[strongSwan] The option "rightca=ca-dn-here" in v5.5.1 seems to have no effect for IKEv1, cert requests for all CAs in cacerts are still sent to peer

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sun Sep 24 13:01:03 CEST 2017


Hello Tobias,

As per your advice I did run a check... but I did not see any of the errors
or not-found messages when the config was loaded.

On further narrowing down the issue... I believe the issue with
"rightca=<xxxxxxxx-xxxx>" is ONLY when the ipsec-gw acts as a responder...

As a responder to incoming connections, it simply ignores the
"rightca=xxxx" option and sends cert-requests for all the 100+ CAs to the
remote-initiator.


But as an initiator of the ipsec tunnel it properly uses the rightca option
and sends a cert request for only that CA, and also the ipsec tunnel is
established successfully.

Please find the sample traces as captured on my test-setup (sorry for the
long info... I thought you may want to have the details...)

Note: the "leftsendcert=always" in the config, I intend to use primarily
when I create connection profiles for remote Mac-iOS-GreenBow IKEv2 VPN
clients using EAP-auth... I checked by removing this option completely... but
it seems to have nothing to do with the issue observed for now...

-----------------------------------------------------------------------------------------------------------





ipsec config on DUT "leftgw"
===============================

root at leftgwgwdut:/etc# cat ipsec.conf
# auto-generated config file from /tmp/etc/config/strongswan
config setup
        charondebug="chd 2,knl 2,ike 2,cfg 2"
        strictcrlpolicy=no

conn %default
        auto=route
        leftfirewall=yes
        lefthostaccess=yes
        keyingtries=1
        mobike=no
        fragmentation=yes
        leftsendcert=always

conn s2s_topeergw1
        left=1.1.1.11
        right=2.2.2.51
        auto=add
        keyexchange=ikev1
        leftauth=pubkey
        rightauth=pubkey
        leftid="/C=IN/ST=MAH/L=MUMBAI/O=Acme Systems/OU=acmenet/CN=vpnsrvgw1.acmenet.com"
        rightid="C=CN,ST=BJG,L=PKG,O=Acme Systems,OU=BJGRND,CN=vpnsrvgw2.acmenet.com"
        leftcert=/etc/ssl/certs/vpnsrvgw1cert.pem
        rightca="C=IN,ST=TELG,L=HYDERABAD,O=Acme Systems,OU=CORPHQ,CN=RDBCA"
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ike=aes128-sha1-modp1536!
        ikelifetime=28800s
        esp=aes128-sha1-modp1536!
        lifetime=3600s
        rekeymargin=180s

conn s2s_topeergw1-1
        auto=route
        also=s2s_topeergw1
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.33.0/24

root at leftgwgwdut:/etc#







As Initiator:
=============


Sep 24 10:40:33 leftgwdut VPN-RPC:<notice> Executing RPC for connection
topeergw1 to bring up
Sep 24 10:40:33 leftgwdut VPN-cfg:<notice> Bringing UP tunnel s2s_topeergw1
...
Sep 24 10:40:33 leftgwdut charon:<info> 13[CFG] received stroke: initiate
's2s_topeergw1-1'
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing ISAKMP_VENDOR task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing ISAKMP_CERT_PRE
task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing MAIN_MODE task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing ISAKMP_CERT_POST
task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing ISAKMP_NATD task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] queueing QUICK_MODE task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] activating new tasks
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE]   activating ISAKMP_VENDOR
task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE]   activating
ISAKMP_CERT_PRE task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE]   activating MAIN_MODE task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE]   activating
ISAKMP_CERT_POST task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE]   activating ISAKMP_NATD
task
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending XAuth vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending DPD vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending Acme Unity vendor
ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending FRAGMENTATION
vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending NAT-T (RFC 3947)
vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] sending
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] initiating Main Mode IKE_SA
s2s_topeergw1[2] to 2.2.2.51
Sep 24 10:40:33 leftgwdut charon:<info> Last message '14[IKE] initiating M'
repeated 1 times, supressed by syslog-ng on leftgwdut
Sep 24 10:40:33 leftgwdut charon:<info> 14[IKE] IKE_SA s2s_topeergw1[2]
state change: CREATED => CONNECTING
Sep 24 10:40:33 leftgwdut charon:<info> 14[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:40:33 leftgwdut charon:<info> 14[ENC] generating ID_PROT request
0 [ SA V V V V V V ]
Sep 24 10:40:33 leftgwdut charon:<info> 14[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (200 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 15[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (156 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 15[ENC] parsed ID_PROT response 0 [
SA V V V V ]
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE] received XAuth vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE] received DPD vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE] received Acme Unity vendor
ID
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE] received NAT-T (RFC 3947)
vendor ID
Sep 24 10:40:33 leftgwdut charon:<info> 15[CFG] selecting proposal:
Sep 24 10:40:33 leftgwdut charon:<info> 15[CFG]   proposal matches
Sep 24 10:40:33 leftgwdut charon:<info> 15[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:40:33 leftgwdut charon:<info> 15[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:40:33 leftgwdut charon:<info> 15[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE] reinitiating already active
tasks
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE]   ISAKMP_VENDOR task
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE]   ISAKMP_CERT_PRE task
Sep 24 10:40:33 leftgwdut charon:<info> 15[IKE]   MAIN_MODE task
Sep 24 10:40:33 leftgwdut charon:<info> 15[ENC] generating ID_PROT request
0 [ KE No NAT-D NAT-D ]
Sep 24 10:40:33 leftgwdut charon:<info> 15[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (308 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 16[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (550 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 16[ENC] parsed ID_PROT response 0 [
KE No CERTREQ CERTREQ CERTREQ NAT-D NAT-D ]
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] received cert request for
'C=IN, O=strongSwan, CN=strongSwan CA'
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] received cert request for
'C=IN, ST=TELG, L=HYDERABAD, O=Acme Systems, OU=CORPHQ, CN=RDBCA'
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] received cert request for
'C=IN, O=strongSwan, CN=strongSwan CA'
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] reinitiating already active
tasks
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE]   ISAKMP_VENDOR task
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE]   ISAKMP_CERT_PRE task
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE]   MAIN_MODE task
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] sending cert request for
"C=IN, ST=TELG, L=HYDERABAD, O=Acme Systems, OU=CORPHQ, CN=RDBCA"
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] authentication of 'C=IN,
ST=MAH, L=MUMBAI, O=Acme Systems, OU=acmenet, CN=vpnsrvgw1.acmenet.com'
(myself) successful
Sep 24 10:40:33 leftgwdut charon:<info> 16[IKE] sending end entity cert
"C=IN, ST=MAH, L=MUMBAI, O=Acme Systems, OU=acmenet, CN=
vpnsrvgw1.acmenet.com"
Sep 24 10:40:33 leftgwdut charon:<info> 16[ENC] generating ID_PROT request
0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Sep 24 10:40:33 leftgwdut charon:<info> 16[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (1596 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 05[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (1452 bytes)
Sep 24 10:40:33 leftgwdut charon:<info> 05[ENC] parsed ID_PROT response 0 [
ID CERT SIG ]
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] received end entity cert
"C=CN, ST=BJG, L=PKG, O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com"
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]   using certificate "C=CN,
ST=BJG, L=PKG, O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com"
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]   certificate "C=CN,
ST=BJG, L=PKG, O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com" key:
2048 bit RSA
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]   using trusted ca
certificate "C=IN, ST=TELG, L=HYDERABAD, O=Acme Systems, OU=CORPHQ,
CN=RDBCA"
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] checking certificate status
of "C=CN, ST=BJG, L=PKG, O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com
"
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] ocsp check skipped, no ocsp
found
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] certificate status is not
available
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]   certificate "C=IN,
ST=TELG, L=HYDERABAD, O=Acme Systems, OU=CORPHQ, CN=RDBCA" key: 2048 bit
RSA
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]   reached self-signed root
ca with a path length of 0
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] authentication of 'C=CN,
ST=BJG, L=PKG, O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com' with
RSA_EMSA_PKCS1_NULL successful
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] IKE_SA s2s_topeergw1[2]
established between 1.1.1.11[C=IN, ST=MAH, L=MUMBAI, O=Acme Systems,
OU=acmenet, CN=vpnsrvgw1.acmenet.com]...2.2.2.51[C=CN, ST=BJG, L=PKG,
O=Acme Systems, OU=BJGRND, CN=vpnsrvgw2.acmenet.com]
Sep 24 10:40:33 leftgwdut charon:<info> Last message '05[IKE] IKE_SA s2s_t'
repeated 1 times, supressed by syslog-ng on leftgwdut
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] IKE_SA s2s_topeergw1[2]
state change: CONNECTING => ESTABLISHED
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] scheduling reauthentication
in 28553s
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] maximum IKE_SA lifetime
28733s
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE] activating new tasks
Sep 24 10:40:33 leftgwdut charon:<info> 05[IKE]   activating QUICK_MODE
task
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep 24 10:40:33 leftgwdut charon:<info> 05[KNL] got SPI c2f8e22f
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] proposing traffic selectors
for us:
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]  192.168.1.0/24
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG] proposing traffic selectors
for other:
Sep 24 10:40:33 leftgwdut charon:<info> 05[CFG]  192.168.33.0/24
Sep 24 10:40:33 leftgwdut charon:<info> 05[ENC] generating QUICK_MODE
request 2957591986 [ HASH SA No KE ID ID ]
Sep 24 10:40:33 leftgwdut charon:<info> 05[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (380 bytes)
Sep 24 10:40:34 leftgwdut charon:<info> 06[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (380 bytes)
Sep 24 10:40:34 leftgwdut charon:<info> 06[ENC] parsed QUICK_MODE response
2957591986 [ HASH SA No KE ID ID ]
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG] selecting proposal:
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG]   proposal matches
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG] received proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG] selecting traffic selectors
for other:
Sep 24 10:40:34 leftgwdut charon:<info> 06[CFG]  config: 192.168.33.0/24,
received: 192.168.33.0/24 => match: 192.168.33.0/24
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD]   using AES_CBC for
encryption
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD]   using HMAC_SHA1_96 for
integrity
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD] adding inbound ESP SA
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD]   SPI 0xc2f8e22f, src
2.2.2.51 dst 1.1.1.11
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] adding SAD entry with SPI
c2f8e22f and reqid {1}
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using encryption
algorithm AES_CBC with key size 128
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using integrity algorithm
HMAC_SHA1_96 with key size 160
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using replay window of 32
packets
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD] adding outbound ESP SA
Sep 24 10:40:34 leftgwdut charon:<info> 06[CHD]   SPI 0xc7dea690, src
1.1.1.11 dst 2.2.2.51
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] adding SAD entry with SPI
c7dea690 and reqid {1}
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using encryption
algorithm AES_CBC with key size 128
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using integrity algorithm
HMAC_SHA1_96 with key size 160
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL]   using replay window of 0
packets
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.1.0/24 ===
192.168.33.0/24 out already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] not updating policy
192.168.1.0/24 === 192.168.33.0/24 out [priority 287712,refcount 2]
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.33.0/24 ===
192.168.1.0/24 in already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] not updating policy
192.168.33.0/24 === 192.168.1.0/24 in [priority 287712,refcount 2]
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.33.0/24 ===
192.168.1.0/24 fwd already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] not updating policy
192.168.33.0/24 === 192.168.1.0/24 fwd [priority 287712,refcount 2]
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.1.0/24 ===
192.168.33.0/24 out already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] updating policy
192.168.1.0/24 === 192.168.33.0/24 out [priority 187712, refcount 3]
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] getting a local address in
traffic selector 192.168.1.0/24
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] using host 192.168.1.1
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] getting iface name for
index 10
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] using 1.1.1.1 as nexthop
and eth0 as dev to reach 2.2.2.51/32
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.33.0/24 ===
192.168.1.0/24 in already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] updating policy
192.168.33.0/24 === 192.168.1.0/24 in [priority 187712, refcount 3]
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] policy 192.168.33.0/24 ===
192.168.1.0/24 fwd already exists, increasing refcount
Sep 24 10:40:34 leftgwdut charon:<info> 06[KNL] updating policy
192.168.33.0/24 === 192.168.1.0/24 fwd [priority 187712, refcount 3]
Sep 24 10:40:34 leftgwdut charon:<info> 06[IKE] CHILD_SA s2s_topeergw1-1{2}
established with SPIs c2f8e22f_i c7dea690_o and TS 192.168.1.0/24 ===
192.168.33.0/24
Sep 24 10:40:34 leftgwdut charon:<info> Last message '06[IKE] CHILD_SA s2s'
repeated 1 times, supressed by syslog-ng on leftgwdut
Sep 24 10:40:34 leftgwdut dnsmasq:<info> exiting on receipt of SIGTERM
Sep 24 10:40:35 leftgwdut dnsmasq:<info> started, version 2.72 cachesize
150
Sep 24 10:40:35 leftgwdut dnsmasq:<info> compile time options: IPv6
GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack
ipset auth no-DNSSEC loop-detect
Sep 24 10:40:35 leftgwdut dnsmasq-dhcp:<info> DHCP, IP range 192.168.1.100
-- 192.168.1.149, lease time 1d
Sep 24 10:40:35 leftgwdut dnsmasq:<info> using nameserver 192.168.33.68#53
for domain tester.net
Sep 24 10:40:35 leftgwdut dnsmasq:<info> using nameserver 192.168.33.25#53
for domain tester.net

#######################################



As a Responder:
================


root at leftgwgwdut:/etc#
root at leftgwgwdut:/etc#
root at leftgwgwdut:/etc# ipsec restart
root at leftgwgwdut:/etc# vi ipsec.conf
root at leftgwgwdut:/etc# tail -f /var/log/messages
Sep 24 10:39:15 leftgwgwdut charon:<info> 09[KNL] installing route:
192.168.33.0/24 via 1.1.1.1 src 192.168.1.1 dev eth0
Sep 24 10:39:15 leftgwgwdut charon:<info> 09[KNL] getting iface index for
eth0
Sep 24 10:39:15 leftgwgwdut charon:<info> 09[KNL] adding policy
192.168.33.0/24 === 192.168.1.0/24 in [priority 287712, refcount 1]
Sep 24 10:39:15 leftgwgwdut charon:<info> 09[KNL] adding policy
192.168.33.0/24 === 192.168.1.0/24 fwd [priority 287712, refcount 1]
Sep 24 10:39:15 leftgwgwdut PnP:<info> [11640]: AGENT INFO Client work
request:
Sep 24 10:39:15 leftgwgwdut PnP:<info> [11640]: AGENT INFO <?xml
version="1.0" encoding="UTF-8"?><pnp xmlns="urn:acme:pnp" version="1.0"
udi="PID:leftgw-K9,VID:V01,SN:DNI2106A050"><info
xmlns="urn:acme:pnp:work-info"
correlator="Acme-PnP-1.0-1-3f162a41-15ef-44d5-b0c3-78bd5d0e739f-1"><deviceId><authRequired>false</authRequired><udi>PID:leftgw-K9,VID:V01,SN:DNI2106A050</udi><hostname>None</hostname></deviceId></info></pnp>
Sep 24 10:39:15 leftgwgwdut PnP:<info> [11640]: AGENT INFO address_type is
ipv4
Sep 24 10:39:15 leftgwgwdut PnP:<info> [11640]: AGENT INFO PNP requests
with url: http://127.0.0.1:80/pnp/WORK-REQUEST
Sep 24 10:39:15 leftgwgwdut PnP:<error> [11640]: AGENT ERROR HTTP Error
403: Forbidden
Sep 24 10:39:16 leftgwgwdut lldpd:<info> lldp_send: LLDP packet sent on LAN
interface eth2 , Ports = 0xf
Sep 24 10:39:28 leftgwgwdut ripd:<debug> update timer fire!
Sep 24 10:39:30 leftgwgwdut PnP:<error> [11640]: AGENT ERROR Exception in
trying send_work_request(): HTTP Error 403: Forbidden
Sep 24 10:39:30 leftgwgwdut PnP:<error> [11640]: AGENT ERROR <class
'urllib2.HTTPError'>
Sep 24 10:39:33 leftgwgwdut PnP:<info> [11640]: AGENT INFO Client work
request:
Sep 24 10:39:33 leftgwgwdut PnP:<info> [11640]: AGENT INFO <?xml
version="1.0" encoding="UTF-8"?><pnp xmlns="urn:acme:pnp" version="1.0"
udi="PID:leftgw-K9,VID:V01,SN:DNI2106A050"><info
xmlns="urn:acme:pnp:work-info"
correlator="Acme-PnP-1.0-1-3f162a41-15ef-44d5-b0c3-78bd5d0e739f-1"><deviceId><authRequired>false</authRequired><udi>PID:leftgw-K9,VID:V01,SN:DNI2106A050</udi><hostname>None</hostname></deviceId></info></pnp>
Sep 24 10:39:33 leftgwgwdut PnP:<info> [11640]: AGENT INFO address_type is
ipv4
Sep 24 10:39:33 leftgwgwdut PnP:<info> [11640]: AGENT INFO PNP requests
with url: http://127.0.0.1:80/pnp/WORK-REQUEST
Sep 24 10:39:33 leftgwgwdut PnP:<error> [11640]: AGENT ERROR HTTP Error
403: Forbidden
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (176 bytes)
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[ENC] parsed ID_PROT request 0
[ SA V V V V V ]
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] looking for an ike config
for 1.1.1.11...2.2.2.51
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG]   candidate:
1.1.1.11...2.2.2.51, prio 3100
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] found matching ike
config: 1.1.1.11...2.2.2.51 with prio 3100
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] received XAuth vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] received DPD vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] received Acme Unity
vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] received NAT-T (RFC 3947)
vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] received
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] 2.2.2.51 is initiating a
Main Mode IKE_SA
Sep 24 10:39:34 leftgwgwdut charon:<info> Last message '12[IKE] 2.2.2.51 is
' repeated 1 times, supressed by syslog-ng on leftgwgwdut
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] IKE_SA (unnamed)[1] state
change: CREATED => CONNECTING
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] selecting proposal:
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG]   proposal matches
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] sending XAuth vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] sending DPD vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] sending Acme Unity vendor
ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[IKE] sending NAT-T (RFC 3947)
vendor ID
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[ENC] generating ID_PROT
response 0 [ SA V V V V ]
Sep 24 10:39:34 leftgwgwdut charon:<info> 12[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (156 bytes)
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (308 bytes)
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[ENC] parsed ID_PROT request 0
[ KE No NAT-D NAT-D ]
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center,
CN=T-TeleSec GlobalRoot Class 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TR, L=Gebze - Kocaeli, O=T??rkiye Bilimsel ve Teknolojik Ara??t??rma
Kurumu - T??B??TAK, OU=Ulusal Elektronik ve Kriptoloji Ara??t??rma
Enstit??s?? - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=T??B??TAK UEKAE K??k
Sertifika Hizmet Sa??lay??c??s?? - S??r??m 3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=Ankara,
O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??. (c)
Aral??k 2007"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=Ankara,
O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??. (c)
Kas??m 2005"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=ANKARA,
O=(c) 2005 T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri
A.??."
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA, CN=TC
TrustCenter Universal CA I"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 3 CA, CN=TC
TrustCenter Class 3 CA II"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC
TrustCenter Class 2 CA II"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA
2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CH, O=SwissSign AG, CN=SwissSign Platinum CA - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom
Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> Last message '13[IKE] sending
cert' repeated 1 times, supressed by syslog-ng on leftgwgwdut
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc.,
CN=Starfield Services Root Certificate Authority - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc.,
CN=Starfield Root Certificate Authority - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification
Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FI, O=Sonera, CN=Sonera Class2 CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FI, O=Sonera, CN=Sonera Class1 CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV
RootCA1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=Deutscher Sparkassen Verlag GmbH, OU=S-TRUST Certification
Services, CN=S-TRUST Universal Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, ST=Baden-Wuerttemberg (BW), L=Stuttgart, O=Deutscher Sparkassen
Verlag GmbH, CN=S-TRUST Authentication and Encryption Root CA 2005:PN"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=SG TRUST SERVICES RACINE, OU=0002 43525289500022, O=SG TRUST SERVICES,
C=FR"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat
Valenciana"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"O=RSA Security Inc, OU=RSA Security 2048 V3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis
Root Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"E=contacto at procert.net.ve, L=Chacao, ST=Miranda, OU=Proveedor de
Certificados PROCERT, O=Sistema Nacional de Certificacion Electronica,
C=VE, CN=PSCProcert"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed,
CN=OISTE WISeKey Global Root GA CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate
Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado, E=
info at netlock.hu"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, ST=Hungary, L=Budapest, O=NetLock Halozatbiztonsagi Kft.,
OU=Tanusitvanykiadok, CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Expressz (Class C) Tanusitvanykiado"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok,
CN=NetLock Uzleti (Class B) Tanusitvanykiado"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification
Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=
info at e-szigno.hu"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno
Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"E=pki at sk.ee, C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ES, O=IZENPE S.A., CN=Izenpe.com"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, CN=IGC/A, E=
igca at sgdn.pm.gouv.fr"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GR, O=Hellenic Academic and Research Institutions Cert. Authority,
CN=Hellenic Academic and Research Institutions RootCA 2011"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root
Certificate Authority - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification
Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=EU, L=Madrid (see current address at www.camerfirma.com/address),
SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use
only, CN=GeoTrust Primary Certification Authority - G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Equifax Secure Inc., CN=Equifax Secure eBusiness CA-1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Equifax, OU=Equifax Secure Certificate Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009
Entrust, Inc. - for authorized use only, CN=Entrust Root Certification
Authority - G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by
reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification
Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority
(2048)"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??.,
OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=
pki at sk.ee"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis
Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03,
OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=EBG Elektronik Sertifika Hizmet Sa??lay??c??s??, O=EBG Bili??im
Teknolojileri ve Hizmetleri A.??., C=TR"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Digital Signature Trust Co., OU=DSTCA E2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Digital Signature Trust Co., OU=DSTCA E1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV
Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche
Telekom Root CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"O=Digital Signature Trust Co., CN=DST Root CA X3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"O=Cybertrust, Inc, CN=Cybertrust Global Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted
Certificate Services"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure
Certificate Services"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA
Certificate Services"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=ComSign Secured CA, O=ComSign, C=IL"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=ComSign CA, O=ComSign, C=IL"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, O=China Internet Network Information Center, CN=China Internet
Network Information Center EV Certificates Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=EU, L=Madrid (see current address at www.camerfirma.com/address),
SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority,
CN=Certum Trusted Network CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=PL, O=Unizeto Sp. z o.o., CN=Certum CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FR, O=Certplus, CN=Class 2 Primary CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit?? Racine"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=FR, O=Dhimyotis, CN=Certigna"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org,
CN=Global Chambersign Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org,
CN=Chambers of Commerce Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA
Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, O=CNNIC, CN=CNNIC ROOT"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=JP, O=Japanese Government, OU=ApplicationCA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA
Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust
External CA Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication
Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=AT, O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,
OU=A-Trust-nQual-03, CN=A-Trust-nQual-03"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CO, O=Sociedad Cameral de Certificaci??n Digital - Certic??mara S.A.,
CN=AC Ra??z Certic??mara S.A."
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008
thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006
thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=Indiana, L=Indianapolis, O=Software in the Public Interest,
OU=hostmaster, CN=Certificate Authority, E=hostmaster at spi-inc.org"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust
RSA Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure
Public Root Certificate Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=
http://www.usertrust.com, CN=UTN - DATACorp SGC"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp
Global Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=TW, O=Government Root Certification Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, O=WoSign CA Limited, CN=CA ???????????????"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"O=TeliaSonera, CN=TeliaSonera Root CA v1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=
http://www.usertrust.com, CN=UTN-USERFirst-Client Authentication and Email"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center,
CN=T-TeleSec GlobalRoot Class 3"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign,
Inc. - For authorized use only, CN=VeriSign Universal Root Certification
Authority"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign,
Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary
Certification Authority - G5"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=
http://www.usertrust.com, CN=UTN-USERFirst-Hardware"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=CN, ST=PKGN, L=BJGN, O=ACME-SYSTEMS, OU=CORPHQ, CN=leftgwDUTCA1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce
Root"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IN, ST=TELG, L=HYDERABAD, O=Acme Systems, OU=CORPHQ, CN=RDBCA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IN, O=strongSwan, CN=strongSwan CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[ENC] generating ID_PROT
response 0 [ KE No CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ
CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CERTREQ CER
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:39:38 leftgwgwdut charon:<info> 15[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (308 bytes)
Sep 24 10:39:38 leftgwgwdut charon:<info> 15[IKE] received retransmit of
request with ID 0, retransmitting response
Sep 24 10:39:38 leftgwgwdut charon:<info> 15[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:39:44 leftgwgwdut lldpd:<info> lldp_decode: LLDP packet received
on LAN port [99] on interface eth2
Sep 24 10:39:45 leftgwgwdut charon:<info> 16[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (308 bytes)
Sep 24 10:39:45 leftgwgwdut charon:<info> 16[IKE] received retransmit of
request with ID 0, retransmitting response
Sep 24 10:39:45 leftgwgwdut charon:<info> 16[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:39:46 leftgwgwdut lldpd:<info> lldp_send: LLDP packet sent on LAN
interface eth2 , Ports = 0xf
Sep 24 10:39:49 leftgwgwdut PnP:<error> [11640]: AGENT ERROR Exception in
trying send_work_request(): HTTP Error 403: Forbidden
Sep 24 10:39:49 leftgwgwdut PnP:<error> [11640]: AGENT ERROR <class
'urllib2.HTTPError'>
Sep 24 10:39:53 leftgwgwdut PnP:<info> [11640]: AGENT INFO Client work
request:
Sep 24 10:39:53 leftgwgwdut PnP:<info> [11640]: AGENT INFO <?xml
version="1.0" encoding="UTF-8"?><pnp xmlns="urn:acme:pnp" version="1.0"
udi="PID:leftgw-K9,VID:V01,SN:DNI2106A050"><info
xmlns="urn:acme:pnp:work-info"
correlator="Acme-PnP-1.0-1-3f162a41-15ef-44d5-b0c3-78bd5d0e739f-1"><deviceId><authRequired>false</authRequired><udi>PID:leftgw-K9,VID:V01,SN:DNI2106A050</udi><hostname>None</hostname></deviceId></info></pnp>
Sep 24 10:39:53 leftgwgwdut PnP:<info> [11640]: AGENT INFO address_type is
ipv4
Sep 24 10:39:53 leftgwgwdut PnP:<info> [11640]: AGENT INFO PNP requests
with url: http://127.0.0.1:80/pnp/WORK-REQUEST
Sep 24 10:39:53 leftgwgwdut PnP:<error> [11640]: AGENT ERROR HTTP Error
403: Forbidden
Sep 24 10:39:53 leftgwgwdut ripd:<debug> update timer fire!
Sep 24 10:39:58 leftgwgwdut charon:<info> 06[NET] received packet: from
2.2.2.51[500] to 1.1.1.11[500] (308 bytes)
Sep 24 10:39:58 leftgwgwdut charon:<info> 06[IKE] received retransmit of
request with ID 0, retransmitting response
Sep 24 10:39:58 leftgwgwdut charon:<info> 06[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:40:00 leftgwgwdut crond:<info> USER root pid 8317 cmd
/usr/bin/cron.d/command/every_5minutes
Sep 24 10:40:00 leftgwgwdut crond:<info> USER root pid 8318 cmd
/usr/bin/cron.d/command/every_10minutes
Sep 24 10:40:04 leftgwgwdut charon:<info> 07[JOB] deleting half open IKE_SA
after timeout
Sep 24 10:40:04 leftgwgwdut charon:<info> 07[IKE] IKE_SA (unnamed)[1] state
change: CONNECTING => DESTROYING

-------------------------------------------------------------------------

hope the above info helps

thanks & regards
Rajiv

On Fri, Sep 22, 2017 at 12:36 PM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Rajiv,
>
> > I have used the <rightca="ca-dn"> option in a IKEv1 gateway to gateway
> > tunnel on GW1 running strongswan 5.5.1.
>
> Please look for the log message "CA certificate ... not found,
> discarding CA constraint" when the config is loaded.
>
> Regards,
> Tobias
>
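
The pattern in the trace above (a responder logging one "sending cert request for" line per CA in its store, then an 18931-byte ID_PROT response that the peer keeps re-requesting) can be picked out of a syslog capture automatically. The following is an added example, not part of the original message and not strongSwan code: the sample lines are constructed in the log format shown above, and the function names, the `expected_cas` limit and the 1400-byte size threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the trace above, mail-wrapped lines included.
SAMPLE = """\
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Example Org, CN=Example Root CA 1"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=US, O=Example Org, CN=Example Root CA 2"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[IKE] sending cert request for
"C=IN, O=strongSwan, CN=strongSwan CA"
Sep 24 10:39:34 leftgwgwdut charon:<info> 13[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:39:38 leftgwgwdut charon:<info> 15[IKE] received retransmit of
request with ID 0, retransmitting response
Sep 24 10:39:38 leftgwgwdut charon:<info> 15[NET] sending packet: from
1.1.1.11[500] to 2.2.2.51[500] (18931 bytes)
Sep 24 10:40:00 leftgwgwdut crond:<info> USER root pid 8317 cmd
/usr/bin/cron.d/command/every_5minutes
"""

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")       # syslog timestamp
CHARON = re.compile(r"charon:<\w+> (\d+)\[(\w+)\] (.*)$")        # thread, subsystem, text
CERTREQ = re.compile(r'sending cert request for "(.+)"$')
SENT = re.compile(r"sending packet: from \S+ to (\S+)\[\d+\] \((\d+) bytes\)")

def unwrap(text):
    """Rejoin records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def analyse(text, expected_cas=1, max_bytes=1400):
    """Flag sent packets preceded by more cert requests than expected_cas.
    expected_cas=1 models a connection with a single rightca (assumption)."""
    pending = defaultdict(list)      # charon thread id -> CA DNs queued for next send
    findings, retransmits = [], 0
    for rec in unwrap(text):
        m = CHARON.search(rec)
        if not m:
            continue                 # lines from other daemons (crond, lldpd, ...)
        thread, _subsys, msg = m.groups()
        if (c := CERTREQ.search(msg)):
            pending[thread].append(c.group(1))
        elif "received retransmit of request" in msg:
            retransmits += 1
        elif (s := SENT.search(msg)):
            cas = pending.pop(thread, [])
            size = int(s.group(2))
            if len(cas) > expected_cas:
                findings.append({"peer": s.group(1), "bytes": size,
                                 "oversized": size > max_bytes, "cas": cas})
    return findings, retransmits

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Run against a full capture, each finding lists the CA DNs requested in one response, so a connection that should be constrained to one CA stands out immediately.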