Tugas Akhir EC5010 Keamanan Sistem Informasi “ Kompatibilitas mekanisme IKE IPSec Tunnel pada kasus FreeBSD (Racoon) dan Linux (OpenSwan) “ Oleh : Hadi Gunawan 13201174 (hg [at] students [dot] ee [dot] itb [dot] ac [dot] id) Departemen Teknik Elektro Fakultas Teknologi Industri Institut Teknologi Bandung 2005
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Tugas Akhir EC5010 Keamanan Sistem Informasi
“ Kompatibilitas mekanisme IKE IPSec Tunnel pada kasus FreeBSD (Racoon) dan Linux (OpenSwan) “
Oleh : Hadi Gunawan
13201174 (hg [at] students [dot] ee [dot] itb [dot] ac [dot] id)
Departemen Teknik Elektro Fakultas Teknologi Industri Institut Teknologi Bandung
2005
- i -
ABSTRAKSI Internet merupakan suatu wilayah pertukaran data yang bersifat publik. Namun dalam
implementasinya, ada beberapa pertukaran informasi yang bersifat privat. Dengan adanya
informasi yang bersifat privat ini, dikembangkanlah suatu teknik untuk menghantarkan informasi
tersebut melalui jaringan publik secara lebih secure.
Hingga saat ini telah banyak sistem yang telah dikembangkan diantaranya IPSec Tunnel.
Sistem IPSec Tunnel merupakan sistem untuk menghantarkan informasi antara dua network atau
lebih dengan menggunakan jalur khusus (tunnel) dan proses enkripsi-autentifikasi (IKE) pada
layer network. Enkripsi tersebut meliputi ESP (Encapsulated Security Payload) sedangkan
autentifikasi meliputi AH (Autentication Header) disertai algoritma enkripsi yang telah ada saat ini
(misal DES, 3DES, HMAC dan lain-lain). Sehingga diharapkan pertukaran informasi tersebut
menjadi lebih secure.
Tugas kali ini, akan mencoba untuk mengimplementasikan sistem IPSec Tunnel pada dua
operating system dan dua software yang berbeda yaitu Racoon pada FreeBSD dan OpenSwan
pada Linux serta menunjukkan kompatibilitas dua sistem IPSec Tunnel tersebut.
- ii -
Daftar Isi Abstraksi ................................................................................................... i
Daftar Isi ................................................................................................... ii
1. Pendahuluan ................................................................................................... 1
2. IPSec Tunnel ................................................................................................... 2
2.1 Apa itu IPSec Tunnel ............................................................................... 2
2.2 Security Association ................................................................................. 5
2.3 Enkripsi pada IPSec ................................................................................. 6
2.3.1 Apa itu enkripsi ............................................................................... 6
2.3.2 Bagaimana enkripsi bekerja pada IPSec ............................................ 9
2.4 Penentuan Algoritma IKE ......................................................................... 9
3. Implementasi IPSec Tunnel .............................................................................. 13
3.1 Contoh Kasus........................................................................................... 14
3.1.1 Implementasi IPSec Tunnel dan Racoon pada FreeBSD ...................... 14
3.1.2 Implementasi IPSec Tunnel dan OpenSwan pada Linux ...................... 18
3.1.3 Kompatibilitas dan TCPDump ........................................................... 20
4. Kesimpulan ................................................................................................... 22
Referensi ................................................................................................... 23
Lampiran
Log OpenSwan .............................................................................................. 24
Log Racoon .................................................................................................. 46
- 1 -
1. Pendahuluan Seiring dengan perkembangan jaman, kebutuhan manusia terus meningkat. Tak terkecuali
kebutuhan akan arus informasi. Semenjak internet diperkenalkan, permintaan masyarakat untuk
dapat terhubung melalui jaringan internet terus meningkat. Hal ini didukung dengan
meningkatnya fasilitas untuk mengakses internet, pergerakan arus informasi melalui internet
yang lebih cepat tanpa mengenal perbedaan jarak, serta kemudahan mengakses informasi di
dunia maya.
Dalam perkembangannya, internet tidak lagi dimonopoli oleh beberapa elemen industri namun
sebagian besar industri kecil dan menengah juga diikutsertakan untuk bisa memanfaatkan
teknologi internet dalam usaha mereka. Di tengah-tengah pergolakan teknologi informasi pada
dunia usaha, internet ternyata tidak lagi bisa menyediakan arus informasi yang lebih bersifat
privat. Berbagai mesin pencari tumbuh dan layanan e-commerce juga berkembang. Belum lagi
serangan virus dan spam, serta kejahatan informasi yang lain terus mengintai.
Alhasil, kemudahan manusia terhambat dalam masalah privatisasi. Dengan permasalahan
tersebut mulailah dikembangkan teknologi keamanan baik itu meliputi antivirus, antispam,
private dan public key, Certificate Association (CA), enkripsi bahkan kunci yang bersifat toggle
yang diimplementasikan pada e-banking serta VPN.
Salah satu yang sedang berkembang ialah teknologi VPN dimana karyawan perusahaan dapat
mengakses jaringan perusahaan tanpa harus berada di wilayah perusahaan tersebut. Didalam
VPN itu sendiri terdapat suatu system IPSec Tunnel yang berusaha menghubungkan antara dua
network yang bersifat privat melalui suatu jaringan public. Sehingga diharapkan arus informasi
bersifat secure dan dapat dipercaya.
Perkembangan teknologi IPSec Tunnel terus berkembang terlihat dengan banyaknya software
baik yang bersifat opensource maupun komersial. Di dalam tulisan ini, kami berusaha untuk
menjelaskan apa itu IPSec Tunnel, bagaimana mengimplementasikannya serta
mengimplementasikan dua software yang berbeda vendor untuk menciptakan jaringan yang lebih
aman.
- 2 -
2. IPSec Tunnel
2.1 Apa itu IPSec Tunnel ? IPSec merupakan jenis protocol yang mengintegrasikan fitur security meliputi proses
autentifikasi, integritas dan kepastian ke dalam IP (Internet Protocol). Dimana proses
tersebut dilakukan pada network layer atau layer ketiga dalam model OSI.
IPSec Tunnel memperbolehkan peer untuk mengirimkan informasi secara aman melalui
jaringan IP public atau jaringan yang tidak dipercayai.
Dengan menggunakan IPSec Tunnel, kita dapat melakukan enkripsi dan atau membuat
media komunikasi (tunnel) terautentifikasi tergantung kondisi protocol yang diinginkan oleh
dua peer tersebut. Protocol tersebut antara lain :
• AH (Authentication Header), autentifikasi sumber data dan proteksi terhadap
pencurian data. Protocol AH dibuat dengan melakukan enkapsulasi paket IP asli
kedalam paket baru yang mengandung IP header yang baru yaitu AH header
disertai dengan header asli.
Isi data yang dikirimkan melalui protocol AH bersifat clear text sehingga tunnel
yang berdasar protocol AH ini tidak menyediakan kepastian data. (RFC 2402)
Format Paket data AH :
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Next Header Payload Length Reserved Security Parameter Index (SPI)
Sequence Number Field Authentication Data (variable)
Proses implementasi AH pada paket o Transport Mode
Original IP Header TCP DataSebelum
Original IP Header AH TCP Data Sesudah
o Tunnel Mode Original IP Header TCP Data
Sebelum New IP Header AH Original IP Header TCP Data
• ESP (Encapsulated Security Payload) dapat menyediakan kepastian data,
autentifikasi sumber data dan proteksi terhadap gangguan pada data. Protocol ESP
dibuat dengan melakukan enkripsi pada paket IP dan membuat paket IP lain yang
mengandung header IP asli dan header ESP. Data yang terenkripsi (yang
- 3 -
mengandung header IP asli) dan trailer ESP, separuhnya terenkripsi dan sebagian
tidak. (RFC 2406)
Format Paket Data ESP : 0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Security Parameters Index (SPI) Sequence Number
Payload Data (variable) Padding (0-255 byte)
Pad Length Next Header Authentication Data (variable)
Salah satu contoh penggunaannya ialah VPN. Dimana VPN memperbolehkan komunikasi
data yang aman melalui jaringan public atau jaringan yang tidak dipercayai
Spesifikasi IPSec memperbolehkan kedua protocol AH dan ESP untuk diaplikasikan pada
data yang ingin dilindungi, tetapi dengan menggunakan IPSec Tunnel yang berdasar pada
protocol ESP, hal tersebut tidak dibutuhkan. ESP menyediakan algoritma autentifikasi yang
disebut dengan “authenticator” yang dapat digunakan sebagai autentifikasi sumber data.
Authenticator ini, dapat diset null atau ESP tidak melakukan autentifikasi sumber data.
Dalam hal ini dapat dipergunakan metode autentifikasi berdasarkan protocol AH.
Protocol AH dan ESP berdasar pada beberapa kunci yang terenkripsi dan algoritma hash
untuk menyediakan integritas, autentifikasi dan kepastian. Spesifikasi IPSec tidak hanya
berdasar pada algoritma mana yang harus dipergunakan, tapi dapat pula disertakan
beberapa algoritma lain yang didukung oleh operating system dimana IPSec ini akan
diimplementasikan. Beberapa algoritma yang sering dipakai untuk kedua protocol tersebut
antara lain meliputi HMAC-MD5 dan HMAC-SHA.
Tunnel yang berdasar pada protocol ESP menggunakan algoritma DES (Data Encryption
Standard) atau 3DES (Triple Data Encryption Standard) pada blok ciphernya.
IPSec menyediakan dua metode untuk menentukan kunci yang akan digunakan pada
algoritma yaitu
• Metode Manual
IPSec Tunnel dengan metode ini dikenal sebagai IPSec Tunnel manual dimana
shared key atau kunci yang akan dipakai, protocol (AH,ESP atau keduanya) dan
algoritma yang akan digunakan ditetapkan sebelum tunnel tersebut terbentuk.
Keuntungan :
o Kecepatan Transfer yang lebih cepat dibandingkan IKE tunnel.
Kunci yang dipergunakan telah dikonfigurasi pada saat pembetukan tunnel
secara manual dan tidak terdapat proses pembaharuan kunci secara
- 4 -
automatic sehingga sekali tunnel terbentuk tidak ada lagi proses
renegosiasi antar peer dalam hal kunci maupun algoritma yang dipakai.
o Resource yang dibutuhkan lebih sedikit daripada IKE tunnel
Kekurangan :
o Manajemen Kunci
Pada jaringan yang besar dapat dipastikan terdapat banyak unit jaringan
yang lebih kecil sehingga dibutuhkan lebih banyak tunnel untuk
menghubungkan unit-unit tersebut. Dengan system manual, maka
diperlukan waktu tambahan untuk dapat mengatur kunci antar peer yang
juga diset secara manual. Oleh karena itu, manual tunnel
direkomendasikan untuk jaringan yang kecil, dimana kita hanya
membutuhkan tunnel yang sedikit sehingga proses manajemen lebih cepat
o Keamanan yang lebih rendah dibandingkan IKE tunnel
Hal ini disebabkan penggunaan kunci yang bersifat static dan dikonfigurasi
secara manual hanya pada saat pembentukan tunnel antar peer. Selain itu,
pada metode ini terdapat renegosiasi secara automatic. Sehingga jika
pihak ketiga telah mendapatkan kunci, data yang kita transmit dapat
didengar.
• IKE (Internet Key Exchange).
IKE tunnel melakukan negosiasi kunci yang akan dipergunakan diantara peer serta
melakukan negosiasi dalam penentuan algoritma protocol (AH dan atau ESP) yang
akan dipakai. Selain itu, IKE tunnel menggunakan algoritma Diffie-Hellman untuk
menciptakan kunci yang simetris antar peer dalam membentuk tunnel. Kunci ini
hanya akan berlaku sepanjang nilai time to live, setelah itu kunci baru akan
dinegosiasikan kembali.
Tunnel yang terbentuk disebut IKE Tunnel atau Tunnel Negosiasi.
Keuntungan :
o Manajemen Kunci yang dilakukan secara otomatis
Kunci dan protocol yang dipergunakan selalu dinegosiasikan terlebih
dahulu diantara peer yang akan saling berhubungan. Selain itu, kunci
tersebut juga akan memiliki batas waktu pemakaian sesuai dengan time to
live yang diberikan. Dan selanjutnya akan dinegosiasikan kunci dan
protocol baru pada proses selanjutnya.
- 5 -
Selain itu, IKE tidak terbatas pada protocol tunggal (AH atau ESP), tetapi
dapat melakukan prioritas dengan proposal pada saat negosiasi.
o Keamanan yang lebih tinggi dibandingkan IPSec Tunnel manual
Hal ini disebabkan adanya proses negosiasi dan renegosiasi pada
penentuan kunci dan time to live untuk kunci tersebut. Sehingga setiap
saat kunci yang dipergunakan akan berbeda-beda.
Kekurangan :
o Kecepatan yang lebih lambat dan adanya Resource tambahan
IKE Tunnel memerlukan waktu tambahan dan proses tambahan untuk
negosiasi kunci yang akan dipergunakan. Oleh karena itu jika kita
melakukan konfigurasi time-to-live kunci terlalu kecil maka negosiasi kunci
akan lebih sering dilakukan dan memperlambat proses. Selain itu,
diperlukan pula konfigurasi dan sumber daya jaringan tambahan. Hal ini
berkaitan, bila kita menggunakan certificates untuk proses autentifikasi
negosiasi IKE. Sehingga dibutuhkan suatu system autentifikasi certificate
dan atau membeli servis certificate pada pihak ketiga.
2.2 Security Association Kombinasi tentang bagaimana melindungi data (ESP dan atau AH termasuk algoritma dan
kunci), apa data yang dilindungi dan pada saat apa data dilindungi disebut dengan Security
Association (SA).
SA merupakan identifikasi unik dengan berbasiskan Security Parameter Index (SPI), alamat
tujuan IP dan protocol keamanan (AH dan atau ESP) yang diimplementasikan dalam trafik
jaringan IPSec. Dua tipe SA yang didefinisikan yaitu
• Transport Mode
Pada mode ini, SA diimplementasikan pada trafik antara dua host. Pada kasus ESP,
transport mode SA memberikan pelayanan keamanan hanya pada layer tersebut
tidak untuk IP Header atau header lain yang tidak mendahului header ESP. Pada
kasus AH, perlindungan juga diberikan pada IP Header atau header tambahan
lainnya.
• Tunnel mode
Merupakan SA yang diimplementasikan pada dua gateway IPSec Tunnel. Pada
mode ini, terdapat IP Header tambahan di luar yang menspesifikasikan tujuan
pemrosesan IPSec ditambah IP Header tambahan di dalam yang menunjukkan
alamat tujuan paket yang sebenarnya. Header protocol keamanan akan tampak
- 6 -
pada bagian setelah IP Header tambahan di luar dan sebelum IP Header tambahan
di dalam. Pada kasus AH, bagian IP Header tambahan di luar diberikan
perlindungan seperti paket IP yang di tunnel. Pada kasus ESP, proteksi hanya
diberikan pada paket yang di tunnel saja.
Dalam implementasinya Security Association ini dikelompokkan dalam suatu database.
Database tersebut antara lain:
• Security Policy Database (SPD)
Semua elemen yang penting pada proses SA dimasukkan kedalam Security Policy
Database (SPD), yang akan menspesifikasikan pelayanan apakah yang diberikan
pada IP Datagram yang lewat pada trafik tersebut.
SPD harus memperhitungkan semua proses pada trafik meliputi Inbound dan
Outbound dan trafik non IPSec. Pada pelaksanaannya, IPSec akan mengecek SA
pada SPD tersebut dan memberikan aksi discard (untuk paket pada host yang
berada diluar network tersebut), bypass IPSec atau apply IPSec. Manajemen SPD
harus meliputi beberapa selector yaitu alamat IP sumber, nama sub bagian
database, dan port serta protocol tujuan dan sumber paket (TCP,UDP).
• Security Association Database (SAD)
Pada dasarnya isi dari SAD mirip dengan isi SPD yaitu policy trafik Inbound dan
Outbound. Perbedaannya pada SPD setiap proses outbound tidak langsung
menunjuk pada satu SA atau dikenal dengan SA Bundle. Pada proses inbound SAD
memiliki index tujuan alamat IP, protocol IPSec dan SPI.
Untuk proses Inbound pada SA akan melihat beberapa hal pada SAD yaitu header
terluar alamat IP tujuan, protocol IPSec, SPI, Sequence Number Counter,
Sequence Counter Overflow, Anti-replay Window, AH algorithm,ESP algorithm dan
lifetime.
2.3 Enkripsi Pada IPSec
2.3.1 Apa itu enkripsi ? Tujuan penggunaan enkripsi ialah mengijinkan jaringan peer untuk saling berkomunikasi
melalui jaringan yang tidak aman dan tidak terlindungi.
Pada enkripsi terdapat dua komponen utama yaitu Cipher dan Secret key. Cipher
merupakan algoritma matematika yang mengkonversi string atau sumber data yang
diketahui atau plaintext menjadi random data yang disebut dengan Ciphertext. Hal ini yang
disebut dengan enkripsi.
- 7 -
Dengan menggunakan cipher, kita juga dapat melakukan dekripsi data atau mengubah
ciphertext menjadi plaintext. Cipher secara unik tergantung pada nilai variable kriptografi
yang disebut dengan kunci. Jika kita tidak memiliki kunci maka kita tidak dapat melakukan
enkripsi atau dekripsi data. Kunci rahasia ini disebut dengan “kunci simetris”. Ketika kita
menggunakan cipher yang sama untuk melakukan enkripsi dan dekripsi data, pengirim dan
penerima harus berbagi informasi yang rahasia. Tipe cipher ini dikenal dengan “secret key
cipher”.
Mode enkripsi
• ECB (Electronic Code Book) mode, merupakan mode dasar dan kurang aman.
Dimana setiap blok plaintext yang diberikan dan kunci selalu dienkripsi dengan
menggunakan blok yang sama dengan Ciphertext.
• CBC (Cipher Block Chaining) mode, merupakan mode yang mirip dengan ECB
namun enkripsi pada blok dengan menggunakan plaintext, kunci dan input ketiga
dihasilkan dari ciphertext blok sebelumnya. Secara spesifik, proses blok ciphertext
dengan melakukan XOR pada blok plaintext saat ini sebelum enkripsi normal
dengan kunci. Blok ciphertext tersebut dirangkaikan dengan sebelumnya untuk
menyembunyikan pattern yang diulang pada plaintext.
Mode yang paling mudah adalah ECB, atau dikenal pula dengan block mode. Block mode
melakukan kombinasi blok plaintext (64 bits atau 8 karakter) dan sebuah kunci untuk
menghasilkan blok ciphertext. Setiap blok plaintext dienkripsi secara independent dari
pemrosesan blok. Pada komunikasi yang umum, mode ini tidak cocok karena transformasi
blok plaintext berulang akan menimbulkan ciphertext yang berulang dan sangat mudah
untuk dianalisis dengan beberapa substitution (dikenal juga dengan “plaintext attack”).
Meskipun demikian block mode merupakan bentuk enkripsi yang tercepat yang disupport
oleh implementasi DES. Berikut ini adalah prosesnya :
- 8 -
Untuk mengatasi kelemahan pada plaintext yang berulang, beberapa implementasi DES
juga mendukung satu atau lebih chaining mode. Pada chaining mode, setiap blok selalu
dienkripsi, meskipun demikian ciphertext akan dihitung dengan menggunakan input ketiga,
sebuah feedback yang berdasar pada blok informasi sebelumnya. Sama dengan block
mode, dua input yang tersisa adalah plaintext block dan kunci. Dengan menggunakan
chaining mode, dapat dipastikan bahwa ciphertext akan tampak sebagai data yang acak,
meskipun sumber plaintextnya berulang. Berikut ini adalah prosesnya :
Cipher
Cipher
Cipher
Cipher
Plaintext Block 1
Key
Plaintext Block 2
Key
Initialization Vector
EncryptDecrypt
Ciphertext Block 1
Sent across network
Initialization Vector
Plaintext Block 1
Key
Key
Plaintext Block 2
Ciphertext Block 2
Sent across network
Pada penempatan nilai feedback untuk blok pertama, sebuah vector inisialisasi digunakan
untuk memulai proses enkripsi. Vector inilah yang menyebabkan perubahan bit pada satu
blok dari plaintext, dimana mempropagasikan pada bagian ciphertext.
Karena chaining mode, memiliki starting point yang berbeda dimana vector inisialisasi
dimasukkan pada proses penghitungan, pengirim dan penerima harus melakukan
sinkronisasi antara pesan. Untuk melakukan ini, pengirim dan penerima harus setuju akan
vector inisialisasi dan kunci serta metode untuk memberikan sinyal pada pesan pertama.
Kesalahan yang terjadi selama proses transmisi (termasuk perubahan, penghilangan, atau
adanya extra bit pada ciphertext) dapat dikenali dengan masalah sinkronisasi. Chaining
mode didesain untuk memberikan alamat pada masalah sinkronisasi ini. Jika masalah
tersebut tidak dialamatkan, maka plaintext yang diterima akan tidak lagi dimengerti.
- 9 -
2.3.2 Bagaimana enkripsi bekerja pada IPSec ? IPSec menggunakan tipe enkripsi yang dikenal sebagai enkripsi paket. Hal ini disebabkan
proses enkripsi terjadi pada network layer atau layer 3 pada model OSI. Selain itu, karena
proses enkripsi ini dilakukan diatas data link layer (layer 2), komunikasi paket yang
dilakukan bergantung pada control protocol yang dipergunakan pada sesi tersebut (TCP
atau UDP). Enkripsi paket dikenal juga dengan end-to-end encryption karena proses
enkripsi berlangsung pada sumber dan tujuan.
Tidak seperti enkripsi yang dilakukan pada data link layer, enkripsi paket mencegah
masalah sinkronisasi karena proses rangkaiannya dimulai pada setiap paket. Jika terdapat
paket yang hilang atau tidak dianggap oleh sisi penerima, penerima akan tetap dapat
melakukan proses decipher pada bagian paket yang tidak terkena kesalahan karena setiap
paket bersifat independent terhadap paket sebelumnya dari sisi mekanisme enkripsi.
Gangguan transmisi pada satu paket tidak akan mengganggu pada bagian paket yang lain.
Pada enkripsi paket, data paket tidak dienkripsi, khususnya pada header paket. Bagian dari
header harus dibiarkan tidak dienkripsi karena header mengandung informasi yang
dibutuhkan oleh penerima pada proses decipher data.
2.4 Penentuan Algoritma IKE Proses untuk menentukan algoritma yang digunakan pada IKE meliputi beberapa hal yaitu
• Integritas
Integritas data didukung dengan penentuan hash algorithm yang akan dipakai pada
proses negosiasi. Meliputi :
o SHA
SHA memproduksi 160 bit digest, dimana hasil hash function tersebut akan
lebih tahan terhadap proses brute force daripada MD5. tetapi proses ini
membutuhkan resource yang lebih banyak daripada MD5.
Berikut ini salah satu iterasi fungsi kompresi SHA1 dimana A,B,C,D dan E berisi
32 bit words, F merupakan fungsi nonlinier yang bervariasi, <<< menandakan
left circular shift, Kt konstan.
- 10 -
o MD5
MD5 memproduksi 128 bit digest dimana waktu pemrosesan lebih cepat
dibandingkan performance SHA tetapi lebih lemah dibandingkan SHA
Salah satu operasi hash MD5 : MD5 terdiri dari 64 operasi ini, dikelompokkan
pada 4 ronde masing-masing 16 operasi. F merupakan fungsi nonlinear, satu
fungsi digunakan pada setiap ronde. MI menunjukkan blok data input 32 bit
dan Ki menunjukkan konstanta 32 bit yang berbeda setiap operasi.
- 11 -
• Autentifikasi
Proses autentifikasi dapat dilakukan dengan cara sebagai berikut :
o Certificate (RSA Encryption)
Konfigurasi ini akan memperbolehkan dua peer untuk melakukan autentifikasi
dengan berbagi kunci public. Konfigurasi ini dapat melakukan penyangkalan
pada negosiasi IKE. RSA Encryption dibutuhkan untuk melakukan pemeriksaan
authority saja.
o Certifitace (RSA Signature)
Konfigurasi ini dapat melakukan penyangkalan juga sehingga pihak ketiga
harus dibuktikan terlebih dahulu dengan RSA Signature ini. Tingkat keamanan
konfigurasi ini dibawah Certificate dengan RSA Encryption
o Shared secret
Konfigurasi ini akan membutuhkan pre-shared-key daripada certificate.
Konfigurasi ini lebih mudah namun dalam jaringan yang besar waktu yang
diperlukan lebih besar.
• Kepastian
o DES
DES lebih cepat dibandingkan triple DES dan membutuhkan resource yang
lebih sedikit tetapi kurang aman. Jika kita membutuhkan kepastian data
dengan memperhatikan factor resource dan kecepatan maka pilihan ini lebih
baik
o Triple DES
Triple DES bukan merupakan bagian dari IPSec standard, karena
implementasinya belum dilakukan secara menyeluruh. Kecepatan yang
dibutuhkan lebih lambat dan membutuhkan resource lebih banyak untuk
melakukan tiga kali penghitungan.
• Penurunan Kunci
yaitu pembentukan awal kunci berdasarkan Group Diffie-Hellman (dh group)
o Group 1
menggunakan modulus 768 bit (mod768)
o Group 2
menggunakan modulus 1024 bit. (mod1024)
o Group 5
menggunakan modulus 1536 bit (mod1536)
- 12 -
o Group 14
menggunakan modulus 2048 bit (mod2048)
o Group 15
menggunakan modulus 3072 bit (mod3072)
o Group 16
menggunakan modulus 4096 bit (mod4096)
o Group 17
menggunakan modulus 6144 bit (mod6144)
o Group 18
menggunakan modulus 8192 bit (mod8192)
- 13 -
3. Implementasi IPSec Tunnel Seperti telah dijelaskan bahwa IPSec Tunnel merupakan protocol pelayanan keamanan
berbasis enkripsi dan autentifikasi pada layer network (layer ke 3 pada model OSI). Oleh
karena itu pada implementasinya kita harus memastikan bahwa opsi IPSec telah berada
pada kernel dari suatu operating system. Hal ini dapat dipastikan dengan adanya
KLIPS/Kernel IPSec Support (pada Linux kernel 2.4) atau native IPSec (pada Linux kernel
2.6).
Setelah itu, kita baru melakukan manajemen kunci melalui mekanisme IKE ataupun
ISAKMP (Internet Security Association and Key Management Protocol). Dalam
mengendalikan manajemen kunci tersebut kita memerlukan suatu interface yang berbeda-
beda di tiap operating system. Beberapa diantaranya yaitu
• FreeS/WAN ( Free Secure Wide-Area Network)
http://www.freeswan.org/
Free software ini sudah lama tidak dilanjutkan perkembangannya. Dan compatible
untuk linux.
• Openswan
http://www.openswan.org/
merupakan software untuk implementasi IPSec pada Linux. Project ini merupakan
kelanjutan dari pengembangan FreeS/WAN dan sudah terinclude pada beberapa distro
linux diantaranya
Suse (http://www.novell.com/products/linuxpackages/professional/openswan.html)
• Strongswan
http://www.strongswan.org/
merupakan pengembangan dari FreeS/WAN, dan mengimplementasikan IPSec pada
Linux.
• Racoon
http://ipsec-tools.sourceforge.net/
merupakan utilitas IPSec berbasis port yang dikembangkan oleh kame
(http://www.kame.net/). Jenis software ini compatible dengan FreeBSD dan NetBSD.
Selain software-software diatas, masih banyak jenis yang lainnya, namun yang
dijelaskan di contoh diatas adalah yang diimplementasikan oleh penulis.
- 14 -
3.1 Contoh Kasus
Internet
Router 1 Router 2
167.205.65.5 167.205.108.129
Gateway 167.205.65.16
Gateway 167.205.108.139
Private network192.168.2.0/24
Private network192.168.1.0/24
3.1.1 Implementasi IPSec Tunnel dan Racoon pada FreeBSD Dalam implementasi ini, saya menggunakan : • Operating system FreeBSD 5.3 RELEASE • Racoon versi 20050510a • SPD berbasis protocol ESP dengan tunnel mode • Negosiasi IKE dengan Pre-Shared-Key
1. Langkah pertama yang kita lakukan ialah memastikan kernel yang kita gunakan telah
mendukung IPSec. Lebih baik dilengkapi dengan Firewall untuk mekanisme penutupan akses oleh network yang tidak berhubungan. Berikut ini beberapa langkahnya:
Setelah anda login sebagai root : $ cd /usr/src/sys/i386/conf/ $ cp GENERIC KSI $ vi KSI
#tambahkan options IPSEC options IPSEC_ESP options IPSEC_DEBUG options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_DEFAULT_TO_ACCEPT
$ config KSI $ cd ../compile/KSI $ make depend $ make $ make install $ vi /etc/sysctl.conf
net.ipv4.ip_forward=1 #ip forwarding $ reboot
#Pastikan server kembali berjalan dengan baik
2. Setelah itu, kita install aplikasi racoon melalui fasilitas ports collection FreeBSD
$ cd /usr/ports/security/racoon $ more Makefile
# New ports collection makefile for: racoon
- 15 -
# Date created: 4 July 2000 # Whom: sumikawa # #$FreeBSD:ports/security/racoon/Makefile,v1.362005/05/1004:16:21sumikawaExp $ # PORTNAME= racoon PORTVERSION= 20050510a CATEGORIES= security net ipv6 MASTER_SITES= ftp://ftp.kame.net/pub/kame/misc/ MAINTAINER= [email protected] COMMENT= KAME racoon IKE daemon
$ make install # jika tidak ada masalah maka racoon telah terinstall # pastikan direktori /usr/local/etc/racoon telah terbentuk
3. Konfigurasi racoon
$ cd /usr/local/etc/racoon $ vi racoon.conf
path include "/usr/local/etc/racoon" ; # direktori racoon path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; #file Pre-Shared-Key path certificate "/usr/local/etc/racoon/certs" ; #direktori file certificate log debug; # jenis log yang akan dihasilkan padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } Listen #interface yang akan didengar oleh racoon, { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } Timer # lama waktu tiap phase negosiasi { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote 167.205.65.16 # file konfigurasi untuk server dengan ip 167.205.65.16 { exchange_mode base,main; #server kita bertipe base (atau menunggu)
- 16 -
doi ipsec_doi; situation identity_only;
#lifetime time 1 min; proposal { #proses negosiasi yang akan dilakukan encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; // diffie-hellman group } } sainfo anonymous # konfigurasi negosiasi SA { #pfs_group 1; #lifetime time 1 min; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; }
Bagian yang kita ubah antara lain : - path (menunjukkan direktori file, certificate, shared key - listen (menunjukkan interface yang akan kita dengar) - timer (waktu send,resend waktu negosiasi) - remote (file konfigurasi untuk server IPSec tetangga) - sainfo (informasi Security Association)
4. Konfigurasi Pre-Shared-Key (PSK) $ cd /usr/local/etc/racoon $ vi psk.txt
# IPv4/v6 addresses 167.205.65.16 asdfghjkl # tipe penulisan = <ip tujuan> <psk>
Berisi alamat tujuan dan Pre-Shared-Key yang digunakan
5. Konfigurasi tunnel $ ifconfig gif0 create $ ifconfig gif0 192.168.1.1 192.168.2.1 255.255.255.0 $ ifconfig gif0 tunnel 167.205.108.139 167.205.65.16 $ ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280 tunnel inet 167.205.108.139 --> 167.205.65.16 inet6 fe80::260:8ff:fec1:e688%gif0 prefixlen 64 scopeid 0x4 inet 192.168.1.1 --> 255.255.255.0 netmask 0xffffff00
6. Konfigurasi Security Policy Database (SPD)
$ setkey –FP $ setkey –F $ setkey –c << EOF ? spdadd 192.168.1.0/24 192.168.2.0/24 any –P out ipsec esp/tunnel/167.205.108.139-167.205.65.16/require; ? spdadd 192.168.2.0/24 192.168.1.0/24 any –P in ipsec esp/tunnel/167.205.65.16-167.205.108.139/require; ? EOF $ setkey –DP
- 17 -
192.168.2.0/24[any] 192.168.1.0/24[any] any in ipsec esp/tunnel/167.205.65.16-167.205.108.139/require created: Jun 20 15:36:29 2005 lastused: Jun 20 15:36:29 2005 lifetime: 0(s) validtime: 0(s) spid=16389 seq=1 pid=7962 refcnt=1 192.168.1.0/24[any] 192.168.2.0/24[any] any out ipsec esp/tunnel/167.205.108.139-167.205.65.16/require created: Jun 20 15:36:29 2005 lastused: Jun 20 15:36:29 2005 lifetime: 0(s) validtime: 0(s) spid=16388 seq=0 pid=7962 refcnt=1
Penjelasan : SA yang kita pergunakan ada dua yaitu o Semua trafik keluar dari network 192.168.1.0/24 ke 192.168.2.0/24 dikenakan
ipsec dengan protocol esp (Encapsulated Security Payload) melalui tunnel antara 167.205.108.139 ke 167.205.65.16.
o Semua trafik masuk dari network 192.168.2.0/24 ke 192.168.1.0/24 dikenakan ipsec dengan protocol esp (Encapsulated Security Payload) melalui tunnel antara 167.205.65.16 ke 167.205.108.139
7. Jalankan racoon
$ /usr/local/sbin/racoon –f /usr/local/etc/racoon/racoon.conf –l /var/log/racoon.log $ tail –f /var/log/racoon.log 2005-06-19 21:32:33: INFO: main.c:172:main(): @(#)package version freebsd-20050510a 2005-06-19 23:32:33: INFO: main.c:174:main(): @(#)internal version 20001216 [email protected] 2005-06-19 21:32:33: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/) 2005-06-19 21:32:33: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:66: "support_mip6" it is obsoleted. u se "support_proxy". 2005-06-19 21:32:33: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it. 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 167.205.108.139 (xl0) 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::260:8ff:fec1:e688%xl0 (xl0) 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.1.1 (lo0) 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: ::1 (lo0) 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::1%lo0 (lo0) 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:474:autoconf_myaddrsport(): configuring default isakmp port. 2005-06-19 21:32:33: DEBUG: grabmyaddr.c:496:autoconf_myaddrsport(): 5 addrs are configured successfully 2005-06-19 21:32:33: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=5) 2005-06-19 21:32:33: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=6) 2005-06-19 21:32:33: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp
- 18 -
port (fd=7) 2005-06-19 21:32:33: INFO: isakmp.c:1368:isakmp_open(): fe80::260:8ff:fec1:e688%xl0[500] used as isakmp port (fd=8) 2005-06-19 21:32:33: INFO: isakmp.c:1368:isakmp_open(): 167.205.108.139[500] used as isakmp port (fd=9) 2005-06-19 21:32:33: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message 2005-06-19 21:32:33: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message 2005-06-19 21:32:33: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9b0: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=o ut 2005-06-19 21:32:33: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809d808: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
8. Tambahkan routing dari 192.168.1.0/24 ke 192.168.2.0/24 $ route add 192.168.2.0/24 167.205.108.139
3.1.2 Implementasi IPSec Tunnel dan OpenSwan pada Linux Dalam implementasi ini, saya menggunakan : • Operating System Linux Suse kernel 2.6.11 dengan native IPSec
Cat: Linux dengan native IPSec tidak mendukung perintah ipsec eroute untuk melihat SPD, tapi dapat dipergunakan perintah setkey -DP
• OpenSwan 2.2.0-8.1 • SPD berbasis protocol ESP dengan tunnel mode • Negosiasi IKE dengan Pre-Shared-Key 1. Instalasi OpenSwan
# kita ambil source ipsec-tools dan openswan $ ftp
ftp> open (to) ftp.suse.com Connected to ftp.suse.com. 220 "Welcome to the SUSE ftp server: Please login as user 'ftp'" Name (ftp.suse.com:admin): ftp 331 Please send your email address as a password. Password: 230 Login successful. Have a lot of fun. Remote system type is UNIX. Using binary mode to transfer files. ftp> cd /pub/suse/i386/current/suse/i586 250 CWD command successful. ftp> get openswan-2.2.0-8.1.i586.rpm local: openswan-2.2.0-8.1.i586.rpm remote: openswan-2.2.0-8.1.i586.rpm 227 Entering Passive Mode (195,135,221,132,207,114) 150 Opening BINARY mode data connection for openswan-2.2.0-8.1.i586.rpm (2465483 bytes). 100% |*************************************| 2407 KB 5.43 KB/s 00:00 ETA 226 File send OK. 2465483 bytes received in 07:22 (5.43 KB/s) ftp> get ipsec-tools-0.4rc1-3.1.i586.rpm local: ipsec-tools-0.4rc1-3.1.i586.rpm remote: ipsec-tools-0.4rc1-3.1.i586.rpm 227 Entering Passive Mode (195,135,221,132,189,204)
- 19 -
150 Opening BINARY mode data connection for ipsec-tools-0.4rc1-3.1.i586.rpm (266624 bytes). 100% |*************************************| 260 KB 6.87 KB/s 00:00 ETA 226 File send OK. 266624 bytes received in 00:38 (6.70 KB/s) ftp> exit 221 Goodbye.
$ rpm –i ipsec-tools-0.4rc1-3.1.i586.rpm $ rpm –i openswan-2.2.0-8.1.i586.rpm # pastikan semua file yang ada di list http://www.novell.com/products/linuxpackages/professional/openswan.html ada di komputer kita
2. konfigurasi ip forwarding
$ vi /etc/sysctl.conf net.ipv4.ip_forward=1
3. konfigurasi IPSec
$ vi /etc/ipsec.conf version 2.0 # conforms to second version of ipsec.conf specification # basic configuration config setup interfaces="ipsec0=eth0" #interface ipsec # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=all # proses debugging untuk KLIPS (Kernel IPSec Linux Support) #plutodebug="control parsing" plutodebug=all # debugging Pluto (daemon IPSec) conn ksi # konfigurasi connection KSI type=tunnel #tipe left=167.205.65.16 # ip VPN gateway kita leftsubnet=192.168.2.0/24 # network privat di bawah gateway kita leftnexthop=167.205.65.5 # next hop setelah VPN gateway kita right=167.205.108.139 # ip VPN gateway tetangga rightsubnet=192.168.1.0/24 # network privat dibawah VPN gateway tetangga rightnexthop=167.205.108.129 # next hop sebelum VPN gateway tetangga authby=secret # tipe pre-shared-key auth=esp pfs=no #Disable Opportunistic Encryption include /etc/ipsec.d/examples/no_oe.conf 4. Konfigurasi Pre-Shared-Key
$ vi /etc/ipsec.secrets 167.205.65.16 167.205.108.139: PSK "asdfghjkl" #jenis penulisan berbeda dengan psk pada raccoon. Pada openswan ditulis <ip asal> <ip tujuan>: PSK “<psk>”
5. Konfigurasi ip privat
$ ifconfig lo 192.168.2.1
- 20 -
6. Jalankan ipsec $ ipsec setup –start $ ipsec auto --config /etc/ipsec.conf --add ksi $ ipsec auto --config /etc/ipsec.conf --up ksi
104 "ksi" #1: STATE_MAIN_I1: initiate 003 "ksi" #1: ignoring Vendor ID payload [KAME/racoon] 106 "ksi" #1: STATE_MAIN_I2: sent MI2, expecting MR2 003 "ksi" #1: ignoring Vendor ID payload [KAME/racoon] 108 "ksi" #1: STATE_MAIN_I3: sent MI3, expecting MR3 010 "ksi" #1: STATE_MAIN_I3: retransmission; will wait 20s for response 004 "ksi" #1: STATE_MAIN_I4: ISAKMP SA established 112 "ksi" #2: STATE_QUICK_I1: initiate 004 "ksi" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x07a94e55 <0x1c70daa6}
7. Tambahkan routing dari 192.168.2.0/24 ke 192.168.1.0/24
$ route add –net 192.168.1.0/24 gw 167.205.65.16
Log pada saat negosiasi ditampilkan di bagian lampiran.
3.1.3 Kompatibilitas dan TCPDump Setelah terjadi tunnel antara dua gateway kita lakukan test kompatibilitas.
Untuk melakukan test tersebut terdapat beberapa cara. Diantaranya CheckPoint dan ping.
Cara yang paling mudah yaitu dengan mengirimkan paket ICMP melalui perintah ping antar
network private. Berikut ini log hasil ping antar network private tersebut.
# dari network 192.168.1.0/24 $ ping 192.168.2.1 PING 192.168.2.1 (192.168.2.1): 56 data bytes 64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.944 ms 64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.921 ms 64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=1.285 ms 64 bytes from 192.168.2.1: icmp_seq=4 ttl=64 time=0.885 ms 64 bytes from 192.168.2.1: icmp_seq=5 ttl=64 time=0.898 ms 64 bytes from 192.168.2.1: icmp_seq=6 ttl=64 time=0.897 ms 64 bytes from 192.168.2.1: icmp_seq=7 ttl=64 time=1.029 ms 64 bytes from 192.168.2.1: icmp_seq=8 ttl=64 time=0.867 ms 64 bytes from 192.168.2.1: icmp_seq=9 ttl=64 time=1.187 ms 64 bytes from 192.168.2.1: icmp_seq=10 ttl=64 time=0.917 ms 64 bytes from 192.168.2.1: icmp_seq=11 ttl=64 time=0.976 ms 64 bytes from 192.168.2.1: icmp_seq=12 ttl=64 time=1.086 ms 64 bytes from 192.168.2.1: icmp_seq=13 ttl=64 time=0.888 ms
Hasil tcpdump pada saat bersamaan
$ tcpdump -ni xl0 src host 167.205.65.16 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on xl0, link-type EN10MB (Ethernet), capture size 96 bytes 22:00:43.188724 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x4) 22:00:44.198719 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x5) 22:00:45.209104 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x6) 22:00:46.218746 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x7)
- 21 -
22:00:47.228746 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x8) 22:00:48.238774 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x9) 22:00:49.248914 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xa) 22:00:50.258772 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xb) 22:00:51.269102 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xc) 22:00:52.278853 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xd) 22:00:53.288924 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xe) 22:00:54.299048 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0xf) 22:00:55.308878 IP 167.205.65.16 > 167.205.108.139: ESP(spi=0x0eab7ea0,seq=0x10)
$ tcpdump -ni xl0 dst host 167.205.65.16 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on xl0, link-type EN10MB (Ethernet), capture size 96 bytes 22:00:42.179649 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x4) 22:00:43.187998 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x5) 22:00:44.198026 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x6) 22:00:45.208035 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x7) 22:00:46.218063 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x8) 22:00:47.228050 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x9) 22:00:48.238085 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xa) 22:00:49.248078 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xb) 22:00:50.258097 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xc) 22:00:51.268108 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xd) 22:00:52.278147 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xe) 22:00:53.288145 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0xf) 22:00:54.298158 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x10) 22:00:55.308185 IP 167.205.108.139 > 167.205.65.16: ESP(spi=0xacb06afe,seq=0x11)
Hasil tcpdump diatas menunjukkan trafik antara dua gateway. Mengapa bisa demikian?
Karena pada konfigurasi SPD diatas kita menentukan bahwa trafik dari network private
BSD ke network private Linux membutuhkan tunnel dari BSD (167.205.108.129) ke Linux
(167.205.65.16). Sehingga bila kita lihat paket pada router di antara network tersebut
terlihat paket berasal dari dua gateway saja namun dengan protocol ESP beserta variable
spi dan seq.
- 22 -
4. Kesimpulan Dengan berkembangnya teknologi informasi serta kemudahan akses informasi pada dunia
maya, membuat manusia semakin bergantung pada teknologi tersebut. Dimulai dari
persahabatan, pendidikan hingga menuju dunia bisnis. Beberapa aplikasi tentu
membutuhkan privatisasi. Sedangkan Internet yang kita kenal saat ini sudah menjadi jalur
umum, dimana terdapat pihak yang baik maupun pihak yang jahat. Dengan adanya
kebutuhan privatisasi informasi pada dunia maya, banyak dikembangkan aplikasi yang
membantu. Salah satunya ialah IPSec Tunnel.
Berbagai software untuk mengimplementasikannya tersedia. Mulai dari opensource hingga
komersial. Meskipun berbeda vendor namun pada utamanya semua software IPSec Tunnel
tersebut memiliki prinsip yang sama yaitu proses autentifikasi dan enkripsi pada data
dengan menggunakan protocol AH maupun ESP. Hal tersebut disertai pula dengan
algoritma pembentukan IPSec yang meliputi hash function hingga proses enkripsi.
Perbedaan yang terlihat hanyalah sisi konifgurasi dan interface yang ada. Pada keluarga
Linux lebih banyak digunakan OpenSwan dan StrongSwan, meskipun saat ini racoon mulai
diimplementasikan pada Linux. Sedangkan keluarga BSD menggunakan aplikasi racoon.
Seperti yang telah kita lihat pada kasus diatas bahwa implementasi IPSec Tunnel antara
Racoon dan OpenSwan dapat berjalan lancer, meskipun dengan interface konsfigurasi yang
berbeda.
Oleh karena itu, dapat kita lihat bahwa suatu system IPSec Tunnel yang sekarang banyak
dikembangkan memiliki kesamaan dalam proses transmisinya sehingga memiliki
kompatibilitas yang baik dengan disertai konfigurasi yang benar.
Selain itu, hasil yang kita dapatkan arus informasi yang bersifat privat dapat berjalan
dengan aman di dalam dunia maya yang berisifat untrusted.
- 23 -
Referensi - IPSec Tunnel Implementation, v.2.0 (Cisco Secure Policy Manager)
http://www.cisco.com/en/US/products/sw/secursw/ps2133/products_user_guide_book09186a008010703e.html
- http://www.cisco.com - http://en.wikipedia.org/wiki/Main_Page - http://en.wikipedia.org/wiki/IPsec - http://en.wikipedia.org/wiki/Tunneling - http://en.wikipedia.org/wiki/SHA - http://en.wikipedia.org/wiki/MD5 - http://en.wikipedia.org/wiki/DES - http://www.freebsddiary.org/ipsec-tunnel.php - http://www.suse.de - http://www.kame.net - http://www.openswan.org - http://www.vpnlabs.org/ - http://www.freebsd.org - http://howtos.linux.com/guides/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/fSWAn.shtml - Mailing list : [email protected], [email protected] - http://lartc.org/howto/lartc.ipsec.tunnel.html
- 24 -
Lampiran Berikut ini log yang dicapai pada saat proses negosiasi antara racoon dan openswan
Log OpenSwan Jun 19 21:57:49 kamboja pluto[6520]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR) Jun 19 21:57:49 kamboja pluto[6520]: including NAT-Traversal patch (Version 0.6c) [disabled] Jun 19 21:57:49 kamboja pluto[6520]: | opening /dev/urandom Jun 19 21:57:49 kamboja pluto[6520]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds Jun 19 21:57:49 kamboja pluto[6520]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Jun 19 21:57:49 kamboja pluto[6520]: | process 6520 listening for PF_KEY_V2 on file descriptor 6 Jun 19 21:57:49 kamboja pluto[6520]: Using Linux 2.6 IPsec interface code Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p(nil). Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p0x80e13b8. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: pfkey_msg=0p0x80e13d0 allocated 16 bytes, &(extensions[0])=0p0xbfffef80 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: parsing message ver=2, type=7(register), errno=0, satype=2(AH), len=2, res=0, seq=1, pid=6520. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: remain=0, ext_type=0(reserved), ext_len=0. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH Jun 19 21:57:49 kamboja pluto[6520]: | 02 07 00 02 02 00 00 00 01 00 00 00 78 19 00 00 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_get: SADB_REGISTER message 1 Jun 19 21:57:49 kamboja pluto[6520]: | AH registered with kernel. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p(nil). Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p0x80e13b8. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: pfkey_msg=0p0x80e13d0 allocated 16 bytes, &(extensions[0])=0p0xbfffef80 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: parsing message ver=2, type=7(register), errno=0, satype=3(ESP), len=2, res=0, seq=2, pid=6520. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: remain=0, ext_type=0(reserved), ext_len=0.
- 25 -
Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP Jun 19 21:57:49 kamboja pluto[6520]: | 02 07 00 03 02 00 00 00 02 00 00 00 78 19 00 00 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_get: SADB_REGISTER message 2 Jun 19 21:57:49 kamboja pluto[6520]: | alg_init():memset(0x80dda60, 0, 2016) memset(0x80de240, 0, 2048) Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=15 sadb_supported_len=40 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=14, alg_id=251 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=14, alg_id=2 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=14, alg_id=3 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=14, alg_id=5 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=15 sadb_supported_len=64 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=11 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=2 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=3 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=7 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=12 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=252 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_add():satype=3, exttype=15, alg_id=253 Jun 19 21:57:49 kamboja pluto[6520]: | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 Jun 19 21:57:49 kamboja pluto[6520]: | ESP registered with kernel. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p(nil).
- 26 -
Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffdf40 pfkey_ext=0p0xbfffef80 *pfkey_ext=0p0x80e13b8. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: pfkey_msg=0p0x80e13d0 allocated 16 bytes, &(extensions[0])=0p0xbfffef80 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_build: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: parsing message ver=2, type=7(register), errno=0, satype=9(IPIP), len=2, res=0, seq=3, pid=6520. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: remain=0, ext_type=0(reserved), ext_len=0. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, seen=00000001, required=00000001. Jun 19 21:57:49 kamboja pluto[6520]: | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP Jun 19 21:57:49 kamboja pluto[6520]: | 02 07 00 09 02 00 00 00 03 00 00 00 78 19 00 00 Jun 19 21:57:49 kamboja pluto[6520]: | pfkey_get: SADB_REGISTER message 3 Jun 19 21:57:49 kamboja pluto[6520]: | IPCOMP registered with kernel. Jun 19 21:57:49 kamboja pluto[6520]: Changing to directory '/etc/ipsec.d/cacerts' Jun 19 21:57:49 kamboja pluto[6520]: Could not change to directory '/etc/ipsec.d/aacerts' Jun 19 21:57:49 kamboja pluto[6520]: Could not change to directory '/etc/ipsec.d/ocspcerts' Jun 19 21:57:49 kamboja pluto[6520]: Changing to directory '/etc/ipsec.d/crls' Jun 19 21:57:49 kamboja pluto[6520]: Warning: empty directory Jun 19 21:57:49 kamboja pluto[6520]: | inserting event 11??, timeout in 7331 seconds Jun 19 21:57:49 kamboja pluto[6520]: | next event EVENT_REINIT_SECRET in 3600 seconds Jun 19 21:57:49 kamboja pluto[6520]: | Jun 19 21:57:49 kamboja pluto[6520]: | *received whack message Jun 19 21:57:49 kamboja pluto[6520]: listening for IKE messages Jun 19 21:57:49 kamboja pluto[6520]: | found lo with address 192.168.2.1 Jun 19 21:57:49 kamboja pluto[6520]: | found eth0 with address 167.205.65.16 Jun 19 21:57:49 kamboja pluto[6520]: adding interface eth0/eth0 167.205.65.16 Jun 19 21:57:49 kamboja pluto[6520]: adding interface lo/lo 192.168.2.1 Jun 19 21:57:49 kamboja pluto[6520]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001 Jun 19 21:57:49 kamboja pluto[6520]: adding interface lo/lo ::1 Jun 19 21:57:49 kamboja pluto[6520]: loading secrets from "/etc/ipsec.secrets" Jun 19 21:57:49 kamboja pluto[6520]: | next event EVENT_REINIT_SECRET in 3600 seconds Jun 19 21:58:00 kamboja pluto[6520]: | Jun 19 21:58:00 kamboja pluto[6520]: | *received whack message Jun 19 21:58:00 kamboja pluto[6520]: | Added new connection ksi with policy PSK+ENCRYPT+TUNNEL Jun 19 21:58:00 kamboja pluto[6520]: | from whack: got --esp=3des-md5,3des-sha1 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_parse_str() ealg_buf=3des aalg_buf=md5eklen=0 aklen=0 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bfe0c, "ESP_3DES") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() ealg_getbyname("3des")=3 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bfbc0, "AUTH_ALGORITHM_HMAC_MD5") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() aalg_getbyname("md5")=1 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_esp_add() ealg=3 aalg=1 cnt=1
- 27 -
Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bfe0c, "ESP_3DES") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() ealg_getbyname("3des")=3 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bfbc0, "AUTH_ALGORITHM_HMAC_SHA1") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() aalg_getbyname("sha1")=2 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_esp_add() ealg=3 aalg=2 cnt=2 Jun 19 21:58:00 kamboja pluto[6520]: | esp string values: 3_000-1, 3_000-2, flags=-strict Jun 19 21:58:00 kamboja pluto[6520]: | from whack: got --ike=3des-md5,3des-sha Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_parse_str() ealg_buf=3des aalg_buf=md5eklen=0 aklen=0 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bf9f0, "OAKLEY_3DES") Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_ppfixi () calling enum_search(0x80bf9f0, "OAKLEY_3DES_CBC") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() ealg_getbyname("3des")=5 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bf9c8, "OAKLEY_MD5") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() aalg_getbyname("md5")=1 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_ike_add() ealg=5 aalg=1 modp_id=5, cnt=1 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_ike_add() ealg=5 aalg=1 modp_id=2, cnt=2 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_parse_str() ealg_buf=3des aalg_buf=shaeklen=0 aklen=0 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bf9f0, "OAKLEY_3DES") Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_ppfixi () calling enum_search(0x80bf9f0, "OAKLEY_3DES_CBC") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() ealg_getbyname("3des")=5 Jun 19 21:58:00 kamboja pluto[6520]: | enum_search_prefix () calling enum_search(0x80bf9c8, "OAKLEY_SHA") Jun 19 21:58:00 kamboja pluto[6520]: | parser_alg_info_add() aalg_getbyname("sha")=2 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_ike_add() ealg=5 aalg=2 modp_id=5, cnt=3 Jun 19 21:58:00 kamboja pluto[6520]: | __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=4 Jun 19 21:58:00 kamboja pluto[6520]: | ike string values: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict Jun 19 21:58:00 kamboja pluto[6520]: | counting wild cards for (none) is 15 Jun 19 21:58:00 kamboja pluto[6520]: | sendcert is 3 Jun 19 21:58:00 kamboja pluto[6520]: | counting wild cards for (none) is 15 Jun 19 21:58:00 kamboja pluto[6520]: | sendcert is 3 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_addref() alg_info->ref_cnt=1 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_addref() alg_info->ref_cnt=1 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_addref() alg_info->ref_cnt=2 Jun 19 21:58:00 kamboja pluto[6520]: | alg_info_addref() alg_info->ref_cnt=2 Jun 19 21:58:00 kamboja pluto[6520]: added connection description "ksi" Jun 19 21:58:00 kamboja pluto[6520]: | 192.168.2.0/24===167.205.65.16---167.205.65.5...167.205.108.129---167.205.108.139===192.168.1.0/24 Jun 19 21:58:00 kamboja pluto[6520]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL Jun 19 21:58:00 kamboja pluto[6520]: | next event EVENT_REINIT_SECRET in 3589 seconds Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received whack message
- 28 -
Jun 19 21:58:04 kamboja pluto[6520]: | creating state object #1 at 0x80e0c40 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 00 00 00 00 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 30 Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | Queuing pending Quick Mode with 167.205.108.139 "ksi" Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: initiating Main Mode Jun 19 21:58:04 kamboja pluto[6520]: | **emit ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 00 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_SA Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: none Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Security Association Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | DOI: ISAKMP_DOI_IPSEC Jun 19 21:58:04 kamboja pluto[6520]: | ****emit IPsec DOI SIT: Jun 19 21:58:04 kamboja pluto[6520]: | IPsec DOI SIT: SIT_IDENTITY_ONLY Jun 19 21:58:04 kamboja pluto[6520]: | out_sa pcn: 0 has 1 valid proposals Jun 19 21:58:04 kamboja pluto[6520]: | 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict Jun 19 21:58:04 kamboja pluto[6520]: | out_sa pcn: 0 pn: 0<1 valid_count: 1 Jun 19 21:58:04 kamboja pluto[6520]: | ****emit ISAKMP Proposal Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | proposal number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | protocol ID: PROTO_ISAKMP Jun 19 21:58:04 kamboja pluto[6520]: | SPI size: 0 Jun 19 21:58:04 kamboja pluto[6520]: | number of transforms: 4 Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ISAKMP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_T Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: KEY_IKE Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_LIFE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 3600 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_3DES_CBC] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_HASH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1
- 29 -
Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_MD5] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_AUTHENTICATION_METHOD Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_PRESHARED_KEY] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_GROUP_DESCRIPTION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_GROUP_MODP1536] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32 Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ISAKMP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_T Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 1 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: KEY_IKE Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_LIFE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 3600 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_3DES_CBC] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_HASH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_MD5] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_AUTHENTICATION_METHOD Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_PRESHARED_KEY] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_GROUP_DESCRIPTION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_GROUP_MODP1024] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32 Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ISAKMP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_T Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 2 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: KEY_IKE Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_LIFE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 3600 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM
- 30 -
Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_3DES_CBC] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_HASH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_SHA] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_AUTHENTICATION_METHOD Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_PRESHARED_KEY] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_GROUP_DESCRIPTION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_GROUP_MODP1536] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32 Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ISAKMP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 3 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: KEY_IKE Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_LIFE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 3600 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_3DES_CBC] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_HASH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_SHA] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_AUTHENTICATION_METHOD Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_PRESHARED_KEY] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_GROUP_DESCRIPTION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_GROUP_MODP1024] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ISAKMP): 32 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Proposal Payload: 136 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Security Association Payload: 148 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Message: 176 Jun 19 21:58:04 kamboja pluto[6520]: | sending 176 bytes for main_outI1 through eth0 to 167.205.108.139:500: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 00 00 00 00 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | 01 10 02 00 00 00 00 00 00 00 00 b0 00 00 00 94
- 31 -
Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 01 00 00 00 01 00 00 00 88 00 01 00 04 Jun 19 21:58:04 kamboja pluto[6520]: | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 Jun 19 21:58:04 kamboja pluto[6520]: | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 05 Jun 19 21:58:04 kamboja pluto[6520]: | 03 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10 Jun 19 21:58:04 kamboja pluto[6520]: | 80 01 00 05 80 02 00 01 80 03 00 01 80 04 00 02 Jun 19 21:58:04 kamboja pluto[6520]: | 03 00 00 20 02 01 00 00 80 0b 00 01 80 0c 0e 10 Jun 19 21:58:04 kamboja pluto[6520]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 20 03 01 00 00 80 0b 00 01 80 0c 0e 10 Jun 19 21:58:04 kamboja pluto[6520]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02 Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received 100 bytes from 167.205.108.139:500 on eth0 Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 01 10 02 00 00 00 00 00 00 00 00 64 0d 00 00 34 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 20 03 01 00 00 80 0b 00 01 80 0c 0e 10 Jun 19 21:58:04 kamboja pluto[6520]: | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 02 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 14 70 03 cb c1 09 7d be 9c 26 00 ba 69 Jun 19 21:58:04 kamboja pluto[6520]: | 83 bc 8b 35 Jun 19 21:58:04 kamboja pluto[6520]: | **parse ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_SA Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: none Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | length: 100 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | state object not found Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 00 00 00 00 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 30 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000 Jun 19 21:58:04 kamboja pluto[6520]: | state object #1 found, in STATE_MAIN_I1 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Security Association Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_VID Jun 19 21:58:04 kamboja pluto[6520]: | length: 52 Jun 19 21:58:04 kamboja pluto[6520]: | DOI: ISAKMP_DOI_IPSEC Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Vendor ID Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 20 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: ignoring Vendor ID payload [KAME/racoon] Jun 19 21:58:04 kamboja pluto[6520]: | ****parse IPsec DOI SIT:
- 32 -
Jun 19 21:58:04 kamboja pluto[6520]: | IPsec DOI SIT: SIT_IDENTITY_ONLY Jun 19 21:58:04 kamboja pluto[6520]: | ****parse ISAKMP Proposal Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 40 Jun 19 21:58:04 kamboja pluto[6520]: | proposal number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | protocol ID: PROTO_ISAKMP Jun 19 21:58:04 kamboja pluto[6520]: | SPI size: 0 Jun 19 21:58:04 kamboja pluto[6520]: | number of transforms: 1 Jun 19 21:58:04 kamboja pluto[6520]: | *****parse ISAKMP Transform Payload (ISAKMP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 32 Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 3 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: KEY_IKE Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_LIFE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 3600 Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_ENCRYPTION_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 5 Jun 19 21:58:04 kamboja pluto[6520]: | [5 is OAKLEY_3DES_CBC] Jun 19 21:58:04 kamboja pluto[6520]: | ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1 Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_HASH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_SHA] Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_AUTHENTICATION_METHOD Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is OAKLEY_PRESHARED_KEY] Jun 19 21:58:04 kamboja pluto[6520]: | looking for secret for 167.205.65.16->167.205.108.139 of kind PPK_PSK Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP Oakley attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: OAKLEY_GROUP_DESCRIPTION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is OAKLEY_GROUP_MODP1024] Jun 19 21:58:04 kamboja pluto[6520]: | Oakley Transform 3 accepted Jun 19 21:58:04 kamboja pluto[6520]: | sender checking NAT-t: 0 and 0 Jun 19 21:58:04 kamboja pluto[6520]: | **emit ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_KE Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: none Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | Local DH secret:
- 33 -
Jun 19 21:58:04 kamboja pluto[6520]: | 92 47 bc 92 c1 ae e0 7a 8e 1a 30 f7 ec 32 fd 57 Jun 19 21:58:04 kamboja pluto[6520]: | 24 f8 f2 b6 f8 9c 4a 39 66 63 35 c4 76 9a 71 49 Jun 19 21:58:04 kamboja pluto[6520]: | Public DH value sent: Jun 19 21:58:04 kamboja pluto[6520]: | a3 df 9d 51 15 8a 43 d2 c2 58 b3 45 85 51 f9 ec Jun 19 21:58:04 kamboja pluto[6520]: | 89 8a f4 63 05 be 39 4d 25 2d e9 fb 13 16 f2 f5 Jun 19 21:58:04 kamboja pluto[6520]: | 3c 36 97 6d 41 15 e1 f5 a7 e7 11 40 14 3c fb 48 Jun 19 21:58:04 kamboja pluto[6520]: | 72 ac b5 b6 e4 3b a3 9d 07 25 e7 f5 66 b6 90 d4 Jun 19 21:58:04 kamboja pluto[6520]: | ae eb 44 c1 96 d9 1a a7 19 ad fc 71 70 2b be 5b Jun 19 21:58:04 kamboja pluto[6520]: | 07 ff 61 3d 74 ec 9c 1c c0 50 ff fe 2a cc 60 31 Jun 19 21:58:04 kamboja pluto[6520]: | 7c e8 50 42 b6 3c de 2d 1a 73 26 79 c8 a5 9d f5 Jun 19 21:58:04 kamboja pluto[6520]: | 37 cf 56 ee 4c 5a 9a 75 5b 4c d1 b3 26 75 b5 e2 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Key Exchange Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONCE Jun 19 21:58:04 kamboja pluto[6520]: | emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload Jun 19 21:58:04 kamboja pluto[6520]: | keyex value a3 df 9d 51 15 8a 43 d2 c2 58 b3 45 85 51 f9 ec Jun 19 21:58:04 kamboja pluto[6520]: | 89 8a f4 63 05 be 39 4d 25 2d e9 fb 13 16 f2 f5 Jun 19 21:58:04 kamboja pluto[6520]: | 3c 36 97 6d 41 15 e1 f5 a7 e7 11 40 14 3c fb 48 Jun 19 21:58:04 kamboja pluto[6520]: | 72 ac b5 b6 e4 3b a3 9d 07 25 e7 f5 66 b6 90 d4 Jun 19 21:58:04 kamboja pluto[6520]: | ae eb 44 c1 96 d9 1a a7 19 ad fc 71 70 2b be 5b Jun 19 21:58:04 kamboja pluto[6520]: | 07 ff 61 3d 74 ec 9c 1c c0 50 ff fe 2a cc 60 31 Jun 19 21:58:04 kamboja pluto[6520]: | 7c e8 50 42 b6 3c de 2d 1a 73 26 79 c8 a5 9d f5 Jun 19 21:58:04 kamboja pluto[6520]: | 37 cf 56 ee 4c 5a 9a 75 5b 4c d1 b3 26 75 b5 e2 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Key Exchange Payload: 132 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Nonce Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | emitting 16 raw bytes of Ni into ISAKMP Nonce Payload Jun 19 21:58:04 kamboja pluto[6520]: | Ni 54 34 53 61 81 67 8e d7 e0 45 7b bb 84 93 96 e2 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Nonce Payload: 20 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Message: 180 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 00 00 00 00 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 30 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jun 19 21:58:04 kamboja pluto[6520]: | sending 180 bytes for STATE_MAIN_I1 through eth0 to 167.205.108.139:500: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 04 10 02 00 00 00 00 00 00 00 00 b4 0a 00 00 84 Jun 19 21:58:04 kamboja pluto[6520]: | a3 df 9d 51 15 8a 43 d2 c2 58 b3 45 85 51 f9 ec Jun 19 21:58:04 kamboja pluto[6520]: | 89 8a f4 63 05 be 39 4d 25 2d e9 fb 13 16 f2 f5 Jun 19 21:58:04 kamboja pluto[6520]: | 3c 36 97 6d 41 15 e1 f5 a7 e7 11 40 14 3c fb 48 Jun 19 21:58:04 kamboja pluto[6520]: | 72 ac b5 b6 e4 3b a3 9d 07 25 e7 f5 66 b6 90 d4 Jun 19 21:58:04 kamboja pluto[6520]: | ae eb 44 c1 96 d9 1a a7 19 ad fc 71 70 2b be 5b Jun 19 21:58:04 kamboja pluto[6520]: | 07 ff 61 3d 74 ec 9c 1c c0 50 ff fe 2a cc 60 31 Jun 19 21:58:04 kamboja pluto[6520]: | 7c e8 50 42 b6 3c de 2d 1a 73 26 79 c8 a5 9d f5 Jun 19 21:58:04 kamboja pluto[6520]: | 37 cf 56 ee 4c 5a 9a 75 5b 4c d1 b3 26 75 b5 e2
- 34 -
Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 14 54 34 53 61 81 67 8e d7 e0 45 7b bb Jun 19 21:58:04 kamboja pluto[6520]: | 84 93 96 e2 Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received 200 bytes from 167.205.108.139:500 on eth0 Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 04 10 02 00 00 00 00 00 00 00 00 c8 0a 00 00 84 Jun 19 21:58:04 kamboja pluto[6520]: | 06 53 b7 99 1e 7a ea ea 75 09 4d 3d 0f 43 b6 1b Jun 19 21:58:04 kamboja pluto[6520]: | 84 20 9f ed 15 06 ec 75 8d 9b c3 00 3e 87 7f d6 Jun 19 21:58:04 kamboja pluto[6520]: | cc ad d6 4c e1 33 68 a0 42 61 38 12 26 df da 36 Jun 19 21:58:04 kamboja pluto[6520]: | d7 d3 16 db bc ed bb fc 99 b3 a2 d4 41 4a 98 f6 Jun 19 21:58:04 kamboja pluto[6520]: | 46 7c 54 0c 93 d7 bb 8e fa 43 23 40 ee e6 fe 5e Jun 19 21:58:04 kamboja pluto[6520]: | 06 be 58 ed 29 7c 16 d1 e8 58 36 78 fb 3d 81 b7 Jun 19 21:58:04 kamboja pluto[6520]: | 25 70 54 34 c5 a7 2e f7 06 79 68 8b 4a 92 4e 37 Jun 19 21:58:04 kamboja pluto[6520]: | be 7a d2 d4 50 c5 bc 05 06 9a a5 16 58 0d c4 14 Jun 19 21:58:04 kamboja pluto[6520]: | 0d 00 00 14 cb fb c1 7f ce a5 a8 b2 0b 8b 80 36 Jun 19 21:58:04 kamboja pluto[6520]: | 9a a2 46 3a 00 00 00 14 70 03 cb c1 09 7d be 9c Jun 19 21:58:04 kamboja pluto[6520]: | 26 00 ba 69 83 bc 8b 35 Jun 19 21:58:04 kamboja pluto[6520]: | **parse ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_KE Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: none Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | length: 200 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000 Jun 19 21:58:04 kamboja pluto[6520]: | state object #1 found, in STATE_MAIN_I2 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Key Exchange Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONCE Jun 19 21:58:04 kamboja pluto[6520]: | length: 132 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Nonce Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_VID Jun 19 21:58:04 kamboja pluto[6520]: | length: 20 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Vendor ID Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 20 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: ignoring Vendor ID payload [KAME/racoon] Jun 19 21:58:04 kamboja pluto[6520]: | **emit ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27
- 35 -
Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | DH public value received: Jun 19 21:58:04 kamboja pluto[6520]: | 06 53 b7 99 1e 7a ea ea 75 09 4d 3d 0f 43 b6 1b Jun 19 21:58:04 kamboja pluto[6520]: | 84 20 9f ed 15 06 ec 75 8d 9b c3 00 3e 87 7f d6 Jun 19 21:58:04 kamboja pluto[6520]: | cc ad d6 4c e1 33 68 a0 42 61 38 12 26 df da 36 Jun 19 21:58:04 kamboja pluto[6520]: | d7 d3 16 db bc ed bb fc 99 b3 a2 d4 41 4a 98 f6 Jun 19 21:58:04 kamboja pluto[6520]: | 46 7c 54 0c 93 d7 bb 8e fa 43 23 40 ee e6 fe 5e Jun 19 21:58:04 kamboja pluto[6520]: | 06 be 58 ed 29 7c 16 d1 e8 58 36 78 fb 3d 81 b7 Jun 19 21:58:04 kamboja pluto[6520]: | 25 70 54 34 c5 a7 2e f7 06 79 68 8b 4a 92 4e 37 Jun 19 21:58:04 kamboja pluto[6520]: | be 7a d2 d4 50 c5 bc 05 06 9a a5 16 58 0d c4 14 Jun 19 21:58:04 kamboja pluto[6520]: | thinking about whether to send my certificate: Jun 19 21:58:04 kamboja pluto[6520]: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | sendcert: CERT_ALWAYSSEND and I did not get a certificate request Jun 19 21:58:04 kamboja pluto[6520]: | so do not send cert. Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: I did not send a certificate because I do not have one. Jun 19 21:58:04 kamboja pluto[6520]: | I am not sending a certificate request Jun 19 21:58:04 kamboja pluto[6520]: | compute_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 5767 usec Jun 19 21:58:04 kamboja pluto[6520]: | DH shared secret: Jun 19 21:58:04 kamboja pluto[6520]: | 79 6b 13 64 9b 53 0f 6d 92 d9 16 1f 5a 53 45 69 Jun 19 21:58:04 kamboja pluto[6520]: | 6b b9 2c 5d c8 37 32 ec 3d 2a 5d 41 f0 1d 0b e8 Jun 19 21:58:04 kamboja pluto[6520]: | 5a e5 c1 15 9e 58 7d fe 4b b0 cc 1a 7f 20 31 96 Jun 19 21:58:04 kamboja pluto[6520]: | d6 f7 96 12 2d bf 7c 67 95 b7 31 b3 d3 a0 36 8c Jun 19 21:58:04 kamboja pluto[6520]: | 00 0d a3 5c 8a 7c 0b d4 53 ad e1 f5 3c 1f 58 45 Jun 19 21:58:04 kamboja pluto[6520]: | 01 68 3d 9e 30 be 0f 88 f5 27 ba 22 21 b6 76 57 Jun 19 21:58:04 kamboja pluto[6520]: | 4c 32 ce 19 aa 35 d5 2a 53 dc b4 79 5c c5 1b ec Jun 19 21:58:04 kamboja pluto[6520]: | 11 b5 12 63 6d f7 d6 5c 8d bc 27 23 91 f3 0e 9a Jun 19 21:58:04 kamboja pluto[6520]: | looking for secret for 167.205.65.16->167.205.108.139 of kind PPK_PSK Jun 19 21:58:04 kamboja pluto[6520]: | DH_i: a3 df 9d 51 15 8a 43 d2 c2 58 b3 45 85 51 f9 ec Jun 19 21:58:04 kamboja pluto[6520]: | 89 8a f4 63 05 be 39 4d 25 2d e9 fb 13 16 f2 f5 Jun 19 21:58:04 kamboja pluto[6520]: | 3c 36 97 6d 41 15 e1 f5 a7 e7 11 40 14 3c fb 48 Jun 19 21:58:04 kamboja pluto[6520]: | 72 ac b5 b6 e4 3b a3 9d 07 25 e7 f5 66 b6 90 d4 Jun 19 21:58:04 kamboja pluto[6520]: | ae eb 44 c1 96 d9 1a a7 19 ad fc 71 70 2b be 5b Jun 19 21:58:04 kamboja pluto[6520]: | 07 ff 61 3d 74 ec 9c 1c c0 50 ff fe 2a cc 60 31 Jun 19 21:58:04 kamboja pluto[6520]: | 7c e8 50 42 b6 3c de 2d 1a 73 26 79 c8 a5 9d f5 Jun 19 21:58:04 kamboja pluto[6520]: | 37 cf 56 ee 4c 5a 9a 75 5b 4c d1 b3 26 75 b5 e2 Jun 19 21:58:04 kamboja pluto[6520]: | DH_r: 06 53 b7 99 1e 7a ea ea 75 09 4d 3d 0f 43 b6 1b Jun 19 21:58:04 kamboja pluto[6520]: | 84 20 9f ed 15 06 ec 75 8d 9b c3 00 3e 87 7f d6 Jun 19 21:58:04 kamboja pluto[6520]: | cc ad d6 4c e1 33 68 a0 42 61 38 12 26 df da 36 Jun 19 21:58:04 kamboja pluto[6520]: | d7 d3 16 db bc ed bb fc 99 b3 a2 d4 41 4a 98 f6 Jun 19 21:58:04 kamboja pluto[6520]: | 46 7c 54 0c 93 d7 bb 8e fa 43 23 40 ee e6 fe 5e Jun 19 21:58:04 kamboja pluto[6520]: | 06 be 58 ed 29 7c 16 d1 e8 58 36 78 fb 3d 81 b7 Jun 19 21:58:04 kamboja pluto[6520]: | 25 70 54 34 c5 a7 2e f7 06 79 68 8b 4a 92 4e 37
- 36 -
Jun 19 21:58:04 kamboja pluto[6520]: | be 7a d2 d4 50 c5 bc 05 06 9a a5 16 58 0d c4 14 Jun 19 21:58:04 kamboja pluto[6520]: | Skeyid: 04 e7 2d 4f c5 10 75 fd 07 fe f2 0d 6d c2 54 1e Jun 19 21:58:04 kamboja pluto[6520]: | f7 9c e6 21 Jun 19 21:58:04 kamboja pluto[6520]: | Skeyid_d: 56 eb 2a 85 f0 90 e3 68 43 c8 fb c7 89 d8 5e f8 Jun 19 21:58:04 kamboja pluto[6520]: | 82 28 d9 d6 Jun 19 21:58:04 kamboja pluto[6520]: | Skeyid_a: 31 8b 84 ad a0 52 d6 f2 6f d9 47 06 2a d3 fb d4 Jun 19 21:58:04 kamboja pluto[6520]: | 0a 25 e8 cd Jun 19 21:58:04 kamboja pluto[6520]: | Skeyid_e: cc cf 35 7a 92 d1 e6 ef 1b 32 a5 4f 6f 56 5c 4b Jun 19 21:58:04 kamboja pluto[6520]: | 4a 5e 45 20 Jun 19 21:58:04 kamboja pluto[6520]: | enc key: 59 b5 ca ff ef da a1 ff 3f d3 cb 2d de da 37 ae Jun 19 21:58:04 kamboja pluto[6520]: | 71 f4 fc 29 a1 5f df 3d Jun 19 21:58:04 kamboja pluto[6520]: | IV: cc fb 00 90 38 3d 66 92 0d 78 0b 73 35 b2 a4 17 Jun 19 21:58:04 kamboja pluto[6520]: | a0 a8 e9 6d Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Identification Payload (IPsec DOI): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR Jun 19 21:58:04 kamboja pluto[6520]: | Protocol ID: 0 Jun 19 21:58:04 kamboja pluto[6520]: | port: 0 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) Jun 19 21:58:04 kamboja pluto[6520]: | my identity a7 cd 41 10 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 Jun 19 21:58:04 kamboja pluto[6520]: | hashing 144 bytes of SA Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | emitting 20 raw bytes of HASH_I into ISAKMP Hash Payload Jun 19 21:58:04 kamboja pluto[6520]: | HASH_I 50 a0 65 66 03 30 fc 32 55 d4 1b e3 98 72 66 53 Jun 19 21:58:04 kamboja pluto[6520]: | f8 15 7e 54 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Hash Payload: 24 Jun 19 21:58:04 kamboja pluto[6520]: | encrypting: Jun 19 21:58:04 kamboja pluto[6520]: | 08 00 00 0c 01 00 00 00 a7 cd 41 10 00 00 00 18 Jun 19 21:58:04 kamboja pluto[6520]: | 50 a0 65 66 03 30 fc 32 55 d4 1b e3 98 72 66 53 Jun 19 21:58:04 kamboja pluto[6520]: | f8 15 7e 54 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 zero bytes of encryption padding into ISAKMP Message Jun 19 21:58:04 kamboja pluto[6520]: | encrypting using OAKLEY_3DES_CBC Jun 19 21:58:04 kamboja pluto[6520]: | next IV: 32 bb 79 e8 40 0b 22 33 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Message: 68 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jun 19 21:58:04 kamboja pluto[6520]: | sending 68 bytes for STATE_MAIN_I2 through eth0 to 167.205.108.139:500: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 05 10 02 01 00 00 00 00 00 00 00 44 ff 78 ad d1 Jun 19 21:58:04 kamboja pluto[6520]: | 95 f3 f3 05 fc 8d 29 b4 86 c7 9b 66 9a 7d 22 1b
- 37 -
Jun 19 21:58:04 kamboja pluto[6520]: | a0 77 53 f1 19 cf 91 fa cb 44 c8 7e 32 bb 79 e8 Jun 19 21:58:04 kamboja pluto[6520]: | 40 0b 22 33 Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_RETRANSMIT in 10 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received 68 bytes from 167.205.108.139:500 on eth0 Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 05 10 02 01 00 00 00 00 00 00 00 44 42 27 89 ed Jun 19 21:58:04 kamboja pluto[6520]: | 6e 93 29 52 81 09 47 c1 d1 fc 92 1a df 0c f5 c5 Jun 19 21:58:04 kamboja pluto[6520]: | db 73 1d f2 76 45 83 89 86 de 58 5a 42 3e c5 f3 Jun 19 21:58:04 kamboja pluto[6520]: | ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | **parse ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_IDPROT Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 00 00 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | length: 68 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000 Jun 19 21:58:04 kamboja pluto[6520]: | state object #1 found, in STATE_MAIN_I3 Jun 19 21:58:04 kamboja pluto[6520]: | received encrypted packet from 167.205.108.139:500 Jun 19 21:58:04 kamboja pluto[6520]: | decrypting 40 bytes using algorithm OAKLEY_3DES_CBC Jun 19 21:58:04 kamboja pluto[6520]: | decrypted: Jun 19 21:58:04 kamboja pluto[6520]: | 08 00 00 0c 01 11 01 f4 a7 cd 6c 8b 00 00 00 18 Jun 19 21:58:04 kamboja pluto[6520]: | c8 ca 3f 87 05 45 86 f0 a8 9d 7e e7 ec 15 8a c2 Jun 19 21:58:04 kamboja pluto[6520]: | 2d 95 f3 80 00 00 00 04 Jun 19 21:58:04 kamboja pluto[6520]: | next IV: 42 3e c5 f3 ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Identification Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | length: 12 Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR Jun 19 21:58:04 kamboja pluto[6520]: | DOI specific A: 17 Jun 19 21:58:04 kamboja pluto[6520]: | DOI specific B: 500 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 24 Jun 19 21:58:04 kamboja pluto[6520]: | removing 4 bytes of padding Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: Peer ID is ID_IPV4_ADDR: '167.205.108.139' Jun 19 21:58:04 kamboja pluto[6520]: | hashing 144 bytes of SA Jun 19 21:58:04 kamboja pluto[6520]: | authentication succeeded Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
- 38 -
Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_SA_REPLACE, timeout in 2583 seconds for #1 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: ISAKMP SA established Jun 19 21:58:04 kamboja pluto[6520]: | unqueuing pending Quick Mode with 167.205.108.139 "ksi" Jun 19 21:58:04 kamboja pluto[6520]: | duplicating state object #1 Jun 19 21:58:04 kamboja pluto[6520]: | creating state object #2 at 0x80e1e10 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1} Jun 19 21:58:04 kamboja pluto[6520]: | **emit ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_QUICK Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 16 20 a2 b4 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_SA Jun 19 21:58:04 kamboja pluto[6520]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Hash Payload: 24 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Security Association Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONCE Jun 19 21:58:04 kamboja pluto[6520]: | DOI: ISAKMP_DOI_IPSEC Jun 19 21:58:04 kamboja pluto[6520]: | ****emit IPsec DOI SIT: Jun 19 21:58:04 kamboja pluto[6520]: | IPsec DOI SIT: SIT_IDENTITY_ONLY Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() initial trans_cnt=28 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=2 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=1 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() trans[1]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2 Jun 19 21:58:04 kamboja pluto[6520]: | out_sa pcn: 0 has 1 valid proposals Jun 19 21:58:04 kamboja pluto[6520]: | 3_000-1, 3_000-2, flags=-strict Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() initial trans_cnt=28 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=2 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=1 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_db_new() trans[1]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2 Jun 19 21:58:04 kamboja pluto[6520]: | out_sa pcn: 0 pn: 0<1 valid_count: 1 Jun 19 21:58:04 kamboja pluto[6520]: | ****emit ISAKMP Proposal Payload:
- 39 -
Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | proposal number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | protocol ID: PROTO_IPSEC_ESP Jun 19 21:58:04 kamboja pluto[6520]: | SPI size: 4 Jun 19 21:58:04 kamboja pluto[6520]: | number of transforms: 2 Jun 19 21:58:04 kamboja pluto[6520]: | netlink_get_spi: allocated 0xacb06afe for [email protected] Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload Jun 19 21:58:04 kamboja pluto[6520]: | SPI ac b0 6a fe Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ESP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_T Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: ESP_3DES Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: ENCAPSULATION_MODE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is ENCAPSULATION_MODE_TUNNEL] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is SA_LIFE_TYPE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 28800 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: AUTH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is AUTH_ALGORITHM_HMAC_MD5] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ESP): 24 Jun 19 21:58:04 kamboja pluto[6520]: | *****emit ISAKMP Transform Payload (ESP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 1 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: ESP_3DES Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: ENCAPSULATION_MODE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is ENCAPSULATION_MODE_TUNNEL] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is SA_LIFE_TYPE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 28800 Jun 19 21:58:04 kamboja pluto[6520]: | ******emit ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: AUTH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is AUTH_ALGORITHM_HMAC_SHA1] Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Transform Payload (ESP): 24 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Proposal Payload: 60 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Security Association Payload: 72
- 40 -
Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Nonce Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | emitting 16 raw bytes of Ni into ISAKMP Nonce Payload Jun 19 21:58:04 kamboja pluto[6520]: | Ni c1 ac d2 3f dd 44 d7 99 b8 65 de a2 43 ae e2 b7 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Nonce Payload: 20 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Identification Payload (IPsec DOI): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR_SUBNET Jun 19 21:58:04 kamboja pluto[6520]: | Protocol ID: 0 Jun 19 21:58:04 kamboja pluto[6520]: | port: 0 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) Jun 19 21:58:04 kamboja pluto[6520]: | client network c0 a8 02 00 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) Jun 19 21:58:04 kamboja pluto[6520]: | client mask ff ff ff 00 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Identification Payload (IPsec DOI): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR_SUBNET Jun 19 21:58:04 kamboja pluto[6520]: | Protocol ID: 0 Jun 19 21:58:04 kamboja pluto[6520]: | port: 0 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) Jun 19 21:58:04 kamboja pluto[6520]: | client network c0 a8 01 00 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) Jun 19 21:58:04 kamboja pluto[6520]: | client mask ff ff ff 00 Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 Jun 19 21:58:04 kamboja pluto[6520]: | HASH(1) computed: Jun 19 21:58:04 kamboja pluto[6520]: | 5e 49 55 fa f0 b1 f3 9b 9d 36 4c a8 ff 9d 90 be Jun 19 21:58:04 kamboja pluto[6520]: | 3d 6d a3 37 Jun 19 21:58:04 kamboja pluto[6520]: | last Phase 1 IV: 42 3e c5 f3 ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | last Phase 1 IV: 42 3e c5 f3 ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | computed Phase 2 IV: Jun 19 21:58:04 kamboja pluto[6520]: | fb f5 7a 5a 56 2a a1 df 24 ea f4 14 89 7f a3 ef Jun 19 21:58:04 kamboja pluto[6520]: | 9c 04 50 44 Jun 19 21:58:04 kamboja pluto[6520]: | encrypting: Jun 19 21:58:04 kamboja pluto[6520]: | 01 00 00 18 5e 49 55 fa f0 b1 f3 9b 9d 36 4c a8 Jun 19 21:58:04 kamboja pluto[6520]: | ff 9d 90 be 3d 6d a3 37 0a 00 00 48 00 00 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 01 00 00 00 3c 00 03 04 02 ac b0 6a fe Jun 19 21:58:04 kamboja pluto[6520]: | 03 00 00 18 00 03 00 00 80 04 00 01 80 01 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 80 02 70 80 80 05 00 01 00 00 00 18 01 03 00 00 Jun 19 21:58:04 kamboja pluto[6520]: | 80 04 00 01 80 01 00 01 80 02 70 80 80 05 00 02 Jun 19 21:58:04 kamboja pluto[6520]: | 05 00 00 14 c1 ac d2 3f dd 44 d7 99 b8 65 de a2 Jun 19 21:58:04 kamboja pluto[6520]: | 43 ae e2 b7 05 00 00 10 04 00 00 00 c0 a8 02 00 Jun 19 21:58:04 kamboja pluto[6520]: | ff ff ff 00 00 00 00 10 04 00 00 00 c0 a8 01 00 Jun 19 21:58:04 kamboja pluto[6520]: | ff ff ff 00 Jun 19 21:58:04 kamboja pluto[6520]: | emitting 4 zero bytes of encryption padding into ISAKMP Message Jun 19 21:58:04 kamboja pluto[6520]: | encrypting using OAKLEY_3DES_CBC
- 41 -
Jun 19 21:58:04 kamboja pluto[6520]: | next IV: 6a 09 8c de 17 d2 8d 7b Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Message: 180 Jun 19 21:58:04 kamboja pluto[6520]: | sending 180 bytes for quick_outI1 through eth0 to 167.205.108.139:500: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 08 10 20 01 16 20 a2 b4 00 00 00 b4 16 d0 bd cf Jun 19 21:58:04 kamboja pluto[6520]: | 46 e7 5d e0 fc ad ef df 28 65 a2 73 09 8e 18 e9 Jun 19 21:58:04 kamboja pluto[6520]: | d1 f3 dd 0a a0 e9 27 01 9b 96 dc 28 7c 75 f0 71 Jun 19 21:58:04 kamboja pluto[6520]: | fa 43 e0 36 6a cf 86 f9 89 03 13 cc 74 a2 3c 1d Jun 19 21:58:04 kamboja pluto[6520]: | 44 83 3b 23 9b fc 23 ad f9 4d 86 3f ab b4 97 02 Jun 19 21:58:04 kamboja pluto[6520]: | 4a b2 dd 4e 57 4e 3c ed 77 36 e4 6b b2 8f 44 47 Jun 19 21:58:04 kamboja pluto[6520]: | 78 08 da a4 73 72 0a 05 87 70 87 5d dd 39 48 59 Jun 19 21:58:04 kamboja pluto[6520]: | 0c b9 b7 93 03 3d 2c 8f 46 74 4b d7 f5 3a 74 4f Jun 19 21:58:04 kamboja pluto[6520]: | 00 7d 78 00 5b 04 79 89 d1 a3 a2 2f de 49 87 76 Jun 19 21:58:04 kamboja pluto[6520]: | 47 b5 9a b9 b6 bf 4d 72 6b 8f 91 1d 6a 09 8c de Jun 19 21:58:04 kamboja pluto[6520]: | 17 d2 8d 7b Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2 Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_RETRANSMIT in 10 seconds for #2 Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received 84 bytes from 167.205.108.139:500 on eth0 Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 08 10 05 01 64 dc f6 c7 00 00 00 54 17 0b 41 aa Jun 19 21:58:04 kamboja pluto[6520]: | a5 82 f0 ed a2 f8 5e 5d 9e 54 fc 8a 5f 4f 72 73 Jun 19 21:58:04 kamboja pluto[6520]: | 74 79 67 f8 37 3a b5 9c 7b f4 d7 90 ef d1 e5 2b Jun 19 21:58:04 kamboja pluto[6520]: | 67 63 9a f5 d0 66 3c d8 de ed e0 2f 7c e0 47 7b Jun 19 21:58:04 kamboja pluto[6520]: | bb 71 86 94 Jun 19 21:58:04 kamboja pluto[6520]: | **parse ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_INFO Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 64 dc f6 c7 Jun 19 21:58:04 kamboja pluto[6520]: | length: 84 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #2, provided msgid 00000000 vs 1620a2b4 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000 Jun 19 21:58:04 kamboja pluto[6520]: | state object #1 found, in STATE_MAIN_I4 Jun 19 21:58:04 kamboja pluto[6520]: | last Phase 1 IV: 42 3e c5 f3 ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | last Phase 1 IV: 42 3e c5 f3 ba ab c1 7c Jun 19 21:58:04 kamboja pluto[6520]: | computed Phase 2 IV: Jun 19 21:58:04 kamboja pluto[6520]: | 32 53 ab b6 86 3d a0 4f 0b ed f0 1c f2 be 77 f3 Jun 19 21:58:04 kamboja pluto[6520]: | 6e 7a 8a 64 Jun 19 21:58:04 kamboja pluto[6520]: | received encrypted packet from 167.205.108.139:500
- 42 -
Jun 19 21:58:04 kamboja pluto[6520]: | decrypting 56 bytes using algorithm OAKLEY_3DES_CBC Jun 19 21:58:04 kamboja pluto[6520]: | decrypted: Jun 19 21:58:04 kamboja pluto[6520]: | 0b 00 00 18 8a 3c f5 c3 83 07 b0 13 6b d8 cd a8 Jun 19 21:58:04 kamboja pluto[6520]: | 33 2c 0a 2d d0 f7 bd 29 00 00 00 1c 00 00 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 01 10 60 02 0c 89 ca 4d c9 89 84 63 7d 0c de af Jun 19 21:58:04 kamboja pluto[6520]: | 25 ea 82 27 00 00 00 04 Jun 19 21:58:04 kamboja pluto[6520]: | next IV: 7c e0 47 7b bb 71 86 94 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_N Jun 19 21:58:04 kamboja pluto[6520]: | length: 24 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Notification Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 28 Jun 19 21:58:04 kamboja pluto[6520]: | DOI: ISAKMP_DOI_IPSEC Jun 19 21:58:04 kamboja pluto[6520]: | protocol ID: 1 Jun 19 21:58:04 kamboja pluto[6520]: | SPI size: 16 Jun 19 21:58:04 kamboja pluto[6520]: | Notify Message Type: IPSEC_INITIAL_CONTACT Jun 19 21:58:04 kamboja pluto[6520]: | removing 4 bytes of padding Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT Jun 19 21:58:04 kamboja pluto[6520]: | info: 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #1: received and ignored informational message Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_RETRANSMIT in 10 seconds for #2 Jun 19 21:58:04 kamboja pluto[6520]: | Jun 19 21:58:04 kamboja pluto[6520]: | *received 156 bytes from 167.205.108.139:500 on eth0 Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 08 10 20 01 16 20 a2 b4 00 00 00 9c 25 1d be f6 Jun 19 21:58:04 kamboja pluto[6520]: | 93 56 7f 2f ee 76 8e ed 69 12 59 aa 30 36 59 38 Jun 19 21:58:04 kamboja pluto[6520]: | 2e de 1e a8 82 c3 c5 55 17 f3 4d 65 82 53 c8 fe Jun 19 21:58:04 kamboja pluto[6520]: | 63 d3 52 49 ea 12 03 b6 b0 40 c3 1c 6e b8 41 ce Jun 19 21:58:04 kamboja pluto[6520]: | 6f 0c e1 9b 1f 49 5d e1 8c 5f de 58 20 f7 6a 7f Jun 19 21:58:04 kamboja pluto[6520]: | 04 e6 b5 25 c8 63 d6 82 2b 2d da e2 e7 0f 79 0d Jun 19 21:58:04 kamboja pluto[6520]: | a4 80 97 7e 54 7d 71 f2 19 ee ea e0 c6 e9 e2 d0 Jun 19 21:58:04 kamboja pluto[6520]: | 67 cf dc 5c b5 30 b6 61 31 0c f6 9e 5b 52 f4 ac Jun 19 21:58:04 kamboja pluto[6520]: | cf b0 4f b8 0c b2 fc 16 1a 8a ef a8 Jun 19 21:58:04 kamboja pluto[6520]: | **parse ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_QUICK Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 16 20 a2 b4 Jun 19 21:58:04 kamboja pluto[6520]: | length: 156 Jun 19 21:58:04 kamboja pluto[6520]: | ICOOKIE: 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | RCOOKIE: 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | peer: a7 cd 6c 8b Jun 19 21:58:04 kamboja pluto[6520]: | state hash entry 24 Jun 19 21:58:04 kamboja pluto[6520]: | peer and cookies match on #2, provided msgid 1620a2b4 vs 1620a2b4
- 43 -
Jun 19 21:58:04 kamboja pluto[6520]: | state object #2 found, in STATE_QUICK_I1 Jun 19 21:58:04 kamboja pluto[6520]: | received encrypted packet from 167.205.108.139:500 Jun 19 21:58:04 kamboja pluto[6520]: | decrypting 128 bytes using algorithm OAKLEY_3DES_CBC Jun 19 21:58:04 kamboja pluto[6520]: | decrypted: Jun 19 21:58:04 kamboja pluto[6520]: | 01 00 00 18 04 bb fc be d3 42 da 4c 1e 77 cc ba Jun 19 21:58:04 kamboja pluto[6520]: | b5 48 a5 2b 1e 4e 18 ee 0a 00 00 30 00 00 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 01 00 00 00 24 00 03 04 01 0e ab 7e a0 Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 18 01 03 00 00 80 04 00 01 80 01 00 01 Jun 19 21:58:04 kamboja pluto[6520]: | 80 02 70 80 80 05 00 02 05 00 00 14 d9 74 b7 79 Jun 19 21:58:04 kamboja pluto[6520]: | 10 0e b5 13 23 69 f0 f7 86 42 89 13 05 00 00 10 Jun 19 21:58:04 kamboja pluto[6520]: | 04 00 00 00 c0 a8 02 00 ff ff ff 00 00 00 00 10 Jun 19 21:58:04 kamboja pluto[6520]: | 04 00 00 00 c0 a8 01 00 ff ff ff 00 00 00 00 04 Jun 19 21:58:04 kamboja pluto[6520]: | next IV: 0c b2 fc 16 1a 8a ef a8 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_SA Jun 19 21:58:04 kamboja pluto[6520]: | length: 24 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Security Association Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONCE Jun 19 21:58:04 kamboja pluto[6520]: | length: 48 Jun 19 21:58:04 kamboja pluto[6520]: | DOI: ISAKMP_DOI_IPSEC Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Nonce Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | length: 20 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Identification Payload (IPsec DOI): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_ID Jun 19 21:58:04 kamboja pluto[6520]: | length: 16 Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR_SUBNET Jun 19 21:58:04 kamboja pluto[6520]: | Protocol ID: 0 Jun 19 21:58:04 kamboja pluto[6520]: | port: 0 Jun 19 21:58:04 kamboja pluto[6520]: | ***parse ISAKMP Identification Payload (IPsec DOI): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 16 Jun 19 21:58:04 kamboja pluto[6520]: | ID type: ID_IPV4_ADDR_SUBNET Jun 19 21:58:04 kamboja pluto[6520]: | Protocol ID: 0 Jun 19 21:58:04 kamboja pluto[6520]: | port: 0 Jun 19 21:58:04 kamboja pluto[6520]: | removing 4 bytes of padding Jun 19 21:58:04 kamboja pluto[6520]: | **emit ISAKMP Message: Jun 19 21:58:04 kamboja pluto[6520]: | initiator cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 Jun 19 21:58:04 kamboja pluto[6520]: | responder cookie: Jun 19 21:58:04 kamboja pluto[6520]: | 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_HASH Jun 19 21:58:04 kamboja pluto[6520]: | ISAKMP version: ISAKMP Version 1.0 Jun 19 21:58:04 kamboja pluto[6520]: | exchange type: ISAKMP_XCHG_QUICK Jun 19 21:58:04 kamboja pluto[6520]: | flags: ISAKMP_FLAG_ENCRYPTION Jun 19 21:58:04 kamboja pluto[6520]: | message ID: 16 20 a2 b4 Jun 19 21:58:04 kamboja pluto[6520]: | HASH(2) computed: Jun 19 21:58:04 kamboja pluto[6520]: | 04 bb fc be d3 42 da 4c 1e 77 cc ba b5 48 a5 2b Jun 19 21:58:04 kamboja pluto[6520]: | 1e 4e 18 ee Jun 19 21:58:04 kamboja pluto[6520]: | ****parse IPsec DOI SIT: Jun 19 21:58:04 kamboja pluto[6520]: | IPsec DOI SIT: SIT_IDENTITY_ONLY Jun 19 21:58:04 kamboja pluto[6520]: | ****parse ISAKMP Proposal Payload:
- 44 -
Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 36 Jun 19 21:58:04 kamboja pluto[6520]: | proposal number: 0 Jun 19 21:58:04 kamboja pluto[6520]: | protocol ID: PROTO_IPSEC_ESP Jun 19 21:58:04 kamboja pluto[6520]: | SPI size: 4 Jun 19 21:58:04 kamboja pluto[6520]: | number of transforms: 1 Jun 19 21:58:04 kamboja pluto[6520]: | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI Jun 19 21:58:04 kamboja pluto[6520]: | SPI 0e ab 7e a0 Jun 19 21:58:04 kamboja pluto[6520]: | *****parse ISAKMP Transform Payload (ESP): Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | length: 24 Jun 19 21:58:04 kamboja pluto[6520]: | transform number: 1 Jun 19 21:58:04 kamboja pluto[6520]: | transform ID: ESP_3DES Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: ENCAPSULATION_MODE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is ENCAPSULATION_MODE_TUNNEL] Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_TYPE Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 1 Jun 19 21:58:04 kamboja pluto[6520]: | [1 is SA_LIFE_TYPE_SECONDS] Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: SA_LIFE_DURATION Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 28800 Jun 19 21:58:04 kamboja pluto[6520]: | ******parse ISAKMP IPsec DOI attribute: Jun 19 21:58:04 kamboja pluto[6520]: | af+type: AUTH_ALGORITHM Jun 19 21:58:04 kamboja pluto[6520]: | length/value: 2 Jun 19 21:58:04 kamboja pluto[6520]: | [2 is AUTH_ALGORITHM_HMAC_SHA1] Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1 Jun 19 21:58:04 kamboja pluto[6520]: | kernel_alg_esp_enc_keylen():alg_id=3, keylen=24 Jun 19 21:58:04 kamboja pluto[6520]: | our client is subnet 192.168.2.0/24 Jun 19 21:58:04 kamboja pluto[6520]: | our client protocol/port is 0/0 Jun 19 21:58:04 kamboja pluto[6520]: | peer client is subnet 192.168.1.0/24 Jun 19 21:58:04 kamboja pluto[6520]: | peer client protocol/port is 0/0 Jun 19 21:58:04 kamboja pluto[6520]: | ***emit ISAKMP Hash Payload: Jun 19 21:58:04 kamboja pluto[6520]: | next payload type: ISAKMP_NEXT_NONE Jun 19 21:58:04 kamboja pluto[6520]: | emitting 20 zero bytes of HASH into ISAKMP Hash Payload Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Hash Payload: 24 Jun 19 21:58:04 kamboja pluto[6520]: | HASH(3) computed: 4c c1 0e a6 64 dc 91 d4 29 d6 b6 4f ee 1b ad f3 Jun 19 21:58:04 kamboja pluto[6520]: | f2 91 a1 2d Jun 19 21:58:04 kamboja pluto[6520]: | compute_proto_keymat:needed_len (after ESP enc)=24 Jun 19 21:58:04 kamboja pluto[6520]: | compute_proto_keymat:needed_len (after ESP auth)=44 Jun 19 21:58:04 kamboja pluto[6520]: | KEYMAT computed: Jun 19 21:58:04 kamboja pluto[6520]: | 73 de 9e 78 a6 e9 09 b4 46 b6 e8 1e 76 d2 b1 b1 Jun 19 21:58:04 kamboja pluto[6520]: | 22 6b c9 7e 49 6e 8a 4a 33 a3 61 8e c2 43 71 1b Jun 19 21:58:04 kamboja pluto[6520]: | e2 75 8f ae bc e3 38 f6 f9 7f 43 f1 Jun 19 21:58:04 kamboja pluto[6520]: | Peer KEYMAT computed: Jun 19 21:58:04 kamboja pluto[6520]: | cf 0f dc cf 11 14 94 05 77 6c 2b 3a bb 71 05 c8
- 45 -
Jun 19 21:58:04 kamboja pluto[6520]: | e5 99 91 2e c4 36 6a 39 ca 97 32 84 79 0a 2d a5 Jun 19 21:58:04 kamboja pluto[6520]: | e0 c9 5a b2 88 3f 57 ed 3d 92 b8 95 Jun 19 21:58:04 kamboja pluto[6520]: | install_ipsec_sa() for #2: inbound and outbound Jun 19 21:58:04 kamboja pluto[6520]: | route owner of "ksi" unrouted: NULL; eroute owner: NULL Jun 19 21:58:04 kamboja pluto[6520]: | could_route called for ksi (kind=CK_PERMANENT) Jun 19 21:58:04 kamboja pluto[6520]: | add inbound eroute 192.168.1.0/24:0 --0-> 192.168.2.0/24:0 => [email protected] (raw_eroute) Jun 19 21:58:04 kamboja pluto[6520]: | sr for #2: unrouted Jun 19 21:58:04 kamboja pluto[6520]: | route owner of "ksi" unrouted: NULL; eroute owner: NULL Jun 19 21:58:04 kamboja pluto[6520]: | route_and_eroute with c: ksi (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2 Jun 19 21:58:04 kamboja pluto[6520]: | eroute_connection add eroute 192.168.2.0/24:0 --0-> 192.168.1.0/24:0 => [email protected] (raw_eroute) Jun 19 21:58:04 kamboja pluto[6520]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='ksi' PLUTO_NEXT_HOP='167.205.65.5' PLUTO_INTERFACE='eth0' PLUTO_ME='167.205.65.16' PLUTO_MY_ID='167.205.65.16' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='167.205.108.139' PLUTO_PEER_ID='167.205.108.139' PLUTO_PEER_CLIENT='192.168.1.0/24' PLUTO_PEER_CLIENT_NET='192.168.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+UP' ipsec _updown Jun 19 21:58:04 kamboja pluto[6520]: | route_and_eroute: firewall_notified: true Jun 19 21:58:04 kamboja pluto[6520]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='ksi' PLUTO_NEXT_HOP='167.205.65.5' PLUTO_INTERFACE='eth0' PLUTO_ME='167.205.65.16' PLUTO_MY_ID='167.205.65.16' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='167.205.108.139' PLUTO_PEER_ID='167.205.108.139' PLUTO_PEER_CLIENT='192.168.1.0/24' PLUTO_PEER_CLIENT_NET='192.168.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+UP' ipsec _updown Jun 19 21:58:04 kamboja pluto[6520]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='ksi' PLUTO_NEXT_HOP='167.205.65.5' PLUTO_INTERFACE='eth0' PLUTO_ME='167.205.65.16' PLUTO_MY_ID='167.205.65.16' PLUTO_MY_CLIENT='192.168.2.0/24' PLUTO_MY_CLIENT_NET='192.168.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='167.205.108.139' PLUTO_PEER_ID='167.205.108.139' PLUTO_PEER_CLIENT='192.168.1.0/24' PLUTO_PEER_CLIENT_NET='192.168.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+UP' ipsec _updown Jun 19 21:58:04 kamboja pluto[6520]: | route_and_eroute: instance "ksi", setting eroute_owner {spd=0x80e01c4,sr=0x80e01c4} to #2 (was #0) (newest_ipsec_sa=#0) Jun 19 21:58:04 kamboja pluto[6520]: | encrypting: Jun 19 21:58:04 kamboja pluto[6520]: | 00 00 00 18 4c c1 0e a6 64 dc 91 d4 29 d6 b6 4f Jun 19 21:58:04 kamboja pluto[6520]: | ee 1b ad f3 f2 91 a1 2d Jun 19 21:58:04 kamboja pluto[6520]: | encrypting using OAKLEY_3DES_CBC Jun 19 21:58:04 kamboja pluto[6520]: | next IV: d2 9f b6 80 0a e5 48 3e
- 46 -
Jun 19 21:58:04 kamboja pluto[6520]: | emitting length of ISAKMP Message: 52 Jun 19 21:58:04 kamboja pluto[6520]: | inR1_outI2: instance ksi[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 Jun 19 21:58:04 kamboja pluto[6520]: | sending 52 bytes for STATE_QUICK_I1 through eth0 to 167.205.108.139:500: Jun 19 21:58:04 kamboja pluto[6520]: | 0c 89 ca 4d c9 89 84 63 7d 0c de af 25 ea 82 27 Jun 19 21:58:04 kamboja pluto[6520]: | 08 10 20 01 16 20 a2 b4 00 00 00 34 9f 29 b4 9d Jun 19 21:58:04 kamboja pluto[6520]: | ea 1f 0b a5 fb e9 d9 24 b6 e0 30 37 d2 9f b6 80 Jun 19 21:58:04 kamboja pluto[6520]: | 0a e5 48 3e Jun 19 21:58:04 kamboja pluto[6520]: | inserting event EVENT_SA_REPLACE, timeout in 28013 seconds for #2 Jun 19 21:58:04 kamboja pluto[6520]: "ksi" #2: sent QI2, IPsec SA established {ESP=>0x0eab7ea0 <0xacb06afe} Jun 19 21:58:04 kamboja pluto[6520]: | next event EVENT_SA_REPLACE in 2583 seconds for #1
Log Racoon 2005-06-19 21:57:58: DEBUG: isakmp.c:233:isakmp_handler(): === 2005-06-19 21:57:58: DEBUG: isakmp.c:234:isakmp_handler(): 176 bytes message received from 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 00000000 00000000 01100200 00000000 000000b0 00000094 00000001 00000001 00000088 00010004 03000020 00010000 800b0001 800c0e10 80010005 80020001 80030001 80040005 03000020 01010000 800b0001 800c0e10 80010005 80020001 80030001 80040002 03000020 02010000 800b0001 800c0e10 80010005 80020002 80030001 80040005 00000020 03010000 800b0001 800c0e10 80010005 80020002 80030001 80040002 2005-06-19 21:57:58: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for 167.205.65.16[500]. 2005-06-19 21:57:58: DEBUG: isakmp.c:899:isakmp_ph1begin_r(): === 2005-06-19 21:57:58: INFO: isakmp.c:904:isakmp_ph1begin_r(): respond new phase 1 negotiation: 167.205.108.139[500]<=>167.205.6 5.16[500] 2005-06-19 21:57:58: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin Identity Protection mode. 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=1(sa) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1116:get_proppair(): total SA len=144 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 00000001 00000001 00000088 00010004 03000020 00010000 800b0001 800c0e10 80010005 80020001 80030001 80040005 03000020 01010000 800b0001 800c0e10 80010005 80020001 80030001 80040002 03000020 02010000 800b0001 800c0e10 80010005 80020002 80030001 80040005 00000020 03010000 800b0001 800c0e10 80010005 80020002 80030001 80040002 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=2(prop) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1169:get_proppair(): proposal #0 len=136 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin.
- 47 -
2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #0 len=32 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=MD5 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(md5) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1536-bit MODP grou p 2005-06-19 21:57:58: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1536) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #1 len=32 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=MD5 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(md5) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP grou p 2005-06-19 21:57:58: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #2 len=32 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key
- 48 -
2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1536-bit MODP grou p 2005-06-19 21:57:58: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1536) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #3 len=32 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1869:check_attr_isakmp(): type=Group Description, flag=0x8000, lorv=1024-bit MODP grou p 2005-06-19 21:57:58: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1212:get_proppair(): pair 0: 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80a3da0: next=0x0 tnext=0x80a3db0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80a3db0: next=0x0 tnext=0x80a3dc0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80a3dc0: next=0x0 tnext=0x80a3dd0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80a3dd0: next=0x0 tnext=0x0 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1247:get_proppair(): proposal #0: 4 transform 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=4 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=0, trns-id=IKE 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=MD5 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1536-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 28800:3600) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:MD5
- 49 -
2005-06-19 21:57:58: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1536-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=4 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=1, trns-id=IKE 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=MD5 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 28800:3600) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:MD5 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1024-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=4 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=2, trns-id=IKE 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1536-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 28800:3600) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:SHA
- 50 -
2005-06-19 21:57:58: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1536-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:322:get_ph1approvalx(): prop#=0, prot-id=ISAKMP, spi-size=0, #trns=4 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:327:get_ph1approvalx(): trns#=3, trns-id=IKE 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Life Duration, flag=0x8000, lorv=3600 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Hash Algorithm, flag=0x8000, lorv=SHA 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Authentication Method, flag=0x8000, lorv=pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:491:t2isakmpsa(): type=Group Description, flag=0x8000, lorv=1024-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:338:get_ph1approvalx(): Compared: DB:Peer 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:339:get_ph1approvalx(): (lifetime = 28800:3600) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:341:get_ph1approvalx(): (lifebyte = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:343:get_ph1approvalx(): enctype = 3DES-CBC:3DES-CBC 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:348:get_ph1approvalx(): (encklen = 0:0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:350:get_ph1approvalx(): hashtype = SHA:SHA 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:355:get_ph1approvalx(): authmethod = pre-shared key:pre-shared key 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:360:get_ph1approvalx(): dh_group = 1024-bit MODP group:1024-bit MODP group 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:248:get_ph1approval(): an acceptable proposal found. 2005-06-19 21:57:58: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024) 2005-06-19 21:57:58: DEBUG: isakmp.c:2006:isakmp_newcookie(): new cookie: 7d0cdeaf25ea8227 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 48, next type 1 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 13 2005-06-19 21:57:58: DEBUG: sockmisc.c:421:sendfromto(): sockname 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:423:sendfromto(): send packet from 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:425:sendfromto(): send packet to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 100 bytes message will be sent to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 00010001 00000020 03010000 800b0001 800c0e10 80010005 80020002 80030001 80040002 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2005-06-19 21:57:58: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 0c89ca4dc9898463:7d0cdeaf25ea8227 2005-06-19 21:57:58: DEBUG: isakmp.c:233:isakmp_handler(): ===
- 51 -
2005-06-19 21:57:58: DEBUG: isakmp.c:234:isakmp_handler(): 180 bytes message received from 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 04100200 00000000 000000b4 0a000084 a3df9d51 158a43d2 c258b345 8551f9ec 898af463 05be394d 252de9fb 1316f2f5 3c36976d 4115e1f5 a7e71140 143cfb48 72acb5b6 e43ba39d 0725e7f5 66b690d4 aeeb44c1 96d91aa7 19adfc71 702bbe5b 07ff613d 74ec9c1c c050fffe 2acc6031 7ce85042 b63cde2d 1a732679 c8a59df5 37cf56ee 4c5a9a75 5b4cd1b3 2675b5e2 00000014 54345361 81678ed7 e0457bbb 849396e2 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=4(ke) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=10(nonce) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: isakmp.c:633:ph1_main(): === 2005-06-19 21:57:58: DEBUG: oakley.c:314:oakley_dh_generate(): compute DH's private. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 77aed7b2 988c8f31 5678b591 a2685633 88054a23 3dc885ae b31825c6 b4277837 71812406 98838ca5 3b65aa51 be87d268 ea09dfa0 4c952bf9 089c5405 d431d815 92d7ed10 702f2dd2 39e26926 5a993aff eb607b3c 323d95b6 4261fca3 83bd5b49 04016f7b 305079f0 2dfbcf3e 89c1e3c4 bf4cdf64 95b3292c 05b18a00 e41cb573 2005-06-19 21:57:58: DEBUG: oakley.c:316:oakley_dh_generate(): compute DH's public. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0653b799 1e7aeaea 75094d3d 0f43b61b 84209fed 1506ec75 8d9bc300 3e877fd6 ccadd64c e13368a0 42613812 26dfda36 d7d316db bcedbbfc 99b3a2d4 414a98f6 467c540c 93d7bb8e fa432340 eee6fe5e 06be58ed 297c16d1 e8583678 fb3d81b7 25705434 c5a72ef7 0679688b 4a924e37 be7ad2d4 50c5bc05 069aa516 580dc414 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 128, next type 4 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 10 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 16, next type 13 2005-06-19 21:57:58: DEBUG: sockmisc.c:421:sendfromto(): sockname 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:423:sendfromto(): send packet from 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:425:sendfromto(): send packet to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 200 bytes message will be sent to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 04100200 00000000 000000c8 0a000084 0653b799 1e7aeaea 75094d3d 0f43b61b 84209fed 1506ec75 8d9bc300 3e877fd6 ccadd64c e13368a0 42613812 26dfda36 d7d316db bcedbbfc 99b3a2d4 414a98f6 467c540c 93d7bb8e fa432340 eee6fe5e 06be58ed 297c16d1 e8583678 fb3d81b7 25705434 c5a72ef7 0679688b 4a924e37 be7ad2d4 50c5bc05 069aa516 580dc414 0d000014 cbfbc17f cea5a8b2 0b8b8036 9aa2463a 00000014 7003cbc1 097dbe9c 2600ba69 83bc8b35 2005-06-19 21:57:58: DEBUG: isakmp.c:1459:isakmp_ph1resend(): resend phase1 packet 0c89ca4dc9898463:7d0cdeaf25ea8227 2005-06-19 21:57:58: DEBUG: oakley.c:264:oakley_dh_compute(): compute DH's shared. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 796b1364 9b530f6d 92d9161f 5a534569 6bb92c5d c83732ec 3d2a5d41 f01d0be8 5ae5c115 9e587dfe 4bb0cc1a 7f203196 d6f79612 2dbf7c67 95b731b3 d3a0368c 000da35c 8a7c0bd4 53ade1f5 3c1f5845 01683d9e 30be0f88 f527ba22 21b67657
- 52 -
4c32ce19 aa35d52a 53dcb479 5cc51bec 11b51263 6df7d65c 8dbc2723 91f30e9a 2005-06-19 21:57:58: DEBUG: oakley.c:2122:oakley_skeyid(): the psk found. 2005-06-19 21:57:58: DEBUG: oakley.c:2137:oakley_skeyid(): nonce 1: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 54345361 81678ed7 e0457bbb 849396e2 2005-06-19 21:57:58: DEBUG: oakley.c:2143:oakley_skeyid(): nonce 2: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): cbfbc17f cea5a8b2 0b8b8036 9aa2463a 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2196:oakley_skeyid(): SKEYID computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 04e72d4f c51075fd 07fef20d 6dc2541e f79ce621 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2253:oakley_skeyid_dae(): SKEYID_d computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 56eb2a85 f090e368 43c8fbc7 89d85ef8 8228d9d6 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2282:oakley_skeyid_dae(): SKEYID_a computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 318b84ad a052d6f2 6fd94706 2ad3fbd4 0a25e8cd 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2311:oakley_skeyid_dae(): SKEYID_e computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): cccf357a 92d1e6ef 1b32a54f 6f565c4b 4a5e4520 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2380:oakley_compute_enckey(): len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...) 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2405:oakley_compute_enckey(): compute intermediate encryption key K1 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 00 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:2405:oakley_compute_enckey(): compute intermediate encryption key K2 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): a15fdf3d ef3862be c551371e 672ba5af fbb64969 2005-06-19 21:57:58: DEBUG: oakley.c:2453:oakley_compute_enckey(): final encryption key computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2564:oakley_newiv(): IV computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): ccfb0090 383d6692 2005-06-19 21:57:58: DEBUG: isakmp.c:233:isakmp_handler(): ===
- 53 -
2005-06-19 21:57:58: DEBUG: isakmp.c:234:isakmp_handler(): 68 bytes message received from 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 05100201 00000000 00000044 ff78add1 95f3f305 fc8d29b4 86c79b66 9a7d221b a07753f1 19cf91fa cb44c87e 32bb79e8 400b2233 2005-06-19 21:57:58: DEBUG: oakley.c:2684:oakley_do_decrypt(): begin decryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2698:oakley_do_decrypt(): IV was saved for next processing: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 32bb79e8 400b2233 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2723:oakley_do_decrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2731:oakley_do_decrypt(): decrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 32bb79e8 400b2233 2005-06-19 21:57:58: DEBUG: oakley.c:2734:oakley_do_decrypt(): decrypted payload, but not trimed. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0800000c 01000000 a7cd4110 00000018 50a06566 0330fc32 55d41be3 98726653 f8157e54 00000000 2005-06-19 21:57:58: DEBUG: oakley.c:2743:oakley_do_decrypt(): padding len=0 2005-06-19 21:57:58: DEBUG: oakley.c:2757:oakley_do_decrypt(): skip to trim padding. 2005-06-19 21:57:58: DEBUG: oakley.c:2772:oakley_do_decrypt(): decrypted. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 05100201 00000000 00000044 0800000c 01000000 a7cd4110 00000018 50a06566 0330fc32 55d41be3 98726653 f8157e54 00000000 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=8(hash) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: oakley.c:1220:oakley_validate_auth(): HASH received:2005-06-19 21:57:58: DEBUG: plog.c:193:plogdum p():2005-06-19 21:57:58: DEBUG: oakley.c:925:oakley_ph1hash_common(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): a3df9d51 158a43d2 c258b345 8551f9ec 898af463 05be394d 252de9fb 1316f2f5 3c36976d 4115e1f5 a7e71140 143cfb48 72acb5b6 e43ba39d 0725e7f5 66b690d4 aeeb44c1 96d91aa7 19adfc71 702bbe5b 07ff613d 74ec9c1c c050fffe 2acc6031 7ce85042 b63cde2d 1a732679 c8a59df5 37cf56ee 4c5a9a75 5b4cd1b3 2675b5e2 0653b799 1e7aeaea 75094d3d 0f43b61b 84209fed 1506ec75 8d9bc300 3e877fd6 ccadd64c e13368a0 42613812 26dfda36 d7d316db bcedbbfc 99b3a2d4 414a98f6 467c540c 93d7bb8e fa432340 eee6fe5e 06be58ed 297c16d1 e8583678 fb3d81b7 25705434 c5a72ef7 0679688b 4a924e37 be7ad2d4 50c5bc05 069aa516 580dc414 0c89ca4d c9898463 7d0cdeaf 25ea8227 00000001 00000001 00000088 00010004 03000020 00010000 800b0001 800c0e10 80010005 80020001 80030001 80040005 03000020 01010000 800b0001 800c0e10 80010005 80020001 80030001 80040002 03000020 02010000 800b0001 800c0e10 80010005 80020002 80030001 80040005 00000020 03010000 800b0001 800c0e10 80010005 80020002 80030001 80040002 01000000 a7cd4110
- 54 -
2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:935:oakley_ph1hash_common(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 50a06566 0330fc32 55d41be3 98726653 f8157e54 2005-06-19 21:57:58: DEBUG: oakley.c:1251:oakley_validate_auth(): HASH for PSK validated. 2005-06-19 21:57:58: DEBUG: isakmp_ident.c:1242:ident_r3recv(): peer's ID 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 01000000 a7cd4110 2005-06-19 21:57:58: DEBUG: isakmp.c:633:ph1_main(): === 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3241:ipsecdoi_setid1(): use ID type of IPv4_address 2005-06-19 21:57:58: DEBUG: isakmp_ident.c:1322:ident_r3send(): generate HASH_R 2005-06-19 21:57:58: DEBUG: oakley.c:925:oakley_ph1hash_common(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0653b799 1e7aeaea 75094d3d 0f43b61b 84209fed 1506ec75 8d9bc300 3e877fd6 ccadd64c e13368a0 42613812 26dfda36 d7d316db bcedbbfc 99b3a2d4 414a98f6 467c540c 93d7bb8e fa432340 eee6fe5e 06be58ed 297c16d1 e8583678 fb3d81b7 25705434 c5a72ef7 0679688b 4a924e37 be7ad2d4 50c5bc05 069aa516 580dc414 a3df9d51 158a43d2 c258b345 8551f9ec 898af463 05be394d 252de9fb 1316f2f5 3c36976d 4115e1f5 a7e71140 143cfb48 72acb5b6 e43ba39d 0725e7f5 66b690d4 aeeb44c1 96d91aa7 19adfc71 702bbe5b 07ff613d 74ec9c1c c050fffe 2acc6031 7ce85042 b63cde2d 1a732679 c8a59df5 37cf56ee 4c5a9a75 5b4cd1b3 2675b5e2 7d0cdeaf 25ea8227 0c89ca4d c9898463 00000001 00000001 00000088 00010004 03000020 00010000 800b0001 800c0e10 80010005 80020001 80030001 80040005 03000020 01010000 800b0001 800c0e10 80010005 80020001 80030001 80040002 03000020 02010000 800b0001 800c0e10 80010005 80020002 80030001 80040005 00000020 03010000 800b0001 800c0e10 80010005 80020002 80030001 80040002 50a06566 0330fc32 55d41be3 98726653 f8157e54 011101f4 a7cd6c8b 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:935:oakley_ph1hash_common(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): c8ca3f87 054586f0 a89d7ee7 ec158ac2 2d95f380 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 8, next type 5 2005-06-19 21:57:58: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 20, next type 8 2005-06-19 21:57:58: DEBUG: oakley.c:2807:oakley_do_encrypt(): begin encryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2823:oakley_do_encrypt(): pad length = 4 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0800000c 011101f4 a7cd6c8b 00000018 c8ca3f87 054586f0 a89d7ee7 ec158ac2 2d95f380 00000004 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2858:oakley_do_encrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2866:oakley_do_encrypt(): encrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 423ec5f3 baabc17c 2005-06-19 21:57:58: DEBUG: oakley.c:2873:oakley_do_encrypt(): save IV for next: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 423ec5f3 baabc17c 2005-06-19 21:57:58: DEBUG: oakley.c:2890:oakley_do_encrypt(): encrypted.
- 55 -
2005-06-19 21:57:58: DEBUG: sockmisc.c:421:sendfromto(): sockname 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:423:sendfromto(): send packet from 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:425:sendfromto(): send packet to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 68 bytes message will be sent to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 05100201 00000000 00000044 422789ed 6e932952 810947c1 d1fc921a df0cf5c5 db731df2 76458389 86de585a 423ec5f3 baabc17c 2005-06-19 21:57:58: DEBUG: oakley.c:2608:oakley_newiv2(): compute IV for phase2 2005-06-19 21:57:58: DEBUG: oakley.c:2609:oakley_newiv2(): phase1 last IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 423ec5f3 baabc17c 64dcf6c7 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2641:oakley_newiv2(): phase2 IV computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 3253abb6 863da04f 2005-06-19 21:57:58: DEBUG: oakley.c:806:oakley_compute_hash1(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 64dcf6c7 0000001c 00000001 01106002 0c89ca4d c9898463 7d0cdeaf 25ea8227 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:816:oakley_compute_hash1(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 8a3cf5c3 8307b013 6bd8cda8 332c0a2d d0f7bd29 2005-06-19 21:57:58: DEBUG: isakmp_inf.c:681:isakmp_info_send_common(): outgoing packet dump 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08100501 64dcf6c7 00000050 0b000018 8a3cf5c3 8307b013 6bd8cda8 332c0a2d d0f7bd29 0000001c 00000001 01106002 0c89ca4d c9898463 7d0cdeaf 25ea8227 2005-06-19 21:57:58: DEBUG: oakley.c:2807:oakley_do_encrypt(): begin encryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2823:oakley_do_encrypt(): pad length = 4 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0b000018 8a3cf5c3 8307b013 6bd8cda8 332c0a2d d0f7bd29 0000001c 00000001 01106002 0c89ca4d c9898463 7d0cdeaf 25ea8227 00000004 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2858:oakley_do_encrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2866:oakley_do_encrypt(): encrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 7ce0477b bb718694 2005-06-19 21:57:58: DEBUG: oakley.c:2873:oakley_do_encrypt(): save IV for next: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 7ce0477b bb718694 2005-06-19 21:57:58: DEBUG: oakley.c:2890:oakley_do_encrypt(): encrypted. 2005-06-19 21:57:58: DEBUG: sockmisc.c:421:sendfromto(): sockname 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:423:sendfromto(): send packet from 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:425:sendfromto(): send packet to 167.205.65.16[500]
- 56 -
2005-06-19 21:57:58: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 84 bytes message will be sent to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08100501 64dcf6c7 00000054 170b41aa a582f0ed a2f85e5d 9e54fc8a 5f4f7273 747967f8 373ab59c 7bf4d790 efd1e52b 67639af5 d0663cd8 deede02f 7ce0477b bb718694 2005-06-19 21:57:58: DEBUG: isakmp_inf.c:702:isakmp_info_send_common(): sendto Information notify. 2005-06-19 21:57:58: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 167.205.108.139[500]-167.205.65.16[500] s pi:0c89ca4dc9898463:7d0cdeaf25ea8227 2005-06-19 21:57:58: DEBUG: isakmp.c:680:ph1_main(): === 2005-06-19 21:57:58: DEBUG: isakmp.c:233:isakmp_handler(): === 2005-06-19 21:57:58: DEBUG: isakmp.c:234:isakmp_handler(): 180 bytes message received from 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08102001 1620a2b4 000000b4 16d0bdcf 46e75de0 fcadefdf 2865a273 098e18e9 d1f3dd0a a0e92701 9b96dc28 7c75f071 fa43e036 6acf86f9 890313cc 74a23c1d 44833b23 9bfc23ad f94d863f abb49702 4ab2dd4e 574e3ced 7736e46b b28f4447 7808daa4 73720a05 8770875d dd394859 0cb9b793 033d2c8f 46744bd7 f53a744f 007d7800 5b047989 d1a3a22f de498776 47b59ab9 b6bf4d72 6b8f911d 6a098cde 17d28d7b 2005-06-19 21:57:58: DEBUG: oakley.c:2608:oakley_newiv2(): compute IV for phase2 2005-06-19 21:57:58: DEBUG: oakley.c:2609:oakley_newiv2(): phase1 last IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 423ec5f3 baabc17c 1620a2b4 2005-06-19 21:57:58: DEBUG: algorithm.c:256:alg_oakley_hashdef(): hash(sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2641:oakley_newiv2(): phase2 IV computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): fbf57a5a 562aa1df 2005-06-19 21:57:58: DEBUG: isakmp.c:1054:isakmp_ph2begin_r(): === 2005-06-19 21:57:58: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 167.205.108.139[0]<=>167.205.65 .16[0] 2005-06-19 21:57:58: DEBUG: oakley.c:2684:oakley_do_decrypt(): begin decryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2698:oakley_do_decrypt(): IV was saved for next processing: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 6a098cde 17d28d7b 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2723:oakley_do_decrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2731:oakley_do_decrypt(): decrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 6a098cde 17d28d7b 2005-06-19 21:57:58: DEBUG: oakley.c:2734:oakley_do_decrypt(): decrypted payload, but not trimed. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 01000018 5e4955fa f0b1f39b 9d364ca8 ff9d90be 3d6da337 0a000048 00000001 00000001 0000003c 00030402 acb06afe 03000018 00030000 80040001 80010001
- 57 -
80027080 80050001 00000018 01030000 80040001 80010001 80027080 80050002 05000014 c1acd23f dd44d799 b865dea2 43aee2b7 05000010 04000000 c0a80200 ffffff00 00000010 04000000 c0a80100 ffffff00 00000000 2005-06-19 21:57:58: DEBUG: oakley.c:2743:oakley_do_decrypt(): padding len=0 2005-06-19 21:57:58: DEBUG: oakley.c:2757:oakley_do_decrypt(): skip to trim padding. 2005-06-19 21:57:58: DEBUG: oakley.c:2772:oakley_do_decrypt(): decrypted. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08102001 1620a2b4 000000b4 01000018 5e4955fa f0b1f39b 9d364ca8 ff9d90be 3d6da337 0a000048 00000001 00000001 0000003c 00030402 acb06afe 03000018 00030000 80040001 80010001 80027080 80050001 00000018 01030000 80040001 80010001 80027080 80050002 05000014 c1acd23f dd44d799 b865dea2 43aee2b7 05000010 04000000 c0a80200 ffffff00 00000010 04000000 c0a80100 ffffff00 00000000 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=8(hash) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=1(sa) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=10(nonce) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=5(id) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1006:quick_r1recv(): received IDci2:2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump (): 04000000 c0a80200 ffffff00 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1010:quick_r1recv(): received IDcr2:2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump (): 04000000 c0a80100 ffffff00 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1025:quick_r1recv(): HASH(1) validate:2005-06-19 21:57:58: DEBUG: plog.c:193:plogdu mp(): 5e4955fa f0b1f39b 9d364ca8 ff9d90be 3d6da337 2005-06-19 21:57:58: DEBUG: oakley.c:806:oakley_compute_hash1(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 1620a2b4 0a000048 00000001 00000001 0000003c 00030402 acb06afe 03000018 00030000 80040001 80010001 80027080 80050001 00000018 01030000 80040001 80010001 80027080 80050002 05000014 c1acd23f dd44d799 b865dea2 43aee2b7 05000010 04000000 c0a80200 ffffff00 00000010 04000000 c0a80100 ffffff00 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:816:oakley_compute_hash1(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 5e4955fa f0b1f39b 9d364ca8 ff9d90be 3d6da337 2005-06-19 21:57:58: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected. 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1817:get_sainfo_r(): get sa info: anonymous 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1995:get_proposal_r(): get a src address from ID payload 192.168.2.0[0] prefixlen=2 4 ul_proto=255 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:2000:get_proposal_r(): get dst address from ID payload 192.168.1.0[0] prefixlen=24 ul_proto=255 2005-06-19 21:57:58: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbfe830: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
- 58 -
2005-06-19 21:57:58: DEBUG: policy.c:217:cmpspidxwild(): db: 0x809d808: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in 2005-06-19 21:57:58: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbfe830 masked with /24: 192.168.2.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:246:cmpspidxwild(): 0x809d808 masked with /24: 192.168.2.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:260:cmpspidxwild(): 0xbfbfe830 masked with /24: 192.168.1.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:262:cmpspidxwild(): 0x809d808 masked with /24: 192.168.1.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbfe830: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out 2005-06-19 21:57:58: DEBUG: policy.c:217:cmpspidxwild(): db: 0x809d808: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in 2005-06-19 21:57:58: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbfe830: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out 2005-06-19 21:57:58: DEBUG: policy.c:217:cmpspidxwild(): db: 0x809dc08: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out 2005-06-19 21:57:58: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbfe830 masked with /24: 192.168.1.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:246:cmpspidxwild(): 0x809dc08 masked with /24: 192.168.1.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:260:cmpspidxwild(): 0xbfbfe830 masked with /24: 192.168.2.0[0] 2005-06-19 21:57:58: DEBUG: policy.c:262:cmpspidxwild(): 0x809dc08 masked with /24: 192.168.2.0[0] 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:2056:get_proposal_r(): suitable SP found:192.168.1.0/24[0] 192.168.2.0/24[0] proto= any dir=out 2005-06-19 21:57:58: DEBUG: proposal.c:824:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 2005-06-19 21:57:58: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1116:get_proppair(): total SA len=68 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 00000001 00000001 0000003c 00030402 acb06afe 03000018 00030000 80040001 80010001 80027080 80050001 00000018 01030000 80040001 80010001 80027080 80050002 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=2(prop) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1169:get_proppair(): proposal #0 len=60 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #0 len=24 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Encryption Mode, flag=0x8000, lorv=Tunnel 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds
- 59 -
2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Duration, flag=0x8000, lorv=28800 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2154:check_attr_ipsec(): life duration was in TLV. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #1 len=24 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Encryption Mode, flag=0x8000, lorv=Tunnel 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Duration, flag=0x8000, lorv=28800 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2154:check_attr_ipsec(): life duration was in TLV. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1212:get_proppair(): pair 0: 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80b31b0: next=0x0 tnext=0x80b31c0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80b31c0: next=0x0 tnext=0x0 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1247:get_proppair(): proposal #0: 2 transform 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:947:get_ph2approval(): begin compare proposals. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:953:get_ph2approval(): pair[0]: 0x80b31b0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80b31b0: next=0x0 tnext=0x80b31c0 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80b31c0: next=0x0 tnext=0x0 2005-06-19 21:57:58: DEBUG: proposal.c:680:aproppair2saprop(): prop#=0 prot-id=ESP spi-size=4 #trns=2 trns#=0 trns-id=3DES 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=Encryption Mode, flag=0x8000, lorv=Tunnel 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x8000, lorv=28800 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5 2005-06-19 21:57:58: DEBUG: proposal.c:680:aproppair2saprop(): prop#=0 prot-id=ESP spi-size=4 #trns=2 trns#=1 trns-id=3DES 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=Encryption Mode, flag=0x8000, lorv=Tunnel 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=SA Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=SA Life Duration, flag=0x8000, lorv=28800 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:3666:ipsecdoi_t2satrns(): type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:989:get_ph2approvalx(): peer's single bundle: 2005-06-19 21:57:58: DEBUG: proposal.c:824:printsaproto(): (proto_id=ESP spisize=4 spi=acb06afe spi_p=00000000 encmode=Tunnel reqid=0:0) 2005-06-19 21:57:58: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
- 60 -
2005-06-19 21:57:58: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:992:get_ph2approvalx(): my single bundle: 2005-06-19 21:57:58: DEBUG: proposal.c:824:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) 2005-06-19 21:57:58: DEBUG: proposal.c:858:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-sha) 2005-06-19 21:57:58: ERROR: proposal.c:494:cmpsatrns(): authtype mismatched: my:hmac-sha peer:hmac-md5 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1011:get_ph2approvalx(): matched 2005-06-19 21:57:58: DEBUG: isakmp.c:1088:isakmp_ph2begin_r(): === 2005-06-19 21:57:58: DEBUG: pfkey.c:872:pk_sendgetspi(): call pfkey_send_getspi 2005-06-19 21:57:58: DEBUG: pfkey.c:885:pk_sendgetspi(): pfkey GETSPI sent: ESP/Tunnel 167.205.65.16->167.205.108.139 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1143:quick_r1prep(): pfkey getspi sent. 2005-06-19 21:57:58: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey GETSPI message 2005-06-19 21:57:58: DEBUG: pfkey.c:956:pk_recvgetspi(): pfkey GETSPI succeeded: ESP/Tunnel 167.205.65.16->167.205.108.139 spi =246120096(0xeab7ea0) 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1116:get_proppair(): total SA len=44 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 00000001 00000001 00000024 00030401 00000000 00000018 01030000 80040001 80010001 80027080 80050002 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=2(prop) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1169:get_proppair(): proposal #0 len=36 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=3(trns) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1310:get_transform(): transform #1 len=24 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Encryption Mode, flag=0x8000, lorv=Tunnel 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Type, flag=0x8000, lorv=seconds 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=SA Life Duration, flag=0x8000, lorv=28800 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2154:check_attr_ipsec(): life duration was in TLV. 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:2066:check_attr_ipsec(): type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1212:get_proppair(): pair 0: 2005-06-19 21:57:58: DEBUG: proposal.c:891:print_proppair0(): 0x80b3100: next=0x0 tnext=0x0 2005-06-19 21:57:58: DEBUG: ipsec_doi.c:1247:get_proppair(): proposal #0: 1 transform 2005-06-19 21:57:58: DEBUG: isakmp.c:2159:set_isakmp_payload(): add payload of len 44, next type 10 2005-06-19 21:57:58: DEBUG: isakmp.c:2159:set_isakmp_payload(): add payload of len 16, next type 5 2005-06-19 21:57:58: DEBUG: isakmp.c:2159:set_isakmp_payload(): add payload of len 12, next type 5 2005-06-19 21:57:58: DEBUG: isakmp.c:2159:set_isakmp_payload(): add payload of len 12, next type 0
- 61 -
2005-06-19 21:57:58: DEBUG: oakley.c:806:oakley_compute_hash1(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 1620a2b4 c1acd23f dd44d799 b865dea2 43aee2b7 0a000030 00000001 00000001 00000024 00030401 0eab7ea0 00000018 01030000 80040001 80010001 80027080 80050002 05000014 d974b779 100eb513 2369f0f7 86428913 05000010 04000000 c0a80200 ffffff00 00000010 04000000 c0a80100 ffffff00 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:816:oakley_compute_hash1(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 04bbfcbe d342da4c 1e77ccba b548a52b 1e4e18ee 2005-06-19 21:57:58: DEBUG: isakmp.c:2159:set_isakmp_payload(): add payload of len 20, next type 1 2005-06-19 21:57:58: DEBUG: oakley.c:2807:oakley_do_encrypt(): begin encryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2823:oakley_do_encrypt(): pad length = 4 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 01000018 04bbfcbe d342da4c 1e77ccba b548a52b 1e4e18ee 0a000030 00000001 00000001 00000024 00030401 0eab7ea0 00000018 01030000 80040001 80010001 80027080 80050002 05000014 d974b779 100eb513 2369f0f7 86428913 05000010 04000000 c0a80200 ffffff00 00000010 04000000 c0a80100 ffffff00 00000004 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2858:oakley_do_encrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2866:oakley_do_encrypt(): encrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0cb2fc16 1a8aefa8 2005-06-19 21:57:58: DEBUG: oakley.c:2873:oakley_do_encrypt(): save IV for next: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0cb2fc16 1a8aefa8 2005-06-19 21:57:58: DEBUG: oakley.c:2890:oakley_do_encrypt(): encrypted. 2005-06-19 21:57:58: DEBUG: sockmisc.c:421:sendfromto(): sockname 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:423:sendfromto(): send packet from 167.205.108.139[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:425:sendfromto(): send packet to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 156 bytes message will be sent to 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08102001 1620a2b4 0000009c 251dbef6 93567f2f ee768eed 691259aa 30365938 2ede1ea8 82c3c555 17f34d65 8253c8fe 63d35249 ea1203b6 b040c31c 6eb841ce 6f0ce19b 1f495de1 8c5fde58 20f76a7f 04e6b525 c863d682 2b2ddae2 e70f790d a480977e 547d71f2 19eeeae0 c6e9e2d0 67cfdc5c b530b661 310cf69e 5b52f4ac cfb04fb8 0cb2fc16 1a8aefa8 2005-06-19 21:57:58: DEBUG: isakmp.c:1497:isakmp_ph2resend(): resend phase2 packet 0c89ca4dc9898463:7d0cdeaf25ea8227:00001620 2005-06-19 21:57:58: DEBUG: isakmp.c:233:isakmp_handler(): === 2005-06-19 21:57:58: DEBUG: isakmp.c:234:isakmp_handler(): 52 bytes message received from 167.205.65.16[500] 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08102001 1620a2b4 00000034 9f29b49d ea1f0ba5 fbe9d924 b6e03037 d29fb680 0ae5483e 2005-06-19 21:57:58: DEBUG: oakley.c:2684:oakley_do_decrypt(): begin decryption. 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des)
- 62 -
2005-06-19 21:57:58: DEBUG: oakley.c:2698:oakley_do_decrypt(): IV was saved for next processing: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): d29fb680 0ae5483e 2005-06-19 21:57:58: DEBUG: algorithm.c:386:alg_oakley_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: oakley.c:2723:oakley_do_decrypt(): with key: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 59b5caff efdaa1ff 3fd3cb2d deda37ae 71f4fc29 a15fdf3d 2005-06-19 21:57:58: DEBUG: oakley.c:2731:oakley_do_decrypt(): decrypted payload by IV: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): d29fb680 0ae5483e 2005-06-19 21:57:58: DEBUG: oakley.c:2734:oakley_do_decrypt(): decrypted payload, but not trimed. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 00000018 4cc10ea6 64dc91d4 29d6b64f ee1badf3 f291a12d 2005-06-19 21:57:58: DEBUG: oakley.c:2743:oakley_do_decrypt(): padding len=45 2005-06-19 21:57:58: DEBUG: oakley.c:2757:oakley_do_decrypt(): skip to trim padding. 2005-06-19 21:57:58: DEBUG: oakley.c:2772:oakley_do_decrypt(): decrypted. 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 0c89ca4d c9898463 7d0cdeaf 25ea8227 08102001 1620a2b4 00000034 00000018 4cc10ea6 64dc91d4 29d6b64f ee1badf3 f291a12d 2005-06-19 21:57:58: DEBUG: isakmp.c:1122:isakmp_parsewoh(): begin. 2005-06-19 21:57:58: DEBUG: isakmp.c:1149:isakmp_parsewoh(): seen nptype=8(hash) 2005-06-19 21:57:58: DEBUG: isakmp.c:1188:isakmp_parsewoh(): succeed. 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1430:quick_r3recv(): HASH(3) validate:2005-06-19 21:57:58: DEBUG: plog.c:193:plogdu mp(): 4cc10ea6 64dc91d4 29d6b64f ee1badf3 f291a12d 2005-06-19 21:57:58: DEBUG: oakley.c:750:oakley_compute_hash3(): HASH with: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 001620a2 b4c1acd2 3fdd44d7 99b865de a243aee2 b7d974b7 79100eb5 132369f0 f7864289 13 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:760:oakley_compute_hash3(): HASH computed: 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 4cc10ea6 64dc91d4 29d6b64f ee1badf3 f291a12d 2005-06-19 21:57:58: DEBUG: isakmp.c:746:quick_main(): === 2005-06-19 21:57:58: DEBUG: oakley.c:522:oakley_compute_keymat_x(): KEYMAT compute with 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 030eab7e a0c1acd2 3fdd44d7 99b865de a243aee2 b7d974b7 79100eb5 132369f0 f7864289 13 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:513:alg_ipsec_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: algorithm.c:556:alg_ipsec_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:555:oakley_compute_keymat_x(): encklen=192 authklen=160 2005-06-19 21:57:58: DEBUG: oakley.c:562:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4) 2005-06-19 21:57:58: DEBUG: oakley.c:580:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT. 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1)
- 63 -
2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): cf0fdccf 11149405 776c2b3a bb7105c8 e599912e c4366a39 ca973284 790a2da5 e0c95ab2 883f57ed 3d92b895 c4a6ca1f d78c26d1 34a0eded 6795d931 dacbcbe8 aabefa8c ef4ba1c3 85a0c88f 6cde4fe5 2005-06-19 21:57:58: DEBUG: oakley.c:522:oakley_compute_keymat_x(): KEYMAT compute with 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 03acb06a fec1acd2 3fdd44d7 99b865de a243aee2 b7d974b7 79100eb5 132369f0 f7864289 13 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:513:alg_ipsec_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: algorithm.c:556:alg_ipsec_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: oakley.c:555:oakley_compute_keymat_x(): encklen=192 authklen=160 2005-06-19 21:57:58: DEBUG: oakley.c:562:oakley_compute_keymat_x(): generating 640 bits of key (dupkeymat=4) 2005-06-19 21:57:58: DEBUG: oakley.c:580:oakley_compute_keymat_x(): generating K1...K4 for KEYMAT. 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: algorithm.c:326:alg_oakley_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: plog.c:193:plogdump(): 73de9e78 a6e909b4 46b6e81e 76d2b1b1 226bc97e 496e8a4a 33a3618e c243711b e2758fae bce338f6 f97f43f1 ae48c307 9507086a ae762e7d 4825d71d fe7eb1a4 db093df2 783e6c99 3eee6037 624b385d 2005-06-19 21:57:58: DEBUG: oakley.c:450:oakley_compute_keymat(): KEYMAT computed. 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1613:quick_r3prep(): call pk_sendupdate 2005-06-19 21:57:58: DEBUG: algorithm.c:513:alg_ipsec_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: algorithm.c:556:alg_ipsec_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: pfkey.c:1061:pk_sendupdate(): call pfkey_send_update 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1618:quick_r3prep(): pfkey update sent. 2005-06-19 21:57:58: DEBUG: algorithm.c:513:alg_ipsec_encdef(): encription(3des) 2005-06-19 21:57:58: DEBUG: algorithm.c:556:alg_ipsec_hmacdef(): hmac(hmac_sha1) 2005-06-19 21:57:58: DEBUG: pfkey.c:1313:pk_sendadd(): call pfkey_send_add 2005-06-19 21:57:58: DEBUG: isakmp_quick.c:1625:quick_r3prep(): pfkey add sent. 2005-06-19 21:57:58: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey UPDATE message 2005-06-19 21:57:58: DEBUG: pfkey.c:1190:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 167.205.65.16->167.205.108.139 sp i=246120096(0xeab7ea0) 2005-06-19 21:57:58: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 167.205.65.16->167.205.108.139 spi=2 46120096(0xeab7ea0) 2005-06-19 21:57:58: DEBUG: pfkey.c:1239:pk_recvupdate(): === 2005-06-19 21:57:58: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ADD message 2005-06-19 21:57:58: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 167.205.108.139->167.205.65.16 spi=2897 242878(0xacb06afe) 2005-06-19 21:57:58: DEBUG: pfkey.c:1425:pk_recvadd(): ===
Related Documents
