[strongSwan] Strongswan Performance (IKEv1 tunnel establishment rate)
Amit Tamboli
amit.tamboli at gmail.com
Wed Nov 16 13:04:18 CET 2011
Hi,

I am running *strongswan-4.5.2* on *Linux 2.6.35*. The underlying processor
is a *quad-core 1.6 GHz*. IKE negotiation is done on a 1 GigE port. For IKEv1
negotiation, two machines are connected back to back. One machine acts as
initiator whereas the other acts as responder. I am able to establish at
the max *13 tunnels per second* using *IKEv1*. After doing analysis I found
that around 81 milliseconds are required to establish a single tunnel; out of
that, *75 milliseconds* are taken by the *do_command function*, called from
the route_and_eroute function after successful addition of IPsec policies and
SAs. Is there any way/configuration which will avoid this command
execution?

I am doing the IKEv1 configuration using the following commands:

ipsec pluto --stderrlog
ipsec whack --listen
ipsec whack --name mycnew1 --tunnel --client 60.0.1.0/24 --host 70.0.0.1 \
    --to --client 50.0.1.0/24 --host 10.0.0.1 --psk --dpdaction none \
    --ike aes-sha1-modp1024 --encrypt --esp aes-sha1
ipsec whack --route --name mycnew1

*Does anyone know, for this kind of configuration, how many IKEv1 tunnels are
established in a second? Has anyone done IKEv1 strongSwan performance
characterization?*

For reference, the following is the debug log for the tunnel establishment
at the responder's side:

| *received 124 bytes from 10.0.0.1:500 on ncpeth12:1
| **parse ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 124
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 56
| DOI: ISAKMP_DOI_IPSEC
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 20
packet from 10.0.0.1:500: received Vendor ID payload [strongSwan]
packet from 10.0.0.1:500: received Vendor ID payload [Dead Peer Detection]
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 44
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 36
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 10800
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| preparse_isakmp_policy: peer requests PSK authentication
| creating state object #1 at 0x100b6768
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
"mycnew1" #1: responding to Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 36
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 10800
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 7
| [7 is AES_CBC]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is HMAC_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_KEY_LENGTH
| length/value: 128
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is pre-shared key]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is MODP_1024]
| Oakley Transform 0 accepted
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: KEY_IKE
| emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
| attributes 80 0b 00 01 80 0c 2a 30 80 01 00 07 80 02 00 02
| 80 0e 00 80 80 03 00 01 80 04 00 02
| emitting length of ISAKMP Transform Payload (ISAKMP): 36
| emitting length of ISAKMP Proposal Payload: 44
| emitting length of ISAKMP Security Association Payload: 56
| out_vendorid(): sending [strongSwan]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 88 2f e5 6d 6f d2 0d bc 22 51 61 3b 2e be 5b eb
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 124
| sending 124 bytes for STATE_MAIN_R0 through ncpeth12:1 to 10.0.0.1:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 180 bytes from 10.0.0.1:500 on ncpeth12:1
| **parse ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 180
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| state object #1 found, in STATE_MAIN_R1
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 132
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 20
| **emit ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| DH public value received:
| size of DH secret exponent: 1023 bits
| Public DH value sent:
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
| Nr 7e b1 22 3e fb c1 32 f4 50 5b c9 64 2a 8c 63 c1
| emitting length of ISAKMP Nonce Payload: 20
| emitting length of ISAKMP Message: 180
| DH shared secret:
| Skeyid: 3c 1f ec c7 df ec 92 6a e1 2d 9e 8a 88 5b fa 8b
| 99 1d 99 73
| Skeyid_d: 2e df 82 be 84 53 11 35 25 bd a6 6e 95 94 5f 9e
| 6e ae c2 f7
| Skeyid_a: 0e e4 0e 65 9e 1e 74 18 05 bf 56 20 01 95 1e e1
| d4 5c d0 3f
| Skeyid_e: 4f 54 de 03 1e 71 36 37 84 e1 f6 95 6c 32 9b 16
| 2f d1 9b f6
| enc key: 4f 54 de 03 1e 71 36 37 84 e1 f6 95 6c 32 9b 16
| IV: ff df c4 49 64 fd 0b f7 d8 67 03 91 30 e1 ae 48
| cb 71 c1 d7
| sending 180 bytes for STATE_MAIN_R1 through ncpeth12:1 to 10.0.0.1:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 76 bytes from 10.0.0.1:500 on ncpeth12:1
| **parse ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| length: 76
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| state object #1 found, in STATE_MAIN_R2
| received encrypted packet from 10.0.0.1:500
| decrypting 48 bytes using algorithm AES_CBC
| decrypted:
| 08 00 00 0c 01 00 00 00 0a 00 00 01 00 00 00 18
| 93 94 e3 94 13 aa 78 14 fb 6b b5 df c7 22 24 8c
| 98 0d 0b 29 00 00 00 00 00 00 00 00 00 00 00 00
| next IV: d9 29 26 ec 8d 79 10 b0 35 b4 90 90 a5 f4 d4 fe
| ***parse ISAKMP Identification Payload:
| next payload type: ISAKMP_NEXT_HASH
| length: 12
| ID type: ID_IPV4_ADDR
| DOI specific A: 0
| DOI specific B: 0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| removing 12 bytes of padding
"mycnew1" #1: Peer ID is ID_IPV4_ADDR: '10.0.0.1'
| hashing 52 bytes of SA
| authentication succeeded
| peer CA: %none
| current connection is a full match -- no need to look further
| offered CA: %none
| **emit ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_HASH
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
| my identity 46 00 00 01
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| hashing 52 bytes of SA
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload
| HASH_R 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02
| ad 10 94 a8
| emitting length of ISAKMP Hash Payload: 24
| encrypting:
| 08 00 00 0c 01 00 00 00 46 00 00 01 00 00 00 18
| 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02
| ad 10 94 a8
| emitting 12 zero bytes of encryption padding into ISAKMP Message
| encrypting using AES_CBC
| next IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
| emitting length of ISAKMP Message: 76
| last encrypted block of Phase 1:
| d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
| sending 76 bytes for STATE_MAIN_R2 through ncpeth12:1 to 10.0.0.1:500:
| inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
"mycnew1" #1: sent MR3, ISAKMP SA established
| next event EVENT_REINIT_SECRET in 3588 seconds
|
| *received 156 bytes from 10.0.0.1:500 on ncpeth12:1
| **parse ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 94 34 e5 61
| length: 156
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| state object not found
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| state object #1 found, in STATE_MAIN_R3
| last Phase 1 IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
| computed Phase 2 IV:
| 22 1f 7a d9 1e f5 df 8c 60 07 6f e5 7e dc 95 23
| c6 77 7f 00
| received encrypted packet from 10.0.0.1:500
| decrypting 128 bytes using algorithm AES_CBC
| decrypted:
| next IV: 60 87 d3 b3 4b 87 67 c5 c3 d1 26 93 84 11 69 a9
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| length: 24
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_ID
| length: 20
| ***parse ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_ID
| length: 16
| ID type: ID_IPV4_ADDR_SUBNET
| Protocol ID: 0
| port: 0
| ***parse ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_NONE
| length: 16
| ID type: ID_IPV4_ADDR_SUBNET
| Protocol ID: 0
| port: 0
| HASH(1) computed:
| 9e 79 6e 6a bc 16 8d 5f d3 52 61 a2 d2 18 f7 e2
| 3a e6 4c 52
| peer client is subnet 50.0.1.0/24
| peer client protocol/port is 0/0
| our client is subnet 60.0.1.0/24
| our client protocol/port is 0/0
| find_client_connection starting with mycnew1
| looking for 60.0.1.0/24:0/0 -> 50.0.1.0/24:0/0
| concrete checking against sr#0 60.0.1.0/24 -> 50.0.1.0/24
| duplicating state object #1
| creating state object #2 at 0x100b7360
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
| **emit ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 94 34 e5 61
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| DOI: ISAKMP_DOI_IPSEC
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI c4 51 8a 7d
| *****parse ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| length: 28
| transform number: 0
| transform ID: AES_CBC
| ******parse ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 1
| [1 is ENCAPSULATION_MODE_TUNNEL]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 3600
| ******parse ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is HMAC_SHA1]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: KEY_LENGTH
| length/value: 128
| kernel_alg_esp_enc_ok(12,128): alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| getting SPI for reqid {16388}
| sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0xbfcb9790
| got SPI c940edca for reqid {16388}
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI c9 40 ed ca
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: AES_CBC
| emitting 20 raw bytes of attributes into ISAKMP Transform Payload (ESP)
| attributes 80 04 00 01 80 01 00 01 80 02 0e 10 80 05 00 02
| 80 06 00 80
| emitting length of ISAKMP Transform Payload (ESP): 28
| emitting length of ISAKMP Proposal Payload: 40
| emitting length of ISAKMP Security Association Payload: 52
"mycnew1" #2: responding to Quick Mode
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_ID
| emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
| Nr 0b 87 df 44 34 6e 38 ea 8d ee fb fb bb 41 60 85
| emitting length of ISAKMP Nonce Payload: 20
| emitting 16 raw bytes of IDci into ISAKMP Message
| IDci 05 00 00 10 04 00 00 00 32 00 01 00 ff ff ff 00
| emitting 16 raw bytes of IDcr into ISAKMP Message
| IDcr 00 00 00 10 04 00 00 00 3c 00 01 00 ff ff ff 00
| HASH(2) computed:
| 0a fc ac 49 11 a3 83 a6 f4 cf 84 80 7b 7b 1e 63
| 8b 55 13 07
| kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
| KEYMAT computed:
| 95 8e 61 58 03 13 c8 42 9d cb 11 dc 57 25 67 ee
| d4 1d e3 c7 02 ea cf 07 ca ed 81 e5 b3 b1 70 0d
| 92 db e2 d3
| route owner of "mycnew1" prospective erouted: self
| install_inbound_ipsec_sa() checking if we can route
| route owner of "mycnew1" prospective erouted: self; eroute owner: self
| kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3
| adding SAD entry with SPI c940edca and reqid {16388}
| using encryption algorithm AES_CBC with key size 128
| using integrity algorithm HMAC_SHA1_96 with key size 160
| sending XFRM_MSG_UPDSA: => 420 bytes @ 0xbfcb9698
| encrypting:
| encrypting using AES_CBC
| next IV: b8 70 93 5c 89 2b 43 24 b5 03 dd cb 89 65 4d 5b
| emitting length of ISAKMP Message: 156
| sending 156 bytes for STATE_QUICK_R0 through ncpeth12:1 to 10.0.0.1:500:
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 60 bytes from 10.0.0.1:500 on ncpeth12:1
| 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
| 08 10 20 01 94 34 e5 61 00 00 00 3c 3e cb 11 6c
| 8f ff 0c ae f5 a8 72 7f d4 b1 a7 a5 f6 cd 49 e0
| 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec
| **parse ISAKMP Message:
| initiator cookie:
| 14 0a c2 61 e7 ef 8f e1
| responder cookie:
| 0d a0 6f 55 e8 a4 68 e3
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 94 34 e5 61
| length: 60
| ICOOKIE: 14 0a c2 61 e7 ef 8f e1
| RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
| peer: 0a 00 00 01
| state hash entry 2
| state object #2 found, in STATE_QUICK_R1
| received encrypted packet from 10.0.0.1:500
| decrypting 32 bytes using algorithm AES_CBC
| decrypted:
| 00 00 00 18 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb
| 30 43 00 fd 11 54 dc f3 00 00 00 00 00 00 00 00
| next IV: f6 cd 49 e0 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| removing 8 bytes of padding
| HASH(3) computed: 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb 30 43 00 fd
| 11 54 dc f3
| kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
| Peer KEYMAT computed:
| 18 91 d7 31 0f 10 85 63 3b 36 b7 0f ce 2b 65 19
| 71 7c 2f bb 38 56 b6 40 af 37 76 a6 4d 6f dc de
| 0e ce ac d9
| install_ipsec_sa() for #2: outbound only
| route owner of "mycnew1" prospective erouted: self; eroute owner: self
| kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3
| adding SAD entry with SPI c4518a7d and reqid {16388}
| using encryption algorithm AES_CBC with key size 128
| using integrity algorithm HMAC_SHA1_96 with key size 160
| sending XFRM_MSG_NEWSA: => 420 bytes @ 0xbfcb9fa8
| sr for #2: prospective erouted
| route owner of "mycnew1" prospective erouted: self; eroute owner: self
| route_and_eroute with c: mycnew1 (next: none) ero:mycnew1 esr:{(nil)} ro:mycnew1 rosr:{(nil)} and state: 2
| eroute_connection replace eroute 50.0.1.0/24:0 -> 60.0.1.0/24:0 => tun.0@70.0.0.1:0
| deleting policy 50.0.1.0/24 === 60.0.1.0/24 in
deleting policy 50.0.1.0/24 === 60.0.1.0/24 in failed, not found
"mycnew1" #2: ************ Time taken for del policy 0 sec:77 usec
| adding policy 50.0.1.0/24 === 60.0.1.0/24 in
| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
"mycnew1" #2: ************ Time taken for add policy 0 sec:252 usec
| deleting policy 50.0.1.0/24 === 60.0.1.0/24 fwd
deleting policy 50.0.1.0/24 === 60.0.1.0/24 fwd failed, not found
"mycnew1" #2: ************ Time taken for del policy 0 sec:66 usec
| adding policy 50.0.1.0/24 === 60.0.1.0/24 fwd
| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
"mycnew1" #2: ************ Time taken for add policy 0 sec:1267 usec
| eroute_connection replace eroute 60.0.1.0/24:0 -> 50.0.1.0/24:0 => tun.0@10.0.0.1:0
| deleting policy 60.0.1.0/24 === 50.0.1.0/24 out
| sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0xbfcb9d58
"mycnew1" #2: ************ Time taken for del policy 0 sec:1015 usec
| adding policy 60.0.1.0/24 === 50.0.1.0/24 out
| sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
"mycnew1" #2: ************ Time taken for add policy 0 sec:1839 usec
"mycnew1" #2: Time taken in route_and_eroute (firewall)0 sec:4764 usec
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client'
PLUTO_CONNECTION='mycnew1' PLUTO_NEXT_HOP='10.0.0.1'
PLUTO_INTERFACE='ncpeth12:1' PLUTO_REQID='16388' PLUTO_ME='70.0.0.1'
PLUTO_MY_ID='70.0.0.1' PLUTO_MY_CLIENT='60.0.1.0/24'
PLUTO_MY_CLIENT_NET='60.0.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.0.0.1'
PLUTO_PEER_ID='10.0.0.1' PLUTO_PEER_CLIENT='50.0.1.0/24'
PLUTO_PEER_CLIENT_NET='50.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown
| route_and_eroute: firewall_notified: true
| route_and_eroute: instance "mycnew1", setting eroute_owner
{spd=0x100af720,sr=0x100af720} to #2 (was #0) (newest_ipsec_sa=#0)
"mycnew1" #2: Time taken in route_and_eroute 0 sec:85145 usec
| inI2: instance mycnew1[0], setting newest_ipsec_sa to #2 (was #0)
(spd.eroute=#2)
| inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2
"mycnew1" #2: IPsec SA established {ESP=>0xc4518a7d <0xc940edca}
| next event EVENT_SA_REPLACE in 3330 seconds for #2
Thanks and Regards,
Amit Tamboli
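
The timing lines in the responder log above can be totalled to see how the time inside route_and_eroute splits between the kernel policy operations and everything that follows. This Python sketch is an added example, not part of the original post or of strongSwan; the sample lines are copied from the log with the hex dumps left out, and it assumes, from the order of the log lines, that the "(firewall)" timestamp is written just before the up-client script is executed.

```python
import re

# Constructed sample: timing lines taken from the log above (hex dumps omitted).
SAMPLE_LOG = '''\
"mycnew1" #2: ************ Time taken for del policy 0 sec:77 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:252 usec
"mycnew1" #2: ************ Time taken for del policy 0 sec:66 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:1267 usec
"mycnew1" #2: ************ Time taken for del policy 0 sec:1015 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:1839 usec
"mycnew1" #2: Time taken in route_and_eroute (firewall)0 sec:4764 usec
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client'
"mycnew1" #2: Time taken in route_and_eroute 0 sec:85145 usec
'''

# Matches the poster's custom instrumentation lines, with or without the "****" run.
TIMING = re.compile(
    r'^"[^"]+" #\d+: [* ]*Time taken (?:for|in) '
    r'(?P<label>.+?)\s*(?P<sec>\d+) sec:(?P<usec>\d+) usec\s*$'
)

def parse_timings(log_text):
    """Return [(label, microseconds)] for every timing line, in log order."""
    found = []
    for line in log_text.splitlines():
        m = TIMING.match(line.strip())
        if m:
            found.append((m["label"], int(m["sec"]) * 1_000_000 + int(m["usec"])))
    return found

def breakdown(log_text):
    """Split route_and_eroute time into policy work and the remainder."""
    timings = parse_timings(log_text)
    by_label = dict(timings)  # unique labels: the two route_and_eroute markers
    try:
        before_updown = by_label["route_and_eroute (firewall)"]
        total = by_label["route_and_eroute"]
    except KeyError as missing:
        raise ValueError(f"log has no timing line for {missing}") from None
    policy = sum(us for label, us in timings if label.endswith("policy"))
    after = total - before_updown  # assumed to include the up-client _updown run
    return {"policy_usec": policy, "before_updown_usec": before_updown,
            "total_usec": total, "after_firewall_usec": after,
            "after_share": round(after / total, 3)}

if __name__ == "__main__":
    for key, value in breakdown(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```
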