[strongSwan] Strongswan Performance (IKEv1 tunnel establishment rate)

Andreas Steffen andreas.steffen at strongswan.org
Wed Nov 16 13:37:48 CET 2011


Hi Amit,

please be aware that the source code of the IKEv1 pluto daemon is in
maintenance mode. If you want high performance then use our scalable
IKEv2 charon daemon which can make use of multiple cores and can set
up > 10'000 tunnels in a couple of minutes (with public key hardware
acceleration, though).

Kind regards

Andreas

On 11/16/2011 01:04 PM, Amit Tamboli wrote:
> Hi,
>
> I am running *strongswan-4.5.2* on *Linux 2.6.35*. Underlying processor is
> *quad core - 1.6 GHz*. IKE negotiation is done on 1 GigE port. For
> IKEv1 negotiation two machines are connected back to back. One machine
> acts as initiator whereas the other acts as responder. I am able to
> establish at *the max 13 tunnels per second* *using IKEv1*. After doing
> analysis I found that around 81 milliseconds are required to establish
> a single tunnel, out of that *75 milliseconds* are taken *by do_command
> function* called from route_and_eroute function after successful
> addition of IPsec policies and SAs. Is there any way/configuration
> which will avoid this command execution?
>
> I am doing IKEv1 configuration using the following commands:
>      ipsec pluto --stderrlog
>      ipsec whack --listen
>      ipsec whack --name mycnew1 --tunnel --client 60.0.1.0/24 --host 70.0.0.1 --to --client 50.0.1.0/24 --host 10.0.0.1 --psk --dpdaction none --ike aes-sha1-modp1024 --encrypt --esp aes-sha1
>      ipsec whack --route --name mycnew1
>
> *Does anyone know for this kind of configuration how many IKEv1 tunnels
> are established in a second? Has anyone done IKEv1 strongswan
> performance characterization?*
> For reference, following is the debug log for the tunnel
> establishment at responder's side:
> | *received 124 bytes from 10.0.0.1:500 on ncpeth12:1
> | 14 0a c2 61 e7 ef 8f e1 00 00 00 00 00 00 00 00
> | 01 10 02 00 00 00 00 00 00 00 00 7c 0d 00 00 38
> | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
> | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 2a 30
> | 80 01 00 07 80 02 00 02 80 0e 00 80 80 03 00 01
> | 80 04 00 02 0d 00 00 14 88 2f e5 6d 6f d2 0d bc
> | 22 51 61 3b 2e be 5b eb 00 00 00 14 af ca d7 13
> | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
> | **parse ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 00 00 00 00 00 00 00 00
> | next payload type: ISAKMP_NEXT_SA
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: none
> | message ID: 00 00 00 00
> | length: 124
> | ***parse ISAKMP Security Association Payload:
> | next payload type: ISAKMP_NEXT_VID
> | length: 56
> | DOI: ISAKMP_DOI_IPSEC
> | ***parse ISAKMP Vendor ID Payload:
> | next payload type: ISAKMP_NEXT_VID
> | length: 20
> | ***parse ISAKMP Vendor ID Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 20
> packet from 10.0.0.1:500: received Vendor ID payload [strongSwan]
> packet from 10.0.0.1:500: received Vendor ID payload [Dead Peer Detection]
> | ****parse IPsec DOI SIT:
> | IPsec DOI SIT: SIT_IDENTITY_ONLY
> | ****parse ISAKMP Proposal Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 44
> | proposal number: 0
> | protocol ID: PROTO_ISAKMP
> | SPI size: 0
> | number of transforms: 1
> | *****parse ISAKMP Transform Payload (ISAKMP):
> | next payload type: ISAKMP_NEXT_NONE
> | length: 36
> | transform number: 0
> | transform ID: KEY_IKE
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_LIFE_TYPE
> | length/value: 1
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_LIFE_DURATION
> | length/value: 10800
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_ENCRYPTION_ALGORITHM
> | length/value: 7
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_HASH_ALGORITHM
> | length/value: 2
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_KEY_LENGTH
> | length/value: 128
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_AUTHENTICATION_METHOD
> | length/value: 1
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_GROUP_DESCRIPTION
> | length/value: 2
> | preparse_isakmp_policy: peer requests PSK authentication
> | creating state object #1 at 0x100b6768
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> "mycnew1" #1: responding to Main Mode
> | **emit ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_SA
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: none
> | message ID: 00 00 00 00
> | ***emit ISAKMP Security Association Payload:
> | next payload type: ISAKMP_NEXT_VID
> | DOI: ISAKMP_DOI_IPSEC
> | *****parse ISAKMP Transform Payload (ISAKMP):
> | next payload type: ISAKMP_NEXT_NONE
> | length: 36
> | transform number: 0
> | transform ID: KEY_IKE
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_LIFE_TYPE
> | length/value: 1
> | [1 is OAKLEY_LIFE_SECONDS]
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_LIFE_DURATION
> | length/value: 10800
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_ENCRYPTION_ALGORITHM
> | length/value: 7
> | [7 is AES_CBC]
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_HASH_ALGORITHM
> | length/value: 2
> | [2 is HMAC_SHA1]
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_KEY_LENGTH
> | length/value: 128
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_AUTHENTICATION_METHOD
> | length/value: 1
> | [1 is pre-shared key]
> | ******parse ISAKMP Oakley attribute:
> | af+type: OAKLEY_GROUP_DESCRIPTION
> | length/value: 2
> | [2 is MODP_1024]
> | Oakley Transform 0 accepted
> | ****emit IPsec DOI SIT:
> | IPsec DOI SIT: SIT_IDENTITY_ONLY
> | ****emit ISAKMP Proposal Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | proposal number: 0
> | protocol ID: PROTO_ISAKMP
> | SPI size: 0
> | number of transforms: 1
> | *****emit ISAKMP Transform Payload (ISAKMP):
> | next payload type: ISAKMP_NEXT_NONE
> | transform number: 0
> | transform ID: KEY_IKE
> | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP)
> | attributes 80 0b 00 01 80 0c 2a 30 80 01 00 07 80 02 00 02
> | 80 0e 00 80 80 03 00 01 80 04 00 02
> | emitting length of ISAKMP Transform Payload (ISAKMP): 36
> | emitting length of ISAKMP Proposal Payload: 44
> | emitting length of ISAKMP Security Association Payload: 56
> | out_vendorid(): sending [strongSwan]
> | ***emit ISAKMP Vendor ID Payload:
> | next payload type: ISAKMP_NEXT_VID
> | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
> | V_ID 88 2f e5 6d 6f d2 0d bc 22 51 61 3b 2e be 5b eb
> | emitting length of ISAKMP Vendor ID Payload: 20
> | out_vendorid(): sending [Dead Peer Detection]
> | ***emit ISAKMP Vendor ID Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
> | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
> | emitting length of ISAKMP Vendor ID Payload: 20
> | emitting length of ISAKMP Message: 124
> | sending 124 bytes for STATE_MAIN_R0 through ncpeth12:1 to 10.0.0.1:500:
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 01 10 02 00 00 00 00 00 00 00 00 7c 0d 00 00 38
> | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
> | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 2a 30
> | 80 01 00 07 80 02 00 02 80 0e 00 80 80 03 00 01
> | 80 04 00 02 0d 00 00 14 88 2f e5 6d 6f d2 0d bc
> | 22 51 61 3b 2e be 5b eb 00 00 00 14 af ca d7 13
> | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> | next event EVENT_RETRANSMIT in 10 seconds for #1
> |
> | *received 180 bytes from 10.0.0.1:500 on ncpeth12:1
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84
> | b9 a0 77 62 c8 43 3c e0 9a 17 6b 86 8c bf c9 f8
> | bc 9f ab 18 b2 22 b2 fc c7 44 b4 f2 11 ae 60 d2
> | 3f 63 3b 75 06 4b ed 32 2a c8 8e e7 5d 09 4c e6
> | 31 62 bb aa 22 b1 b9 72 e1 fd 0e 3b 79 d5 3e 2c
> | 54 df 15 0c f9 26 16 dc af 17 ef ae 72 43 5f 3b
> | 89 05 27 5c 9a 57 86 c2 86 45 80 67 0d be 04 ab
> | 9f d3 5e 80 5c 91 c4 ab 35 32 88 86 f8 02 e9 08
> | 1a 83 f9 fe f3 11 f1 b4 94 38 f2 22 68 1a c5 0b
> | 00 00 00 14 5b 7f 47 30 f8 6e 1f fe aa 2a 2a ee
> | cb 69 bf bc
> | **parse ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_KE
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: none
> | message ID: 00 00 00 00
> | length: 180
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | state object #1 found, in STATE_MAIN_R1
> | ***parse ISAKMP Key Exchange Payload:
> | next payload type: ISAKMP_NEXT_NONCE
> | length: 132
> | ***parse ISAKMP Nonce Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 20
> | **emit ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_KE
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: none
> | message ID: 00 00 00 00
> | DH public value received:
> | b9 a0 77 62 c8 43 3c e0 9a 17 6b 86 8c bf c9 f8
> | bc 9f ab 18 b2 22 b2 fc c7 44 b4 f2 11 ae 60 d2
> | 3f 63 3b 75 06 4b ed 32 2a c8 8e e7 5d 09 4c e6
> | 31 62 bb aa 22 b1 b9 72 e1 fd 0e 3b 79 d5 3e 2c
> | 54 df 15 0c f9 26 16 dc af 17 ef ae 72 43 5f 3b
> | 89 05 27 5c 9a 57 86 c2 86 45 80 67 0d be 04 ab
> | 9f d3 5e 80 5c 91 c4 ab 35 32 88 86 f8 02 e9 08
> | 1a 83 f9 fe f3 11 f1 b4 94 38 f2 22 68 1a c5 0b
> | size of DH secret exponent: 1023 bits
> | Public DH value sent:
> | 8a 15 e2 66 b3 b8 2d dc f9 3e 44 df 20 af e9 34
> | 83 b9 de 69 75 ea 47 15 35 0c 0a 9d b4 d7 00 b4
> | 09 c4 50 50 24 b5 ef f6 7f 08 ee d6 7e 13 83 6d
> | 50 a2 9f 4f cb 78 0f 7c 65 b9 cb dd 3d 97 86 80
> | 6e 94 fd a8 07 b4 58 a5 ec a8 71 35 de 48 f6 9a
> | 31 7e 85 42 c7 6f 77 c3 42 ce 49 e9 ca a6 9b f1
> | 44 e3 1d 69 56 8f 67 36 58 2a e5 a5 6c cd 66 2e
> | 30 3c 95 6a c1 37 63 ea 9d 3b 8a 98 b8 a4 c1 cb
> | ***emit ISAKMP Key Exchange Payload:
> | next payload type: ISAKMP_NEXT_NONCE
> | emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
> | keyex value 8a 15 e2 66 b3 b8 2d dc f9 3e 44 df 20 af e9 34
> | 83 b9 de 69 75 ea 47 15 35 0c 0a 9d b4 d7 00 b4
> | 09 c4 50 50 24 b5 ef f6 7f 08 ee d6 7e 13 83 6d
> | 50 a2 9f 4f cb 78 0f 7c 65 b9 cb dd 3d 97 86 80
> | 6e 94 fd a8 07 b4 58 a5 ec a8 71 35 de 48 f6 9a
> | 31 7e 85 42 c7 6f 77 c3 42 ce 49 e9 ca a6 9b f1
> | 44 e3 1d 69 56 8f 67 36 58 2a e5 a5 6c cd 66 2e
> | 30 3c 95 6a c1 37 63 ea 9d 3b 8a 98 b8 a4 c1 cb
> | emitting length of ISAKMP Key Exchange Payload: 132
> | ***emit ISAKMP Nonce Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
> | Nr 7e b1 22 3e fb c1 32 f4 50 5b c9 64 2a 8c 63 c1
> | emitting length of ISAKMP Nonce Payload: 20
> | emitting length of ISAKMP Message: 180
> | DH shared secret:
> | 14 2d 87 3b bd 9e b7 55 d0 f6 39 c2 ab 69 2d e7
> | 38 6e 04 88 2b ae 1e 62 1c c5 92 42 93 1b a0 a8
> | 15 d0 f8 19 3e 73 54 cb 90 43 33 ba 20 c1 de 2e
> | ea 55 0f 19 35 91 6d 43 e6 80 53 11 5c a8 06 40
> | 97 7f d2 22 99 8b b5 24 71 59 25 35 f5 6a 03 2a
> | 16 77 4b 2a ef c7 c7 00 e1 8f b0 35 90 13 52 bb
> | 67 f2 3c 4c 00 f7 02 b7 40 86 62 12 dd 0f 11 db
> | 1e 83 18 50 9a fb b4 bf eb b3 fc b5 50 6d 3a eb
> | DH_i: b9 a0 77 62 c8 43 3c e0 9a 17 6b 86 8c bf c9 f8
> | bc 9f ab 18 b2 22 b2 fc c7 44 b4 f2 11 ae 60 d2
> | 3f 63 3b 75 06 4b ed 32 2a c8 8e e7 5d 09 4c e6
> | 31 62 bb aa 22 b1 b9 72 e1 fd 0e 3b 79 d5 3e 2c
> | 54 df 15 0c f9 26 16 dc af 17 ef ae 72 43 5f 3b
> | 89 05 27 5c 9a 57 86 c2 86 45 80 67 0d be 04 ab
> | 9f d3 5e 80 5c 91 c4 ab 35 32 88 86 f8 02 e9 08
> | 1a 83 f9 fe f3 11 f1 b4 94 38 f2 22 68 1a c5 0b
> | DH_r: 8a 15 e2 66 b3 b8 2d dc f9 3e 44 df 20 af e9 34
> | 83 b9 de 69 75 ea 47 15 35 0c 0a 9d b4 d7 00 b4
> | 09 c4 50 50 24 b5 ef f6 7f 08 ee d6 7e 13 83 6d
> | 50 a2 9f 4f cb 78 0f 7c 65 b9 cb dd 3d 97 86 80
> | 6e 94 fd a8 07 b4 58 a5 ec a8 71 35 de 48 f6 9a
> | 31 7e 85 42 c7 6f 77 c3 42 ce 49 e9 ca a6 9b f1
> | 44 e3 1d 69 56 8f 67 36 58 2a e5 a5 6c cd 66 2e
> | 30 3c 95 6a c1 37 63 ea 9d 3b 8a 98 b8 a4 c1 cb
> | Skeyid: 3c 1f ec c7 df ec 92 6a e1 2d 9e 8a 88 5b fa 8b
> | 99 1d 99 73
> | Skeyid_d: 2e df 82 be 84 53 11 35 25 bd a6 6e 95 94 5f 9e
> | 6e ae c2 f7
> | Skeyid_a: 0e e4 0e 65 9e 1e 74 18 05 bf 56 20 01 95 1e e1
> | d4 5c d0 3f
> | Skeyid_e: 4f 54 de 03 1e 71 36 37 84 e1 f6 95 6c 32 9b 16
> | 2f d1 9b f6
> | enc key: 4f 54 de 03 1e 71 36 37 84 e1 f6 95 6c 32 9b 16
> | IV: ff df c4 49 64 fd 0b f7 d8 67 03 91 30 e1 ae 48
> | cb 71 c1 d7
> | sending 180 bytes for STATE_MAIN_R1 through ncpeth12:1 to 10.0.0.1:500:
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84
> | 8a 15 e2 66 b3 b8 2d dc f9 3e 44 df 20 af e9 34
> | 83 b9 de 69 75 ea 47 15 35 0c 0a 9d b4 d7 00 b4
> | 09 c4 50 50 24 b5 ef f6 7f 08 ee d6 7e 13 83 6d
> | 50 a2 9f 4f cb 78 0f 7c 65 b9 cb dd 3d 97 86 80
> | 6e 94 fd a8 07 b4 58 a5 ec a8 71 35 de 48 f6 9a
> | 31 7e 85 42 c7 6f 77 c3 42 ce 49 e9 ca a6 9b f1
> | 44 e3 1d 69 56 8f 67 36 58 2a e5 a5 6c cd 66 2e
> | 30 3c 95 6a c1 37 63 ea 9d 3b 8a 98 b8 a4 c1 cb
> | 00 00 00 14 7e b1 22 3e fb c1 32 f4 50 5b c9 64
> | 2a 8c 63 c1
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> | next event EVENT_RETRANSMIT in 10 seconds for #1
> |
> | *received 76 bytes from 10.0.0.1:500 on ncpeth12:1
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 05 10 02 01 00 00 00 00 00 00 00 4c 09 e8 50 78
> | 3c 50 ad c9 7e 6e b3 05 bd 86 32 3d 59 0a 11 8f
> | a7 bc e0 78 2f 51 d1 4b 90 92 10 79 d9 29 26 ec
> | 8d 79 10 b0 35 b4 90 90 a5 f4 d4 fe
> | **parse ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_ID
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: ISAKMP_FLAG_ENCRYPTION
> | message ID: 00 00 00 00
> | length: 76
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | state object #1 found, in STATE_MAIN_R2
> | received encrypted packet from 10.0.0.1:500
> | decrypting 48 bytes using algorithm AES_CBC
> | decrypted:
> | 08 00 00 0c 01 00 00 00 0a 00 00 01 00 00 00 18
> | 93 94 e3 94 13 aa 78 14 fb 6b b5 df c7 22 24 8c
> | 98 0d 0b 29 00 00 00 00 00 00 00 00 00 00 00 00
> | next IV: d9 29 26 ec 8d 79 10 b0 35 b4 90 90 a5 f4 d4 fe
> | ***parse ISAKMP Identification Payload:
> | next payload type: ISAKMP_NEXT_HASH
> | length: 12
> | ID type: ID_IPV4_ADDR
> | DOI specific A: 0
> | DOI specific B: 0
> | ***parse ISAKMP Hash Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 24
> | removing 12 bytes of padding
> "mycnew1" #1: Peer ID is ID_IPV4_ADDR: '10.0.0.1'
> | hashing 52 bytes of SA
> | authentication succeeded
> | peer CA: %none
> | current connection is a full match -- no need to look further
> | offered CA: %none
> | **emit ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_ID
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_IDPROT
> | flags: ISAKMP_FLAG_ENCRYPTION
> | message ID: 00 00 00 00
> | ***emit ISAKMP Identification Payload (IPsec DOI):
> | next payload type: ISAKMP_NEXT_HASH
> | ID type: ID_IPV4_ADDR
> | Protocol ID: 0
> | port: 0
> | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
> | my identity 46 00 00 01
> | emitting length of ISAKMP Identification Payload (IPsec DOI): 12
> | hashing 52 bytes of SA
> | ***emit ISAKMP Hash Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload
> | HASH_R 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02
> | ad 10 94 a8
> | emitting length of ISAKMP Hash Payload: 24
> | encrypting:
> | 08 00 00 0c 01 00 00 00 46 00 00 01 00 00 00 18
> | 54 4e d3 f4 76 2c 9f a5 fc 1e 82 f1 95 b6 e9 02
> | ad 10 94 a8
> | emitting 12 zero bytes of encryption padding into ISAKMP Message
> | encrypting using AES_CBC
> | next IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
> | emitting length of ISAKMP Message: 76
> | last encrypted block of Phase 1:
> | d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
> | sending 76 bytes for STATE_MAIN_R2 through ncpeth12:1 to 10.0.0.1:500:
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 05 10 02 01 00 00 00 00 00 00 00 4c 8b 76 10 ec
> | e5 e1 d3 08 27 35 a0 79 80 7a 0a 9b 74 28 8e 3a
> | 17 90 0d e0 ef 40 a2 38 d9 70 c1 e2 d3 45 cb 2c
> | 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
> | inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
> "mycnew1" #1: sent MR3, ISAKMP SA established
> | next event EVENT_REINIT_SECRET in 3588 seconds
> |
> | *received 156 bytes from 10.0.0.1:500 on ncpeth12:1
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 08 10 20 01 94 34 e5 61 00 00 00 9c 88 0f dc ad
> | f5 bb 1e 92 de fe c6 fc 8b 16 8a 93 aa 31 9e 04
> | 5d 17 0c 32 c7 a1 62 20 29 50 32 01 d1 40 88 85
> | c1 0f 24 b2 0e 51 9e 65 0f fc 85 55 52 70 22 e3
> | 52 bb 64 03 e8 00 b0 29 72 7c a2 66 fd 40 da 2c
> | 34 e3 2c 0a 3f bc 4f 03 6e 50 0d ad a5 f2 e8 6e
> | 58 d4 58 a5 78 55 84 5f a3 f5 7b b0 40 71 ff eb
> | 1c 38 d2 2a 28 d2 93 a6 d0 5f 08 57 60 87 d3 b3
> | 4b 87 67 c5 c3 d1 26 93 84 11 69 a9
> | **parse ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_HASH
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_QUICK
> | flags: ISAKMP_FLAG_ENCRYPTION
> | message ID: 94 34 e5 61
> | length: 156
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | state object not found
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | state object #1 found, in STATE_MAIN_R3
> | last Phase 1 IV: d3 45 cb 2c 46 4c 80 8c 34 e9 8d 16 8f 3a bd 35
> | computed Phase 2 IV:
> | 22 1f 7a d9 1e f5 df 8c 60 07 6f e5 7e dc 95 23
> | c6 77 7f 00
> | received encrypted packet from 10.0.0.1:500
> | decrypting 128 bytes using algorithm AES_CBC
> | decrypted:
> | 01 00 00 18 9e 79 6e 6a bc 16 8d 5f d3 52 61 a2
> | d2 18 f7 e2 3a e6 4c 52 0a 00 00 34 00 00 00 01
> | 00 00 00 01 00 00 00 28 00 03 04 01 c4 51 8a 7d
> | 00 00 00 1c 00 0c 00 00 80 04 00 01 80 01 00 01
> | 80 02 0e 10 80 05 00 02 80 06 00 80 05 00 00 14
> | b5 76 c6 4b 93 54 3a 3b dc 33 f0 e0 a0 6f 2d 97
> | 05 00 00 10 04 00 00 00 32 00 01 00 ff ff ff 00
> | 00 00 00 10 04 00 00 00 3c 00 01 00 ff ff ff 00
> | next IV: 60 87 d3 b3 4b 87 67 c5 c3 d1 26 93 84 11 69 a9
> | ***parse ISAKMP Hash Payload:
> | next payload type: ISAKMP_NEXT_SA
> | length: 24
> | ***parse ISAKMP Security Association Payload:
> | next payload type: ISAKMP_NEXT_NONCE
> | length: 52
> | DOI: ISAKMP_DOI_IPSEC
> | ***parse ISAKMP Nonce Payload:
> | next payload type: ISAKMP_NEXT_ID
> | length: 20
> | ***parse ISAKMP Identification Payload (IPsec DOI):
> | next payload type: ISAKMP_NEXT_ID
> | length: 16
> | ID type: ID_IPV4_ADDR_SUBNET
> | Protocol ID: 0
> | port: 0
> | ***parse ISAKMP Identification Payload (IPsec DOI):
> | next payload type: ISAKMP_NEXT_NONE
> | length: 16
> | ID type: ID_IPV4_ADDR_SUBNET
> | Protocol ID: 0
> | port: 0
> | HASH(1) computed:
> | 9e 79 6e 6a bc 16 8d 5f d3 52 61 a2 d2 18 f7 e2
> | 3a e6 4c 52
> | peer client is subnet 50.0.1.0/24
> | peer client protocol/port is 0/0
> | our client is subnet 60.0.1.0/24
> | our client protocol/port is 0/0
> | find_client_connection starting with mycnew1
> | looking for 60.0.1.0/24:0/0 -> 50.0.1.0/24:0/0
> | concrete checking against sr#0 60.0.1.0/24 -> 50.0.1.0/24
> | duplicating state object #1
> | creating state object #2 at 0x100b7360
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
> | **emit ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_HASH
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_QUICK
> | flags: ISAKMP_FLAG_ENCRYPTION
> | message ID: 94 34 e5 61
> | ***emit ISAKMP Hash Payload:
> | next payload type: ISAKMP_NEXT_SA
> | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
> | emitting length of ISAKMP Hash Payload: 24
> | ***emit ISAKMP Security Association Payload:
> | next payload type: ISAKMP_NEXT_NONCE
> | DOI: ISAKMP_DOI_IPSEC
> | ****parse IPsec DOI SIT:
> | IPsec DOI SIT: SIT_IDENTITY_ONLY
> | ****parse ISAKMP Proposal Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 40
> | proposal number: 0
> | protocol ID: PROTO_IPSEC_ESP
> | SPI size: 4
> | number of transforms: 1
> | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
> | SPI c4 51 8a 7d
> | *****parse ISAKMP Transform Payload (ESP):
> | next payload type: ISAKMP_NEXT_NONE
> | length: 28
> | transform number: 0
> | transform ID: AES_CBC
> | ******parse ISAKMP IPsec DOI attribute:
> | af+type: ENCAPSULATION_MODE
> | length/value: 1
> | [1 is ENCAPSULATION_MODE_TUNNEL]
> | ******parse ISAKMP IPsec DOI attribute:
> | af+type: SA_LIFE_TYPE
> | length/value: 1
> | [1 is SA_LIFE_TYPE_SECONDS]
> | ******parse ISAKMP IPsec DOI attribute:
> | af+type: SA_LIFE_DURATION
> | length/value: 3600
> | ******parse ISAKMP IPsec DOI attribute:
> | af+type: AUTH_ALGORITHM
> | length/value: 2
> | [2 is HMAC_SHA1]
> | ******parse ISAKMP IPsec DOI attribute:
> | af+type: KEY_LENGTH
> | length/value: 128
> | kernel_alg_esp_enc_ok(12,128): alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
> | ****emit IPsec DOI SIT:
> | IPsec DOI SIT: SIT_IDENTITY_ONLY
> | ****emit ISAKMP Proposal Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | proposal number: 0
> | protocol ID: PROTO_IPSEC_ESP
> | SPI size: 4
> | number of transforms: 1
> | getting SPI for reqid {16388}
> | sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0xbfcb9790
> | got SPI c940edca for reqid {16388}
> | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
> | SPI c9 40 ed ca
> | *****emit ISAKMP Transform Payload (ESP):
> | next payload type: ISAKMP_NEXT_NONE
> | transform number: 0
> | transform ID: AES_CBC
> | emitting 20 raw bytes of attributes into ISAKMP Transform Payload (ESP)
> | attributes 80 04 00 01 80 01 00 01 80 02 0e 10 80 05 00 02
> | 80 06 00 80
> | emitting length of ISAKMP Transform Payload (ESP): 28
> | emitting length of ISAKMP Proposal Payload: 40
> | emitting length of ISAKMP Security Association Payload: 52
> "mycnew1" #2: responding to Quick Mode
> | ***emit ISAKMP Nonce Payload:
> | next payload type: ISAKMP_NEXT_ID
> | emitting 16 raw bytes of Nr into ISAKMP Nonce Payload
> | Nr 0b 87 df 44 34 6e 38 ea 8d ee fb fb bb 41 60 85
> | emitting length of ISAKMP Nonce Payload: 20
> | emitting 16 raw bytes of IDci into ISAKMP Message
> | IDci 05 00 00 10 04 00 00 00 32 00 01 00 ff ff ff 00
> | emitting 16 raw bytes of IDcr into ISAKMP Message
> | IDcr 00 00 00 10 04 00 00 00 3c 00 01 00 ff ff ff 00
> | HASH(2) computed:
> | 0a fc ac 49 11 a3 83 a6 f4 cf 84 80 7b 7b 1e 63
> | 8b 55 13 07
> | kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16
> | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
> | KEYMAT computed:
> | 95 8e 61 58 03 13 c8 42 9d cb 11 dc 57 25 67 ee
> | d4 1d e3 c7 02 ea cf 07 ca ed 81 e5 b3 b1 70 0d
> | 92 db e2 d3
> | route owner of "mycnew1" prospective erouted: self
> | install_inbound_ipsec_sa() checking if we can route
> | route owner of "mycnew1" prospective erouted: self; eroute owner: self
> | kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3
> | adding SAD entry with SPI c940edca and reqid {16388}
> | using encryption algorithm AES_CBC with key size 128
> | using integrity algorithm HMAC_SHA1_96 with key size 160
> | sending XFRM_MSG_UPDSA: => 420 bytes @ 0xbfcb9698
> | encrypting:
> | 01 00 00 18 0a fc ac 49 11 a3 83 a6 f4 cf 84 80
> | 7b 7b 1e 63 8b 55 13 07 0a 00 00 34 00 00 00 01
> | 00 00 00 01 00 00 00 28 00 03 04 01 c9 40 ed ca
> | 00 00 00 1c 00 0c 00 00 80 04 00 01 80 01 00 01
> | 80 02 0e 10 80 05 00 02 80 06 00 80 05 00 00 14
> | 0b 87 df 44 34 6e 38 ea 8d ee fb fb bb 41 60 85
> | 05 00 00 10 04 00 00 00 32 00 01 00 ff ff ff 00
> | 00 00 00 10 04 00 00 00 3c 00 01 00 ff ff ff 00
> | encrypting using AES_CBC
> | next IV: b8 70 93 5c 89 2b 43 24 b5 03 dd cb 89 65 4d 5b
> | emitting length of ISAKMP Message: 156
> | sending 156 bytes for STATE_QUICK_R0 through ncpeth12:1 to 10.0.0.1:500:
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 08 10 20 01 94 34 e5 61 00 00 00 9c fa 94 9b 36
> | c4 3a 53 06 4c 9d 88 a5 ac b8 ac ec 1c 65 be 15
> | 5e 1e b4 29 f2 e7 16 70 16 f0 b9 b7 25 5a 73 27
> | 83 e9 c8 64 30 91 ab 4a 04 13 94 43 3c b3 cc 8f
> | 77 e8 22 cd 86 87 5d 5a 79 05 19 cc 6b 4e 59 1d
> | 72 ce ef b0 1a c6 dc 16 e0 74 77 5d bb 56 94 93
> | b0 6a 50 a9 9c 4c ca 77 00 b1 91 ca ad e5 94 10
> | 7e 7d a7 3f 70 66 82 5f a9 82 bb 83 b8 70 93 5c
> | 89 2b 43 24 b5 03 dd cb 89 65 4d 5b
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
> | next event EVENT_RETRANSMIT in 10 seconds for #2
> |
> | *received 60 bytes from 10.0.0.1:500 on ncpeth12:1
> | 14 0a c2 61 e7 ef 8f e1 0d a0 6f 55 e8 a4 68 e3
> | 08 10 20 01 94 34 e5 61 00 00 00 3c 3e cb 11 6c
> | 8f ff 0c ae f5 a8 72 7f d4 b1 a7 a5 f6 cd 49 e0
> | 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec
> | **parse ISAKMP Message:
> | initiator cookie:
> | 14 0a c2 61 e7 ef 8f e1
> | responder cookie:
> | 0d a0 6f 55 e8 a4 68 e3
> | next payload type: ISAKMP_NEXT_HASH
> | ISAKMP version: ISAKMP Version 1.0
> | exchange type: ISAKMP_XCHG_QUICK
> | flags: ISAKMP_FLAG_ENCRYPTION
> | message ID: 94 34 e5 61
> | length: 60
> | ICOOKIE: 14 0a c2 61 e7 ef 8f e1
> | RCOOKIE: 0d a0 6f 55 e8 a4 68 e3
> | peer: 0a 00 00 01
> | state hash entry 2
> | state object #2 found, in STATE_QUICK_R1
> | received encrypted packet from 10.0.0.1:500
> | decrypting 32 bytes using algorithm AES_CBC
> | decrypted:
> | 00 00 00 18 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb
> | 30 43 00 fd 11 54 dc f3 00 00 00 00 00 00 00 00
> | next IV: f6 cd 49 e0 6c cd e8 e5 5f 2d 1e 25 44 6c 95 ec
> | ***parse ISAKMP Hash Payload:
> | next payload type: ISAKMP_NEXT_NONE
> | length: 24
> | removing 8 bytes of padding
> | HASH(3) computed: 30 2b bc 22 5c 1d 86 9c 1c 79 22 bb 30 43 00 fd
> | 11 54 dc f3
> | kernel_alg_esp_enc_keylen(): alg_id=12, keylen=16
> | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
> | Peer KEYMAT computed:
> | 18 91 d7 31 0f 10 85 63 3b 36 b7 0f ce 2b 65 19
> | 71 7c 2f bb 38 56 b6 40 af 37 76 a6 4d 6f dc de
> | 0e ce ac d9
> | install_ipsec_sa() for #2: outbound only
> | route owner of "mycnew1" prospective erouted: self; eroute owner: self
> | kernel_alg_esp_info():transid=12, auth=2, ei=0x1008a054, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3
> | adding SAD entry with SPI c4518a7d and reqid {16388}
> | using encryption algorithm AES_CBC with key size 128
> | using integrity algorithm HMAC_SHA1_96 with key size 160
> | sending XFRM_MSG_NEWSA: => 420 bytes @ 0xbfcb9fa8
> | sr for #2: prospective erouted
> | route owner of "mycnew1" prospective erouted: self; eroute owner: self
> | route_and_eroute with c: mycnew1 (next: none) ero:mycnew1 esr:{(nil)}
> ro:mycnew1 rosr:{(nil)} and state: 2
> | eroute_connection replace eroute 50.0.1.0/24:0 -> 60.0.1.0/24:0 => tun.0@70.0.0.1:0
> | deleting policy 50.0.1.0/24 === 60.0.1.0/24 in
> deleting policy 50.0.1.0/24 === 60.0.1.0/24 in failed, not found
> "mycnew1" #2: ************ Time taken for del policy 0 sec:77 usec
> | adding policy 50.0.1.0/24 === 60.0.1.0/24 in
> | sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
> "mycnew1" #2: ************ Time taken for add policy 0 sec:252 usec
> | deleting policy 50.0.1.0/24 === 60.0.1.0/24 fwd
> deleting policy 50.0.1.0/24 === 60.0.1.0/24 fwd failed, not found
> "mycnew1" #2: ************ Time taken for del policy 0 sec:66 usec
> | adding policy 50.0.1.0/24 === 60.0.1.0/24 fwd
> | sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
> "mycnew1" #2: ************ Time taken for add policy 0 sec:1267 usec
> | eroute_connection replace eroute 60.0.1.0/24:0 -> 50.0.1.0/24:0 => tun.0@10.0.0.1:0
> | deleting policy 60.0.1.0/24 === 50.0.1.0/24 out
> | sending XFRM_MSG_DELPOLICY: => 80 bytes @ 0xbfcb9d58
> "mycnew1" #2: ************ Time taken for del policy 0 sec:1015 usec
> | adding policy 60.0.1.0/24 === 50.0.1.0/24 out
> | sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xbfcb9d18
> "mycnew1" #2: ************ Time taken for add policy 0 sec:1839 usec
> "mycnew1" #2: Time taken in route_and_eroute (firewall)0 sec:4764 usec
> | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client'
> PLUTO_CONNECTION='mycnew1' PLUTO_NEXT_HOP='10.0.0.1'
> PLUTO_INTERFACE='ncpeth12:1' PLUTO_REQID='16388' PLUTO_ME='70.0.0.1'
> PLUTO_MY_ID='70.0.0.1' PLUTO_MY_CLIENT='60.0.1.0/24' PLUTO_MY_CLIENT_NET='60.0.1.0'
> PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0'
> PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.0.0.1' PLUTO_PEER_ID='10.0.0.1'
> PLUTO_PEER_CLIENT='50.0.1.0/24'
> PLUTO_PEER_CLIENT_NET='50.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
> PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown
> | route_and_eroute: firewall_notified: true
> | route_and_eroute: instance "mycnew1", setting eroute_owner
> {spd=0x100af720,sr=0x100af720} to #2 (was #0) (newest_ipsec_sa=#0)
> "mycnew1" #2: Time taken in route_and_eroute 0 sec:85145 usec
> | inI2: instance mycnew1[0], setting newest_ipsec_sa to #2 (was #0)
> (spd.eroute=#2)
> | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2
> "mycnew1" #2: IPsec SA established {ESP=>0xc4518a7d <0xc940edca}
> | next event EVENT_SA_REPLACE in 3330 seconds for #2
>
> Thanks and Regards,
> Amit Tamboli

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
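
Added example (not part of the original thread and not strongSwan code): a small parser for the custom "Time taken" lines in the quoted responder log, which splits the route_and_eroute time into kernel policy operations and the remainder after the "(firewall)" checkpoint. Treating that remainder as the cost of the up-client (ipsec _updown) call is an assumption based on the order of the log lines; the function name and the sample text are constructed here from the timing lines quoted above.

```python
import re

# Timing lines copied from the quoted log (the poster's own instrumentation).
SAMPLE_LOG = '''\
"mycnew1" #2: ************ Time taken for del policy 0 sec:77 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:252 usec
"mycnew1" #2: ************ Time taken for del policy 0 sec:66 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:1267 usec
"mycnew1" #2: ************ Time taken for del policy 0 sec:1015 usec
"mycnew1" #2: ************ Time taken for add policy 0 sec:1839 usec
"mycnew1" #2: Time taken in route_and_eroute (firewall)0 sec:4764 usec
"mycnew1" #2: Time taken in route_and_eroute 0 sec:85145 usec
'''

# Accepts the lines with or without a leading mail quote marker ("> ").
TIMING = re.compile(
    r'^(?:>\s*)?"(?P<conn>[^"]+)" #(?P<state>\d+): \**\s*Time taken '
    r'(?P<what>for (?:add|del) policy|in route_and_eroute(?: \(firewall\))?)\s*'
    r'(?P<sec>\d+) sec:(?P<usec>\d+) usec\s*$')


def breakdown(log_text):
    """Map (connection, state number) -> timing summary in microseconds."""
    out = {}
    for line in log_text.splitlines():
        m = TIMING.match(line.strip())
        if not m:
            continue  # ordinary pluto debug output
        usec = int(m['sec']) * 1_000_000 + int(m['usec'])
        st = out.setdefault((m['conn'], int(m['state'])),
                            {'policy_usec': 0, 'policy_ops': 0})
        what = m['what']
        if what.startswith('for'):
            st['policy_usec'] += usec
            st['policy_ops'] += 1
        elif what.endswith('(firewall)'):
            st['pre_updown_usec'] = usec   # checkpoint before up-client runs
        else:
            st['total_usec'] = usec        # whole route_and_eroute call
    for st in out.values():
        if 'total_usec' in st and 'pre_updown_usec' in st:
            # Assumption: everything after the checkpoint is the updown call.
            st['updown_usec'] = st['total_usec'] - st['pre_updown_usec']
            st['updown_share'] = st['updown_usec'] / st['total_usec']
    return out


if __name__ == '__main__':
    for key, st in breakdown(SAMPLE_LOG).items():
        print(key, st)
```
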



