<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br clear="all"><div>Not sure what to make of this message. Originally I thought it was a warning letting me know that after restarting ipsec the cache was checked and then the private key <br></div><div>had to be loaded again from NSS. I'm not sure where to begin to troubleshoot this and would appreciate some guidance. I'm fairly certain this is a NAT issue but tcpdump</div><div>shows 4500/UDP being used immediately after the initial handshake. I'm still not quite sure where the apparatus is breaking down, so I'm unsure of where to look. After days of</div><div>unsuccessful troubleshooting I'm finally coming to the list. Goal is to make a mesh network, hosts only and not servers, across lots of diverse infrastructure. <br></div><div><br></div><div><br></div><div>Network setup:<b> ipsechost1(172.16.1.61)---> Netgate(76.1XX.2XX.2XX.2xx) <--> AWS(13.57.XXX.XX) --> Thor(10.0.0.47)</b></div><div><br></div><div>Using NSS of course with /etc/ipsec.d/nsspassword (NSS Certificate DB:12345678)</div><div><br></div><div>#Thor god of thunder<br></div><div>conn private<br>        # IPsec mandatory<br>       hostaddrfamily=ipv4<br>        rightrsasigkey=%cert<br>        right=%opportunisticgroup<br>        rightid=%fromcert<br>        rightca=%same<br>        rightmodecfgclient=yes<br>        leftsubnet=<a href="http://10.0.0.47/32">10.0.0.47/32</a><br>        left=%defaultroute<br>        leftcert=Thor<br>        leftsendcert=always<br>        leftid=%cert<br>        leftnexthop=13.57.xxx.xx<br>        leftrsasigkey=%cert<br>        #narrowing=yes<br>        type=tunnel<br>        ikev2=insist<br>        negotiationshunt=hold<br>        failureshunt=drop<br>        keyingtries=0<br>        retransmit-timeout=3s<br>        auto=ondemand<br>        ike=aes256-sha1;modp2048<br>        phase2alg=aes256-sha1;modp2048<br></div><div><br></div><div>#ipsechost1 7 of 9 tertiary 12<br></div><div>conn private<br>        # 
IPsec mandatory<br>        hostaddrfamily=ipv4<br>        rightrsasigkey=%cert<br>        right=%opportunisticgroup<br>        rightid=%fromcert<br>        rightca=%same<br>        left=%defaultroute<br>        leftcert=ipsechost1<br>        leftsendcert=always<br>        leftid=%fromcert<br>        leftrsasigkey=%cert<br>        #narrowing=yes<br>        type=tunnel<br>        ikev2=insist<br>        negotiationshunt=hold<br>        failureshunt=drop<br>        keyingtries=0<br>        retransmit-timeout=3s<br>        auto=ondemand<br>       ike=aes256-sha1;modp2048<br>       phase2alg=aes256-sha1;modp2048<br></div><div><br></div><div>#debug "control"<br></div><div> oppo instantiate d="private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>" from c="private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>" with c->routing prospective erouted, d->routing unrouted<br> new oppo instance: <a href="http://10.0.0.47/32===10.0.0.47---13.57.XXX.XX...76.1XX.2XX.2XX.2xx[%fromcert,+MC+S=C]">10.0.0.47/32===10.0.0.47---13.57.XXX.XX...76.1XX.2XX.2XX.2xx[%fromcert,+MC+S=C]</a><br> oppo_instantiate() instantiated "[1] <b>...76.1XX.2XX.2XX.2xx"private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>: <a href="http://10.0.0.47/32===10.0.0.47---13.57.XXX.XX...76.1XX.2XX.2XX.2xx[%fromcert,+MC+S=C]">10.0.0.47/32===10.0.0.47---13.57.XXX.XX...76.1XX.2XX.2XX.2xx[%fromcert,+MC+S=C]</a></b><br> found connection: private#<a href="http://0.0.0.0/0[1]">0.0.0.0/0[1]</a> ...76.1XX.2XX.2XX.2xx with policy RSASIG+IKEV2_ALLOW<br> constructing local IKE proposals for private#<a href="http://0.0.0.0/0">0.0.0.0/0</a> (IKE SA responder matching remote proposals)<br>Oct  4 14:38:50.476485: packet from 76.1XX.2XX.2XX.2xx:500: constructed local IKE proposals for private#<a href="http://0.0.0.0/0">0.0.0.0/0</a> (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] 
...76.1XX.2XX.2XX.2xx (in initialize_new_state() at ipsec_doi.c:483)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in initialize_new_state() at ipsec_doi.c:501)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in log_stf_suspend() at ikev2.c:2690)<br> "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:2763<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in schedule_event_now_cb() at server.c:558)<br> going to send a certreq<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in complete_v2_state_transition() at ikev2.c:2788)<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in schedule_event_now_cb() at server.c:561)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in processed_retransmit() at ikev2.c:1182)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in ikev2_process_packet() at ikev2.c:1552)<br> processing: start connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: resume connection "private#<a 
href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: stop connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:396)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in processed_retransmit() at ikev2.c:1182)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in ikev2_process_packet() at ikev2.c:1552)<br> processing: start connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: resume connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: stop connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:396)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in processed_retransmit() at ikev2.c:1182)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in ikev2_process_packet() at ikev2.c:1552)<br> processing: start connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: resume connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: stop connection "private#<a 
href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:396)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in processed_retransmit() at ikev2.c:1182)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in ikev2_process_packet() at ikev2.c:1552)<br> processing: start connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1557)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in log_stf_suspend() at ikev2.c:2690)<br> "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1 suspended from complete_v2_state_transition:2763<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: resume connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:395)<br> processing: stop connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in process_md() at demux.c:396)<br> processing: start state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in schedule_event_now_cb() at server.c:558)<br> Now let's proceed with payload (ISAKMP_NEXT_v2CERT)<br> Now let's proceed with payload (ISAKMP_NEXT_v2CERTREQ)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (<span style="background-color:rgb(243,243,243)"><span></span></span>in for_each_state() at state.c:1600)<br> processing: stop state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in for_each_state() at state.c:1600)<br> processing: 
resume state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in for_each_state() at state.c:1600)<br>Oct  4 14:38:50.506799: "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1: <b>certificate verified OK: E=<a href="mailto:admin@mycompany.com">admin@mycompany.com</a>,CN=ipsechost1,OU=Level5,O=mycompany,L=Palo Alto,ST=CA,C=US</b><br>Oct  4 14:38:50.507848: "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1: <b>Authenticated using RSA</b><br><span style="background-color:rgb(255,255,255)"><span style="color:rgb(255,0,0)"><b> private key for cert Thor not found in local cache; loading from NSS DB</b></span></span><br> searching for certificate PKK_RSA:AwEAAeaaN vs PKK_RSA:AwEAAeaaN<b><br>Oct  4 14:38:50.512359: "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1: responding to AUTH message (ID 1) from 76.1XX.2XX.2XX.2xx:61427 with encrypted notification AUTHENTICATION_FAILED</b><br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in complete_v2_state_transition() at ikev2.c:2788)<br> processing: [RE]START state #1 connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (in delete_state() at state.c:969)<br>Oct  4 14:38:50.512478: "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx #1: deleting state (STATE_PARENT_R2) and sending notification<br> in connection_discard for connection private#<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> processing: start connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>"[1] ...76.1XX.2XX.2XX.2xx (BACKGROUND) (in delete_connection() at connections.c:263)<br>    left=76.1XX.2XX.2XX.2xx<br> processing: stop connection "private#<a href="http://0.0.0.0/0">0.0.0.0/0</a>" (BACKGROUND) (in delete_connection() at connections.c:313)<br></div></div></div></div></div></div></div>
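Added triage script (not from the poster or from libreswan) that walks responder-side pluto log lines in the format quoted above and summarises the IKE SA milestones: which source ports the peer's packets arrived from, whether the peer certificate was accepted, whether the local cert's key was reloaded from NSS, and which notification ended the exchange. The sample log is constructed from the lines in the post; the regexes assume the message wording shown there.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the pluto lines quoted in the post (not a capture).
SAMPLE_LOG = """\
Oct  4 14:38:50.476485: packet from 76.1XX.2XX.2XX.2xx:500: constructed local IKE proposals for private#0.0.0.0/0 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048
Oct  4 14:38:50.506799: "private#0.0.0.0/0"[1] ...76.1XX.2XX.2XX.2xx #1: certificate verified OK: E=admin@mycompany.com,CN=ipsechost1,OU=Level5,O=mycompany,L=Palo Alto,ST=CA,C=US
Oct  4 14:38:50.507848: "private#0.0.0.0/0"[1] ...76.1XX.2XX.2XX.2xx #1: Authenticated using RSA
 private key for cert Thor not found in local cache; loading from NSS DB
Oct  4 14:38:50.512359: "private#0.0.0.0/0"[1] ...76.1XX.2XX.2XX.2xx #1: responding to AUTH message (ID 1) from 76.1XX.2XX.2XX.2xx:61427 with encrypted notification AUTHENTICATION_FAILED
Oct  4 14:38:50.512478: "private#0.0.0.0/0"[1] ...76.1XX.2XX.2XX.2xx #1: deleting state (STATE_PARENT_R2) and sending notification
"""

# One pattern per milestone; group(1) is the detail worth keeping.
PATTERNS = {
    "peer_port": re.compile(r"\bfrom [^\s:]+:(\d+)"),  # UDP port the peer's packet came from
    "peer_id": re.compile(r"certificate verified OK: .*?CN=([^,]+)"),
    "peer_auth": re.compile(r"(Authenticated using \w+)"),
    "key_reload": re.compile(r"private key for cert (\S+) not found in local cache"),
    "notify": re.compile(r"with encrypted notification (\w+)"),
    "deleted": re.compile(r"deleting state \((\w+)\)"),
}

def triage(log: str) -> Dict[str, object]:
    """Walk the log in order and record the IKE SA milestones it reports."""
    ev = {"peer_ports": [], "peer_id": None, "peer_auth": None,
          "key_reload": None, "notify": None, "deleted": None}
    for line in log.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and name == "peer_port":
                ev["peer_ports"].append(int(m.group(1)))  # keep every port, in order
            elif m:
                ev[name] = m.group(1)
    return ev

def findings(ev: Dict[str, object]) -> List[str]:
    """Turn the milestones into the checks a responder-side triage should start with."""
    out, ports = [], ev["peer_ports"]
    if len(set(ports)) > 1:
        out.append(f"peer source port changed {ports[0]} -> {ports[-1]}: peer packets are port-translated by a NAT and IKE has left port 500 (NAT-T)")
    if ev["peer_auth"] and ev["notify"] == "AUTHENTICATION_FAILED":
        out.append(f"peer {ev['peer_id']} was accepted ({ev['peer_auth']}) but we answered {ev['notify']}: the failure is on our side, after peer auth")
    if ev["key_reload"]:
        out.append(f"local cert {ev['key_reload']} was reloaded from NSS just before the failure: check its private key is present in the NSS DB and matches the cert")
    if ev["deleted"]:
        out.append(f"SA deleted in {ev['deleted']}")
    return out
```

Run `findings(triage(open('/var/log/pluto.log').read()))` on the real file to get the same summary for a live exchange.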