/testing/guestbin/swan-prep west # ipsec start Redirecting to: [initsystem] west # ../../guestbin/wait-until-pluto-started west # ipsec auto --add west-east 002 "west-east": added IKEv1 connection west # ipsec auto --add float-east 002 "float-east": added IKEv1 connection west # ipsec auto --add west-float 002 "west-float": added IKEv1 connection west # echo "initdone" initdone west # ipsec auto --up west-east 002 "west-east" #1: initiating IKEv1 Main Mode connection 1v1 "west-east" #1: sent Main Mode request 1v1 "west-east" #1: sent Main Mode I2 1v1 "west-east" #1: sent Main Mode I3 002 "west-east" #1: Peer ID is ID_FQDN: '@east' 003 "west-east" #1: authenticated peer '2nnn-bit RSA with SHA1' signature using preloaded certificate '@east' 004 "west-east" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 002 "west-east" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES 1v1 "west-east" #2: sent Quick Mode request 004 "west-east" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive} west # ip addr add 192.1.2.66/24 dev eth1 west # arping -c 1 -U -I eth1 192.1.2.66 ARPING 192.1.2.66 from 192.1.2.66 eth1 Sent 1 probes (1 broadcast(s)) Received 0 response(s) west # ipsec auto --ready 002 listening for IKE messages 002 adding UDP interface eth1 192.1.2.66:500 002 adding UDP interface eth1 192.1.2.66:4500 003 two interfaces match "west-float" (eth1 192.1.2.66, eth1 192.1.2.45) 002 "west-float": terminating SAs using this connection 002 forgetting secrets 002 loading secrets from "/etc/ipsec.secrets" 002 no secrets filename matched "/etc/ipsec.d/*.secrets" west # ipsec auto --up float-east #retransmits 002 "float-east" #3: initiating IKEv1 Main Mode connection 1v1 "float-east" #3: sent Main Mode request 1v1 "float-east" #3: sent Main Mode I2 1v1 "float-east" #3: sent Main Mode I3 002 "float-east" #3: Peer ID is ID_FQDN: '@east' 003 "float-east" #3: authenticated peer '2nnn-bit RSA with SHA1' signature using preloaded certificate '@east' 004 "float-east" #3: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 002 "float-east" #4: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES 1v1 "float-east" #4: sent Quick Mode request 004 "float-east" #4: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive} west # ip addr del 192.1.2.66/24 dev eth1 west # # filter the error, it sometimes changes which network error happens (22 vs 101) west # ipsec auto --ready | sed "s/failed in delete notify.*$/failed in delete notify [...]/" 002 listening for IKE messages 002 shutting down interface eth1 192.1.2.66:4500 002 shutting down interface eth1 192.1.2.66:500 002 "float-east" #4: deleting state (STATE_QUICK_I2) and sending notification 005 "float-east" #4: ESP traffic information: in=0B out=0B 002 "float-east" #3: deleting state (STATE_MAIN_I4) and sending notification 003 ERROR: "float-east" #3: send on eth1 from 192.1.2.66:500 to 192.1.2.23:500 using UDP failed in delete notify [...] 002 "float-east" #3: deleting ISAKMP SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS 002 "float-east": unroute-host output: RTNETLINK answers: Network is unreachable 002 forgetting secrets 002 loading secrets from "/etc/ipsec.secrets" 002 no secrets filename matched "/etc/ipsec.d/*.secrets" west # ipsec auto --up west-float #retransmits 002 "west-float" #5: initiating IKEv1 Main Mode connection 1v1 "west-float" #5: sent Main Mode request 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 1 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 2 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 4 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 8 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 16 seconds for response 010 "west-float" #5: STATE_MAIN_I1: retransmission; will wait 32 seconds for response 031 "west-float" #5: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message 000 "west-float" #5: starting keying attempt 2 of an unlimited number, but releasing whack west # # wait for pending cleanups west # sleep 30 west # sleep 30 west # echo done done west # ../../guestbin/ipsec-look.sh west NOW XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX XFRM policy: src 192.1.2.23/32 dst 192.1.2.45/32 dir fwd priority PRIORITY ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel src 192.1.2.23/32 dst 192.1.2.45/32 dir in priority PRIORITY ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel src 192.1.2.45/32 dst 192.1.2.23/32 dir out priority PRIORITY ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES iptables filter TABLE Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI west #