[Swan] INVALID_ID_INFORMATION
LAURIA Giuseppe
giuseppe.lauria at axa-winterthur.ch
Thu Jan 31 18:11:13 UTC 2019
Hi all.
We are using libreswan between two different RedHat Servers and want to do host-to-host transport tunnel encryption to port 8080.
Left: RHEL 7.6 ( SELinux set to Permissive )
libreswan version: libreswan-3.25-2.el7.x86_64
Right: RHEL 6.10
Libreswan version : libreswan-3.15-7.5.el6_9.x86_64
I initialized NSS DB
ipsec initnss
Imported the certificate and used the nickname to reference them in the connection config file.
They seem to talk to each other, but then the message "sending encrypted notification INVALID_ID_INFORMATION" appears.
I have to say that the left certificate has a CN which contains a left-server-alias for the load balancer, which is not yet in place. But the certificate also has a SAN list which contains the correct hostname.
But if libreswan ignores the SAN and checks for the exact entry in the first DN, then this will fail.
Can you say whether libreswan also checks the SAN entries?
pluto.log from Server right:
Jan 31 18:28:23: added connection description "cloud_core_tunnel"
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload [Dead Peer Detection]
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload [FRAGMENTATION]
Jan 31 18:31:13: packet from <left-IP>:500: received Vendor ID payload [RFC 3947]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 31 18:31:13: packet from <left-IP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jan 31 18:31:13: "cloud_core_tunnel" #681: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jan 31 18:31:13: "cloud_core_tunnel" #681: responding to Main Mode
Jan 31 18:31:13: "cloud_core_tunnel" #681: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 31 18:31:13: "cloud_core_tunnel" #681: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 31 18:31:13: "cloud_core_tunnel" #681: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Jan 31 18:31:13: "cloud_core_tunnel" #681: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 31 18:31:13: "cloud_core_tunnel" #681: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:14: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:14: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:15: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:15: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:15: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:15: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:17: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:17: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:17: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:17: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:21: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:21: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:21: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:21: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:29: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:29: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:29: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:29: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:36: "cloud_core_tunnel": deleting connection
Jan 31 18:31:36: "cloud_core_tunnel" #681: deleting state #681 (STATE_MAIN_R2)
Jan 31 18:31:36: added connection description "cloud_core_tunnel"
Jan 31 18:31:43: "cloud_core_tunnel" #682: initiating Main Mode
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload [Dead Peer Detection]
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload [FRAGMENTATION]
Jan 31 18:31:43: "cloud_core_tunnel" #682: received Vendor ID payload [RFC 3947]
Jan 31 18:31:43: "cloud_core_tunnel" #682: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jan 31 18:31:43: "cloud_core_tunnel" #682: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 31 18:31:43: "cloud_core_tunnel" #682: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 31 18:31:43: "cloud_core_tunnel" #682: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Jan 31 18:31:43: "cloud_core_tunnel" #682: I am sending my cert
Jan 31 18:31:43: "cloud_core_tunnel" #682: I am sending a certificate request
Jan 31 18:31:43: "cloud_core_tunnel" #682: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 31 18:31:43: "cloud_core_tunnel" #682: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 31 18:31:43: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:43: | ISAKMP Notification Payload
Jan 31 18:31:43: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:43: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:43: "cloud_core_tunnel" #682: discarding duplicate packet; already STATE_MAIN_I3
Jan 31 18:31:43: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:43: | ISAKMP Notification Payload
Jan 31 18:31:43: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:43: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:44: "cloud_core_tunnel" #682: discarding duplicate packet; already STATE_MAIN_I3
Jan 31 18:31:44: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:44: | ISAKMP Notification Payload
Jan 31 18:31:44: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:44: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:45: "cloud_core_tunnel" #682: discarding duplicate packet; already STATE_MAIN_I3
Jan 31 18:31:45: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:45: | ISAKMP Notification Payload
Jan 31 18:31:45: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:45: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:31:45: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:31:47: "cloud_core_tunnel" #682: discarding duplicate packet; already STATE_MAIN_I3
Jan 31 18:31:47: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:47: | ISAKMP Notification Payload
Jan 31 18:31:47: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:47: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:51: "cloud_core_tunnel" #682: discarding duplicate packet; already STATE_MAIN_I3
Jan 31 18:31:51: "cloud_core_tunnel" #682: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:51: | ISAKMP Notification Payload
Jan 31 18:31:51: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:51: "cloud_core_tunnel" #682: received and ignored informational message
Jan 31 18:31:54: "cloud_core_tunnel": terminating SAs using this connection
Jan 31 18:31:54: "cloud_core_tunnel" #682: deleting state #682 (STATE_MAIN_I3)
Jan 31 18:31:59: packet from <left-IP>:500: phase 1 message is part of an unknown exchange
Jan 31 18:32:24: "cloud_core_tunnel": deleting connection
pluto.log from Server left:
Jan 31 18:30:59.087939: shutting down
Jan 31 18:30:59.088214: forgetting secrets
Jan 31 18:30:59.088246: shutting down interface eth1/eth1 <left-IP>:4500
Jan 31 18:30:59.088251: shutting down interface eth1/eth1 <left-IP>:500
Jan 31 18:30:59.088662: leak detective found no leaks
Jan 31 18:31:02.693356: FIPS Product: NO
Jan 31 18:31:02.693488: FIPS Kernel: NO
Jan 31 18:31:02.693492: FIPS Mode: NO
Jan 31 18:31:02.693496: NSS DB directory: sql:/etc/ipsec.d
Jan 31 18:31:02.693578: Initializing NSS
Jan 31 18:31:02.693601: Opening NSS database "sql:/etc/ipsec.d" read-only
Jan 31 18:31:02.815400: NSS initialized
Jan 31 18:31:02.815418: NSS crypto library initialized
Jan 31 18:31:02.815423: FIPS HMAC integrity support [enabled]
Jan 31 18:31:02.815427: FIPS mode disabled for pluto daemon
Jan 31 18:31:02.840930: FIPS HMAC integrity verification self-test passed
Jan 31 18:31:02.841604: libcap-ng support [enabled]
Jan 31 18:31:02.841616: Linux audit support [enabled]
Jan 31 18:31:02.841804: Linux audit activated
Jan 31 18:31:02.841811: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:58065
Jan 31 18:31:02.841815: core dump dir: /run/pluto
Jan 31 18:31:02.841819: secrets file: /etc/ipsec.secrets
Jan 31 18:31:02.841822: leak-detective enabled
Jan 31 18:31:02.841836: NSS crypto [enabled]
Jan 31 18:31:02.841840: XAUTH PAM support [enabled]
Jan 31 18:31:02.841900: NAT-Traversal support [enabled]
Jan 31 18:31:02.841926: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Jan 31 18:31:02.842148: Encryption algorithms:
Jan 31 18:31:02.842161: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Jan 31 18:31:02.842174: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Jan 31 18:31:02.842181: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Jan 31 18:31:02.842188: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Jan 31 18:31:02.842195: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Jan 31 18:31:02.842201: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
Jan 31 18:31:02.842207: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Jan 31 18:31:02.842213: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Jan 31 18:31:02.842220: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Jan 31 18:31:02.842226: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Jan 31 18:31:02.842231: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
Jan 31 18:31:02.842237: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
Jan 31 18:31:02.842243: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
Jan 31 18:31:02.842250: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Jan 31 18:31:02.842256: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
Jan 31 18:31:02.842262: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)
Jan 31 18:31:02.842266: NULL IKEv1: ESP IKEv2: ESP []
Jan 31 18:31:02.842274: Hash algorithms:
Jan 31 18:31:02.842279: MD5 IKEv1: IKE IKEv2:
Jan 31 18:31:02.842283: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
Jan 31 18:31:02.842287: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Jan 31 18:31:02.842291: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
Jan 31 18:31:02.842294: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
Jan 31 18:31:02.842302: PRF algorithms:
Jan 31 18:31:02.842307: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
Jan 31 18:31:02.842311: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
Jan 31 18:31:02.842314: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
Jan 31 18:31:02.842318: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
Jan 31 18:31:02.842323: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
Jan 31 18:31:02.842327: AES_XCBC IKEv1: IKEv2: IKE FIPS (aes128_xcbc)
Jan 31 18:31:02.842336: Integrity algorithms:
Jan 31 18:31:02.842340: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
Jan 31 18:31:02.842344: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
Jan 31 18:31:02.842348: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
Jan 31 18:31:02.842352: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
Jan 31 18:31:02.842356: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Jan 31 18:31:02.842360: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
Jan 31 18:31:02.842364: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
Jan 31 18:31:02.842368: NONE IKEv1: ESP IKEv2: ESP FIPS (null)
Jan 31 18:31:02.842378: DH algorithms:
Jan 31 18:31:02.842382: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)
Jan 31 18:31:02.842388: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
Jan 31 18:31:02.842393: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
Jan 31 18:31:02.842397: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
Jan 31 18:31:02.842400: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
Jan 31 18:31:02.842404: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
Jan 31 18:31:02.842408: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
Jan 31 18:31:02.842412: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
Jan 31 18:31:02.842416: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
Jan 31 18:31:02.842419: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
Jan 31 18:31:02.842423: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
Jan 31 18:31:02.842427: DH22 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
Jan 31 18:31:02.842431: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Jan 31 18:31:02.842434: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Jan 31 18:31:02.844407: starting up 4 crypto helpers
Jan 31 18:31:02.844477: started thread for crypto helper 0
Jan 31 18:31:02.844500: started thread for crypto helper 1
Jan 31 18:31:02.844519: started thread for crypto helper 2
Jan 31 18:31:02.844537: started thread for crypto helper 3
Jan 31 18:31:02.844671: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-957.1.3.el7.x86_64
Jan 31 18:31:02.876826: | selinux support is enabled.
Jan 31 18:31:02.877271: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Jan 31 18:31:02.877280: watchdog: sending probes every 100 secs
Jan 31 18:31:02.891177: listening for IKE messages
Jan 31 18:31:02.891406: adding interface eth1/eth1 <left-IP>:500
Jan 31 18:31:02.891462: adding interface eth1/eth1 <left-IP>:4500
Jan 31 18:31:02.891471: skipping interface eth0 with 10.99.8.131
Jan 31 18:31:02.891477: skipping interface lo with 127.0.0.1
Jan 31 18:31:02.891537: | setup callback for interface eth1:4500 fd 17
Jan 31 18:31:02.891546: | setup callback for interface eth1:500 fd 16
Jan 31 18:31:02.891580: loading secrets from "/etc/ipsec.secrets"
Jan 31 18:31:02.891652: loading secrets from "/etc/ipsec.d/ivoryserver.secrets"
Jan 31 18:31:02.892423: "/etc/ipsec.d/ivoryserver.secrets" line 1: WARNING: The :RSA secrets entries for X.509 certificates are no longer needed
Jan 31 18:31:02.892466: loading secrets from "/etc/ipsec.d/lagu-conn.secrets"
Jan 31 18:31:02.892519: loaded private key for keyid: PKK_RSA:AwEAAai2q
Jan 31 18:31:06.032957: added connection description "cloud_core_tunnel"
Jan 31 18:31:13.233300: "cloud_core_tunnel" #1: initiating Main Mode
Jan 31 18:31:13.239412: "cloud_core_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 31 18:31:13.244679: "cloud_core_tunnel" #1: I am sending my cert
Jan 31 18:31:13.244704: "cloud_core_tunnel" #1: I am sending a certificate request
Jan 31 18:31:13.250324: "cloud_core_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 31 18:31:13.254655: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:13.254681: | ISAKMP Notification Payload
Jan 31 18:31:13.254688: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:13.254694: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:13.744914: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
Jan 31 18:31:13.747787: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:13.747805: | ISAKMP Notification Payload
Jan 31 18:31:13.747811: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:13.747815: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:14.246371: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
Jan 31 18:31:14.249222: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:14.249243: | ISAKMP Notification Payload
Jan 31 18:31:14.249249: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:14.249253: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:15.248312: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 2 seconds for response
Jan 31 18:31:15.252637: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:15.252657: | ISAKMP Notification Payload
Jan 31 18:31:15.252662: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:15.252666: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:17.249826: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
Jan 31 18:31:17.252971: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:17.252991: | ISAKMP Notification Payload
Jan 31 18:31:17.252996: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:17.253001: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:21.254066: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 8 seconds for response
Jan 31 18:31:21.257004: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:21.257027: | ISAKMP Notification Payload
Jan 31 18:31:21.257032: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:21.257037: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:29.260002: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 16 seconds for response
Jan 31 18:31:29.263114: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:29.263137: | ISAKMP Notification Payload
Jan 31 18:31:29.263143: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:29.263151: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:42.978288: "cloud_core_tunnel" #2: responding to Main Mode
Jan 31 18:31:42.978398: "cloud_core_tunnel" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 31 18:31:42.983222: "cloud_core_tunnel" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 31 18:31:42.992330: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:43.000467: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.000482: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:43.000487: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:43.000500: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:43.487204: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
Jan 31 18:31:43.487366: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:43.490862: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.490874: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:43.490879: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:43.490893: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:43.988658: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
Jan 31 18:31:43.989154: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:43.993705: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.993720: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:43.993726: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:43.993741: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:44.990237: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
Jan 31 18:31:44.990425: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:44.994998: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:44.995013: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:44.995019: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:44.995035: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:45.265441: "cloud_core_tunnel" #1: STATE_MAIN_I3: retransmission; will wait 32 seconds for response
Jan 31 18:31:46.992124: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
Jan 31 18:31:46.992551: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:46.996179: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:46.996195: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:46.996201: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:46.996214: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:50.996673: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 8 seconds for response
Jan 31 18:31:50.996866: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:51.001665: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:51.001680: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:51.001687: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:51.001702: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
Jan 31 18:31:59.009857: "cloud_core_tunnel" #2: STATE_MAIN_R2: retransmission; will wait 16 seconds for response
Jan 31 18:32:02.096743: "cloud_core_tunnel": terminating SAs using this connection
Jan 31 18:32:02.096778: "cloud_core_tunnel" #2: deleting state (STATE_MAIN_R2) and NOT sending notification
Jan 31 18:32:02.096866: "cloud_core_tunnel" #1: deleting state (STATE_MAIN_I3) and NOT sending notification
Jan 31 18:32:12.578197: "cloud_core_tunnel": deleting non-instance connection
Thank you very much for the help.
Best regards.
Giuseppe
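Added example (not part of the original post, and not libreswan code): a small Python triage of the pluto.log lines above. It collapses the retransmission rounds into one record per state, keeps the messages logged just before each INVALID_ID_INFORMATION was sent, and decodes the 12-byte notification payload dump using the RFC 2408 layout. The sample lines are copied from the two logs in the post; the function names are made up for this example.

```python
import re
import struct
from collections import OrderedDict

# Subset of ISAKMP notify message types (RFC 2408, section 3.14.1).
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 17: "INVALID-KEY-INFORMATION",
                18: "INVALID-ID-INFORMATION", 19: "INVALID-CERT-ENCODING",
                20: "INVALID-CERTIFICATE"}

LINE = re.compile(r'^(\w{3} +\d+ [\d:.]+): (?:"([^"]+)" (#\d+): )?(.*)$')
PEER_ID = re.compile(r"peer ID is (\w+): '(.*)'", re.IGNORECASE)
SENT = re.compile(r"sending encrypted notification (\w+) to (\S+)")
RECEIVED = re.compile(r"ignoring informational payload (\w+),")
HEXDUMP = re.compile(r"^\| ((?:[0-9a-f]{2} ?)+)$")

# Constructed sample: excerpts from both hosts' logs in the post, concatenated.
SAMPLE = """\
Jan 31 18:31:13: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:13: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:13: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:14: "cloud_core_tunnel" #681: Main mode peer ID is ID_DER_ASN1_DN: '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: EXPECTATION FAILED at /var/tmp/build-libreswan-3.15-7.5.el6_9.src.rpm/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL
Jan 31 18:31:14: "cloud_core_tunnel" #681: no suitable connection for peer '<CN-of-LB-Alias-which-does-not-yet-exist>'
Jan 31 18:31:14: "cloud_core_tunnel" #681: sending encrypted notification INVALID_ID_INFORMATION to <left-IP>:500
Jan 31 18:31:13.254655: "cloud_core_tunnel" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Jan 31 18:31:13.254681: | ISAKMP Notification Payload
Jan 31 18:31:13.254688: | 00 00 00 0c 00 00 00 01 01 00 00 12
Jan 31 18:31:13.254694: "cloud_core_tunnel" #1: received and ignored informational message
Jan 31 18:31:42.992330: "cloud_core_tunnel" #2: Peer ID is ID_DER_ASN1_DN: '<DN-of-righ-server-alias>'
Jan 31 18:31:43.000467: "cloud_core_tunnel" #2: X509: no EE-cert in chain!
Jan 31 18:31:43.000482: "cloud_core_tunnel" #2: X509: Certificate rejected for this connection
Jan 31 18:31:43.000487: "cloud_core_tunnel" #2: X509: CERT payload bogus or revoked
Jan 31 18:31:43.000500: "cloud_core_tunnel" #2: sending encrypted notification INVALID_ID_INFORMATION to <right-IP>:500
"""


def decode_notification(hexdump):
    """Decode the fixed 12-byte header of an ISAKMP Notification payload."""
    raw = bytes.fromhex(hexdump)  # fromhex() skips the spaces between bytes
    if len(raw) < 12:
        raise ValueError("notification payload header is 12 bytes")
    # next payload, reserved, length, DOI, protocol ID, SPI size, notify type
    _np, _rsvd, length, doi, proto, spi_size, ntype = struct.unpack(">BBHIBBH", raw[:12])
    return {"length": length, "doi": doi, "protocol_id": proto, "spi_size": spi_size,
            "notify_type": ntype, "notify_name": NOTIFY_TYPES.get(ntype, "unknown")}


def triage(log_text):
    """Collapse retransmission rounds into one summary per (connection, state)."""
    states = OrderedDict()
    pending = {}     # messages logged since the last peer-ID line, per state
    last_key = None  # hex-dump lines carry no state prefix: use the last state seen
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, conn, state, msg = m.groups()
        dump = HEXDUMP.match(msg)
        if conn:
            last_key = (conn, state)
        elif not (dump and last_key):
            continue
        s = states.setdefault(last_key, {"peer_id": None, "sent": 0, "received": 0,
                                         "reasons": [], "notify": None})
        if dump:
            if s["received"]:
                s["notify"] = decode_notification(dump.group(1))
        elif PEER_ID.search(msg):
            s["peer_id"] = PEER_ID.search(msg).groups()
            pending[last_key] = []
        elif SENT.search(msg):
            s["sent"] += 1
            for reason in pending.pop(last_key, []):
                if reason not in s["reasons"]:
                    s["reasons"].append(reason)
        elif RECEIVED.search(msg):
            s["received"] += 1
        elif last_key in pending:
            pending[last_key].append(msg)
    return states


if __name__ == "__main__":
    for (conn, state), info in triage(SAMPLE).items():
        print(conn, state, info)
```

On the sample, state #681 (right, responder) rejects because no loaded connection matches the peer's DN, while state #2 (left, responder) rejects at certificate validation; both surface as the same notify type 18 on the wire.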