[Swan] Site-to-site with public member addresses, routing trouble

Jesse Butcher boweeb at gmail.com
Wed Jul 6 18:56:25 UTC 2016


Thanks Paul.

> You do not need to manually change any routing for IPsec to work.

I'm aware of this in principle, but the VPN endpoints aren't the default
gateway for the member hosts and the actual default gateway is unaware
of the tunnel.  Our side is in a datacenter that we are a client of, so
configuration on the gateway is not trivial.  So there has to at least
be a route installed on the members to point to the tunnel, right?  In
the past a simple `ip route add <remote_subnet> via <our_endpoint>` on
the members was all I needed to get the magic to happen.

The iptables rules are a bit complicated because we use firewalld, but
from firewalld's perspective the rules are quite simple.  I'm afraid my
experience with dealing with iptables directly is at the novice level.

Output of `firewall-cmd --list-all`:
dmz (default, active)
  interfaces: ens160 ens192
  sources:
  services: ssh
  ports: 500/udp 4500/udp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
        rule protocol value="ah" accept
        rule protocol value="esp" accept


After adding this:
iptables -t nat -I POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy
--dir out --pol none -j MASQUERADE

No success with pings.  I'm attaching the output of `iptables-save` and
the logs after `ipsec whack --debug-all` and sending four pings from a
member host.  Also two pcaps: one with the member using its LAN IP
and one with its public IP.

Thanks again for your assistance.  Is there any other diagnostic
information I can provide?

--
Jesse Butcher



On 7/6/16 10:30 AM, Paul Wouters wrote:
> On Wed, 6 Jul 2016, Jesse Butcher wrote:
>
>> We have successfully established SAs with no errors but I am having
>> trouble configuring the routing on our side.
>
> You do not need to manually change any routing for IPsec to work.
>
> More likely, you are NATing packets meant for IPsec. You might need
> to update your SNAT or MASQUERADE rules to not apply when the packets
> are meant for IPsec tunnels.
>
> something like:
>
> iptables -t nat -I POSTROUTING -s 10.0.0.0/8 -o eth+ -m policy --dir
> out --pol none -j MASQUERADE
>
> This would ensure packets that have a --pol ipsec would not get NAT'ed.
>
> Paul
>

-------------- next part --------------
# Generated by iptables-save v1.4.21 on Wed Jul  6 14:24:55 2016
*nat
:PREROUTING ACCEPT [2:428]
:INPUT ACCEPT [1:344]
:OUTPUT ACCEPT [12:870]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_dmz - [0:0]
:POST_dmz_allow - [0:0]
:POST_dmz_deny - [0:0]
:POST_dmz_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens192 -g POST_dmz
-A POSTROUTING_ZONES -o ens160 -g POST_dmz
-A POSTROUTING_ZONES -g POST_dmz
-A POST_dmz -j POST_dmz_log
-A POST_dmz -j POST_dmz_deny
-A POST_dmz -j POST_dmz_allow
-A POST_dmz_allow ! -i lo -j MASQUERADE
-A PREROUTING_ZONES -i ens192 -g PRE_dmz
-A PREROUTING_ZONES -i ens160 -g PRE_dmz
-A PREROUTING_ZONES -g PRE_dmz
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
COMMIT
# Completed on Wed Jul  6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul  6 14:24:55 2016
*mangle
:PREROUTING ACCEPT [475:42810]
:INPUT ACCEPT [471:42530]
:FORWARD ACCEPT [4:280]
:OUTPUT ACCEPT [325:67632]
:POSTROUTING ACCEPT [329:67912]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_dmz - [0:0]
:PRE_dmz_allow - [0:0]
:PRE_dmz_deny - [0:0]
:PRE_dmz_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i ens192 -g PRE_dmz
-A PREROUTING_ZONES -i ens160 -g PRE_dmz
-A PREROUTING_ZONES -g PRE_dmz
-A PRE_dmz -j PRE_dmz_log
-A PRE_dmz -j PRE_dmz_deny
-A PRE_dmz -j PRE_dmz_allow
COMMIT
# Completed on Wed Jul  6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul  6 14:24:55 2016
*security
:INPUT ACCEPT [471:42530]
:FORWARD ACCEPT [4:280]
:OUTPUT ACCEPT [325:67632]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jul  6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul  6 14:24:55 2016
*raw
:PREROUTING ACCEPT [475:42810]
:OUTPUT ACCEPT [325:67632]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Wed Jul  6 14:24:55 2016
# Generated by iptables-save v1.4.21 on Wed Jul  6 14:24:55 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [325:67632]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_dmz - [0:0]
:FWDI_dmz_allow - [0:0]
:FWDI_dmz_deny - [0:0]
:FWDI_dmz_log - [0:0]
:FWDO_dmz - [0:0]
:FWDO_dmz_allow - [0:0]
:FWDO_dmz_deny - [0:0]
:FWDO_dmz_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_dmz - [0:0]
:IN_dmz_allow - [0:0]
:IN_dmz_deny - [0:0]
:IN_dmz_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens192 -g FWDI_dmz
-A FORWARD_IN_ZONES -i ens160 -g FWDI_dmz
-A FORWARD_IN_ZONES -g FWDI_dmz
-A FORWARD_OUT_ZONES -o ens192 -g FWDO_dmz
-A FORWARD_OUT_ZONES -o ens160 -g FWDO_dmz
-A FORWARD_OUT_ZONES -g FWDO_dmz
-A FWDI_dmz -j FWDI_dmz_log
-A FWDI_dmz -j FWDI_dmz_deny
-A FWDI_dmz -j FWDI_dmz_allow
-A FWDO_dmz -j FWDO_dmz_log
-A FWDO_dmz -j FWDO_dmz_deny
-A FWDO_dmz -j FWDO_dmz_allow
-A FWDO_dmz_allow -j ACCEPT
-A INPUT_ZONES -i ens192 -g IN_dmz
-A INPUT_ZONES -i ens160 -g IN_dmz
-A INPUT_ZONES -g IN_dmz
-A IN_dmz -j IN_dmz_log
-A IN_dmz -j IN_dmz_deny
-A IN_dmz -j IN_dmz_allow
-A IN_dmz_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_dmz_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Jul  6 14:24:55 2016
-------------- next part --------------
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | base debugging = raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | handling event EVENT_PENDING_DDNS
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule called for 60 seconds
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule_tv called for about 60 seconds and change
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | inserting event EVENT_PENDING_DDNS, timeout in 60.000000 seconds
Jul 06 14:32:57 hcl-vpn.signetaccel.com pluto[7558]: | elapsed time in connection_check_ddns for hostname lookup 0.000000
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:32:59 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:33:01 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | handling event EVENT_SHUNT_SCAN
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | expiring aged bare shunts
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule called for 20 seconds
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | event_schedule_tv called for about 20 seconds and change
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | inserting event EVENT_SHUNT_SCAN, timeout in 20.000000 seconds
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | *received 92 bytes from 128.151.71.71:4500 on ens160 (port=4500)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   0b 9f fb d3  c5 ed a7 b1  27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   08 10 05 01  4a de cd fa  00 00 00 5c  59 b5 77 df
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   04 47 97 95  f8 10 d2 86  2f 10 86 bb  cd e0 74 a4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   7c 25 3e 7c  8b bc 24 2c  05 45 07 d6  63 d9 b9 12
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   00 6b c5 f2  34 64 d4 e0  f6 84 d6 78  d4 f7 31 90
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   ae 18 0a 2a  d4 11 46 f9  e3 55 d8 69
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | **parse ISAKMP Message:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    initiator cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   0b 9f fb d3  c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    responder cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_HASH (0x8)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    exchange type: ISAKMP_XCHG_INFO (0x5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    message ID:  4a de cd fa
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    length: 92 (0x5c)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | finding hash chain in state hash table
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   ICOOKIE:  0b 9f fb d3  c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   RCOOKIE:  27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | found hash chain 4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match on #206; msgid=00000000 st_msgid=58dc3bea st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match on #205; msgid=00000000 st_msgid=df9487ff st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | peer and cookies match on #204; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | p15 state object #204 found, in STATE_MAIN_I4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | processing connection "URochesterMC/2x0"
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | last Phase 1 IV:  b5 58 8d 67  5a d7 40 fd  66 a1 42 d0  a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | current Phase 1 IV:  b5 58 8d 67  5a d7 40 fd  66 a1 42 d0  a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | computed Phase 2 IV:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   a2 44 04 ad  2d 2c a9 5f  fb 00 4a 16  0e ad 92 3b
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   f2 49 2a 64
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | #204 state_busy:2235 st != NULL && st->st_calculating == FALSE;
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | received encrypted packet from 128.151.71.71:4500
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | decrypting 64 bytes using algorithm OAKLEY_AES_CBC
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes - enter
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes - exit
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | decrypted:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   0b 00 00 18  97 4f 12 9e  c4 3d 01 2a  85 c2 98 ee
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   3b e1 cb 10  7e 57 b4 f8  00 00 00 20  00 00 00 01
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   01 10 8d 28  0b 9f fb d3  c5 ed a7 b1  27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   04 ce 67 a2  07 fc a5 07  00 00 00 00  00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next IV:  d4 f7 31 90  ae 18 0a 2a  d4 11 46 f9  e3 55 d8 69
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100opt: 0x0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***parse ISAKMP Hash Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_N (0xb)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    length: 24 (0x18)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | got payload 0x800  (ISAKMP_NEXT_N) needed: 0x0opt: 0x0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***parse ISAKMP Notification Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    length: 32 (0x20)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    protocol ID: 1 (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    SPI size: 16 (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    Notify Message Type: R_U_THERE (0x8d28)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | removing 8 bytes of padding
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | info:  0b 9f fb d3  c5 ed a7 b1  27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | info:  07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | processing informational R_U_THERE (36136)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | DPD: received R_U_THERE seq:133997831 monotime:1467829983 (state=#204 name="URochesterMC/2x0")
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | **emit ISAKMP Message:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    initiator cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   0b 9f fb d3  c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    responder cookie:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_HASH (0x8)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    exchange type: ISAKMP_XCHG_INFO (0x5)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    message ID:  2d 05 f1 b6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***emit ISAKMP Hash Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_N (0xb)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of ISAKMP Hash Payload: 24
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | ***emit ISAKMP Notification Payload:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    protocol ID: 1 (0x1)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    SPI size: 16 (0x10)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |    Notify Message Type: R_U_THERE_ACK (0x8d29)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify icookie  0b 9f fb d3  c5 ed a7 b1
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify rcookie  27 0e 5b dd  04 ce 67 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 4 raw bytes of notify data into ISAKMP Notification Payload
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | notify data  07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of ISAKMP Notification Payload: 32
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: init 0x7f8cb43b6f40
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: init symkey symkey 0x7f8cb457b9c0 (length 20)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes merge symkey(0x7f8cb457b9c0) bytes(0x7f8cb391d1e0/44) - derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8cb457b9c0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY 0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  00 00 00 00  00 00 00 00  00 00 00 00
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk merge symkey(0x7f8ca40a1050) bytes(0x7ffef46120b0/64) - derive(XOR_BASE_AND_DATA) target(CONCATENATE_BASE_AND_DATA)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  36 36 36 36  36 36 36 36  36 36 36 36  36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  36 36 36 36  36 36 36 36  36 36 36 36  36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  36 36 36 36  36 36 36 36  36 36 36 36  36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  36 36 36 36  36 36 36 36  36 36 36 36  36 36 36 36
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA 0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update bytes data 0x7ffef46121ac (length 4)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes merge symkey(0x7f8ca406c220) bytes(0x7ffef46121ac/4) - derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA 0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  2d 05 f1 b6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes key(0x7f8ca40974b0) length(68) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_bytes: free key 0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: update bytes data 0x7f8cb39255b4 (length 32)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes merge symkey(0x7f8ca40974b0) bytes(0x7f8cb39255b4/32) - derive(CONCATENATE_BASE_AND_DATA) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca40974b0) length(68) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  00 00 00 20  00 00 00 01  01 10 8d 29  0b 9f fb d3
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  c5 ed a7 b1  27 0e 5b dd  04 ce 67 a2  07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat_symkey_bytes key(0x7f8ca406c220) length(100) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_bytes: free key 0x7f8ca40974b0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | hmac prf: final
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner hash: hash(oakley_sha) symkey(0x7f8ca406c220) to symkey - derive(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca406c220) length(100) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner hash: key(0x7f8ca40974b0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY 0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf inner:: free key 0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk merge symkey(0x7f8ca40a1050) bytes(0x7ffef4612090/64) - derive(XOR_BASE_AND_DATA) target(CONCATENATE_BASE_AND_DATA)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca40a1050) length(64) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | bytes:  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c  5c 5c 5c 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | xor_symkey_chunk key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA 0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat: merge symkey(1: 0x7f8ca406c220) symkey(2: 0x7f8ca40974b0) - derive(CONCATENATE_BASE_AND_KEY) target(SHA1_KEY_DERIVATION)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey 1: key(0x7f8ca406c220) length(64) type/mechanism(CONCATENATE_BASE_AND_DATA 0x00000362)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey 2: key(0x7f8ca40974b0) length(20) type/mechanism(CONCATENATE_BASE_AND_KEY 0x00000360)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | concat: key(0x7f8ca4041700) length(84) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | append_symkey_symkey: free key 0x7f8ca406c220
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf hashed inner:: free key 0x7f8ca40974b0
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf key: free key 0x7f8ca40a1050
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash hash(oakley_sha) symkey(0x7f8ca4041700) to bytes
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | symkey: key(0x7f8ca4041700) length(84) type/mechanism(SHA1_KEY_DERIVATION 0x00000392)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash  76 ba e0 d7  2e 31 a9 5f  90 8d a5 bb  fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer hash  84 c2 22 a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf outer: free key 0x7f8ca4041700
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf final bytes  76 ba e0 d7  2e 31 a9 5f  90 8d a5 bb  fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | prf final bytes  84 c2 22 a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | HASH computed:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   76 ba e0 d7  2e 31 a9 5f  90 8d a5 bb  fd fc e4 a2
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   84 c2 22 a8
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | last Phase 1 IV:  b5 58 8d 67  5a d7 40 fd  66 a1 42 d0  a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | current Phase 1 IV:  b5 58 8d 67  5a d7 40 fd  66 a1 42 d0  a6 e1 4d ef
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | computed Phase 2 IV:
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   08 fa 35 33  bf 3f e1 62  59 70 3a 74  bb 82 84 e6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   81 b3 c9 ae
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting:  0b 00 00 18  76 ba e0 d7  2e 31 a9 5f  90 8d a5 bb
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting:  fd fc e4 a2  84 c2 22 a8  00 00 00 20  00 00 00 01
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting:  01 10 8d 29  0b 9f fb d3  c5 ed a7 b1  27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting:  04 ce 67 a2  07 fc a5 07
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | IV:  08 fa 35 33  bf 3f e1 62  59 70 3a 74  bb 82 84 e6
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | IV:  81 b3 c9 ae
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | unpadded size is: 56
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting 8 zero bytes of encryption padding into ISAKMP Message
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | encrypting 64 using OAKLEY_AES_CBC
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes - enter
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | NSS ike_alg_nss_cbc: aes - exit
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | next IV:  17 3c 5b 90  c0 76 15 e6  4e 81 42 56  37 84 c9 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | no IKEv1 message padding required
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | emitting length of ISAKMP Message: 92
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | sending 96 bytes for ISAKMP notify through ens160:4500 to 128.151.71.71:4500 (using #204)
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   00 00 00 00  0b 9f fb d3  c5 ed a7 b1  27 0e 5b dd
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   04 ce 67 a2  08 10 05 01  2d 05 f1 b6  00 00 00 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   6e 79 76 5b  4d 6e cc 6b  f4 b1 11 02  dc d7 ef f4
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   0e 3b 97 cd  9a 40 c9 66  88 f8 a6 5c  d1 ca 5b c9
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   ca 5c ed c8  81 2e b2 12  52 33 10 8a  2b 23 06 21
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: |   17 3c 5b 90  c0 76 15 e6  4e 81 42 56  37 84 c9 5c
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | complete v1 state transition with STF_IGNORE
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:33:03 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:33:05 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:33:07 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.e6d894ba at 109.174.158.237
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.58233a53 at 10.250.248.14
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.247db68e at 128.151.71.71
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.de4cec5d at 10.250.248.14
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.6168a3e0 at 128.151.71.71
Jul 06 14:33:09 hcl-vpn.signetaccel.com pluto[7558]: | get esp.4525b422 at 10.250.248.14
Jul 06 14:33:10 hcl-vpn.signetaccel.com pluto[7558]: | base debugging = none
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pings_pub.pcap
Type: application/octet-stream
Size: 3841 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160706/833190d8/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pings.pcap
Type: application/octet-stream
Size: 3841 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160706/833190d8/attachment-0003.obj>
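Added example (not from the original post, and not libreswan or firewalld code): a small audit script that reads iptables-save output and reports source-NAT rules that would still rewrite packets bound for an IPsec tunnel. The dump above shows two things worth checking mechanically. The rule Jesse inserted keeps the `-o eth+` from Paul's example while the zone's interfaces are ens160 and ens192, so that rule can never match anything; and firewalld's `masquerade: yes` expands to an unconditional `-A POST_dmz_allow ! -i lo -j MASQUERADE` that POSTROUTING still reaches through POSTROUTING_ZONES. The nat table runs before the kernel's xfrm output step, so a MASQUERADE that does not exclude packets with an IPsec policy rewrites their source to the gateway's own address, after which they no longer match the tunnel's selector for 10.250.248.0/24 and are sent outside the tunnel. The script classifies every SNAT/MASQUERADE rule as guarded, guarded-but-dead, or unguarded, and prints an exemption rule (an ACCEPT for `--pol ipsec` at the top of nat/POSTROUTING, which ends nat-table traversal for tunnel-bound packets before any masquerade rule sees them). The sample dump is the poster's nat table trimmed to the relevant lines; the interface list, the chain-walking logic and the function names are the example's own assumptions.

```python
"""Audit iptables-save output for source NAT that would rewrite packets
bound for an IPsec tunnel.  Added example for this thread, not libreswan or
firewalld code; assumes classic iptables-save text and caller-supplied
interface names."""
import shlex

# Constructed sample: the poster's *nat table trimmed to the relevant rules.
SAMPLE_DUMP = """\
*nat
-A POSTROUTING -s 10.250.248.0/24 -o eth+ -m policy --dir out --pol none -j MASQUERADE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o ens192 -g POST_dmz
-A POSTROUTING_ZONES -o ens160 -g POST_dmz
-A POST_dmz -j POST_dmz_allow
-A POST_dmz_allow ! -i lo -j MASQUERADE
COMMIT
"""
ZONE_INTERFACES = ("ens160", "ens192")  # interfaces in the poster's dmz zone
SNAT_TARGETS = ("MASQUERADE", "SNAT")

def rule_fields(tokens):
    """Pull out-interface (with negation), --pol value and jump/goto target."""
    f = {"out": None, "neg_out": False, "pol": None, "target": None}
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-o":
            f["out"], f["neg_out"] = tokens[i + 1], i > 0 and tokens[i - 1] == "!"
        elif tok == "--pol":
            f["pol"] = tokens[i + 1]
        elif tok in ("-j", "-g"):   # goto is treated like jump for reachability
            f["target"] = tokens[i + 1]
    return f

def nat_rules(dump):
    """Yield (chain, fields) for each -A rule of the *nat table, in order."""
    table = None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            toks = shlex.split(line)
            yield toks[1], rule_fields(toks[2:])

def iface_matches(pattern, iface):
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def reachable(start, jumps):
    """User chains reachable, transitively, from the given chains."""
    seen, stack = set(start), list(start)
    while stack:
        for f in jumps.get(stack.pop(), []):
            if f["target"] in jumps and f["target"] not in seen:
                seen.add(f["target"])
                stack.append(f["target"])
    return seen

def audit(dump, interfaces):
    """Return (chain, verdict) for every SNAT/MASQUERADE rule in the dump.
    Verdicts: 'ok', 'dead-guard' (a --pol none guard whose -o pattern matches
    no interface, so the rule never fires) or 'unguarded' (also rewrites
    packets that already have an IPsec policy)."""
    rules = list(nat_rules(dump))
    jumps = {}
    for chain, f in rules:
        jumps.setdefault(chain, []).append(f)
    # Chains jumped to from POSTROUTING before any "--pol ipsec -j ACCEPT"
    # still see tunnel traffic; chains jumped to only after it do not.
    before, after, exempt = [], [], False
    for f in jumps.get("POSTROUTING", []):
        exempt = exempt or (f["pol"] == "ipsec" and f["target"] == "ACCEPT")
        if f["target"] in jumps:
            (after if exempt else before).append(f["target"])
    unshielded = reachable(before, jumps)
    shielded = reachable(after, jumps) - unshielded
    findings, exempt = [], False
    for chain, f in rules:
        if chain == "POSTROUTING" and f["pol"] == "ipsec" and f["target"] == "ACCEPT":
            exempt = True
        if f["target"] not in SNAT_TARGETS:
            continue
        if f["pol"] == "none":
            dead = bool(f["out"]) and not f["neg_out"] and not any(
                iface_matches(f["out"], i) for i in interfaces)
            findings.append((chain, "dead-guard" if dead else "ok"))
        elif (exempt if chain == "POSTROUTING" else chain in shielded):
            findings.append((chain, "ok"))
        else:
            findings.append((chain, "unguarded"))
    return findings

def exemption_rule(subnet):
    """iptables-save line that ends nat-table traversal for tunnel-bound
    packets.  To install it live, replace the leading '-A POSTROUTING' with
    'iptables -t nat -I POSTROUTING 1'."""
    return f"-A POSTROUTING -s {subnet} -m policy --dir out --pol ipsec -j ACCEPT"

if __name__ == "__main__":
    for chain, verdict in audit(SAMPLE_DUMP, ZONE_INTERFACES):
        print(f"{chain:16s} {verdict}")
    print("fix:", exemption_rule("10.250.248.0/24"))
```

On the poster's dump this reports the first POSTROUTING rule as dead-guard and POST_dmz_allow as unguarded; with the exemption line placed first, POST_dmz_allow becomes ok. Two caveats: rules inserted with plain `iptables` disappear on a firewalld reload, so the persistent form is `firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 <rule minus '-A POSTROUTING'>`, which lands in the POSTROUTING_direct chain that the dump shows is consulted before POSTROUTING_ZONES; and the audit only recognises the exemption when it sits in the built-in POSTROUTING chain itself, not inside a *_direct chain.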

