[strongSwan] host could not reach the internal PC after virtual IP is assigned.
Baizhan Li
label.sr at gmail.com
Thu Jan 20 08:05:43 CET 2011
Hi:
I am using strongSwan 4.5 for testing. The network environment is the same
as "Test ikev2/nat-one-rw" (the only difference is that alice's IP is
10.2.0.10 and bob's IP is 10.1.0.10).
The host "alice" can set up an ESP tunnel with the gateway "sun"
successfully, and its virtual IP is assigned as "10.1.0.120" by a DHCP server
which is behind the gateway sun.
But the strange thing is that after the tunnel is established, alice cannot
reach sun's 10.1.x.x subnet. And if alice does not request a virtual IP,
everything is OK. Why?
I would really appreciate it if someone could give me some advice. Thanks
and best regards.
1) Here is the NATed host Alice's ipsec.conf file:
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn hnb
    authby=pubkey
    compress=no
    dpdaction=none
    dpddelay=30s
    dpdtimeout=150s
    inactivity=0
    installpolicy=yes
    ikelifetime=60m
    #lifebytes=0
    lifepackets=102400000
    lifetime=30m
    marginpackets=1024
    #marginbytes=0
    margintime=5m
    mobike=no
    reauth=yes
    rekey=yes
    rekeyfuzz=100%
    type=tunnel
    left=%any
    leftcert=hnb.pem
    leftid=hnb at percello.com
    leftfirewall=yes
    right=192.168.0.61
    rightid=secgw at percello.com
    rightsubnet=10.1.0.0/32
    leftsourceip=%config
    auto=start
2) Here is gateway sun's ipsec.conf file:
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=192.168.0.61
    leftcert=secgw.pem
    leftid=secgw at percello.com
    leftfirewall=yes
    rekey=no
    reauth=no

conn nat-t
    leftsubnet=10.1.0.0/16
    rightsubnet=0.0.0.0/0
    right=%any
    rightsourceip=%dhcp
    auto=add
3) Here is Alice's log:
ipsec start --debug-all --nofork
Starting strongSwan 4.5.0 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
| Loading config setup
| crlcheckinterval=180
| strictcrlpolicy=no
| plutostart=no
| Loading conn %default
| ikelifetime=60m
| keylife=20m
| rekeymargin=3m
| keyingtries=1
| keyexchange=ikev2
| Loading conn 'hnb'
| authby=pubkey
| compress=no
| dpdaction=none
| dpddelay=30s
| dpdtimeout=150s
| inactivity=0
| installpolicy=yes
| ikelifetime=60m
| lifepackets=102400000
| lifetime=30m
| marginpackets=1024
| margintime=5m
| mobike=no
| reauth=yes
| rekey=yes
| rekeyfuzz=100%
| type=tunnel
| left=%any
| leftcert=hnb.pem
| leftid=hnb at percello.com
| leftfirewall=yes
| right=192.168.0.61
| rightid=secgw at percello.com
| rightsubnet=10.1.0.0/32
| leftsourceip=%config
| auto=start
| Found netkey IPsec stack
| Attempting to start charon...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=ipsec, E=ca at percello.com" from '/usr/local/etc/ipsec.d/cacerts/ipsec.pem'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded RSA private key from
'/usr/local/etc/ipsec.d/private/hnbkey.pem'
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 10.2.0.10
00[KNL] fe80::20c:29ff:fe8e:3e10
00[DMN] loaded plugins: aes des sha1 sha2 md5 pem fips-prf pkcs1 pkcs11 gmp
random pubkey x509 hmac xcbc stroke socket-default attr kernel-netlink
kernel-pfkey farp updown
00[JOB] spawning 16 worker threads
charon (3012) started after 20 ms
03[CFG] stroke message => 503 bytes @ 0xb64660c0
03[CFG] 0: F7 01 00 00 03 00 00 00 FF FF FF FF 54 01 00 00
............T...
03[CFG] 16: 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 32: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00
................
03[CFG] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 64: 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
................
03[CFG] 80: 58 01 00 00 80 01 00 00 01 00 00 00 08 07 00 00
X...............
03[CFG] 96: 10 0E 00 00 2C 01 00 00 00 00 00 00 00 00 00 00
....,...........
03[CFG] 112: 00 00 00 00 00 00 00 00 00 80 1A 06 00 00 00 00
................
03[CFG] 128: 00 04 00 00 00 00 00 00 01 00 00 00 64 00 00 00
............d...
03[CFG] 144: 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 176: 00 00 00 00 00 00 00 00 00 00 00 00 96 01 00 00
................
03[CFG] 192: 00 00 00 00 00 00 00 00 A7 01 00 00 00 00 00 00
................
03[CFG] 208: 00 00 00 00 00 00 00 00 00 00 00 00 AF 01 00 00
................
03[CFG] 224: C6 01 00 00 F4 01 00 00 00 00 00 00 01 00 00 00
................
03[CFG] 240: 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00
................
03[CFG] 256: 00 00 00 00 00 00 00 00 00 00 00 00 CB 01 00 00
................
03[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 304: DE 01 00 00 F4 01 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 320: EB 01 00 00 01 00 00 00 00 00 00 00 00 00 00 00
................
03[CFG] 336: 00 00 00 00 68 6E 62 00 61 65 73 31 32 38 2D 73
....hnb.aes128-s
03[CFG] 352: 68 61 31 2D 6D 6F 64 70 32 30 34 38 2C 33 64 65
ha1-modp2048,3de
03[CFG] 368: 73 2D 73 68 61 31 2D 6D 6F 64 70 31 35 33 36 00
s-sha1-modp1536.
03[CFG] 384: 61 65 73 31 32 38 2D 73 68 61 31 2C 33 64 65 73
aes128-sha1,3des
03[CFG] 400: 2D 73 68 61 31 00 68 6E 62 40 70 65 72 63 65 6C
-sha1.hnb at percel
03[CFG] 416: 6C 6F 2E 63 6F 6D 00 68 6E 62 2E 70 65 6D 00 69
lo.com.hnb.pem.i
03[CFG] 432: 70 73 65 63 20 5F 75 70 64 6F 77 6E 20 69 70 74 psec _updown
ipt
03[CFG] 448: 61 62 6C 65 73 00 25 61 6E 79 00 73 65 63 67 77
ables.%any.secgw
03[CFG] 464: 40 70 65 72 63 65 6C 6C 6F 2E 63 6F 6D 00 31 39
@percello.com.19
03[CFG] 480: 32 2E 31 36 38 2E 30 2E 36 31 00 31 30 2E 31 2E
2.168.0.61.10.1.
03[CFG] 496: 30 2E 30 2F 33 32 00 0.0/32.
03[CFG] received stroke: add connection 'hnb'
03[CFG] conn hnb
03[CFG] left=%any
03[CFG] leftsubnet=(null)
03[CFG] leftsourceip=(null)
03[CFG] leftauth=(null)
03[CFG] leftauth2=(null)
03[CFG] leftid=hnb at percello.com
03[CFG] leftid2=(null)
03[CFG] leftcert=hnb.pem
03[CFG] leftcert2=(null)
03[CFG] leftca=(null)
03[CFG] leftca2=(null)
03[CFG] leftgroups=(null)
03[CFG] leftupdown=ipsec _updown iptables
03[CFG] right=192.168.0.61
03[CFG] rightsubnet=10.1.0.0/32
03[CFG] rightsourceip=(null)
03[CFG] rightauth=(null)
03[CFG] rightauth2=(null)
03[CFG] rightid=secgw at percello.com
03[CFG] rightid2=(null)
03[CFG] rightcert=(null)
03[CFG] rightcert2=(null)
03[CFG] rightca=(null)
03[CFG] rightca2=(null)
03[CFG] rightgroups=(null)
03[CFG] rightupdown=(null)
03[CFG] eap_identity=(null)
03[CFG] aaa_identity=(null)
03[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
03[CFG] esp=aes128-sha1,3des-sha1
03[CFG] mediation=no
03[CFG] mediated_by=(null)
03[CFG] me_peerid=(null)
03[CFG] left nor right host is our side, assuming left=local
03[CFG] loaded certificate "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=hnb at percello.com, E=hnb at percello.com" from 'hnb.pem'
03[CFG] added configuration 'hnb'
08[CFG] stroke message => 344 bytes @ 0xb3afc160
08[CFG] 0: 58 01 00 00 00 00 00 00 FF FF FF FF 54 01 00 00
X...........T...
08[CFG] 16: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 32: 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 48: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
................
08[CFG] 64: 00 00 00 00 00 00 00 00 01 00 00 00 58 01 00 00
............X...
08[CFG] 80: 80 01 00 00 01 00 00 00 08 07 00 00 10 0E 00 00
................
08[CFG] 96: 2C 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
,...............
08[CFG] 112: 00 00 00 00 00 80 1A 06 00 00 00 00 00 04 00 00
................
08[CFG] 128: 00 00 00 00 01 00 00 00 64 00 00 00 1E 00 00 00
........d.......
08[CFG] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 176: 00 00 00 00 00 00 00 00 96 01 00 00 00 00 00 00
................
08[CFG] 192: 00 00 00 00 A7 01 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 208: 00 00 00 00 00 00 00 00 AF 01 00 00 C6 01 00 00
................
08[CFG] 224: F4 01 00 00 00 00 00 00 01 00 00 00 00 00 00 00
................
08[CFG] 240: 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
................
08[CFG] 256: 00 00 00 00 00 00 00 00 CB 01 00 00 00 00 00 00
................
08[CFG] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 288: 00 00 00 00 00 00 00 00 00 00 00 00 DE 01 00 00
................
08[CFG] 304: F4 01 00 00 00 00 00 00 00 00 00 00 EB 01 00 00
................
08[CFG] 320: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
................
08[CFG] 336: 68 6E 62 00 68 6E 62 00 hnb.hnb.
08[CFG] received stroke: initiate 'hnb'
08[IKE] queueing IKE_VENDOR task
08[IKE] queueing IKE_INIT task
08[IKE] queueing IKE_NATD task
08[IKE] queueing IKE_CERT_PRE task
08[IKE] queueing IKE_AUTHENTICATE task
08[IKE] queueing IKE_CERT_POST task
08[IKE] queueing IKE_CONFIG task
08[IKE] queueing IKE_AUTH_LIFETIME task
08[IKE] queueing CHILD_CREATE task
08[IKE] activating new tasks
08[IKE] activating IKE_VENDOR task
08[IKE] activating IKE_INIT task
08[IKE] activating IKE_NATD task
08[IKE] activating IKE_CERT_PRE task
08[IKE] activating IKE_AUTHENTICATE task
08[IKE] activating IKE_CERT_POST task
08[IKE] activating IKE_CONFIG task
08[IKE] activating CHILD_CREATE task
08[IKE] activating IKE_AUTH_LIFETIME task
08[IKE] initiating IKE_SA hnb[1] to 192.168.0.61
08[IKE] IKE_SA hnb[1] state change: CREATED => CONNECTING
08[IKE] natd_chunk => 22 bytes @ 0x9035d78
08[IKE] 0: D8 C6 CA 02 42 5C 08 54 00 00 00 00 00 00 00 00
....B\.T........
08[IKE] 16: C0 A8 00 3D 01 F4 ...=..
08[IKE] natd_hash => 20 bytes @ 0x9035718
08[IKE] 0: 42 8F EA C3 6E 97 9E C7 90 F0 FD 0F 19 29 66 95
B...n........)f.
08[IKE] 16: 73 64 74 86 sdt.
08[IKE] natd_chunk => 22 bytes @ 0x9036d50
08[IKE] 0: D8 C6 CA 02 42 5C 08 54 00 00 00 00 00 00 00 00
....B\.T........
08[IKE] 16: 0A 02 00 0A 01 F4 ......
08[IKE] natd_hash => 20 bytes @ 0x9035718
08[IKE] 0: 69 7F 09 A1 9A 5A D9 AF B9 8E 06 71 2C 15 52 58
i....Z.....q,.RX
08[IKE] 16: 78 8E 79 CB x.y.
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
08[NET] sending packet: from 10.2.0.10[500] to 192.168.0.61[500]
11[NET] received packet: from 192.168.0.61[500] to 10.2.0.10[500]
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
11[CFG] selecting proposal:
11[CFG] proposal matches
11[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_SHA2_256_
128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA
2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES
128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192
/MODP_1024/MODP_1024_160
11[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
11[IKE] natd_chunk => 22 bytes @ 0x90376e8
11[IKE] 0: D8 C6 CA 02 42 5C 08 54 F3 CD 94 43 82 5A 81 21
....B\.T...C.Z.!
11[IKE] 16: 0A 02 00 0A 01 F4 ......
11[IKE] natd_hash => 20 bytes @ 0x9037758
11[IKE] 0: 6E 01 0B 0A 28 23 68 3C 78 D0 5B CA AC 41 B8 1E
n...(#h<x.[..A..
11[IKE] 16: 37 BF 76 0A 7.v.
11[IKE] natd_chunk => 22 bytes @ 0x90376e8
11[IKE] 0: D8 C6 CA 02 42 5C 08 54 F3 CD 94 43 82 5A 81 21
....B\.T...C.Z.!
11[IKE] 16: C0 A8 00 3D 01 F4 ...=..
11[IKE] natd_hash => 20 bytes @ 0x9037990
11[IKE] 0: 5C 40 16 87 54 E8 24 F9 4F 5E 10 82 47 55 DB 7B
\@..T.$.O^..GU.{
11[IKE] 16: A4 96 0D 85 ....
11[IKE] precalculated src_hash => 20 bytes @ 0x9037990
11[IKE] 0: 5C 40 16 87 54 E8 24 F9 4F 5E 10 82 47 55 DB 7B
\@..T.$.O^..GU.{
11[IKE] 16: A4 96 0D 85 ....
11[IKE] precalculated dst_hash => 20 bytes @ 0x9037758
11[IKE] 0: 6E 01 0B 0A 28 23 68 3C 78 D0 5B CA AC 41 B8 1E
n...(#h<x.[..A..
11[IKE] 16: 37 BF 76 0A 7.v.
11[IKE] received src_hash => 20 bytes @ 0x9032360
11[IKE] 0: 5C 40 16 87 54 E8 24 F9 4F 5E 10 82 47 55 DB 7B
\@..T.$.O^..GU.{
11[IKE] 16: A4 96 0D 85 ....
11[IKE] received dst_hash => 20 bytes @ 0x9032378
11[IKE] 0: 06 50 CA 1E E7 17 86 3B 6A EA 04 D9 92 B2 E2 29
.P.....;j......)
11[IKE] 16: 77 E2 7F B3 w...
11[IKE] local host is behind NAT, sending keep alives
11[IKE] received cert request for "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=ipsec, E=ca at percello.com"
11[IKE] reinitiating already active tasks
11[IKE] IKE_CERT_PRE task
11[IKE] IKE_AUTHENTICATE task
11[IKE] sending cert request for "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=ipsec, E=ca at percello.com"
11[IKE] IDx' => 20 bytes @ 0xb22f8fe0
11[IKE] 0: 03 00 00 00 68 6E 62 40 70 65 72 63 65 6C 6C 6F
....hnb at percello
11[IKE] 16: 2E 63 6F 6D .com
11[IKE] SK_p => 20 bytes @ 0x9037908
11[IKE] 0: 35 61 B9 5A D2 BC 3F 96 88 E0 C0 BB D7 C0 38 1F
5a.Z..?.......8.
11[IKE] 16: 8B 4D 8D E7 .M..
11[IKE] octets = message + nonce + prf(Sk_px, IDx') => 736 bytes @ 0x90385d8
11[IKE] 0: D8 C6 CA 02 42 5C 08 54 00 00 00 00 00 00 00 00
....B\.T........
11[IKE] 16: 21 20 22 08 00 00 00 00 00 00 02 AC 22 00 01 2C !
"........."..,
11[IKE] 32: 02 00 00 2C 01 01 00 04 03 00 00 0C 01 00 00 0C
...,............
11[IKE] 48: 80 0E 00 80 03 00 00 08 03 00 00 02 03 00 00 08
................
11[IKE] 64: 02 00 00 02 00 00 00 08 04 00 00 0E 02 00 00 28
...............(
11[IKE] 80: 02 01 00 04 03 00 00 08 01 00 00 03 03 00 00 08
................
11[IKE] 96: 03 00 00 02 03 00 00 08 02 00 00 02 00 00 00 08
................
11[IKE] 112: 04 00 00 05 00 00 00 D4 03 01 00 18 03 00 00 0C
................
11[IKE] 128: 01 00 00 0C 80 0E 00 80 03 00 00 0C 01 00 00 0C
................
11[IKE] 144: 80 0E 00 C0 03 00 00 0C 01 00 00 0C 80 0E 01 00
................
11[IKE] 160: 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02
................
11[IKE] 176: 03 00 00 08 03 00 00 0C 03 00 00 08 03 00 00 01
................
11[IKE] 192: 03 00 00 08 03 00 00 0D 03 00 00 08 03 00 00 0E
................
11[IKE] 208: 03 00 00 08 03 00 00 05 03 00 00 08 02 00 00 05
................
11[IKE] 224: 03 00 00 08 02 00 00 02 03 00 00 08 02 00 00 01
................
11[IKE] 240: 03 00 00 08 02 00 00 06 03 00 00 08 02 00 00 07
................
11[IKE] 256: 03 00 00 08 02 00 00 04 03 00 00 08 04 00 00 0E
................
11[IKE] 272: 03 00 00 08 04 00 00 17 03 00 00 08 04 00 00 18
................
11[IKE] 288: 03 00 00 08 04 00 00 05 03 00 00 08 04 00 00 10
................
11[IKE] 304: 03 00 00 08 04 00 00 12 03 00 00 08 04 00 00 02
................
11[IKE] 320: 00 00 00 08 04 00 00 16 28 00 01 08 00 0E 00 00
........(.......
11[IKE] 336: D8 02 DB B2 D8 1D 9D C1 6D 68 E9 0C 99 E7 E0 97
........mh......
11[IKE] 352: E5 20 16 43 B1 94 87 68 EF F2 2B 50 44 66 76 E6 .
.C...h..+PDfv.
11[IKE] 368: 00 70 56 80 63 7A 82 BB 09 2A C5 47 0E FE 5C 08
.pV.cz...*.G..\.
11[IKE] 384: 55 2D CD 40 CA 5E AB 44 DB D4 1E BC D5 7B 6D 17
U-. at .^.D.....{m.
11[IKE] 400: 62 39 81 21 B0 A9 12 B2 3F 27 74 FC 68 DB A5 F2
b9.!....?'t.h...
11[IKE] 416: 18 38 AC FA ED EF A4 72 20 FA 0B 49 21 B6 B7 CF .8.....r
..I!...
11[IKE] 432: B0 9B CE BD 2B B4 B3 D4 B0 EF B0 5E 8E A9 0C 07
....+......^....
11[IKE] 448: E9 46 31 EB C3 C8 A6 D5 9B AE F8 B0 EE 2D 5B BC
.F1..........-[.
11[IKE] 464: F0 44 80 D7 78 6F 0E D9 6B F5 1E 8A 87 5D 37 55
.D..xo..k....]7U
11[IKE] 480: 4D C8 7E 4B A0 95 55 7D BC F1 74 1F E6 C1 89 B6
M.~K..U}..t.....
11[IKE] 496: F4 64 98 8A 66 D5 4C 97 34 C3 16 D7 23 F5 0E 48
.d..f.L.4...#..H
11[IKE] 512: AA 4C 8D 05 8B 30 68 73 EE 35 15 D8 C3 BE BB B2
.L...0hs.5......
11[IKE] 528: 7F 5F B2 4D 14 C6 13 5C F6 B6 27 E5 7D 46 61 19
._.M...\..'.}Fa.
11[IKE] 544: B4 36 D7 72 9C 5D F6 5F B9 8D A2 EB 6B 44 29 E6
.6.r.]._....kD).
11[IKE] 560: C8 FE 24 3B 94 E1 37 0E 50 CB 42 6E 18 39 45 89
..$;..7.P.Bn.9E.
11[IKE] 576: 1A 6E B9 CE 5B 6B A2 DE CA 83 FF B6 F8 4C 95 15
.n..[k.......L..
11[IKE] 592: 29 00 00 24 46 09 20 75 9A CD 67 8E AA 25 13 85 )..$F.
u..g..%..
11[IKE] 608: 86 B9 1B 9F 2F 73 FF 18 B8 88 41 30 A0 19 79 3B
..../s....A0..y;
11[IKE] 624: 22 FB 87 B7 29 00 00 1C 00 00 40 04 69 7F 09 A1
"...)..... at .i...
11[IKE] 640: 9A 5A D9 AF B9 8E 06 71 2C 15 52 58 78 8E 79 CB
.Z.....q,.RXx.y.
11[IKE] 656: 00 00 00 1C 00 00 40 05 42 8F EA C3 6E 97 9E C7
...... at .B...n...
11[IKE] 672: 90 F0 FD 0F 19 29 66 95 73 64 74 86 0E 4C CD 00
.....)f.sdt..L..
11[IKE] 688: 3A 80 30 43 AB 8C 18 14 1D 94 63 80 BE 7B AB 1E
:.0C......c..{..
11[IKE] 704: 46 32 AC 1E E0 99 5B 50 30 F5 33 A0 03 64 DF 98
F2....[P0.3..d..
11[IKE] 720: FB FA 9E 04 F7 BF DF 5D 6C C7 7D 6E B7 94 13 94
.......]l.}n....
11[IKE] authentication of 'hnb at percello.com' (myself) with RSA signature
successful
11[IKE] sending end entity cert "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=hnb at percello.com, E=hnb at percello.com"
11[IKE] establishing CHILD_SA hnb
11[CFG] proposing traffic selectors for us:
11[CFG] dynamic (derived from dynamic)
11[CFG] proposing traffic selectors for other:
11[CFG] 10.1.0.0/32 (derived from 10.1.0.0/32)
11[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR)
SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[NET] sending packet: from 10.2.0.10[4500] to 192.168.0.61[4500]
13[NET] received packet: from 192.168.0.61[4500] to 10.2.0.10[4500]
13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) SA TSi TSr ]
13[IKE] received end entity cert "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=secgw at percello.com, E=secgw at percello.com"
13[IKE] IDx' => 22 bytes @ 0xb12f7020
13[IKE] 0: 03 00 00 00 73 65 63 67 77 40 70 65 72 63 65 6C
....secgw at percel
13[IKE] 16: 6C 6F 2E 63 6F 6D lo.com
13[IKE] SK_p => 20 bytes @ 0x9037630
13[IKE] 0: 05 E2 47 31 7F E1 CC 73 22 C5 00 08 C1 DB 12 F2
..G1...s".......
13[IKE] 16: A4 FF 1A EC ....
13[IKE] octets = message + nonce + prf(Sk_px, IDx') => 517 bytes @ 0x90359d8
13[IKE] 0: D8 C6 CA 02 42 5C 08 54 F3 CD 94 43 82 5A 81 21
....B\.T...C.Z.!
13[IKE] 16: 21 20 22 20 00 00 00 00 00 00 01 D1 22 00 00 30 ! "
........"..0
13[IKE] 32: 00 00 00 2C 01 01 00 04 03 00 00 0C 01 00 00 0C
...,............
13[IKE] 48: 80 0E 00 80 03 00 00 08 03 00 00 02 03 00 00 08
................
13[IKE] 64: 02 00 00 02 00 00 00 08 04 00 00 0E 28 00 01 08
............(...
13[IKE] 80: 00 0E 00 00 86 02 37 3B 4B 41 0D CC 67 78 E7 83
......7;KA..gx..
13[IKE] 96: 9C 36 DA C8 78 F1 5A AE 8C AB 3D 9E F0 B3 EC 29
.6..x.Z...=....)
13[IKE] 112: CE 24 1A 37 E4 94 E3 D6 C9 C1 FD 3D 35 7E 0A 97
.$.7.......=5~..
13[IKE] 128: CC D4 E4 9E 2D 36 24 E9 CD F7 D9 E6 AB A6 9D 9F
....-6$.........
13[IKE] 144: 92 DE 40 7A 44 45 1A F6 4C 7E 93 25 7B 7F 13 12
.. at zDE..L~.%{...
13[IKE] 160: 51 6B 9C A3 B4 AF C8 F1 E3 DB AA 7D 85 9F FD 57
Qk.........}...W
13[IKE] 176: CB D6 61 C7 DB B1 3E 41 34 10 FD 01 BB D9 E6 80
..a...>A4.......
13[IKE] 192: DF 01 EB 6A CC 1E 0D CB 1C 1B C0 90 B2 D1 85 F0
...j............
13[IKE] 208: 30 E1 6A 76 44 4E 0E 12 C7 C1 13 A5 F2 E6 05 88
0.jvDN..........
13[IKE] 224: 95 B1 C8 8B A2 6B 8B 81 86 49 D9 72 32 29 59 F2
.....k...I.r2)Y.
13[IKE] 240: 39 F9 E3 56 96 F0 E2 E5 E0 38 A5 7B 35 F0 07 46
9..V.....8.{5..F
13[IKE] 256: 53 B4 03 13 6E E2 DB 16 71 0C B3 D1 54 59 A5 18
S...n...q...TY..
13[IKE] 272: 12 46 C4 36 67 8E 4B 27 28 4B 7A 7E 1D 8A 76 9F
.F.6g.K'(Kz~..v.
13[IKE] 288: 77 99 D9 08 5F 36 21 F9 AD 40 9C A1 8A FA 48 C3
w..._6!.. at ....H.
13[IKE] 304: 59 C1 DD 97 D2 2B B9 B3 E5 C2 27 63 A6 C5 60 E9
Y....+....'c..`.
13[IKE] 320: A7 35 98 73 74 3A B6 08 A7 D5 30 4B D2 D9 51 79
.5.st:....0K..Qy
13[IKE] 336: 0D C8 44 68 29 00 00 24 0E 4C CD 00 3A 80 30 43
..Dh)..$.L..:.0C
13[IKE] 352: AB 8C 18 14 1D 94 63 80 BE 7B AB 1E 46 32 AC 1E
......c..{..F2..
13[IKE] 368: E0 99 5B 50 30 F5 33 A0 29 00 00 1C 00 00 40 04
..[P0.3.)..... at .
13[IKE] 384: 5C 40 16 87 54 E8 24 F9 4F 5E 10 82 47 55 DB 7B
\@..T.$.O^..GU.{
13[IKE] 400: A4 96 0D 85 26 00 00 1C 00 00 40 05 06 50 CA 1E
....&..... at ..P..
13[IKE] 416: E7 17 86 3B 6A EA 04 D9 92 B2 E2 29 77 E2 7F B3
...;j......)w...
13[IKE] 432: 29 00 00 19 04 FB A2 A3 7E 22 4E C1 04 83 AA C5
).......~"N.....
13[IKE] 448: 97 E0 CF 88 94 03 BB D8 C4 00 00 00 08 00 00 40
...............@
13[IKE] 464: 14 46 09 20 75 9A CD 67 8E AA 25 13 85 86 B9 1B .F.
u..g..%.....
13[IKE] 480: 9F 2F 73 FF 18 B8 88 41 30 A0 19 79 3B 22 FB 87
./s....A0..y;"..
13[IKE] 496: B7 33 0B 57 16 E9 F9 EB BD 4F 16 7C 25 F6 3E 2F
.3.W.....O.|%.>/
13[IKE] 512: D1 5A 47 2C 60 .ZG,`
13[CFG] using certificate "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=secgw at percello.com, E=secgw at percello.com"
13[CFG] using trusted ca certificate "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=ipsec, E=ca at percello.com"
13[CFG] reached self-signed root ca with a path length of 0
13[IKE] authentication of 'secgw at percello.com' with RSA signature successful
13[IKE] IKE_SA hnb[1] established between
10.2.0.10[hnb at percello.com]...192.168.0.61[secgw at percello.com]
13[IKE] IKE_SA hnb[1] state change: CONNECTING => ESTABLISHED
13[IKE] scheduling reauthentication in 3174s
13[IKE] maximum IKE_SA lifetime 3474s
13[IKE] processing INTERNAL_IP4_ADDRESS attribute
13[IKE] installing new virtual IP 10.1.0.120
13[CFG] selecting proposal:
13[CFG] proposal matches
13[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
13[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_
96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
13[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
13[CFG] selecting traffic selectors for us:
13[CFG] config: 10.1.0.120/32, received: 0.0.0.0/0 => match: 10.1.0.120/32
13[CFG] selecting traffic selectors for other:
13[CFG] config: 10.1.0.0/32, received: 10.1.0.0/32 => match: 10.1.0.0/32
13[IKE] CHILD_SA hnb{1} established with SPIs cd15012c_i c9f2481c_o and TS
10.1.0.120/32 === 10.1.0.0/32
13[IKE] activating new tasks
13[IKE] nothing to initiate
4) Here is Alice's ipsec statusall:
Status of IKEv2 charon daemon (strongSwan 4.5.0):
uptime: 2 minutes, since Jan 20 14:58:04 2011
malloc: sbrk 135168, mmap 0, used 86688, free 48480
worker threads: 8 idle of 16, job queue load: 0, scheduled events: 3
loaded plugins: aes des sha1 sha2 md5 pem fips-prf pkcs1 pkcs11 gmp random
pubkey x509 hmac xcbc stroke socket-default attr kernel-netlink kernel-pfkey
farp updown
Listening IP addresses:
10.2.0.10
Connections:
hnb: %any...192.168.0.61
hnb: local: [hnb at percello.com] uses public key authentication
hnb: cert: "C=CN, ST=ln, L=dl, O=pctl, OU=rnd,
CN=hnb at percello.com, E=hnb at percello.com"
hnb: remote: [secgw at percello.com] uses any authentication
hnb: child: dynamic === 10.1.0.0/32
Security Associations:
hnb[1]: ESTABLISHED 2 minutes ago,
10.2.0.10[hnb at percello.com]...192.168.0.61[secgw at percello.com]
hnb[1]: IKE SPIs: 54085c4202cac6d8_i* 21815a824394cdf3_r, public
key reauthentication in 50 minutes
hnb[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
hnb{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cd15012c_i c9f2481c_o
hnb{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 19 minutes
hnb{1}: 10.1.0.120/32 === 10.1.0.0/32
5) Here is Alice's ip route list:
10.2.0.0/16 dev eth0 proto kernel scope link src 10.2.0.10
10.1.0.0/16 via 10.2.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1000
default via 10.2.0.1 dev eth0
According to 5), it seems that the subnet 10.1.0.0 is not routed to
192.168.0.61 (the gateway sun's IP). Why?
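The two ipsec.conf files in 1) and 2), the CHILD_SA line in the log in 3) and the routing table in 5) can be checked against each other offline. The script below is an added example (it is not the poster's code and not part of strongSwan); its inputs are copied from the message. It parses the subnet keys of both conn sections, models IKEv2 traffic-selector narrowing as "the CHILD_SA gets the overlap of what the two sides configured", confirms that this matches the TS charon logged (10.1.0.120/32 === 10.1.0.0/32), and then asks, for a destination such as 10.1.0.10, whether a packet falls inside the negotiated remote TS (so the kernel's IPsec policy matches and it is ESP-encapsulated) or falls outside it (so it is sent in the clear along whatever the main routing table says). The "fixed" configuration it tries, rightsubnet=10.1.0.0/16 on alice's side, is an assumption of the example, not something stated in the post. The route lookup is a simplified longest-prefix match over the pasted `ip route list` output, not the kernel's actual lookup.

```python
"""Offline check of why traffic to 10.1.0.10 misses the tunnel in the post above.

Added example (not the poster's code and not part of strongSwan). The inputs
below are copied from the message: the subnet-related keys of both ipsec.conf
files, the CHILD_SA line from charon's log, and alice's main routing table.
"""
import ipaddress
import re

# Copied from section 1) of the post (only the subnet-related keys).
ALICE_CONF = """\
conn hnb
    right=192.168.0.61
    rightsubnet=10.1.0.0/32
    leftsourceip=%config
"""

# Copied from section 2) of the post.
SUN_CONF = """\
conn nat-t
    leftsubnet=10.1.0.0/16
    rightsubnet=0.0.0.0/0
    rightsourceip=%dhcp
"""

# Copied from section 3) (CHILD_SA line) and section 5) (ip route list).
CHILD_SA_LOG = ("13[IKE] CHILD_SA hnb{1} established with SPIs cd15012c_i "
                "c9f2481c_o and TS 10.1.0.120/32 === 10.1.0.0/32")
MAIN_ROUTES = """\
10.2.0.0/16 dev eth0 proto kernel scope link src 10.2.0.10
10.1.0.0/16 via 10.2.0.1 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1000
default via 10.2.0.1 dev eth0
"""


def parse_conn(text, name):
    """Return the key=value pairs of the 'conn <name>' section of an ipsec.conf.

    Section headers sit in column 0; their parameters must be indented.
    """
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():              # unindented: a new section header
            in_section = line == f"conn {name}"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def narrowed_ts(initiator_subnet, responder_subnet):
    """Model IKEv2 TS narrowing: the CHILD_SA gets the overlap of both sides.

    Returns the smaller network when one contains the other, None if they are
    disjoint (then no CHILD_SA would be established at all).
    """
    a = ipaddress.ip_network(initiator_subnet)
    b = ipaddress.ip_network(responder_subnet)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def parse_child_sa_ts(log_line):
    """Extract (local_ts, remote_ts) from charon's 'CHILD_SA ... TS a === b' line."""
    m = re.search(r"\bTS (\S+) === (\S+)", log_line)
    if not m:
        raise ValueError("no traffic selectors in log line")
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def longest_prefix_route(routes_text, dst):
    """Pick the 'ip route list' line that would carry dst (longest prefix wins)."""
    dst = ipaddress.ip_address(dst)
    best_net, best_line = None, None
    for line in routes_text.splitlines():
        if not line.strip():
            continue
        prefix = line.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_line = net, line
    return best_line


def classify(dst, remote_ts, routes_text):
    """'ipsec' if dst lies inside the negotiated remote TS (the kernel policy
    matches and the packet is ESP-encapsulated); otherwise the packet leaves in
    the clear and the returned string names the main-table route it takes."""
    if ipaddress.ip_address(dst) in remote_ts:
        return "ipsec"
    return "clear via: " + longest_prefix_route(routes_text, dst)


def report(dst="10.1.0.10"):
    """Return (negotiated remote TS, verdict for dst, verdict with the assumed fix)."""
    alice = parse_conn(ALICE_CONF, "hnb")
    sun = parse_conn(SUN_CONF, "nat-t")
    expected = narrowed_ts(alice["rightsubnet"], sun["leftsubnet"])
    _local_ts, remote_ts = parse_child_sa_ts(CHILD_SA_LOG)
    assert remote_ts == expected, "charon's log disagrees with the config model"
    verdict = classify(dst, remote_ts, MAIN_ROUTES)
    # Assumed fix (not from the post): let alice ask for the gateway's whole /16.
    fixed_ts = narrowed_ts("10.1.0.0/16", sun["leftsubnet"])
    return str(remote_ts), verdict, classify(dst, fixed_ts, MAIN_ROUTES)


if __name__ == "__main__":
    ts, verdict, fixed = report()
    print(f"negotiated remote TS: {ts}")
    print(f"10.1.0.10 with that TS: {verdict}")
    print(f"10.1.0.10 with rightsubnet=10.1.0.0/16: {fixed}")
```

The point the script makes concrete is that rightsubnet=10.1.0.0/32 names the single host 10.1.0.0, so the only remote traffic selector the CHILD_SA can carry is 10.1.0.0/32, exactly what the log shows; a packet for 10.1.0.10 matches no IPsec policy and simply follows the main table's 10.1.0.0/16 via 10.2.0.1 route, unencrypted, which is the security-relevant part. The main table in 5) is also not where to look for the tunnel: charon keeps the routes it installs for virtual IPs in its own routing table (220 by default), so on the live host the checks are `ip route list table 220` and `ip xfrm policy`, which show the installed route and the policies carrying the negotiated 10.1.0.120/32 === 10.1.0.0/32 selectors.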