List: strongswan-users
Subject: [strongSwan] Re: strongswan nat traversal problem
From: trocano () adminsrl ! it (Manilo Trocano)
Date: 2005-03-17 13:06:31
Message-ID: 200503171342.j2HDgEFq007944 () ade ! adminsrl ! it
Hi Andreas
I have upgraded strongswan, but I haven't resolved my problems.
Now the situation is the following:
FOR THE HOST BLUE:
192.168.1.10/32 -> 83.103.18.205/32 => tun0x100a@83.103.18.205
192.168.6.0/24 -> 83.103.18.205/32 => tun0x1008@83.103.18.205
192.168.1.10/32 -> 192.168.0.0/24 => %hold
192.168.6.0/24 -> 192.168.0.0/24 => tun0x1009@83.103.18.205
+ ipsec auto --statusall
000 interface ipsec0/eth0 192.168.1.10:4500
000 interface ipsec0/eth0 192.168.1.10:500
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
000 "bluenap-blueto": 192.168.6.0/24===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]===192.168.0.0/24; erouted; eroute owner: #9
000 "bluenap-blueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "bluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "bluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "bluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "bluenap-blueto": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "bluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "bluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "bluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000 "bluenap-gwblueto": 192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]===192.168.0.0/24; erouted HOLD; eroute owner: #0
000 "bluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "bluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32;
interface: eth0;
000 "bluenap-gwblueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "bluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "bluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "bluenap-gwblueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-blueto": 192.168.6.0/24===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]; erouted; eroute owner: #8
000 "gwbluenap-blueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "gwbluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24;
interface: eth0;
000 "gwbluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #8;
000 "gwbluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "gwbluenap-blueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "gwbluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "gwbluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000 "gwbluenap-gwblueto": 192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]; erouted; eroute owner: #10
000 "gwbluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "gwbluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
32,32; interface: eth0;
000 "gwbluenap-gwblueto": newest ISAKMP SA: #7; newest IPsec SA: #10;
000 "gwbluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "gwbluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "gwbluenap-gwblueto": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "gwbluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "gwbluenap-gwblueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-gwblueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000
000 #4: "bluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2687s
000 #4: "bluenap-blueto" esp.3af68232@83.103.18.205
esp.f9e48e0f@192.168.1.10 tun.1004@83.103.18.205 tun.1003@192.168.1.10
000 #9: "bluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3269s; newest IPSEC; eroute owner
000 #9: "bluenap-blueto" esp.3af68234@83.103.18.205
esp.f9e48e13@192.168.1.10 tun.1009@83.103.18.205 tun.1006@192.168.1.10
000 #13: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 10s
000 #11: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 10s
000 #3: "gwbluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2810s
000 #3: "gwbluenap-blueto" esp.3af68231@83.103.18.205
esp.f9e48e0e@192.168.1.10 tun.1002@83.103.18.205 tun.1001@192.168.1.10
000 #8: "gwbluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3269s; newest IPSEC; eroute owner
000 #8: "gwbluenap-blueto" esp.3af68233@83.103.18.205
esp.f9e48e12@192.168.1.10 tun.1008@83.103.18.205 tun.1005@192.168.1.10
000 #1: "gwbluenap-gwblueto" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 9675s
000 #12: "gwbluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 10s
000 #10: "gwbluenap-gwblueto" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3270s; newest IPSEC; eroute owner
000 #10: "gwbluenap-gwblueto" esp.3af68235@83.103.18.205
esp.f9e48e14@192.168.1.10 tun.100a@83.103.18.205 tun.1007@192.168.1.10
000 #7: "gwbluenap-gwblueto" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 10467s; newest ISAKMP
I don't understand what these log messages mean:
1) "Mar 15 13:01:23 finalel kernel: klips_debug:pfkey_address_parse: extr->eroute set to 192.168.1.10/0:0->0.0.0.0/0:0" in the kernel messages; why 0.0.0.0/0?
2) "Mar 15 13:02:46 finalel pluto[22660]: "gwbluenap-gwblueto" #1: ignoring informational payload, type INVALID_MESSAGE_ID" in ipsec barf.
FOR THE HOST RED:
83.103.18.205/32 -> 82.88.96.124/32 => tun0x1006@82.88.96.124
83.103.18.205/32 -> 192.168.6.0/24 => tun0x1009@82.88.96.124
192.168.0.0/24 -> 82.88.96.124/32 => %trap
192.168.0.0/24 -> 192.168.6.0/24 => tun0x100a@82.88.96.124
+ ipsec auto --statusall
000 interface ipsec0/eth2 83.103.18.205:4500
000 interface ipsec0/eth2 83.103.18.205:500
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
000 "bluenap-blueto": 192.168.0.0/24===83.103.18.205:4500[@83.103.18.205]---83.103.18.201...82.88.96.124:4500[@192.168.1.10]===192.168.6.0/24; erouted; eroute owner: #6
000 "bluenap-blueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "bluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth2;
000 "bluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #6;
000 "bluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "bluenap-blueto": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "bluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "bluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "bluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000 "bluenap-gwblueto": 192.168.0.0/24===83.103.18.205[@83.103.18.205]---83.103.18.201...82.88.96.124[@192.168.1.10]; unrouted; eroute owner: #0
000 "bluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "bluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32;
interface: eth2;
000 "bluenap-gwblueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "bluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "bluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "bluenap-gwblueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-blueto": 83.103.18.205:4500[@83.103.18.205]---83.103.18.201...82.88.96.124:4500[@192.168.1.10]===192.168.6.0/24; erouted; eroute owner: #5
000 "gwbluenap-blueto": ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "gwbluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24;
interface: eth2;
000 "gwbluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #5;
000 "gwbluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "gwbluenap-blueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "gwbluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "gwbluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000 "gwbluenap-gwblueto": 83.103.18.205:4500[@83.103.18.205]---83.103.18.201...82.88.96.124:4500[@192.168.1.10]; erouted; eroute owner: #7
000 "gwbluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "gwbluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
32,32; interface: eth2;
000 "gwbluenap-gwblueto": newest ISAKMP SA: #1; newest IPsec SA: #7;
000 "gwbluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2,
000 "gwbluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "gwbluenap-gwblueto": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "gwbluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
000 "gwbluenap-gwblueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "gwbluenap-gwblueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<Phase1>
000
000 #4: "bluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3283s
000 #4: "bluenap-blueto" esp.f9e48e0f@82.88.96.124
esp.3af68232@83.103.18.205 tun.1004@82.88.96.124 tun.1002@83.103.18.205
000 #6: "bluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2586s; newest IPSEC; eroute owner
000 #6: "bluenap-blueto" esp.f9e48e13@82.88.96.124
esp.3af68234@83.103.18.205 tun.1008@82.88.96.124 tun.1007@83.103.18.205
000 #3: "gwbluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3283s
000 #3: "gwbluenap-blueto" esp.f9e48e0e@82.88.96.124
esp.3af68231@83.103.18.205 tun.1003@82.88.96.124 tun.1001@83.103.18.205
000 #5: "gwbluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2618s; newest IPSEC; eroute owner
000 #5: "gwbluenap-blueto" esp.f9e48e12@82.88.96.124
esp.3af68233@83.103.18.205 tun.1006@82.88.96.124 tun.1005@83.103.18.205
000 #2: "gwbluenap-gwblueto" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 10480s
000 #7: "gwbluenap-gwblueto" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2998s; newest IPSEC; eroute owner
000 #7: "gwbluenap-gwblueto" esp.f9e48e14@82.88.96.124
esp.3af68235@83.103.18.205 tun.100a@82.88.96.124 tun.1009@83.103.18.205
000 #1: "gwbluenap-gwblueto" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 9732s; newest ISAKMP
In the kernel messages I have the same as on BLUE, and in ipsec barf:
"Mar 15 13:02:21 Artea-dmz pluto[32682]: "gwbluenap-gwblueto" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x35ab5233 (perhaps this is a duplicated packet)"
Can you help me?
Thanks
Andreas Steffen writes:
> Hi Manila,
>
> oops, I think you are suffering from the "Mode Config" bug introduced
> by strongswan-2.3.2:
>
> > 000 #3 "bluenap-gwblueto" STATE_MODE_CFG_I2 (received ModeCfg reply);
>
> Could you upgrade to the latest version strongswan-2.4.1 where this
> bug has been fixed.
>
> Regards
>
> Andreas
>
> Manilo Trocano wrote:
>> Hi,
>> Yes, I have applied the NAT-T patch, according to the strongswan
>> installation instructions
>> (http://www.strongswan.org/docs/install.htm#chapter_3).
>> However, I have made some small progress: I have changed the
>> configuration files and now I can ping host BLUE from host RED, but
>> not the other way around.
>> I attach the ipsec.conf and the log.
>> Can you tell me what the mistake is?
>> Thanks
>> FOR HOST BLUE
>> version 2.0 # conforms to second version of ipsec.conf specification
>> #VPN BLUE
>> # basic configuration
>> config setup
>> klipsdebug=all
>> plutodebug=all
>> interfaces="ipsec0=eth0"
>> nat_traversal=yes
>> conn %default
>> keyingtries=0
>> leftrsasigkey="0sAQN..XoV"
>> rightrsasigkey="0sAQNz..hOvj"
>> rightid=@192.168.1.10
>> leftid=@83.103.18.205
>> rightnexthop=192.168.1.1
>> conn bluenap-blueto
>> left=83.103.18.205
>> leftsubnet=192.168.0.0/24
>> right=192.168.1.10
>> rightsubnet=192.168.6.0/24
>> auto=start
>> authby=rsasig
>> conn bluenap-gwblueto
>> left=83.103.18.205
>> leftsubnet=192.168.0.0/24
>> right=192.168.1.10
>> auto=start
>> authby=rsasig
>> conn gwbluenap-blueto
>> left=83.103.18.205
>> right=192.168.1.10
>> rightsubnet=192.168.6.0/24
>> auto=start
>> authby=rsasig
>> conn gwbluenap-gwblueto
>> left=83.103.18.205
>> right=192.168.1.10
>> auto=start
>> authby=rsasig
>>
>> [root@finalel root]# ipsec eroute
>> 39 192.168.1.10/32 -> 83.103.18.205/32 => %trap
>> 41 192.168.1.10/32 -> 192.168.0.0/24 => %hold
>> 28 192.168.6.0/24 -> 83.103.18.205/32 => tun0x1009@83.103.18.205
>> 0 192.168.6.0/24 -> 192.168.0.0/24 => tun0x100a@83.103.18.205
>> [root@finalel root]# ipsec auto --statusall
>> 000 interface ipsec0/eth0 192.168.1.10:4500
>> 000 interface ipsec0/eth0 192.168.1.10:500
>> 000 %myid = (none)
>> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
>>
>> 000
>> 000 "bluenap-blueto": 192.168.6.0/24===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]===192.168.0.0/24; erouted; eroute owner: #10
>> 000 "bluenap-blueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "bluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 24,24; interface: eth0;
>> 000 "bluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #10;
>> 000 "bluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "bluenap-blueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "bluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "bluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
>> 000 "bluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
>> pfsgroup=<Phase1>
>> 000 "bluenap-gwblueto": 0.3.0.0/32===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]===192.168.0.0/24; erouted HOLD; eroute owner: #0
>> 000 "bluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "bluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 24,32; interface: eth0;
>> 000 "bluenap-gwblueto": newest ISAKMP SA: #3; newest IPsec SA: #0;
>> 000 "bluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "bluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "bluenap-gwblueto": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000 "bluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "bluenap-gwblueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000 "gwbluenap-blueto": 192.168.6.0/24===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]; erouted; eroute owner: #9
>> 000 "gwbluenap-blueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "gwbluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 32,24; interface: eth0;
>> 000 "gwbluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #9;
>> 000 "gwbluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "gwbluenap-blueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "gwbluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "gwbluenap-blueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000 "gwbluenap-blueto": ESP algorithm newest: 3DES_0-HMAC_MD5;
>> pfsgroup=<Phase1>
>> 000 "gwbluenap-gwblueto": 0.3.0.0/32===192.168.1.10:4500[@192.168.1.10]---192.168.1.1...83.103.18.205:4500[@83.103.18.205]; prospective erouted; eroute owner: #0
>> 000 "gwbluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "gwbluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 32,32; interface: eth0;
>> 000 "gwbluenap-gwblueto": newest ISAKMP SA: #1; newest IPsec SA: #0;
>> 000 "gwbluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "gwbluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "gwbluenap-gwblueto": IKE algorithm newest:
>> 3DES_CBC_192-MD5-MODP1536
>> 000 "gwbluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "gwbluenap-gwblueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000
>> 000 #6: "bluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 2522s
>> 000 #6: "bluenap-blueto" esp.79be2e78@83.103.18.205
>> esp.f510dd94@192.168.1.10 tun.1004@83.103.18.205 tun.1003@192.168.1.10
>> 000 #10: "bluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 3290s; newest IPSEC; eroute owner
>> 000 #10: "bluenap-blueto" esp.79be2e74@83.103.18.205
>> esp.f510dd98@192.168.1.10 tun.100a@83.103.18.205 tun.1008@192.168.1.10
>> 000 #4: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
>> EVENT_RETRANSMIT in 19s
>> 000 #11: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
>> EVENT_RETRANSMIT in 31s
>> 000 #3: "bluenap-gwblueto" STATE_MODE_CFG_I2 (received ModeCfg reply);
>> EVENT_SA_REPLACE in 10491s; newest ISAKMP
>> 000 #9: "gwbluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 3290s; newest IPSEC; eroute owner
>> 000 #9: "gwbluenap-blueto" esp.79be2e76@83.103.18.205
>> esp.f510dd97@192.168.1.10 tun.1009@83.103.18.205 tun.1007@192.168.1.10
>> 000 #5: "gwbluenap-blueto" STATE_QUICK_I2 (sent QI2, IPsec SA
>> established); EVENT_SA_REPLACE in 2736s
>> 000 #5: "gwbluenap-blueto" esp.79be2e77@83.103.18.205
>> esp.f510dd93@192.168.1.10 tun.1002@83.103.18.205 tun.1001@192.168.1.10
>> 000 #8: "gwbluenap-blueto" STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 3289s
>> 000 #8: "gwbluenap-blueto" esp.79be2e73@83.103.18.205
>> esp.f510dd96@192.168.1.10 tun.1006@83.103.18.205 tun.1005@192.168.1.10
>> 000 #7: "gwbluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1);
>> EVENT_RETRANSMIT in 21s
>> 000 #1: "gwbluenap-gwblueto" STATE_MODE_CFG_I2 (received ModeCfg reply);
>> EVENT_SA_REPLACE in 10479s; newest ISAKMP
>> 000 #2: "gwbluenap-gwblueto" STATE_MODE_CFG_I2 (received ModeCfg reply);
>> EVENT_SA_REPLACE in 10479s
>> 000
>> [root@finalel root]# route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> aurorato        192.168.1.1     255.255.255.255 UGH   0      0   0   ipsec0
>> 192.168.6.0     *               255.255.255.0   U     0      0   0   eth1
>> 192.168.1.0     *               255.255.255.0   U     0      0   0   eth0
>> 192.168.1.0     *               255.255.255.0   U     0      0   0   ipsec0
>> 192.168.0.0     192.168.1.1     255.255.255.0   UG    0      0   0   ipsec0
>> 169.254.0.0     *               255.255.0.0     U     0      0   0   eth1
>> 127.0.0.0       *               255.0.0.0       U     0      0   0   lo
>> default         192.168.1.1     0.0.0.0         UG    0      0   0   eth0
>>
>>
>> FOR HOST RED
>> version 2.0 # conforms to second version of ipsec.conf specification
>> config setup
>> klipsdebug=all
>> plutodebug=all
>> #klipsdebug=all
>> interfaces="ipsec0=eth2"
>> nat_traversal=yes
>> conn %default
>> keyingtries=0
>> leftrsasigkey="0sAQNTGC..oV"
>> rightrsasigkey="0sAQNzHg..hOvj"
>> leftid=@83.103.18.205
>> rightid=@192.168.1.10
>> # sample VPN connection
>> conn bluenap-blueto
>> left=83.103.18.205
>> leftsubnet=192.168.0.0/24
>> leftnexthop=83.103.18.201
>> right=82.88.96.124
>> rightsubnet=192.168.6.0/24
>> auto=start
>> authby=rsasig
>> conn bluenap-gwblueto
>> left=83.103.18.205
>> leftsubnet=192.168.0.0/24
>> leftnexthop=83.103.18.201
>> right=82.88.96.124
>> auto=start
>> authby=rsasig
>> conn gwbluenap-blueto
>> left=83.103.18.205
>> leftnexthop=83.103.18.201
>> right=82.88.96.124
>> rightsubnet=192.168.6.0/24
>> auto=start
>> authby=rsasig
>> conn gwbluenap-gwblueto
>> left=83.103.18.205
>> leftnexthop=83.103.18.201
>> right=82.88.96.124
>> auto=start
>> authby=rsasig
>> [root@Artea-dmz root]# ipsec eroute
>> 9 83.103.18.205/32 -> 82.88.96.124/32 => %trap
>> 9 83.103.18.205/32 -> 192.168.6.0/24 => tun0x1003@82.88.96.124
>> 0 192.168.0.0/24 -> 82.88.96.124/32 => %trap
>> 0 192.168.0.0/24 -> 192.168.6.0/24 => tun0x1004@82.88.96.124
>> [root@Artea-dmz root]# ipsec auto --statusall
>> 000 interface ipsec0/eth2 83.103.18.205:4500
>> 000 interface ipsec0/eth2 83.103.18.205:500
>> 000 %myid = (none)
>> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
>>
>> 000
>> 000 "bluenap-blueto": 192.168.0.0/24===83.103.18.205[@83.103.18.205]---83.103.18.201...82.88.96.124[@192.168.1.10]===192.168.6.0/24; prospective erouted; eroute owner: #0
>> 000 "bluenap-blueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "bluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 24,24; interface: eth2;
>> 000 "bluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "bluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "bluenap-blueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "bluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "bluenap-blueto": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
>> 000 "bluenap-gwblueto": 192.168.0.0/24===83.103.18.205[@83.103.18.205]---83.103.18.201...82.88.96.124[@192.168.1.10]; prospective erouted; eroute owner: #0
>> 000 "bluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "bluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 24,32; interface: eth2;
>> 000 "bluenap-gwblueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "bluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "bluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "bluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "bluenap-gwblueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000 "gwbluenap-blueto": 83.103.18.205[@83.103.18.205]---83.103.18.201...82.88.96.124[@192.168.1.10]===192.168.6.0/24; erouted HOLD; eroute owner: #0
>> 000 "gwbluenap-blueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "gwbluenap-blueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 32,24; interface: eth2;
>> 000 "gwbluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "gwbluenap-blueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "gwbluenap-blueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "gwbluenap-blueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "gwbluenap-blueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000 "gwbluenap-gwblueto": 83.103.18.205[@83.103.18.205]---83.103.18.201...82.88.96.124[@192.168.1.10]; prospective erouted; eroute owner: #0
>> 000 "gwbluenap-gwblueto": ike_life: 10800s; ipsec_life: 3600s;
>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> 000 "gwbluenap-gwblueto": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
>> 32,32; interface: eth2;
>> 000 "gwbluenap-gwblueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "gwbluenap-gwblueto": IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
>> 5_000-2-5, 5_000-2-2,
>> 000 "gwbluenap-gwblueto": IKE algorithms found: 5_192-1_128-5,
>> 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
>> 000 "gwbluenap-gwblueto": ESP algorithms wanted: 3_000-1, 3_000-2,
>> 000 "gwbluenap-gwblueto": ESP algorithms loaded: 3_168-1_128,
>> 3_168-2_160,
>> 000
>> 000 #1: "gwbluenap-gwblueto" STATE_MAIN_I1 (sent MI1, expecting MR1);
>> EVENT_RETRANSMIT in 1s
>> 000 #1: pending Phase 2 for "gwbluenap-blueto" replacing #0
>> 000 #1: pending Phase 2 for "bluenap-gwblueto" replacing #0
>> 000 #1: pending Phase 2 for "gwbluenap-blueto" replacing #0
>> 000 #1: pending Phase 2 for "bluenap-blueto" replacing #0
>> 000 #1: pending Phase 2 for "gwbluenap-gwblueto" replacing #0
>> 000
>> [root@Artea-dmz root]# route
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>> host124-96.pool 83.103.18.201   255.255.255.255 UGH   0      0   0   ipsec0
>> 83.103.18.200   *               255.255.255.248 U     0      0   0   eth2
>> 83.103.18.200   *               255.255.255.248 U     0      0   0   ipsec0
>> 192.168.100.0   192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.6.0     83.103.18.201   255.255.255.0   UG    0      0   0   ipsec0
>> 192.168.5.0     192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.4.0     192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.3.0     192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.2.0     192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.1.0     192.168.0.1     255.255.255.0   UG    0      0   0   eth0
>> 192.168.0.0     *               255.255.255.0   U     0      0   0   eth0
>> 10.1.1.0        *               255.255.255.0   U     0      0   0   eth1
>> 169.254.0.0     *               255.255.0.0     U     0      0   0   eth2
>> 127.0.0.0       *               255.0.0.0       U     0      0   0   lo
>> default         83.103.18.201   0.0.0.0         UG    0      0   0   eth2
>
>> Trocano Manilo
>> System Support Specialist
>> Phone +393488563164
>> e-mail trocano@adminsrl.it
>
>
> =======================================================================
> Andreas Steffen e-mail: andreas.steffen@strongsec.com
> strongSec GmbH home: http://www.strongsec.com
> Alter Zürichweg 20 phone: +41 1 730 80 64
> CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
> ==========================================[strong internet security]===
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> http://lists.strongswan.org/mailman/listinfo/users
Trocano Manilo
System Support Specialist
Phone +393488563164
e-mail trocano@adminsrl.it
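Added example (not part of the thread and not strongSwan's own code): a small Python triage script that parses the `ipsec eroute` and `ipsec auto --statusall` formats shown in the messages above and flags the two symptoms the thread revolves around, policies that still sit on a %hold/%trap placeholder instead of a tunnel and connections whose Quick Mode I1 keeps being retransmitted while they have no IPsec SA. The sample inputs are lines copied from the BLUE host output above; the regexes and function names are my own.

```python
"""Triage helper for KLIPS/Pluto (strongSwan 2.x) diagnostics: parses
`ipsec eroute` and `ipsec auto --statusall` output and reports policies
with no tunnel and Phase 2 negotiations that are stuck retransmitting."""
import re
from collections import defaultdict

# Constructed sample: the BLUE host's `ipsec eroute` lines from the thread.
EROUTE_SAMPLE = """\
192.168.1.10/32 -> 83.103.18.205/32 => tun0x100a@83.103.18.205
192.168.6.0/24 -> 83.103.18.205/32 => tun0x1008@83.103.18.205
192.168.1.10/32 -> 192.168.0.0/24 => %hold
192.168.6.0/24 -> 192.168.0.0/24 => tun0x1009@83.103.18.205
"""

# Constructed sample: a subset of the BLUE host's `ipsec auto --statusall`.
STATUS_SAMPLE = """\
000 "bluenap-blueto": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "bluenap-gwblueto": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "gwbluenap-gwblueto": newest ISAKMP SA: #7; newest IPsec SA: #10;
000 #9: "bluenap-blueto" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3269s; newest IPSEC; eroute owner
000 #13: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s
000 #11: "bluenap-gwblueto" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s
000 #7: "gwbluenap-gwblueto" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10467s; newest ISAKMP
"""

# An optional leading packet counter ("39 192.168.1.10/32 -> ...") is skipped.
EROUTE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+(?P<target>\S+)")
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+); '
    r"newest IPsec SA: #(?P<ipsec>\d+);")
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) '
    r"\([^)]*\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s")


def parse_eroutes(text):
    """Return (src, dst, target) tuples, one per eroute line."""
    return [(m["src"], m["dst"], m["target"])
            for m in map(EROUTE_RE.match, text.splitlines()) if m]


def untunnelled_policies(text):
    """Eroutes whose target is a placeholder (%hold, %trap, ...) rather than
    a tun0x... SA: matching traffic is not protected by an established tunnel."""
    return [r for r in parse_eroutes(text) if r[2].startswith("%")]


def parse_status(text):
    """Split statusall into {conn: (newest ISAKMP SA, newest IPsec SA)}
    and a list of per-SA state records."""
    newest, states = {}, []
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            newest[m["conn"]] = (int(m["isakmp"]), int(m["ipsec"]))
            continue
        m = STATE_RE.match(line)
        if m:
            states.append({"sa": int(m["sa"]), "conn": m["conn"],
                           "state": m["state"], "event": m["event"],
                           "secs": int(m["secs"])})
    return newest, states


def stuck_phase2(text):
    """Connections with no IPsec SA (newest IPsec SA: #0) whose Quick Mode
    I1 keeps being retransmitted: the peer never answers the proposal."""
    newest, states = parse_status(text)
    stuck = defaultdict(list)
    for st in states:
        if (st["state"] == "STATE_QUICK_I1" and st["event"] == "EVENT_RETRANSMIT"
                and newest.get(st["conn"], (0, 0))[1] == 0):
            stuck[st["conn"]].append(st["sa"])
    return dict(stuck)


if __name__ == "__main__":
    for src, dst, target in untunnelled_policies(EROUTE_SAMPLE):
        print(f"no tunnel for {src} -> {dst} (eroute {target})")
    for conn, sas in stuck_phase2(STATUS_SAMPLE).items():
        print(f"{conn}: Quick Mode I1 retransmitting on SA(s) {sas}")
```

Run against the BLUE output it reports the 192.168.1.10/32 -> 192.168.0.0/24 policy as held and "bluenap-gwblueto" as stuck on SAs #13 and #11, which matches the one host-to-subnet direction that the thread says does not pass traffic.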