[Swan] ip address assignment
Thomas Stein
himbeere at meine-oma.de
Wed May 9 19:10:48 UTC 2018
On Wednesday, 9 May 2018 19:48:20 CEST you wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
>
> > Now I have the routes in question. But still no internet connectivity.
>
> > 000
> > 000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> > 000 #2: "my-vpn" esp.4535607f at xxx.xxx.xxx.5 esp.5fe2f13b at 192.168.178.21 tun.0 at xxx.xxx.xxx.5 tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
>
> This is odd. Your IKE SA established, setup the IPsec SA successfully,
> and then vanished?
>
> > rather /etc/ipsec.d # ip r
> > 0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007
> > 128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > 192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 200
>
> That looks good.
>
> > Am I supposed to have some iptables rules? I have none so far:
>
> Nope.
>
> What does "ipsec whack --trafficstatus" show for the traffic counters?
rather ~ # ipsec whack --trafficstatus
006 #2: "my-vpn", username=myself, type=ESP, add_time=1525892039, inBytes=0, outBytes=95061
> It would be useful to see the pluto logs too and see why your IKE SA
> died.
May 9 20:53:22 rather pluto[31225]: NSS DB directory: sql:/etc/ipsec.d
May 9 20:53:22 rather pluto[31225]: Initializing NSS
May 9 20:53:22 rather pluto[31225]: Opening NSS database "sql:/etc/ipsec.d" read-only
May 9 20:53:22 rather pluto[31225]: NSS initialized
May 9 20:53:22 rather pluto[31225]: NSS crypto library initialized
May 9 20:53:22 rather pluto[31225]: FIPS HMAC integrity support [disabled]
May 9 20:53:22 rather pluto[31225]: libcap-ng support [disabled]
May 9 20:53:22 rather pluto[31225]: Linux audit support [disabled]
May 9 20:53:22 rather pluto[31225]: Starting Pluto (Libreswan Version 3.24rc4 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SECCOMP XAUTH_PAM NETWORKMANAGER) pid:31225
May 9 20:53:22 rather pluto[31225]: core dump dir: /run/pluto
May 9 20:53:22 rather pluto[31225]: secrets file: /etc/ipsec.secrets
May 9 20:53:22 rather pluto[31225]: leak-detective disabled
May 9 20:53:22 rather pluto[31225]: NSS crypto [enabled]
May 9 20:53:22 rather pluto[31225]: XAUTH PAM support [enabled]
May 9 20:53:22 rather pluto[31225]: NAT-Traversal support [enabled]
May 9 20:53:22 rather pluto[31225]: Initializing libevent in pthreads mode: headers: 2.1.7-beta (2010700); library: 2.1.7-beta (2010700)
May 9 20:53:22 rather pluto[31225]: Encryption algorithms:
May 9 20:53:22 rather pluto[31225]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
May 9 20:53:22 rather pluto[31225]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
May 9 20:53:22 rather pluto[31225]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
May 9 20:53:22 rather pluto[31225]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
May 9 20:53:22 rather pluto[31225]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
May 9 20:53:22 rather pluto[31225]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
May 9 20:53:22 rather pluto[31225]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
May 9 20:53:22 rather pluto[31225]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
May 9 20:53:22 rather pluto[31225]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
May 9 20:53:22 rather pluto[31225]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
May 9 20:53:22 rather pluto[31225]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
May 9 20:53:22 rather pluto[31225]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
May 9 20:53:22 rather pluto[31225]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
May 9 20:53:22 rather pluto[31225]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
May 9 20:53:22 rather pluto[31225]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
May 9 20:53:22 rather pluto[31225]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)
May 9 20:53:22 rather pluto[31225]: NULL IKEv1: ESP IKEv2: ESP []
May 9 20:53:22 rather pluto[31225]: Hash algorithms:
May 9 20:53:22 rather pluto[31225]: MD5 IKEv1: IKE IKEv2:
May 9 20:53:22 rather pluto[31225]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
May 9 20:53:22 rather pluto[31225]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
May 9 20:53:22 rather pluto[31225]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
May 9 20:53:22 rather pluto[31225]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
May 9 20:53:22 rather pluto[31225]: PRF algorithms:
May 9 20:53:22 rather pluto[31225]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
May 9 20:53:22 rather pluto[31225]: AES_XCBC IKEv1: IKEv2: IKE (aes128_xcbc)
May 9 20:53:22 rather pluto[31225]: Integrity algorithms:
May 9 20:53:22 rather pluto[31225]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
May 9 20:53:22 rather pluto[31225]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
May 9 20:53:22 rather pluto[31225]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
May 9 20:53:22 rather pluto[31225]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
May 9 20:53:22 rather pluto[31225]: NONE IKEv1: ESP IKEv2: ESP FIPS (null)
May 9 20:53:22 rather pluto[31225]: DH algorithms:
May 9 20:53:22 rather pluto[31225]: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)
May 9 20:53:22 rather pluto[31225]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
May 9 20:53:22 rather pluto[31225]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
May 9 20:53:22 rather pluto[31225]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
May 9 20:53:22 rather pluto[31225]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
May 9 20:53:22 rather pluto[31225]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
May 9 20:53:22 rather pluto[31225]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
May 9 20:53:22 rather pluto[31225]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
May 9 20:53:22 rather pluto[31225]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
May 9 20:53:22 rather pluto[31225]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
May 9 20:53:22 rather pluto[31225]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
May 9 20:53:22 rather pluto[31225]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
May 9 20:53:22 rather pluto[31225]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
May 9 20:53:22 rather pluto[31225]: starting up 3 crypto helpers
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 0
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 1
May 9 20:53:22 rather pluto[31225]: started thread for crypto helper 2
May 9 20:53:22 rather pluto[31225]: Using Linux XFRM/NETKEY IPsec interface code on 4.16.5
May 9 20:53:22 rather pluto[31225]: added connection description "my-vpn"
May 9 20:53:22 rather pluto[31225]: listening for IKE messages
May 9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0 192.168.178.21:500
May 9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0 192.168.178.21:4500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:4500
May 9 20:53:22 rather pluto[31225]: adding interface lo/lo ::1:500
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 19
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:4500 fd 18
May 9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 17
May 9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:4500 fd 16
May 9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:500 fd 15
May 9 20:53:22 rather pluto[31225]: loading secrets from "/etc/ipsec.secrets"
May 9 20:53:49 rather pluto[31225]: "my-vpn": deleting non-instance connection
May 9 20:53:49 rather pluto[31225]: added connection description "my-vpn"
May 9 20:53:49 rather pluto[31225]: "my-vpn": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in aggressive mode can cause interop failure
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: initiating Aggressive Mode
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in aggressive mode can cause interop failure
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de000502f2]
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.5'
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.5'
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Answering XAUTH challenge with user='myself'
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Successfully Authenticated
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: modecfg: Sending IP request (MODECFG_I1)
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received IPv4 address: xxx.xxx.xxx.193/32
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server xxx.xxx.xxx.116
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server xxx.xxx.xxx.117
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received subnet 0.0.0.0/0
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Subnet 0.0.0.0/0 already has an spd_route - ignoring
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:f792899c proposal=AES_CBC_256-HMAC_SHA1_96-MODP1536 pfsgroup=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=f792899c, length=28
May 9 20:53:59 rather pluto[31225]: | ISAKMP Notification Payload
May 9 20:53:59 rather pluto[31225]: | 00 00 00 1c 00 00 00 01 03 04 60 00
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: updating resolvconf
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: backup resolv.conf exists, but current resolv.conf is not generated by Libreswan
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=xxx.xxx.xxx.5:4500 DPD=passive username=myself}
May 9 20:54:01 rather pluto[31225]: "my-vpn" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
May 9 20:54:05 rather pluto[31225]: "my-vpn" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
May 9 20:54:13 rather pluto[31225]: "my-vpn" #2: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
May 9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May 9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May 9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May 9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload: self-deleting ISAKMP State #1
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: deleting state (STATE_MAIN_I4) and sending notification
May 9 20:54:24 rather pluto[31225]: packet from xxx.xxx.xxx.5:4500: received and ignored empty informational notification payload
May 9 20:54:35 rather pluto[31225]: forgetting secrets
May 9 20:54:35 rather pluto[31225]: "my-vpn": deleting non-instance connection
May 9 20:54:35 rather pluto[31225]: "my-vpn" #2: deleting state (STATE_QUICK_I2) and sending notification
May 9 20:54:35 rather pluto[31225]: "my-vpn" #2: ESP traffic information: in=101KB out=0B XAUTHuser=myself
May 9 20:54:35 rather pluto[31225]: "my-vpn": unroute-client output: need at least a destination address
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo ::1:500
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo 127.0.0.1:4500
May 9 20:54:35 rather pluto[31225]: shutting down interface lo/lo 127.0.0.1:500
May 9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0 192.168.178.21:4500
May 9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0 192.168.178.21:500
Hope this helps.
thanks and cheers
t.
> Paul
>
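As an added triage helper (not code from this thread or from Libreswan), the script below parses one `ipsec whack --trafficstatus` line and a handful of pluto log lines of the kind quoted above and correlates them into the points Paul asked about: the IKE SA coming up, XAUTH and the ModeCfg address, the IPsec SA, the peer's Delete SA, and ESP counters that only go one way. The sample lines are constructed from this thread, with RFC 5737 documentation addresses standing in for the masked `xxx.xxx.xxx.*` values.

```python
import re

# Constructed sample input modelled on this thread's output; RFC 5737 documentation
# addresses stand in for the masked xxx.xxx.xxx.* values shown in the thread.
TRAFFICSTATUS = ('006 #2: "my-vpn", username=myself, type=ESP, '
                 'add_time=1525892039, inBytes=0, outBytes=95061')

PLUTO_LOG = """\
May 9 20:53:49 rather pluto[31225]: "my-vpn": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
May 9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Successfully Authenticated
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received IPv4 address: 203.0.113.193/32
May 9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received subnet 0.0.0.0/0
May 9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=203.0.113.5:4500 DPD=passive username=myself}
May 9 20:54:13 rather pluto[31225]: "my-vpn" #2: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
May 9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload: self-deleting ISAKMP State #1
"""

# One 'ipsec whack --trafficstatus' line: SA number, connection name, byte counters.
STATUS_RE = re.compile(
    r'#(?P<sa>\d+): "(?P<conn>[^"]+)".*?\binBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)')
# A pluto line that belongs to a connection, optionally to a numbered state (#1, #2).
LOG_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
CIPHER_RE = re.compile(r'cipher=(\w+)')


def parse_trafficstatus(line):
    """Return {'sa', 'conn', 'inBytes', 'outBytes'} for a trafficstatus line, else None."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    return {'sa': int(m['sa']), 'conn': m['conn'],
            'inBytes': int(m['inb']), 'outBytes': int(m['outb'])}


def analyze(status_line, log_text):
    """Correlate the ESP counters with the SA lifecycle in the pluto log and list findings."""
    report = {'ike_sa_up': False, 'xauth_ok': False, 'assigned_address': None,
              'ipsec_sa_up': False, 'peer_deleted_ike_sa': False, 'findings': []}
    counters = parse_trafficstatus(status_line)
    if counters and counters['outBytes'] > 0 and counters['inBytes'] == 0:
        # Encrypted traffic leaves the client but nothing comes back through the tunnel.
        report['findings'].append(
            'one-way ESP: %d bytes sent, 0 received; the peer is not returning traffic '
            'for the assigned address (check its routing/NAT for that address)'
            % counters['outBytes'])
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m['msg']
        if 'Aggressive Mode with PSK' in msg:
            report['findings'].append(
                'IKEv1 aggressive mode with PSK: offline-crackable; prefer IKEv2 or main mode')
        if 'ISAKMP SA established' in msg:
            report['ike_sa_up'] = True
            c = CIPHER_RE.search(msg)
            if c and c.group(1).startswith('3des'):
                report['findings'].append('IKE SA negotiated legacy cipher %s' % c.group(1))
        elif 'XAUTH: Successfully Authenticated' in msg:
            report['xauth_ok'] = True
        elif msg.startswith('Received IPv4 address: '):
            report['assigned_address'] = msg.split(': ', 1)[1]
        elif 'IPsec SA established' in msg:
            report['ipsec_sa_up'] = True
        elif 'exhausted retransmission' in msg:
            report['findings'].append(
                'peer kept resending its Quick Mode message; our replies may not reach it')
        elif 'received Delete SA payload' in msg:
            report['peer_deleted_ike_sa'] = True
            note = 'peer deleted IKE SA #%s' % m['sa']
            if report['ipsec_sa_up']:
                note += ' while the IPsec SA stayed up'
            report['findings'].append(note)
    return report


if __name__ == '__main__':
    for finding in analyze(TRAFFICSTATUS, PLUTO_LOG)['findings']:
        print('-', finding)
```

Feed it the real `ipsec whack --trafficstatus` output and `journalctl -u ipsec` lines to get the same summary for a live connection.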