[strongSwan] certificate status is not available

Farivar Tanha, Bijan (Bijan) bijan.farivar_tanha at alcatel-lucent.com
Tue Nov 30 09:44:02 CET 2010


Hi Andreas,

Thanks for your reply!

You can find attached the required certificates.

ClientRootCertificate -> Myroot1
ClientCertificate -> MyBTS1
PrivateCertificate -> MyBTS1_key

ServerRootCertificate -> Myroot2
ServerCertificate -> MyServer_cer

Thanks in advance,
Bijan

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Dienstag, 30. November 2010 09:09
To: Farivar Tanha, Bijan (Bijan)
Subject: Re: [strongSwan] certificate status is not available

Hello Bijan,

could you send me the

"C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent,
CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"

certificate so that I can have a look at the DER encoding of the
distinguished name.

Regards

Andreas
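
The rightid in the 25 November message quoted below prints identically to the certificate subject, yet the constraint check still fails; the DER encoding carries details (RDN order, string type) that the printed form hides. As an added example (not part of the thread and not strongSwan's matching code), the Python below decodes a DER Name into attribute, string type and value, and diffs identity strings RDN by RDN. The strict in-order comparison and the helper names are assumptions; the bytes and identity strings are copied from the quoted log and messages.

```python
"""Decode a DER X.501 Name and diff identity strings RDN by RDN (added example)."""

# ID payload body copied from the IDx' dump in the quoted charon log:
# byte 0 = ID type (9 = ID_DER_ASN1_DN), 3 reserved bytes, then the DER Name.
IDX_DUMP = bytes.fromhex(
    "09 00 00 00 30 48 31 0B 30 09 06 03 55 04 06 13 "
    "02 44 45 31 17 30 15 06 03 55 04 0A 13 0E 41 6C "
    "63 61 74 65 6C 2D 4C 75 63 65 6E 74 31 11 30 0F "
    "06 03 55 04 0B 13 08 57 69 72 65 6C 65 73 73 31 "
    "0D 30 0B 06 03 55 04 03 13 04 53 57 41 4E"
)
# Identity strings copied from the quoted messages and log.
LEFTID = "CN=SWAN, OU=Wireless,O=Alcatel-Lucent, C=DE"
RIGHTID_23_NOV = ("C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless, "
                  "CN=JN11AEB36ADD,CN=rsa-key, CN=SSG320M, CN=JUNIPER")
PEER_SUBJECT = ("C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, "
                "CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER")

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
        "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted form of an OID whose first sub-identifier fits in one byte."""
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_der_name(der):
    """Return [(attribute, string_type, value), ...] in encoded order."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_set, pos = read_tlv(body, pos)  # one RDN = SET OF attribute/value
        if tag != 0x31:
            raise ValueError("expected SET")
        inner = 0
        while inner < len(rdn_set):  # a multi-valued RDN yields several entries
            tag, pair, inner = read_tlv(rdn_set, inner)
            oid_tag, oid_raw, after_oid = read_tlv(pair, 0)
            value_tag, value, _ = read_tlv(pair, after_oid)
            if tag != 0x30 or oid_tag != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            codec = {0x1E: "utf-16-be", 0x0C: "utf-8"}.get(value_tag, "latin-1")
            oid = decode_oid(oid_raw)
            rdns.append((OIDS.get(oid, oid),
                         STRING_TAGS.get(value_tag, hex(value_tag)),
                         value.decode(codec)))
    return rdns


def parse_dn_string(text):
    """Split 'C=DE, O=...' into [(attribute, value), ...]; escaped commas unsupported."""
    parts = (part.strip() for part in text.split(","))
    return [tuple(s.strip() for s in part.partition("=")[::2]) for part in parts if part]


def diff_dn(configured, certificate):
    """List the positions where two (attribute, value) sequences disagree."""
    problems = []
    if len(configured) != len(certificate):
        problems.append(f"RDN count: {len(configured)} configured, "
                        f"{len(certificate)} in certificate")
    for i, (want, have) in enumerate(zip(configured, certificate), start=1):
        if want[0].upper() != have[0].upper():
            problems.append(f"RDN {i}: {want[0]} configured, certificate has {have[0]}")
        elif want[1] != have[1]:
            problems.append(f"RDN {i}: {want[0]}={want[1]!r} configured, "
                            f"certificate has {have[1]!r}")
    return problems


if __name__ == "__main__":
    own = parse_der_name(IDX_DUMP[4:])
    for attr, kind, value in own:
        print(f"{attr:3} {kind:16} {value}")
    for line in diff_dn(parse_dn_string(LEFTID), [(a, v) for a, _, v in own]):
        print("leftid :", line)
    for line in diff_dn(parse_dn_string(RIGHTID_23_NOV), parse_dn_string(PEER_SUBJECT)):
        print("rightid:", line)
```

For a certificate on disk, the same Name bytes can be taken from its subject field and passed to `parse_der_name` to see the string type of each RDN next to its value.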

  On 11/25/2010 09:12 AM, Farivar Tanha, Bijan (Bijan) wrote:
> Hi Andreas,
>
> Thanks for your reply!
>
> I fixed the issue of the missing '.' (full stop) character at the end.
>
> But I still have the same problem with *constraint check failed.*
>
> using certificate "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent,
> CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
>
> using trusted ca certificate "C=DE, O=Alcatel-Lucent, OU=Wireless,
> CN=JuniperRoot"
>
> checking certificate status of "C=DE, ST=Germany, L=Stuttgart,
> O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key,
> CN=SSG320M., CN=JUNIPER"
>
> ocsp check skipped, no ocsp found
>
> certificate status is not available
>
> authentication of 'SSG320M.' with RSA signature successful
>
> *constraint check failed: identity*'C=DE, ST=Germany, L=Stuttgart,
> O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key,
> CN=SSG320M., CN=JUNIPER' required
>
> selected peer config 'net-net' inacceptable
>
> no alternative config found
>
> Do you have an idea/hint?
>
> Thanks in advance,
>
> Bijan
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Dienstag, 23. November 2010 17:32
> To: Farivar Tanha, Bijan (Bijan)
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] certificate status is not available
>
> Hello Bijan,
>
> in rightid you define CN=SSG320M
>
> whereas the certificate says CN=SSG320M.
>
> which has an additional '.' (full stop) character at the end.
>
> Regards
>
> Andreas
>
> On 23.11.2010 09:37, Farivar Tanha, Bijan (Bijan) wrote:
>
>>  Hello,
>>
>>  If I check in the client's logs then after the below message the whole
>>  tunnel is removed from strongSwan.
>>
>>  Nov 18 11:52:55 destgd0h003661 charon: 07[CFG] constraint check failed:
>>  identity 'C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless,
>>  CN=JN11AEB36ADD, CN=rsa-key, , CN=JUNIPER' required
>>
>>  I think the identity is wrongly configured on the strongSwan client.
>>  I can see the rightid configured as :-->
>>
>>  rightid=C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, OU=Wireless,
>>  CN=JN11AEB36ADD,CN=rsa-key, CN=SSG320M, CN=JUNIPER
>>
>>  Can somebody explain to me how the leftid and rightid have to be configured
>>  according to the certificates information below?
>>
>>  Bijan
>>  ---------------------------------------------------
>
> Nov 24 14:33:28 destgd0h003661 ipsec_starter[5696]: Starting strongSwan
> 4.3.4 IPsec [starter]...
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[DMN] Starting IKEv2 charon
> daemon (strongSwan 4.3.4)
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] listening on interfaces:
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] eth1
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] 192.168.20.51
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] fe80::217:3fff:fed0:772c
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] eth0
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] 149.204.17.51
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[KNL] fe80::224:81ff:fe1d:d4fa
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading ca certificates
> from '/etc/ipsec.d/cacerts'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[LIB] loaded certificate file
> '/etc/ipsec.d/cacerts/Myroot2.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading aa certificates
> from '/etc/ipsec.d/aacerts'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading crls from
> '/etc/ipsec.d/crls'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[LIB] loaded crl file
> '/etc/ipsec.d/crls/crl_Myroot1.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[LIB] loaded crl file
> '/etc/ipsec.d/crls/crl_Myroot2.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loading secrets from
> '/etc/ipsec.secrets'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loaded EAP secret for
> 192.168.20.51 192.168.20.254
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] secret: 74:65:73:74
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[CFG] loaded private key file
> '/etc/ipsec.d/private/MyBTS1_key.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[DMN] loaded plugins: curl ldap
> aes des sha1 sha2 md5 fips-prf random x509 pubkey openssl gcrypt xcbc
> hmac gmp kernel-netlink stroke updown attr resolv-conf
>
> Nov 24 14:33:28 destgd0h003661 charon: 01[JOB] spawning 16 worker threads
>
> Nov 24 14:33:28 destgd0h003661 ipsec_starter[5716]: charon (5717)
> started after 20 ms
>
> Nov 24 14:33:28 destgd0h003661 charon: 05[CFG] stroke message => 272
> bytes @ 0xb5830160
>
> Nov 24 14:33:28 destgd0h003661 charon: 05[CFG] crl caching to
> /etc/ipsec.d/crls enabled
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] stroke message => 289
> bytes @ 0xb382c150
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] received stroke: add ca
> 'swan'
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] ca swan
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] cacert=Myroot2.pem
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] crluri=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] crluri2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] ocspuri=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] ocspuri2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] certuribase=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[LIB] loaded certificate file
> '/etc/ipsec.d/cacerts/Myroot2.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 09[CFG] added ca 'swan'
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] stroke message => 555
> bytes @ 0xb282a040
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] received stroke: add
> connection 'net-net'
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] conn net-net
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] left=192.168.20.51
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftsubnet=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftsourceip=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftauth=rsasig
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftauth2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftid=CN=SWAN,
> OU=Wireless,O=Alcatel-Lucent, C=DE
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftid2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftcert=MyBTS1.pem
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftcert2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftca=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftca2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftgroups=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] leftupdown=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] right=192.168.20.254
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightsubnet=192.168.30.0/24
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightsourceip=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightauth=rsasig
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightauth2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightid=C=DE, ST=Germany,
> L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, CN=JN11AEB36ADD,
> CN=rsa-key, CN=SSG320M., CN=JUNIPER
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightid2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightcert=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightcert2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightca=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightca2=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightgroups=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] rightupdown=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] eap_identity=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] ike=3des-sha1-modp1024!
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] esp=3des-sha1-modp1024!
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] mediation=no
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] mediated_by=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] me_peerid=(null)
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[KNL] getting interface name
> for 192.168.20.254
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[KNL] 192.168.20.254 is not a
> local address
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[KNL] getting interface name
> for 192.168.20.51
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[KNL] 192.168.20.51 is on
> interface eth1
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[LIB] loaded certificate file
> '/etc/ipsec.d/certs/MyBTS1.pem'
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] peerid CN=SWAN,
> OU=Wireless, O=Alcatel-Lucent, C=DE not confirmed by certificate,
> defaulting to subject DN: C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN
>
> Nov 24 14:33:28 destgd0h003661 charon: 11[CFG] added configuration 'net-net'
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[CFG] stroke message => 280
> bytes @ 0xb1828150
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[CFG] received stroke: initiate
> 'net-net'
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_INIT task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_NATD task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_CERT_PRE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_AUTHENTICATE
> task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_CERT_POST task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing IKE_CONFIG task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing
> IKE_AUTH_LIFETIME task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] queueing CHILD_CREATE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating new tasks
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating IKE_INIT task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating IKE_NATD task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating IKE_CERT_PRE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating
> IKE_AUTHENTICATE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating IKE_CERT_POST task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating IKE_CONFIG task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating CHILD_CREATE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] activating
> IKE_AUTH_LIFETIME task
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] initiating IKE_SA
> net-net[1] to 192.168.20.254
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] initiating IKE_SA
> net-net[1] to 192.168.20.254
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] IKE_SA net-net[1] state
> change: CREATED => CONNECTING
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] natd_chunk => 22 bytes @
> 0x80a9e98
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 0: 93 52 26 01 B7 31 66
> 71 00 00 00 00 00 00 00 00 .R&..1fq........
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 16: C0 A8 14 FE 01 F4 ......
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] natd_hash => 20 bytes @
> 0x80a9410
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 0: 71 C6 30 04 A1 FA 98
> FE 24 1E 11 22 42 AC 65 A1 q.0.....$.."B.e.
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 16: 1A EC 82 58 ...X
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] natd_chunk => 22 bytes @
> 0x80a9e98
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 0: 93 52 26 01 B7 31 66
> 71 00 00 00 00 00 00 00 00 .R&..1fq........
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 16: C0 A8 14 33 01 F4 ...3..
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] natd_hash => 20 bytes @
> 0x80a9410
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 0: A4 A0 04 F6 78 99 C3
> 7F 3E 3A 80 31 F3 3F 55 18 ....x...>:.1.?U.
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[IKE] 16: 5D 5F 6D E6 ]_m.
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Nov 24 14:33:28 destgd0h003661 charon: 13[NET] sending packet: from
> 192.168.20.51[500] to 192.168.20.254[500]
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[NET] received packet: from
> 192.168.20.254[500] to 192.168.20.51[500]
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[ENC] parsed IKE_SA_INIT
> response 0 [ SA KE No CERTREQ ]
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] selecting proposal:
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] proposal matches
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] received proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] configured proposals:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] selected proposal:
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] shared Diffie Hellman
> secret => 128 bytes @ 0x80ab250
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] SKEYSEED => 20 bytes @
> 0x80a9990
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: FB EB CC 05 58 9C 56
> A1 75 F0 D1 14 7A 6E D3 AC ....X.V.u...zn..
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 8D 34 78 79 .4xy
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_d secret => 20 bytes @
> 0x80a9990
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 54 B5 55 C6 27 59 64
> 9E 06 5C C8 B1 9C EA 68 7F T.U.'Yd..\....h.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: C9 9A 34 B1 ..4.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_ai secret => 20 bytes
> @ 0x80a9dc8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: B4 04 82 5D C7 E3 39
> 2D 40 03 B9 E0 CA A2 10 23 ...]..9- at ......#
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 95 22 2A 55 ."*U
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_ar secret => 20 bytes
> @ 0x80a9dc8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 11 5D 08 64 6A 38 2C
> 30 EF F2 3B EB 5A 54 51 C8 .].dj8,0..;.ZTQ.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: FA 3B 80 2C .;.,
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_ei secret => 24 bytes
> @ 0x80a9da8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: A7 4A BE 1E 9B F8 B8
> AC 3D 01 7F 3E 3E 2D CA 43 .J......=..>>-.C
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 45 13 EB 65 F8 49 D1
> 19 E..e.I..
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_er secret => 24 bytes
> @ 0x80a9da8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 7D F4 CF B8 EE 66 FF
> 26 03 71 BC AE 72 D6 4E 68 }....f.&.q..r.Nh
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 3B 25 59 26 7A 28 0D
> 19 ;%Y&z(..
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_pi secret => 20 bytes
> @ 0x80a5a58
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 49 1E 4C A9 05 71 B2
> 0C 25 07 D9 45 28 E1 C9 E6 I.L..q..%..E(...
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 5C E0 EC F7 \...
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] Sk_pr secret => 20 bytes
> @ 0x80a9da8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: F2 0B 2A 90 79 B8 F1
> 5B F2 95 D8 C8 63 66 EC 27 ..*.y..[....cf.'
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 16 13 20 D3 .. .
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] natd_chunk => 22 bytes @
> 0x80a9dc0
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 93 52 26 01 B7 31 66
> 71 74 9B 21 82 98 91 18 9E .R&..1fqt.!.....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: C0 A8 14 33 01 F4 ...3..
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] natd_hash => 20 bytes @
> 0x80a9ba8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 39 74 D4 22 F2 44 C0
> EB B8 52 73 8C B1 D9 D8 EA 9t.".D...Rs.....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: A9 BA 58 94 ..X.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] natd_chunk => 22 bytes @
> 0x80a9dc0
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 93 52 26 01 B7 31 66
> 71 74 9B 21 82 98 91 18 9E .R&..1fqt.!.....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: C0 A8 14 FE 01 F4 ......
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] natd_hash => 20 bytes @
> 0x80a9de0
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 3B 6E C1 F6 55 BB 22
> D7 44 68 AC 88 90 50 50 7E ;n..U.".Dh...PP~
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 88 86 CE 17 ....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] precalculated src_hash =>
> 20 bytes @ 0x80a9de0
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 3B 6E C1 F6 55 BB 22
> D7 44 68 AC 88 90 50 50 7E ;n..U.".Dh...PP~
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 88 86 CE 17 ....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] precalculated dst_hash =>
> 20 bytes @ 0x80a9ba8
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 39 74 D4 22 F2 44 C0
> EB B8 52 73 8C B1 D9 D8 EA 9t.".D...Rs.....
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: A9 BA 58 94 ..X.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] received cert request for
> unknown ca with keyid
> 12:b9:6f:ae:3c:15:64:e2:f1:16:5f:e9:be:e3:3a:ca:03:65:af:c5
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] reinitiating already
> active tasks
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] IKE_CERT_PRE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] IKE_AUTHENTICATE task
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] sending cert request for
> "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot"
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] sending cert request for
> "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] IDx' => 78 bytes @ 0xb0025040
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 09 00 00 00 30 48 31
> 0B 30 09 06 03 55 04 06 13 ....0H1.0...U...
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 02 44 45 31 17 30 15
> 06 03 55 04 0A 13 0E 41 6C .DE1.0...U....Al
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 32: 63 61 74 65 6C 2D 4C
> 75 63 65 6E 74 31 11 30 0F catel-Lucent1.0.
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 48: 06 03 55 04 0B 13 08
> 57 69 72 65 6C 65 73 73 31 ..U....Wireless1
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 64: 0D 30 0B 06 03 55 04
> 03 13 04 53 57 41 4E .0...U....SWAN
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] SK_p => 20 bytes @ 0x80a5a58
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 0: 49 1E 4C A9 05 71 B2
> 0C 25 07 D9 45 28 E1 C9 E6 I.L..q..%..E(...
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 16: 5C E0 EC F7 \...
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] octets = message + nonce
> + prf(Sk_px, IDx') => 352 bytes @ 0x80ab9f8
>
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 304: 59 F1 6A 0C 09 ED E9
> DD AF 51 1A 82 D7 8A AB 56 Y.j......Q.....V
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 320: 81 68 9C 5D 91 33 0D
> 0B 60 CE BA CD F1 0D 37 62 .h.].3..`.....7b
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] 336: 62 47 2A 1D 4C CD F5
> FD 3F 96 60 D1 10 59 D6 E6 bG*.L...?.`..Y..
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] authentication of 'C=DE,
> O=Alcatel-Lucent, OU=Wireless, CN=SWAN' (myself) with RSA signature
> successful
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] sending end entity cert
> "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=SWAN"
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] establishing CHILD_SA net-net
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[IKE] establishing CHILD_SA net-net
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] proposing traffic
> selectors for us:
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] dynamic (derived from
> dynamic)
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] proposing traffic
> selectors for other:
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[CFG] 192.168.30.0/24 (derived
> from 192.168.30.0/24)
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[KNL] getting SPI for reqid {1}
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[KNL] sending
> XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb0024cfc
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[KNL] got SPI c1bec055 for
> reqid {1}
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[ENC] generating IKE_AUTH
> request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr ]
>
> Nov 24 14:33:28 destgd0h003661 charon: 16[NET] sending packet: from
> 192.168.20.51[500] to 192.168.20.254[500]
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[NET] received packet: from
> 192.168.20.254[500] to 192.168.20.51[500]
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[ENC] parsed IKE_AUTH response
> 1 [ IDr CERT AUTH SA N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) TSi TSr ]
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] received end entity cert
> "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254,
> CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] received
> ESP_TFC_PADDING_NOT_SUPPORTED notify
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] received
> NON_FIRST_FRAGMENTS_ALSO notify
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] IDx' => 12 bytes @ 0xaf8240b0
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] 0: 02 00 00 00 53 53 47
> 33 32 30 4D 2E ....SSG320M.
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] SK_p => 20 bytes @ 0x80a9da8
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] 0: F2 0B 2A 90 79 B8 F1
> 5B F2 95 D8 C8 63 66 EC 27 ..*.y..[....cf.'
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] 16: 16 13 20 D3 .. .
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] octets = message + nonce
> + prf(Sk_px, IDx') => 321 bytes @ 0x80af190
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] using certificate "C=DE,
> ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254,
> CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] using trusted ca
> certificate "C=DE, O=Alcatel-Lucent, OU=Wireless, CN=JuniperRoot"
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] checking certificate
> status of "C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent,
> CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER"
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] ocsp check skipped, no
> ocsp found
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] certificate status is not
> available
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] authentication of
> 'SSG320M.' with RSA signature successful
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] constraint check failed:
> identity 'C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent,
> CN=192.168.20.254, CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER'
> required
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] selected peer config
> 'net-net' inacceptable
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[CFG] no alternative config found
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] deleting SAD entry with
> SPI c1bec055
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] sending XFRM_MSG_DELSA:
> => 40 bytes @ 0xaf823d7c
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] 0: 28 00 00 00 11 00 05
> 00 CA 00 00 00 55 16 00 00 (...........U...
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] 16: C0 A8 14 33 00 00 00
> 00 00 00 00 00 00 00 00 00 ...3............
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] 32: C1 BE C0 55 02 00 00
> 00 ...U....
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] received netlink error:
> Invalid argument (22)
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[KNL] unable to delete SAD
> entry with SPI c1bec055
>
> Nov 24 14:33:28 destgd0h003661 charon: 17[IKE] IKE_SA net-net[1] state
> change: CONNECTING => DESTROYING
>
> Nov 24 14:33:58 destgd0h003661 charon: 03[KNL] received a XFRM_MSG_EXPIRE
>
> Nov 24 14:33:58 destgd0h003661 charon: 03[KNL] creating delete job for
> ESP CHILD_SA with SPI c1bec055 and reqid {1}
>
> Nov 24 14:33:58 destgd0h003661 charon: 17[JOB] CHILD_SA with reqid 1 not
> found for delete
>
> Nov 24 14:34:12 destgd0h003661 su: (to root) ksim on /dev/pts/1
>


--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPSEC_CERTIFICATE_22112010.zip
Type: application/x-zip-compressed
Size: 31356 bytes
Desc: IPSEC_CERTIFICATE_22112010.zip
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101130/6d44c5f8/attachment.bin>
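
Added example (not part of the original messages and not strongSwan code): a decoder for the two IDx' dumps in the quoted charon log. It shows that the local side sent an ID_DER_ASN1_DN identity while the peer sent the FQDN 'SSG320M.', which is not the DN the log reports as required. The function names and the plain type-and-string comparison are assumptions for illustration; strongSwan's own identity matching is more involved.

```python
# IKEv2 ID types (RFC 7296, section 3.5)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
# X.520 attribute type OIDs as DER content bytes
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
         b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
# Hex bytes of the two IDx' dumps in the quoted log (offset and ASCII columns dropped)
LOCAL_IDX = ("09 00 00 00 30 48 31 0B 30 09 06 03 55 04 06 13"
             "02 44 45 31 17 30 15 06 03 55 04 0A 13 0E 41 6C"
             "63 61 74 65 6C 2D 4C 75 63 65 6E 74 31 11 30 0F"
             "06 03 55 04 0B 13 08 57 69 72 65 6C 65 73 73 31"
             "0D 30 0B 06 03 55 04 03 13 04 53 57 41 4E")
PEER_IDX = "02 00 00 00 53 53 47 33 32 30 4D 2E"
# Identity the log reports as required for peer config 'net-net'
REQUIRED = ("C=DE, ST=Germany, L=Stuttgart, O=Alcatel-Lucent, CN=192.168.20.254, "
            "CN=JN11AEB36ADD, CN=rsa-key, CN=SSG320M., CN=JUNIPER")

def tlv(buf, pos):
    """Read one DER TLV (short-form length only); return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("long-form or truncated DER length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def dn_to_str(der):
    """Render a DER RDNSequence as 'C=.., O=..' (first attribute of each RDN)."""
    tag, rdns, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("distinguished name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = tlv(rdns, pos)        # SET
        _, atv, _ = tlv(rdn, 0)             # SEQUENCE { OID, value }
        _, oid, nxt = tlv(atv, 0)
        _, val, _ = tlv(atv, nxt)
        parts.append(f"{ATTRS.get(oid, oid.hex())}={val.decode('latin-1')}")
    return ", ".join(parts)

def decode_idx(hexdump):
    """IDx' = ID type (1 byte) + 3 reserved bytes + identification data."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 5:
        raise ValueError("IDx' too short")
    data = raw[4:]
    value = dn_to_str(data) if raw[0] == 9 else data.decode("latin-1")
    return ID_TYPES.get(raw[0], f"type {raw[0]}"), value

def matches_required(hexdump, required):
    """Simplified check: the peer must present a DN equal to the required string."""
    return decode_idx(hexdump) == ("ID_DER_ASN1_DN", required)
```
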

