Starting IKEv1 pluto daemon (strongSwan 4.6.2) THREADS VENDORID
listening on interfaces:
  eth1
    10.10.10.6
    fe80::21c:25ff:fea9:da42
  eth2
    10.125.40.64
    fe80::207:e9ff:fe0c:6343
  virbr0
    192.168.122.1
loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
  including NAT-Traversal patch (Version 0.6c) [disabled]
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/rootCaCert_0.pem'
| authcert list locked by 'add_authcert'
| authcert list unlocked by 'add_authcert'
  loaded ca certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
| authcert list locked by 'add_authcert'
| authcert list unlocked by 'add_authcert'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
spawning 4 worker threads
listening for IKE messages
adding interface virbr0/virbr0 192.168.122.1:500
adding interface eth2/eth2 10.125.40.64:500
adding interface eth1/eth1 10.10.10.6:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/usr/local/etc/ipsec.secrets"
  loaded private key from 'bts_key.pem'
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
  loaded CA certificate from '/usr/local/etc/ipsec.d/cacerts/cacert.pem'
added ca description "rootca0"
| ca info list locked by 'add_ca_info'
| ca info list unlocked by 'add_ca_info'
| authcert list locked by 'add_authcert'
| authcert list unlocked by 'add_authcert'
  loaded host certificate from '/usr/local/etc/ipsec.d/certs/bts_cert.pem'
  id '%any' not confirmed by certificate, defaulting to 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm'
| ref key: 0x8295918 0x8297610 cnt 0 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=ftm'
| certs and keys locked by 'cert_add'
| certs and keys unlocked by 'cert_add'
added connection description "conn100"
"conn100" #1: initiating Main Mode
| rejected packet:
|   16 6c b3 5d 4e 15 00 2f 00 00 00 00 00 00 00 00
|   01 10 02 00 00 00 00 00 00 00 00 88 0d 00 00 38
|   00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
|   00 00 00 24 00 01 00 00 80 0b 00 01 00 0c 00 04
|   00 01 45 b0 80 01 00 05 80 02 00 02 80 03 00 03
|   80 04 00 02 0d 00 00 14 88 2f e5 6d 6f d2 0d bc
|   22 51 61 3b 2e be 5b eb 0d 00 00 0c 09 00 26 89
|   df d6 b7 12 00 00 00 14 af ca d7 13 68 a1 f1 c9
|   6b 86 96 fc 77 57 01 00
| control:
|   2c 00 00 00 00 00 00 00 0b 00 00 00 6f 00 00 00
|   02 03 03 00 00 00 00 00 00 00 00 00 02 00 00 00
|   0a 0a 0a 07 00 00 00 00 00 00 00 00
| name:
|   02 00 01 f4 0a 0a 0a 07 00 00 00 00 00 00 00 00
"conn100" #1: ERROR: asynchronous network error report on eth1 for message to 10.10.10.7 port 500, complainant 10.10.10.7: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"conn100" #1: received Vendor ID payload [strongSwan]
"conn100" #1: received Vendor ID payload [XAUTH]
"conn100" #1: received Vendor ID payload [Dead Peer Detection]
"conn100" #1: we have a cert and are sending it upon request
"conn100" #1: Peer ID is ID_DER_ASN1_DN: 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms'
| authcert list locked by 'verify_x509cert'
| authcert list unlocked by 'verify_x509cert'
| crl list locked by 'verify_by_crl'
| crl list unlocked by 'verify_by_crl'
"conn100" #1: crl not found
"conn100" #1: certificate status unknown
| authcert list locked by 'verify_x509cert'
| authcert list unlocked by 'verify_x509cert'
| ref key: 0x829a860 0x829ab00 cnt 0 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms'
| ref key: 0x829a860 0x829ab00 cnt 1 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms'
"conn100" #1: we require peer to have ID '10.10.10.7', but peer declares 'C=IN, ST=BLR, O=Wipro Technologies, OU=RA, CN=oms'
Continuing
"conn100" #1: ISAKMP SA established
"conn100" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)
"conn100" #2: Dead Peer Detection (RFC 3706) enabled
"conn100" #2: sent QI2, IPsec SA established {ESP=>0xc29abdd9 <0xc11e8f13}
"conn100" #3: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:conn100 esr:{(nil)} ro:conn100 rosr:{(nil)} and state: 3
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #3 (was #2) (spd.eroute=#3)
"conn100" #3: Dead Peer Detection (RFC 3706) enabled
"conn100" #3: sent QI2, IPsec SA established {ESP=>0xc96eb76e <0xc2df58a4}
"conn100" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP to replace #3 {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:conn100 esr:{(nil)} ro:conn100 rosr:{(nil)} and state: 4
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #4 (was #3) (spd.eroute=#4)
"conn100" #4: Dead Peer Detection (RFC 3706) enabled
"conn100" #4: sent QI2, IPsec SA established {ESP=>0xc1a2c0d0 <0xc9adba01}
"conn100" #5: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:conn100 esr:{(nil)} ro:conn100 rosr:{(nil)} and state: 5
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #5 (was #4) (spd.eroute=#5)
"conn100" #5: Dead Peer Detection (RFC 3706) enabled
"conn100" #5: sent QI2, IPsec SA established {ESP=>0xc1c20f9a <0xc9efac8d}
"conn100" #6: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP to replace #5 {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:conn100 esr:{(nil)} ro:conn100 rosr:{(nil)} and state: 6
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #6 (was #5) (spd.eroute=#6)
"conn100" #6: Dead Peer Detection (RFC 3706) enabled
"conn100" #6: sent QI2, IPsec SA established {ESP=>0xcd1fefd2 <0xc361a998}
"conn100" #7: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP to replace #6 {using isakmp#1}
| route_and_eroute with c: conn100 (next: none) ero:conn100 esr:{(nil)} ro:conn100 rosr:{(nil)} and state: 7
| inR1_outI2: instance conn100[0], setting newest_ipsec_sa to #7 (was #6) (spd.eroute=#7)
"conn100" #7: Dead Peer Detection (RFC 3706) enabled
"conn100" #7: sent QI2, IPsec SA established {ESP=>0xc14e4933 <0xcf678a29}
"conn100" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xc29abdd9) not found (maybe expired)