[strongSwan] Setting up strongSwan 4.3.6
長野 高太郎
Nagano.Kotaro at mss.co.jp
Thu Jan 31 07:46:36 CET 2013
Hello,
I am trying to set up strongSwan 4.3.6 on the network below.
172.22.1.0/24 - 192.168.1.6 ... 192.168.1.7 - 192.168.32.0/24
Here 192.168.1.6 is Ubuntu 12.04 and 192.168.1.7 is a Linux-based
gateway (Linux kernel 2.6.33.5). I must use strongSwan 4.3.6 with IKEv1
because of gateway restrictions.
The responder is the gateway and the initiator is Ubuntu. I can get a connection,
but it is not encapsulated.
My settings and the pluto.log from connection time are shown below.
Please let me know what is wrong.
===================================================================
ipsec.conf 192.168.1.6
===================================================================
config setup
        plutostderrlog=/var/log/pluto.log
        plutodebug=control
        nat_traversal=yes

# Add connections here.
conn %default
        # IKEv1 with a pre-shared key; 3DES/SHA1 for both phases
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        esp=3des-sha1
        ike=3des-sha

conn test
        # Ubuntu side: initiator, brings the tunnel up when pluto starts
        type=tunnel
        left=192.168.1.6
        leftsubnet=172.22.1.0/24
        leftnexthop=%defaultroute
        leftfirewall=yes
        right=192.168.1.7
        rightsubnet=192.168.32.0/24
        auto=start
===================================================================
ipsec.conf 192.168.1.7
===================================================================
config setup
        plutostderrlog=/var/log/pluto.log
        plutodebug=control
        nat_traversal=yes

conn %default
        # IKEv1 with a pre-shared key; 3DES/SHA1 for both phases
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        esp=3des-sha1
        ike=3des-sha

conn test
        # Gateway side: responder, loads the connection and waits for the peer
        type=tunnel
        leftsubnet=192.168.32.0/24
        left=192.168.1.7
        leftnexthop=%defaultroute
        leftfirewall=yes
        right=192.168.1.6
        rightsubnet=172.22.1.0/24
        auto=add
===================================================================
pluto.log 192.168.1.6
===================================================================
Starting IKEv1 pluto daemon (strongSwan 4.3.6) THREADS VENDORID
loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
including NAT-Traversal patch (Version 0.6c)
| xauth module: using default get_secret() function
| xauth module: using default verify_secret() function
Using Linux 2.6 IPsec interface code
loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Changing to directory '/usr/local/etc/ipsec.d/crls'
loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
| inserting event EVENT_LOG_DAILY, timeout in 69358 seconds
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 172.22.1.42
| found eth1 with address 192.168.1.6
adding interface eth1/eth1 192.168.1.6:500
adding interface eth1/eth1 192.168.1.6:4500
adding interface eth0/eth0 172.22.1.42:500
adding interface eth0/eth0 172.22.1.42:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
loading secrets from "/usr/local/etc/ipsec.secrets"
loaded shared key for 192.168.1.7 192.168.1.6
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| from whack: got --esp=3des-sha1
| esp proposal: 3DES_CBC/HMAC_SHA1,
| from whack: got --ike=3des-sha
| ike proposal: 3DES_CBC/HMAC_SHA1/MODP_1536, 3DES_CBC/HMAC_SHA1/MODP_1024,
added connection description "test"
| 172.22.1.0/24===192.168.1.6[192.168.1.6]---172.22.1.254...192.168.1.7[192.168.1.7]===192.168.32.0/24
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1; policy: PSK+ENCRYPT+TUNNEL+PFS
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| creating state object #1 at 0x85ca648
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c0 a8 01 07
| state hash entry 8
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| Queuing pending Quick Mode with 192.168.1.7 "test"
"test" #1: initiating Main Mode
| ike proposal: 3DES_CBC/HMAC_SHA1/MODP_1536, 3DES_CBC/HMAC_SHA1/MODP_1024,
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 172 bytes from 192.168.1.7:500 on eth1
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| state object not found
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c0 a8 01 07
| state hash entry 8
| state object #1 found, in STATE_MAIN_I1
"test" #1: ignoring Vendor ID payload [strongSwan]
"test" #1: ignoring Vendor ID payload [Cisco-Unity]
"test" #1: received Vendor ID payload [XAUTH]
"test" #1: received Vendor ID payload [Dead Peer Detection]
"test" #1: received Vendor ID payload [RFC 3947]
"test" #1: enabling possible NAT-traversal with method 3
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: c0 a8 01 07
| state hash entry 8
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 292 bytes from 192.168.1.7:500 on eth1
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| state object #1 found, in STATE_MAIN_I2
"test" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
| next event EVENT_RETRANSMIT in 10 seconds for #1
|
| *received 68 bytes from 192.168.1.7:500 on eth1
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| state object #1 found, in STATE_MAIN_I3
"test" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.7'
| peer CA: %none
| required CA: %none
| inserting event EVENT_SA_REPLACE, timeout in 3269 seconds for #1
"test" #1: ISAKMP SA established
| unqueuing pending Quick Mode with 192.168.1.7 "test"
| duplicating state object #1
| creating state object #2 at 0x85cc8e0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
"test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
| esp proposal: 3DES_CBC/HMAC_SHA1,
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 356 bytes from 192.168.1.7:500 on eth1
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| state object #2 found, in STATE_QUICK_I1
| our client is subnet 172.22.1.0/24
| our client protocol/port is 0/0
| peer client is subnet 192.168.32.0/24
| peer client protocol/port is 0/0
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
| install_ipsec_sa() for #2: inbound and outbound
| route owner of "test" unrouted: NULL; eroute owner: NULL
| add inbound eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => tun.10000 at 192.168.1.6:0
| sr for #2: unrouted
| route owner of "test" unrouted: NULL; eroute owner: NULL
| eroute_connection add eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => tun.0 at 192.168.1.7:0
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='172.22.1.254' PLUTO_INTERFACE='eth1' PLUTO_REQID='16385' PLUTO_ME='192.168.1.6' PLUTO_MY_ID='192.168.1.6' PLUTO_MY_CLIENT='172.22.1.0/24' PLUTO_MY_CLIENT_NET='172.22.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.7' PLUTO_PEER_ID='192.168.1.7' PLUTO_PEER_CLIENT='192.168.32.0/24' PLUTO_PEER_CLIENT_NET='192.168.32.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| route_and_eroute: firewall_notified: true
| executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='172.22.1.254' PLUTO_INTERFACE='eth1' PLUTO_REQID='16385' PLUTO_ME='192.168.1.6' PLUTO_MY_ID='192.168.1.6' PLUTO_MY_CLIENT='172.22.1.0/24' PLUTO_MY_CLIENT_NET='172.22.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.7' PLUTO_PEER_ID='192.168.1.7' PLUTO_PEER_CLIENT='192.168.32.0/24' PLUTO_PEER_CLIENT_NET='192.168.32.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='172.22.1.254' PLUTO_INTERFACE='eth1' PLUTO_REQID='16385' PLUTO_ME='192.168.1.6' PLUTO_MY_ID='192.168.1.6' PLUTO_MY_CLIENT='172.22.1.0/24' PLUTO_MY_CLIENT_NET='172.22.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.7' PLUTO_PEER_ID='192.168.1.7' PLUTO_PEER_CLIENT='192.168.32.0/24' PLUTO_PEER_CLIENT_NET='192.168.32.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| route_and_eroute: instance "test", setting eroute_owner {spd=0x85c9c54,sr=0x85c9c54} to #2 (was #0) (newest_ipsec_sa=#0)
| inserting event EVENT_SA_REPLACE, timeout in 950 seconds for #2
"test" #2: sent QI2, IPsec SA established {ESP=>0x97e0be80 <0x64f28598}
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
|
| *received whack message
shutting down
forgetting secrets
"test": deleting connection
"test" #2: deleting state (STATE_QUICK_I2)
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='172.22.1.254' PLUTO_INTERFACE='eth1' PLUTO_REQID='16385' PLUTO_ME='192.168.1.6' PLUTO_MY_ID='192.168.1.6' PLUTO_MY_CLIENT='172.22.1.0/24' PLUTO_MY_CLIENT_NET='172.22.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.7' PLUTO_PEER_ID='192.168.1.7' PLUTO_PEER_CLIENT='192.168.32.0/24' PLUTO_PEER_CLIENT_NET='192.168.32.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| replace with shunt eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => int.104 at 192.168.1.6:0
| eroute_connection replace with shunt eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => %trap:0
| delete inbound eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => unk255.10000 at 192.168.1.6:0
"test" #1: deleting state (STATE_MAIN_I4)
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 07
| state hash entry 13
| delete eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => int.0 at 192.168.1.6:0
| eroute_connection delete eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => int.0 at 0.0.0.0:0
| route owner of "test" unrouted: NULL
| executing unroute-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='unroute-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='172.22.1.254' PLUTO_INTERFACE='eth1' PLUTO_REQID='16385' PLUTO_ME='192.168.1.6' PLUTO_MY_ID='192.168.1.6' PLUTO_MY_CLIENT='172.22.1.0/24' PLUTO_MY_CLIENT_NET='172.22.1.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.7' PLUTO_PEER_ID='192.168.1.7' PLUTO_PEER_CLIENT='192.168.32.0/24' PLUTO_PEER_CLIENT_NET='192.168.32.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
===================================================================
pluto.log 192.168.1.7
===================================================================
| *received 264 bytes from 192.168.1.6:500 on eth0
packet from 192.168.1.6:500: ignoring Vendor ID payload [strongSwan]
packet from 192.168.1.6:500: received Vendor ID payload [XAUTH]
packet from 192.168.1.6:500: received Vendor ID payload [Dead Peer Detection]
packet from 192.168.1.6:500: received Vendor ID payload [RFC 3947]
packet from 192.168.1.6:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 192.168.1.6:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 192.168.1.6:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 192.168.1.6:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
| preparse_isakmp_policy: peer requests PSK authentication
| creating state object #8 at 0x91690
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #8
"test" #8: responding to Main Mode
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #8
| next event EVENT_RETRANSMIT in 10 seconds for #8
|
| *received 292 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R1
"test" #8: NAT-Traversal: Result using RFC 3947: no NAT detected
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #8
| next event EVENT_RETRANSMIT in 10 seconds for #8
|
| *received 68 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R2
"test" #8: Peer ID is ID_IPV4_ADDR: '192.168.1.6'
| peer CA: %none
| current connection is a full match -- no need to look further
| offered CA: %none
| inserting event (12), timeout in 20 seconds for #8
| inserting event EVENT_SA_REPLACE, timeout in 3510 seconds for #8
"test" #8: sent MR3, ISAKMP SA established
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
|
| *received 356 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object not found
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R3
| peer client is subnet 172.22.1.0/24
| peer client protocol/port is 0/0
| our client is subnet 192.168.32.0/24
| our client protocol/port is 0/0
| duplicating state object #8
| creating state object #9 at 0x92668
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #9
"test" #9: responding to Quick Mode
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
| route owner of "test" prospective erouted: self
| install_inbound_ipsec_sa() checking if we can route
| route owner of "test" prospective erouted: self; eroute owner: self
| add inbound eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => tun.10000 at 192.168.1.7:0
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #9
| next event EVENT_RETRANSMIT in 10 seconds for #9
|
| *received 52 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #9 found, in STATE_QUICK_R1
| install_ipsec_sa() for #9: outbound only
| route owner of "test" prospective erouted: self; eroute owner: self
| sr for #9: prospective erouted
| route owner of "test" prospective erouted: self; eroute owner: self
| eroute_connection replace eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => tun.0 at 192.168.1.6:0
| executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='192.168.1.6' PLUTO_INTERFACE='eth0' PLUTO_REQID='16385' PLUTO_ME='192.168.1.7' PLUTO_MY_ID='192.168.1.7' PLUTO_MY_CLIENT='192.168.32.0/24' PLUTO_MY_CLIENT_NET='192.168.32.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.6' PLUTO_PEER_ID='192.168.1.6' PLUTO_PEER_CLIENT='172.22.1.0/24' PLUTO_PEER_CLIENT_NET='172.22.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| route_and_eroute: firewall_notified: true
| route_and_eroute: instance "test", setting eroute_owner {spd=0x8f55c,sr=0x8f55c} to #9 (was #0) (newest_ipsec_sa=#0)
| inserting event EVENT_SA_REPLACE, timeout in 1110 seconds for #9
"test" #9: IPsec SA established {ESP=>0x64f28598 <0x97e0be80}
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
|
| *received 68 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R3
"test" #8: received Delete SA(0x64f28598) payload: deleting IPSEC State #9
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='test' PLUTO_NEXT_HOP='192.168.1.6' PLUTO_INTERFACE='eth0' PLUTO_REQID='16385' PLUTO_ME='192.168.1.7' PLUTO_MY_ID='192.168.1.7' PLUTO_MY_CLIENT='192.168.32.0/24' PLUTO_MY_CLIENT_NET='192.168.32.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.168.1.6' PLUTO_PEER_ID='192.168.1.6' PLUTO_PEER_CLIENT='172.22.1.0/24' PLUTO_PEER_CLIENT_NET='172.22.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
| replace with shunt eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => int.104 at 192.168.1.7:0
| eroute_connection replace with shunt eroute 192.168.32.0/24:0 -> 172.22.1.0/24:0 => %trap:0
| delete inbound eroute 172.22.1.0/24:0 -> 192.168.32.0/24:0 => unk255.10000 at 192.168.1.7:0
| next event EVENT_NAT_T_KEEPALIVE in 10 seconds
|
| *received 84 bytes from 192.168.1.6:500 on eth0
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R3
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| state object #8 found, in STATE_MAIN_R3
"test" #8: received Delete SA payload: deleting ISAKMP State #8
| event (1075548268) to be deleted not found
| ICOOKIE: fa 68 13 d6 3a b1 be 62
| RCOOKIE: b6 74 1a 1d d6 41 bf 60
| peer: c0 a8 01 06
| state hash entry 12
| next event EVENT_NAT_T_KEEPALIVE in 10 seconds
--
Thanks,
kotaro
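The logs above show both peers reporting "IPsec SA established" with matching SPIs (0x97e0be80 / 0x64f28598), yet the post says traffic crosses unencapsulated. The place where those two facts meet is the kernel: pluto logs what it negotiated, but encapsulation only happens if the SAs sit in the kernel SAD and a tunnel-mode policy for the subnet pair sits in the SPD. The following script is an added example, not code from the post or from strongSwan: it pulls the outbound/inbound SPIs out of the pluto log line, parses `ip xfrm state` and `ip xfrm policy` output, and reports which SA or policy is missing. The xfrm output embedded here is constructed to match the log above (keys replaced by placeholders, fwd policy omitted); on a real host run those two commands as root on 192.168.1.6 and feed their output in.

```python
import re

# Constructed sample: the "IPsec SA established" line from the initiator's pluto.log above.
PLUTO_LOG_LINE = '"test" #2: sent QI2, IPsec SA established {ESP=>0x97e0be80 <0x64f28598}'

# Constructed sample of `ip xfrm state` on 192.168.1.6, written to match that log line
# (keys replaced by placeholders). An assumption, not output quoted in the post.
XFRM_STATE = """\
src 192.168.1.6 dst 192.168.1.7
\tproto esp spi 0x97e0be80 reqid 16385 mode tunnel
\treplay-window 32
\tauth-trunc hmac(sha1) 0x0000 96
\tenc cbc(des3_ede) 0x0000
src 192.168.1.7 dst 192.168.1.6
\tproto esp spi 0x64f28598 reqid 16385 mode tunnel
\treplay-window 32
\tauth-trunc hmac(sha1) 0x0000 96
\tenc cbc(des3_ede) 0x0000
"""

# Constructed sample of `ip xfrm policy` on 192.168.1.6 for the same tunnel (fwd policy omitted).
XFRM_POLICY = """\
src 172.22.1.0/24 dst 192.168.32.0/24
\tdir out priority 2344
\ttmpl src 192.168.1.6 dst 192.168.1.7
\t\tproto esp reqid 16385 mode tunnel
src 192.168.32.0/24 dst 172.22.1.0/24
\tdir in priority 2344
\ttmpl src 192.168.1.7 dst 192.168.1.6
\t\tproto esp reqid 16385 mode tunnel
"""

# pluto prints {ESP=>outbound_spi <inbound_spi}: the first SPI is the one this host sends with.
SA_LINE = re.compile(r'IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)\}')

# Indented detail lines of `ip xfrm` output that matter for the check; one regex per line kind.
FIELD_RES = [
    re.compile(r'proto (?P<proto>\w+) spi (?P<spi>0x[0-9a-f]+) reqid (?P<reqid>\d+) mode (?P<mode>\w+)'),
    re.compile(r'dir (?P<dir>\w+)'),
    re.compile(r'tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)'),
    re.compile(r'proto (?P<tproto>\w+) reqid \d+ mode (?P<tmode>\w+)'),
]


def parse_log_spis(log_text):
    """Return {'out': spi, 'in': spi} from the pluto log, or None if Quick Mode never completed."""
    m = SA_LINE.search(log_text)
    if m is None:
        return None
    return {"out": int(m.group(1), 16), "in": int(m.group(2), 16)}


def parse_xfrm(text):
    """Parse `ip xfrm state` or `ip xfrm policy` output: one flat dict per unindented src/dst record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":
            m = re.match(r'src (\S+) dst (\S+)', line)
            if m:
                records.append({"src": m.group(1), "dst": m.group(2)})
            continue
        for rx in FIELD_RES:
            m = rx.match(line.strip())
            if m and records:
                records[-1].update(m.groupdict())
                break
    return records


def check_tunnel(log_text, state_text, policy_text, me, peer, my_net, peer_net):
    """Cross-check what pluto logged against the kernel SAD and SPD; return problems (empty = consistent)."""
    spis = parse_log_spis(log_text)
    if spis is None:
        return ["no 'IPsec SA established' line: Quick Mode never completed"]
    problems = []
    # SAD: both ESP tunnel-mode SAs must exist with exactly the SPIs pluto negotiated.
    sad = {(r["src"], r["dst"], int(r["spi"], 16)) for r in parse_xfrm(state_text)
           if r.get("proto") == "esp" and r.get("mode") == "tunnel"}
    for label, key in (("outbound", (me, peer, spis["out"])), ("inbound", (peer, me, spis["in"]))):
        if key not in sad:
            problems.append(f"{label} ESP SA spi {key[2]:#x} {key[0]}->{key[1]} is not in the kernel SAD")
    # SPD: the selector is the subnet pair, the template the gateway pair. Without the 'out'
    # policy the kernel forwards 172.22.1.0/24 -> 192.168.32.0/24 traffic in the clear.
    spd = {(r.get("dir"), r["src"], r["dst"], r.get("tsrc"), r.get("tdst"))
           for r in parse_xfrm(policy_text) if r.get("tmode") == "tunnel"}
    wanted = {"out": (my_net, peer_net, me, peer), "in": (peer_net, my_net, peer, me)}
    for direction, (src, dst, tsrc, tdst) in wanted.items():
        if (direction, src, dst, tsrc, tdst) not in spd:
            problems.append(f"no '{direction}' tunnel policy {src} -> {dst} via {tsrc}->{tdst} in the kernel SPD")
    return problems


if __name__ == "__main__":
    found = check_tunnel(PLUTO_LOG_LINE, XFRM_STATE, XFRM_POLICY,
                         "192.168.1.6", "192.168.1.7", "172.22.1.0/24", "192.168.32.0/24")
    print("\n".join(found) if found else "kernel SAD/SPD match the SPIs and selectors pluto logged")
```

Two further checks belong with this one. The selector of the outbound policy is the subnet pair, so a ping run on the gateway itself without a source address is sent from 192.168.1.6, matches no policy and leaves unencapsulated by design; test from a host in 172.22.1.0/24 or use `ping -I 172.22.1.42`. And if the kernel state is consistent but the post's symptom remains, look on the wire: `tcpdump -ni eth1 esp or udp port 4500` on 192.168.1.6 during the test shows whether ESP is emitted at all, and `ip -s xfrm state` shows whether the SA counters move.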