[strongSwan] strongswan-5.1.1 with 4.xx, tunnel pb

s s y52 at europe.com
Tue Jan 7 23:39:35 CET 2014


Hello Volker,

Thanks for your attention to the current problem.

>sorry, but I doubt this solved your fragmentation problem. To be sure I 
>suggest you once again initiate a ikev2 connection and capture the 
>packets with tcpdump on both sides at the same time. Something like
I attach the complete log from both sides below.

>Btw. did you read the strongswan documentation about ikev1 
>fragmentation? Especially the part since which strongswan version it is 
>available? Ikev1 doesn't help here.
Could you point me to the specific link?

I have already read a lot of material, but in vain. The presumed fragmentation problem was the reason we initially started storing both sides' certificates locally under the strongSwan 4.xx branch. This strategy worked for some time. Then, all of a sudden, we were unable to initiate the WORKING connections with the roadwarrior's workstation (Win8). So we made an attempt to migrate to the strongSwan 5.x branch, but got stuck here with the new problem of being unable to route the connection to the remote host behind our provider's NATed gateway (it works with the public IP). The other problem we have encountered with 5.x is being unable to route transparently between different networks, for example xx.xx.30.0/24==xx.xx.40.0/24==xx.xx.50.0/24 (this could be discussed later).

Looking forward to your suggestions on resolving the issue with establishing the working IKEv2 tunnel and the routing between the networks.
Regards,
Serge

A complete log of the IKEv2 connection session:


== the bt side =======
root at bt:/etc/ipsec.d# ipsec version
Linux strongSwan U4.3.2/K2.6.38


conn karmaIKE2
     left=%defaultroute
     leftsubnet=10.0.2.0/24
     leftcert=btvm34.hostCert.pem
     leftid=btvm at hmnet
     right=192.168.4.10
     rightsubnet=192.168.4.0/24
     rightcert=peercerts/karmaY2034.hostCert.pem
     rightid=@karma.hmnet
     keyexchange=ikev2
     mobike=yes
     leftfirewall=yes
     auto=add



root at bt:/etc/ipsec.d# ipsec up karmaIKE2
initiating IKE_SA karmaIKE2[1] to 192.168.4.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
received packet: from 192.168.4.10[500] to 10.0.2.15[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'btvm at hmnet' (myself) with RSA signature successful
sending end entity cert "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet"
establishing CHILD_SA karmaIKE2
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
retransmit 1 of request with message ID 1
sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
retransmit 2 of request with message ID 1
sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
^C
root at bt:/etc/ipsec.d# ipsec down karmaIKE2
destroying IKE_SA in state CONNECTING without notification
root at bt:/etc/ipsec.d# 


root at bt:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.2.15:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp 
000 debug options: none
000 
Status of IKEv2 charon daemon (strongSwan 4.3.2):
  uptime: 41 minutes, since Jan 07 22:53:13 2014
  worker threads: 8 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2 
Listening IP addresses:
  10.0.2.15
Connections:
   karmaIKE2:  10.0.2.15...192.168.4.10
   karmaIKE2:   local:  [btvm at hmnet] uses public key authentication
   karmaIKE2:    cert:  "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet"
   karmaIKE2:   remote: [karma.hmnet] uses any authentication
   karmaIKE2:    cert:  "OU=hmnet CN=karma.hmnet"
   karmaIKE2:   child:  10.0.2.0/24 === 192.168.4.0/24 
Security Associations:
   karmaIKE2[2]: CONNECTING, 10.0.2.15[btvm at hmnet]...192.168.4.10[karma.hmnet]
   karmaIKE2[2]: IKE SPIs: 820084d6d8fb828a_i* b5a3402842ca1c16_r
   karmaIKE2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




root at bt:~# tail -f /var/log/syslog /var/log/auth.log /var/log/messages /var/log/daemon.log |grep 'charon:'
Jan  7 22:53:13 bt charon: 08[CFG] received stroke: add connection 'karmaIKE2'
Jan  7 22:53:13 bt charon: 08[LIB]   loaded certificate file '/etc/ipsec.d/certs/btvm34.hostCert.pem'
Jan  7 22:53:13 bt charon: 08[LIB]   loaded certificate file '/etc/ipsec.d/certs/peercerts/karmaY2034.hostCert.pem'
Jan  7 22:53:13 bt charon: 08[CFG] added configuration 'karmaIKE2'
Jan  7 22:53:13 bt charon: 08[CFG] received stroke: add connection 'karmaIKE2'
Jan  7 22:53:13 bt charon: 08[LIB]   loaded certificate file '/etc/ipsec.d/certs/btvm34.hostCert.pem'
Jan  7 22:53:13 bt charon: 08[LIB]   loaded certificate file '/etc/ipsec.d/certs/peercerts/karmaY2034.hostCert.pem'
Jan  7 22:53:13 bt charon: 08[CFG] added configuration 'karmaIKE2'


Jan  7 22:53:48 bt charon: 12[CFG] received stroke: initiate 'karmaIKE2'
Jan  7 22:53:48 bt charon: 16[IKE] initiating IKE_SA karmaIKE2[1] to 192.168.4.10
Jan  7 22:53:48 bt charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  7 22:53:48 bt charon: 16[NET] sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
Jan  7 22:53:48 bt charon: 17[NET] received packet: from 192.168.4.10[500] to 10.0.2.15[500]
Jan  7 22:53:48 bt charon: 17[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan  7 22:53:48 bt charon: 17[IKE] local host is behind NAT, sending keep alives
Jan  7 22:53:48 bt charon: 17[IKE] received cert request for "OU=CA, CN=certauth"
Jan  7 22:53:48 bt charon: 17[IKE] sending cert request for "OU=CA, CN=certauth"
Jan  7 22:53:48 bt charon: 17[IKE] authentication of 'btvm at hmnet' (myself) with RSA signature successful
Jan  7 22:53:48 bt charon: 17[IKE] sending end entity cert "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet"
Jan  7 22:53:48 bt charon: 17[IKE] establishing CHILD_SA karmaIKE2
Jan  7 22:53:48 bt charon: 17[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Jan  7 22:53:48 bt charon: 17[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:53:48 bt charon: 16[IKE] initiating IKE_SA karmaIKE2[1] to 192.168.4.10
Jan  7 22:53:48 bt charon: 17[IKE] establishing CHILD_SA karmaIKE2
Jan  7 22:53:48 bt charon: 12[CFG] received stroke: initiate 'karmaIKE2'
Jan  7 22:53:48 bt charon: 16[IKE] initiating IKE_SA karmaIKE2[1] to 192.168.4.10
Jan  7 22:53:48 bt charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan  7 22:53:48 bt charon: 16[NET] sending packet: from 10.0.2.15[500] to 192.168.4.10[500]
Jan  7 22:53:48 bt charon: 17[NET] received packet: from 192.168.4.10[500] to 10.0.2.15[500]
Jan  7 22:53:48 bt charon: 17[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan  7 22:53:48 bt charon: 17[IKE] local host is behind NAT, sending keep alives
Jan  7 22:53:48 bt charon: 17[IKE] received cert request for "OU=CA, CN=certauth"
Jan  7 22:53:48 bt charon: 17[IKE] sending cert request for "OU=CA, CN=certauth"
Jan  7 22:53:48 bt charon: 17[IKE] authentication of 'btvm at hmnet' (myself) with RSA signature successful
Jan  7 22:53:48 bt charon: 17[IKE] sending end entity cert "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet"
Jan  7 22:53:48 bt charon: 17[IKE] establishing CHILD_SA karmaIKE2
Jan  7 22:53:48 bt charon: 17[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Jan  7 22:53:48 bt charon: 17[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:53:52 bt charon: 08[IKE] retransmit 1 of request with message ID 1
Jan  7 22:53:52 bt charon: 08[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:53:52 bt charon: 08[IKE] retransmit 1 of request with message ID 1
Jan  7 22:53:52 bt charon: 08[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:54:00 bt charon: 07[IKE] retransmit 2 of request with message ID 1
Jan  7 22:54:00 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:54:00 bt charon: 07[IKE] retransmit 2 of request with message ID 1
Jan  7 22:54:00 bt charon: 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:54:13 bt charon: 13[IKE] retransmit 3 of request with message ID 1
Jan  7 22:54:13 bt charon: 13[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:54:13 bt charon: 13[IKE] retransmit 3 of request with message ID 1
Jan  7 22:54:13 bt charon: 13[NET] sending packet: from 10.0.2.15[4500] to 192.168.4.10[4500]
Jan  7 22:54:13 bt charon: 14[CFG] received stroke: terminate 'karmaIKE2'
Jan  7 22:54:13 bt charon: 16[IKE] destroying IKE_SA in state CONNECTING without notification
Jan  7 22:54:13 bt charon: 16[KNL] received netlink error: Invalid argument (22)
Jan  7 22:54:13 bt charon: 16[KNL] unable to delete SAD entry with SPI cefffd6e
Jan  7 22:54:13 bt charon: 14[CFG] received stroke: terminate 'karmaIKE2'
Jan  7 22:54:13 bt charon: 16[IKE] destroying IKE_SA in state CONNECTING without notification
Jan  7 22:54:13 bt charon: 16[KNL] received netlink error: Invalid argument (22)
Jan  7 22:54:13 bt charon: 16[KNL] unable to delete SAD entry with SPI cefffd6e
Jan  7 22:54:18 bt charon: 03[KNL] creating delete job for ESP CHILD_SA with SPI cefffd6e and reqid {1}
Jan  7 22:54:18 bt charon: 17[JOB] CHILD_SA with reqid 1 not found for delete
Jan  7 22:54:18 bt charon: 03[KNL] creating delete job for ESP CHILD_SA with SPI cefffd6e and reqid {1}
Jan  7 22:54:18 bt charon: 17[JOB] CHILD_SA with reqid 1 not found for delete




root at bt:~# tcpdump -i eth0 -n -v -s 0 'host 192.168.4.10'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes



22:53:48.558756 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 728)
    10.0.2.15.500 > 192.168.4.10.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=312
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp2048 ))
        (p: #2 protoid=isakmp transform=4 len=40
            (t: #1 type=encr id=3des )
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp1536 ))
        (p: #3 protoid=isakmp transform=26 len=228
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=3des )
            (t: #5 type=integ id=aes-xcbc )
            (t: #6 type=integ id=hmac-sha )
            (t: #7 type=integ id=#12 )
            (t: #8 type=integ id=hmac-md5 )
            (t: #9 type=integ id=#13 )
            (t: #10 type=integ id=#14 )
            (t: #11 type=prf id=aes128_xcbc )
            (t: #12 type=prf id=#5 )
            (t: #13 type=prf id=hmac-sha )
            (t: #14 type=prf id=hmac-md5 )
            (t: #15 type=prf id=#6 )
            (t: #16 type=prf id=#7 )
            (t: #17 type=dh id=#25 )
            (t: #18 type=dh id=#26 )
            (t: #19 type=dh id=#19 )
            (t: #20 type=dh id=#20 )
            (t: #21 type=dh id=#21 )
            (t: #22 type=dh id=modp2048 )
            (t: #23 type=dh id=modp1536 )
            (t: #24 type=dh id=modp4096 )
            (t: #25 type=dh id=modp8192 )
            (t: #26 type=dh id=modp1024 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(bbe2cea2efbb407896e5...636d71f803e75cc747fd9c3a99c84cf9f4ba9bed))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
22:53:48.818954 IP (tos 0x0, ttl 64, id 24, offset 0, flags [none], proto UDP (17), length 493)
    192.168.4.10.500 > 10.0.2.15.500: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(8f6cd838f2f66aea1a2c...6dc4a7fbe9561b9f34cc71a70000000800004014))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2cr: len=21)
    (n: prot_id=#0 type=16404(status))
22:53:48.923237 IP (tos 0x0, ttl 64, id 49759, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.2.15.4500 > 192.168.4.10.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:48.923577 IP (tos 0x0, ttl 64, id 49759, offset 1480, flags [none], proto UDP (17), length 36)
    10.0.2.15 > 192.168.4.10: udp
22:53:49.033669 IP (tos 0x0, ttl 64, id 25, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:53:52.943270 IP (tos 0x0, ttl 64, id 49760, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.2.15.4500 > 192.168.4.10.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:52.943605 IP (tos 0x0, ttl 64, id 49760, offset 1480, flags [none], proto UDP (17), length 36)
    10.0.2.15 > 192.168.4.10: udp
22:53:52.949155 IP (tos 0x0, ttl 64, id 26, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:00.143914 IP (tos 0x0, ttl 64, id 49761, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.2.15.4500 > 192.168.4.10.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:54:00.144230 IP (tos 0x0, ttl 64, id 49761, offset 1480, flags [none], proto UDP (17), length 36)
    10.0.2.15 > 192.168.4.10: udp
22:54:00.150632 IP (tos 0x0, ttl 64, id 27, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:13.105541 IP (tos 0x0, ttl 64, id 49762, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.2.15.4500 > 192.168.4.10.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:54:13.105870 IP (tos 0x0, ttl 64, id 49762, offset 1480, flags [none], proto UDP (17), length 36)
    10.0.2.15 > 192.168.4.10: udp
22:54:13.111044 IP (tos 0x0, ttl 64, id 28, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:19.091771 IP (tos 0xc0, ttl 64, id 49763, offset 0, flags [none], proto ICMP (1), length 576)
    10.0.2.15 > 192.168.4.10: ICMP ip reassembly time exceeded, length 556
 IP (tos 0x0, ttl 64, id 25, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:23.011750 IP (tos 0xc0, ttl 64, id 49764, offset 0, flags [none], proto ICMP (1), length 576)
    10.0.2.15 > 192.168.4.10: ICMP ip reassembly time exceeded, length 556
 IP (tos 0x0, ttl 64, id 26, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:30.211776 IP (tos 0xc0, ttl 64, id 49765, offset 0, flags [none], proto ICMP (1), length 576)
    10.0.2.15 > 192.168.4.10: ICMP ip reassembly time exceeded, length 556
 IP (tos 0x0, ttl 64, id 27, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:43.172617 IP (tos 0xc0, ttl 64, id 49766, offset 0, flags [none], proto ICMP (1), length 576)
    10.0.2.15 > 192.168.4.10: ICMP ip reassembly time exceeded, length 556
 IP (tos 0x0, ttl 64, id 28, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)


==== the karma side ===
[root at karma ~]# strongswan version
Linux strongSwan U5.1.1/K2.6.18-308.16.1.el5PAE

conn %default
        left=%defaultroute
        leftcert=karmaY2034.hostCert.pem
        auto=add

conn karmaIKE2
        right=%any
        rightcert=peercerts/btvm34.hostCert.pem
        rightid=btvm at hmnet
        rightsubnet=10.0.2.0/24
        leftcert=karmaY2034.hostCert.pem
        leftid=@karma.hmnet
        leftsubnet=192.168.4.0/24
        keyexchange=ikev2
        mobike=yes
        leftfirewall=yes
        auto=add



[root at karma ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 2.6.18-308.16.1.el5PAE, i686):
  uptime: 2 minutes, since Jan 07 22:51:21 2014
  malloc: sbrk 262144, mmap 0, used 198752, free 63392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Listening IP addresses:
  192.168.4.10
  2a01:e35:2efd:d1c0:250:bfff:fe08:4d16
  192.168.122.1
Connections:
   karmaIKE2:  %any...%any  IKEv2
   karmaIKE2:   local:  [karma.hmnet] uses public key authentication
   karmaIKE2:    cert:  "OU=hmnet CN=karma.hmnet"
   karmaIKE2:   remote: [btvm at hmnet] uses public key authentication
   karmaIKE2:    cert:  "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet"
   karmaIKE2:   child:  192.168.4.0/24 === 10.0.2.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
   karmaIKE2[3]: ESTABLISHED 7 seconds ago, 192.168.4.10[karma.hmnet]...192.168.4.87[btvm at hmnet]
   karmaIKE2[3]: IKEv2 SPIs: 089b67385c46db86_i fb0d35b1b0fc010f_r*, public key reauthentication in 2 hours
   karmaIKE2[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   karmaIKE2{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c5e698fc_i cefffd6e_o
   karmaIKE2{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
   karmaIKE2{2}:   192.168.4.0/24 === 10.0.2.0/24 
  frqx-karma[1]: ESTABLISHED 2 minutes ago, xx.xx.xx.28[OU=hmnet CN=karma.hmnet]...xx.xx.xx.112[OU=frqx, CN=vpn.hmnet]
  frqx-karma[1]: IKEv2 SPIs: 1eed103e1cff4978_i* 76f28e8160207020_r, public key reauthentication in 44 minutes
  frqx-karma[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  frqx-karma{1}:  INSTALLED, TUNNEL, ESP SPIs: c82b8515_i c8a977e9_o
  frqx-karma{1}:  AES_CBC_128/HMAC_SHA1_96, 2400 bytes_i (13 pkts, 26s ago), 5176 bytes_o (25 pkts, 5s ago), rekeying in 39 minutes
  frqx-karma{1}:   192.168.4.0/24 === 192.168.169.0/24 
[root at karma ~]# 




[root at karma ~]# tcpdump -i eth0 -n -v -s 0 'host 192.168.4.87' "and not port ssh and not port https and not port imap and not port netbios-ns and not port snmp and not arp" 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes



22:53:47.814438 IP (tos 0x0, ttl  63, id 5324, offset 0, flags [none], proto: UDP (17), length: 728) 192.168.4.87.61578 > 192.168.4.10.isakmp: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=312
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp2048 ))
        (p: #2 protoid=isakmp transform=4 len=40
            (t: #1 type=encr id=3des )
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp1536 ))
        (p: #3 protoid=isakmp transform=26 len=228
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=3des )
            (t: #5 type=integ id=aes-xcbc )
            (t: #6 type=integ id=hmac-sha )
            (t: #7 type=integ id=#12 )
            (t: #8 type=integ id=hmac-md5 )
            (t: #9 type=integ id=#13 )
            (t: #10 type=integ id=#14 )
            (t: #11 type=prf id=aes128_xcbc )
            (t: #12 type=prf id=#5 )
            (t: #13 type=prf id=hmac-sha )
            (t: #14 type=prf id=hmac-md5 )
            (t: #15 type=prf id=#6 )
            (t: #16 type=prf id=#7 )
            (t: #17 type=dh id=#25 )
            (t: #18 type=dh id=#26 )
            (t: #19 type=dh id=#19 )
            (t: #20 type=dh id=#20 )
            (t: #21 type=dh id=#21 )
            (t: #22 type=dh id=modp2048 )
            (t: #23 type=dh id=modp1536 )
            (t: #24 type=dh id=modp4096 )
            (t: #25 type=dh id=modp8192 )
            (t: #26 type=dh id=modp1024 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(bbe2cea2efbb407896e5...636d71f803e75cc747fd9c3a99c84cf9f4ba9bed))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
22:53:48.070623 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 493) 192.168.4.10.isakmp > 192.168.4.87.61578: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp2048 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(8f6cd838f2f66aea1a2c...6dc4a7fbe9561b9f34cc71a70000000800004014))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2cr: len=21)
    (n: prot_id=#0 type=16404(status))
22:53:48.178489 IP (tos 0x0, ttl  63, id 5326, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.87.61579 > 192.168.4.10.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:48.178510 IP (tos 0x0, ttl  63, id 5326, offset 1480, flags [none], proto: UDP (17), length: 36) 192.168.4.87 > 192.168.4.10: udp
22:53:48.284443 IP (tos 0x0, ttl  64, id 17519, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.10.ipsec-nat-t > 192.168.4.87.61579: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:53:48.284468 IP (tos 0x0, ttl  64, id 17519, offset 1480, flags [none], proto: UDP (17), length: 164) 192.168.4.10 > 192.168.4.87: udp
22:53:52.198156 IP (tos 0x0, ttl  63, id 5339, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.87.61579 > 192.168.4.10.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:52.198176 IP (tos 0x0, ttl  63, id 5339, offset 1480, flags [none], proto: UDP (17), length: 36) 192.168.4.87 > 192.168.4.10: udp
22:53:52.200081 IP (tos 0x0, ttl  64, id 17520, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.10.ipsec-nat-t > 192.168.4.87.61579: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:53:52.200091 IP (tos 0x0, ttl  64, id 17520, offset 1480, flags [none], proto: UDP (17), length: 164) 192.168.4.10 > 192.168.4.87: udp
22:53:58.993951 IP (tos 0xc0, ttl  64, id 50432, offset 0, flags [none], proto: ICMP (1), length: 576) 82.239.221.28 > 192.168.4.87: ICMP 74.208.122.50 unreachable - need to frag (mtu 1428), length 556
        IP (tos 0x0, ttl 127, id 5358, offset 0, flags [DF], proto: TCP (6), length: 1500) 192.168.4.87.51039 > 74.208.122.50.https: . 977898098:977899558(1460) ack 3259647801 win 16425
        MPLS extension v15 packet not supported
22:53:59.399139 IP (tos 0x0, ttl  63, id 5361, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.87.61579 > 192.168.4.10.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:59.399156 IP (tos 0x0, ttl  63, id 5361, offset 1480, flags [none], proto: UDP (17), length: 36) 192.168.4.87 > 192.168.4.10: udp
22:53:59.401022 IP (tos 0x0, ttl  64, id 17521, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.10.ipsec-nat-t > 192.168.4.87.61579: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:53:59.401039 IP (tos 0x0, ttl  64, id 17521, offset 1480, flags [none], proto: UDP (17), length: 164) 192.168.4.10 > 192.168.4.87: udp
22:54:12.361298 IP (tos 0x0, ttl  63, id 5383, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.87.61579 > 192.168.4.10.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:54:12.361311 IP (tos 0x0, ttl  63, id 5383, offset 1480, flags [none], proto: UDP (17), length: 36) 192.168.4.87 > 192.168.4.10: udp
22:54:12.363176 IP (tos 0x0, ttl  64, id 17522, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.10.ipsec-nat-t > 192.168.4.87.61579: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:12.363191 IP (tos 0x0, ttl  64, id 17522, offset 1480, flags [none], proto: UDP (17), length: 164) 192.168.4.10 > 192.168.4.87: udp


[root at karma ~]# tail -f /var/log/messages | grep 'charon:'
Jan  7 22:51:22 karma charon: 11[IKE] received AUTH_LIFETIME of 3334s, scheduling reauthentication in 2794s 
Jan  7 22:51:22 karma charon: 11[IKE] peer supports MOBIKE 




Jan  7 22:53:47 karma charon: 11[NET] received packet: from 192.168.4.87[61578] to 192.168.4.10[500] (700 bytes) 
Jan  7 22:53:47 karma charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Jan  7 22:53:47 karma charon: 11[IKE] 192.168.4.87 is initiating an IKE_SA 
Jan  7 22:53:48 karma charon: 11[IKE] remote host is behind NAT 
Jan  7 22:53:48 karma charon: 11[IKE] sending cert request for "OU=CA, CN=certauth" 
Jan  7 22:53:48 karma charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Jan  7 22:53:48 karma charon: 11[NET] sending packet: from 192.168.4.10[500] to 192.168.4.87[61578] (465 bytes) 
Jan  7 22:53:48 karma charon: 16[NET] received packet: from 192.168.4.87[61579] to 192.168.4.10[4500] (1484 bytes) 
Jan  7 22:53:48 karma charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Jan  7 22:53:48 karma charon: 16[IKE] received cert request for "OU=CA, CN=certauth" 
Jan  7 22:53:48 karma charon: 16[IKE] received end entity cert "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet" 
Jan  7 22:53:48 karma charon: 16[CFG] looking for peer configs matching 192.168.4.10[karma.hmnet]...192.168.4.87[btvm at hmnet] 
Jan  7 22:53:48 karma charon: 16[CFG] selected peer config 'karmaIKE2' 
Jan  7 22:53:48 karma charon: 16[CFG]   using trusted ca certificate "OU=CA, CN=certauth" 
Jan  7 22:53:48 karma charon: 16[CFG] checking certificate status of "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet" 
Jan  7 22:53:48 karma charon: 16[CFG] certificate status is not available 
Jan  7 22:53:48 karma charon: 16[CFG]   reached self-signed root ca with a path length of 0 
Jan  7 22:53:48 karma charon: 16[CFG]   using trusted certificate "OU=testbed, CN=btvm.hmnet, E=btvm at hmnet" 
Jan  7 22:53:48 karma charon: 16[IKE] authentication of 'btvm at hmnet' with RSA signature successful 
Jan  7 22:53:48 karma charon: 16[IKE] peer supports MOBIKE 
Jan  7 22:53:48 karma charon: 16[IKE] authentication of 'karma.hmnet' (myself) with RSA signature successful 
Jan  7 22:53:48 karma charon: 16[IKE] IKE_SA karmaIKE2[3] established between 192.168.4.10[karma.hmnet]...192.168.4.87[btvm at hmnet] 
Jan  7 22:53:48 karma charon: 16[IKE] scheduling reauthentication in 9733s 
Jan  7 22:53:48 karma charon: 16[IKE] maximum IKE_SA lifetime 10273s 
Jan  7 22:53:48 karma charon: 16[IKE] sending end entity cert "OU=hmnet CN=karma.hmnet" 
Jan  7 22:53:48 karma charon: 16[IKE] CHILD_SA karmaIKE2{2} established with SPIs c5e698fc_i cefffd6e_o and TS 192.168.4.0/24 === 10.0.2.0/24  
Jan  7 22:53:48 karma charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ] 
Jan  7 22:53:48 karma charon: 16[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[61579] (1612 bytes) 
Jan  7 22:53:52 karma charon: 05[NET] received packet: from 192.168.4.87[61579] to 192.168.4.10[4500] (1484 bytes) 
Jan  7 22:53:52 karma charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Jan  7 22:53:52 karma charon: 05[IKE] received retransmit of request with ID 1, retransmitting response 
Jan  7 22:53:52 karma charon: 05[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[61579] (1612 bytes) 
Jan  7 22:53:59 karma charon: 07[NET] received packet: from 192.168.4.87[61579] to 192.168.4.10[4500] (1484 bytes) 
Jan  7 22:53:59 karma charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Jan  7 22:53:59 karma charon: 07[IKE] received retransmit of request with ID 1, retransmitting response 
Jan  7 22:53:59 karma charon: 07[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[61579] (1612 bytes) 
Jan  7 22:54:12 karma charon: 08[NET] received packet: from 192.168.4.87[61579] to 192.168.4.10[4500] (1484 bytes) 
Jan  7 22:54:12 karma charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ] 
Jan  7 22:54:12 karma charon: 08[IKE] received retransmit of request with ID 1, retransmitting response 
Jan  7 22:54:12 karma charon: 08[NET] sending packet: from 192.168.4.10[4500] to 192.168.4.87[61579] (1612 bytes) 
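What the two captures above actually show can be checked mechanically. On karma the 1612-byte IKE_AUTH response leaves as two IP fragments (1500 + 164 bytes, same IP id); on bt only the first fragment of each retransmitted response arrives, and bt later sends "ICMP ip reassembly time exceeded" quoting that first fragment. The 1484-byte IKE_AUTH request in the other direction (1500 + 36 bytes) arrives at karma in full. So the tail fragments are lost only on the karma to bt path, i.e. inside the NAT between 192.168.4.87 and 10.0.2.15. The script below is an added example, not code from the original post or from strongSwan: it parses tcpdump text in both formats seen here, groups fragments by (src, dst, IP id), uses tcpdump's "len mismatch: isakmp N/ip M" to compute how many bytes the complete datagram should carry, and reports datagrams that never completed plus the number of reassembly-timeout ICMPs. Assumptions: 20-byte IPv4 headers without options, the 4-byte non-ESP marker in front of IKE on UDP port 4500, and the constructed capture excerpts embedded at the bottom.

```python
"""Cross-check the IP fragments of IKE messages in tcpdump text output.  Added
example, not code from the original post or from strongSwan; it assumes the two
tcpdump line formats seen in the post, 20-byte IPv4 headers (no options) and the
4-byte non-ESP marker that precedes IKE in UDP port 4500 encapsulation."""
import re
from dataclasses import dataclass, field

IPV4_HDR, UDP_HDR, NON_ESP_MARKER = 20, 8, 4

# Packet header line; the older tcpdump prints "proto: UDP (17), length: N",
# the newer one "proto UDP (17), length N".
HDR = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP \(tos 0x[0-9a-f]+, ttl\s+\d+, id (?P<id>\d+), "
    r"offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], proto:? (?P<proto>\w+) "
    r"\(\d+\), length:? (?P<len>\d+)\)")
# "src[.port] > dst[.port]", on the same line or on the following one.
ADDR = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\S+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)")
# "len mismatch: isakmp 1612/ip 1468" reveals the length of the whole IKE message.
ISAKMP_LEN = re.compile(r"isakmp (?P<claimed>\d+)/ip")
ICMP_TIMEOUT = "ip reassembly time exceeded"


@dataclass
class Datagram:
    src: str
    dst: str
    ip_id: int
    fragments: list = field(default_factory=list)  # (offset, payload bytes, more-fragments)
    claimed_isakmp: int = 0                        # 0: tcpdump printed no IKE length
    nat_t: bool = False

    def expected(self):  # IP payload the complete datagram must carry, or None
        if not self.claimed_isakmp:
            return None
        return self.claimed_isakmp + UDP_HDR + (NON_ESP_MARKER if self.nat_t else 0)

    def is_complete(self):  # fragments cover 0..end without gaps, last one has MF clear
        frags, pos = sorted(self.fragments), 0
        for off, plen, _ in frags:
            if off != pos:
                return False
            pos += plen
        return bool(frags) and not frags[-1][2]


def parse_records(capture):
    """[(header fields, summary line)] per packet; decoded payload lines are skipped."""
    records, current = [], None
    for line in capture.splitlines():
        m = HDR.match(line)
        if m:
            current = [m.groupdict(), line[m.end():].strip()]
            records.append(current)
        elif current is not None and current[1] == "":
            current[1] = line.strip()  # newer tcpdump: addresses on the next line
    return records


def analyze(capture):
    """Group fragments by (src, dst, IP id) and report datagrams that never completed."""
    datagrams, timeouts = {}, 0
    for hdr, summary in parse_records(capture):
        a = ADDR.search(summary)
        if not a:
            continue
        if hdr["proto"] == "ICMP":
            timeouts += int(ICMP_TIMEOUT in summary)
            continue
        key = (a["src"], a["dst"], int(hdr["id"]))
        dg = datagrams.setdefault(key, Datagram(*key))
        dg.fragments.append((int(hdr["off"]), int(hdr["len"]) - IPV4_HDR, "+" in hdr["flags"]))
        c = ISAKMP_LEN.search(summary)
        if c:
            dg.claimed_isakmp, dg.nat_t = int(c["claimed"]), "NONESP-encap" in summary
    report = {"complete": [], "incomplete": [], "reassembly_timeouts": timeouts}
    for dg in datagrams.values():
        entry = {"src": dg.src, "dst": dg.dst, "id": dg.ip_id, "fragments": len(dg.fragments),
                 "received": sum(p for _, p, _ in dg.fragments), "expected": dg.expected()}
        report["complete" if dg.is_complete() else "incomplete"].append(entry)
    return report


# Constructed excerpts of the two captures in the post (payload decode lines left out).
BT_CAPTURE = """\
22:53:48.923237 IP (tos 0x0, ttl 64, id 49759, offset 0, flags [+], proto UDP (17), length 1500)
    10.0.2.15.4500 > 192.168.4.10.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:48.923577 IP (tos 0x0, ttl 64, id 49759, offset 1480, flags [none], proto UDP (17), length 36)
    10.0.2.15 > 192.168.4.10: udp
22:53:49.033669 IP (tos 0x0, ttl 64, id 25, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.4.10.4500 > 10.0.2.15.4500: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[R]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:54:19.091771 IP (tos 0xc0, ttl 64, id 49763, offset 0, flags [none], proto ICMP (1), length 576)
    10.0.2.15 > 192.168.4.10: ICMP ip reassembly time exceeded, length 556
 IP (tos 0x0, ttl 64, id 25, offset 0, flags [+], proto UDP (17), length 1500)
"""
KARMA_CAPTURE = """\
22:53:48.178489 IP (tos 0x0, ttl  63, id 5326, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.87.61579 > 192.168.4.10.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]: [|v2e] (len mismatch: isakmp 1484/ip 1468)
22:53:48.178510 IP (tos 0x0, ttl  63, id 5326, offset 1480, flags [none], proto: UDP (17), length: 36) 192.168.4.87 > 192.168.4.10: udp
22:53:48.284443 IP (tos 0x0, ttl  64, id 17519, offset 0, flags [+], proto: UDP (17), length: 1500) 192.168.4.10.ipsec-nat-t > 192.168.4.87.61579: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[]: [|v2e] (len mismatch: isakmp 1612/ip 1468)
22:53:48.284468 IP (tos 0x0, ttl  64, id 17519, offset 1480, flags [none], proto: UDP (17), length: 164) 192.168.4.10 > 192.168.4.87: udp
"""

if __name__ == "__main__":
    print(analyze(BT_CAPTURE), analyze(KARMA_CAPTURE), sep="\n")
```

Run against the full captures (tcpdump -n -v, as above) the "incomplete" list on bt contains only the responder's IKE_AUTH responses (IP id 25..28, 1480 of 1624 payload bytes received, one fragment each), while on karma every datagram is complete. The initiator keeps retransmitting because it never sees a whole response, and the responder keeps answering the retransmits, which is exactly the log pattern on both sides. Whatever the fix, it has to either keep the IKE_AUTH messages below the path MTU or get non-initial fragments through that NAT.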