<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="monospace">Dear Paul,<br>
<br>
Thank you very much for the suggestion. Unfortunately the client
doesn't have options for choosing the algorithms. I then added<br>
</font>
<blockquote><font face="monospace">ike=3des-md5;modp1536,3des-sha1;modp1536,aes-sha1;modp1536,aes-md5;modp1536<br>
</font></blockquote>
<font face="monospace">to my ipsec.conf, but I am getting pretty
much the same result in the log:<br>
</font>
<blockquote><font face="monospace">NSS DB directory:
sql:/var/lib/ipsec/nss<br>
Initializing NSS<br>
Opening NSS database "sql:/var/lib/ipsec/nss" read-only<br>
NSS initialized<br>
NSS crypto library initialized<br>
FIPS HMAC integrity support [disabled]<br>
libcap-ng support [enabled]<br>
Linux audit support [enabled]<br>
Linux audit activated<br>
Starting Pluto (Libreswan Version 3.29 XFRM(netkey)
esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile)
DNSSEC SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG LINUX_AUDIT
XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:7125<br>
core dump dir: /run/pluto<br>
secrets file: /etc/ipsec.secrets<br>
leak-detective enabled<br>
NSS crypto [enabled]<br>
XAUTH PAM support [enabled]<br>
| libevent is using pluto's memory allocator<br>
Initializing libevent in pthreads mode: headers: 2.1.11-stable
(2010b00); library: 2.1.11-stable (2010b00)<br>
| libevent_malloc: new ptr-libevent@0x55b964c91e18 size 40<br>
| libevent_malloc: new ptr-libevent@0x55b964c918a8 size 40<br>
| libevent_malloc: new ptr-libevent@0x55b964c91fc8 size 40<br>
| creating event base<br>
| libevent_malloc: new ptr-libevent@0x55b964c93238 size 56<br>
| libevent_malloc: new ptr-libevent@0x55b964cb53c8 size 664<br>
| libevent_malloc: new ptr-libevent@0x55b964cb5698 size 24<br>
| libevent_malloc: new ptr-libevent@0x55b964cb56e8 size 384<br>
| libevent_malloc: new ptr-libevent@0x55b964cb4f78 size 16<br>
| libevent_malloc: new ptr-libevent@0x55b964c94628 size 40<br>
| libevent_malloc: new ptr-libevent@0x55b964c91f38 size 48<br>
| libevent_realloc: new ptr-libevent@0x55b964c95f88 size 256<br>
| libevent_malloc: new ptr-libevent@0x55b964cb5898 size 16<br>
| libevent_free: release ptr-libevent@0x55b964c93238<br>
| libevent initialized<br>
| init_nat_traversal() initialized with keep_alive=0s<br>
NAT-Traversal support [enabled]<br>
| global one-shot timer EVENT_NAT_T_KEEPALIVE initialized<br>
| global one-shot timer EVENT_FREE_ROOT_CERTS initialized<br>
| libevent_realloc: new ptr-libevent@0x55b964c92cf8 size 64<br>
| global periodic timer EVENT_REINIT_SECRET enabled with
interval of 3600 seconds<br>
| global one-shot timer EVENT_REVIVE_CONNS initialized<br>
| global periodic timer EVENT_PENDING_DDNS enabled with interval
of 60 seconds<br>
| global periodic timer EVENT_PENDING_PHASE2 enabled with
interval of 120 seconds<br>
Encryption algorithms:<br>
AES_CCM_16 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} aes_ccm, aes_ccm_c<br>
AES_CCM_12 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} aes_ccm_b<br>
AES_CCM_8 IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} aes_ccm_a<br>
3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP
FIPS [*192] 3des<br>
CAMELLIA_CTR IKEv1: ESP IKEv2:
ESP {256,192,*128}<br>
CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} camellia<br>
AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} aes_gcm, aes_gcm_c<br>
AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} aes_gcm_b<br>
AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP
FIPS {256,192,*128} aes_gcm_a<br>
AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP
FIPS {256,192,*128} aesctr<br>
AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP
FIPS {256,192,*128} aes<br>
SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} serpent<br>
TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE
ESP {256,192,*128} twofish<br>
TWOFISH_SSH IKEv1: IKE IKEv2: IKE
ESP {256,192,*128} twofish_cbc_ssh<br>
NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP
FIPS {256,192,*128} aes_gmac<br>
NULL IKEv1: ESP IKEv2:
ESP []<br>
CHACHA20_POLY1305 IKEv1: IKEv2: IKE
ESP [*256] chacha20poly1305<br>
Hash algorithms:<br>
MD5 IKEv1: IKE
IKEv2: <br>
SHA1 IKEv1: IKE IKEv2:
FIPS sha<br>
SHA2_256 IKEv1: IKE IKEv2:
FIPS sha2, sha256<br>
SHA2_384 IKEv1: IKE IKEv2:
FIPS sha384<br>
SHA2_512 IKEv1: IKE IKEv2:
FIPS sha512<br>
PRF algorithms:<br>
HMAC_MD5 IKEv1: IKE IKEv2:
IKE md5<br>
HMAC_SHA1 IKEv1: IKE IKEv2: IKE
FIPS sha, sha1<br>
HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE
FIPS sha2, sha256, sha2_256<br>
HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE
FIPS sha384, sha2_384<br>
HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE
FIPS sha512, sha2_512<br>
AES_XCBC IKEv1: IKEv2:
IKE aes128_xcbc<br>
Integrity algorithms:<br>
HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH md5, hmac_md5<br>
HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS sha, sha1, sha1_96, hmac_sha1<br>
HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512<br>
HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384<br>
HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256<br>
HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2:
AH <br>
AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP
AH aes_xcbc, aes128_xcbc, aes128_xcbc_96<br>
AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH
FIPS aes_cmac<br>
NONE IKEv1: ESP IKEv2: IKE ESP
FIPS null<br>
DH algorithms:<br>
NONE IKEv1: IKEv2: IKE ESP AH
FIPS null, dh0<br>
MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH dh2<br>
MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP
AH dh5<br>
MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS dh14<br>
MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS dh15<br>
MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS dh16<br>
MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS dh17<br>
MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
FIPS dh18<br>
DH19 IKEv1: IKE IKEv2: IKE ESP AH
FIPS ecp_256, ecp256<br>
DH20 IKEv1: IKE IKEv2: IKE ESP AH
FIPS ecp_384, ecp384<br>
DH21 IKEv1: IKE IKEv2: IKE ESP AH
FIPS ecp_521, ecp521<br>
DH31 IKEv1: IKE IKEv2: IKE ESP
AH curve25519<br>
8 CPU cores online<br>
starting up 7 crypto helpers<br>
started thread for crypto helper 0<br>
started thread for crypto helper 1<br>
| starting up helper thread 0<br>
seccomp security for crypto helper not supported<br>
| starting up helper thread 1<br>
seccomp security for crypto helper not supported<br>
| status value returned by setting the priority of this thread
(crypto helper 1) 22<br>
| crypto helper 1 waiting (nothing to do)<br>
| starting up helper thread 2<br>
seccomp security for crypto helper not supported<br>
| status value returned by setting the priority of this thread
(crypto helper 2) 22<br>
started thread for crypto helper 2<br>
| status value returned by setting the priority of this thread
(crypto helper 0) 22<br>
| starting up helper thread 3<br>
started thread for crypto helper 3<br>
started thread for crypto helper 4<br>
| crypto helper 2 waiting (nothing to do)<br>
started thread for crypto helper 5<br>
| crypto helper 0 waiting (nothing to do)<br>
seccomp security for crypto helper not supported<br>
started thread for crypto helper 6<br>
| status value returned by setting the priority of this thread
(crypto helper 3) 22<br>
| starting up helper thread 4<br>
| checking IKEv1 state table<br>
| MAIN_R0: category: half-open IKE SA flags: 0:<br>
| -> MAIN_R1 EVENT_SO_DISCARD<br>
| starting up helper thread 6<br>
seccomp security for crypto helper not supported<br>
| status value returned by setting the priority of this thread
(crypto helper 6) 22<br>
| crypto helper 3 waiting (nothing to do)<br>
seccomp security for crypto helper not supported<br>
| MAIN_I1: category: half-open IKE SA flags: 0:<br>
| status value returned by setting the priority of this thread
(crypto helper 4) 22<br>
| -> MAIN_I2 EVENT_RETRANSMIT<br>
| starting up helper thread 5<br>
| crypto helper 4 waiting (nothing to do)<br>
| MAIN_R1: category: open IKE SA flags: 200:<br>
| -> MAIN_R2 EVENT_RETRANSMIT<br>
| -> UNDEFINED EVENT_RETRANSMIT<br>
seccomp security for crypto helper not supported<br>
| -> UNDEFINED EVENT_RETRANSMIT<br>
| status value returned by setting the priority of this thread
(crypto helper 5) 22<br>
| MAIN_I2: category: open IKE SA flags: 0:<br>
| -> MAIN_I3 EVENT_RETRANSMIT<br>
| -> UNDEFINED EVENT_RETRANSMIT<br>
| -> UNDEFINED EVENT_RETRANSMIT<br>
| MAIN_R2: category: open IKE SA flags: 0:<br>
| -> MAIN_R3 EVENT_SA_REPLACE<br>
| -> MAIN_R3 EVENT_SA_REPLACE<br>
| -> UNDEFINED EVENT_SA_REPLACE<br>
| crypto helper 5 waiting (nothing to do)<br>
| MAIN_I3: category: open IKE SA flags: 0:<br>
| -> MAIN_I4 EVENT_SA_REPLACE<br>
| -> MAIN_I4 EVENT_SA_REPLACE<br>
| -> UNDEFINED EVENT_SA_REPLACE<br>
| MAIN_R3: category: established IKE SA flags: 200:<br>
| -> UNDEFINED EVENT_NULL<br>
| MAIN_I4: category: established IKE SA flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| AGGR_R0: category: half-open IKE SA flags: 0:<br>
| -> AGGR_R1 EVENT_SO_DISCARD<br>
| AGGR_I1: category: half-open IKE SA flags: 0:<br>
| -> AGGR_I2 EVENT_SA_REPLACE<br>
| -> AGGR_I2 EVENT_SA_REPLACE<br>
| AGGR_R1: category: open IKE SA flags: 200:<br>
| -> AGGR_R2 EVENT_SA_REPLACE<br>
| -> AGGR_R2 EVENT_SA_REPLACE<br>
| AGGR_I2: category: established IKE SA flags: 200:<br>
| -> UNDEFINED EVENT_NULL<br>
| AGGR_R2: category: established IKE SA flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| QUICK_R0: category: established CHILD SA flags: 0:<br>
| -> QUICK_R1 EVENT_RETRANSMIT<br>
| QUICK_I1: category: established CHILD SA flags: 0:<br>
| -> QUICK_I2 EVENT_SA_REPLACE<br>
| crypto helper 6 waiting (nothing to do)<br>
| QUICK_R1: category: established CHILD SA flags: 0:<br>
| -> QUICK_R2 EVENT_SA_REPLACE<br>
| QUICK_I2: category: established CHILD SA flags: 200:<br>
| -> UNDEFINED EVENT_NULL<br>
| QUICK_R2: category: established CHILD SA flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| INFO: category: informational flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| INFO_PROTECTED: category: informational flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| XAUTH_R0: category: established IKE SA flags: 0:<br>
| -> XAUTH_R1 EVENT_NULL<br>
| XAUTH_R1: category: established IKE SA flags: 0:<br>
| -> MAIN_R3 EVENT_SA_REPLACE<br>
| MODE_CFG_R0: category: informational flags: 0:<br>
| -> MODE_CFG_R1 EVENT_SA_REPLACE<br>
| MODE_CFG_R1: category: established IKE SA flags: 0:<br>
| -> MODE_CFG_R2 EVENT_SA_REPLACE<br>
| MODE_CFG_R2: category: established IKE SA flags: 0:<br>
| -> UNDEFINED EVENT_NULL<br>
| MODE_CFG_I1: category: established IKE SA flags: 0:<br>
| -> MAIN_I4 EVENT_SA_REPLACE<br>
| XAUTH_I0: category: established IKE SA flags: 0:<br>
| -> XAUTH_I1 EVENT_RETRANSMIT<br>
| XAUTH_I1: category: established IKE SA flags: 0:<br>
| -> MAIN_I4 EVENT_RETRANSMIT<br>
| checking IKEv2 state table<br>
| PARENT_I0: category: ignore flags: 0:<br>
| -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate
IKE_SA_INIT)<br>
| PARENT_I1: category: half-open IKE SA flags: 0:<br>
| -> PARENT_I1 EVENT_RETAIN send-request (Initiator:
process SA_INIT reply notification)<br>
| -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator:
process IKE_SA_INIT reply, initiate IKE_AUTH)<br>
| PARENT_I2: category: open IKE SA flags: 0:<br>
| -> PARENT_I2 EVENT_NULL (Initiator: process
INVALID_SYNTAX AUTH notification)<br>
| -> PARENT_I2 EVENT_NULL (Initiator: process
AUTHENTICATION_FAILED AUTH notification)<br>
| -> PARENT_I2 EVENT_NULL (Initiator: process
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)<br>
| -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process
IKE_AUTH response)<br>
| -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH
response containing unknown notification)<br>
| PARENT_I3: category: established IKE SA flags: 0:<br>
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Request)<br>
| -> PARENT_I3 EVENT_RETAIN (I3: Informational Response)<br>
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request)<br>
| -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response)<br>
| PARENT_R1: category: half-open IKE SA flags: 0:<br>
| -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder:
process IKE_AUTH request (no SKEYSEED))<br>
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder:
process IKE_AUTH request)<br>
| PARENT_R2: category: established IKE SA flags: 0:<br>
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational
Request)<br>
| -> PARENT_R2 EVENT_RETAIN (R2: process Informational
Response)<br>
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL
Request)<br>
| -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL
Response)<br>
| V2_CREATE_I0: category: established IKE SA flags: 0:<br>
| -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate
CREATE_CHILD_SA IPsec SA)<br>
| V2_CREATE_I: category: established IKE SA flags: 0:<br>
| -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA
IPsec SA Response)<br>
| V2_REKEY_IKE_I0: category: established IKE SA flags: 0:<br>
| -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request
(Initiate CREATE_CHILD_SA IKE Rekey)<br>
| V2_REKEY_IKE_I: category: established IKE SA flags: 0:<br>
| -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA
IKE Rekey Response)<br>
| V2_REKEY_CHILD_I0: category: established IKE SA flags: 0:<br>
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request
(Initiate CREATE_CHILD_SA IPsec Rekey SA)<br>
| V2_REKEY_CHILD_I: category: established IKE SA flags: 0:
<none><br>
| V2_CREATE_R: category: established IKE SA flags: 0:<br>
| -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to
CREATE_CHILD_SA IPsec SA Request)<br>
| V2_REKEY_IKE_R: category: established IKE SA flags: 0:<br>
| -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to
CREATE_CHILD_SA IKE Rekey)<br>
| V2_REKEY_CHILD_R: category: established IKE SA flags: 0:
<none><br>
| V2_IPSEC_I: category: established CHILD SA flags: 0:
<none><br>
| V2_IPSEC_R: category: established CHILD SA flags: 0:
<none><br>
| IKESA_DEL: category: established IKE SA flags: 0:<br>
| -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process
INFORMATIONAL)<br>
| CHILDSA_DEL: category: informational flags: 0: <none><br>
| PARENT_R0: category: half-open IKE SA flags: 0:<br>
| -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to
IKE_SA_INIT)<br>
Using Linux XFRM/NETKEY IPsec interface code on
5.13.0-35-generic<br>
| Hard-wiring algorithms<br>
| adding AES_CCM_16 to kernel algorithm db<br>
| adding AES_CCM_12 to kernel algorithm db<br>
| adding AES_CCM_8 to kernel algorithm db<br>
| adding 3DES_CBC to kernel algorithm db<br>
| adding CAMELLIA_CBC to kernel algorithm db<br>
| adding AES_GCM_16 to kernel algorithm db<br>
| adding AES_GCM_12 to kernel algorithm db<br>
| adding AES_GCM_8 to kernel algorithm db<br>
| adding AES_CTR to kernel algorithm db<br>
| adding AES_CBC to kernel algorithm db<br>
| adding SERPENT_CBC to kernel algorithm db<br>
| adding TWOFISH_CBC to kernel algorithm db<br>
| adding NULL_AUTH_AES_GMAC to kernel algorithm db<br>
| adding NULL to kernel algorithm db<br>
| adding CHACHA20_POLY1305 to kernel algorithm db<br>
| adding HMAC_MD5_96 to kernel algorithm db<br>
| adding HMAC_SHA1_96 to kernel algorithm db<br>
| adding HMAC_SHA2_512_256 to kernel algorithm db<br>
| adding HMAC_SHA2_384_192 to kernel algorithm db<br>
| adding HMAC_SHA2_256_128 to kernel algorithm db<br>
| adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db<br>
| adding AES_XCBC_96 to kernel algorithm db<br>
| adding AES_CMAC_96 to kernel algorithm db<br>
| adding NONE to kernel algorithm db<br>
| global periodic timer EVENT_SHUNT_SCAN enabled with interval
of 20 seconds<br>
| setup kernel fd callback<br>
| pluto_event_add: new KERNEL_XRM_FD-pe@0x55b964c931c8<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e388 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cbaa98 size 16<br>
| pluto_event_add: new KERNEL_ROUTE_FD-pe@0x55b964c92078<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e688 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cbaa58 size 16<br>
| global one-shot timer EVENT_CHECK_CRLS initialized<br>
selinux support is NOT enabled.<br>
systemd watchdog for ipsec service configured with timeout of
200000000 usecs<br>
watchdog: sending probes every 100 secs<br>
| pluto_sd: executing action action: start(2), status 0<br>
| global periodic timer EVENT_SD_WATCHDOG enabled with interval
of 100 seconds<br>
| unbound context created - setting debug level to 5<br>
| /etc/hosts lookups activated<br>
| /etc/resolv.conf usage activated<br>
| outgoing-port-avoid set 0-65535<br>
| outgoing-port-permit set 32768-60999<br>
| Loading dnssec root key from:/usr/share/dns/root.key<br>
| No additional dnssec trust anchors defined via dnssec-trusted=
option<br>
| Setting up events, loop start<br>
| pluto_event_add: new PLUTO_CTL_FD-pe@0x55b964c92168<br>
| libevent_malloc: new ptr-libevent@0x55b964cc5aa8 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cc79c8 size 16<br>
| libevent_realloc: new ptr-libevent@0x55b964cc9118 size 256<br>
| libevent_malloc: new ptr-libevent@0x55b964cc9248 size 8<br>
| libevent_realloc: new ptr-libevent@0x55b964c94488 size 144<br>
| libevent_malloc: new ptr-libevent@0x55b964c32ed8 size 152<br>
| libevent_malloc: new ptr-libevent@0x55b964cc9288 size 16<br>
| signal event handler PLUTO_SIGCHLD installed<br>
| libevent_malloc: new ptr-libevent@0x55b964cc92c8 size 8<br>
| libevent_malloc: new ptr-libevent@0x55b964c32d08 size 152<br>
| signal event handler PLUTO_SIGTERM installed<br>
| libevent_malloc: new ptr-libevent@0x55b964cc9308 size 8<br>
| libevent_malloc: new ptr-libevent@0x55b964c30738 size 152<br>
| signal event handler PLUTO_SIGHUP installed<br>
| created addconn helper (pid:7133) using fork+execve<br>
| forked child 7133<br>
seccomp security not supported<br>
| accept(whackctlfd, (struct sockaddr *)&whackaddr,
&whackaddrlen) -> fd@14 (in whack_handle() at
rcv_whack.c:717)<br>
| Added new connection xauth-psk with policy
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO<br>
| ike (phase1) algorithm values: 3DES_CBC-HMAC_MD5-MODP1536,
3DES_CBC-HMAC_SHA1-MODP1536, AES_CBC-HMAC_SHA1-MODP1536,
AES_CBC-HMAC_MD5-MODP1536<br>
| counting wild cards for <server.address.redacted> is 0<br>
| counting wild cards for (none) is 15<br>
| add new addresspool to global pools
10.231.247.10-10.231.247.254 size 245 ptr 0x55b964cc9f98<br>
| based upon policy, the connection is a template.<br>
| reference addresspool of conn xauth-psk[0] kind CK_TEMPLATE
refcnt 0<br>
added connection description "xauth-psk"<br>
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy:
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO<br>
|
0.0.0.0/0===<server.address.redacted><<server.address.redacted>>[MS+XS+S=C]...%any[+MC+XC+S=C]<br>
| close_any(fd@14) (in whack_process() at rcv_whack.c:698)<br>
| accept(whackctlfd, (struct sockaddr *)&whackaddr,
&whackaddrlen) -> fd@14 (in whack_handle() at
rcv_whack.c:717)<br>
| pluto_sd: executing action action: reloading(4), status 0<br>
listening for IKE messages<br>
| Inspecting interface lo <br>
| found lo with address 127.0.0.1<br>
| Inspecting interface enp0s31f6 <br>
| found enp0s31f6 with address 192.168.0.56<br>
| Inspecting interface ap0 <br>
| found ap0 with address 192.168.12.1<br>
| Inspecting interface vipnet <br>
| found vipnet with address <server.address.redacted><br>
Kernel supports NIC esp-hw-offload<br>
adding interface vipnet/vipnet (esp-hw-offload=no)
<server.address.redacted>:500<br>
| NAT-Traversal: Trying sockopt style NAT-T<br>
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style
NAT-T family IPv4<br>
adding interface vipnet/vipnet
<server.address.redacted>:4500<br>
Kernel supports NIC esp-hw-offload<br>
adding interface ap0/ap0 (esp-hw-offload=no) 192.168.12.1:500<br>
| NAT-Traversal: Trying sockopt style NAT-T<br>
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style
NAT-T family IPv4<br>
adding interface ap0/ap0 192.168.12.1:4500<br>
Kernel supports NIC esp-hw-offload<br>
adding interface enp0s31f6/enp0s31f6 (esp-hw-offload=no)
192.168.0.56:500<br>
| NAT-Traversal: Trying sockopt style NAT-T<br>
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style
NAT-T family IPv4<br>
adding interface enp0s31f6/enp0s31f6 192.168.0.56:4500<br>
Kernel supports NIC esp-hw-offload<br>
adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500<br>
| NAT-Traversal: Trying sockopt style NAT-T<br>
| NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style
NAT-T family IPv4<br>
adding interface lo/lo 127.0.0.1:4500<br>
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001<br>
| sorting 1 interfaces<br>
Kernel supports NIC esp-hw-offload<br>
adding interface lo/lo (esp-hw-offload=no) ::1:500<br>
| connect_to_host_pair: <server.address.redacted>:500
0.0.0.0:500 -> hp:none<br>
| pluto_event_add: new ethX-pe@0x55b964c9dbc8<br>
| libevent_malloc: new ptr-libevent@0x55b964cc21e8 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cca798 size 16<br>
| setup callback for interface lo:500 fd 23<br>
| pluto_event_add: new ethX-pe@0x55b964cca7d8<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e788 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cca848 size 16<br>
| setup callback for interface lo:4500 fd 22<br>
| pluto_event_add: new ethX-pe@0x55b964cca888<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e988 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cca8f8 size 16<br>
| setup callback for interface lo:500 fd 21<br>
| pluto_event_add: new ethX-pe@0x55b964cca938<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e888 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964cca9a8 size 16<br>
| setup callback for interface enp0s31f6:4500 fd 20<br>
| pluto_event_add: new ethX-pe@0x55b964cca9e8<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e588 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964ccaa58 size 16<br>
| setup callback for interface enp0s31f6:500 fd 19<br>
| pluto_event_add: new ethX-pe@0x55b964ccaa98<br>
| libevent_malloc: new ptr-libevent@0x55b964c9e488 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964ccab08 size 16<br>
| setup callback for interface ap0:4500 fd 18<br>
| pluto_event_add: new ethX-pe@0x55b964ccab48<br>
| libevent_malloc: new ptr-libevent@0x55b964ccabb8 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964ccac68 size 16<br>
| setup callback for interface ap0:500 fd 17<br>
| pluto_event_add: new ethX-pe@0x55b964ccaca8<br>
| libevent_malloc: new ptr-libevent@0x55b964ccad18 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964ccadc8 size 16<br>
| setup callback for interface vipnet:4500 fd 16<br>
| pluto_event_add: new ethX-pe@0x55b964ccae08<br>
| libevent_malloc: new ptr-libevent@0x55b964ccae78 size 128<br>
| libevent_malloc: new ptr-libevent@0x55b964ccaf28 size 16<br>
| setup callback for interface vipnet:500 fd 15<br>
| certs and keys locked by 'free_preshared_secrets'<br>
| certs and keys unlocked by 'free_preshared_secrets'<br>
loading secrets from "/etc/ipsec.secrets"<br>
| Processing PSK at line 2: passed<br>
| certs and keys locked by 'process_secret'<br>
| certs and keys unlocked by 'process_secret'<br>
| pluto_sd: executing action action: ready(5), status 0<br>
| close_any(fd@14) (in whack_process() at rcv_whack.c:698)<br>
| signal PLUTO_SIGCHLD event<br>
| waitpid returned pid 7133 (exited with status 0)<br>
| reaped addconn helper child (status 0)<br>
| waitpid returned ECHILD (no child processes left)<br>
| kernel_process_msg_cb process netlink message<br>
| netlink_get: XFRM_MSG_NEWSA message<br>
| *received 572 bytes from 192.168.12.87:1500 on vipnet
(port=500)<br>
| 0c 75 da 3b 07 7a f1 49 00 00 00 00 00 00 00 00<br>
| 01 10 04 00 00 00 00 00 00 00 02 3c 04 00 00 9c<br>
| 00 00 00 01 00 00 00 01 00 00 00 90 01 01 00 04<br>
| 03 00 00 24 01 01 00 00 80 0b 00 01 80 0c 70 80<br>
| 80 01 00 07 80 0e 00 80 80 03 00 01 80 02 00 02<br>
| 80 04 00 05 03 00 00 24 02 01 00 00 80 0b 00 01<br>
| 80 0c 70 80 80 01 00 07 80 0e 00 80 80 03 00 01<br>
| 80 02 00 01 80 04 00 05 03 00 00 20 03 01 00 00<br>
| 80 0b 00 01 80 0c 70 80 80 01 00 05 80 03 00 01<br>
| 80 02 00 02 80 04 00 05 00 00 00 20 04 01 00 00<br>
| 80 0b 00 01 80 0c 70 80 80 01 00 05 80 03 00 01<br>
| 80 02 00 01 80 04 00 05 0a 00 00 c4 e3 e1 3f a5<br>
| 89 56 dc 7e 40 cd 82 d5 13 ab 66 74 d5 72 35 18<br>
| d0 b1 3d e3 4b 4d e5 c9 8f 64 78 04 58 84 3a 91<br>
| bf 18 98 37 84 f0 ee 1e a8 08 42 33 b1 a9 38 e6<br>
| ed 5d ae 27 04 3f e3 9d 77 95 5a 92 46 dc c9 47<br>
| 33 cb d7 b4 c4 37 da b3 98 b9 9e da eb 78 87 4e<br>
| f5 8d 2f f4 fe 1a e0 f6 8d 4f 79 84 30 17 17 62<br>
| e3 52 34 30 a9 67 a9 4b 4c a1 f9 fb 74 0c e1 3b<br>
| e9 58 19 a4 bd 28 ae 36 be e7 14 0f 58 f5 09 8c<br>
| 50 19 89 e5 59 5c 6e 99 e1 8b d0 a4 5c 0f b2 75<br>
| 92 6d 81 b6 b5 4d f6 78 db 6d c7 4b d0 c3 84 3a<br>
| 7c 2e c2 be 7b 6b f5 d2 2a 33 09 dc f8 1c 15 7d<br>
| 16 e6 94 c7 da 3d 5e 2b 95 d1 11 c0 05 00 00 14<br>
| a5 64 e4 ab 96 3d 82 ba f1 c0 a5 24 4c e1 6c 73<br>
| 0d 00 00 0c 01 11 05 dc c0 a8 0c 57 0d 00 00 14<br>
| 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f<br>
| 0d 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc<br>
| 68 b6 a4 48 0d 00 00 14 90 cb 80 91 3e bb 69 6e<br>
| 08 63 81 b5 ec 42 7b 1f 0d 00 00 14 44 85 15 2d<br>
| 18 b6 bb cd 0b e8 a8 46 95 79 dd cc 0d 00 00 14<br>
| 12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00<br>
| 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc<br>
| 77 57 01 00 0d 00 00 14 4c 53 42 7b 6d 46 5d 1b<br>
| 33 7b b7 55 a3 7a 7f ef 00 00 00 14 b4 f0 1c a9<br>
| 51 e9 da 8d 0b af bb d3 4a d3 04 4e<br>
| processing: start from 192.168.12.87:1500 (in process_md() at
demux.c:441)<br>
| **parse ISAKMP Message:<br>
| initiator cookie:<br>
| 0c 75 da 3b 07 7a f1 49<br>
| responder cookie:<br>
| 00 00 00 00 00 00 00 00<br>
| next payload type: ISAKMP_NEXT_SA (0x1)<br>
| ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)<br>
| exchange type: ISAKMP_XCHG_AGGR (0x4)<br>
| flags: none (0x0)<br>
| Message ID: 0 (0x0)<br>
| length: 572 (0x23c)<br>
| processing version=1.0 packet with exchange
type=ISAKMP_XCHG_AGGR (4)<br>
| State DB: IKEv1 state object not found (find_state_ikev1_init)<br>
| #null state always idle<br>
| got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000<br>
| ***parse ISAKMP Security Association Payload:<br>
| next payload type: ISAKMP_NEXT_KE (0x4)<br>
| length: 156 (0x9c)<br>
| DOI: ISAKMP_DOI_IPSEC (0x1)<br>
| got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000<br>
| ***parse ISAKMP Key Exchange Payload:<br>
| next payload type: ISAKMP_NEXT_NONCE (0xa)<br>
| length: 196 (0xc4)<br>
| got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x420 opt:
0x102000<br>
| ***parse ISAKMP Nonce Payload:<br>
| next payload type: ISAKMP_NEXT_ID (0x5)<br>
| length: 20 (0x14)<br>
| got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000<br>
| ***parse ISAKMP Identification Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 12 (0xc)<br>
| ID type: ID_IPV4_ADDR (0x1)<br>
| DOI specific A: 17 (0x11)<br>
| DOI specific B: 1500 (0x5dc)<br>
| obj: c0 a8 0c 57<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_VID (0xd)<br>
| length: 20 (0x14)<br>
| got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt:
0x102000<br>
| ***parse ISAKMP Vendor ID Payload:<br>
| next payload type: ISAKMP_NEXT_NONE (0x0)<br>
| length: 20 (0x14)<br>
| quirks.qnat_traversal_vid set to=117 [RFC 3947]<br>
| received Vendor ID payload [RFC 3947]<br>
| Ignoring older NAT-T Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]<br>
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>
| Ignoring older NAT-T Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]<br>
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>
| ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
| received Vendor ID payload [Cisco-Unity]<br>
| received Vendor ID payload [Dead Peer Detection]<br>
packet from 192.168.12.87:1500: ignoring unknown Vendor ID
payload [4c53427b6d465d1b337bb755a37a7fef]<br>
packet from 192.168.12.87:1500: ignoring unknown Vendor ID
payload [b4f01ca951e9da8d0bafbbd34ad3044e]<br>
| ****parse IPsec DOI SIT:<br>
| IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)<br>
| ****parse ISAKMP Proposal Payload:<br>
| next payload type: ISAKMP_NEXT_NONE (0x0)<br>
| length: 144 (0x90)<br>
| proposal number: 1 (0x1)<br>
| protocol ID: PROTO_ISAKMP (0x1)<br>
| SPI size: 0 (0x0)<br>
| number of transforms: 4 (0x4)<br>
| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_T (0x3)<br>
| length: 36 (0x24)<br>
| ISAKMP transform number: 1 (0x1)<br>
| ISAKMP transform ID: KEY_IKE (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)<br>
| length/value: 28800 (0x7080)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)<br>
| length/value: 7 (0x7)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_KEY_LENGTH (0x800e)<br>
| length/value: 128 (0x80)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)<br>
| length/value: 2 (0x2)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)<br>
| length/value: 5 (0x5)<br>
| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_T (0x3)<br>
| length: 36 (0x24)<br>
| ISAKMP transform number: 2 (0x2)<br>
| ISAKMP transform ID: KEY_IKE (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)<br>
| length/value: 28800 (0x7080)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)<br>
| length/value: 7 (0x7)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_KEY_LENGTH (0x800e)<br>
| length/value: 128 (0x80)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)<br>
| length/value: 5 (0x5)<br>
| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_T (0x3)<br>
| length: 32 (0x20)<br>
| ISAKMP transform number: 3 (0x3)<br>
| ISAKMP transform ID: KEY_IKE (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)<br>
| length/value: 28800 (0x7080)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)<br>
| length/value: 5 (0x5)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)<br>
| length/value: 2 (0x2)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)<br>
| length/value: 5 (0x5)<br>
| *****parse ISAKMP Transform Payload (ISAKMP):<br>
| next payload type: ISAKMP_NEXT_NONE (0x0)<br>
| length: 32 (0x20)<br>
| ISAKMP transform number: 4 (0x4)<br>
| ISAKMP transform ID: KEY_IKE (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)<br>
| length/value: 28800 (0x7080)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)<br>
| length/value: 5 (0x5)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)<br>
| length/value: 1 (0x1)<br>
| ******parse ISAKMP Oakley attribute:<br>
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)<br>
| length/value: 5 (0x5)<br>
| find_host_connection me=<server.address.redacted>:500
him=192.168.12.87:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW<br>
| find_host_pair: comparing <server.address.redacted>:500
to 0.0.0.0:500<br>
| find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW<br>
| find_next_host_connection returns empty<br>
| find_host_connection me=<server.address.redacted>:500
him=%any:1500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW<br>
| find_host_pair: comparing <server.address.redacted>:500
to 0.0.0.0:500<br>
| find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW<br>
| found policy =
PSK+ENCRYPT+TUNNEL+DONT_REKEY+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
(xauth-psk)<br>
| find_next_host_connection returns empty<br>
packet from 192.168.12.87:1500: initial Aggressive Mode message
from 192.168.12.87 but no (wildcard) connection has been
configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW<br>
| complete v1 state transition with STF_IGNORE<br>
| processing: stop from 192.168.12.87:1500 (in process_md() at
demux.c:443)<br>
| processing: STOP state #0 (in process_md() at demux.c:445)<br>
| processing: STOP connection NULL (in process_md() at
demux.c:446)<br>
</font></blockquote>
<font face="monospace"><br>
Thanks.<br>
<br>
Cheers,<br>
Wolf<br>
</font><br>
<div class="moz-cite-prefix">On 15/03/2022 01:48, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c97267b-6828-51b8-97ce-fb7cc8fac347@nohats.ca">
<br>
<br>
---------- Forwarded message ----------
<br>
Date: Mon, 14 Mar 2022 13:47:01
<br>
From: Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:paul.wouters@aiven.io"><paul.wouters@aiven.io></a>
<br>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:swan@lists.libreswan.org">swan@lists.libreswan.org</a>
<br>
To: 1one.w01f <a class="moz-txt-link-rfc2396E" href="mailto:dev.1one.w01f@gmail.com"><dev.1one.w01f@gmail.com></a>
<br>
Subject: Re: [Swan] no (wildcard) connection has been configured
with policy
<br>
PSK+AGGRESSIVE+IKEV1_ALLOW
<br>
<br>
<br>
<br>
On Sun, 13 Mar 2022, 1one.w01f wrote:
<br>
<br>
<blockquote type="cite">Date: Sun, 13 Mar 2022 09:28:57
<br>
From: 1one.w01f <a class="moz-txt-link-rfc2396E" href="mailto:dev.1one.w01f@gmail.com"><dev.1one.w01f@gmail.com></a>
<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:swan@lists.libreswan.org">swan@lists.libreswan.org</a>
<br>
Subject: Re: [Swan] no (wildcard) connection has been configured
with policy
<br>
PSK+AGGRESSIVE+IKEV1_ALLOW
<br>
</blockquote>
<br>
Based on your logs, I think the ike= hash algorithm is the
problem:
<br>
<br>
Mar 13 16:19:32.346942: | ******parse ISAKMP Oakley attribute:
<br>
Mar 13 16:19:32.346954: | af+type:
AF+OAKLEY_AUTHENTICATION_METHOD
<br>
(0x8003)
<br>
Mar 13 16:19:32.346965: | length/value: 1 (0x1)
<br>
<br>
<br>
That is MD5. Can you tell the other end to use SHA1 or SHA256
instead?
<br>
<br>
If not, you can try and add:
<br>
<br>
ike=3des-md5;modp1536
<br>
<br>
Paul
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
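<font face="monospace">The attribute numbers in the debug output above are the IANA IKEv1 (ISAKMP/Oakley) registry values, and what a value means depends on which attribute it sits under: 1 under OAKLEY_HASH_ALGORITHM is MD5 and 2 is SHA1; 1 under OAKLEY_AUTHENTICATION_METHOD is pre-shared key (the XAUTH methods start at 65001); 5 under OAKLEY_ENCRYPTION_ALGORITHM is 3DES and 7 is AES, with OAKLEY_KEY_LENGTH giving the AES key size; 5 under OAKLEY_GROUP_DESCRIPTION is modp1536. The Python decoder below is an added example, not code from this thread or from libreswan: it reads the "af+type" / "length/value" pairs that pluto prints with debugging enabled, rebuilds each transform the peer proposed, prints it in libreswan's ike= spelling, and lists the legacy algorithms involved. The lookup tables are the subset of the IANA registry it needs, and its sample input is transforms 2 and 4 from the log above with the separator lines removed.<br>
</font>

```python
import re

# Added example (not libreswan code): decode the Oakley attributes from pluto's
# IKEv1 debug output. Tables hold only the IANA registry entries needed here.
ENCRYPTION = {1: "des", 5: "3des", 7: "aes", 8: "camellia"}
HASH = {1: "md5", 2: "sha1", 4: "sha2_256", 5: "sha2_384", 6: "sha2_512"}
AUTH_METHOD = {1: "psk", 2: "dss", 3: "rsasig",
               65001: "xauth-init-psk", 65002: "xauth-resp-psk",
               65005: "xauth-init-rsasig", 65006: "xauth-resp-rsasig"}
GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
         15: "modp3072", 16: "modp4096"}
LIFE_TYPE = {1: "seconds", 2: "kilobytes"}
# Algorithms to accept only as a deliberate interop concession.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024", "modp1536"}

TRANSFORM_RE = re.compile(r"ISAKMP transform number: (\d+)")
ATTR_RE = re.compile(r"af\+type: AF\+OAKLEY_([A-Z_]+)")
VALUE_RE = re.compile(r"length/value: (\d+)")


def parse_transforms(log_text):
    """One dict per transform: {"number": n, "<OAKLEY attribute>": value, ...}."""
    transforms, current, pending = [], None, None
    for line in log_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = {"number": int(m.group(1))}
            transforms.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            pending = m.group(1)      # the value follows on the next line
            continue
        m = VALUE_RE.search(line)
        if m and pending is not None:
            current[pending] = int(m.group(1))
            pending = None
    return transforms


def decode(t):
    """Map one parsed transform to algorithm names in libreswan spelling."""
    enc = ENCRYPTION.get(t.get("ENCRYPTION_ALGORITHM"), "unknown")
    if "KEY_LENGTH" in t:             # only variable-length ciphers send this
        enc += str(t["KEY_LENGTH"])
    life = "%d %s" % (t.get("LIFE_DURATION", 0),
                      LIFE_TYPE.get(t.get("LIFE_TYPE"), "?"))
    return {"number": t["number"], "encryption": enc, "lifetime": life,
            "hash": HASH.get(t.get("HASH_ALGORITHM"), "unknown"),
            "auth": AUTH_METHOD.get(t.get("AUTHENTICATION_METHOD"), "unknown"),
            "group": GROUP.get(t.get("GROUP_DESCRIPTION"), "unknown")}


def ike_line(transforms):
    """An ike= value that accepts every proposal, in the peer's order."""
    return "ike=" + ",".join("%s-%s;%s" % (d["encryption"], d["hash"], d["group"])
                             for d in map(decode, transforms))


def auth_methods(transforms):
    """Authentication methods proposed: plain 'psk' versus the XAUTH variants."""
    return {decode(t)["auth"] for t in transforms}


def legacy_warnings(transforms):
    """Sorted names of the legacy algorithms the peer proposes."""
    found = set()
    for d in map(decode, transforms):
        cipher = d["encryption"].rstrip("0123456789")   # aes128 -> aes
        found.update(a for a in (cipher, d["hash"], d["group"]) if a in LEGACY)
    return sorted(found)


# Constructed sample: transforms 2 and 4 from the pluto log in this thread,
# with the "******parse ..." separator lines removed.
SAMPLE_LOG = """\
| ISAKMP transform number: 2 (0x2)
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)
| length/value: 28800 (0x7080)
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)
| length/value: 7 (0x7)
| af+type: AF+OAKLEY_KEY_LENGTH (0x800e)
| length/value: 128 (0x80)
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
| length/value: 5 (0x5)
| ISAKMP transform number: 4 (0x4)
| af+type: AF+OAKLEY_LIFE_TYPE (0x800b)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c)
| length/value: 28800 (0x7080)
| af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001)
| length/value: 5 (0x5)
| af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002)
| length/value: 1 (0x1)
| af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004)
| length/value: 5 (0x5)
"""

if __name__ == "__main__":
    proposals = parse_transforms(SAMPLE_LOG)
    for d in map(decode, proposals):
        print("transform %(number)d: %(encryption)s-%(hash)s;%(group)s "
              "auth=%(auth)s life=%(lifetime)s" % d)
    print(ike_line(proposals))
    print("auth methods:", ", ".join(sorted(auth_methods(proposals))))
    print("legacy algorithms:", ", ".join(legacy_warnings(proposals)))
```

<font face="monospace">Run over the whole log it yields the four proposals aes128-sha1, aes128-md5, 3des-sha1 and 3des-md5, each with modp1536, a 28800 second lifetime and plain pre-shared-key authentication (method 1, not one of the XAUTH methods); that last point is worth comparing with the XAUTH flag in the one policy pluto reports finding (xauth-psk) before tuning ike= any further. Every proposal depends on MD5, 3DES or modp1536, so an ike= line that accepts them belongs in that one conn section as an interop concession, not in conn %default.<br>
</font>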
<br>
</body>
</html>