Site-to-site VPN between Cisco PIX 501 and Linux OpenSwan
=========================================================

20060705 fm[at]frank4dd.com

network layout see: http://www.frank4dd.com/pixvpn/


1. OS and software versions
---------------------------

1.1 Pix Side
------------

pixfirewall(config)# sho ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixfirewall up 3 hours 34 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.7cb7.4d32, irq 9
1: ethernet1: address is 0009.7cb7.4d33, irq 10

Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

1.2 Linux Side
--------------

OpenSuse 10.1 - http://www.opensuse.org

uname -a:
Linux tensu 2.6.16.13-4-default #1 Wed May 3 04:53:23 UTC 2006 i686 i686 i386 GNU/Linux

ipsec --version:
Linux Openswan U2.4.4/K2.6.16.13-4-default (netkey)

rpm --query openswan:
openswan-2.4.4-18


2. 3DES-MD5-HMAC configuration
------------------------------

3DES with HMAC-MD5 is the lowest common denominator both peers accept out of the
box. Both also support SHA-1 (PIX: "isakmp policy 5 hash sha" and "esp-sha-hmac",
Openswan: "-sha1"), which is preferable to MD5, and the PIX license here has
VPN-3DES-AES enabled, so section 3 moves the cipher to AES-256.

2.1 Settings Pix 501 side
-------------------------

ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10

sysopt connection permit-ipsec

access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800

access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101

Two of these lines deserve a second look. "sysopt connection permit-ipsec" lets
traffic that arrives through the tunnel bypass the access-list on the outside
interface, so the crypto ACL (100) is effectively what decides which hosts
128.12.3.0/24 can reach on the inside. "nat (inside) 0 access-list 101" exempts
the same traffic from NAT; without it the packets would be translated before
they are matched against access-list 100 and never enter the tunnel.

2.2 Settings Linux Side:
------------------------

eth1      Link encap:Ethernet  HWaddr 00:0C:29:DE:D1:13
          inet addr:128.12.2.10  Bcast:128.12.2.255  Mask:255.255.255.0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:D1:09
          inet addr:128.12.3.1  Bcast:128.12.3.255  Mask:255.255.255.0

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
192.168.1.0     128.12.2.1      255.255.255.0   UG      0 0          0 eth1
128.12.3.0      0.0.0.0         255.255.255.0   U       0 0          0 eth0
128.12.2.0      0.0.0.0         255.255.255.0   U       0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0          0 lo
0.0.0.0         128.12.2.1      0.0.0.0         UG      0 0          0 eth1

/etc/ipsec.conf:
----------------

version 2

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none

conn pix501
    #af=inet
    type=tunnel
    auth=esp
    authby=secret
    left=128.12.2.10
    leftsubnet=128.12.3.0/24
    leftnexthop=128.12.2.1
    right=128.12.1.155
    rightsubnet=192.168.1.0/24
    rightnexthop=128.12.1.10
    esp=3des-md5-96
    ah=hmac-md5-96
    auto=start

Two settings in this file have no effect on this setup. "interfaces=" only
matters with KLIPS; this build uses the 2.6 netkey stack, so pluto ignores it and
binds to every interface (the log in 4.2 shows it adding eth1, eth0 and lo). The
"ah=" line is unused as well: with "auth=esp" the integrity check is carried
inside ESP, and the PIX transform set "esp-3des esp-md5-hmac" does not offer AH
at all. Both sides agree on that in the logs (PIX: "transform: esp-3des
esp-md5-hmac", empty "inbound ah sas:"; Openswan: "xfrm=3DES_0-HMAC_MD5"), and
the AES configuration in section 3 leaves the line commented out.

/etc/ipsec.secrets
------------------

# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA   {
        # RSA 2048 bits   192.168.174.134   Sun Jul  2 18:39:34 2006
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOBc8bupa9fsTtShzNuVuOEW3t3jSm9yniRakwH1shhyuw4vioUoPpf9n6scHU ...
        0da2f29f2d0b472265e7d333ffd432751a1b2f9b89dd2d84b88758a0dff39706b8a513055
        }
# do not change the indenting of that "}"

128.12.2.10 128.12.1.155: PSK "dobsekred"

The RSA block is the host key the distribution generated at install time; it is
not used by this connection because "authby=secret" selects the PSK line. In that
line the colon between the index list (the two peer addresses) and the secret
type is mandatory: a line without it is rejected when pluto loads
/etc/ipsec.secrets.

Since "isakmp identity address" and "authby=secret" make the PSK the only thing
that authenticates either peer, use a long random string rather than a short
word, keep /etc/ipsec.secrets readable by root only, and treat a key that has
appeared in a log or a write-up like this one as burned.


3. AES-256 Settings
-------------------

3.1 Cisco PIX 501 Side
----------------------

ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10

sysopt connection permit-ipsec

access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0

crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash md5
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800

access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101

Compared with 2.1 only three lines change: the transform set (esp-aes-256), the
ISAKMP encryption (aes-256) and the Diffie-Hellman group (5, i.e. modp1536).

3.2 Linux Side
--------------

/etc/ipsec.conf:
----------------

version 2

config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none

conn pix501
    #af=inet
    type=tunnel
    auth=esp
    authby=secret
    left=128.12.2.10
    leftsubnet=128.12.3.0/24
    leftnexthop=128.12.2.1
    right=128.12.1.155
    rightsubnet=192.168.1.0/24
    rightnexthop=128.12.1.10
    esp=aes256-md5
    #ah=aes256-md5
    auto=start

After /etc/init.d/ipsec start, it takes quite a while until the tunnel comes up
(30-45 secs).

Neither conn pins the phase 1 (IKE) proposal. Without an "ike=" line Openswan
offers its default set and the PIX walks through the offered transforms until
one matches "isakmp policy 5"; the PIX log in 4.1.1 shows it rejecting three
3DES proposals (wrong hash or group) before accepting the fourth. To make the
negotiation deterministic, mirror the PIX policy explicitly, for example
"ike=3des-md5-modp1024" for section 2 and "ike=aes256-md5-modp1536" for this
section.

PIX tunnel information:

pixfirewall(config)# show crypto sa

interface: outside
    Crypto map tag: mymap, local addr. 128.12.1.155

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (128.12.3.0/255.255.255.0/0/0)
   current_peer: 128.12.2.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 53, #recv errors 0

     local crypto endpt.: 128.12.1.155, remote crypto endpt.: 128.12.2.10
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 8a1723b9

     inbound esp sas:
      spi: 0xcddac3d0(3453666256)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28735)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8a1723b9(2316772281)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28733)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

pixfirewall(config)#

A quick sanity check when reading this against the Linux side: the PIX's inbound
SPI must be the one Openswan reports as outgoing ("ESP=>0x...") and vice versa,
and the ident lines must be the mirror image of leftsubnet/rightsubnet. The
"ipsec overhead 72" with a 1500 byte path MTU also means tunnelled packets
larger than 1428 bytes will be fragmented unless the inside hosts clamp MSS.


4. Logs
-------

4.1 3DES-MD5-HMAC Logs Cisco side
---------------------------------

4.1.1 Connection start
----------------------

crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:128.12.2.10/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1650817722

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1650817722
ISAKMP (0): processing KE payload. message ID = 1650817722
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1760234288

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1760234288
ISAKMP (0): processing KE payload. message ID = 1760234288
ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from 128.12.2.10 to 128.12.1.155 (proxy 128.12.3.0 to 192.168.1.0)
        has spi 3925191902 and conn_id 7 and flags 25
        lifetime of 28800 seconds
        outbound SA from 128.12.1.155 to 128.12.2.10 (proxy 192.168.1.0 to 128.12.3.0)
        has spi 3293852659 and conn_id 8 and flags 25
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 1
        spi 0, message ID = 3220768692
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 2958373577
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 1027708493
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 3484140146
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 605111463
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 4214817545
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 650903749
return status is IKMP_NO_ERR_NO_TRANS

How to read this: "transform 0" to "transform 3" are Openswan's default phase 1
proposals; only the last one (3DES, MD5, group 2) matches "isakmp policy 5", so
the first three are rejected. NOTIFY 24578 is INITIAL-CONTACT, NOTIFY 14 is
NO-PROPOSAL-CHOSEN and NOTIFY 9 is INVALID-MESSAGE-ID (RFC 2408 values). The
tail of the log, where the PIX keeps retransmitting a quick mode with message
ID 0x5b2c1627 and gets INVALID-MESSAGE-ID back, is consistent with both peers
initiating at once (the Linux log in 4.2 shows pluto both initiating, #1, and
responding, #2): the SAs created above are already in place, and the PIX's own
late quick mode is no longer recognised. Traffic flows regardless.

4.1.2 Connection end
--------------------

crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 83978638, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:5 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:4 Total VPN Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 131175463, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:3 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:2 Total VPN Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1438949591, spi size = 16
ISAKMP (0): deleting SA: src 128.12.2.10, dst 128.12.1.155
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3224698833, spi size = 16
ISAKMP (0): deleting SA: src 128.12.1.155, dst 128.12.2.10
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2f45c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0xa2e7c4, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:128.12.2.10/500 Total VPN peers:0

The DELETE payloads with "spi size = 4" remove the ESP (phase 2) SAs; the two
with "spi size = 16" carry the ISAKMP cookie pair and tear down the phase 1 SA.

4.2 3DES-MD5-HMAC Logs Linux side
---------------------------------

Jul 8 12:07:50 tensu pluto[4532]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 8 12:07:50 tensu pluto[4532]: Setting NAT-Traversal port-4500 floating to off
Jul 8 12:07:50 tensu pluto[4532]:    port floating activation criteria nat_t=0/port_fload=1
Jul 8 12:07:50 tensu pluto[4532]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 8 12:07:50 tensu pluto[4532]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 8 12:07:50 tensu pluto[4532]: starting up 1 cryptographic helpers
Jul 8 12:07:50 tensu pluto[4532]: started helper pid=4545 (fd:6)
Jul 8 12:07:50 tensu pluto[4532]: Using Linux 2.6 IPsec interface code on 2.6.16.13-4-default
Jul 8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 8 12:07:50 tensu pluto[4532]: Could not change to directory '/etc/ipsec.d/aacerts'
Jul 8 12:07:50 tensu pluto[4532]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Jul 8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/crls'
Jul 8 12:07:50 tensu pluto[4532]:   Warning: empty directory
Jul 8 12:07:50 tensu ipsec_setup: Starting Openswan IPsec 2.4.4...
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/net/key/af_key.ko
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/net/ipv4/xfrm4_tunnel.ko
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/net/xfrm/xfrm_user.ko
Jul 8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Jul 8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
Jul 8 12:07:51 tensu pluto[4532]: added connection description "pix501"
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
Jul 8 12:07:51 tensu pluto[4532]: listening for IKE messages
Jul 8 12:07:51 tensu pluto[4532]: adding interface eth1/eth1 128.12.2.10:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface eth0/eth0 128.12.3.1:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface lo/lo 127.0.0.1:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface lo/lo ::1:500
Jul 8 12:07:51 tensu pluto[4532]: loading secrets from "/etc/ipsec.secrets"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "packetdefault"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "packetdefault"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "block"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "block"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear-or-private"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear-or-private"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private-or-clear"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private-or-clear"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private"
Jul 8 12:07:52 tensu pluto[4532]: "pix501" #1: initiating Main Mode
Jul 8 12:07:52 tensu ipsec__plutorun: 104 "pix501" #1: STATE_MAIN_I1: initiate
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not start conn "pix501"
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: responding to Main Mode
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 8 12:07:53 tensu pluto[4532]: initiate on demand from 128.12.3.10:0 to 192.168.1.106:0 proto=0 state: fos_start because: acquire
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload [XAUTH]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: received Vendor ID payload [Dead Peer Detection]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload [Cisco-Unity]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring unknown Vendor ID payload [aa6a3e9da46f0756218da36efb5f4cb0]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload [XAUTH]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: received Vendor ID payload [Dead Peer Detection]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload [Cisco-Unity]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring unknown Vendor ID payload [f15669e577c3a60ea48e9dcec5d0dc8c]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: I did not send a certificate because I do not have one.
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: Main mode peer ID is ID_IPV4_ADDR: '128.12.1.155'
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: received and ignored informational message
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa1ab1604 <0x831ee6c2 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xb7a3ca47 <0x55dd27df xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

The "fatal error in ... %defaultroute requested but not known" and "no connection
named ..." lines do not concern pix501. They come from the opportunistic
encryption connections (packetdefault, block, clear, clear-or-private, private,
private-or-clear) that the distribution's stock ipsec.conf includes; they fail
because no %defaultroute is configured and are harmless here. Remove those
includes, or include the no_oe.conf that Openswan ships under
/etc/ipsec.d/examples/, to silence them. The line that matters is
"STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}", which is exactly
"isakmp policy 5" from section 2.1, followed by the two "IPsec SA established"
lines whose ESP SPIs must show up in "show crypto sa" on the PIX.
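Cross-checking both sides
-------------------------

Every mismatch between the PIX statements in 2.1/3.1 and the Openswan conn in
2.2/3.2 costs a round of log reading, so it helps to compare the two texts
mechanically before starting the tunnel. The script below is an added example
for this page, not code from the original howto or from Openswan; the function
names (parse_pix, parse_conn, cross_check) and the algorithm name tables are
mine. It checks that peer addresses and subnets are mirrored (left/right are
seen from the Linux side), that the ESP transform set maps onto the "esp=" line,
that the "nat 0" exemption covers the crypto ACL, and that the PIX's "isakmp
policy" has a matching "ike=" proposal in the form cipher-hash-modpNNNN. The
sample inputs are the section 2 settings reduced to their crypto-relevant lines.

```python
"""Cross-check PIX 6.3 crypto settings against an Openswan conn (added example)."""
import ipaddress

# PIX keyword -> Openswan algorithm name (only the values used on this page)
ESP_CIPHER = {"esp-3des": "3des", "esp-aes-256": "aes256"}
IKE_CIPHER = {"3des": "3des", "aes-256": "aes256"}
HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "md5": "md5", "sha": "sha1"}
IKE_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536"}


def parse_pix(text):
    """Collect peer, outside address, ACLs, transform set and ISAKMP policy."""
    cfg = {"acls": {}, "policy": {}}
    for line in text.splitlines():
        t = line.split() or [""]
        if t[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = t[3]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # 'addr mask' pairs -> the CIDR notation Openswan uses
            cfg["acls"][t[1]] = tuple(str(ipaddress.ip_network(f"{a}/{m}", strict=False))
                                      for a, m in ((t[4], t[5]), (t[6], t[7])))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["esp"] = (ESP_CIPHER.get(t[4], t[4]), HASH.get(t[5]) if len(t) > 5 else None)
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            cfg["peer"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["acl"] = t[-1]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policy"][t[3]] = t[4]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
    return cfg


def parse_conn(text, name):
    """Return the key=value pairs of one 'conn <name>' stanza, comments stripped."""
    conn, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, val = line.split("=", 1)
            conn[key.strip()] = val.strip().strip('"')
    return conn


def cross_check(pix_text, conn_text, name="pix501"):
    """List every place where the PIX side and the Openswan conn disagree."""
    pix, conn = parse_pix(pix_text), parse_conn(conn_text, name)
    findings = []

    def expect(what, pix_val, osw_val):
        if pix_val != osw_val:
            findings.append(f"{what}: PIX has {pix_val}, Openswan has {osw_val}")

    # The conn is written from the Linux side, so left/right are mirrored.
    expect("IKE peer", pix.get("peer"), conn.get("left"))
    expect("local address", pix.get("outside"), conn.get("right"))
    local_net, remote_net = pix["acls"][pix["acl"]]
    expect("local subnet", local_net, conn.get("rightsubnet"))
    expect("remote subnet", remote_net, conn.get("leftsubnet"))
    # esp=3des-md5-96 / esp=aes256-md5: cipher first, integrity second
    esp = (conn.get("esp", "").split("-") + [None])[:2]
    expect("ESP cipher", pix["esp"][0], esp[0] or None)
    expect("ESP integrity", pix["esp"][1], esp[1])
    # Traffic selected by the crypto ACL must also be exempt from NAT (nat 0).
    if pix["acls"].get(pix.get("nat0")) != (local_net, remote_net):
        findings.append("nat 0 exemption does not cover the crypto ACL")
    pol = pix["policy"]
    want = "-".join(map(str, (IKE_CIPHER.get(pol.get("encryption")),
                              HASH.get(pol.get("hash")), IKE_GROUP.get(pol.get("group")))))
    if "ike" not in conn:
        findings.append(f"ike= unset: Openswan offers its defaults, PIX policy wants {want}")
    else:
        expect("IKE proposal", want, conn["ike"])
    return findings


# Section 2 settings of this page, reduced to the lines the checker looks at.
PIX_3DES = """
ip address outside 128.12.1.155 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101
"""
CONN_3DES = """
conn pix501
    authby=secret
    left=128.12.2.10
    leftsubnet=128.12.3.0/24
    right=128.12.1.155
    rightsubnet=192.168.1.0/24
    esp=3des-md5-96
"""
```

Run against the page's own settings, cross_check(PIX_3DES, CONN_3DES) returns a
single finding, that "ike=" is unset and the PIX policy amounts to
3des-md5-modp1024; adding that "ike=" line to the conn makes the result empty.
Swapping the PIX side to esp-aes-256 while leaving the conn at 3des is reported
as an ESP cipher mismatch, which is the situation section 3 avoids by changing
both sides together.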
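Decoding the PIX proposal checks
--------------------------------

The "debug crypto isakmp" output in 4.1.1 is verbose, and the interesting part,
which of the peer's proposals the PIX rejected and why, is spread over several
lines per transform. The script below is an added example for this page, not
code from the original howto; parse_proposals and explain are names chosen here.
It reads the "Checking ISAKMP transform N" / "Checking IPSec proposal N" blocks,
collects each block's attributes up to the "atts are (not) acceptable" verdict,
and compares them with the PIX's own policy (PIX_PHASE1 and PIX_PHASE2 below are
the section 2.1 "isakmp policy 5" and transform set written in the PIX's log
vocabulary). SAMPLE is an abridged copy of the section 4.1.1 exchange, used as
constructed test input.

```python
"""Summarise PIX 6.3 'debug crypto isakmp' proposal checks (added example)."""
import re

HEADER = re.compile(r"Checking (ISAKMP transform|IPSec proposal) (\d+)")
ATTR = re.compile(r"^ISAKMP:\s+(.+?)\s+(\S+)$")
VERDICT = re.compile(r"atts are (not )?acceptable")
# PIX wording -> short key; phase 1 and phase 2 attributes use different phrases
RENAME = {"default group": "group", "life duration (basic) of": "lifetime",
          "SA life duration (basic) of": "lifetime", "authenticator is": "integrity",
          "group is": "pfs_group", "encaps is": "encaps"}
SKIP = {"life type in", "SA life type in", "attributes in"}


def parse_proposals(log):
    """One dict per checked transform/proposal: phase, index, attributes, verdict."""
    out, cur = [], None
    for line in log.splitlines():
        m = HEADER.search(line)
        if m:
            cur = {"phase": 1 if m.group(1).startswith("ISAKMP") else 2,
                   "index": int(m.group(2)), "attrs": {}, "accepted": None}
            out.append(cur)
        elif cur is None:
            continue
        elif ATTR.match(line.strip()):
            key, val = ATTR.match(line.strip()).groups()
            key = "esp" if key.startswith("transform ") else RENAME.get(key, key)
            if key not in SKIP:
                cur["attrs"][key] = val
        elif VERDICT.search(line):
            cur["accepted"] = VERDICT.search(line).group(1) is None
            cur = None  # attribute lines after the verdict belong to nothing
    return out


def explain(log, phase1_policy, phase2_policy):
    """Attach to each proposal the attributes that differ from the PIX's own policy."""
    report = []
    for p in parse_proposals(log):
        policy = phase1_policy if p["phase"] == 1 else phase2_policy
        diffs = {k: (p["attrs"].get(k), v) for k, v in policy.items()
                 if p["attrs"].get(k) != v}
        report.append((p["phase"], p["index"], p["accepted"], diffs))
    return report


# Abridged copy of the exchange shown in section 4.1.1 (constructed test input).
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISA

KMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
""".replace("ISA\n\nKMP", "ISAKMP")
# What 'isakmp policy 5' and 'transform-set myset' of section 2.1 look like in the log.
PIX_PHASE1 = {"encryption": "3DES-CBC", "hash": "MD5", "auth": "pre-share", "group": "2"}
PIX_PHASE2 = {"esp": "ESP_3DES", "integrity": "HMAC-MD5"}

if __name__ == "__main__":
    for phase, index, accepted, diffs in explain(SAMPLE, PIX_PHASE1, PIX_PHASE2):
        print(f"phase {phase} proposal {index}: {'accepted' if accepted else 'rejected'} {diffs}")
```

For the section 4.1.1 exchange this reports transform 0 rejected for its DH
group (5 instead of 2), transform 1 for hash and group, transform 2 for the
hash, transform 3 accepted, and the single IPsec proposal accepted. The same
diff dictionaries are what you want when the PIX's "atts are not acceptable"
is the only thing the tunnel ever logs: they name the attribute to change on
one side or the other.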