[strongSwan] dhcp plugin, isc-dhcp vs dnsmasq

Harald Dunkel harald.dunkel at aixigo.de
Wed Jan 16 09:38:10 CET 2019


Hi folks,

attached you can find charon's and dnsmasq's log files (running on the
same hardware).

Hope this helps
Harri
-------------- next part --------------
Jan 14 10:48:07 12[NET] <43> received packet: from 192.168.1.13[61985] to 192.168.1.209[500] (1256 bytes)
Jan 14 10:48:07 12[ENC] <43> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 14 10:48:07 12[IKE] <43> 192.168.1.13 is initiating an IKE_SA
Jan 14 10:48:07 12[CFG] <43> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 14 10:48:07 12[IKE] <43> remote host is behind NAT
Jan 14 10:48:07 12[IKE] <43> sending cert request for "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 12[IKE] <43> sending cert request for "C=DE, O=example AG, CN=ws-CA"
Jan 14 10:48:07 12[IKE] <43> sending cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 12[ENC] <43> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) V ]
Jan 14 10:48:07 12[NET] <43> sending packet: from 192.168.1.209[500] to 192.168.1.13[61985] (549 bytes)
Jan 14 10:48:07 31[NET] <43> received packet: from 192.168.1.13[63486] to 192.168.1.209[4500] (1236 bytes)
Jan 14 10:48:07 31[ENC] <43> parsed IKE_AUTH request 1 [ EF(1/3) ]
Jan 14 10:48:07 31[ENC] <43> received fragment #1 of 3, waiting for complete IKE message
Jan 14 10:48:07 10[NET] <43> received packet: from 192.168.1.13[63486] to 192.168.1.209[4500] (1236 bytes)
Jan 14 10:48:07 10[ENC] <43> parsed IKE_AUTH request 1 [ EF(2/3) ]
Jan 14 10:48:07 10[ENC] <43> received fragment #2 of 3, waiting for complete IKE message
Jan 14 10:48:07 18[NET] <43> received packet: from 192.168.1.13[63486] to 192.168.1.209[4500] (900 bytes)
Jan 14 10:48:07 18[ENC] <43> parsed IKE_AUTH request 1 [ EF(3/3) ]
Jan 14 10:48:07 18[ENC] <43> received fragment #3 of 3, reassembled fragmented IKE message (3232 bytes)
Jan 14 10:48:07 18[ENC] <43> parsed IKE_AUTH request 1 [ IDi CERT CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 14 10:48:07 18[IKE] <43> received cert request for "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 18[IKE] <43> received end entity cert "C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de"
Jan 14 10:48:07 18[IKE] <43> received issuer cert "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[CFG] <43> looking for peer configs matching 192.168.1.209[%any]...192.168.1.13[C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de]
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> selected peer config 'IPSec-IKEv2'
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using certificate "C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using trusted intermediate ca certificate "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> checking certificate status of "C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   fetching crl from 'http://pki.example.de/pki/ipsec-ca.crl' ...
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   reached self-signed root ca with a path length of 0
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using trusted certificate "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   crl correctly signed by "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   crl is stale: since Mar 31 09:52:00 2018
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> certificate status is unknown, crl is stale
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using trusted ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> checking certificate status of "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using trusted certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   crl correctly signed by "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   crl is valid: until Oct 08 12:58:37 2038
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   using cached crl
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> certificate status is good
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   reached self-signed root ca with a path length of 1
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> authentication of 'C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> peer supports MOBIKE
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> authentication of 'ipsecgate.example.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> IKE_SA IPSec-IKEv2[43] established between 192.168.1.209[ipsecgate.example.com]...192.168.1.13[C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de]
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> scheduling reauthentication in 85624s
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> maximum IKE_SA lifetime 86164s
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> sending end entity cert "C=DE, ST=NRW, L=Metropolis, O=example AG, CN=ipsecgate.example.com, E=security at example.de"
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> sending issuer cert "C=DE, ST=NRW, O=example AG, OU=TI, CN=ipsec-ca"
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> peer requested virtual IP %any
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:08 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:10 16[CFG] received DHCP OFFER 172.16.122.65 from 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 15[CFG] received DHCP ACK for 172.16.122.65
Jan 14 10:48:10 18[IKE] <IPSec-IKEv2|43> assigning virtual IP 172.16.122.65 to peer 'C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de'
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 14 10:48:10 18[IKE] <IPSec-IKEv2|43> CHILD_SA IPSec-IKEv2{93} established with SPIs c56bd00d_i c87f7ba8_o and TS 10.47.11.0/24 80.87.169.96/27 172.16.96.0/19 172.22.111.0/24 172.23.15.0/24 185.32.32.0/27 === 172.16.122.65/32
Jan 14 10:48:10 18[ENC] <IPSec-IKEv2|43> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH CPRP(ADDR DNS DNS DNS NBNS U_DEFDOM U_SPLITDNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 14 10:48:10 18[ENC] <IPSec-IKEv2|43> splitting IKE message (3328 bytes) into 3 fragments
Jan 14 10:48:10 18[ENC] <IPSec-IKEv2|43> generating IKE_AUTH response 1 [ EF(1/3) ]
Jan 14 10:48:10 18[ENC] <IPSec-IKEv2|43> generating IKE_AUTH response 1 [ EF(2/3) ]
Jan 14 10:48:10 18[ENC] <IPSec-IKEv2|43> generating IKE_AUTH response 1 [ EF(3/3) ]
Jan 14 10:48:10 18[NET] <IPSec-IKEv2|43> sending packet: from 192.168.1.209[4500] to 192.168.1.13[63486] (1236 bytes)
Jan 14 10:48:10 18[NET] <IPSec-IKEv2|43> sending packet: from 192.168.1.209[4500] to 192.168.1.13[63486] (1236 bytes)
Jan 14 10:48:10 18[NET] <IPSec-IKEv2|43> sending packet: from 192.168.1.209[4500] to 192.168.1.13[63486] (996 bytes)
-------------- next part --------------
Jan 14 10:48:00 dnsmasq-dhcp[10542]: 1657285313 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:00 dnsmasq-dhcp[10542]: 1657285313 DHCPRELEASE(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:07 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPDISCOVER(eth1) 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPOFFER(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  2
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPDISCOVER(eth1) 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPOFFER(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  2
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPDISCOVER(eth1) 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPOFFER(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  2
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPREQUEST(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPACK(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  5
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPREQUEST(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPACK(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  5
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPREQUEST(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 tags: eth1
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPACK(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59 
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 requested options: 6:dns-server, 44:netbios-ns
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 next server: 172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  1 option: 53 message-type  5
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 54 server-identifier  172.16.122.9
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 51 lease-time  12h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 58 T1  6h
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 59 T2  10h30m
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  1 netmask  255.255.255.0
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option: 28 broadcast  172.16.122.255
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 sent size:  4 option:  6 dns-server  172.16.122.9
Jan 14 10:48:10 dnsmasq[10542]: query[SOA] local from 172.16.122.65
Jan 14 10:48:10 dnsmasq[10542]: forwarded local to 172.16.96.124
Jan 14 10:48:10 dnsmasq[10542]: forwarded local to 172.16.96.123
Jan 14 10:48:10 dnsmasq[10542]: query[SOA] local from 172.16.122.65
Jan 14 10:48:10 dnsmasq[10542]: forwarded local to 172.16.96.124
Jan 14 10:48:10 dnsmasq[10542]: forwarded local to 172.16.96.123
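The two attachments above can be cross-checked mechanically. The Python script below is an added example and is not part of Harri's mail nor code from strongSwan or dnsmasq. It parses excerpts copied from both attachments (syslog timestamps carry no year, so 2019, the year of the mail, is assumed), reconstructs the DHCP exchange from charon's side (three DISCOVERs before an OFFER arrived), measures how long after charon's first DISCOVER dnsmasq logged one, and flags any IKE_SA in which a peer certificate was accepted while its revocation status was unknown, which the charon log shows happened here because the ipsec-ca CRL was stale.

```python
import re
from datetime import datetime

# Lines excerpted from the charon log attached above. Syslog timestamps carry
# no year, so YEAR is an assumption (the mail is from January 2019).
YEAR = 2019

CHARON_LOG = """\
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43>   crl is stale: since Mar 31 09:52:00 2018
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> certificate status is unknown, crl is stale
Jan 14 10:48:07 18[IKE] <IPSec-IKEv2|43> authentication of 'C=DE, ST=NRW, L=Metropolis, O=example AG, CN=roadwarrior.ac.example.de, E=security at example.de' with RSA_EMSA_PKCS1_SHA2_256 successful
Jan 14 10:48:07 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:08 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP DISCOVER to 172.16.122.9
Jan 14 10:48:10 16[CFG] received DHCP OFFER 172.16.122.65 from 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 18[CFG] <IPSec-IKEv2|43> sending DHCP REQUEST for 172.16.122.65 to 172.16.122.9
Jan 14 10:48:10 15[CFG] received DHCP ACK for 172.16.122.65
"""

# Lines excerpted from the dnsmasq log attached above.
DNSMASQ_LOG = """\
Jan 14 10:48:07 dnsmasq-dhcp[10542]: 2364812771 available DHCP range: 172.16.122.10 -- 172.16.122.254
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPDISCOVER(eth1) 7a:a7:c5:fc:7d:59
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPOFFER(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPREQUEST(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59
Jan 14 10:48:10 dnsmasq-dhcp[10542]: 2364812771 DHCPACK(eth1) 172.16.122.65 7a:a7:c5:fc:7d:59
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
# charon: "<timestamp> <thread>[GROUP] [<sa-tag>] message"; the SA tag is absent
# on lines logged outside an IKE_SA context (e.g. the received DHCP OFFER/ACK).
CHARON_RE = re.compile(TS + r" (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?:<(?P<sa>[^>]*)> )?(?P<msg>.*)$")
# dnsmasq: "<timestamp> dnsmasq-dhcp[pid]: <xid> DHCPxxx(iface) ..."
DNSMASQ_RE = re.compile(TS + r" dnsmasq-dhcp\[\d+\]: (?P<xid>\d+) (?P<kind>DHCP[A-Z]+)\((?P<iface>\w+)\)")


def _stamp(ts):
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_charon(text):
    """Split charon lines into timestamp, log group, IKE_SA tag and message."""
    out = []
    for line in text.splitlines():
        m = CHARON_RE.match(line)
        if m:
            out.append({"ts": _stamp(m["ts"]), "group": m["group"],
                        "sa": m["sa"], "msg": m["msg"].strip()})
    return out


def dhcp_timeline(records):
    """Count DISCOVER/REQUEST retransmits and the seconds charon waited for the
    OFFER and the ACK. The 'received' lines come from another thread without an
    SA tag, so the exchange is matched in log order rather than by SA."""
    first = {}
    counts = {"DISCOVER": 0, "REQUEST": 0}
    waits = {"OFFER": None, "ACK": None}
    for r in records:
        if r["group"] != "CFG":
            continue
        m = re.match(r"sending DHCP (DISCOVER|REQUEST)", r["msg"])
        if m:
            counts[m[1]] += 1
            first.setdefault(m[1], r["ts"])
            continue
        m = re.match(r"received DHCP (OFFER|ACK)", r["msg"])
        if m and waits[m[1]] is None:
            sent = first.get("DISCOVER" if m[1] == "OFFER" else "REQUEST")
            if sent:
                waits[m[1]] = (r["ts"] - sent).total_seconds()
    return {"discovers": counts["DISCOVER"], "offer_wait_s": waits["OFFER"],
            "requests": counts["REQUEST"], "ack_wait_s": waits["ACK"],
            "first_discover": first.get("DISCOVER")}


def discover_delay_at_server(charon_records, dnsmasq_text):
    """Seconds between charon's first DISCOVER and the first DHCPDISCOVER that
    dnsmasq logged; None if either side is missing from the logs."""
    sent = dhcp_timeline(charon_records)["first_discover"]
    for line in dnsmasq_text.splitlines():
        m = DNSMASQ_RE.match(line)
        if m and m["kind"] == "DHCPDISCOVER" and sent:
            return (_stamp(m["ts"]) - sent).total_seconds()
    return None


def revocation_findings(records):
    """Return (IKE_SA, reason) for every SA in which a peer certificate was
    accepted although charon could not determine its revocation status."""
    unknown, findings = {}, []
    for r in records:
        msg, sa = r["msg"], r["sa"]
        if msg.startswith("certificate status is unknown"):
            unknown[sa] = msg.partition(", ")[2] or "no reason logged"
        elif (sa in unknown and msg.startswith("authentication of")
              and msg.endswith("successful") and "(myself)" not in msg):
            findings.append((sa, unknown.pop(sa)))
    return findings


if __name__ == "__main__":
    recs = parse_charon(CHARON_LOG)
    print(dhcp_timeline(recs))
    print("dnsmasq logged the first DISCOVER after", discover_delay_at_server(recs, DNSMASQ_LOG), "s")
    for sa, reason in revocation_findings(recs):
        print(f"{sa}: peer authenticated with revocation status unknown ({reason})")
```

Run against the excerpts, the script reports three DISCOVERs with a 3 s wait for the OFFER, three REQUESTs answered immediately, a 3 s gap before dnsmasq logged any DHCPDISCOVER, and one finding for IKE_SA `IPSec-IKEv2|43` whose peer was authenticated while the CRL was stale; the same functions can be pointed at full charon and dnsmasq log files to watch both the DHCP latency and the revocation-check outcome over time.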

