[strongSwan] ipsec.conf working vs swanctl.conf not working
Marco Berizzi
2018-05-03 15:33:39 UTC
Hello everyone,

I'm running strongSwan 5.6.3dr1 on Slackware Linux.

I would like to migrate the configuration files from
the old ipsec.conf style to the new swanctl.conf.
I'm experiencing crazy behavior between an old
working configuration and the new non-working one.
Here is the old working config:

conn customer
left=205.223.229.254
right=217.118.9.36
leftsubnet=10.68.63.3
leftsendcert=no
rightsendcert=no
leftauth=secret
rightauth=secret
ike=aes256-sha512-ecp521
esp=aes256-sha512-ecp521
compress=no
leftid=205.223.229.254
rightid=217.118.9.36
keyingtries=%forever
lifetime=4h
ikelifetime=24h
keyexchange=ikev2

conn customer-172.16.10.0
rightsubnet=172.16.10.0/24
auto=route
also=customer

and here is the new non-working config:

connections {

customer {
local_addrs = 205.223.229.254
remote_addrs = 217.118.9.36

local {
auth = psk
id = 205.223.229.254
}
remote {
auth = psk
id = 217.118.9.36
}
children {
customer-networks {
local_ts = 10.68.63.3/32
remote_ts = 172.16.10.0/24

start_action = route
esp_proposals = aes256-sha512-ecp521
rekey_time = 14400
rekey_bytes = 4608000000
}
}
version = 2
mobike = no
proposals = aes256-sha512-ecp521
reauth_time = 24h
keyingtries = 0
send_cert = never
send_certreq = no
encap = yes
}
}

secrets {

ike-customer {
id = 217.118.9.36
id = 205.223.229.254
secret = 0sblablabla
}
}

Here is the output from the ipsec up:

initiating IKE_SA customer-172.16.10.0[47423] to 217.118.9.36
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 205.223.229.254[500] to 217.118.9.36[500] (880 bytes)
received packet: from 217.118.9.36[500] to 205.223.229.254[500] (450 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received FRAGMENTATION vendor ID
authentication of '205.223.229.254' (myself) with pre-shared key
establishing CHILD_SA customer-172.16.10.0{64813}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 205.223.229.254[4500] to 217.118.9.36[4500] (432 bytes)
received packet: from 217.118.9.36[4500] to 205.223.229.254[4500] (304 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '217.118.9.36' with pre-shared key successful
IKE_SA customer-172.16.10.0[47423] established between 205.223.229.254[205.223.229.254]...217.118.9.36[217.118.9.36]
scheduling reauthentication in 85491s
maximum IKE_SA lifetime 86031s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
CHILD_SA customer-172.16.10.0{64813} established with SPIs c1fbb908_i 33cdcd59_o and TS 10.68.68.3/32 === 172.16.10.0/24
connection 'customer-172.16.10.0' established successfully


By the way, I don't understand why strongSwan is
sending packets to 4500/udp.

and here is the output from swanctl:

[IKE] initiating IKE_SA customer[47454] to 217.118.9.36
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 205.223.229.254[500] to 217.118.9.36[500] (340 bytes)
[NET] received packet: from 217.118.9.36[500] to 205.223.229.254[500] (450 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
[IKE] received Cisco Delete Reason vendor ID
[IKE] received Cisco Copyright (c) 2009 vendor ID
[IKE] received FRAGMENTATION vendor ID
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '205.223.229.254' (myself) with pre-shared key
[IKE] establishing CHILD_SA customer-networks{64861}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 205.223.229.254[500] to 217.118.9.36[500] (288 bytes)
[NET] received packet: from 217.118.9.36[500] to 205.223.229.254[500] (96 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
initiate failed: establishing CHILD_SA 'customer-networks' failed

This time strongSwan doesn't send packets to 4500/udp.

What am I missing on the swanctl configuration?

TIA

Here is the more detailed output from swanctl:

[MGR] checkout IKE_SA by config
[JOB] watcher got notification, rebuilding
[JOB] watching 9 for reading
[JOB] watching 13 for reading
[JOB] watching 14 for reading
[JOB] watching 15 for reading
[IKE] queueing IKE_VENDOR task
[IKE] queueing IKE_INIT task
[IKE] queueing IKE_NATD task
[IKE] queueing IKE_CERT_PRE task
[IKE] queueing IKE_AUTH task
[IKE] queueing IKE_CERT_POST task
[IKE] queueing IKE_CONFIG task
[IKE] queueing IKE_AUTH_LIFETIME task
[IKE] queueing CHILD_CREATE task
[IKE] activating new tasks
[IKE] activating IKE_VENDOR task
[IKE] activating IKE_INIT task
[IKE] activating IKE_NATD task
[IKE] activating IKE_CERT_PRE task
[IKE] activating IKE_AUTH task
[IKE] activating IKE_CERT_POST task
[IKE] activating IKE_CONFIG task
[IKE] activating CHILD_CREATE task
[IKE] activating IKE_AUTH_LIFETIME task
[IKE] initiating IKE_SA customer[47511] to 217.118.9.36
[IKE] IKE_SA customer[47511] state change: CREATED => CONNECTING
[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
[ENC] added payload of type SECURITY_ASSOCIATION to message
[ENC] added payload of type KEY_EXCHANGE to message
[ENC] added payload of type NONCE to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
[ENC] added payload of type NOTIFY to message
[IKE]
[IKE]
[ENC] added payload of type NOTIFY to message
[IKE]
[IKE]
[ENC] added payload of type NOTIFY to message
[ENC] order payloads in message
[ENC] added payload of type SECURITY_ASSOCIATION to message
[ENC] added payload of type KEY_EXCHANGE to message
[ENC] added payload of type NONCE to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[ENC] not encrypting payloads
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC]
[ENC] generating rule 1 IKE_SPI
[ENC]
[ENC] generating rule 2 U_INT_8
[ENC] => 33
[ENC] generating rule 3 U_INT_4
[ENC] => 32
[ENC] generating rule 4 U_INT_4
[ENC] => 32
[ENC] generating rule 5 U_INT_8
[ENC] => 34
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 FLAG
[ENC] => 0
[ENC] generating rule 9 FLAG
[ENC] => 0
[ENC] generating rule 10 FLAG
[ENC] => 8
[ENC] generating rule 11 FLAG
[ENC] => 8
[ENC] generating rule 12 FLAG
[ENC] => 8
[ENC] generating rule 13 FLAG
[ENC] => 8
[ENC] generating rule 14 U_INT_32
[ENC]
[ENC] generating rule 15 HEADER_LENGTH
[ENC]
[ENC] generating HEADER payload finished
[ENC]
[ENC] generating payload of type SECURITY_ASSOCIATION
[ENC] generating rule 0 U_INT_8
[ENC] => 34
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 (1258)
[ENC] generating payload of type SECURITY_ASSOCIATION
[ENC] generating rule 0 U_INT_8
[ENC] => 0
[ENC] generating rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 3 U_INT_8
[ENC] => 1
[ENC] generating rule 4 U_INT_8
[ENC] => 1
[ENC] generating rule 5 SPI_SIZE
[ENC] => 0
[ENC] generating rule 6 U_INT_8
[ENC] => 4
[ENC] generating rule 7 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 8 (1261)
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE
[ENC] generating rule 0 U_INT_8
[ENC] => 3
[ENC] generating rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 3 U_INT_8
[ENC] => 1
[ENC] generating rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 5 U_INT_16
[ENC]
[ENC] generating rule 6 (1262)
[ENC] generating payload of type TRANSFORM_ATTRIBUTE
[ENC] generating rule 0 ATTRIBUTE_FORMAT
[ENC] => 128
[ENC] generating rule 1 ATTRIBUTE_TYPE
[ENC] => 3712
[ENC] generating rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC]
[ENC] generating rule 3 ATTRIBUTE_VALUE
[ENC] generating TRANSFORM_ATTRIBUTE payload finished
[ENC]
[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
[ENC]
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE
[ENC] generating rule 0 U_INT_8
[ENC] => 3
[ENC] generating rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 3 U_INT_8
[ENC] => 3
[ENC] generating rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 5 U_INT_16
[ENC]
[ENC] generating rule 6 (1262)
[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
[ENC]
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE
[ENC] generating rule 0 U_INT_8
[ENC] => 3
[ENC] generating rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 3 U_INT_8
[ENC] => 2
[ENC] generating rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 5 U_INT_16
[ENC]
[ENC] generating rule 6 (1262)
[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
[ENC]
[ENC] generating payload of type TRANSFORM_SUBSTRUCTURE
[ENC] generating rule 0 U_INT_8
[ENC] => 0
[ENC] generating rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 2 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 3 U_INT_8
[ENC] => 4
[ENC] generating rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 5 U_INT_16
[ENC]
[ENC] generating rule 6 (1262)
[ENC] generating TRANSFORM_SUBSTRUCTURE payload finished
[ENC]
[ENC] generating SECURITY_ASSOCIATION payload finished
[ENC]
[ENC] generating SECURITY_ASSOCIATION payload finished
[ENC]
[ENC] generating payload of type KEY_EXCHANGE
[ENC] generating rule 0 U_INT_8
[ENC] => 40
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_16
[ENC]
[ENC] generating rule 11 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 12 RESERVED_BYTE
[ENC] => 0
[ENC] generating rule 13 CHUNK_DATA
[ENC]
[ENC] generating KEY_EXCHANGE payload finished
[ENC]
[ENC] generating payload of type NONCE
[ENC] generating rule 0 U_INT_8
[ENC] => 41
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 CHUNK_DATA
[ENC]
[ENC] generating NONCE payload finished
[ENC]
[ENC] generating payload of type NOTIFY
[ENC] generating rule 0 U_INT_8
[ENC] => 41
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_8
[ENC] => 0
[ENC] generating rule 11 SPI_SIZE
[ENC] => 0
[ENC] generating rule 12 U_INT_16
[ENC]
[ENC] generating rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 14 CHUNK_DATA
[ENC]
[ENC] generating NOTIFY payload finished
[ENC]
[ENC] generating payload of type NOTIFY
[ENC] generating rule 0 U_INT_8
[ENC] => 41
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_8
[ENC] => 0
[ENC] generating rule 11 SPI_SIZE
[ENC] => 0
[ENC] generating rule 12 U_INT_16
[ENC]
[ENC] generating rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 14 CHUNK_DATA
[ENC]
[ENC] generating NOTIFY payload finished
[ENC]
[ENC] generating payload of type NOTIFY
[ENC] generating rule 0 U_INT_8
[ENC] => 41
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_8
[ENC] => 0
[ENC] generating rule 11 SPI_SIZE
[ENC] => 0
[ENC] generating rule 12 U_INT_16
[ENC]
[ENC] generating rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 14 CHUNK_DATA
[ENC] => 0 bytes @ (nil)
[ENC] generating NOTIFY payload finished
[ENC]
[ENC] generating payload of type NOTIFY
[ENC] generating rule 0 U_INT_8
[ENC] => 41
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_8
[ENC] => 0
[ENC] generating rule 11 SPI_SIZE
[ENC] => 0
[ENC] generating rule 12 U_INT_16
[ENC]
[ENC] generating rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 14 CHUNK_DATA
[ENC]
[ENC] generating NOTIFY payload finished
[ENC]
[ENC] generating payload of type NOTIFY
[ENC] generating rule 0 U_INT_8
[ENC] => 0
[ENC] generating rule 1 FLAG
[ENC] => 0
[ENC] generating rule 2 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 3 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 4 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 5 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 9 PAYLOAD_LENGTH
[ENC]
[ENC] generating rule 10 U_INT_8
[ENC] => 0
[ENC] generating rule 11 SPI_SIZE
[ENC] => 0
[ENC] generating rule 12 U_INT_16
[ENC]
[ENC] generating rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] generating rule 14 CHUNK_DATA
[ENC] => 0 bytes @ (nil)
[ENC] generating NOTIFY payload finished
[ENC]
[ENC]
[NET] sending packet: from 205.223.229.254[500] to 217.118.9.36[500] (340 bytes)
[MGR] checkin IKE_SA customer[47511]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 217.118.9.36[500] to 205.223.229.254[500] (450 bytes)
[ENC] parsing body of message, first payload is SECURITY_ASSOCIATION
[ENC] starting parsing a SECURITY_ASSOCIATION payload
[ENC] parsing SECURITY_ASSOCIATION payload, 422 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 34
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 48
[ENC] parsing rule 10 (1258)
[ENC] 44 bytes left, parsing recursively PROPOSAL_SUBSTRUCTURE
[ENC] parsing PROPOSAL_SUBSTRUCTURE payload, 418 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 0
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] => 44
[ENC] parsing rule 3 U_INT_8
[ENC] => 1
[ENC] parsing rule 4 U_INT_8
[ENC] => 1
[ENC] parsing rule 5 SPI_SIZE
[ENC] => 0
[ENC] parsing rule 6 U_INT_8
[ENC] => 4
[ENC] parsing rule 7 SPI
[ENC] => 0 bytes @ (nil)
[ENC] parsing rule 8 (1260)
[ENC] 36 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 410 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 3
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] => 12
[ENC] parsing rule 3 U_INT_8
[ENC] => 1
[ENC] parsing rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 5 U_INT_16
[ENC] => 12
[ENC] parsing rule 6 (1262)
[ENC] 4 bytes left, parsing recursively TRANSFORM_ATTRIBUTE
[ENC] parsing TRANSFORM_ATTRIBUTE payload, 402 bytes left
[ENC]
[ENC] parsing rule 0 ATTRIBUTE_FORMAT
[ENC] => 1
[ENC] parsing rule 1 ATTRIBUTE_TYPE
[ENC] => 14
[ENC] parsing rule 2 ATTRIBUTE_LENGTH_OR_VALUE
[ENC] => 256
[ENC] parsing rule 3 ATTRIBUTE_VALUE
[ENC] parsing TRANSFORM_ATTRIBUTE payload finished
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
[ENC] 24 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 398 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 3
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] => 8
[ENC] parsing rule 3 U_INT_8
[ENC] => 2
[ENC] parsing rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 5 U_INT_16
[ENC] => 7
[ENC] parsing rule 6 (1262)
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
[ENC] 16 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 390 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 3
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] => 8
[ENC] parsing rule 3 U_INT_8
[ENC] => 3
[ENC] parsing rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 5 U_INT_16
[ENC] => 14
[ENC] parsing rule 6 (1262)
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
[ENC] 8 bytes left, parsing recursively TRANSFORM_SUBSTRUCTURE
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 382 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 0
[ENC] parsing rule 1 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 2 PAYLOAD_LENGTH
[ENC] => 8
[ENC] parsing rule 3 U_INT_8
[ENC] => 4
[ENC] parsing rule 4 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 5 U_INT_16
[ENC] => 21
[ENC] parsing rule 6 (1262)
[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
[ENC] parsing PROPOSAL_SUBSTRUCTURE payload finished
[ENC] parsing SECURITY_ASSOCIATION payload finished
[ENC] verifying payload of type SECURITY_ASSOCIATION
[ENC] SECURITY_ASSOCIATION payload verified, adding to payload list
[ENC] starting parsing a KEY_EXCHANGE payload
[ENC] parsing KEY_EXCHANGE payload, 374 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 40
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 140
[ENC] parsing rule 10 U_INT_16
[ENC] => 21
[ENC] parsing rule 11 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 12 RESERVED_BYTE
[ENC] => 0
[ENC] parsing rule 13 CHUNK_DATA
[ENC]
[ENC] parsing KEY_EXCHANGE payload finished
[ENC] verifying payload of type KEY_EXCHANGE
[ENC] KEY_EXCHANGE payload verified, adding to payload list
[ENC] starting parsing a NONCE payload
[ENC] parsing NONCE payload, 234 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 43
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 68
[ENC] parsing rule 10 CHUNK_DATA
[ENC]
[ENC] parsing NONCE payload finished
[ENC] verifying payload of type NONCE
[ENC] NONCE payload verified, adding to payload list
[ENC] starting parsing a VENDOR_ID payload
[ENC] parsing VENDOR_ID payload, 166 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 43
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 23
[ENC] parsing rule 10 CHUNK_DATA
[ENC]
[ENC] parsing VENDOR_ID payload finished
[ENC] verifying payload of type VENDOR_ID
[ENC] VENDOR_ID payload verified, adding to payload list
[ENC] starting parsing a VENDOR_ID payload
[ENC] parsing VENDOR_ID payload, 143 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 41
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 59
[ENC] parsing rule 10 CHUNK_DATA
[ENC]
[ENC] parsing VENDOR_ID payload finished
[ENC] verifying payload of type VENDOR_ID
[ENC] VENDOR_ID payload verified, adding to payload list
[ENC] starting parsing a NOTIFY payload
[ENC] parsing NOTIFY payload, 84 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 41
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 28
[ENC] parsing rule 10 U_INT_8
[ENC] => 1
[ENC] parsing rule 11 SPI_SIZE
[ENC] => 0
[ENC] parsing rule 12 U_INT_16
[ENC] => 16388
[ENC] parsing rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] parsing rule 14 CHUNK_DATA
[ENC]
[ENC] parsing NOTIFY payload finished
[ENC] verifying payload of type NOTIFY
[ENC] NOTIFY payload verified, adding to payload list
[ENC] starting parsing a NOTIFY payload
[ENC] parsing NOTIFY payload, 56 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 41
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 28
[ENC] parsing rule 10 U_INT_8
[ENC] => 1
[ENC] parsing rule 11 SPI_SIZE
[ENC] => 0
[ENC] parsing rule 12 U_INT_16
[ENC] => 16389
[ENC] parsing rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] parsing rule 14 CHUNK_DATA
[ENC]
[ENC] parsing NOTIFY payload finished
[ENC] verifying payload of type NOTIFY
[ENC] NOTIFY payload verified, adding to payload list
[ENC] starting parsing a NOTIFY payload
[ENC] parsing NOTIFY payload, 28 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 43
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 8
[ENC] parsing rule 10 U_INT_8
[ENC] => 0
[ENC] parsing rule 11 SPI_SIZE
[ENC] => 0
[ENC] parsing rule 12 U_INT_16
[ENC] => 16430
[ENC] parsing rule 13 SPI
[ENC] => 0 bytes @ (nil)
[ENC] parsing rule 14 CHUNK_DATA
[ENC] => 0 bytes @ (nil)
[ENC] parsing NOTIFY payload finished
[ENC] verifying payload of type NOTIFY
[ENC] NOTIFY payload verified, adding to payload list
[ENC] starting parsing a VENDOR_ID payload
[ENC] parsing VENDOR_ID payload, 20 bytes left
[ENC]
[ENC] parsing rule 0 U_INT_8
[ENC] => 0
[ENC] parsing rule 1 FLAG
[ENC] => 0
[ENC] parsing rule 2 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 3 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 4 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 5 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 6 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 7 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 8 RESERVED_BIT
[ENC] => 0
[ENC] parsing rule 9 PAYLOAD_LENGTH
[ENC] => 20
[ENC] parsing rule 10 CHUNK_DATA
[ENC]
[ENC] parsing VENDOR_ID payload finished
[ENC] verifying payload of type VENDOR_ID
[ENC] VENDOR_ID payload verified, adding to payload list
[ENC] process payload of type SECURITY_ASSOCIATION
[ENC] process payload of type KEY_EXCHANGE
[ENC] process payload of type NONCE
[ENC] process payload of type VENDOR_ID
[ENC] process payload of type VENDOR_ID
[ENC] process payload of type NOTIFY
[ENC] process payload of type NOTIFY
[ENC] process payload of type NOTIFY
[ENC] process payload of type VENDOR_ID
[ENC] verifying message structure
[ENC] found payload of type NOTIFY
[ENC] found payload of type NOTIFY
[ENC] found payload of type NOTIFY
[ENC] found payload of type SECURITY_ASSOCIATION
[ENC] found payload of type KEY_EXCHANGE
[ENC] found payload of type NONCE
[ENC] found payload of type VENDOR_ID
[ENC] found payload of type VENDOR_ID
[ENC] found payload of type VENDOR_ID
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
[IKE] received Cisco Delete Reason vendor ID
[IKE] received Cisco Copyright (c) 2009 vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION_SUPPORTED notify
[CFG] selecting proposal:
[CFG] proposal matches
[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE] faking NAT situation to enforce UDP encapsulation
[IKE] reinitiating already active tasks
[IKE] IKE_CERT_PRE task
[IKE] IKE_AUTH task
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type ID_RESPONDER to message
[ENC] added payload of type ID_INITIATOR to message
[ENC] added payload of type NOTIFY to message
[IKE] authentication of '205.223.229.254' (myself) with pre-shared key
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE]
[IKE] successfully created shared key MAC
[ENC] added payload of type AUTH to message
[CFG] proposing traffic selectors for us:
[CFG] 10.68.68.3/32
[CFG] proposing traffic selectors for other:
[CFG] 172.16.10.0/24
[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
[IKE] establishing CHILD_SA customer-networks{64948}
[KNL]
[KNL]
[KNL] got SPI cd040247
[ENC] added payload of type SECURITY_ASSOCIATION to message
[ENC] added payload of type TS_INITIATOR to message
[ENC] added payload of type TS_RESPONDER to message
[ENC] order payloads in message
[ENC] added payload of type ID_INITIATOR to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type ID_RESPONDER to message
[ENC] added payload of type AUTH to message
[ENC] added payload of type SECURITY_ASSOCIATION to message
[ENC] added payload of type TS_INITIATOR to message
[ENC] added payload of type TS_RESPONDER to message
[ENC] added payload of type NOTIFY to message
[ENC] added payload of type NOTIFY to message
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] insert payload ID_INITIATOR into encrypted payload
[ENC] insert payload NOTIFY into encrypted payload
[ENC] insert payload ID_RESPONDER into encrypted payload
[ENC] insert payload AUTH into encrypted payload
[ENC] insert payload SECURITY_ASSOCIATION into encrypted payload
[ENC] insert payload TS_INITIATOR into encrypted payload
[ENC] insert payload TS_RESPONDER into encrypted payload
[ENC] insert payload NOTIFY into encrypted payload
[ENC] insert payload NOTIFY into encrypted payload
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC]
[ENC] generating rule 1 IKE_SPI
[ENC]
[ENC] generating rule 2 U_INT_8
[ENC] => 46
[ENC] generating rule 3 U_INT_4
[ENC] => 32
[ENC] generating rule 4 U_INT_4
[ENC] => 32
[ENC] generating rule 5 U_INT_8
[ENC] => 35
[ENC] generating rule 6 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 7 RESERVED_BIT
[ENC] => 0
[ENC] generating rule 8 FLAG
[ENC] => 0
[ENC] generating rule 9 FLAG
[ENC] => 0
[ENC] generating rule 10 FLAG
[ENC] => 8
[ENC] generating rule 11 FLAG
[ENC] generating rule 8 RESERVED_BIT
initiate failed: establishing CHILD_SA 'customer-networks' failed
[NET] sending packet: from 205.223.229.254[4500] to 217.118.9.36[4500] (304 bytes)
[MGR] checkin IKE_SA customer[47511]
[MGR] checkin of IKE_SA successful
[NET] received packet: from 217.118.9.36[4500] to 205.223.229.254[4500] (96 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error
[CHD] CHILD_SA customer-networks{64948} state change: CREATED => DESTROYING
[KNL] deleting SAD entry with SPI cd040247
Marco Berizzi
2018-05-04 08:53:39 UTC
Permalink
> mobike = no

> By the way I don't understand why strongswan is
> sending packets to 4500/udp.

OK, I found that "mobike = no" changes the swap to 4500/udp.

However, I don't understand why the psk authentication is failing.
Tobias Brunner
2018-05-04 10:33:52 UTC
Permalink
Hi Marco,

> [ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> [IKE] received AUTHENTICATION_FAILED notify error

The other end sends that notify back because it couldn't authenticate
the initiator, so check the log there.

Regards,
Tobias
Marco Berizzi
2018-05-04 11:50:01 UTC
Permalink
Hi Tobias,

> The other end sends that notify back because it couldn't authenticate
> the initiator, so check the log there.

Unfortunately I have no access to the other ipsec peer.
I have also tried with another customer and I'm getting
the same behavior.

Here are the two outputs:

(non working)
[IKE] initiating Main Mode IKE_SA cbt[494] to 31.169.105.210
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (180 bytes)

Why only 180 bytes?

[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify


(working)
initiating Main Mode IKE_SA cbt[499] to 31.169.105.210
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)

This time strongswan sends a 248 byte IKE packet?

received packet: from 31.169.105.210[500] to 205.223.229.254[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (244 bytes)
received packet: from 31.169.105.210[500] to 205.223.229.254[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
received packet: from 31.169.105.210[500] to 205.223.229.254[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received unknown vendor ID: 49:4b:45:76:32
IKE_SA cbt[499] established between 205.223.229.254[205.223.229.254]...31.169.105.210[31.169.105.210]
scheduling reauthentication in 85571s
maximum IKE_SA lifetime 86111s
generating QUICK_MODE request 4227161388 [ HASH SA No ID ID ]
sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (204 bytes)
received packet: from 31.169.105.210[500] to 205.223.229.254[500] (156 bytes)
parsed QUICK_MODE response 4227161388 [ HASH SA No ID ID ]
CHILD_SA cbt{788} established with SPIs c2384552_i b807ce0a_o and TS 10.28.131.200/29 === 192.168.170.128/28
generating QUICK_MODE request 4227161388 [ HASH ]
connection 'cbt' established successfully

These are the two configs. I'm not able to catch the
configuration bug:

connections {

cbt {
local_addrs = 205.223.229.254
remote_addrs = 31.169.105.210

local {
auth = psk
id = 205.223.229.254
}
remote {
auth = psk
id = 31.169.105.210
}
children {
cbt-networks {
local_ts = 10.28.131.200/29
remote_ts = 192.168.170.128/28

start_action = trap
esp_proposals = 3des-sha1
rekey_time = 3600
# rekey_bytes = 4608000000
}
}
version = 1
# mobike = no
proposals = 3des-sha1-modp1024
reauth_time = 24h
keyingtries = 0
send_cert = never
send_certreq = no
# encap = yes
# unique = never
}
}

secrets {

ike-cbt {
id = 31.169.105.210
secret = 0sblabla
}
}


conn cbt
left=205.223.229.254
right=31.169.105.210
leftsubnet=10.28.131.200/29
rightsubnet=192.168.170.128/28
authby=secret
auto=route
esp=3des-sha1
compress=no
leftid=205.223.229.254
rightid=31.169.105.210
keyingtries=%forever
lifetime=1h
ikelifetime=86400
ike=3des-sha1-modp1024
Tobias Brunner
2018-05-04 12:46:42 UTC
Permalink
Hi Marco,

> Here are the two outputs:
>
> (non working)
> [IKE] initiating Main Mode IKE_SA cbt[494] to 31.169.105.210
> [ENC] generating ID_PROT request 0 [ SA V V V V V ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (180 bytes)

So you're using IKEv1 now? (Was IKEv2 in your original mail, and you
should definitely prefer that if you can.)

> Why only 180 bytes?
>
> [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
> [ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> [IKE] received NO_PROPOSAL_CHOSEN error notify
>
>
> (working)
> initiating Main Mode IKE_SA cbt[499] to 31.169.105.210
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)
>
> this time strongswan send a 248 bytes ike packet?

Different IKE proposals. With ipsec.conf the default proposal(s) are
added to whatever you configure in ike/esp unless that ends with a !.
With swanctl.conf the default proposal(s) have to be added explicitly to
the IKE/ESP proposals (e.g. in your example `proposals =
3des-sha1-modp1024, default`). So that indicates your configured
proposal is incorrect. But that's a completely different problem than
the one you had before with IKEv2.

Regards,
Tobias
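Tobias's point about the implicit default proposal is the kind of thing that silently breaks a hand migration. The script below is an added example (not strongSwan's code and not from this thread): it converts ipsec.conf ike=/esp= values to swanctl.conf lists, honouring a trailing `!`, and lints a hand-written swanctl.conf list against its ipsec.conf source. The PROPOSAL_KEYS/KEYEXCHANGE tables and CBT_CONN are my own constructions; the meaning of `version = 0` follows the swanctl.conf documentation.

```python
"""Carry ipsec.conf proposal semantics over to swanctl.conf (added example,
not strongSwan's own code).  ipsec.conf appends the built-in default
proposal(s) to ike=/esp= unless the value ends with '!'; swanctl.conf uses
only what is listed, so 'default' has to be added explicitly.
"""

# ipsec.conf keys holding proposal lists and their swanctl.conf names.
PROPOSAL_KEYS = {"ike": "proposals", "esp": "esp_proposals", "ah": "ah_proposals"}
# ipsec.conf keyexchange values and the swanctl.conf 'version' they map to
# (0 = accept both as responder, initiate with IKEv2).
KEYEXCHANGE = {"ike": "0", "ikev1": "1", "ikev2": "2"}

def to_swanctl_proposals(ipsec_value: str) -> str:
    """Return the swanctl.conf equivalent of an ipsec.conf ike=/esp= value."""
    value = ipsec_value.strip()
    strict = value.endswith("!")  # '!' means: do not append the default
    if strict:
        value = value[:-1]
    proposals = [p.strip() for p in value.split(",") if p.strip()]
    if not proposals:
        raise ValueError("empty proposal list")
    if not strict and "default" not in proposals:
        proposals.append("default")
    return ", ".join(proposals)

def parse_conn(text: str) -> dict:
    """Parse the key=value lines of one ipsec.conf conn block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def convert_conn(text: str) -> dict:
    """Return the swanctl.conf settings that carry proposals/version over."""
    settings = parse_conn(text)
    out = {}
    for key, swanctl_key in PROPOSAL_KEYS.items():
        if key in settings:
            out[swanctl_key] = to_swanctl_proposals(settings[key])
    if "keyexchange" in settings:
        out["version"] = KEYEXCHANGE[settings["keyexchange"]]
    return out

def lint_migration(ipsec_value: str, swanctl_value: str):
    """Warn when a hand-migrated swanctl.conf list dropped the implicit default."""
    expected = to_swanctl_proposals(ipsec_value).split(", ")
    actual = [p.strip() for p in swanctl_value.split(",") if p.strip()]
    if actual == expected:
        return None
    return f"mismatch: ipsec.conf negotiates {expected}, swanctl.conf {actual}"

# Constructed input: the proposal-relevant lines of the cbt conn from this thread.
CBT_CONN = """conn cbt
esp=3des-sha1
ike=3des-sha1-modp1024
"""

if __name__ == "__main__":
    print(convert_conn(CBT_CONN))
    print(lint_migration("3des-sha1-modp1024", "3des-sha1-modp1024"))
```

Run against the thread's values, the linter flags `proposals = 3des-sha1-modp1024` as narrower than the ipsec.conf `ike=3des-sha1-modp1024` it was migrated from, which is exactly the NO_PROPOSAL_CHOSEN case above.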
Marco Berizzi
2018-05-04 14:37:46 UTC
Permalink
Hi Tobias,

> So you're using IKEv1 now?  (Was IKEv2 in your original mail, and you
> should definitely prefer that if you can.)

Yes, this is another customer. I should have opened another thread.

> Different IKE proposals.  With ipsec.conf the default proposal(s) are
> added to whatever you configure in ike/esp unless that ends with a !.
> With swanctl.conf the default proposal(s) have to be added explicitly to
> the IKE/ESP proposals (e.g. in your example `proposals =
> 3des-sha1-modp1024, default`).  So that indicates your configured
> proposal is incorrect.  But that's a completely different problem than
> the one you had before with IKEv2.

Thanks for the explanation.
I have found the problematic parameter:

reauth_time

Decreasing it from 24h to 20h, I got this message:

[IKE] initiating Main Mode IKE_SA cbt[874] to 31.169.105.210
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (140 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V ]
[ENC] received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
[IKE] received DPD vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (244 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (228 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2534754901 [ N(PLD_MAL) ]
[ENC] ignoring unprotected INFORMATIONAL from 31.169.105.210
[IKE] message verification failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 2534754901 processing failed
[IKE] sending retransmit 1 of request message ID 0, seq 3
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 1470134926 [ N(PLD_MAL) ]
[ENC] ignoring unprotected INFORMATIONAL from 31.169.105.210
[IKE] message verification failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 1470134926 processing failed
Tobias Brunner
2018-05-07 08:33:13 UTC
Permalink
Hi Marco,

> I have found the problematic parameter:
>
> reauth_time
>
> decreasing from 24h to 20h I got this message:
>
> [IKE] initiating Main Mode IKE_SA cbt[874] to 31.169.105.210
> [ENC] generating ID_PROT request 0 [ SA V V V V V ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)
> [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (140 bytes)
> [ENC] parsed ID_PROT response 0 [ SA V V V ]
> [ENC] received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
> [IKE] received DPD vendor ID
> [IKE] received NAT-T (RFC 3947) vendor ID
> [ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (244 bytes)
> [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (228 bytes)
> [ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
> [ENC] generating ID_PROT request 0 [ ID HASH ]
> [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
> [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
> [ENC] parsed INFORMATIONAL_V1 request 2534754901 [ N(PLD_MAL) ]

Could indicate a wrong password, as that seems to be a response to the
first encrypted message.

Regards,
Tobias
Marco Berizzi
2018-05-07 11:29:23 UTC
Permalink
Hi Tobias,

> > [NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
> > [NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
> > [ENC] parsed INFORMATIONAL_V1 request 2534754901 [ N(PLD_MAL) ]

> Could indicate a wrong password.  As that seems to be a response to the
> first encrypted message.

Yes indeed, fixing the PSK did the trick.
Thanks for the prompt feedback.