[strongSwan] Milenage implementation and EAP-AKA reauthentication in strongswan 4.3.6
DANG Hongwu
danghwbleu at gmail.com
Wed Aug 18 13:54:38 CEST 2010
Hi all,
I'm trying to test EAP-AKA authentication with radius server, with
strongswan 4.3.6 and hostapd 0.6.10.
I set up the following test environment:
                                             Radius / HLR/Auc
                                                    |
                                                    |
                                                    |
                                                    |
H1 -------------- NUT1 =========================== NUT2 -------------- H2
               EAP Client                       EAP Server
It seems that the milenage implementations in hostapd and in charon are
different, so I have to migrate part of charon's milenage implementation to
hostapd. And now when I ping H2 on H1, the EAP peer is successfully
authenticated by hostapd, and SAs are negotiated. The question is that
there's no OP or OPc value in charon; I can only find a pre-defined 64-byte
long data block filled with 0x5c, on which a sha1 hash is performed, and then
the hash result is used to calculate the quintuplets. In this way, there will
not be a provider-specific OP value? It seems that in hostapd a pre-calculated
OPc is stored for each IMSI in some database.
Another question is the EAP-AKA re-authentication: I see the
eap-simaka-reauth plugin, and it seems this plugin could do the work of
EAP-AKA reauthentication. But each time the permanent identity is sent to the
radius server, even after a first full authentication and after the reauth
identity is stored on the peer (according to the log messages on the peer). Am I
missing some configuration?
Thanks for any reply:)
Here are some configurations and screen shots:
Configurations on EAP peer
==========================
admin@saturn:~/IKEv2client_EAPAKA> cat ipsec.conf
config setup
        charonstart=yes
        plutostart=no
        charondebug="ike 2, cfg 2"

conn %default
        auto=route
        keyexchange=ikev2
        keyingtries=1

conn myvpn~myrule
        mobike=no
        left=10.23.3.103
        right=10.23.3.203
        leftsubnet=10.22.3.0/24
        rightsubnet=10.24.3.0/24
        leftprotoport=%any
        rightprotoport=%any
        #leftid=0111222333444555
        leftid=carol@strongswan.org
        rightid=10.23.3.203
        type=tunnel
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp768!
        ikelifetime=3600s
        rekeymargin=360s
        keylife=3600s
        leftauth=eap-aka
        eap_identity=0111222333444555
        rightauth=secret
        auto=route
        rekey=yes
        reauth=no

admin@saturn:~/IKEv2client_EAPAKA> cat ipsec.secrets
10.23.3.203 : PSK 0x12345678
carol@strongswan.org : EAP "Ar3etTnpAr3etTnp"
0111222333444555 : EAP "0123456789012345"

admin@saturn:~/IKEv2client_EAPAKA> cat strongswan.conf
charon {
        load = openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity
}

Configurations on server
========================
admin@uranus:~/IKEv2server_EAPAKA> cat ipsec.conf
config setup
        charonstart=yes
        plutostart=no
        charondebug="ike 2, cfg 2"

conn %default
        auto=route
        keyexchange=ikev2
        keyingtries=1

conn myvpn~myrule
        mobike=no
        left=10.23.3.203
        right=10.23.3.103
        leftsubnet=10.24.3.0/24
        rightsubnet=10.22.3.0/24
        leftprotoport=%any
        rightprotoport=%any
        leftid=10.23.3.203
        #rightid=0111222333444555
        rightid=carol@strongswan.org
        type=tunnel
        ike=3des-sha1-modp1024!
        esp=3des-sha1-modp768!
        ikelifetime=3600s
        rekeymargin=360s
        keylife=3600s
        leftauth=secret
        rightauth=eap-radius
        eap_identity=%identity
        auto=route
        rekey=yes
        reauth=no

admin@uranus:~/IKEv2server_EAPAKA> cat /var/tmp/shells/ipsec.secrets
: PSK 0x12345678
carol@strongswan.org : EAP "Ar3etTnpAr3etTnp"
0111222333444555 : EAP "0123456789012345"

admin@uranus:~/IKEv2server_EAPAKA> cat /var/tmp/shells/strongswan.conf
charon {
        load = openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity
        plugins {
                eap-radius {
                        server = 10.80.2.243
                        secret = testSecret
                }
        }
}

Screen shots on peer
====================
admin at saturn:~/IKEv2client_EAPAKA> ipsec start --nofork --debug-all &
Starting strongSwan 4.3.6 IPsec [starter]...
| Loading config setup
| charonstart=yes
| plutostart=no
[snip]
[First negotiation]
admin at saturn:~/IKEv2client_EAPAKA> 03[KNL] creating acquire job for policy
10.22.3.112/32[icmp/8] === 10.24.3.114/32[icmp] with reqid {1}
11[IKE] queueing IKE_INIT task
11[IKE] queueing IKE_VENDOR task
11[IKE] queueing IKE_NATD task
11[IKE] queueing IKE_CERT_PRE task
11[IKE] queueing IKE_AUTHENTICATE task
11[IKE] queueing IKE_CERT_POST task
11[IKE] queueing IKE_CONFIG task
11[IKE] queueing IKE_AUTH_LIFETIME task
11[IKE] queueing IKE_ME task
11[IKE] queueing CHILD_CREATE task
11[IKE] activating new tasks
11[IKE] activating IKE_INIT task
11[IKE] activating IKE_VENDOR task
11[IKE] activating IKE_NATD task
11[IKE] activating IKE_CERT_PRE task
11[IKE] activating IKE_ME task
11[IKE] activating IKE_AUTHENTICATE task
11[IKE] activating IKE_CERT_POST task
11[IKE] activating IKE_CONFIG task
11[IKE] activating CHILD_CREATE task
11[IKE] activating IKE_AUTH_LIFETIME task
11[IKE] initiating IKE_SA myvpn~myrule[1] to 10.23.3.203
11[IKE] IKE_SA myvpn~myrule[1] state change: CREATED => CONNECTING
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
11[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
12[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
12[CFG] selecting proposal:
12[CFG] proposal matches
12[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[IKE] reinitiating already active tasks
12[IKE] IKE_CERT_PRE task
12[IKE] IKE_AUTHENTICATE task
12[IKE] establishing CHILD_SA myvpn~myrule{1}
12[CFG] proposing traffic selectors for us:
12[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
12[CFG] proposing traffic selectors for other:
12[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
12[ENC] generating IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
12[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
13[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
13[IKE] authentication of '10.23.3.203' with pre-shared key successful
13[IKE] server requested EAP_IDENTITY, sending '0111222333444555'
13[IKE] reinitiating already active tasks
13[IKE] IKE_AUTHENTICATE task
13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
13[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
14[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
14[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
14[IKE] server requested EAP_AKA authentication
14[IKE] reinitiating already active tasks
14[IKE] IKE_AUTHENTICATE task
14[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]
14[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
15[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
15[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/AKA ]
15[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE
15[IKE] ignoring skippable EAP-SIM/AKA attribute (136)
15[IKE] received SQN invalid, sending AKA_SYNCHRONIZATION_FAILURE
15[IKE] reinitiating already active tasks
15[IKE] IKE_AUTHENTICATE task
15[ENC] generating IKE_AUTH request 4 [ EAP/RES/AKA ]
15[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
16[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
16[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/AKA ]
16[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE
16[IKE] ignoring skippable EAP-SIM/AKA attribute (136)
16[IKE] storing pseudonym '2011943b24e2da01afe05' for '0111222333444555'
16[IKE] storing next reauthentication identity '4c53d1e5753a665dc7268' for
'0111222333444555'
16[IKE] reinitiating already active tasks
16[IKE] IKE_AUTHENTICATE task
16[ENC] generating IKE_AUTH request 5 [ EAP/RES/AKA ]
16[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
07[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
07[ENC] parsed IKE_AUTH response 5 [ EAP/SUCC ]
07[IKE] EAP method EAP_AKA succeeded, MSK established
07[IKE] reinitiating already active tasks
07[IKE] IKE_AUTHENTICATE task
07[IKE] authentication of 'carol at strongswan.org' (myself) with EAP
07[ENC] generating IKE_AUTH request 6 [ AUTH ]
07[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
08[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
08[ENC] parsed IKE_AUTH response 6 [ AUTH SA TSi TSr ]
08[IKE] authentication of '10.23.3.203' with EAP successful
08[IKE] IKE_SA myvpn~myrule[1] established between 10.23.3.103[
carol at strongswan.org]...10.23.3.203[10.23.3.203]
08[IKE] IKE_SA myvpn~myrule[1] state change: CONNECTING => ESTABLISHED
08[IKE] scheduling rekeying in 3049s
08[IKE] maximum IKE_SA lifetime 3409s
08[CFG] selecting proposal:
08[CFG] proposal matches
08[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
08[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
08[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
08[CFG] selecting traffic selectors for us:
08[CFG] config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24
08[CFG] selecting traffic selectors for other:
08[CFG] config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24
08[IKE] CHILD_SA myvpn~myrule{1} established with SPIs cab46712_i cc0ead23_o
and TS 10.22.3.0/24 === 10.24.3.0/24
08[IKE] activating new tasks
08[IKE] nothing to initiate
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA> stroke statusall
02[CFG] proposing traffic selectors for us:
02[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
Status of IKEv2 charon daemon (strongSwan 4.3.6):
uptime: 27 seconds, since Aug 18 12:27:20 2010
worker threads: 10 idle of 16, job queue load: 1, scheduled events: 2
loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke
kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-identity
Listening IP addresses:
10.22.3.103
10.80.3.35
10.23.3.103
Connections:
myvpn~myrule: 10.23.3.103...10.23.3.203, vpn: myvpn
myvpn~myrule: local: [carol at strongswan.org] uses EAP_AKA authentication
with EAP identity '0111222333444555'
myvpn~myrule: remote: [10.23.3.203] uses pre-shared key authentication
myvpn~myrule: child: 10.22.3.0/24 === 10.24.3.0/24
Routed Connections:
myvpn~myrule{1}: ROUTED, TUNNEL, vpn: myvpn
myvpn~myrule{1}: 10.22.3.0/24 === 10.24.3.0/24
Security Associations:
myvpn~myrule[1]: ESTABLISHED 10.23.3.103[carol at strongswan.org
]...10.23.3.203[10.23.3.203]
myvpn~myrule[1]: vpn: myvpn
myvpn~myrule[1]: IKE SPIs: 267a926f447d7db7_i* 634aecbed3ac3a34_r Creation
time: 12 seconds ago
, rekeying in 50 minutes
myvpn~myrule[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
myvpn~myrule{1}: INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cab46712_i
cc0ead23_o
myvpn~myrule{1}: 3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying
in 48 minutes
myvpn~myrule{1}: 10.22.3.0/24 === 10.24.3.0/24
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA> setkey -D
source=10.23.3.203 destination=10.23.3.103
protocol=esp mode=tunnel spi=3400820498(0xcab46712)
reqid=1(0x00000001)
encr-algo=3des-cbc
encr-key=d56d2f878928e489b3c1b901a608a9fdbe830333f5bd20a8
auth-algo=hmac-sha1
auth-key=91d104fe097417d112e5304cb4c92dc5e2f76c9a
replay-window=32 flags=0x10000000 state=mature seq=1 pid=1349
created=2010-08-18/12:27:35 current=2010-08-18/12:27:49
elapsed=14(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:27:35
soft-lifetime=2959(s) renewal=2010-08-18/13:16:54
last-use=never
bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
source=10.23.3.103 destination=10.23.3.203
protocol=esp mode=tunnel spi=3423513891(0xcc0ead23)
reqid=1(0x00000001)
encr-algo=3des-cbc
encr-key=15f393ad893265611c6cad90a40402e0a1653e95038dbf33
auth-algo=hmac-sha1
auth-key=532b348d3f44e67fbb3634e53c25be18e62d1017
replay-window=32 flags=0x10000000 state=mature seq=0 pid=1349
created=2010-08-18/12:27:35 current=2010-08-18/12:27:49
elapsed=14(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:27:35
soft-lifetime=2927(s) renewal=2010-08-18/13:16:22
last-use=never
bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
admin at saturn:~/IKEv2client_EAPAKA>
[Second negotiation]
admin at saturn:~/IKEv2client_EAPAKA> stroke down myvpn~myrule
02[CFG] received stroke: terminate 'myvpn~myrule'
09[IKE] queueing IKE_DELETE task
09[IKE] activating new tasks
09[IKE] activating IKE_DELETE task
09[IKE] deleting IKE_SA myvpn~myrule[1] between 10.23.3.103[
carol at strongswan.org]...10.23.3.203[10.23.3.203]
09[IKE] IKE_SA myvpn~myrule[1] state change: ESTABLISHED => DELETING
09[IKE] sending DELETE for IKE_SA myvpn~myrule[1]
09[ENC] generating INFORMATIONAL request 7 [ D ]
09[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
deleting IKE_SA myvpn~myrule[1] between 10.23.3.103[carol at strongswan.org
]...10.23.3.203[10.23.3.203]
sending DELETE for IKE_SA myvpn~myrule[1]
generating INFORMATIONAL request 7 [ D ]
sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
11[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
11[ENC] parsed INFORMATIONAL response 7 [ ]
11[IKE] IKE_SA deleted
11[IKE] IKE_SA myvpn~myrule[1] state change: DELETING => DESTROYING
received packet: from 10.23.3.203[500] to 10.23.3.103[500]
parsed INFORMATIONAL response 7 [ ]
IKE_SA deleted
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA> 03[KNL] creating acquire job for policy
10.22.3.112/32[icmp/8] === 10.24.3.114/32[icmp] with reqid {1}
13[IKE] queueing IKE_INIT task
13[IKE] queueing IKE_VENDOR task
13[IKE] queueing IKE_NATD task
13[IKE] queueing IKE_CERT_PRE task
13[IKE] queueing IKE_AUTHENTICATE task
13[IKE] queueing IKE_CERT_POST task
13[IKE] queueing IKE_CONFIG task
13[IKE] queueing IKE_AUTH_LIFETIME task
13[IKE] queueing IKE_ME task
13[IKE] queueing CHILD_CREATE task
13[IKE] activating new tasks
13[IKE] activating IKE_INIT task
13[IKE] activating IKE_VENDOR task
13[IKE] activating IKE_NATD task
13[IKE] activating IKE_CERT_PRE task
13[IKE] activating IKE_ME task
13[IKE] activating IKE_AUTHENTICATE task
13[IKE] activating IKE_CERT_POST task
13[IKE] activating IKE_CONFIG task
13[IKE] activating CHILD_CREATE task
13[IKE] activating IKE_AUTH_LIFETIME task
13[IKE] initiating IKE_SA myvpn~myrule[2] to 10.23.3.203
13[IKE] IKE_SA myvpn~myrule[2] state change: CREATED => CONNECTING
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
13[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
14[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
14[CFG] selecting proposal:
14[CFG] proposal matches
14[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
14[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
14[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
14[IKE] reinitiating already active tasks
14[IKE] IKE_CERT_PRE task
14[IKE] IKE_AUTHENTICATE task
14[IKE] establishing CHILD_SA myvpn~myrule{1}
14[CFG] proposing traffic selectors for us:
14[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
14[CFG] proposing traffic selectors for other:
14[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
14[ENC] generating IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
14[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
15[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
15[ENC] parsed IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
15[IKE] authentication of '10.23.3.203' with pre-shared key successful
15[IKE] server requested EAP_IDENTITY, sending '0111222333444555'
15[IKE] reinitiating already active tasks
15[IKE] IKE_AUTHENTICATE task
15[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
15[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
16[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/AKA ]
16[IKE] server requested EAP_AKA authentication
16[IKE] ignoring skippable EAP-SIM/AKA attribute AT_CHECKCODE
16[IKE] ignoring skippable EAP-SIM/AKA attribute (136)
16[IKE] storing pseudonym '22a79d18f795786d42bde' for '0111222333444555'
16[IKE] storing next reauthentication identity '473f81a82c5e83fe37f1f' for
'0111222333444555'
16[IKE] reinitiating already active tasks
16[IKE] IKE_AUTHENTICATE task
16[ENC] generating IKE_AUTH request 3 [ EAP/RES/AKA ]
16[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
07[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
07[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
07[IKE] EAP method EAP_AKA succeeded, MSK established
07[IKE] reinitiating already active tasks
07[IKE] IKE_AUTHENTICATE task
07[IKE] authentication of 'carol at strongswan.org' (myself) with EAP
07[NET] sending packet: from 10.23.3.103[500] to 10.23.3.203[500]
10[NET] received packet: from 10.23.3.203[500] to 10.23.3.103[500]
10[ENC] parsed IKE_AUTH response 4 [ AUTH SA TSi TSr ]
10[IKE] authentication of '10.23.3.203' with EAP successful
10[IKE] IKE_SA myvpn~myrule[2] established between 10.23.3.103[
carol at strongswan.org]...10.23.3.203[10.23.3.203]
10[IKE] IKE_SA myvpn~myrule[2] state change: CONNECTING => ESTABLISHED
10[IKE] scheduling rekeying in 3016s
10[IKE] maximum IKE_SA lifetime 3376s
10[CFG] selecting proposal:
10[CFG] proposal matches
10[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
10[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
10[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
10[CFG] selecting traffic selectors for us:
10[CFG] config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24
10[CFG] selecting traffic selectors for other:
10[CFG] config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24
10[IKE] CHILD_SA myvpn~myrule{1} established with SPIs c4693eef_i cae4ef40_o
and TS 10.22.3.0/24 === 10.24.3.0/24
10[IKE] activating new tasks
10[IKE] nothing to initiate
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA> stroke statusall
08[CFG] proposing traffic selectors for us:
08[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
08[CFG] proposing traffic selectors for other:
08[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
Status of IKEv2 charon daemon (strongSwan 4.3.6):
uptime: 73 seconds, since Aug 18 12:27:20 2010
worker threads: 10 idle of 16, job queue load: 1, scheduled events: 5
loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke
kernel-netlink sha1 fips-prf eap-md5 eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-identity
Listening IP addresses:
10.22.3.103
10.80.3.35
10.23.3.103
Connections:
myvpn~myrule: 10.23.3.103...10.23.3.203, vpn: myvpn
myvpn~myrule: local: [carol at strongswan.org] uses EAP_AKA authentication
with EAP identity '0111222333444555'
myvpn~myrule: remote: [10.23.3.203] uses pre-shared key authentication
myvpn~myrule: child: 10.22.3.0/24 === 10.24.3.0/24
Routed Connections:
myvpn~myrule{1}: ROUTED, TUNNEL, vpn: myvpn
myvpn~myrule{1}: 10.22.3.0/24 === 10.24.3.0/24
Security Associations:
myvpn~myrule[2]: ESTABLISHED 10.23.3.103[carol at strongswan.org
]...10.23.3.203[10.23.3.203]
myvpn~myrule[2]: vpn: myvpn
myvpn~myrule[2]: IKE SPIs: bdaffcc2c759148a_i* ba08a39a907da030_r Creation
time: 9 seconds ago
, rekeying in 50 minutes
myvpn~myrule[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
myvpn~myrule{1}: INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: c4693eef_i
cae4ef40_o
myvpn~myrule{1}: 3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying
in 50 minutes
myvpn~myrule{1}: 10.22.3.0/24 === 10.24.3.0/24
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA> setkey -D
source=10.23.3.203 destination=10.23.3.103
protocol=esp mode=tunnel spi=3295231727(0xc4693eef)
reqid=1(0x00000001)
encr-algo=3des-cbc
encr-key=1333c2696d0aa50f9a1cda201ec4cbe480c13ac6208dd13c
auth-algo=hmac-sha1
auth-key=ba7e6ee2193fa475d1d34163e89a3d4ae0bb6b65
replay-window=32 flags=0x10000000 state=mature seq=1 pid=1352
created=2010-08-18/12:28:24 current=2010-08-18/12:28:35
elapsed=11(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:28:24
soft-lifetime=3049(s) renewal=2010-08-18/13:19:13
last-use=never
bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
source=10.23.3.103 destination=10.23.3.203
protocol=esp mode=tunnel spi=3404001088(0xcae4ef40)
reqid=1(0x00000001)
encr-algo=3des-cbc
encr-key=9d1b351dd86d6f5ef589b2214e8ed052901e34b67dae215d
auth-algo=hmac-sha1
auth-key=9cd64c16b51b3f819e6a89946a6fe8adc522cb3d
replay-window=32 flags=0x10000000 state=mature seq=0 pid=1352
created=2010-08-18/12:28:24 current=2010-08-18/12:28:35
elapsed=11(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:28:24
soft-lifetime=3034(s) renewal=2010-08-18/13:18:58
last-use=never
bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
admin at saturn:~/IKEv2client_EAPAKA>
admin at saturn:~/IKEv2client_EAPAKA>
Screen shots on server
======================
admin at uranus:~/IKEv2server_EAPAKA> ipsec start --nofork --debug-all &
Starting strongSwan 4.3.6 IPsec [starter]...
| Loading config setup
[First negotiation]
admin at uranus:~/IKEv2server_EAPAKA> 11[NET] received packet: from
10.23.3.103[500] to 10.23.3.203[500]
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[CFG] looking for an ike config for 10.23.3.203...10.23.3.103
11[CFG] candidate: 10.23.3.203...10.23.3.103, prio 12
11[CFG] found matching ike config: 10.23.3.203...10.23.3.103 with prio 12
11[IKE] 10.23.3.103 is initiating an IKE_SA
11[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
11[CFG] selecting proposal:
11[CFG] proposal matches
11[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
11[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
11[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
12[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
12[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
12[CFG] looking for peer configs matching
10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
12[CFG] candidate "myvpn~myrule", match: 20/20/12 (me/other/ike)
12[CFG] selected peer config 'myvpn~myrule'
12[IKE] initiating EAP-Identity request
12[IKE] authentication of '10.23.3.203' (myself) with pre-shared key
12[IKE] successfully created shared key MAC
12[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
12[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
13[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
13[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
13[IKE] received EAP identity '0111222333444555'
13[IKE] initiating EAP_RADIUS method
13[ENC] generating IKE_AUTH response 2 [ EAP/REQ/AKA ]
13[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
14[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
14[ENC] parsed IKE_AUTH request 3 [ EAP/RES/AKA ]
14[ENC] generating IKE_AUTH response 3 [ EAP/REQ/AKA ]
14[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
15[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/AKA ]
15[ENC] generating IKE_AUTH response 4 [ EAP/REQ/AKA ]
15[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
16[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
16[ENC] parsed IKE_AUTH request 5 [ EAP/RES/AKA ]
16[IKE] EAP method EAP_AKA succeeded, MSK established
16[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
16[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
07[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
07[ENC] parsed IKE_AUTH request 6 [ AUTH ]
07[IKE] authentication of 'carol at strongswan.org' with EAP successful
07[IKE] authentication of '10.23.3.203' (myself) with EAP
07[IKE] IKE_SA myvpn~myrule[1] established between
10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
07[IKE] IKE_SA myvpn~myrule[1] state change: CONNECTING => ESTABLISHED
07[IKE] scheduling rekeying in 2962s
07[IKE] maximum IKE_SA lifetime 3322s
07[CFG] looking for a child config for 10.24.3.114/32[icmp] 10.24.3.0/24 ===
10.22.3.112/32[icmp/8] 10.22.3.0/24
07[CFG] proposing traffic selectors for us:
07[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
07[CFG] proposing traffic selectors for other:
07[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
07[CFG] candidate "myvpn~myrule" with prio 7+7
07[CFG] found matching child config "myvpn~myrule" with prio 14
07[CFG] selecting proposal:
07[CFG] proposal matches
07[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[CFG] selecting traffic selectors for us:
07[CFG] config: 10.24.3.0/24, received: 10.24.3.114/32[icmp] => match:
10.24.3.114/32[icmp]
07[CFG] config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24
07[CFG] selecting traffic selectors for other:
07[CFG] config: 10.22.3.0/24, received: 10.22.3.112/32[icmp/8] => match:
10.22.3.112/32[icmp/8]
07[CFG] config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24
07[IKE] CHILD_SA myvpn~myrule{2} established with SPIs cc0ead23_i cab46712_o
and TS 10.24.3.0/24 === 10.22.3.0/24
07[ENC] generating IKE_AUTH response 6 [ AUTH SA TSi TSr ]
07[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA> stroke statusall
02[CFG] proposing traffic selectors for us:
02[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
Status of IKEv2 charon daemon (strongSwan 4.3.6):
uptime: 42 seconds, since Aug 18 12:27:30 2010
worker threads: 10 idle of 16, job queue load: 1, scheduled events: 3
loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke
kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-identity
Listening IP addresses:
10.24.3.203
10.80.3.36
10.23.3.203
Connections:
myvpn~myrule: 10.23.3.203...10.23.3.103, vpn: myvpn
myvpn~myrule: local: [10.23.3.203] uses pre-shared key authentication
myvpn~myrule: remote: [carol at strongswan.org] uses EAP_RADIUS
authentication with EAP identity '%any'
myvpn~myrule: child: 10.24.3.0/24 === 10.22.3.0/24
Routed Connections:
myvpn~myrule{1}: ROUTED, TUNNEL, vpn: myvpn
myvpn~myrule{1}: 10.24.3.0/24 === 10.22.3.0/24
Security Associations:
myvpn~myrule[1]: ESTABLISHED 10.23.3.203[10.23.3.203]...10.23.3.103[
carol at strongswan.org]
myvpn~myrule[1]: vpn: myvpn
myvpn~myrule[1]: IKE SPIs: 267a926f447d7db7_i 634aecbed3ac3a34_r* Creation
time: 18 seconds ago
, rekeying in 49 minutes
myvpn~myrule[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
myvpn~myrule{2}: INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cc0ead23_i
cab46712_o
myvpn~myrule{2}: 3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying
in 52 minutes
myvpn~myrule{2}: 10.24.3.0/24 === 10.22.3.0/24
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA> setkey -D
source=10.23.3.103 destination=10.23.3.203
protocol=esp mode=tunnel spi=3423513891(0xcc0ead23)
reqid=2(0x00000002)
encr-algo=3des-cbc
encr-key=15f393ad893265611c6cad90a40402e0a1653e95038dbf33
auth-algo=hmac-sha1
auth-key=532b348d3f44e67fbb3634e53c25be18e62d1017
replay-window=32 flags=0x10000000 state=mature seq=1 pid=1348
created=2010-08-18/12:27:54 current=2010-08-18/12:28:13
elapsed=19(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:27:54
soft-lifetime=3151(s) renewal=2010-08-18/13:20:25
last-use=never
bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
source=10.23.3.203 destination=10.23.3.103
protocol=esp mode=tunnel spi=3400820498(0xcab46712)
reqid=2(0x00000002)
encr-algo=3des-cbc
encr-key=d56d2f878928e489b3c1b901a608a9fdbe830333f5bd20a8
auth-algo=hmac-sha1
auth-key=91d104fe097417d112e5304cb4c92dc5e2f76c9a
replay-window=32 flags=0x10000000 state=mature seq=0 pid=1348
created=2010-08-18/12:27:54 current=2010-08-18/12:28:13
elapsed=19(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:27:54
soft-lifetime=3172(s) renewal=2010-08-18/13:20:46
last-use=never
bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
admin at uranus:~/IKEv2server_EAPAKA>
[Second negotiation]
admin at uranus:~/IKEv2server_EAPAKA> 11[NET] received packet: from
10.23.3.103[500] to 10.23.3.203[500]
11[ENC] parsed INFORMATIONAL request 7 [ D ]
11[IKE] received DELETE for IKE_SA myvpn~myrule[1]
11[IKE] deleting IKE_SA myvpn~myrule[1] between
10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
11[IKE] IKE_SA myvpn~myrule[1] state change: ESTABLISHED => DELETING
11[IKE] IKE_SA deleted
11[ENC] generating INFORMATIONAL response 7 [ ]
11[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
11[IKE] IKE_SA myvpn~myrule[1] state change: DELETING => DESTROYING
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA> 12[NET] received packet: from
10.23.3.103[500] to 10.23.3.203[500]
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
12[CFG] looking for an ike config for 10.23.3.203...10.23.3.103
12[CFG] candidate: 10.23.3.203...10.23.3.103, prio 12
12[CFG] found matching ike config: 10.23.3.203...10.23.3.103 with prio 12
12[IKE] 10.23.3.103 is initiating an IKE_SA
12[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
12[CFG] selecting proposal:
12[CFG] proposal matches
12[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[CFG] configured proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
12[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
13[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
13[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
13[CFG] looking for peer configs matching
10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
13[CFG] candidate "myvpn~myrule", match: 20/20/12 (me/other/ike)
13[CFG] selected peer config 'myvpn~myrule'
13[IKE] initiating EAP-Identity request
13[IKE] authentication of '10.23.3.203' (myself) with pre-shared key
13[IKE] successfully created shared key MAC
13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
13[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
14[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
14[IKE] received EAP identity '0111222333444555'
14[IKE] initiating EAP_RADIUS method
14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/AKA ]
14[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
15[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
15[ENC] parsed IKE_AUTH request 3 [ EAP/RES/AKA ]
15[IKE] EAP method EAP_AKA succeeded, MSK established
15[CFG] ***** auth_cfg.c:compiles: t1 = 0
15[CFG] ***** auth_cfg.c:compiles: t1 = 1
15[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
15[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
16[NET] received packet: from 10.23.3.103[500] to 10.23.3.203[500]
16[ENC] parsed IKE_AUTH request 4 [ AUTH ]
16[IKE] authentication of 'carol at strongswan.org' with EAP successful
16[IKE] authentication of '10.23.3.203' (myself) with EAP
16[IKE] IKE_SA myvpn~myrule[2] established between 10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
16[IKE] IKE_SA myvpn~myrule[2] state change: CONNECTING => ESTABLISHED
16[IKE] scheduling rekeying in 2910s
16[IKE] maximum IKE_SA lifetime 3270s
16[CFG] looking for a child config for 10.24.3.114/32[icmp] 10.24.3.0/24 === 10.22.3.112/32[icmp/8] 10.22.3.0/24
16[CFG] proposing traffic selectors for us:
16[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
16[CFG] proposing traffic selectors for other:
16[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
16[CFG] candidate "myvpn~myrule" with prio 7+7
16[CFG] found matching child config "myvpn~myrule" with prio 14
16[CFG] selecting proposal:
16[CFG] proposal matches
16[CFG] received proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
16[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
16[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
16[CFG] selecting traffic selectors for us:
16[CFG] config: 10.24.3.0/24, received: 10.24.3.114/32[icmp] => match: 10.24.3.114/32[icmp]
16[CFG] config: 10.24.3.0/24, received: 10.24.3.0/24 => match: 10.24.3.0/24
16[CFG] selecting traffic selectors for other:
16[CFG] config: 10.22.3.0/24, received: 10.22.3.112/32[icmp/8] => match: 10.22.3.112/32[icmp/8]
16[CFG] config: 10.22.3.0/24, received: 10.22.3.0/24 => match: 10.22.3.0/24
16[IKE] CHILD_SA myvpn~myrule{3} established with SPIs cae4ef40_i c4693eef_o and TS 10.24.3.0/24 === 10.22.3.0/24
16[ENC] generating IKE_AUTH response 4 [ AUTH SA TSi TSr ]
16[NET] sending packet: from 10.23.3.203[500] to 10.23.3.103[500]
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA> stroke statusall
02[CFG] proposing traffic selectors for us:
02[CFG] 10.24.3.0/24 (derived from 10.24.3.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG] 10.22.3.0/24 (derived from 10.22.3.0/24)
Status of IKEv2 charon daemon (strongSwan 4.3.6):
uptime: 90 seconds, since Aug 18 12:27:30 2010
worker threads: 10 idle of 16, job queue load: 1, scheduled events: 6
loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink sha1 fips-prf eap-radius eap-md5 eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-identity
Listening IP addresses:
10.24.3.203
10.80.3.36
10.23.3.203
Connections:
myvpn~myrule: 10.23.3.203...10.23.3.103, vpn: myvpn
myvpn~myrule: local: [10.23.3.203] uses pre-shared key authentication
myvpn~myrule: remote: [carol at strongswan.org] uses EAP_RADIUS authentication with EAP identity '%any'
myvpn~myrule: child: 10.24.3.0/24 === 10.22.3.0/24
Routed Connections:
myvpn~myrule{1}: ROUTED, TUNNEL, vpn: myvpn
myvpn~myrule{1}: 10.24.3.0/24 === 10.22.3.0/24
Security Associations:
myvpn~myrule[2]: ESTABLISHED 10.23.3.203[10.23.3.203]...10.23.3.103[carol at strongswan.org]
myvpn~myrule[2]: vpn: myvpn
myvpn~myrule[2]: IKE SPIs: bdaffcc2c759148a_i ba08a39a907da030_r* Creation
time: 16 seconds ago
, rekeying in 48 minutes
myvpn~myrule[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
myvpn~myrule{3}: INSTALLED, TUNNEL, vpn: myvpn, ESP SPIs: cae4ef40_i c4693eef_o
myvpn~myrule{3}: 3DES_CBC/HMAC_SHA1_96, 1224 bytes_i, 756 bytes_o, rekeying in 48 minutes
myvpn~myrule{3}: 10.24.3.0/24 === 10.22.3.0/24
admin at uranus:~/IKEv2server_EAPAKA>
admin at uranus:~/IKEv2server_EAPAKA> setkey -D
source=10.23.3.103 destination=10.23.3.203
protocol=esp mode=tunnel spi=3404001088(0xcae4ef40)
reqid=3(0x00000003)
encr-algo=3des-cbc
encr-key=9d1b351dd86d6f5ef589b2214e8ed052901e34b67dae215d
auth-algo=hmac-sha1
auth-key=9cd64c16b51b3f819e6a89946a6fe8adc522cb3d
replay-window=32 flags=0x10000000 state=mature seq=1 pid=1350
created=2010-08-18/12:28:44 current=2010-08-18/12:29:03
elapsed=19(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:28:44
soft-lifetime=2945(s) renewal=2010-08-18/13:17:49
last-use=never
bytes-processed=1224 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
source=10.23.3.203 destination=10.23.3.103
protocol=esp mode=tunnel spi=3295231727(0xc4693eef)
reqid=3(0x00000003)
encr-algo=3des-cbc
encr-key=1333c2696d0aa50f9a1cda201ec4cbe480c13ac6208dd13c
auth-algo=hmac-sha1
auth-key=ba7e6ee2193fa475d1d34163e89a3d4ae0bb6b65
replay-window=32 flags=0x10000000 state=mature seq=0 pid=1350
created=2010-08-18/12:28:44 current=2010-08-18/12:29:03
elapsed=19(s)
hard-lifetime=3600(s) expiration=2010-08-18/13:28:44
soft-lifetime=2929(s) renewal=2010-08-18/13:17:33
last-use=never
bytes-processed=756 hard-lifebyte=0 soft-lifebyte=0
vrfid=0 xvrfid=0
admin at uranus:~/IKEv2server_EAPAKA>
regards,
dennis