I've just written a lengthy email on Fedora ML as a reply to Phillip who
seems to be in the same trouble as myself... Found that while searching
all mailing list archives and bugzillas I could think of (not really
successfully, many people with same problems, no answers other than
"works for me" -- glad to hear it works for somebody else, but it would
be nice if he/she was a bit more elaborate why it "works for me").
I'd really like to get IPSec VPN working. I know about OpenVPN, and I
know it works very well, and all that. But being a userland application
based on SSL, it works only between Linux and Windows machines. While
it would do as a temporary solution for a short period of time, I might need
something that has the possibility to interoperate with things such as Cisco
routers and/or dedicated VPN boxes too, if the need for it arises in the
future (and I see it coming, since I do have some Cisco routers around,
and some dedicated VPN boxes, all capable of IPSec). So, OpenVPN
wouldn't be a good way to go (maybe as a temporary solution, until I'm able
to get IPSec stuff working).
Anyhow, the machines in question are CentOS 4.0 with all updates
installed. And since what I actually use is labeled CentOS, I thought
about asking here also...
It seems something is broken in IPSec implementation. Either as
distributed by RedHat (and therefore present in CentOS), or maybe in the
upstream kernel or userland tools. By searching the archives of various
mailing lists, I found many people having problems with it.
I'm attempting to set up IPSec (host2host for now, VPN when I'm done with
the simpler host2host setup) as I write this. Using the native 2.6 kernel
implementation, between two fully updated CentOS 4.0 boxes.
I found this bug report that affects VPN configuration, not really
relevant to my case (host 2 host). I've applied the patches since
configuring VPN is going to be my next step anyhow:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169
There are two proposed patches for ifup-ipsec and ifdown-ipsec scripts
that will go into RHEL3 U6 and RHEL4 U2. Probably Fedora Core has the
same issues.
Looking at log files and monitoring the network with tcpdump (when doing
"ping host-b" from host-a), this seems to be happening. The first
packet from host-a doesn't fly anywhere, as expected. Subsequent
packets are sent, but no response is ever received from host-b. Pinging
from host-b doesn't work at all (no packet leaving host-b, ever).
Summarized:
- host-a attempts to negotiate automatic keying with host-b (success)
- sends encrypted ICMP echo packet to host-b
- host-b attempts to negotiate automatic keying with host-a (looks
like success)
- host-b repeats the previous step indefinitely and never sends back an
encrypted ICMP echo-reply packet to host-a
Looking at the output of "setkey -D" on both hosts, the key tables are
huge after some time. Something doesn't look right, and I can't pinpoint
what's wrong. It looks like a new pair of keys is generated each time
host-b is supposed to send a packet to host-a.
The /etc/sysconfig/network-scripts/ifcfg-IPSecToHostB on host-a looks
something like this:
DST=192.168.1.100
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=X509
IKE_CERTFILE=/etc/racoon/certs/host-a
IKE_PEER_CERTFILE=/etc/racoon/certs/host-b
The /etc/sysconfig/network-scripts/ifcfg-IPSecToHostA on host-b looks
similar (DST and IKE_*CERTFILE pointing the other way). Keys and
certificates for host-a are stored in host-a.private (no passphrase, so
that racoon can read the key) and host-a.public and likewise for host-b,
just the way ifup-ipsec script expects them to be.
After doing "ifup IPSecToHostB" on host-a, and "ifup IPSecToHostA" on
host-b, the generated racoon configuration looks good (long
certificate_type line might get wrapped around by my mail client, but it
is a single line in the configuration file). This is stored in
/etc/racoon/192.168.1.100.conf, which is included from racoon.conf.
remote 192.168.1.100
{
exchange_mode aggressive, main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "/etc/racoon/certs/host-a.public"
"/etc/racoon/certs/host-a.private";
peers_certfile "/etc/racoon/certs/host-b.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
The racoon.conf file looks like this (I made no changes to it, as
installed by ipsec-tools, include statement added by ifup-ipsec script):
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm 3des, blowfish 448, rijndael ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
include "/etc/racoon/192.168.120.165.conf";
Configuration on host-b looks similar, referencing back to host-a.
When I ping host-b, the first packet is dropped, as expected (while
Racoon does its job with automatic keying). I've included an excerpt from
/var/log/message from both host-a and host-b as attachments
(messages-host-*.txt), as well as the output of "tcpdump host-b" that was
running on host-a (tcpdump-host-a.txt). I've put them as attachments to
avoid my mail client making them unreadable by wrapping long lines.
All in all, either I'm missing something really obvious, or something is
really broken as distributed in Fedora/RHEL (and clones)...
--
Aleksandar Milivojevic
amilivojevic@pbl.ca Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
May 12 10:11:54 host-a kernel: NET: Registered protocol family 15
May 12 10:11:54 host-a racoon: INFO: @(#)ipsec-tools 0.3.3 (
http://ipsec-tools.sourceforge.net)
May 12 10:11:54 host-a racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (
http://www.openssl.org/)
May 12 10:11:55 host-a racoon: INFO: 192.168.0.100[500] used as isakmp port (fd=8)
May 12 10:11:55 host-a racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
May 12 10:12:32 host-a racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
May 12 10:12:32 host-a racoon: INFO: initiate new phase 1 negotiation: 192.168.0.100[500]<=>192.168.1.100[500]
May 12 10:12:32 host-a racoon: INFO: begin Aggressive mode.
May 12 10:12:32 host-a racoon: INFO: ISAKMP-SA established 192.168.0.100[500]-192.168.1.100[500] spi:b962c618a3d1137c:d99254c172eb5de5
May 12 10:12:33 host-a racoon: INFO: initiate new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=165105177(0x9d74e19)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=65841791(0x3ecaa7f)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=197556428(0xbc678cc)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=227305975(0xd8c69f7)
May 12 10:12:59 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=80675908(0x4cf0444)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=198278184(0xbd17c28)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=142149191(0x8790647)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=220511737(0xd24bdf9)
May 12 10:13:00 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=236322388(0xe15fe54)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=23039671(0x15f8eb7)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=168473301(0xa0ab2d5)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=34968109(0x215922d)
May 12 10:13:01 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=129055629(0x7b13b8d)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=97213500(0x5cb5c3c)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=12584766(0xc0073e)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=113731845(0x6c76905)
May 12 10:12:02 host-b kernel: NET: Registered protocol family 15
May 12 10:12:03 host-b racoon: INFO: @(#)ipsec-tools 0.3.3 (
http://ipsec-tools.sourceforge.net)
May 12 10:12:03 host-b racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (
http://www.openssl.org/)
May 12 10:12:03 host-b racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=8)
May 12 10:12:03 host-b racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
May 12 10:12:31 host-b racoon: INFO: respond new phase 1 negotiation: 192.168.1.100[500]<=>192.168.0.100[500]
May 12 10:12:31 host-b racoon: INFO: begin Aggressive mode.
May 12 10:12:31 host-b racoon: INFO: ISAKMP-SA established 192.168.1.100[500]-192.168.0.100[500] spi:b962c618a3d1137c:d99254c172eb5de5
May 12 10:12:32 host-b racoon: INFO: respond new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=197556428(0xbc678cc)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=227305975(0xd8c69f7)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=165105177(0x9d74e19)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=65841791(0x3ecaa7f)
May 12 10:12:58 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=142149191(0x8790647)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=220511737(0xd24bdf9)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=80675908(0x4cf0444)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=198278184(0xbd17c28)
May 12 10:12:59 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=168473301(0xa0ab2d5)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=34968109(0x215922d)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=236322388(0xe15fe54)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=23039671(0x15f8eb7)
May 12 10:13:00 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=12584766(0xc0073e)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=113731845(0x6c76905)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=129055629(0x7b13b8d)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=97213500(0x5cb5c3c)
10:12:32.116735 IP host-a.isakmp > host-b.isakmp: isakmp: phase 1 I agg
10:12:32.266347 IP host-b.isakmp > host-a.isakmp: isakmp: phase 1 R agg
10:12:32.266374 IP host-b > host-a: udp
10:12:32.370155 IP host-a.isakmp > host-b.isakmp: isakmp: phase 1 I agg
10:12:32.370228 IP host-a > host-b: udp
10:12:32.370944 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I inf[E]
10:12:32.389413 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R inf[E]
10:12:33.411478 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:33.435885 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:12:33.436808 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:59.369421 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x1): ESP(spi=0x0d8c69f7,seq=0x1)
10:12:59.393050 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:12:59.416746 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:59.418339 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:00.369018 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x2): ESP(spi=0x0d8c69f7,seq=0x2)
10:13:00.392529 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:00.413340 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:13:00.414949 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:01.369325 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x3): ESP(spi=0x0d8c69f7,seq=0x3)
10:13:01.392868 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:01.415756 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:13:01.417302 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:33.407722 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:33.432074 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:33.433031 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
host-a# setkey -D
192.168.1.100 192.168.0.100
esp mode=transport spi=97213500(0x05cb5c3c) reqid=0(0x00000000)
E: 3des-cbc 985da9c3 28e552dc c477cdce 66512651 13afbca9 a1984bcf
A: hmac-sha1 71458a89 4717fcf1 781c4588 930e9b5f 98f3376a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:02 2005
diff: 241(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=15 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
ah mode=transport spi=129055629(0x07b13b8d) reqid=0(0x00000000)
A: hmac-sha1 7dba1ffc aedf1719 8fb451c7 ee81826a 67b1be0a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:02 2005
diff: 241(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=14 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=23039671(0x015f8eb7) reqid=0(0x00000000)
E: 3des-cbc dc20f03c 9c483a84 f4b28e0e 42def71a e88720f1 9c0ac34f
A: hmac-sha1 64caede6 fda16b7d 0a94c78c a0da465d 72421e78
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:03 2005
diff: 243(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=13 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
ah mode=transport spi=236322388(0x0e15fe54) reqid=0(0x00000000)
A: hmac-sha1 2c01e096 86e02e30 59d16c86 3adcd917 d94a6bba
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:03 2005
diff: 243(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=12 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=198278184(0x0bd17c28) reqid=0(0x00000000)
E: 3des-cbc b6a82412 4263eca7 276e33a7 2c170e4c 36391465 2e808e08
A: hmac-sha1 3eae5cc8 83896894 53ccb18e bfa23ba0 d4c8fdb8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:03 2005
diff: 244(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=11 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
ah mode=transport spi=80675908(0x04cf0444) reqid=0(0x00000000)
A: hmac-sha1 6dda1c62 afb2e99e d55e320e 7245fdf9 df1a8c61
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:03 2005
diff: 244(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=10 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=65841791(0x03ecaa7f) reqid=0(0x00000000)
E: 3des-cbc 899e241e db481177 88e14620 3fc0eaad dbc3d769 6d10c818
A: hmac-sha1 150afe5b bbd82d7d fb9917cc 28891bb5 828d5315
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:03 2005
diff: 270(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
ah mode=transport spi=165105177(0x09d74e19) reqid=0(0x00000000)
A: hmac-sha1 ce7cc6b4 86b9dfab 67928a3a 71d1b074 d2703603
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:03 2005
diff: 270(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=8 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=113731845(0x06c76905) reqid=0(0x00000000)
E: 3des-cbc 38b74d9c 71b443d6 23f383db b63f7c19 ef6b506f adf34372
A: hmac-sha1 34884873 8e20a3b3 5dd9a80a 07b7597e 6d578b8b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:03 2005
diff: 242(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=7 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=12584766(0x00c0073e) reqid=0(0x00000000)
A: hmac-sha1 617f44e0 f22ab543 9728e3cd 3739d7b7 11e73e02
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:03 2005
diff: 242(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=6 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=34968109(0x0215922d) reqid=0(0x00000000)
E: 3des-cbc 5ed41af5 e628d951 6ca215e2 3b82e59f 86e09e5b b4a156bf
A: hmac-sha1 2aa99103 66c4332c b3b15a5c 032b1b69 4d23b730
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:04 2005
diff: 244(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=168473301(0x0a0ab2d5) reqid=0(0x00000000)
A: hmac-sha1 dc9ebbf3 c3e56d7c 0ee1a666 389952f0 86b4ac91
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:04 2005
diff: 244(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=220511737(0x0d24bdf9) reqid=0(0x00000000)
E: 3des-cbc cb79158c 491dad95 6641aea1 efebd408 72499132 caeb2692
A: hmac-sha1 5b5b2a54 a40b8b84 3899e885 2f2bfd0a dbbe71a0
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:04 2005
diff: 245(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=142149191(0x08790647) reqid=0(0x00000000)
A: hmac-sha1 4ed8c044 b86f1911 53894bee 2260bd8a 0fb04d51
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:04 2005
diff: 245(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=227305975(0x0d8c69f7) reqid=0(0x00000000)
E: 3des-cbc 562387fe f3e94364 36132d0c 9ab1380d 252026c0 3644312a
A: hmac-sha1 3c358c51 6aa4cec0 dca37231 28398fec c1838efa
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:04 2005
diff: 271(s) hard: 3600(s) soft: 2880(s)
last: May 12 10:12:59 2005 hard: 0(s) soft: 0(s)
current: 360(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=197556428(0x0bc678cc) reqid=0(0x00000000)
A: hmac-sha1 144d8dca 0554524c 99eb29e7 fd697910 f5dfadef
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:04 2005
diff: 271(s) hard: 3600(s) soft: 2880(s)
last: May 12 10:12:59 2005 hard: 0(s) soft: 0(s)
current: 432(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=0 pid=4067 refcnt=0
host-b# setkey -D
192.168.1.100 192.168.0.100
esp mode=transport spi=97213500(0x05cb5c3c) reqid=0(0x00000000)
E: 3des-cbc 985da9c3 28e552dc c477cdce 66512651 13afbca9 a1984bcf
A: hmac-sha1 71458a89 4717fcf1 781c4588 930e9b5f 98f3376a
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:11 2005
diff: 250(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=11 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=23039671(0x015f8eb7) reqid=0(0x00000000)
E: 3des-cbc dc20f03c 9c483a84 f4b28e0e 42def71a e88720f1 9c0ac34f
A: hmac-sha1 64caede6 fda16b7d 0a94c78c a0da465d 72421e78
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:11 2005
diff: 251(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=10 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=198278184(0x0bd17c28) reqid=0(0x00000000)
E: 3des-cbc b6a82412 4263eca7 276e33a7 2c170e4c 36391465 2e808e08
A: hmac-sha1 3eae5cc8 83896894 53ccb18e bfa23ba0 d4c8fdb8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:11 2005
diff: 252(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
esp mode=transport spi=65841791(0x03ecaa7f) reqid=0(0x00000000)
E: 3des-cbc 899e241e db481177 88e14620 3fc0eaad dbc3d769 6d10c818
A: hmac-sha1 150afe5b bbd82d7d fb9917cc 28891bb5 828d5315
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:11 2005
diff: 278(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=8 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=113731845(0x06c76905) reqid=0(0x00000000)
E: 3des-cbc 38b74d9c 71b443d6 23f383db b63f7c19 ef6b506f adf34372
A: hmac-sha1 34884873 8e20a3b3 5dd9a80a 07b7597e 6d578b8b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:11 2005
diff: 250(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=7 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=12584766(0x00c0073e) reqid=0(0x00000000)
A: hmac-sha1 617f44e0 f22ab543 9728e3cd 3739d7b7 11e73e02
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:01 2005 current: May 12 10:17:11 2005
diff: 250(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=6 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=34968109(0x0215922d) reqid=0(0x00000000)
E: 3des-cbc 5ed41af5 e628d951 6ca215e2 3b82e59f 86e09e5b b4a156bf
A: hmac-sha1 2aa99103 66c4332c b3b15a5c 032b1b69 4d23b730
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:11 2005
diff: 251(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=168473301(0x0a0ab2d5) reqid=0(0x00000000)
A: hmac-sha1 dc9ebbf3 c3e56d7c 0ee1a666 389952f0 86b4ac91
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:13:00 2005 current: May 12 10:17:11 2005
diff: 251(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=220511737(0x0d24bdf9) reqid=0(0x00000000)
E: 3des-cbc cb79158c 491dad95 6641aea1 efebd408 72499132 caeb2692
A: hmac-sha1 5b5b2a54 a40b8b84 3899e885 2f2bfd0a dbbe71a0
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:11 2005
diff: 252(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=142149191(0x08790647) reqid=0(0x00000000)
A: hmac-sha1 4ed8c044 b86f1911 53894bee 2260bd8a 0fb04d51
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:59 2005 current: May 12 10:17:11 2005
diff: 252(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
esp mode=transport spi=227305975(0x0d8c69f7) reqid=0(0x00000000)
E: 3des-cbc 562387fe f3e94364 36132d0c 9ab1380d 252026c0 3644312a
A: hmac-sha1 3c358c51 6aa4cec0 dca37231 28398fec c1838efa
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:11 2005
diff: 278(s) hard: 3600(s) soft: 2880(s)
last: May 12 10:12:58 2005 hard: 0(s) soft: 0(s)
current: 192(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
ah mode=transport spi=197556428(0x0bc678cc) reqid=0(0x00000000)
A: hmac-sha1 144d8dca 0554524c 99eb29e7 fd697910 f5dfadef
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 12 10:12:33 2005 current: May 12 10:17:11 2005
diff: 278(s) hard: 3600(s) soft: 2880(s)
last: May 12 10:12:58 2005 hard: 0(s) soft: 0(s)
current: 300(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=0 pid=2730 refcnt=0
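The "huge key tables" symptom above can be checked mechanically rather than by eye. The following is an added example (not from the original post or from ipsec-tools): it parses `setkey -D` output, groups the SAs by source, destination and protocol, and flags any group that accumulated several SAs within a short window without a single byte ever being sent on them, which is exactly what the host-b to host-a direction shows in the dumps. The SAMPLE text is a constructed, abridged excerpt of the host-a dump above; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in `setkey -D` format, abridged from the post's host-a dump.
SAMPLE = """\
192.168.1.100 192.168.0.100
esp mode=transport spi=97213500(0x05cb5c3c) reqid=0(0x00000000)
created: May 12 10:13:01 2005 current: May 12 10:17:02 2005
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
192.168.1.100 192.168.0.100
esp mode=transport spi=23039671(0x015f8eb7) reqid=0(0x00000000)
created: May 12 10:13:00 2005 current: May 12 10:17:03 2005
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
192.168.1.100 192.168.0.100
esp mode=transport spi=65841791(0x03ecaa7f) reqid=0(0x00000000)
created: May 12 10:12:33 2005 current: May 12 10:17:03 2005
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
192.168.0.100 192.168.1.100
esp mode=transport spi=227305975(0x0d8c69f7) reqid=0(0x00000000)
created: May 12 10:12:33 2005 current: May 12 10:17:04 2005
current: 360(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
"""

HDR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})$")
SA_LINE = re.compile(r"^(esp|ah) mode=\w+ spi=(\d+)\(")
CREATED = re.compile(r"^created: (.+?) current:")   # first "current:" is a time
BYTES = re.compile(r"^current: (\d+)\(bytes\)")      # second one is a byte count
ALLOC = re.compile(r"^allocated: (\d+)")
TS = "%b %d %H:%M:%S %Y"

def parse_setkey(text):
    """Parse `setkey -D` output into one dict per security association."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HDR.match(line)):            # "src dst" line starts a new SA
            cur = {"src": m.group(1), "dst": m.group(2), "bytes": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := SA_LINE.match(line)):
            cur["proto"], cur["spi"] = m.group(1), int(m.group(2))
        elif (m := CREATED.match(line)):
            cur["created"] = datetime.strptime(m.group(1), TS)
        elif (m := BYTES.match(line)):
            cur["bytes"] = int(m.group(1))
        elif (m := ALLOC.match(line)):
            cur["allocated"] = int(m.group(1))
    return sas

def summarize(sas):
    """Per (src, dst, proto): number of SAs, bytes carried, SAs never used."""
    groups = defaultdict(lambda: {"count": 0, "bytes": 0, "idle": 0})
    for sa in sas:
        g = groups[(sa["src"], sa["dst"], sa["proto"])]
        g["count"] += 1
        g["bytes"] += sa["bytes"]
        g["idle"] += int(sa["bytes"] == 0)
    return dict(groups)

def find_churn(sas, window_s=120, min_sas=3):
    """Flag groups where min_sas or more SAs that never carried a byte were
    created within window_s seconds (keys negotiated but never used)."""
    idle = defaultdict(list)
    for sa in sas:
        if sa["bytes"] == 0 and "created" in sa:
            idle[(sa["src"], sa["dst"], sa["proto"])].append(sa["created"])
    flagged = []
    for key, times in idle.items():
        times.sort()
        for i in range(len(times) - min_sas + 1):
            if (times[i + min_sas - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(key)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("churning SA groups:", find_churn(parse_setkey(SAMPLE)))
```

On a live box the same functions can be fed the real dump with `parse_setkey(subprocess.check_output(["setkey", "-D"], text=True))`; a flagged group points at the peer whose phase 2 negotiations succeed but whose traffic never leaves on the resulting SA.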