[Swan] Peer declared dead and tunnel down for 4 hours despite traffic

dsnail at email.com
Wed Aug 24 15:47:48 UTC 2016


We have intermittent tunnel failures that can usually be fixed by a manual 'ipsec auto --up <connection>'. This is not an acceptable requirement, though. The source was declared dead by the destination, which makes no sense as the source was up/running and communicating with 15+ other peers at the time. I decided to allow the tunnel failure to remain without manual intervention to see if it would eventually fix itself, and in this case it did. It appears as though the tunnel was down for about 4 hours and appears to have been 'fixed' very close to 8 hours after the last rekey (15:40:17 - 23:35:47), which seems to be the default salifetime. Even if the source was unavailable to the destination, why did both sides stop trying to communicate, and why did the source all of a sudden decide to start communicating again (at 23:35:47)? Can anything be done to diagnose, prevent, etc.?

conn dst-to-src-on-80
    leftid=%fromcert
    left=10.109.190.151
    rightid=%fromcert
    right=10.88.180.213
    rightrsasigkey=%cert
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    rightcert=dst.ourdomain.com
    rightsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=start

conn src-to-dst-on-80
    leftid=%fromcert
    left=10.109.190.151
    leftrsasigkey=%cert
    rightid=%fromcert
    right=10.88.180.213
    ike=aes-sha2_256-modp1536
    phase2alg=aes_gcm_c-128-null
    leftcert=src.ourdomain.com
    leftsendcert=always
    dpddelay=20
    dpdtimeout=30
    dpdaction=restart
    authby=rsasig
    auto=start

--------------------------- source log --------------------------------

Aug 23 15:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: keeping refhim=4294901761 during rekey
...
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 17:13:52 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: responding to Main Mode
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: I am sending my cert
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 17:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: Dead Peer Detection (RFC 3706): enabled
Aug 23 17:29:20 src pluto[16315]: "src-to-dst-on-80" #7185: deleting state #7185 (STATE_MAIN_R3)
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 18:01:16 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: responding to Main Mode
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: I am sending my cert
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 18:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: Dead Peer Detection (RFC 3706): enabled
Aug 23 18:13:52 src pluto[16315]: "src-to-dst-on-80" #7202: deleting state #7202 (STATE_MAIN_R3)
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 18:48:22 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: responding to Main Mode
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 18:48:22 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: I am sending my cert
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 18:48:23 src pluto[16315]: "src-to-dst-on-80" #7248: Dead Peer Detection (RFC 3706): enabled
Aug 23 19:01:16 src pluto[16315]: "src-to-dst-on-80" #7221: deleting state #7221 (STATE_MAIN_R3)
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7248: received Delete SA payload: self-deleting ISAKMP State #7248
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7248: deleting state #7248 (STATE_MAIN_R3)
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received and ignored empty informational notification payload
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:41 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: responding to Main Mode
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: responding to Main Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:42 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: responding to Main Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:43 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: responding to Main Mode
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:45 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: responding to Main Mode
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:49 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: responding to Main Mode
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:25:51 src pluto[16315]: "src-to-dst-on-80" #7165: DPD: could not find newest phase 1 state
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:25:57 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: responding to Main Mode
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: received Vendor ID payload [RFC 3947]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 19:26:13 src pluto[16315]: packet from 10.88.180.213:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: responding to Main Mode
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: deleting state #7262 (STATE_MAIN_R1)
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7263: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7263: deleting state #7263 (STATE_MAIN_R1)
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7264: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:46 src pluto[16315]: "src-to-dst-on-80" #7264: deleting state #7264 (STATE_MAIN_R1)
Aug 23 19:26:47 src pluto[16315]: "src-to-dst-on-80" #7265: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:47 src pluto[16315]: "src-to-dst-on-80" #7265: deleting state #7265 (STATE_MAIN_R1)
Aug 23 19:26:49 src pluto[16315]: "src-to-dst-on-80" #7267: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:49 src pluto[16315]: "src-to-dst-on-80" #7267: deleting state #7267 (STATE_MAIN_R1)
Aug 23 19:26:53 src pluto[16315]: "src-to-dst-on-80" #7272: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:26:53 src pluto[16315]: "src-to-dst-on-80" #7272: deleting state #7272 (STATE_MAIN_R1)
Aug 23 19:27:01 src pluto[16315]: "src-to-dst-on-80" #7279: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:27:01 src pluto[16315]: "src-to-dst-on-80" #7279: deleting state #7279 (STATE_MAIN_R1)
Aug 23 19:27:17 src pluto[16315]: "src-to-dst-on-80" #7283: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 19:27:17 src pluto[16315]: "src-to-dst-on-80" #7283: deleting state #7283 (STATE_MAIN_R1)
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: initiating Main Mode
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID payload [Dead Peer Detection]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID payload [FRAGMENTATION]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID payload [RFC 3947]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: I am sending my cert
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: I am sending a certificate request
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: received Vendor ID payload [CAN-IKEv2]
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com'
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: certificate CN=dst.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: Dead Peer Detection (RFC 3706): enabled
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7388: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#7387 msgid:6e9c076c proposal=AES_GCM_C(20)_128-NONE(0)_000 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: Dead Peer Detection (RFC 3706): enabled
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3e9a9ad2 <0x63abe737 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 23 23:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: deleting state #7165 (STATE_QUICK_R2)
Aug 23 23:40:17 src pluto[16315]: "src-to-dst-on-80" #7165: ESP traffic information: in=2KB out=2KB
--------------------------- destination log --------------------------------

Aug 23 17:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: Dead Peer Detection (RFC 3706): enabled
Aug 23 17:29:20 dst pluto[3368]: "dst-to-src-on-80" #748: received Delete SA payload: self-deleting ISAKMP State #748
Aug 23 17:29:20 dst pluto[3368]: "dst-to-src-on-80" #748: deleting state #748 (STATE_MAIN_I4)
Aug 23 17:29:20 dst pluto[3368]: packet from 10.109.190.151:500: received and ignored empty informational notification payload
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: initiating Main Mode to replace #751
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID payload [Dead Peer Detection]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID payload [FRAGMENTATION]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID payload [RFC 3947]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: I am sending my cert
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: I am sending a certificate request
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Vendor ID payload [CAN-IKEv2]
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: certificate CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 18:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: Dead Peer Detection (RFC 3706): enabled
Aug 23 18:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: received Delete SA payload: self-deleting ISAKMP State #751
Aug 23 18:13:52 dst pluto[3368]: "dst-to-src-on-80" #751: deleting state #751 (STATE_MAIN_I4)
Aug 23 18:13:52 dst pluto[3368]: packet from 10.109.190.151:500: received and ignored empty informational notification payload
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: initiating Main Mode to replace #754
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID payload [Dead Peer Detection]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID payload [FRAGMENTATION]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID payload [RFC 3947]
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 23 18:48:22 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: I am sending my cert
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: I am sending a certificate request
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: received Vendor ID payload [CAN-IKEv2]
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: certificate CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 18:48:23 dst pluto[3368]: "dst-to-src-on-80" #757: Dead Peer Detection (RFC 3706): enabled
Aug 23 19:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: received Delete SA payload: self-deleting ISAKMP State #754
Aug 23 19:01:16 dst pluto[3368]: "dst-to-src-on-80" #754: deleting state #754 (STATE_MAIN_I4)
Aug 23 19:01:16 dst pluto[3368]: packet from 10.109.190.151:500: received and ignored empty informational notification payload
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: No response from peer - declaring peer dead
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: Restarting all connections that share this peer
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: terminating SAs using this connection
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #745: deleting state #745 (STATE_QUICK_I2)
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #745: ESP traffic information: in=0B out=1KB
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: deleting state #757 (STATE_MAIN_I4)
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #760: initiating Main Mode
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: deleting state #760 (STATE_MAIN_I1)
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received Vendor ID payload [FRAGMENTATION]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: received Vendor ID payload [RFC 3947]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 23 23:35:47 dst pluto[3368]: packet from 10.109.190.151:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: responding to Main Mode
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: Main mode peer ID is ID_DER_ASN1_DN: 'C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com'
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: certificate CN=src.ourdomain.com,OU=ZZZZZ-IPSEC,O=YYY,C=US OK
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: I am sending my cert
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=OAKLEY_SHA2_256 group=MODP1536}
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: Dead Peer Detection (RFC 3706): enabled
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #774: the peer proposed: 10.88.180.213/32:6/80 -> 10.109.190.151/32:0/0
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: responding to Quick Mode proposal {msgid:6e9c076c}
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775:     us: 10.88.180.213<10.88.180.213>[C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=dst.ourdomain.com]:6/80
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775:   them: 10.109.190.151<10.109.190.151>[C=US, O=YYY, OU=ZZZZZ-IPSEC, CN=src.ourdomain.com]
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 23:35:47 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x63abe737 <0x3e9a9ad2 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: Dead Peer Detection (RFC 3706): enabled
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x63abe737 <0x3e9a9ad2 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
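As an added example (editor's code, not part of the original post and not a Libreswan tool), here is a small Python correlator for the two pluto logs above. It parses the syslog-style lines, pairs each "declaring peer dead" on the initiator with the next "IPsec SA established" on the same host to measure the outage, and then counts how many responder-side Main Mode states the source opened while the destination was retransmitting its first IKEv1 message. The embedded log text is a constructed excerpt of the lines quoted in the post; the year 2016 is assumed because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: excerpts of the pluto lines quoted in the post, trimmed to the
# events the correlation needs. src is the Main Mode responder, dst the initiator.
SRC_LOG = """\
Aug 23 19:25:41 src pluto[16315]: "src-to-dst-on-80" #7262: responding to Main Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7263: responding to Main Mode
Aug 23 19:25:42 src pluto[16315]: "src-to-dst-on-80" #7264: responding to Main Mode
Aug 23 19:25:43 src pluto[16315]: "src-to-dst-on-80" #7265: responding to Main Mode
Aug 23 19:25:45 src pluto[16315]: "src-to-dst-on-80" #7267: responding to Main Mode
Aug 23 19:25:49 src pluto[16315]: "src-to-dst-on-80" #7272: responding to Main Mode
Aug 23 19:25:57 src pluto[16315]: "src-to-dst-on-80" #7279: responding to Main Mode
Aug 23 19:26:13 src pluto[16315]: "src-to-dst-on-80" #7283: responding to Main Mode
Aug 23 19:26:45 src pluto[16315]: "src-to-dst-on-80" #7262: max number of retransmissions (8) reached STATE_MAIN_R1
Aug 23 23:35:47 src pluto[16315]: "src-to-dst-on-80" #7387: initiating Main Mode
Aug 23 23:35:48 src pluto[16315]: "src-to-dst-on-80" #7388: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3e9a9ad2 <0x63abe737 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
"""
DST_LOG = """\
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #757: DPD: No response from peer - declaring peer dead
Aug 23 19:25:41 dst pluto[3368]: "dst-to-src-on-80" #760: initiating Main Mode
Aug 23 19:26:45 dst pluto[3368]: "dst-to-src-on-80" #760: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
Aug 23 23:35:48 dst pluto[3368]: "dst-to-src-on-80" #775: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x63abe737 <0x3e9a9ad2 xfrm=AES_GCM_C_128-NONE NATOA=none NATD=none DPD=active}
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')

# Message fragments that mark the state transitions worth correlating.
EVENT_PATTERNS = [
    ("peer_dead", re.compile(r"DPD: No response from peer - declaring peer dead")),
    ("gave_up", re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")),
    ("ipsec_up", re.compile(r"IPsec SA established")),
    ("initiating", re.compile(r"initiating Main Mode")),
    ("responding", re.compile(r"responding to Main Mode")),
]


def parse(log_text, year=2016):
    """Turn syslog-style pluto lines into event dicts. syslog omits the year, so the
    caller supplies it (2016 assumed here, the date of the post)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pat in EVENT_PATTERNS:
            em = pat.search(m["msg"])
            if em:
                events.append({"ts": ts, "host": m["host"], "state": m["state"],
                               "kind": kind, "detail": em.groups()})
                break
    return events


def outage_windows(events):
    """Pair each 'declaring peer dead' with the next IPsec SA established on the same
    host; returns (dead_at, recovered_at, seconds_down) tuples."""
    windows = []
    for i, ev in enumerate(events):
        if ev["kind"] != "peer_dead":
            continue
        rec = next((e for e in events[i + 1:]
                    if e["kind"] == "ipsec_up" and e["host"] == ev["host"]), None)
        if rec is not None:
            windows.append((ev["ts"], rec["ts"], int((rec["ts"] - ev["ts"]).total_seconds())))
    return windows


def unanswered_initiations(initiator_events, responder_events):
    """For each Main Mode the initiator gave up on, count the responder states opened
    while it was retransmitting. One fresh responder state per retransmit means every
    MI1 arrived at the responder but none of its MR1 replies made it back."""
    results = []
    for ev in initiator_events:
        if ev["kind"] != "initiating":
            continue
        end = next((e for e in initiator_events
                    if e["kind"] == "gave_up" and e["state"] == ev["state"]), None)
        if end is None:
            continue
        opened = {e["state"] for e in responder_events
                  if e["kind"] == "responding" and ev["ts"] <= e["ts"] <= end["ts"]}
        results.append({"initiator_state": ev["state"], "retransmits": int(end["detail"][0]),
                        "responder_states_opened": len(opened)})
    return results


if __name__ == "__main__":
    src, dst = parse(SRC_LOG), parse(DST_LOG)
    for dead_at, up_at, secs in outage_windows(dst):
        print(f"dst declared peer dead {dead_at:%H:%M:%S}, tunnel back {up_at:%H:%M:%S} ({secs} s down)")
    for r in unanswered_initiations(dst, src):
        print(r)
```

Against the full logs in the post the same two functions report 15007 seconds down on dst (19:25:41 to 23:35:48) and eight responder states on src (#7262 through #7283) for the eight retransmissions of dst's #760: src saw every MI1 and answered each with an MR1, yet dst recorded "No response to our first IKEv1 message". That is the signature of one-directional loss of UDP/500 from src toward dst during that window, and with dpddelay=20 and dpdtimeout=30 a 30-second silence on the IKE SA is all DPD needs to declare the peer dead. Feeding `parse()` the full `/var/log/secure` (or wherever pluto logs) from both ends is the cheapest first check before looking at the path in between.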