[strongSwan] certificate status is not available

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 30 09:44:05 CET 2010


Hello Laurence,

as I wrote to Bijan, I would need the certificate for closer
inspection of the DER encoding of the distinguished name.

Regards

Andreas

On 11/30/2010 08:56 AM, Groebl, Laurence (Laurence) wrote:
> Hello Andreas,
> thanks for the reply.
>
> we fixed the issue of the missing '.' (full stop) character at the end.
>
> However it's still not working, it seems we have a problem in the
> net-net configuration "selected peer config 'net-net' inacceptable".
> Could you please help us find the error?
>
> Thanks for your support,
>
> Best regards,
>
> Laurence & Bijan
>
> -------
>
> ipsec_starter[28203]: Starting strongSwan 4.3.4 IPsec [starter]...
>
> charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
>
> charon: 01[KNL] listening on interfaces:
>
> charon: 01[KNL]eth1
>
> charon: 01[KNL]192.168.20.51
>
> charon: 01[KNL]fe80::217:3fff:fed0:772c
>
> charon: 01[KNL]eth0
>
> charon: 01[KNL]149.204.17.51
>
> charon: 01[KNL]fe80::224:81ff:fe1d:d4fa
>
> charon: 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>
> charon: 01[LIB]loaded certificate file '/etc/ipsec.d/cacerts/Myroot2.pem'
>
> charon: 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>
> charon: 01[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
>
> charon: 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>
> charon: 01[CFG] loading crls from '/etc/ipsec.d/crls'
>
> charon: 01[LIB]loaded crl file '/etc/ipsec.d/crls/crl_Myroot1.pem'
>
> charon: 01[LIB]loaded crl file '/etc/ipsec.d/crls/crl_Myroot2.pem'
>
> charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
>
> charon: 01[CFG]loaded private key file '/etc/ipsec.d/private/MyBTS1_key.pem'
>
> charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf
> random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke
> updown attr resolv-conf
>
> charon: 01[JOB] spawning 16 worker threads
>
> ipsec_starter[28222]: charon (28223) started after 20 ms
>
> charon: 05[CFG] stroke message => 272 bytes @ 0xb5945160
>
> charon: 05[CFG] crl caching to /etc/ipsec.d/crls enabled
>
> charon: 08[CFG] stroke message => 399 bytes @ 0xb41420e0
>
> charon: 08[CFG] received stroke: add connection 'net-net'
>
> charon: 08[CFG] conn net-net
>
> charon: 08[CFG]left=192.168.20.51
>
> charon: 08[CFG]leftsubnet=(null)
>
> charon: 08[CFG]leftsourceip=(null)
>
> charon: 08[CFG]leftauth=rsasig
>
> charon: 08[CFG]leftauth2=(null)
>
> charon: 08[CFG] leftid=(null)
>
> charon: 08[CFG]leftid2=(null)
>
> charon: 08[CFG]leftcert=MyBTS1.pem
>
> charon: 08[CFG]leftcert2=(null)
>
> charon: 08[CFG]leftca=(null)
>
> charon: 08[CFG]leftca2=(null)
>
> charon: 08[CFG]leftgroups=(null)
>
> charon: 08[CFG]leftupdown=(null)
>
> charon: 08[CFG]right=192.168.20.254
>
> charon: 08[CFG]rightsubnet=192.168.30.0/24
>
> charon: 08[CFG]rightsourceip=(null)
>
> charon: 08[CFG]rightauth=rsasig
>
> charon: 08[CFG]rightauth2=(null)
>
> charon: 08[CFG]rightid=SSG320M.
>
> charon: 08[CFG]rightid2=(null)
>
> charon: 08[CFG]rightcert=(null)
>
> charon: 08[CFG]rightcert2=(null)
>
> charon: 08[CFG]rightca=(null)
>
> charon: 08[CFG]rightca2=(null)
>
> charon: 08[CFG]rightgroups=(null)
>
> charon: 08[CFG]rightupdown=(null)
>
> charon: 08[CFG]eap_identity=(null)
>
> charon: 08[CFG]ike=3des-sha1-modp1024!
>
> charon: 08[CFG]esp=3des-sha1-modp1024!
>
> charon: 08[CFG]mediation=no
>
> charon: 08[CFG]mediated_by=(null)
>
> charon: 08[CFG]me_peerid=(null)
>
> charon: 08[KNL] getting interface name for 192.168.20.254
>
> charon: 08[KNL] 192.168.20.254 is not a local address
>
> charon: 08[KNL] getting interface name for 192.168.20.51
>
> charon: 08[KNL] 192.168.20.51 is on interface eth1
>
> charon: 08[LIB]loaded certificate file '/etc/ipsec.d/certs/MyBTS1.pem'
>
> charon: 08[CFG]peerid 192.168.20.51 not confirmed by certificate,
> defaulting to subject DN: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN
>
> charon: 08[CFG] added configuration 'net-net'
>
> charon: 10[CFG] stroke message => 280 bytes @ 0xb3140150
>
> charon: 10[CFG] received stroke: initiate 'net-net'
>
> charon: 10[IKE] queueing IKE_INIT task
>
> charon: 10[IKE] queueing IKE_NATD task
>
> charon: 10[IKE] queueing IKE_CERT_PRE task
>
> charon: 10[IKE] queueing IKE_AUTHENTICATE task
>
> charon: 10[IKE] queueing IKE_CERT_POST task
>
> charon: 10[IKE] queueing IKE_CONFIG task
>
> charon: 10[IKE] queueing IKE_AUTH_LIFETIME task
>
> charon: 10[IKE] queueing CHILD_CREATE task
>
> charon: 10[IKE] activating new tasks
>
> charon: 10[IKE]activating IKE_INIT task
>
> charon: 10[IKE]activating IKE_NATD task
>
> charon: 10[IKE]activating IKE_CERT_PRE task
>
> charon: 10[IKE]activating IKE_AUTHENTICATE task
>
> charon: 10[IKE]activating IKE_CERT_POST task
>
> charon: 10[IKE]activating IKE_CONFIG task
>
> charon: 10[IKE]activating CHILD_CREATE task
>
> charon: 10[IKE]activating IKE_AUTH_LIFETIME task
>
> charon: 10[IKE] initiating IKE_SA net-net[1] to 192.168.20.254
>
> charon: 10[IKE] initiating IKE_SA net-net[1] to 192.168.20.254
>
> charon: 10[IKE] IKE_SA net-net[1] state change: CREATED => CONNECTING
>
> charon: 10[IKE] natd_chunk => 22 bytes @ 0x80a9b08
>
> [...]
>
> charon: 10[IKE] natd_hash => 20 bytes @ 0x80a8af8
>
> [...]
>
> charon: 10[IKE] natd_chunk => 22 bytes @ 0x80a9b08
>
> [...]
>
> charon: 10[IKE] natd_hash => 20 bytes @ 0x80a8af8
>
> [...]
>
> charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
>
> charon: 10[NET] sending packet: from 192.168.20.51[500] to
> 192.168.20.254[500]
>
> charon: 14[NET] received packet: from 192.168.20.254[500] to
> 192.168.20.51[500]
>
> charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]
>
> charon: 14[CFG] selecting proposal:
>
> charon: 14[CFG]proposal matches
>
> charon: 14[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> charon: 14[CFG] configured proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> charon: 14[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> charon: 14[IKE] shared Diffie Hellman secret => 128 bytes @ 0x80aaf10
>
> charon: 14[IKE] SKEYSEED => 20 bytes @ 0x80a9bf0
>
> charon: 14[IKE]0: 66 76 89 78 63 67 D7 E1 73 C7 51 CF 4C 19 F3
> 9Ffv.xcg..s.Q.L...
>
> charon: 14[IKE]16: B1 94 6B 5A..kZ
>
> charon: 14[IKE] Sk_d secret => 20 bytes @ 0x80a9bf0
>
> [...]
>
> charon: 14[IKE] Sk_ai secret => 20 bytes @ 0x80a9568
>
> [...]
>
> charon: 14[IKE] Sk_ar secret => 20 bytes @ 0x80a9568
>
> [...]
>
> charon: 14[IKE] Sk_ei secret => 24 bytes @ 0x80a58f0
>
> [...]
>
> charon: 14[IKE] Sk_er secret => 24 bytes @ 0x80a58f0
>
> [...]
>
> charon: 14[IKE] Sk_pi secret => 20 bytes @ 0x80ab130
>
> [...]
>
> charon: 14[IKE] Sk_pr secret => 20 bytes @ 0x80a58f0
>
> [...]
>
> charon: 14[IKE] natd_chunk => 22 bytes @ 0x80a9a38
>
> [...]
>
> charon: 14[IKE] natd_hash => 20 bytes @ 0x80a9818
>
> [...]
>
> charon: 14[IKE] natd_chunk => 22 bytes @ 0x80a9a38
>
> [...]
>
> charon: 14[IKE] natd_hash => 20 bytes @ 0x80aaf88
>
> [...]
>
> charon: 14[IKE] precalculated src_hash => 20 bytes @ 0x80aaf88
>
> [...]
>
> charon: 14[IKE] precalculated dst_hash => 20 bytes @ 0x80a9818
>
> [...]
>
> charon: 14[IKE] received cert request for unknown ca with keyid
> 12:b9:6f:ae:3c:15:64:e2:f1:16:5f:e9:be:e3:3a:ca:03:65:af:c5
>
> charon: 14[IKE] reinitiating already active tasks
>
> charon: 14[IKE]IKE_CERT_PRE task
>
> charon: 14[IKE]IKE_AUTHENTICATE task
>
> charon: 14[IKE] sending cert request for "C=DE, O=Alcatel-Lucent,
> OU=Wireless, CN=JuniperRoot"
>
> charon: 14[IKE] sending cert request for "C=DE, O=Alcatel-Lucent,
> OU=Wireless, CN=SWAN"
>
> charon: 14[IKE] IDx' => 78 bytes @ 0xb113c040
>
> charon: 14[IKE]0: 09 00 00 00 30 48 31 0B 30 09 06 03 55 04 06
> 13....0H1.0...U...
>
> charon: 14[IKE]16: 02 44 45 31 17 30 15 06 03 55 04 0A 13 0E 41
> 6C.DE1.0...U....Al
>
> charon: 14[IKE]32: 63 61 74 65 6C 2D 4C 75 63 65 6E 74 31 11 30
> 0Fcatel-Lucent1.0.
>
> charon: 14[IKE]48: 06 03 55 04 0B 13 08 57 69 72 65 6C 65 73 73
> 31..U....Wireless1
>
> charon: 14[IKE]64: 0D 30 0B 06 03 55 04 03 13 04 53 57 41 4E.0...U....SWAN
>
> charon: 14[IKE] SK_p => 20 bytes @ 0x80ab130
>
> [...]
>
> charon: 14[IKE] octets = message + nonce + prf(Sk_px, IDx') => 352 bytes
> @ 0x80aa830
>
> charon: 14[IKE] authentication of 'C=DE, O=Alcatel-Lucent, OU=Wireless,
> CN=SWAN' (myself) with RSA signature successful
>
> charon: 14[IKE] sending end entity cert "C=DE, O=Alcatel-Lucent,
> OU=Wireless, CN=SWAN"
>
> charon: 14[IKE] establishing CHILD_SA net-net
>
> charon: 14[IKE] establishing CHILD_SA net-net
>
> charon: 14[CFG] proposing traffic selectors for us:
>
> charon: 14[CFG]dynamic (derived from dynamic)
>
> charon: 14[CFG] proposing traffic selectors for other:
>
> charon: 14[CFG]192.168.30.0/24 (derived from 192.168.30.0/24)
>
> charon: 14[KNL] getting SPI for reqid {1}
>
> charon: 14[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb113bcfc
>
> charon: 14[KNL] got SPI cc514bb7 for reqid {1}
>
> charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr
> AUTH CP SA TSi TSr ]
>
> charon: 14[NET] sending packet: from 192.168.20.51[500] to
> 192.168.20.254[500]
>
> charon: 15[NET] received packet: from 192.168.20.254[500] to
> 192.168.20.51[500]
>
> charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA
> N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) TSi TSr ]
>
> charon: 15[IKE] received end entity cert "C=DE, ST=Germany, L=Stuttgart,
> O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key,
> CN=SSG320M., CN=JUNIPER"
>
> charon: 15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED notify
>
> charon: 15[IKE] received NON_FIRST_FRAGMENTS_ALSO notify
>
> charon: 15[IKE] IDx' => 12 bytes @ 0xb093b0b0
>
> charon: 15[IKE]0: 02 00 00 00 53 53 47 33 32 30 4D 2E....SSG320M.
>
> charon: 15[IKE] SK_p => 20 bytes @ 0x80a58f0
>
> [...]
>
> charon: 15[IKE] octets = message + nonce + prf(Sk_px, IDx') => 321 bytes
> @ 0x80af038
>
> charon: 15[CFG]using certificate "C=DE, ST=Germany, L=Stuttgart,
> O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key,
> CN=SSG320M., CN=JUNIPER"
>
> charon: 15[CFG]using trusted ca certificate "C=DE, O=Alcatel-Lucent,
> OU=Wireless, CN=JuniperRoot"
>
> charon: 15[CFG] checking certificate status of "C=DE, ST=Germany,
> L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD,
> CN=rsa-key, CN=SSG320M., CN=JUNIPER"
>
> charon: 15[CFG] ocsp check skipped, no ocsp found
>
> charon: 15[CFG] certificate status is not available
>
> charon: 15[IKE] authentication of 'SSG320M.' with RSA signature successful
>
> charon: 15[CFG] constraint check failed: RULE_CRL_VALIDATION is SKIPPED,
> but requires at least GOOD
>
> charon: 15[CFG] selected peer config 'net-net' inacceptable
>
> charon: 15[CFG] no alternative config found
>
> charon: 15[KNL] deleting SAD entry with SPI cc514bb7
>
> charon: 15[KNL] sending XFRM_MSG_DELSA: => 40 bytes @ 0xb093ad7c
>
> charon: 15[KNL]0: 28 00 00 00 11 00 05 00 CA 00 00 00 3F 6E 00
> 00(...........?n..
>
> charon: 15[KNL] 16: C0 A8 14 33 00 00 00 00 00 00 00 00 00 00 00
> 00...3............
>
> charon: 15[KNL]32: CC 51 4B B7 02 00 00 00.QK.....
>
> charon: 15[KNL] received netlink error: Invalid argument (22)
>
> charon: 15[KNL] unable to delete SAD entry with SPI cc514bb7
>
> charon: 15[IKE] IKE_SA net-net[1] state change: CONNECTING => DESTROYING
>
> charon: 03[KNL] received a XFRM_MSG_EXPIRE
>
> charon: 03[KNL] creating delete job for ESP CHILD_SA with SPI cc514bb7
> and reqid {1}
>
> charon: 16[JOB] CHILD_SA with reqid 1 not found for delete
>
> su: (to root) ksim on /dev/pts/4
>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
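
As an added illustration (not part of the original message and not strongSwan code), the Python below decodes the one DER-encoded distinguished name visible in the quoted log, the 78-byte IDx' dump of the local identity, and reports the ASN.1 string type of each attribute, which is the level of detail a DER inspection of a DN looks at. The function names and lookup tables are assumptions made for this example.

```python
# Added example, not strongSwan code; IDX_HEX re-types the IDx' dump in the quoted log.
IDX_HEX = """
09 00 00 00 30 48 31 0B 30 09 06 03 55 04 06 13
02 44 45 31 17 30 15 06 03 55 04 0A 13 0E 41 6C
63 61 74 65 6C 2D 4C 75 63 65 6E 74 31 11 30 0F
06 03 55 04 0B 13 08 57 69 72 65 6C 65 73 73 31
0D 30 0B 06 03 55 04 03 13 04 53 57 41 4E
"""
ID_DER_ASN1_DN = 9  # IKEv2 ID type for a DER-encoded X.500 name (RFC 7296)
ATTRS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
         "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
# Other string tags are reported as their hex tag value.
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):  # OID content bytes -> dotted string
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    if not arcs or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)  # first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_dn(der):
    """Return [(attribute, string_type, raw_value)] in encoding order."""
    tag, rdns, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE of RDNs")
    out, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)  # SET: one RDN
        if tag != 0x31:
            raise ValueError("expected SET")
        inner = 0
        while inner < len(rdn):
            tag, atv, inner = read_tlv(rdn, inner)  # SEQUENCE: type + value
            otag, oid, nxt = read_tlv(atv, 0)
            stag, value, _ = read_tlv(atv, nxt)
            if tag != 0x30 or otag != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            name, stype = decode_oid(oid), STRING_TYPES.get(stag, hex(stag))
            out.append((ATTRS.get(name, name), stype, value))
    return out

def parse_id_payload(body):
    """Body layout: 1 byte ID type, 3 reserved bytes, identification data."""
    if len(body) < 4 or body[0] != ID_DER_ASN1_DN:
        raise ValueError("not an ID_DER_ASN1_DN payload body")
    return parse_dn(body[4:])

if __name__ == "__main__":
    for attr, stype, raw in parse_id_payload(bytes.fromhex("".join(IDX_HEX.split()))):
        print(f"{attr:3} {stype:16} {raw.decode('latin-1')}")
```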



