[strongSwan] xauth & rekeying issue with charon 5.0.2 and pluto 4.6

richter at ecos.de richter at ecos.de
Tue Nov 13 09:08:12 CET 2012


Hi,

I have done some further testing and configured a connection without xauth (only certificate authentication).

When a rekeying is initiated from the server (pluto), the client (charon) seems to handle this as a new connection instead of as a rekeying. I get the following message:

deleting duplicate IKE_SA for peer 'DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert' due to uniqueness policy

From my understanding this should not happen during an IKE rekey?

If I add "uniqueids = no" to the ipsec.conf, it works, but this was never necessary in the past.

Also, I don't think this is the correct fix.

I have a similar issue with Charon connecting to a Cisco ASA.

All connections using IKEv1.

How does Charon distinguish between a new connection and a rekeying that is initiated by the other side?

Gerald


> -----Original Message-----
> From: users-bounces+richter=ecos.de at lists.strongswan.org [mailto:users-
> bounces+richter=ecos.de at lists.strongswan.org] On Behalf Of Gerald Richter
> - ECOS
> Sent: Monday, November 12, 2012 3:18 PM
> To: users at lists.strongswan.org
> Subject: [strongSwan] xauth & rekeying issue with charon 5.0.2 and pluto 4.6
> 
> Hi,
> 
> I have a rekeying issue for a connection that is set up with main mode,
> software certificate authentication and xauth secondary authentication.
> 
> Pluto 4.6 acts as server and Charon 5.0.2 as client.
> 
> I have set the ikelifetime to 5m, so it's a little faster to debug.
> 
> While pluto completes the rekeying, Charon gets stuck halfway (see the logs
> below).
> 
> Any ideas what's wrong?
> 
> Thanks & Regards
> 
> Gerald
> 
> 
> 
> 
> Nov 12 14:56:55 ThinClient charon: 05[IKE] initiating Main Mode IKE_SA Ipsec
> zu bb53[6] to 10.11.11.53 Nov 12 14:56:55 ThinClient charon: 05[CFG] nm
> ike_state_change, my sa = yes, state = 1 Nov 12 14:56:55 ThinClient charon:
> 05[ENC] generating ID_PROT request 0 [ SA V V V V ] Nov 12 14:56:55
> ThinClient charon: 05[NET] sending packet: from 10.14.11.213[47202] to
> 10.11.11.53[500] Nov 12 14:56:56 ThinClient charon: 03[NET] received packet:
> from 10.11.11.53[500] to 10.14.11.213[47202] Nov 12 14:56:56 ThinClient
> charon: 03[ENC] parsed ID_PROT response 0 [ SA V V V V V ] Nov 12 14:56:56
> ThinClient charon: 03[IKE] received strongSwan vendor ID Nov 12 14:56:56
> ThinClient charon: 03[IKE] received Cisco Unity vendor ID Nov 12 14:56:56
> ThinClient charon: 03[IKE] received XAuth vendor ID Nov 12 14:56:56
> ThinClient charon: 03[IKE] received DPD vendor ID Nov 12 14:56:56 ThinClient
> charon: 03[IKE] received NAT-T (RFC 3947) vendor ID Nov 12 14:56:56
> ThinClient charon: 03[ENC] generating ID_PROT request 0 [ KE No NAT-D
> NAT-D ] Nov 12 14:56:56 ThinClient charon: 03[NET] sending packet: from
> 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:56:56 ThinClient charon:
> 14[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov
> 12 14:56:56 ThinClient charon: 14[ENC] parsed ID_PROT response 0 [ KE No
> CERTREQ NAT-D NAT-D ] Nov 12 14:56:56 ThinClient charon: 14[IKE] ignoring
> certificate request without data Nov 12 14:56:56 ThinClient charon: 14[IKE]
> sending cert request for "E=camaster at mvnet.de, C=DE, ST=M-V,
> L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=PCA2006"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE,
> O=DVZ M-V GmbH, CN=CA102008"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE,
> O=DATEV eG, CN=CA DATEV INT 01"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE,
> O=Zertifizierungsstelle E:Secure, CN=CA E:SECURE 6"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "DC=de,
> DC=demo, OU=Zertifikate, OU=SSLVPN Demo, CN=CA ECOS Demo"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "C=DE,
> ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=CA052006,
> E=camaster at mvnet.de"
> Nov 12 14:56:56 ThinClient charon: 14[IKE] sending cert request for "DC=test,
> DC=testuml, OU=Zertifikate, CN=ca test"
> Nov 12 14:56:56 ThinClient charon: 14[CFG] get_private_by_cert  public =
> 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64
> Nov 12 14:56:56 ThinClient charon: 14[CFG] private_key_has_fingerprint
> FALSE current = 06:66:14:4a:a6:db:d1:12:df:f5:2f:9b:a5:26:e1:28:92:ee:fb:00
> fingerpr Nov 12 14:56:56 ThinClient charon: 14[CFG]
> private_key_has_fingerprint  TRUE current =
> 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64  fingerpri Nov 12
> 14:56:56 ThinClient charon: 14[IKE] authentication of 'DC=test, DC=testuml,
> OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert' (myself) successful Nov 12
> 14:56:56 ThinClient charon: 14[IKE] sending end entity cert "DC=test,
> DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert"
> Nov 12 14:56:56 ThinClient charon: 14[ENC] generating ID_PROT request 0 [
> ID CERT SIG CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
> CERTREQ ] Nov 12 14:56:56 ThinClient charon: 14[NET] sending packet: from
> 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:56:56 ThinClient charon:
> 02[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov
> 12 14:56:56 ThinClient charon: 02[ENC] parsed ID_PROT response 0 [ ID CERT
> SIG ] Nov 12 14:56:56 ThinClient charon: 02[IKE] received end entity cert
> "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:56:56 ThinClient charon: 02[CFG]   using certificate "DC=test,
> DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:56:56 ThinClient charon: 02[CFG]   using trusted ca certificate
> "DC=test, DC=testuml, OU=Zertifikate, CN=ca test"
> Nov 12 14:56:56 ThinClient charon: 02[CFG] checking certificate status of
> "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:56:56 ThinClient charon: 02[CFG] certificate status is not available
> Nov 12 14:56:56 ThinClient charon: 02[CFG]   reached self-signed root ca with
> a path length of 0
> Nov 12 14:56:56 ThinClient charon: 02[IKE] authentication of 'DC=test,
> DC=testuml, OU=Zertifikate, CN=ipsec cert' with RSA successful Nov 12
> 14:56:56 ThinClient charon: 01[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:56:56 ThinClient charon: 01[ENC] parsed
> TRANSACTION request 1488310923 [ HASH CP ] Nov 12 14:56:56 ThinClient
> charon: 01[ENC] generating TRANSACTION response 1488310923 [ HASH CP ]
> Nov 12 14:56:56 ThinClient charon: 01[NET] sending packet: from
> 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:56:56 ThinClient charon:
> 13[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov
> 12 14:56:56 ThinClient charon: 13[ENC] parsed TRANSACTION request
> 2053778663 [ HASH CP ] ov 12 14:56:56 ThinClient charon: 13[IKE] XAuth
> authentication of 'richter3' (myself) successful Nov 12 14:56:56 ThinClient
> charon: 13[IKE] IKE_SA Ipsec zu bb53[6] established between
> 10.14.11.213[DC=test, DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=i
> Nov 12 14:56:56 ThinClient charon: 13[IKE] scheduling reauthentication in 92s
> Nov 12 14:56:56 ThinClient charon: 13[IKE] maximum IKE_SA lifetime 212s
> Nov 12 14:56:56 ThinClient charon: 13[CFG] nm ike_state_change, my sa =
> yes, state = 2 Nov 12 14:56:56 ThinClient charon: 13[ENC] generating
> TRANSACTION response 2053778663 [ HASH CP ] Nov 12 14:56:56 ThinClient
> charon: 13[NET] sending packet: from 10.14.11.213[47202] to 10.11.11.53[500]
> Nov 12 14:56:56 ThinClient charon: 13[ENC] generating TRANSACTION
> request 2528279185 [ HASH CP ] Nov 12 14:56:56 ThinClient charon: 13[NET]
> sending packet: from 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:56:56
> ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:56:56 ThinClient charon: 16[ENC] parsed
> TRANSACTION response 2528279185 [ HASH CP ] Nov 12 14:56:56 ThinClient
> charon: 16[IKE] installing DNS server 10.11.12.1 via resolvconf Nov 12 14:56:56
> ThinClient charon: 16[IKE] installing new virtual IP 10.11.99.2 Nov 12 14:56:57
> ThinClient charon: 16[ENC] generating QUICK_MODE request 457155588 [
> HASH SA No KE ID ID ] Nov 12 14:56:57 ThinClient charon: 16[NET] sending
> packet: from 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:56:57
> ThinClient charon: 15[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:56:57 ThinClient charon: 15[ENC] parsed
> QUICK_MODE response 457155588 [ HASH SA No KE ID ID ] Nov 12 14:56:57
> ThinClient charon: 15[CFG] nm child_state_change, my sa = yes, state = 2
> Nov 12 14:56:57 ThinClient charon: 15[CFG] nm child_state_change, my sa =
> yes, state = 3 Nov 12 14:56:57 ThinClient charon: 15[IKE] CHILD_SA Ipsec zu
> bb53{4} established with SPIs c270d929_i cb7c8081_o and TS 10.11.99.2/32
> === 10.11.99.0/24 Nov 12 14:56:57 ThinClient charon: 15[CFG] nm
> child_updown, my sa = yes, up Nov 12 14:56:57 ThinClient charon: 15[ENC]
> generating QUICK_MODE request 457155588 [ HASH ] Nov 12 14:56:57
> ThinClient charon: 15[NET] sending packet: from 10.14.11.213[47202] to
> 10.11.11.53[500] Nov 12 14:57:03 ThinClient charon: 16[NET] received packet:
> from 10.11.11.53[500] to 10.14.11.213[47202] Nov 12 14:57:03 ThinClient
> charon: 16[ENC] parsed INFORMATIONAL_V1 request 1177115487 [ HASH
> N(DPD) ] Nov 12 14:57:03 ThinClient charon: 16[ENC] generating
> INFORMATIONAL_V1 request 3644654542 [ HASH N(DPD_ACK) ] Nov 12
> 14:57:03 ThinClient charon: 16[NET] sending packet: from 10.14.11.213[47202]
> to 10.11.11.53[500] Nov 12 14:57:13 ThinClient charon: 03[NET] received
> packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov 12 14:57:13
> ThinClient charon: 03[ENC] parsed INFORMATIONAL_V1 request 2464019944
> [ HASH N(DPD) ] Nov 12 14:57:13 ThinClient charon: 03[ENC] generating
> INFORMATIONAL_V1 request 3422220081 [ HASH N(DPD_ACK) ] Nov 12
> 14:57:13 ThinClient charon: 03[NET] sending packet: from 10.14.11.213[47202]
> to 10.11.11.53[500] Nov 12 14:57:23 ThinClient charon: 13[IKE] sending DPD
> request Nov 12 14:57:23 ThinClient charon: 13[ENC] generating
> INFORMATIONAL_V1 request 53821446 [ HASH N(DPD) ] ....
> Nov 12 14:58:28 ThinClient charon: 16[IKE] reauthenticating IKE_SA Ipsec zu
> bb53[6] Nov 12 14:58:28 ThinClient charon: 16[IKE] installing new virtual IP
> 10.11.99.2 Nov 12 14:58:28 ThinClient charon: 16[IKE] initiating Main Mode
> IKE_SA Ipsec zu bb53[7] to 10.11.11.53 Nov 12 14:58:28 ThinClient charon:
> 16[ENC] generating ID_PROT request 0 [ SA V V V V ] Nov 12 14:58:28
> ThinClient charon: 16[NET] sending packet: from 10.14.11.213[47202] to
> 10.11.11.53[500] Nov 12 14:58:28 ThinClient charon: 15[NET] received packet:
> from 10.11.11.53[500] to 10.14.11.213[47202] Nov 12 14:58:28 ThinClient
> charon: 15[ENC] parsed ID_PROT response 0 [ SA V V V V V ] Nov 12 14:58:28
> ThinClient charon: 15[IKE] received strongSwan vendor ID Nov 12 14:58:28
> ThinClient charon: 15[IKE] received Cisco Unity vendor ID Nov 12 14:58:28
> ThinClient charon: 15[IKE] received XAuth vendor ID Nov 12 14:58:28
> ThinClient charon: 15[IKE] received DPD vendor ID Nov 12 14:58:28 ThinClient
> charon: 15[IKE] received NAT-T (RFC 3947) vendor ID Nov 12 14:58:28
> ThinClient charon: 15[ENC] generating ID_PROT request 0 [ KE No NAT-D
> NAT-D ] Nov 12 14:58:28 ThinClient charon: 15[NET] sending packet: from
> 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:58:29 ThinClient charon:
> 03[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov
> 12 14:58:29 ThinClient charon: 03[ENC] parsed ID_PROT response 0 [ KE No
> CERTREQ NAT-D NAT-D ] Nov 12 14:58:29 ThinClient charon: 03[IKE] ignoring
> certificate request without data Nov 12 14:58:29 ThinClient charon: 03[IKE]
> sending cert request for "E=camaster at mvnet.de, C=DE, ST=M-V,
> L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=PCA2006"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE,
> O=DVZ M-V GmbH, CN=CA102008"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE,
> O=DATEV eG, CN=CA DATEV INT 01"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE,
> O=Zertifizierungsstelle E:Secure, CN=CA E:SECURE 6"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "DC=de,
> DC=demo, OU=Zertifikate, OU=SSLVPN Demo, CN=CA ECOS Demo"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "C=DE,
> ST=M-V, L=Schwerin, O=PKI, OU=DVZ M-V GmbH, CN=CA052006,
> E=camaster at mvnet.de"
> Nov 12 14:58:29 ThinClient charon: 03[IKE] sending cert request for "DC=test,
> DC=testuml, OU=Zertifikate, CN=ca test"
> Nov 12 14:58:29 ThinClient charon: 03[CFG] get_private_by_cert  public =
> 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64
> Nov 12 14:58:29 ThinClient charon: 03[CFG] private_key_has_fingerprint
> FALSE current = 06:66:14:4a:a6:db:d1:12:df:f5:2f:9b:a5:26:e1:28:92:ee:fb:00
> fingerpr Nov 12 14:58:29 ThinClient charon: 03[CFG]
> private_key_has_fingerprint  TRUE current =
> 7c:84:9a:9f:49:75:35:f8:a2:77:49:7f:ff:2a:52:f4:3f:d5:00:64  fingerpri Nov 12
> 14:58:29 ThinClient charon: 03[IKE] authentication of 'DC=test, DC=testuml,
> OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert' (myself) successful Nov 12
> 14:58:29 ThinClient charon: 03[IKE] sending end entity cert "DC=test,
> DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipseccert"
> Nov 12 14:58:29 ThinClient charon: 03[ENC] generating ID_PROT request 0 [
> ID CERT SIG CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
> CERTREQ ] Nov 12 14:58:29 ThinClient charon: 03[NET] sending packet: from
> 10.14.11.213[47202] to 10.11.11.53[500] Nov 12 14:58:29 ThinClient charon:
> 14[NET] received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov
> 12 14:58:29 ThinClient charon: 14[ENC] parsed ID_PROT response 0 [ ID CERT
> SIG ] Nov 12 14:58:29 ThinClient charon: 14[IKE] received end entity cert
> "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:58:29 ThinClient charon: 14[CFG]   using certificate "DC=test,
> DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:58:29 ThinClient charon: 14[CFG]   using trusted ca certificate
> "DC=test, DC=testuml, OU=Zertifikate, CN=ca test"
> Nov 12 14:58:29 ThinClient charon: 14[CFG] checking certificate status of
> "DC=test, DC=testuml, OU=Zertifikate, CN=ipsec cert"
> Nov 12 14:58:29 ThinClient charon: 14[CFG] certificate status is not available
> Nov 12 14:58:29 ThinClient charon: 14[CFG]   reached self-signed root ca with
> a path length of 0
> Nov 12 14:58:29 ThinClient charon: 14[IKE] authentication of 'DC=test,
> DC=testuml, OU=Zertifikate, CN=ipsec cert' with RSA successful Nov 12
> 14:58:33 ThinClient charon: 16[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:58:33 ThinClient charon: 16[ENC] parsed
> INFORMATIONAL_V1 request 606203659 [ HASH N(DPD) ] Nov 12 14:58:33
> ThinClient charon: 03[IKE] sending DPD request Nov 12 14:58:43 ThinClient
> charon: 14[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:58:43 ThinClient charon: 14[ENC] parsed
> INFORMATIONAL_V1 request 4185063012 [ HASH N(DPD) ] Nov 12 14:58:43
> ThinClient charon: 01[IKE] sending DPD request Nov 12 14:58:53 ThinClient
> charon: 03[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:58:53 ThinClient charon: 03[ENC] parsed
> INFORMATIONAL_V1 request 3679076023 [ HASH N(DPD) ] Nov 12 14:58:53
> ThinClient charon: 02[IKE] sending DPD request Nov 12 14:59:03 ThinClient
> charon: 01[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:59:03 ThinClient charon: 01[ENC] parsed
> INFORMATIONAL_V1 request 2810910974 [ HASH N(DPD) ] Nov 12 14:59:03
> ThinClient charon: 13[NET] received packet: from 10.11.11.53[500] to
> 10.14.11.213[47202] Nov 12 14:59:03 ThinClient charon: 13[ENC] parsed
> INFORMATIONAL_V1 request 2419136272 [ HASH D ] Nov 12 14:59:03
> ThinClient charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI
> cb7c8081 Nov 12 14:59:03 ThinClient charon: 13[IKE] closing CHILD_SA Ipsec
> zu bb53{4} with SPIs c270d929_i (0 bytes) cb7c8081_o (0 bytes) and TS
> 10.11.99.2/32 === 10.
> Nov 12 14:59:03 ThinClient charon: 15[NET] received packet: from
> 10.11.11.53[500] to 10.14.11.213[47202] Nov 12 14:59:03 ThinClient charon:
> 13[CFG] nm child_updown, my sa = no, down Nov 12 14:59:03 ThinClient
> charon: 15[ENC] parsed INFORMATIONAL_V1 request 620663622 [ HASH D ]
> Nov 12 14:59:03 ThinClient charon: 15[IKE] received DELETE for IKE_SA Ipsec
> zu bb53[6] Nov 12 14:59:03 ThinClient charon: 15[IKE] deleting IKE_SA Ipsec
> zu bb53[6] between 10.14.11.213[DC=test, DC=testuml, OU=Benutzer,
> OU=Ipsec Benutzer, CN=ipse Nov 12 14:59:03 ThinClient charon: 16[NET]
> received packet: from 10.11.11.53[500] to 10.14.11.213[47202] Nov 12
> 14:59:03 ThinClient charon: 16[ENC] parsed INFORMATIONAL_V1 request
> 2443116413 [ HASH D ] Nov 12 14:59:03 ThinClient charon: 16[IKE] received
> DELETE for IKE_SA Ipsec zu bb53[7] Nov 12 14:59:03 ThinClient charon: 16[IKE]
> deleting IKE_SA Ipsec zu bb53[7] between 10.14.11.213[DC=test,
> DC=testuml, OU=Benutzer, OU=Ipsec Benutzer, CN=ipse
> 
> 
> 
> 
> Nov 12 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received
> Vendor ID payload [strongSwan] Nov 12 14:57:03 bb53 pluto[5852]: packet
> from 10.14.11.213:47202: received Vendor ID payload [XAUTH] Nov 12
> 14:57:03 bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor
> ID payload [RFC 3947] Nov 12 14:57:03 bb53 pluto[5852]: packet from
> 10.14.11.213:47202: received Vendor ID payload [Dead Peer Detection] Nov
> 12 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #9: responding to Main Mode from unknown peer
> 10.14.11.213:472 Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: NAT-
> Traversal: Result using RFC 3947: no NAT detected Nov 12 14:57:03 bb53
> pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202
> #9: Peer ID is ID_DER_ASN1_DN: 'DC=test, DC=testuml, OU=Benutz Nov 12
> 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #9: crl not found Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9:
> certificate status unknown Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: we have
> a cert and are sending it Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent
> MR3, ISAKMP SA established Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending
> XAUTH request Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: parsing
> XAUTH reply Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9:
> get_xauth_secret user=richter3 server=DC=test, DC=testuml, Nov 12
> 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #9: extended authentication was successful Nov 12
> 14:57:03 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #9: sending XAUTH status Nov 12 14:57:03 bb53
> pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202
> #9: parsing XAUTH ack Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: received
> XAUTH ack, established Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: parsing
> ModeCfg request Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: peer
> requested virtual IP %any Nov 12 14:57:03 bb53 pluto[5852]: reassigning
> offline lease to 'richter3'
> Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: assigning
> virtual IP 10.11.99.2 to peer Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sending
> ModeCfg reply Nov 12 14:57:03 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #9: sent
> ModeCfg reply, established Nov 12 14:57:04 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10:
> responding to Quick Mode Nov 12 14:57:04 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: Dead
> Peer Detection (RFC 3706) enabled Nov 12 14:57:04 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #10: IPsec SA
> established {ESP=>0xc270d929 <0xcb7c8081} Nov 12 14:58:35 bb53
> pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID payload
> [strongSwan] Nov 12 14:58:35 bb53 pluto[5852]: packet from
> 10.14.11.213:47202: received Vendor ID payload [XAUTH] Nov 12 14:58:35
> bb53 pluto[5852]: packet from 10.14.11.213:47202: received Vendor ID
> payload [RFC 3947] Nov 12 14:58:35 bb53 pluto[5852]: packet from
> 10.14.11.213:47202: received Vendor ID payload [Dead Peer Detection] Nov
> 12 14:58:35 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #11: responding to Main Mode from unknown peer
> 10.14.11.213:47 Nov 12 14:58:36 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: NAT-
> Traversal: Result using RFC 3947: no NAT detected Nov 12 14:58:36 bb53
> pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202
> #11: Peer ID is ID_DER_ASN1_DN: 'DC=test, DC=testuml, OU=Benut Nov 12
> 14:58:36 bb53 pluto[5852]: "v_ipsec_xauth_server_cert__ipseccert"[3]
> 10.14.11.213:47202 #11: crl not found Nov 12 14:58:36 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11:
> certificate status unknown Nov 12 14:58:36 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: we have
> a cert and are sending it Nov 12 14:58:36 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: sent
> MR3, ISAKMP SA established Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: DPD: No
> response from peer - declaring peer dead Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202 #11: DPD:
> Terminating all SAs using this connection Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert" #10: deleting state
> (STATE_QUICK_R2) Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert" #11: deleting state
> (STATE_MAIN_R3) Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert" #9: deleting state
> (STATE_MODE_CFG_R1) Nov 12 14:59:10 bb53 pluto[5852]: DPD: Clearing
> connection "v_ipsec_xauth_server_cert__ipseccert"
> Nov 12 14:59:10 bb53 pluto[5852]:
> "v_ipsec_xauth_server_cert__ipseccert"[3] 10.14.11.213:47202: deleting
> connection "v_ipsec_xauth_server_cert__ipseccert" in Nov 12 14:59:10 bb53
> pluto[5852]: lease 10.11.99.2 by 'richter3' went offline
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
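
Added example, not part of the original post and not strongSwan code: a small triage script for charon syslog output like the log quoted above. It re-splits mail-wrapped text into entries, then reports IKE_SAs that were deleted without ever reaching "established" and any "uniqueness policy" deletions. The sample input is constructed (the 15:04:10 timestamp and the [client]/[server] identities are placeholders), and the function names are this example's own.

```python
import re

# Constructed sample modeled on the charon entries quoted in this post; the
# 15:04:10 timestamp and the [client]/[server] identities are placeholders.
# Entries are deliberately mail-wrapped, so several share a physical line.
SAMPLE = """\
Nov 12 14:56:55 ThinClient charon: 05[IKE] initiating Main Mode IKE_SA Ipsec
zu bb53[6] to 10.11.11.53 Nov 12 14:56:56 ThinClient charon: 13[IKE] IKE_SA
Ipsec zu bb53[6] established between 10.14.11.213[client]...10.11.11.53[server]
Nov 12 14:58:28 ThinClient charon: 16[IKE] reauthenticating IKE_SA Ipsec zu
bb53[6] Nov 12 14:58:28 ThinClient charon: 16[IKE] initiating Main Mode
IKE_SA Ipsec zu bb53[7] to 10.11.11.53 Nov 12 14:58:29 ThinClient charon:
14[IKE] authentication of 'CN=ipsec cert' with RSA successful Nov 12
14:59:03 ThinClient charon: 15[IKE] deleting IKE_SA Ipsec zu bb53[6] between
10.14.11.213[client]...10.11.11.53[server] Nov 12 14:59:03 ThinClient charon:
16[IKE] deleting IKE_SA Ipsec zu bb53[7] between
10.14.11.213[client]...10.11.11.53[server] Nov 12 15:04:10 ThinClient charon:
05[IKE] deleting duplicate IKE_SA for peer 'DC=test, DC=testuml,
OU=Zertifikate, CN=ipsec cert' due to uniqueness policy
"""

STAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
ENTRY_START = re.compile(STAMP + r" \S+ charon: ")
ENTRY = re.compile(
    r"(?P<ts>" + STAMP + r") \S+ charon: \d+\[(?P<grp>[A-Z]+)\] (?P<msg>.*)"
)
INITIATE = re.compile(r"initiating Main Mode IKE_SA (.+?)\[(\d+)\] to ")
ESTABLISHED = re.compile(r"IKE_SA (.+?)\[(\d+)\] established between ")
DELETING = re.compile(r"deleting IKE_SA (.+?)\[(\d+)\] between ")
DUPLICATE = re.compile(
    r"deleting duplicate IKE_SA for peer '([^']+)' due to uniqueness policy"
)


def split_entries(text):
    """Undo mail wrapping: flatten whitespace, cut at each syslog prefix."""
    flat = " ".join(text.split())
    starts = [m.start() for m in ENTRY_START.finditer(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, starts[1:] + [len(flat)])]


def triage(text):
    """Report IKE_SAs deleted before 'established' and uniqueness deletions."""
    state = {}  # (connection name, SA number) -> "initiated" | "established"
    report = {"never_established": [], "uniqueness_deletes": []}
    for entry in split_entries(text):
        m = ENTRY.match(entry)
        if not m or m["grp"] != "IKE":
            continue
        ts, msg = m["ts"], m["msg"]
        if hit := INITIATE.match(msg):
            state[(hit[1], int(hit[2]))] = "initiated"
        elif hit := ESTABLISHED.match(msg):
            state[(hit[1], int(hit[2]))] = "established"
        elif hit := DELETING.match(msg):
            key = (hit[1], int(hit[2]))
            # Deleted while still only "initiated": the SA never completed.
            if state.pop(key, None) == "initiated":
                report["never_established"].append((ts, *key))
        elif hit := DUPLICATE.match(msg):
            report["uniqueness_deletes"].append((ts, hit[1]))
    return report


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        for row in rows:
            print(kind, row)
```

On the sample, SA [7] is reported as never established, which matches the reauthentication that stalls after certificate authentication in the quoted charon log.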




