[strongSwan] xauth & rekeying issue with charon 5.0.2 and pluto 4.6

richter at ecos.de richter at ecos.de
Mon Nov 12 15:17:55 CET 2012


Hi,

I have a rekeying issue for a connection that is set up with main mode, software certificate authentication and xauth secondary authentication.

Pluto 4.6 acts as server and Charon 5.0.2 as client.

I have set the ikelifetime to 5m, so it's a little faster to debug.

While pluto completes the rekeying, Charon gets stuck halfway (see the logs below).

Any ideas what's wrong?

Thanks & Regards

Gerald




Nov 12 14:56:55 ThinClient charon: 05[IKE] initiating Main Mode IKE_SA Ipsec zu bb53[6] to 10.11.11.53 
Nov 12 14:56:55 ThinClient charon: 05[CFG] nm ike_state_change, my sa = yes, state = 1 
Nov 12 14:56:55 ThinClient charon: 05[ENC] generating ID_PROT request 0 [ SA V V V V ] 
Nov 12 14:56:55 ThinClient charon: 05[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 03[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 03[ENC] parsed ID_PROT response 0 [ SA V V V V V ] 
Nov 12 14:56:56 ThinClient charon: 03[IKE] received strongSwan vendor ID 
Nov 12 14:56:56 ThinClient charon: 03[IKE] received Cisco Unity vendor ID 
Nov 12 14:56:56 ThinClient charon: 03[IKE] received XAuth vendor ID 
Nov 12 14:56:56 ThinClient charon: 03[IKE] received DPD vendor ID 
Nov 12 14:56:56 ThinClient charon: 03[IKE] received NAT-T (RFC 3947) vendor ID 
Nov 12 14:56:56 ThinClient charon: 03[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 
Nov 12 14:56:56 ThinClient charon: 03[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 14[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 14[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ] 
Nov 12 14:56:56 ThinClient charon: 14[IKE] ignoring certificate request without data 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "E=camaster at mvnet.de, C=DE, ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=PCA2006" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE, O=DVZ M-V GmbH, CN=CA102008" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE, O=DATEV eG, CN=CA DATEV INT 01" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE, O=Zertifizierungsstelle E:Secure, CN=CA E:SECURE 6" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "DC=de, DC=demo, OU=Zertifikate, OU=SSLVPN Demo, CN=CA ECOS Demo" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE, ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=CA052006, E=camaster at mvnet.de" 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "DC=test, DC=testuml, OU=Zertifikate, CN=ca test" 
Nov 12 14:56:56 ThinClient charon: 14[CFG] get_private_by_cert  public = 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64 
Nov 12 14:56:56 ThinClient charon: 14[CFG] private_key_has_fingerprint  FALSE current = 06:66:14:4a:a6:db:d1:12:df:f5:2f:9b:a5:26:e1:28:92:ee:fb:00  fingerpr
Nov 12 14:56:56 ThinClient charon: 14[CFG] private_key_has_fingerprint  TRUE current = 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64  fingerpri
Nov 12 14:56:56 ThinClient charon: 14[IKE] authentication of 'DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert' (myself) successful 
Nov 12 14:56:56 ThinClient charon: 14[IKE] sending end entity cert "DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert" 
Nov 12 14:56:56 ThinClient charon: 14[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ ] 
Nov 12 14:56:56 ThinClient charon: 14[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 02[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 02[ENC] parsed ID_PROT response 0 [ ID CERT SIG ] 
Nov 12 14:56:56 ThinClient charon: 02[IKE] received end entity cert "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:56:56 ThinClient charon: 02[CFG]   using certificate "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:56:56 ThinClient charon: 02[CFG]   using trusted ca certificate "DC=test, DC=testuml, OU=Zertifikate, CN=ca test" 
Nov 12 14:56:56 ThinClient charon: 02[CFG] checking certificate status of "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:56:56 ThinClient charon: 02[CFG] certificate status is not available 
Nov 12 14:56:56 ThinClient charon: 02[CFG]   reached self-signed root ca with a path length of 0 
Nov 12 14:56:56 ThinClient charon: 02[IKE] authentication of 'DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert' with RSA successful 
Nov 12 14:56:56 ThinClient charon: 01[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 01[ENC] parsed TRANSACTION request 1488310923 [ HASH CP ] 
Nov 12 14:56:56 ThinClient charon: 01[ENC] generating TRANSACTION response 1488310923 [ HASH CP ] 
Nov 12 14:56:56 ThinClient charon: 01[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 13[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 13[ENC] parsed TRANSACTION request 2053778663 [ HASH CP ]
Nov 12 14:56:56 ThinClient charon: 13[IKE] XAuth authentication of 'richter3' (myself) successful 
Nov 12 14:56:56 ThinClient charon: 13[IKE] IKE_SA Ipsec zu bb53[6] established between 10.14.11.213[DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=i
Nov 12 14:56:56 ThinClient charon: 13[IKE] scheduling reauthentication in 92s 
Nov 12 14:56:56 ThinClient charon: 13[IKE] maximum IKE_SA lifetime 212s 
Nov 12 14:56:56 ThinClient charon: 13[CFG] nm ike_state_change, my sa = yes, state = 2 
Nov 12 14:56:56 ThinClient charon: 13[ENC] generating TRANSACTION response 2053778663 [ HASH CP ] 
Nov 12 14:56:56 ThinClient charon: 13[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 13[ENC] generating TRANSACTION request 2528279185 [ HASH CP ] 
Nov 12 14:56:56 ThinClient charon: 13[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:56 ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:56 ThinClient charon: 16[ENC] parsed TRANSACTION response 2528279185 [ HASH CP ] 
Nov 12 14:56:56 ThinClient charon: 16[IKE] installing DNS server 10.11.12.1 via resolvconf 
Nov 12 14:56:56 ThinClient charon: 16[IKE] installing new virtual IP 10.11.99.2 
Nov 12 14:56:57 ThinClient charon: 16[ENC] generating QUICK_MODE request 457155588 [ HASH SA No KE ID ID ] 
Nov 12 14:56:57 ThinClient charon: 16[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:56:57 ThinClient charon: 15[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:56:57 ThinClient charon: 15[ENC] parsed QUICK_MODE response 457155588 [ HASH SA No KE ID ID ] 
Nov 12 14:56:57 ThinClient charon: 15[CFG] nm child_state_change, my sa = yes, state = 2 
Nov 12 14:56:57 ThinClient charon: 15[CFG] nm child_state_change, my sa = yes, state = 3 
Nov 12 14:56:57 ThinClient charon: 15[IKE] CHILD_SA Ipsec zu bb53{4} established with SPIs c270d929_i cb7c8081_o and TS 10.11.99.2/32 === 10.11.99.0/24  
Nov 12 14:56:57 ThinClient charon: 15[CFG] nm child_updown, my sa = yes, up 
Nov 12 14:56:57 ThinClient charon: 15[ENC] generating QUICK_MODE request 457155588 [ HASH ] 
Nov 12 14:56:57 ThinClient charon: 15[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:57:03 ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:57:03 ThinClient charon: 16[ENC] parsed INFORMATIONAL_V1 request 1177115487 [ HASH N(DPD) ] 
Nov 12 14:57:03 ThinClient charon: 16[ENC] generating INFORMATIONAL_V1 request 3644654542 [ HASH N(DPD_ACK) ] 
Nov 12 14:57:03 ThinClient charon: 16[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:57:13 ThinClient charon: 03[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:57:13 ThinClient charon: 03[ENC] parsed INFORMATIONAL_V1 request 2464019944 [ HASH N(DPD) ] 
Nov 12 14:57:13 ThinClient charon: 03[ENC] generating INFORMATIONAL_V1 request 3422220081 [ HASH N(DPD_ACK) ] 
Nov 12 14:57:13 ThinClient charon: 03[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:57:23 ThinClient charon: 13[IKE] sending DPD request 
Nov 12 14:57:23 ThinClient charon: 13[ENC] generating INFORMATIONAL_V1 request 53821446 [ HASH N(DPD) ]
....
Nov 12 14:58:28 ThinClient charon: 16[IKE] reauthenticating IKE_SA Ipsec zu bb53[6] 
Nov 12 14:58:28 ThinClient charon: 16[IKE] installing new virtual IP 10.11.99.2 
Nov 12 14:58:28 ThinClient charon: 16[IKE] initiating Main Mode IKE_SA Ipsec zu bb53[7] to 10.11.11.53 
Nov 12 14:58:28 ThinClient charon: 16[ENC] generating ID_PROT request 0 [ SA V V V V ] 
Nov 12 14:58:28 ThinClient charon: 16[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:58:28 ThinClient charon: 15[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:28 ThinClient charon: 15[ENC] parsed ID_PROT response 0 [ SA V V V V V ] 
Nov 12 14:58:28 ThinClient charon: 15[IKE] received strongSwan vendor ID 
Nov 12 14:58:28 ThinClient charon: 15[IKE] received Cisco Unity vendor ID 
Nov 12 14:58:28 ThinClient charon: 15[IKE] received XAuth vendor ID 
Nov 12 14:58:28 ThinClient charon: 15[IKE] received DPD vendor ID 
Nov 12 14:58:28 ThinClient charon: 15[IKE] received NAT-T (RFC 3947) vendor ID 
Nov 12 14:58:28 ThinClient charon: 15[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ] 
Nov 12 14:58:28 ThinClient charon: 15[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:58:29 ThinClient charon: 03[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:29 ThinClient charon: 03[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ] 
Nov 12 14:58:29 ThinClient charon: 03[IKE] ignoring certificate request without data 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "E=camaster at mvnet.de, C=DE, ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=PCA2006" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE, O=DVZ M-V GmbH, CN=CA102008" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE, O=DATEV eG, CN=CA DATEV INT 01" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE, O=Zertifizierungsstelle E:Secure, CN=CA E:SECURE 6" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "DC=de, DC=demo, OU=Zertifikate, OU=SSLVPN Demo, CN=CA ECOS Demo" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE, ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=CA052006, E=camaster at mvnet.de" 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "DC=test, DC=testuml, OU=Zertifikate, CN=ca test" 
Nov 12 14:58:29 ThinClient charon: 03[CFG] get_private_by_cert  public = 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64 
Nov 12 14:58:29 ThinClient charon: 03[CFG] private_key_has_fingerprint  FALSE current = 06:66:14:4a:a6:db:d1:12:df:f5:2f:9b:a5:26:e1:28:92:ee:fb:00  fingerpr
Nov 12 14:58:29 ThinClient charon: 03[CFG] private_key_has_fingerprint  TRUE current = 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64  fingerpri
Nov 12 14:58:29 ThinClient charon: 03[IKE] authentication of 'DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert' (myself) successful 
Nov 12 14:58:29 ThinClient charon: 03[IKE] sending end entity cert "DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert" 
Nov 12 14:58:29 ThinClient charon: 03[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ ] 
Nov 12 14:58:29 ThinClient charon: 03[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] 
Nov 12 14:58:29 ThinClient charon: 14[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:29 ThinClient charon: 14[ENC] parsed ID_PROT response 0 [ ID CERT SIG ] 
Nov 12 14:58:29 ThinClient charon: 14[IKE] received end entity cert "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:58:29 ThinClient charon: 14[CFG]   using certificate "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:58:29 ThinClient charon: 14[CFG]   using trusted ca certificate "DC=test, DC=testuml, OU=Zertifikate, CN=ca test" 
Nov 12 14:58:29 ThinClient charon: 14[CFG] checking certificate status of "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert" 
Nov 12 14:58:29 ThinClient charon: 14[CFG] certificate status is not available 
Nov 12 14:58:29 ThinClient charon: 14[CFG]   reached self-signed root ca with a path length of 0 
Nov 12 14:58:29 ThinClient charon: 14[IKE] authentication of 'DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert' with RSA successful 
Nov 12 14:58:33 ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:33 ThinClient charon: 16[ENC] parsed INFORMATIONAL_V1 request 606203659 [ HASH N(DPD) ] 
Nov 12 14:58:33 ThinClient charon: 03[IKE] sending DPD request 
Nov 12 14:58:43 ThinClient charon: 14[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:43 ThinClient charon: 14[ENC] parsed INFORMATIONAL_V1 request 4185063012 [ HASH N(DPD) ] 
Nov 12 14:58:43 ThinClient charon: 01[IKE] sending DPD request 
Nov 12 14:58:53 ThinClient charon: 03[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:58:53 ThinClient charon: 03[ENC] parsed INFORMATIONAL_V1 request 3679076023 [ HASH N(DPD) ] 
Nov 12 14:58:53 ThinClient charon: 02[IKE] sending DPD request 
Nov 12 14:59:03 ThinClient charon: 01[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:59:03 ThinClient charon: 01[ENC] parsed INFORMATIONAL_V1 request 2810910974 [ HASH N(DPD) ] 
Nov 12 14:59:03 ThinClient charon: 13[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:59:03 ThinClient charon: 13[ENC] parsed INFORMATIONAL_V1 request 2419136272 [ HASH D ]
Nov 12 14:59:03 ThinClient charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI cb7c8081 
Nov 12 14:59:03 ThinClient charon: 13[IKE] closing CHILD_SA Ipsec zu bb53{4} with SPIs c270d929_i (0 bytes) cb7c8081_o (0 bytes) and TS 10.11.99.2/32 === 10.
Nov 12 14:59:03 ThinClient charon: 15[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:59:03 ThinClient charon: 13[CFG] nm child_updown, my sa = no, down 
Nov 12 14:59:03 ThinClient charon: 15[ENC] parsed INFORMATIONAL_V1 request 620663622 [ HASH D ] 
Nov 12 14:59:03 ThinClient charon: 15[IKE] received DELETE for IKE_SA Ipsec zu bb53[6] 
Nov 12 14:59:03 ThinClient charon: 15[IKE] deleting IKE_SA Ipsec zu bb53[6] between 10.14.11.213[DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipse
Nov 12 14:59:03 ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] 
Nov 12 14:59:03 ThinClient charon: 16[ENC] parsed INFORMATIONAL_V1 request 2443116413 [ HASH D ] 
Nov 12 14:59:03 ThinClient charon: 16[IKE] received DELETE for IKE_SA Ipsec zu bb53[7] 
Nov 12 14:59:03 ThinClient charon: 16[IKE] deleting IKE_SA Ipsec zu bb53[7] between 10.14.11.213[DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipse




Nov 12 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [strongSwan]
Nov 12 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [XAUTH]
Nov 12 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [RFC 3947]
Nov 12 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [Dead Peer Detection]
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: responding to Main Mode from unknown peer 10.14.11.213:472
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: NAT-Traversal: Result using RFC 3947: no NAT detected
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: Peer ID is ID_DER_ASN1_DN: 'DC=test, DC=testuml, OU=Benutz
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: crl not found
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: certificate status unknown
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: we have a cert and are sending it 
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent MR3, ISAKMP SA established
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending XAUTH request
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: parsing XAUTH reply
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: get_xauth_secret user=richter3 server=DC=test, DC=testuml,
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: extended authentication was successful
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending XAUTH status
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: parsing XAUTH ack
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: received XAUTH ack, established
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: parsing ModeCfg request
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: peer requested virtual IP %any
Nov 12 14:57:03 bb53 pluto[5852]: reassigning offline lease to 'richter3' 
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: assigning virtual IP 10.11.99.2 to peer
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending ModeCfg reply
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent ModeCfg reply, established
Nov 12 14:57:04 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: responding to Quick Mode
Nov 12 14:57:04 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: Dead Peer Detection (RFC 3706) enabled
Nov 12 14:57:04 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: IPsec SA established {ESP=>0xc270d929 <0xcb7c8081}
Nov 12 14:58:35 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [strongSwan]
Nov 12 14:58:35 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [XAUTH]
Nov 12 14:58:35 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [RFC 3947]
Nov 12 14:58:35 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload [Dead Peer Detection]
Nov 12 14:58:35 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: responding to Main Mode from unknown peer 10.14.11.213:47
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: NAT-Traversal: Result using RFC 3947: no NAT detected
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: Peer ID is ID_DER_ASN1_DN: 'DC=test, DC=testuml, OU=Benut
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: crl not found
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: certificate status unknown
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: we have a cert and are sending it 
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: sent MR3, ISAKMP SA established
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: DPD: No response from peer - declaring peer dead
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: DPD: Terminating all SAs using this connection
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert" #10: deleting state (STATE_QUICK_R2)
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert" #11: deleting state (STATE_MAIN_R3)
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert" #9: deleting state (STATE_MODE_CFG_R1)
Nov 12 14:59:10 bb53 pluto[5852]: DPD: Clearing connection "v_ipsec_xauth_server_cert__ipseccert"
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202: deleting connection "v_ipsec_xauth_server_cert__ipseccert" in
Nov 12 14:59:10 bb53 pluto[5852]: lease 10.11.99.2 by 'richter3' went offline
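
The difference between the two Main Mode exchanges in the pluto log above can be extracted mechanically. The following is an added example, not part of the original post: it tracks which milestones each pluto state (`#N`) logs and reports states that finished Main Mode but never logged an XAUTH request. The function names and the milestone list are assumptions made for this example; the sample lines are excerpted from the log above.

```python
import re

# Lines excerpted from the pluto log in the post above.
PLUTO_LOG = """\
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent MR3, ISAKMP SA established
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending XAUTH request
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: extended authentication was successful
Nov 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent ModeCfg reply, established
Nov 12 14:57:04 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: responding to Quick Mode
Nov 12 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: sent MR3, ISAKMP SA established
Nov 12 14:59:10 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: DPD: No response from peer - declaring peer dead
"""

# Message prefix -> milestone name (names are this example's own), in the
# order the first, working exchange (#9) logs them.
MILESTONES = [
    ("sent MR3, ISAKMP SA established", "main_mode"),
    ("sending XAUTH request", "xauth_request"),
    ("extended authentication was successful", "xauth_ok"),
    ("sent ModeCfg reply, established", "modecfg"),
]

# Matches both '"conn"[3] 10.14.11.213:47202 #9: msg' and '"conn" #9: msg'.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<state>\d+): (?P<msg>.*)$'
)


def track_states(log_text):
    """Return {state number: {"seen": [milestones], "last": last message}}."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a state number ("packet from ...") carry no milestone
        entry = states.setdefault(int(m["state"]), {"seen": [], "last": ""})
        entry["last"] = m["msg"].strip()
        for prefix, name in MILESTONES:
            if m["msg"].startswith(prefix) and name not in entry["seen"]:
                entry["seen"].append(name)
    return states


def stalled_before_xauth(states):
    """States that completed Main Mode but never logged an XAUTH request."""
    return sorted(
        number
        for number, entry in states.items()
        if "main_mode" in entry["seen"] and "xauth_request" not in entry["seen"]
    )


if __name__ == "__main__":
    tracked = track_states(PLUTO_LOG)
    for number in stalled_before_xauth(tracked):
        print(f"state #{number}: no XAUTH request logged; last message: {tracked[number]['last']}")
```
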





