[Swan] Failed migration from OpenSwan

dsnail at email.com
Sat Aug 13 15:22:24 UTC 2016


We have been using Openswan to Openswan ipsec successfully on CentOS to RHEL.  The biggest problem we had with OpenSwan was that it crashed when re-configuring tunnels during a rekey.  Now we are forced to move to Libreswan and it has so far been a failure with tons of time spent on it.  We have found issues that we have tried to fix, so far unsuccessfully.  

The system is:
- Both sides of the tunnel are Libreswan.  
- Source is Centos, destination is RHEL.  
- Both sides are using X509 keys from the same Certificate Authority. 
- Each side has multiple tunnels configured for different end points.   The CentOS box is routing traffic from a network device to all the destinations.  The destination has connections to multiple CentOS boxes. There are never multiple tunnels to the same end point. 

Things we see that totally make Libreswan unusable (these were not a problem in Openswan):

1.  Random INVALID_ID_INFORMATION responses. Libreswan goes into a state where it simply will not accept the connection that it has accepted numerous times before. Libreswan says "cert verify failed with internal error" and "Peer public key is not available for this exchange". A restart of Libreswan sometimes fixes this but not always. The worst part is that Libreswan allows unencrypted traffic between the two points in this situation. There is nothing wrong with the cert. It works sometimes; it always worked for OpenSwan.
2.  Tunnels working and then stopping working, and never working again until manual intervention (--up for example), which is a totally unacceptable requirement. This failure usually happens after one side has restarted. We had used auto=start with Openswan but we have found during testing that auto=ondemand may have made the problem in Libreswan less reproducible (but still very, very reproducible).

What can we do to fix these issues?  Any help appreciated.

Below are lots of details. The examples are from two sets of source and destination, but all the configs are the same, except for IPs and certs. All use the same CA.

==============================================================================================================================================

Source (Centos) ipsec verify 

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.3.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

==============================================================================================================================================

Destination (RHEL) ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 2.6.32-642.1.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

==============================================================================================================================================

Example source and destination configuration:

conn src-to-dst-on-80
    leftid=%fromcert
    left=10.90.156.167
    leftrsasigkey=%cert
    rightid=%fromcert
    right=10.88.180.151
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    leftcert=src.ourdomain.com
    leftsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=ondemand

conn dst-to-src-on-80
    leftid=%fromcert
    left=10.90.156.167
    rightid=%fromcert
    right=10.88.180.151
    rightrsasigkey=%cert
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    rightcert=dst.ourdomain.com
    rightsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=ondemand

==============================================================================================================================================

Example source and destination NSS database

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

src.ourdomain.com                         u,u,u
our_ca_nickname                                         CT,,

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

dst.ourdomain.com                          u,u,u
our_ca_nickname                                         CT,,

==============================================================================================================================================

Example source and destination ipsec.secrets

: RSA "src.ourdomain.com"

: RSA "dst.ourdomain.com"


==============================================================================================================================================

Example of Libreswan throwing INVALID_ID_INFORMATION, and an example of the exact same tunnel working at some point later. Source is 10.90.156.167, destination is 10.102.14.96.

> ipsec auto --up src-to-dst-on-80
002 "src-to-dst-on-80" #347: initiating Main Mode
104 "src-to-dst-on-80" #347: STATE_MAIN_I1: initiate
003 "src-to-dst-on-80" #347: received Vendor ID payload [Dead Peer Detection]
003 "src-to-dst-on-80" #347: received Vendor ID payload [FRAGMENTATION]
003 "src-to-dst-on-80" #347: received Vendor ID payload [RFC 3947]
002 "src-to-dst-on-80" #347: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "src-to-dst-on-80" #347: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "src-to-dst-on-80" #347: STATE_MAIN_I2: sent MI2, expecting MR2
003 "src-to-dst-on-80" #347: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "src-to-dst-on-80" #347: I am sending my cert
002 "src-to-dst-on-80" #347: I am sending a certificate request
002 "src-to-dst-on-80" #347: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "src-to-dst-on-80" #347: STATE_MAIN_I3: sent MI3, expecting MR3
003 "src-to-dst-on-80" #347: received Vendor ID payload [CAN-IKEv2]
002 "src-to-dst-on-80" #347: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
002 "src-to-dst-on-80" #347: cert verify failed with internal error
002 "src-to-dst-on-80" #347: Peer public key is not available for this exchange
218 "src-to-dst-on-80" #347: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "src-to-dst-on-80" #347: sending encrypted notification INVALID_ID_INFORMATION to 10.102.14.96:500

> ipsec auto --up src-to-dst-on-80
002 "src-to-dst-on-80" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:030e4c99 proposal=AES_GCM_C(20)_128-NONE(0)_000 pfsgroup=OAKLEY_GROUP_MODP1536}
117 "src-to-dst-on-80" #3: STATE_QUICK_I1: initiate
002 "src-to-dst-on-80" #3: Dead Peer Detection (RFC 3706): enabled
002 "src-to-dst-on-80" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "src-to-dst-on-80" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6ea9bb5f <0x233a3f4f xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}

Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: responding to Main Mode
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: I am sending my cert
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: Dead Peer Detection (RFC 3706): enabled
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #1: the peer proposed: 10.102.14.96/32:6/80 -> 10.90.156.167/32:0/0
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: responding to Quick Mode proposal {msgid:3526a400}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2:     us: 10.102.14.96<10.102.14.96>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]:6/80
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2:   them: 10.90.156.167<10.90.156.167>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x79004908 <0x49e18c34 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: Dead Peer Detection (RFC 3706): enabled
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 13 15:06:38 dst pluto[4347]: "dst-to-dst-on-80" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x79004908 <0x49e18c34 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}



==============================================================================================================================================

Example source and destination connection status when Libreswan fails to reconnect a tunnel after the destination restarts. Source is 10.90.156.167, destination is 10.88.180.151.


000 "src-to-dst-on-80": 10.90.156.167<10.90.156.167>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com]...10.88.180.151<10.88.180.151>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]:6/80; erouted; eroute owner: #167
000 "src-to-dst-on-80":     oriented; my_ip=unset; their_ip=unset; mycert=src.ourdomain.com
000 "src-to-dst-on-80":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "src-to-dst-on-80":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "src-to-dst-on-80":   labeled_ipsec:no;
000 "src-to-dst-on-80":   policy_label:unset;
000 "src-to-dst-on-80":   CAs: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=our_ca_cn'...'%any'
000 "src-to-dst-on-80":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "src-to-dst-on-80":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "src-to-dst-on-80":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "src-to-dst-on-80":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "src-to-dst-on-80":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "src-to-dst-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "src-to-dst-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #167;
000 "src-to-dst-on-80":   IKE algorithms wanted: AES_CBC(7)_000-SHA2_256(4)_000-MODP1536(5)
000 "src-to-dst-on-80":   IKE algorithms found:  AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
000 "src-to-dst-on-80":   ESP algorithms wanted: AES_GCM_C(20)_128-NONE(0)_000
000 "src-to-dst-on-80":   ESP algorithms loaded: AES_GCM_C(20)_128-NONE(0)_000
000 "src-to-dst-on-80":   ESP algorithm newest: AES_GCM_C_128-NONE; pfsgroup=<Phase1>

000 "dst-to-src-on-80": 10.88.180.151<10.88.180.151>[C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]:6/80...10.90.156.167<10.90.156.167>[%fromcert]; prospective erouted; eroute owner: #0
000 "dst-to-src-on-80":     oriented; my_ip=unset; their_ip=unset; mycert=dst.ourdomain.com
000 "dst-to-src-on-80":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "dst-to-src-on-80":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "dst-to-src-on-80":   labeled_ipsec:no;
000 "dst-to-src-on-80":   policy_label:unset;
000 "dst-to-src-on-80":   CAs: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=our_ca_cn'...'%any'
000 "dst-to-src-on-80":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "dst-to-src-on-80":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "dst-to-src-on-80":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "dst-to-src-on-80":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "dst-to-src-on-80":   conn_prio: 32,32; interface: bond0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "dst-to-src-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "dst-to-src-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "dst-to-src-on-80":   IKE algorithms wanted: AES_CBC(7)_000-SHA2_256(4)_000-MODP1536(5)
000 "dst-to-src-on-80":   IKE algorithms found:  AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
000 "dst-to-src-on-80":   ESP algorithms wanted: AES_GCM_C(20)_128-NONE(0)_000
000 "dst-to-src-on-80":   ESP algorithms loaded: AES_GCM_C(20)_128-NONE(0)_000

==============================================================================================================================================

Example source and destination log snippets when Libreswan fails to reconnect a tunnel after the destination has restarted. There is traffic trying to get from source to destination and Libreswan isn't even trying to re-establish a connection. We can't be expected to have manual intervention. Source is 10.90.156.167, destination is 10.88.180.151.

Aug 13 11:03:43 src pluto[4431]: "src-to-dst-on-80" #167: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9f042f6 <0x1949bfe3 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [Dead Peer Detection]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [FRAGMENTATION]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [RFC 3947]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 13 11:06:46 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: responding to Main Mode
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: I am sending my cert
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 13 11:06:46 src pluto[4431]: "src-to-dst-on-80" #168: Dead Peer Detection (RFC 3706): enabled
Aug 13 11:20:23 src pluto[4431]: "src-to-dst-on-80" #156: deleting state #156 (STATE_MAIN_R3)
Aug 13 11:20:55 src pluto[4431]: "src-to-dst-on-80" #56: deleting state #56 (STATE_QUICK_R2)
Aug 13 11:20:55 src pluto[4431]: "src-to-dst-on-80" #56: ESP traffic information: in=0B out=6KB
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [Dead Peer Detection]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [FRAGMENTATION]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: received Vendor ID payload [RFC 3947]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 13 11:49:32 src pluto[4431]: packet from 10.88.180.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: responding to Main Mode
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: Main mode peer ID is ID_DER_ASN1_DN: 'C=XX, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=XX OK
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: I am sending my cert
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: Dead Peer Detection (RFC 3706): enabled
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #185: received Delete SA payload: self-deleting ISAKMP State #185
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #185: deleting state #185 (STATE_MAIN_R3)
Aug 13 11:51:59 src pluto[4431]: packet from 10.88.180.151:500: received and ignored empty informational notification payload
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #168: received Delete SA payload: self-deleting ISAKMP State #168
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #168: deleting state #168 (STATE_MAIN_R3)
Aug 13 11:51:59 src pluto[4431]: packet from 10.88.180.151:500: received and ignored empty informational notification payload
Aug 13 11:52:12 src pluto[4431]: "src-to-dst-on-80" #167: DPD: could not find newest phase 1 state

Aug 13 12:00:37 dst pluto[19668]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:19668
Aug 13 12:00:37 dst pluto[19668]: core dump dir: /var/run/pluto/
Aug 13 12:00:37 dst pluto[19668]: secrets file: /etc/ipsec.secrets
Aug 13 12:00:37 dst pluto[19668]: leak-detective disabled
Aug 13 12:00:37 dst pluto[19668]: NSS crypto [enabled]
Aug 13 12:00:37 dst pluto[19668]: XAUTH PAM support [enabled]
Aug 13 12:00:37 dst pluto[19668]:    NAT-Traversal support  [enabled]
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Aug 13 12:00:37 dst pluto[19668]: starting up 23 crypto helpers
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 0 (master fd 10)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 1 (master fd 13)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 2 (master fd 15)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 3 (master fd 17)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 4 (master fd 19)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 5 (master fd 21)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 6 (master fd 23)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 7 (master fd 25)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 8 (master fd 27)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 9 (master fd 29)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 10 (master fd 31)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 11 (master fd 33)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 12 (master fd 35)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 13 (master fd 37)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 14 (master fd 39)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 15 (master fd 41)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 16 (master fd 43)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 17 (master fd 45)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 18 (master fd 47)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 19 (master fd 49)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 20 (master fd 51)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 21 (master fd 53)
Aug 13 12:00:37 dst pluto[19668]: started thread for crypto helper 22 (master fd 55)
Aug 13 12:00:37 dst pluto[19668]: Using Linux XFRM/NETKEY IPsec interface code on 2.6.32-642.3.1.el6.x86_64
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Aug 13 12:00:37 dst pluto[19668]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Aug 13 12:00:37 dst pluto[19668]: | selinux support is NOT enabled.
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description "dst-to-src-on-80"
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description "v6neighbor-hole-in"
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: | certificate not loaded for this end
Aug 13 12:00:38 dst pluto[19668]: added connection description "v6neighbor-hole-out"
Aug 13 12:00:38 dst pluto[19668]: listening for IKE messages
Aug 13 12:00:38 dst pluto[19668]: adding interface bond0/bond0 10.88.180.151:500
Aug 13 12:00:38 dst pluto[19668]: adding interface bond0/bond0 10.88.180.151:4500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo 127.0.0.1:500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo 127.0.0.1:4500
Aug 13 12:00:38 dst pluto[19668]: adding interface lo/lo ::1:500
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:500 fd 66
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:4500 fd 65
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface lo:500 fd 64
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface bond0:4500 fd 63
Aug 13 12:00:38 dst pluto[19668]: | setup callback for interface bond0:500 fd 62
Aug 13 12:00:38 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:00:38 dst pluto[19668]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Aug 13 12:00:38 dst pluto[19668]: loaded private key for keyid: PPK_RSA:
Aug 13 12:16:07 dst pluto[19668]: forgetting secrets
Aug 13 12:16:07 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:16:07 dst pluto[19668]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Aug 13 12:16:07 dst pluto[19668]: loaded private key for keyid: PPK_RSA:
Aug 13 12:20:29 dst pluto[19668]: forgetting secrets
Aug 13 12:20:29 dst pluto[19668]: loading secrets from "/etc/ipsec.secrets"
Aug 13 12:20:29 dst pluto[19668]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Aug 13 12:20:29 dst pluto[19668]: loaded private key for keyid: PPK_RSA:
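Editor's added example (not Libreswan's own tooling and not the poster's code): a small monitoring check that reads the `ipsec status` excerpt and the pluto log lines quoted in this post. It makes the connection between the two pieces of evidence explicit: the src-to-dst-on-80 summary shows "newest ISAKMP SA: #0; newest IPsec SA: #167", and the later "DPD: could not find newest phase 1 state" line is the same condition seen from the DPD timer. IKEv1 DPD (RFC 3706) probes the peer over the phase 1 (ISAKMP) SA, so once the destination's restart and Delete SA payloads removed it, dpdaction=restart has nothing to act on and the stale IPsec SA is left in place. The check flags that orphaned-SA state and tags the "cert verify failed" / "Peer public key is not available" / INVALID_ID_INFORMATION sequence so it can be alerted on instead of found by hand. The sample inputs are constructed from the post's lines; the regexes, event labels and function names are this example's own assumptions.

```python
"""Sanity checks over `ipsec status` output and pluto log lines.

Added example (not Libreswan's own tooling). Sample inputs below are
constructed from the lines quoted in the post; regexes, event labels and
function names are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the two connection summaries from the post, trimmed to
# the lines this check reads (real `ipsec status` output has more per conn).
STATUS_SAMPLE = """\
000 "src-to-dst-on-80": 10.90.156.167<10.90.156.167>[CN=src.ourdomain.com]...10.88.180.151<10.88.180.151>[CN=dst.ourdomain.com]:6/80; erouted; eroute owner: #167
000 "src-to-dst-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "src-to-dst-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #167;
000 "dst-to-src-on-80": 10.88.180.151<10.88.180.151>[CN=dst.ourdomain.com]:6/80...10.90.156.167<10.90.156.167>[%fromcert]; prospective erouted; eroute owner: #0
000 "dst-to-src-on-80":   dpd: action:restart; delay:20; timeout:30; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "dst-to-src-on-80":   newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# Constructed sample log lines, taken in shape from the post's two failures.
LOG_SAMPLE = """\
Aug 13 11:03:43 src pluto[4431]: "src-to-dst-on-80" #167: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9f042f6 <0x1949bfe3 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 13 11:49:32 src pluto[4431]: "src-to-dst-on-80" #185: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 13 11:51:59 src pluto[4431]: "src-to-dst-on-80" #185: received Delete SA payload: self-deleting ISAKMP State #185
Aug 13 11:52:12 src pluto[4431]: "src-to-dst-on-80" #167: DPD: could not find newest phase 1 state
002 "src-to-dst-on-80" #347: cert verify failed with internal error
002 "src-to-dst-on-80" #347: Peer public key is not available for this exchange
218 "src-to-dst-on-80" #347: STATE_MAIN_I3: INVALID_ID_INFORMATION
"""

CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<rest>.*)$')
EROUTE_RE = re.compile(r'; (?P<eroute>(?:prospective )?erouted|unrouted); eroute owner: #(?P<owner>\d+)')
SA_RE = re.compile(r'newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+);')
LOG_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Substring -> event label, checked in order; the first hit wins.
LOG_EVENTS = [
    ("cert verify failed", "cert_verify_failed"),
    ("Peer public key is not available", "peer_key_unavailable"),
    ("INVALID_ID_INFORMATION", "invalid_id_information"),
    ("DPD: could not find newest phase 1 state", "dpd_without_phase1"),
    ("self-deleting ISAKMP State", "isakmp_deleted_by_peer"),
    ("IPsec SA established", "ipsec_sa_established"),
    ("ISAKMP SA established", "isakmp_sa_established"),
]


def parse_status(text):
    """Map conn name -> eroute state, eroute owner and newest SA numbers."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        info = conns[m["conn"]]
        e = EROUTE_RE.search(m["rest"])
        if e:
            info["eroute"] = e["eroute"]
            info["eroute_owner"] = int(e["owner"])
        s = SA_RE.search(m["rest"])
        if s:
            info["isakmp_sa"] = int(s["isakmp"])
            info["ipsec_sa"] = int(s["ipsec"])
    return dict(conns)


def find_orphaned_ipsec_sas(conns):
    """Conns with an IPsec SA but no ISAKMP SA. IKEv1 DPD (RFC 3706) probes
    over the phase 1 SA, so with none present a dead peer goes unnoticed and
    dpdaction=restart never fires; the conn sits with a stale IPsec SA."""
    return sorted(name for name, c in conns.items()
                  if c.get("ipsec_sa", 0) > 0 and c.get("isakmp_sa", 0) == 0)


def classify_log_line(line):
    """Return (conn, state_number, event_label), or None for lines of no interest."""
    m = LOG_RE.search(line)
    if not m:
        return None
    for needle, label in LOG_EVENTS:
        if needle in m["msg"]:
            return (m["conn"], int(m["state"]), label)
    return None


def summarize_log(text):
    """Group classified events per conn, in log order."""
    events = defaultdict(list)
    for line in text.splitlines():
        ev = classify_log_line(line)
        if ev:
            events[ev[0]].append((ev[1], ev[2]))
    return dict(events)


if __name__ == "__main__":
    conns = parse_status(STATUS_SAMPLE)
    for name in find_orphaned_ipsec_sas(conns):
        print(f"{name}: IPsec SA #{conns[name]['ipsec_sa']} without ISAKMP SA (DPD cannot run)")
    for name, evs in summarize_log(LOG_SAMPLE).items():
        print(name, evs)
```

Run against live output, `parse_status` would take the text of `ipsec status` and `summarize_log` the relevant pluto lines from syslog; the orphaned-SA condition is the one to page on, since it is exactly the state in which the poster reports the tunnel never recovering on its own.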


