ID_IPV4_ADDR<br>| DOI specific A: 0<br>| DOI specific B: 0<br>| ***parse ISAKMP Hash Payload:<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 24<br>| removing 12 bytes of padding<br>"mycnew1" #1: Peer ID is ID_IPV4_ADDR: '10.0.0.1'<br>| hashing 52 bytes of SA<br>| authentication succeeded<br>
| peer CA: %none<br>| current connection is a full match -- no need to look further<br>| offered CA: %none<br>| **emit ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>
| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_ID<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_IDPROT<br>| flags: ISAKMP_FLAG_ENCRYPTION<br>| message ID: 00 00 00 00<br>
| ***emit ISAKMP Identification Payload (IPsec DOI):<br>| next payload type: ISAKMP_NEXT_HASH<br>| ID type: ID_IPV4_ADDR<br>| Protocol ID: 0<br>| port: 0<br>| emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)<br>
| my identity 46 00 00 01<br>| emitting length of ISAKMP Identification Payload (IPsec DOI): 12<br>| hashing 52 bytes of SA<br>| ***emit ISAKMP Hash Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload<br>
| HASH_R 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02<br>| ad 10 94 a8<br>| emitting length of ISAKMP Hash Payload: 24<br>| encrypting:<br>| 08 00 00 0c 01 00 00 00 46 00 00 01 00 00 00 18<br>| 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02<br>
| ad 10 94 a8<br>| emitting 12 zero bytes of encryption padding into ISAKMP Message<br>| encrypting using AES_CBC<br>| next IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35<br>| emitting length of ISAKMP Message: 76<br>
| last encrypted block of Phase 1:<br>| d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35<br>| sending 76 bytes for STATE_MAIN_R2 through ncpeth12:1 to <a href="http://10.0.0.1:500">10.0.0.1:500</a>:<br>| 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3<br>
| 05 10 02 01 00 00 00 00 00 00 00 4c 8b 76 10 ec<br>| e5 e1 d3 08 27 35 a0 79 80 7a 0a 9b 74 28 8e 3a<br>| 17 90 0d e0 ef 40 a2 38 d9 70 c1 e2 d3 45 cb 2c<br>| 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35<br>| inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1<br>
"mycnew1" #1: sent MR3, ISAKMP SA established<br>| next event EVENT_REINIT_SECRET in 3588 seconds<br>|<br>| *received 156 bytes from <a href="http://10.0.0.1:500">10.0.0.1:500</a> on ncpeth12:1<br>| **parse ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_HASH<br>
| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_QUICK<br>| flags: ISAKMP_FLAG_ENCRYPTION<br>| message ID: 94 34 e5 61<br>| length: 156<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>
| peer: 0a 00 00 01<br>| state hash entry 2<br>| state object not found<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>| peer: 0a 00 00 01<br>| state hash entry 2<br>| state object #1 found, in STATE_MAIN_R3<br>
| last Phase 1 IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35<br>| computed Phase 2 IV:<br>| 22 1f 7a d9 1e f5 df 8c 60 07 6f e5 7e dc 95 23<br>| c6 77 7f 00<br>| received encrypted packet from <a href="http://10.0.0.1:500">10.0.0.1:500</a><br>
| decrypting 128 bytes using algorithm AES_CBC<br>| decrypted:<br>| next IV: 60 87 d3 b3 4b 87 67 c5 c3 d1 26 93 84 11 69 a9<br>| ***parse ISAKMP Hash Payload:<br>| next payload type: ISAKMP_NEXT_SA<br>| length: 24<br>| ***parse ISAKMP Security Association Payload:<br>
| next payload type: ISAKMP_NEXT_NONCE<br>| length: 52<br>| DOI: ISAKMP_DOI_IPSEC<br>| ***parse ISAKMP Nonce Payload:<br>| next payload type: ISAKMP_NEXT_ID<br>| length: 20<br>| ***parse ISAKMP Identification Payload (IPsec DOI):<br>
| next payload type: ISAKMP_NEXT_ID<br>| length: 16<br>| ID type: ID_IPV4_ADDR_SUBNET<br>| Protocol ID: 0<br>| port: 0<br>| ***parse ISAKMP Identification Payload (IPsec DOI):<br>| next payload type: ISAKMP_NEXT_NONE<br>
| length: 16<br>| ID type: ID_IPV4_ADDR_SUBNET<br>| Protocol ID: 0<br>| port: 0<br>| HASH(1) computed:<br>| 9e 79 6e 6a bc 16 8d 5f d3 52 61 a2 d2 18 f7 e2<br>| 3a e6 4c 52<br>| peer client is subnet <a href="http://50.0.1.0/24">50.0.1.0/24</a><br>
| peer client protocol/port is 0/0<br>| our client is subnet <a href="http://60.0.1.0/24">60.0.1.0/24</a><br>| our client protocol/port is 0/0<br>| find_client_connection starting with mycnew1<br>| looking for <a href="http://60.0.1.0/24:0/0">60.0.1.0/24:0/0</a> -> <a href="http://50.0.1.0/24:0/0">50.0.1.0/24:0/0</a><br>
| concrete checking against sr#0 <a href="http://60.0.1.0/24">60.0.1.0/24</a> -> <a href="http://50.0.1.0/24">50.0.1.0/24</a><br>| duplicating state object #1<br>| creating state object #2 at 0x100b7360<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>| peer: 0a 00 00 01<br>| state hash entry 2<br>| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2<br>| **emit ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>
| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_HASH<br>| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_QUICK<br>| flags: ISAKMP_FLAG_ENCRYPTION<br>
| message ID: 94 34 e5 61<br>| ***emit ISAKMP Hash Payload:<br>| next payload type: ISAKMP_NEXT_SA<br>| emitting 20 zero bytes of HASH into ISAKMP Hash Payload<br>| emitting length of ISAKMP Hash Payload: 24<br>| ***emit ISAKMP Security Association Payload:<br>
| next payload type: ISAKMP_NEXT_NONCE<br>| DOI: ISAKMP_DOI_IPSEC<br>| ****parse IPsec DOI SIT:<br>| IPsec DOI SIT: SIT_IDENTITY_ONLY<br>| ****parse ISAKMP Proposal Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>
| length: 40<br>| proposal number: 0<br>| protocol ID: PROTO_IPSEC_ESP<br>| SPI size: 4<br>| number of transforms: 1<br>| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI<br>| SPI c4 51 8a 7d<br>| *****parse ISAKMP Transform Payload (ESP):<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 28<br>| transform number: 0<br>| transform ID: AES_CBC<br>| ******parse ISAKMP IPsec DOI attribute:<br>| af+type: ENCAPSULATION_MODE<br>| length/value: 1<br>
| [1 is ENCAPSULATION_MODE_TUNNEL]<br>| ******parse ISAKMP IPsec DOI attribute:<br>| af+type: SA_LIFE_TYPE<br>| length/value: 1<br>| [1 is SA_LIFE_TYPE_SECONDS]<br>| ******parse ISAKMP IPsec DOI attribute:<br>
| af+type: SA_LIFE_DURATION<br>| length/value: 3600<br>| ******parse ISAKMP IPsec DOI attribute:<br>| af+type: AUTH_ALGORITHM<br>| length/value: 2<br>| [2 is HMAC_SHA1]<br>| ******parse ISAKMP IPsec DOI attribute:<br>
| af+type: KEY_LENGTH<br>| length/value: 128<br>| kernel_alg_esp_enc_ok(12,128): alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1<br>| ****emit IPsec DOI SIT:<br>| IPsec DOI SIT: SIT_IDENTITY_ONLY<br>
| ****emit ISAKMP Proposal Payload:<br>| next payload type: ISAKMP_NEXT_NONE<br>| proposal number: 0<br>| protocol ID: PROTO_IPSEC_ESP<br>| SPI size: 4<br>| number of transforms: 1<br>| getting SPI for reqid {16388}<br>
| sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0xbfcb9790<br>| got SPI c940edca for reqid {16388}<br>| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload<br>| SPI c9 40 ed ca<br>| *****emit ISAKMP Transform Payload (ESP):<br>
| next payload type: ISAKMP_NEXT_NONE<br>| transform number: 0<br>| transform ID: AES_CBC<br>| emitting 20 raw bytes of attributes into ISAKMP Transform Payload (ESP)<br>| attributes 80 04 00 01 80 01 00 01 80 02 0e 10 80 05 00 02<br>
| 80 06 00 80<br>| emitting length of ISAKMP Transform Payload (ESP): 28<br>| emitting length of ISAKMP Proposal Payload: 40<br>| emitting length of ISAKMP Security Association Payload: 52<br>"mycnew1" #2: responding to Quick Mode<br>
| ***emit ISAKMP Nonce Payload:<br>| next payload type: ISAKMP_NEXT_ID<br>| emitting 16 raw bytes of Nr into ISAKMP Nonce Payload<br>| Nr 0b 87 df 44 34 6e 38 ea 8d ee fb fb bb 41 60 85<br>| emitting length of ISAKMP Nonce Payload: 20<br>
| emitting 16 raw bytes of IDci into ISAKMP Message<br>| IDci 05 00 00 10 04 00 00 00 32 00 01 00 ff ff ff 00<br>| emitting 16 raw bytes of IDcr into ISAKMP Message<br>| IDcr 00 00 00 10 04 00 00 00 3c 00 01 00 ff ff ff 00<br>
| HASH(2) computed:<br>| 0a fc ac 49 11 a3 83 a6 f4 cf 84 80 7b 7b 1e 63<br>| 8b 55 13 07<br>| kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16<br>| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20<br>
| KEYMAT computed:<br>| 95 8e 61 58 03 13 c8 42 9d cb 11 dc 57 25 67 ee<br>| d4 1d e3 c7 02 ea cf 07 ca ed 81 e5 b3 b1 70 0d<br>| 92 db e2 d3<br>| route owner of "mycnew1" prospective erouted: self<br>
| install_inbound_ipsec_sa() checking if we can route<br>| route owner of "mycnew1" prospective erouted: self; eroute owner: self<br>| kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3<br>
| adding SAD entry with SPI c940edca and reqid {16388}<br>| using encryption algorithm AES_CBC with key size 128<br>| using integrity algorithm HMAC_SHA1_96 with key size 160<br>| sending XFRM_MSG_UPDSA: => 420 bytes @ 0xbfcb9698<br>
| encrypting:<br>| encrypting using AES_CBC<br>| next IV: b8 70 93 5c 89 2b 43 24 b5 03 dd cb 89 65 4d 5b<br>| emitting length of ISAKMP Message: 156<br>| sending 156 bytes for STATE_QUICK_R0 through ncpeth12:1 to <a href="http://10.0.0.1:500">10.0.0.1:500</a>:<br>| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2<br>| next event EVENT_RETRANSMIT in 10 seconds for #2<br>
|<br>| *received 60 bytes from <a href="http://10.0.0.1:500">10.0.0.1:500</a> on ncpeth12:1<br>| 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3<br>| 08 10 20 01 94 34 e5 61 00 00 00 3c 3e cb 11 6c<br>| 8f ff 0c ae f5 a8 72 7f d4 b1 a7 a5 f6 cd 49 e0<br>
| 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec<br>| **parse ISAKMP Message:<br>| initiator cookie:<br>| 14 0a c2 61 e7 ef 8f e1<br>| responder cookie:<br>| 0d a0 6f 55 e8 a4 68 e3<br>| next payload type: ISAKMP_NEXT_HASH<br>
| ISAKMP version: ISAKMP Version 1.0<br>| exchange type: ISAKMP_XCHG_QUICK<br>| flags: ISAKMP_FLAG_ENCRYPTION<br>| message ID: 94 34 e5 61<br>| length: 60<br>| ICOOKIE: 14 0a c2 61 e7 ef 8f e1<br>| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3<br>
| peer: 0a 00 00 01<br>| state hash entry 2<br>| state object #2 found, in STATE_QUICK_R1<br>| received encrypted packet from <a href="http://10.0.0.1:500">10.0.0.1:500</a><br>| decrypting 32 bytes using algorithm AES_CBC<br>
| decrypted:<br>| 00 00 00 18 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb<br>| 30 43 00 fd 11 54 dc f3 00 00 00 00 00 00 00 00<br>| next IV: f6 cd 49 e0 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec<br>| ***parse ISAKMP Hash Payload:<br>
| next payload type: ISAKMP_NEXT_NONE<br>| length: 24<br>| removing 8 bytes of padding<br>| HASH(3) computed: 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb 30 43 00 fd<br>| 11 54 dc f3<br>| kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16<br>
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20<br>| Peer KEYMAT computed:<br>| 18 91 d7 31 0f 10 85 63 3b 36 b7 0f ce 2b 65 19<br>| 71 7c 2f bb 38 56 b6 40 af 37 76 a6 4d 6f dc de<br>| 0e ce ac d9<br>
| install_ipsec_sa() for #2: outbound only<br>| route owner of "mycnew1" prospective erouted: self; eroute owner: self<br>| kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3<br>
| adding SAD entry with SPI c4518a7d and reqid {16388}<br>| using encryption algorithm AES_CBC with key size 128<br>| using integrity algorithm HMAC_SHA1_96 with key size 160<br>| sending XFRM_MSG_NEWSA: => 420 bytes @ 0xbfcb9fa8<br>
| sr for #2: prospective erouted<br>
| route owner of "mycnew1" prospective erouted: self; eroute owner: self<br>| route_and_eroute with c: mycnew1 (next: none) ero:mycnew1 esr:{(nil)} ro:mycnew1 rosr:{(nil)} and state: 2<br>| eroute_connection replace eroute <a href="http://50.0.1.0/24:0">50.0.1.0/24:0</a> -> <a href="http://60.0.1.0/24:0">60.0.1.0/24:0</a> => <a href="http://tun.0@70.0.0.1:0">tun.0@70.0.0.1:0</a><br>
| deleting policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> in<br>deleting policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> in failed, not found<br>
"mycnew1" #2: ************ Time taken for del policy 0 sec:77 usec<br>| adding policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> in<br>| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18<br>
"mycnew1" #2: ************ Time taken for add policy 0 sec:252 usec<br>| deleting policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> fwd<br>
deleting policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> fwd failed, not found<br>"mycnew1" #2: ************ Time taken for del policy 0 sec:66 usec<br>| adding policy <a href="http://50.0.1.0/24">50.0.1.0/24</a> === <a href="http://60.0.1.0/24">60.0.1.0/24</a> fwd<br>
| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18<br>"mycnew1" #2: ************ Time taken for add policy 0 sec:1267 usec<br>| eroute_connection replace eroute <a href="http://60.0.1.0/24:0">60.0.1.0/24:0</a> -> <a href="http://50.0.1.0/24:0">50.0.1.0/24:0</a> => <a href="http://tun.0@10.0.0.1:0">tun.0@10.0.0.1:0</a><br>
| deleting policy <a href="http://60.0.1.0/24">60.0.1.0/24</a> === <a href="http://50.0.1.0/24">50.0.1.0/24</a> out<br>| sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0xbfcb9d58<br>"mycnew1" #2: ************ Time taken for del policy 0 sec:1015 usec<br>| adding policy <a href="http://60.0.1.0/24">60.0.1.0/24</a> === <a href="http://50.0.1.0/24">50.0.1.0/24</a> out<br>
| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18<br>"mycnew1" #2: ************ Time taken for add policy 0 sec:1839 usec<br>"mycnew1" #2: Time taken in route_and_eroute (firewall)0 sec:4764 usec<br>
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='mycnew1' PLUTO_NEXT_HOP='10.0.0.1' PLUTO_INTERFACE='ncpeth12:1' PLUTO_REQID='16388' PLUTO_ME='70.0.0.1' PLUTO_MY_ID='70.0.0.1' PLUTO_MY_CLIENT='<a href="http://60.0.1.0/24">60.0.1.0/24</a>' PLUTO_MY_CLIENT_NET='60.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.0.0.1' PLUTO_PEER_ID='10.0.0.1' PLUTO_PEER_CLIENT='<a href="http://50.0.1.0/24">50.0.1.0/24</a>' PLUTO_PEER_CLIENT_NET='50.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown<br>
| route_and_eroute: firewall_notified: true<br>| route_and_eroute: instance "mycnew1", setting eroute_owner {spd=0x100af720,sr=0x100af720} to #2 (was #0) (newest_ipsec_sa=#0)<br>"mycnew1" #2: Time taken in route_and_eroute 0 sec:85145 usec<br>
| inI2: instance mycnew1[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)<br>| inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2<br>"mycnew1" #2: IPsec SA established {ESP=>0xc4518a7d <0xc940edca}<br>
| next event EVENT_SA_REPLACE in 3330 seconds for #2</div><div><br></div><div>Thanks and Regards,</div><div>Amit Tamboli</div>