[strongSwan] deleting duplicate IKE_SA for peer due to uniqueness policy
Tito
f.disclosure at gmail.com
Fri Mar 12 15:13:18 CET 2010
Hi, I had strongSwan working great on openSUSE 11.1, and today I
upgraded one of my servers to openSUSE 11.2. The funny thing is that I
can connect from my home to that server and the connection will be
established, but when I connect from my workplace I cannot even
authenticate. At home I usually get the IP address 192.168.20.101,
which is the first IP in the subnet, but at my workplace the server is
trying to assign a new IP address, 192.168.20.102, although the client
is the same Windows 7 laptop, which gives me "Error 1931: the context
has expired and can no longer be used". I have found this on the
mailing list:
http://www.mail-archive.com/users@lists.strongswan.org/msg01196.html
but it does not give any solution. What am I doing wrong? What am I
missing?
PS: I have not set any hooks. UDP ports 4500 and 500 are opened through YaST!
Linux clients-pools 2.6.31.12-0.1-default #1 SMP 2010-01-27 08:20:11
+0100 i686 i686 i386 GNU/Linux
config setup
    crlcheckinterval=180
    plutostart=no
    charondebug="cfg 4"
    strictcrlpolicy=no
    charonstart=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=server.sytes.net
    leftcert=maikaCert.pem
    leftid=maika at server.sytes.net
    leftfirewall=yes

conn nat-t
    leftsubnet=192.168.25.0/24
    right=%any
    rightsubnet=192.168.20.0/24
    rightsourceip=192.168.20.100/26
    auto=add
    auth=esp

clients-pools:/var/log # ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.4):
uptime: 2 minutes, since Mar 12 15:44:23 2010
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 6
loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf random x509
pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke updown attr
resolv-conf
Virtual IP pools (size/online/offline):
nat-t: 63/0/1
Listening IP addresses:
192.168.25.1
192.168.20.1
78.130.X.X
Connections:
nat-t: 78.130.X.X...%any
nat-t: local: [C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net] uses public key authentication
nat-t: cert: "C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net"
nat-t: remote: [%any] uses any authentication
nat-t: child: 192.168.25.0/24 === 192.168.20.0/24
Security Associations:
nat-t[3]: ESTABLISHED 117 seconds ago, 78.130.X.X[C=BG,
ST=Plovdivska, O=Tnet, OU=Maika, CN=server.sytes.net]...62.X.X.X[C=BG,
ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net]
nat-t[3]: IKE SPIs: dea01c32130fd81d_i 6f4451b7b94b395f_r*,
public key reauthentication in 54 minutes
nat-t[3]: IKE proposal:
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
nat-t{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: c3c43851_i 726625ac_o
nat-t{3}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 13 minutes
nat-t{3}: 192.168.25.0/24 === 192.168.20.0/24
clients-pools:/var/log # ipsec listall
List of X.509 End Entity Certificates:
altNames: server.sytes.net
subject: "C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net"
issuer: "C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server,
CN=server.sytes.net"
serial: 01
validity: not before Mar 12 15:09:01 2010, ok
not after Mar 09 15:09:01 2020, ok
pubkey: RSA 2048 bits
keyid: fc:a7:c0:9a:d4:5c:e0:d4:0d:1d:65:d4:8e:be:14:b1:18:d1:66:78
subjkey: cc:f4:55:a2:72:70:7b:13:6f:e6:f3:dd:19:7b:b5:42:b5:3f:4f:8e
authkey: 35:34:24:d8:2a:f8:c9:bd:e7:d7:a3:26:cc:84:34:6b:cc:8a:d1:0d
altNames: server.sytes.net
subject: "C=BG, ST=Plovdivska, O=Tnet, OU=Maika, CN=server.sytes.net"
issuer: "C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server,
CN=server.sytes.net"
serial: 00
validity: not before Mar 12 15:07:43 2010, ok
not after Mar 09 15:07:43 2020, ok
pubkey: RSA 2048 bits, has private key
keyid: 29:5b:dd:59:e8:34:23:d4:e7:24:ec:92:a0:4e:77:ef:e0:17:93:43
subjkey: 64:3f:de:17:7b:f4:1f:2d:95:6f:7b:db:07:6b:bc:ac:36:98:7e:8a
authkey: 35:34:24:d8:2a:f8:c9:bd:e7:d7:a3:26:cc:84:34:6b:cc:8a:d1:0d
List of X.509 CA Certificates:
subject: "C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server,
CN=server.sytes.net"
issuer: "C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server,
CN=server.sytes.net"
serial: 00:a9:90:2b:d2:bf:c5:c0:25
validity: not before Mar 12 15:06:29 2010, ok
not after Apr 11 16:06:29 2010, ok (expires in 29 days)
pubkey: RSA 2048 bits
keyid: 4e:18:95:94:34:b7:0e:3f:51:94:22:21:88:5f:16:9d:f0:72:98:3c
subjkey: 35:34:24:d8:2a:f8:c9:bd:e7:d7:a3:26:cc:84:34:6b:cc:8a:d1:0d
authkey: 35:34:24:d8:2a:f8:c9:bd:e7:d7:a3:26:cc:84:34:6b:cc:8a:d1:0d
List of registered IKEv2 Algorithms:
encryption: AES_CBC 3DES_CBC DES_CBC DES_ECB CAMELLIA_CBC RC5_CBC
IDEA_CBC CAST_CBC BLOWFISH_CBC NULL SERPENT_CBC TWOFISH_CBC
integrity: AES_XCBC_96 HMAC_SHA1_96 HMAC_SHA1_128 HMAC_SHA1_160
HMAC_SHA2_256_128 HMAC_MD5_96 HMAC_MD5_128 HMAC_SHA2_384_192
HMAC_SHA2_512_256
hasher: HASH_SHA1 HASH_SHA224 HASH_SHA256 HASH_SHA384 HASH_SHA512
HASH_MD5 HASH_MD2 HASH_MD4
prf: PRF_KEYED_SHA1 PRF_FIPS_SHA1_160 PRF_AES128_XCBC
PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384
PRF_HMAC_SHA2_512
dh-group: ECP_192 ECP_224 ECP_256 ECP_384 ECP_521 MODP_2048
MODP_1536 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024 MODP_768
Mar 12 15:45:20 clients-pools charon: 11[IKE] retransmit 2 of request
with message ID 0
Mar 12 15:45:20 clients-pools charon: 11[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:20 clients-pools charon: 12[NET] received packet: from
62.X.X.X[26517] to 78.130.X.X[500]
Mar 12 15:45:20 clients-pools charon: 12[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 12 15:45:20 clients-pools charon: 12[CFG] looking for an ike config
for 78.130.X.X...62.X.X.X
Mar 12 15:45:20 clients-pools charon: 12[CFG] candidate:
78.130.X.X...%any, prio 5
Mar 12 15:45:20 clients-pools charon: 12[CFG] found matching ike config:
78.130.X.X...%any with prio 5
Mar 12 15:45:20 clients-pools charon: 12[IKE] 62.X.X.X is initiating an
IKE_SA
Mar 12 15:45:20 clients-pools charon: 12[IKE] 62.X.X.X is initiating an
IKE_SA
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
DIFFIE_HELLMAN_GROUP found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
INTEGRITY_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
INTEGRITY_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 12[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 12[CFG] proposal matches
Mar 12 15:45:20 clients-pools charon: 12[CFG] received proposals:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Mar 12 15:45:20 clients-pools charon: 12[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/ECP_192/ECP_224/ECP_256/ECP_384/ECP_521/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
Mar 12 15:45:20 clients-pools charon: 12[CFG] selected proposal:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 12 15:45:20 clients-pools charon: 12[IKE] remote host is behind NAT
Mar 12 15:45:20 clients-pools charon: 12[IKE] sending cert request for
"C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 12[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 12 15:45:20 clients-pools charon: 12[NET] sending packet: from
78.130.X.X[500] to 62.X.X.X[26517]
Mar 12 15:45:20 clients-pools charon: 13[NET] received packet: from
62.X.X.X[26716] to 78.130.X.X[4500]
Mar 12 15:45:20 clients-pools charon: 13[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Mar 12 15:45:20 clients-pools charon: 13[ENC] parsed IKE_AUTH request 1
[ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
Mar 12 15:45:20 clients-pools charon: 13[IKE] received cert request for
"C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[IKE] received end entity cert
"C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[CFG] looking for peer configs
matching 78.130.X.X[%any]...62.X.X.X[C=BG, ST=Plovdivska, O=Tnet,
OU=Tito, CN=server.sytes.net]
Mar 12 15:45:20 clients-pools charon: 13[CFG] candidate "nat-t",
match: 1/1/5 (me/other/ike)
Mar 12 15:45:20 clients-pools charon: 13[CFG] selected peer config 'nat-t'
Mar 12 15:45:20 clients-pools charon: 13[CFG] using certificate "C=BG,
ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[CFG] using trusted ca
certificate "C=BG, ST=Plovdivska, L=Plovdiv, O=Tnet, OU=Server,
CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[CFG] checking certificate
status of "C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[CFG] ocsp check skipped, no
ocsp found
Mar 12 15:45:20 clients-pools charon: 13[CFG] certificate status is not
available
Mar 12 15:45:20 clients-pools charon: 13[IKE] authentication of 'C=BG,
ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net' with RSA signature
successful
Mar 12 15:45:20 clients-pools charon: 13[IKE] peer supports MOBIKE
Mar 12 15:45:20 clients-pools charon: 13[IKE] authentication of 'C=BG,
ST=Plovdivska, O=Tnet, OU=Maika, CN=server.sytes.net' (myself) with RSA
signature successful
Mar 12 15:45:20 clients-pools charon: 13[IKE] deleting duplicate IKE_SA
for peer 'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net' due
to uniqueness policy
Mar 12 15:45:20 clients-pools charon: 13[IKE] deleting IKE_SA nat-t[2]
between 78.130.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net]...62.X.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Tito,
CN=server.sytes.net]
Mar 12 15:45:20 clients-pools charon: 13[IKE] deleting IKE_SA nat-t[2]
between 78.130.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net]...62.X.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Tito,
CN=server.sytes.net]
Mar 12 15:45:20 clients-pools charon: 13[IKE] sending DELETE for IKE_SA
nat-t[2]
Mar 12 15:45:20 clients-pools charon: 13[ENC] generating INFORMATIONAL
request 0 [ D ]
Mar 12 15:45:20 clients-pools charon: 13[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:20 clients-pools charon: 13[IKE] scheduling
reauthentication in 3404s
Mar 12 15:45:20 clients-pools charon: 13[IKE] maximum IKE_SA lifetime 3584s
Mar 12 15:45:20 clients-pools charon: 13[IKE] IKE_SA nat-t[3]
established between 78.130.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net]...62.X.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Tito,
CN=server.sytes.net]
Mar 12 15:45:20 clients-pools charon: 13[IKE] IKE_SA nat-t[3]
established between 78.130.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Maika,
CN=server.sytes.net]...62.X.X.X[C=BG, ST=Plovdivska, O=Tnet, OU=Tito,
CN=server.sytes.net]
Mar 12 15:45:20 clients-pools charon: 13[IKE] sending end entity cert
"C=BG, ST=Plovdivska, O=Tnet, OU=Maika, CN=server.sytes.net"
Mar 12 15:45:20 clients-pools charon: 13[IKE] peer requested virtual IP %any
Mar 12 15:45:20 clients-pools charon: 13[CFG] assigning new lease to
'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net'
Mar 12 15:45:20 clients-pools charon: 13[IKE] assigning virtual IP
192.168.20.103 to peer
Mar 12 15:45:20 clients-pools charon: 13[CFG] looking for a child config
for 0.0.0.0/0 === 0.0.0.0/0
Mar 12 15:45:20 clients-pools charon: 13[CFG] proposing traffic
selectors for us:
Mar 12 15:45:20 clients-pools charon: 13[CFG] 192.168.25.0/24 (derived
from 192.168.25.0/24)
Mar 12 15:45:20 clients-pools charon: 13[CFG] proposing traffic
selectors for other:
Mar 12 15:45:20 clients-pools charon: 13[CFG] 192.168.20.0/24 (derived
from 192.168.20.0/24)
Mar 12 15:45:20 clients-pools charon: 13[CFG] candidate "nat-t" with
prio 1+1
Mar 12 15:45:20 clients-pools charon: 13[CFG] found matching child
config "nat-t" with prio 2
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 13[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 13[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 13[CFG] no acceptable
ENCRYPTION_ALGORITHM found
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting proposal:
Mar 12 15:45:20 clients-pools charon: 13[CFG] proposal matches
Mar 12 15:45:20 clients-pools charon: 13[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar 12 15:45:20 clients-pools charon: 13[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Mar 12 15:45:20 clients-pools charon: 13[CFG] selected proposal:
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting traffic
selectors for us:
Mar 12 15:45:20 clients-pools charon: 13[CFG] config: 192.168.25.0/24,
received: 0.0.0.0/0 => match: 192.168.25.0/24
Mar 12 15:45:20 clients-pools charon: 13[CFG] selecting traffic
selectors for other:
Mar 12 15:45:20 clients-pools charon: 13[CFG] config: 192.168.20.0/24,
received: 0.0.0.0/0 => match: 192.168.20.0/24
Mar 12 15:45:21 clients-pools vpn: + C=BG, ST=Plovdivska, O=Tnet,
OU=Tito, CN=server.sytes.net 192.168.20.0/24 == 62.X.X.X -- 78.130.X.X
== 192.168.25.0/24
Mar 12 15:45:21 clients-pools charon: 13[IKE] CHILD_SA nat-t{3}
established with SPIs c3c43851_i 726625ac_o and TS 192.168.25.0/24 ===
192.168.20.0/24
Mar 12 15:45:21 clients-pools charon: 13[IKE] CHILD_SA nat-t{3}
established with SPIs c3c43851_i 726625ac_o and TS 192.168.25.0/24 ===
192.168.20.0/24
Mar 12 15:45:21 clients-pools charon: 13[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Mar 12 15:45:21 clients-pools charon: 13[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:22 clients-pools charon: 14[NET] received packet: from
62.X.X.X[26716] to 78.130.X.X[4500]
Mar 12 15:45:22 clients-pools charon: 14[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Mar 12 15:45:22 clients-pools charon: 14[ENC] parsed IKE_AUTH request 1
[ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
Mar 12 15:45:22 clients-pools charon: 14[IKE] received retransmit of
request with ID 1, retransmitting response
Mar 12 15:45:22 clients-pools charon: 14[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:24 clients-pools charon: 15[NET] received packet: from
62.X.X.X[26716] to 78.130.X.X[4500]
Mar 12 15:45:24 clients-pools charon: 15[ENC] unknown attribute type
INTERNAL_IP4_SERVER
Mar 12 15:45:24 clients-pools charon: 15[ENC] parsed IKE_AUTH request 1
[ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP SA TSi TSr ]
Mar 12 15:45:24 clients-pools charon: 15[IKE] received retransmit of
request with ID 1, retransmitting response
Mar 12 15:45:24 clients-pools charon: 15[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:24 clients-pools charon: 16[IKE] retransmit 1 of request
with message ID 0
Mar 12 15:45:24 clients-pools charon: 16[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:26 clients-pools charon: 07[NET] received packet: from
62.X.X.X[26716] to 78.130.X.X[4500]
Mar 12 15:45:26 clients-pools charon: 07[ENC] DELETE verification failed
Mar 12 15:45:26 clients-pools charon: 07[ENC] encrypted payload could
not be decrypted and parsed
Mar 12 15:45:26 clients-pools charon: 07[ENC] could not decrypt payloads
Mar 12 15:45:26 clients-pools charon: 07[IKE] message parsing failed
Mar 12 15:45:26 clients-pools charon: 07[ENC] generating INFORMATIONAL
response 1 [ N(INVAL_SYN) ]
Mar 12 15:45:26 clients-pools charon: 07[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:26 clients-pools charon: 07[IKE] INFORMATIONAL request with
message ID 1 processing failed
Mar 12 15:45:26 clients-pools charon: 04[NET] received packet: from
62.X.X.X[26716] to 78.130.X.X[4500]
Mar 12 15:45:26 clients-pools charon: 04[ENC] parsed INFORMATIONAL
request 2 [ N((12345)) ]
Mar 12 15:45:26 clients-pools charon: 04[ENC] generating INFORMATIONAL
response 2 [ ]
Mar 12 15:45:26 clients-pools charon: 04[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:32 clients-pools charon: 09[IKE] retransmit 2 of request
with message ID 0
Mar 12 15:45:32 clients-pools charon: 09[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:33 clients-pools charon: 10[IKE] retransmit 3 of request
with message ID 0
Mar 12 15:45:33 clients-pools charon: 10[NET] sending packet: from
78.130.X.X[4500] to 62.X.X.X[26716]
Mar 12 15:45:38 clients-pools charon: 11[JOB] deleting half open IKE_SA
after timeout
Mar 12 15:45:38 clients-pools vpn: - C=BG, ST=Plovdivska, O=Tnet,
OU=Tito, CN=server.sytes.net 192.168.20.0/24 == 62.X.X.X -- 78.130.X.X
== 192.168.25.0/24
Mar 12 15:45:38 clients-pools charon: 11[CFG] lease 192.168.20.102 by
'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net' went offline
Mar 12 15:45:38 clients-pools charon: 12[IKE] destroying IKE_SA in state
DELETING without notification
Mar 12 15:45:38 clients-pools vpn: - C=BG, ST=Plovdivska, O=Tnet,
OU=Tito, CN=server.sytes.net 192.168.20.0/24 == 62.X.X.X -- 78.130.X.X
== 192.168.25.0/24
Mar 12 15:45:38 clients-pools charon: 12[CFG] releasing address to pool
'nat-t' failed
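
An added example, not part of the original post: a short Python script that rejoins the mail-wrapped charon log lines and lists the IKE_SA lifecycle events that appear in this log (uniqueness-policy deletion, virtual IP assignment, retransmits, lease release). The event names and the `unwrap`, `timeline` and `counts` helpers are this example's own; the sample is an excerpt of the log above.

```python
import re
from collections import Counter

# Excerpt from the charon log in the post above, left mail-wrapped as posted.
SAMPLE = """\
Mar 12 15:45:20 clients-pools charon: 13[IKE] deleting duplicate IKE_SA
for peer 'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net' due
to uniqueness policy
Mar 12 15:45:20 clients-pools charon: 13[IKE] assigning virtual IP
192.168.20.103 to peer
Mar 12 15:45:22 clients-pools charon: 14[IKE] received retransmit of
request with ID 1, retransmitting response
Mar 12 15:45:24 clients-pools charon: 15[IKE] received retransmit of
request with ID 1, retransmitting response
Mar 12 15:45:26 clients-pools charon: 07[ENC] could not decrypt payloads
Mar 12 15:45:38 clients-pools charon: 11[JOB] deleting half open IKE_SA
after timeout
Mar 12 15:45:38 clients-pools vpn: - C=BG, ST=Plovdivska, O=Tnet,
OU=Tito, CN=server.sytes.net 192.168.20.0/24 == 62.X.X.X -- 78.130.X.X
== 192.168.25.0/24
Mar 12 15:45:38 clients-pools charon: 11[CFG] lease 192.168.20.102 by
'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, CN=server.sytes.net' went offline
Mar 12 15:45:38 clients-pools charon: 12[CFG] releasing address to pool
'nat-t' failed
"""

# Syslog record head: "Mar 12 15:45:20 host program: message"
HEAD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (\w+): (.*)$")
# charon message prefix: worker thread number and subsystem, e.g. "13[IKE] "
CHARON = re.compile(r"^(\d+)\[(\w+)\] (.*)$")

# Event labels are this example's own; the patterns are the log texts above.
EVENTS = [
    ("duplicate_deleted", re.compile(
        r"deleting duplicate IKE_SA for peer '(.+)' due to uniqueness policy")),
    ("vip_assigned", re.compile(r"assigning virtual IP (\S+) to peer")),
    ("peer_retransmit", re.compile(r"received retransmit of request with ID (\d+)")),
    ("local_retransmit", re.compile(r"retransmit (\d+) of request with message ID (\d+)")),
    ("decrypt_failed", re.compile(r"could not decrypt payloads")),
    ("half_open_timeout", re.compile(r"deleting half open IKE_SA after timeout")),
    ("lease_offline", re.compile(r"lease (\S+) by '(.+)' went offline")),
    ("pool_release_failed", re.compile(r"releasing address to pool '(.+)' failed")),
]

def unwrap(text):
    """Rejoin mail-wrapped continuation lines onto their syslog record."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][3] += " " + line.strip()
    return [tuple(r) for r in records]

def timeline(text):
    """Return (timestamp, subsystem, event, details) for known charon events."""
    out = []
    for ts, _host, prog, msg in unwrap(text):
        m = CHARON.match(msg) if prog == "charon" else None
        if not m:
            continue  # skip other programs (e.g. the updown "vpn" lines)
        _thread, subsystem, body = m.groups()
        for name, pat in EVENTS:
            hit = pat.search(body)
            if hit:
                out.append((ts, subsystem, name, hit.groups()))
                break
    return out

def counts(events):
    """Count how often each event label occurs in a timeline."""
    return dict(Counter(name for _ts, _sub, name, _detail in events))

if __name__ == "__main__":
    for ts, sub, name, detail in timeline(SAMPLE):
        print(ts, sub, name, *detail)
    print(counts(timeline(SAMPLE)))
```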