[Swan] ip address assignment

Thomas Stein himbeere at meine-oma.de
Wed May 9 19:10:48 UTC 2018


On Wednesday, 9 May 2018 19:48:20 CEST you wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
> 
> > Now I have the routes in question. But still no internet connectivity.
> 
> > 000
> > 000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> > 000 #2: "my-vpn" esp.4535607f at xxx.xxx.xxx.5 esp.5fe2f13b at 192.168.178.21 tun.0 at xxx.xxx.xxx.5 tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
> 
> This is odd. Your IKE SA established, setup the IPsec SA successfully,
> and then vanished?
> 
> > rather /etc/ipsec.d # ip r
> > 0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007
> > 128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
> > 192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 200
> 
> That looks good.
> 
> > Am I supposed to have some iptables rules? I have none so far:
> 
> Nope.
> 
> What does "ipsec whack --trafficstatus" show for the traffic counters?

rather ~ # ipsec whack --trafficstatus
006 #2: "my-vpn", username=myself, type=ESP, add_time=1525892039, inBytes=0, outBytes=95061

> It would be useful to see the pluto logs too and see why your IKE SA
> died.

May  9 20:53:22 rather pluto[31225]: NSS DB directory: sql:/etc/ipsec.d
May  9 20:53:22 rather pluto[31225]: Initializing NSS
May  9 20:53:22 rather pluto[31225]: Opening NSS database "sql:/etc/ipsec.d" read-only
May  9 20:53:22 rather pluto[31225]: NSS initialized
May  9 20:53:22 rather pluto[31225]: NSS crypto library initialized
May  9 20:53:22 rather pluto[31225]: FIPS HMAC integrity support [disabled]
May  9 20:53:22 rather pluto[31225]: libcap-ng support [disabled]
May  9 20:53:22 rather pluto[31225]: Linux audit support [disabled]
May  9 20:53:22 rather pluto[31225]: Starting Pluto (Libreswan Version 3.24rc4 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SECCOMP XAUTH_PAM NETWORKMANAGER) pid:31225
May  9 20:53:22 rather pluto[31225]: core dump dir: /run/pluto
May  9 20:53:22 rather pluto[31225]: secrets file: /etc/ipsec.secrets
May  9 20:53:22 rather pluto[31225]: leak-detective disabled
May  9 20:53:22 rather pluto[31225]: NSS crypto [enabled]
May  9 20:53:22 rather pluto[31225]: XAUTH PAM support [enabled]
May  9 20:53:22 rather pluto[31225]: NAT-Traversal support  [enabled]
May  9 20:53:22 rather pluto[31225]: Initializing libevent in pthreads mode: headers: 2.1.7-beta (2010700); library: 2.1.7-beta (2010700)
May  9 20:53:22 rather pluto[31225]: Encryption algorithms:
May  9 20:53:22 rather pluto[31225]:   AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
May  9 20:53:22 rather pluto[31225]:   AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
May  9 20:53:22 rather pluto[31225]:   AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
May  9 20:53:22 rather pluto[31225]:   3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
May  9 20:53:22 rather pluto[31225]:   CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
May  9 20:53:22 rather pluto[31225]:   CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (camellia)
May  9 20:53:22 rather pluto[31225]:   AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
May  9 20:53:22 rather pluto[31225]:   AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
May  9 20:53:22 rather pluto[31225]:   AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
May  9 20:53:22 rather pluto[31225]:   AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
May  9 20:53:22 rather pluto[31225]:   AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
May  9 20:53:22 rather pluto[31225]:   SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (serpent)
May  9 20:53:22 rather pluto[31225]:   TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (twofish)
May  9 20:53:22 rather pluto[31225]:   TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
May  9 20:53:22 rather pluto[31225]:   CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128}  (cast)
May  9 20:53:22 rather pluto[31225]:   NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  (aes_gmac)
May  9 20:53:22 rather pluto[31225]:   NULL                IKEv1:     ESP     IKEv2:     ESP           []
May  9 20:53:22 rather pluto[31225]: Hash algorithms:
May  9 20:53:22 rather pluto[31225]:   MD5                 IKEv1: IKE         IKEv2:                 
May  9 20:53:22 rather pluto[31225]:   SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
May  9 20:53:22 rather pluto[31225]:   SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
May  9 20:53:22 rather pluto[31225]:   SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
May  9 20:53:22 rather pluto[31225]:   SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
May  9 20:53:22 rather pluto[31225]: PRF algorithms:
May  9 20:53:22 rather pluto[31225]:   HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
May  9 20:53:22 rather pluto[31225]:   AES_XCBC            IKEv1:             IKEv2: IKE               (aes128_xcbc)
May  9 20:53:22 rather pluto[31225]: Integrity algorithms:
May  9 20:53:22 rather pluto[31225]:   HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5 hmac_md5)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
May  9 20:53:22 rather pluto[31225]:   HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
May  9 20:53:22 rather pluto[31225]:   AES_XCBC_96         IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS  (aes_xcbc aes128_xcbc aes128_xcbc_96)
May  9 20:53:22 rather pluto[31225]:   AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
May  9 20:53:22 rather pluto[31225]:   NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
May  9 20:53:22 rather pluto[31225]: DH algorithms:
May  9 20:53:22 rather pluto[31225]:   NONE                IKEv1:             IKEv2: IKE ESP AH        (null dh0)
May  9 20:53:22 rather pluto[31225]:   MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
May  9 20:53:22 rather pluto[31225]:   MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
May  9 20:53:22 rather pluto[31225]:   MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
May  9 20:53:22 rather pluto[31225]:   MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
May  9 20:53:22 rather pluto[31225]:   MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
May  9 20:53:22 rather pluto[31225]:   MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
May  9 20:53:22 rather pluto[31225]:   MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
May  9 20:53:22 rather pluto[31225]:   DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
May  9 20:53:22 rather pluto[31225]:   DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
May  9 20:53:22 rather pluto[31225]:   DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
May  9 20:53:22 rather pluto[31225]:   DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
May  9 20:53:22 rather pluto[31225]:   DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
May  9 20:53:22 rather pluto[31225]: starting up 3 crypto helpers
May  9 20:53:22 rather pluto[31225]: started thread for crypto helper 0
May  9 20:53:22 rather pluto[31225]: started thread for crypto helper 1
May  9 20:53:22 rather pluto[31225]: started thread for crypto helper 2
May  9 20:53:22 rather pluto[31225]: Using Linux XFRM/NETKEY IPsec interface code on 4.16.5
May  9 20:53:22 rather pluto[31225]: added connection description "my-vpn"
May  9 20:53:22 rather pluto[31225]: listening for IKE messages
May  9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0 192.168.178.21:500
May  9 20:53:22 rather pluto[31225]: adding interface wlan0/wlan0 192.168.178.21:4500
May  9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:500
May  9 20:53:22 rather pluto[31225]: adding interface lo/lo 127.0.0.1:4500
May  9 20:53:22 rather pluto[31225]: adding interface lo/lo ::1:500
May  9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 19
May  9 20:53:22 rather pluto[31225]: | setup callback for interface lo:4500 fd 18
May  9 20:53:22 rather pluto[31225]: | setup callback for interface lo:500 fd 17
May  9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:4500 fd 16
May  9 20:53:22 rather pluto[31225]: | setup callback for interface wlan0:500 fd 15
May  9 20:53:22 rather pluto[31225]: loading secrets from "/etc/ipsec.secrets"
May  9 20:53:49 rather pluto[31225]: "my-vpn": deleting non-instance connection
May  9 20:53:49 rather pluto[31225]: added connection description "my-vpn"
May  9 20:53:49 rather pluto[31225]: "my-vpn": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in aggressive mode can cause interop failure
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: initiating Aggressive Mode
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: multiple DH groups in aggressive mode can cause interop failure
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de000502f2]
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.5'
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.5'
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Answering XAUTH challenge with user='myself'
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: retransmission; will wait 0.5 seconds for response
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Successfully Authenticated
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: modecfg: Sending IP request (MODECFG_I1)
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received IPv4 address: xxx.xxx.xxx.193/32
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server xxx.xxx.xxx.116
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received DNS server xxx.xxx.xxx.117
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received subnet 0.0.0.0/0
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Subnet 0.0.0.0/0 already has an spd_route - ignoring
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:f792899c proposal=AES_CBC_256-HMAC_SHA1_96-MODP1536 pfsgroup=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=f792899c, length=28
May  9 20:53:59 rather pluto[31225]: | ISAKMP Notification Payload
May  9 20:53:59 rather pluto[31225]: |   00 00 00 1c  00 00 00 01  03 04 60 00
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: updating resolvconf
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: up-client output: backup resolv.conf exists, but current resolv.conf is not generated by Libreswan
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=xxx.xxx.xxx.5:4500 DPD=passive username=myself}
May  9 20:54:01 rather pluto[31225]: "my-vpn" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
May  9 20:54:05 rather pluto[31225]: "my-vpn" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
May  9 20:54:13 rather pluto[31225]: "my-vpn" #2: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
May  9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May  9 20:54:14 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May  9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received old or duplicate R_U_THERE
May  9 20:54:19 rather pluto[31225]: "my-vpn" #1: DPD: received less than 3 duplicate R_U_THERE's - will reluctantly answer
May  9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload: self-deleting ISAKMP State #1
May  9 20:54:24 rather pluto[31225]: "my-vpn" #1: deleting state (STATE_MAIN_I4) and sending notification
May  9 20:54:24 rather pluto[31225]: packet from xxx.xxx.xxx.5:4500: received and ignored empty informational notification payload
May  9 20:54:35 rather pluto[31225]: forgetting secrets
May  9 20:54:35 rather pluto[31225]: "my-vpn": deleting non-instance connection
May  9 20:54:35 rather pluto[31225]: "my-vpn" #2: deleting state (STATE_QUICK_I2) and sending notification
May  9 20:54:35 rather pluto[31225]: "my-vpn" #2: ESP traffic information: in=101KB out=0B XAUTHuser=myself
May  9 20:54:35 rather pluto[31225]: "my-vpn": unroute-client output: need at least a destination address
May  9 20:54:35 rather pluto[31225]: shutting down interface lo/lo ::1:500
May  9 20:54:35 rather pluto[31225]: shutting down interface lo/lo 127.0.0.1:4500
May  9 20:54:35 rather pluto[31225]: shutting down interface lo/lo 127.0.0.1:500
May  9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0 192.168.178.21:4500
May  9 20:54:35 rather pluto[31225]: shutting down interface wlan0/wlan0 192.168.178.21:500

Hope this helps.

thanks and cheers
t.

> Paul
> 
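A triage script for the session above, added here as an example; it is not part of the thread and not Libreswan code. It parses the pluto lines and the `ipsec whack --trafficstatus` line, reports the negotiated IKE and ESP parameters, flags the aggressive-mode PSK exchange and the 3DES/SHA-1/MODP1536 proposal, notices that ESP counters are one-way and that the gateway sent a Delete SA for the ISAKMP SA. It also reports that the trafficstatus counters (inBytes=0, outBytes=95061) and the shutdown summary (in=101KB out=0B) disagree on which direction is zero, and leaves the verdict to the kernel counters. The sample lines are constructed from the posted log with RFC 5737 addresses in place of the masked ones; the "legacy" classification and the main-mode line used for the negative check are assumptions of this example.

```python
"""Triage a Libreswan IKEv1/XAUTH client session from pluto log lines plus
one `ipsec whack --trafficstatus` line: report the negotiated parameters,
flag dictionary-attackable or legacy choices, spot one-way ESP traffic, and
note when the peer tore down the IKE SA.  Added example, not Libreswan code.
Sample inputs are constructed after the thread's log (RFC 5737 addresses)."""
import re

# Constructed sample, condensed from the thread's pluto log.
SAMPLE_LOG = """\
May  9 20:53:49 rather pluto[31225]: "my-vpn": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
May  9 20:53:49 rather pluto[31225]: "my-vpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: XAUTH: Successfully Authenticated
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: Received IPv4 address: 198.51.100.193/32
May  9 20:53:59 rather pluto[31225]: "my-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
May  9 20:53:59 rather pluto[31225]: "my-vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x45356086 <0x8689505c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=203.0.113.5:4500 DPD=passive username=myself}
May  9 20:54:24 rather pluto[31225]: "my-vpn" #1: received Delete SA payload: self-deleting ISAKMP State #1
May  9 20:54:35 rather pluto[31225]: "my-vpn" #2: ESP traffic information: in=101KB out=0B XAUTHuser=myself
"""
SAMPLE_TRAFFICSTATUS = ('006 #2: "my-vpn", username=myself, type=ESP, '
                        'add_time=1525892039, inBytes=0, outBytes=95061')

# Classification is this example's own assumption: 3DES (64-bit block),
# SHA-1/MD5 integrity and MODP groups below 2048 bits get flagged.
LEGACY = {"3des_cbc_192", "3des", "des_cbc", "cast_cbc",
          "md5", "sha", "sha1",
          "MODP768", "MODP1024", "MODP1536"}

_RE_TS = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)")
_RE_ISAKMP = re.compile(r"#(?P<sa>\d+): (?P<state>STATE_\w+): .*ISAKMP SA established "
                        r"\{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) "
                        r"integ=(?P<integ>\S+) group=(?P<group>[^}]+)\}")
_RE_IPSEC = re.compile(r"#(?P<sa>\d+): STATE_QUICK_I2: .*IPsec SA established .*xfrm=(?P<xfrm>\S+)")
_RE_DELETE = re.compile(r"received Delete SA payload")
_RE_ESPINFO = re.compile(r"ESP traffic information: in=(?P<inb>\S+) out=(?P<outb>\S+)")
_RE_TRAFFIC = re.compile(r'#(?P<sa>\d+): "(?P<conn>[^"]+)".*type=ESP.*'
                         r"inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(text):
    """'101KB' -> 103424; pluto prints human-readable units in its summaries."""
    m = re.fullmatch(r"(\d+)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_trafficstatus(line):
    """One `ipsec whack --trafficstatus` ESP line -> SA number, conn, byte counters."""
    m = _RE_TRAFFIC.search(line)
    if not m:
        raise ValueError(f"not a trafficstatus ESP line: {line!r}")
    return {"sa": int(m["sa"]), "conn": m["conn"],
            "inBytes": int(m["inb"]), "outBytes": int(m["outb"])}


def triage(log, trafficstatus=""):
    """Return negotiated parameters, counters and a list of (code, explanation) findings."""
    ike = esp = esp_info = peer_delete_ts = None
    for line in log.splitlines():
        ts = _RE_TS.match(line)
        ts = ts.group("ts") if ts else "?"
        if ike is None and (m := _RE_ISAKMP.search(line)):   # first ISAKMP line reveals the mode
            ike = m.groupdict()
            ike["mode"] = "aggressive" if ike["state"].startswith("STATE_AGGR") else "main"
        elif esp is None and (m := _RE_IPSEC.search(line)):
            esp = m.groupdict()
        elif _RE_DELETE.search(line):
            peer_delete_ts = ts
        elif (m := _RE_ESPINFO.search(line)):
            esp_info = {"in": parse_size(m["inb"]), "out": parse_size(m["outb"])}
    counters = parse_trafficstatus(trafficstatus) if trafficstatus else None

    findings = []
    if ike:
        if ike["mode"] == "aggressive" and ike["auth"] == "PRESHARED_KEY":
            findings.append(("aggressive-mode-psk",
                             "the PSK-derived hash is exchanged before encryption starts, "
                             "so a passive observer can run an offline dictionary attack"))
        legacy = [v for v in (ike["cipher"], ike["integ"], ike["group"]) if v in LEGACY]
        if legacy:
            findings.append(("legacy-ike-proposal", ", ".join(legacy)))
    if counters and counters["inBytes"] == 0 and counters["outBytes"] > 0:
        findings.append(("one-way-esp",
                         "ESP leaves but nothing returns: check the gateway's route/NAT "
                         "for the assigned address and the UDP/4500 return path"))
    if esp_info and counters and (esp_info["in"] == 0) != (counters["inBytes"] == 0):
        findings.append(("counter-direction-mismatch",
                         "trafficstatus and the shutdown summary disagree on which "
                         "direction is zero; confirm with `ip -s xfrm state`"))
    if peer_delete_ts:
        findings.append(("peer-deleted-ike-sa",
                         f"at {peer_delete_ts} the gateway sent Delete SA for the ISAKMP SA; "
                         "the IPsec SA stayed installed without the parent that DPD and rekeying run over"))
    return {"ike": ike, "esp": esp, "counters": counters,
            "esp_info": esp_info, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_TRAFFICSTATUS)
    print("IKE:", report["ike"], "\nESP:", report["esp"])
    for code, why in report["findings"]:
        print(f"[{code}] {why}")
```

Run it against a real session by pasting the relevant `journalctl -u ipsec` lines into the log string and the `ipsec whack --trafficstatus` line into the counters string. The one-way-esp check is the one that matters for the symptom in this thread: packets are encrypted and sent, nothing comes back, so the problem is on the gateway side or the return path rather than in the local IPsec policy.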





