Re: FC3: IPSec Functionality

Phillip T. George wrote:
Hello,

Does anyone seem to be having any trouble with using IPSec in FC3? I've tried using the network tool provided, but it doesn't seem to want to connect. I also tried using my own configuration files (ipsec.conf and ipsec.secrets) and that didn't seem to get anywhere. Here are the results in the logs:
May 2 13:36:24 testimax ipsec: Starting Openswan IPsec U2.1.5/K2.6.9-1.667...
May 2 13:36:25 testimax ipsec: /usr/lib/ipsec/_startklips: KLIPS ipsec0 on eth1 70.182.220.68/255.255.255.224 broadcast 70.182.220.95
May 2 13:36:25 testimax ipsec_setup: KLIPS ipsec0 on eth1 70.182.220.68/255.255.255.224 broadcast 70.182.220.95
May 2 13:36:25 testimax ipsec: /usr/lib/ipsec/_plutorun: Starting Pluto subsystem...
May 2 13:36:25 testimax ipsec_setup: Starting Pluto subsystem...
May 2 13:36:25 testimax ipsec_setup: ...Openswan IPsec started
May 2 13:36:25 testimax ipsec: Starting IPsec: succeeded



Is there some new log file or some new trick I need to know about? I also didn't see ipsec0 listed in /sbin/ifconfig ... seems odd to me. I'm used to openswan on Red Hat 7.3...seemed to work great once I had it configured :) If anyone could provide me with a good link to documentation specifically for FC3 and ipsec, I'd very much appreciate it. I did update openswan and the ipsec-tools to the latest versions.

It seems something is broken in IPSec implementation. Either as distributed by RedHat, or maybe in the upstream kernel or userland tools. If you search the archives, you'll see many people having issues with it.


I'm attempting to setup IPSec (host2host for now, VPN when I'm done with simpler host2host setup) as I write this. Using native 2.6 kernel implementation. This is between two RHEL4 clones (CentOS 4.0), and I found this email of yours while searching the archives (I only found questions about the same problem as mine, but absolutely no answers other than "works for me").

First of all, if setting VPN (network 2 network), check this RHEL bug report, and see if it applies to you:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146169

There are two proposed patches for ifup-ipsec and ifdown-ipsec scripts that will go into RHEL3 U6 and RHEL4 U2. Probably Fedora Core has the same issues.

When done with that, and if it still doesn't work, you most likely have similar problem as myself with automatic keying. Looking at log files and looking with tcpdump what's going on on the wire (when doing "ping host-b" from host-a):

- host-a attempts to negotiate automatic keying with host-b (success)
- sends encrypted ICMP echo packet to host-b
- host-b attempts to negotiate automatic keying with host-a (looks like success)
- host-b repeats previous step indefinitely and never sends back encrypted ICMP echo-reply packet to host-a


Looking at the output of "setkey -D" on both hosts, the key tables are huge after some time. Something doesn't look right, and I can't pinpoint down what's wrong. It looks like new pair of keys is generated each time host-b is supposed to send packet to host-a.

The /etc/sysconfig/network-scripts/ifcfg-IPSecToHostB on host-a looks something like this:

DST=192.168.1.100
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=X509
IKE_CERTFILE=/etc/racoon/certs/host-a
IKE_PEER_CERTFILE=/etc/racoon/certs/host-b

The /etc/sysconfig/network-scripts/ifcfg-IPSecToHostA on host-b looks similar (DST and IKE_*CERTFILE pointing the other way). Keys and certificates for host-a are stored in host-a.private (no passphrase, so that racoon can read the key) and host-a.public and likewise for host-b, just the way ifup-ipsec script expects them to be.

After doing "ifup IPSecToHostB" on host-a, and "ifup IPSecToHostA" on host-b, the generated racoon configuration looks good (long certificate_type line might get wrapped around by my mail client, but it is a single line in the configuration file). This is stored in /etc/racoon/192.168.1.100.conf, which is included from racoon.conf.

remote 192.168.1.100
{
exchange_mode aggressive, main;
my_identifier asn1dn;
peers_identifier asn1dn;
certificate_type x509 "/etc/racoon/certs/host-a.public" "/etc/racoon/certs/host-a.private";
peers_certfile "/etc/racoon/certs/host-b.public";
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}


The racoon.conf file looks like this (I made no changes to it, as installed by ipsec-tools, include statement added by ifup-ipsec script):

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/192.168.120.165.conf";

Configuration on host-b looks similar, referencing back to host-a.

When I ping host-b, the first packet is dropped, as expected (while Racoon does its job with automatic keying). I've included excerpt from /var/log/message from both host-a and host-b as attachments (messages-host-*.txt), as well as output of "tcpdump host-b" that was running on host-a (tcpdump-host-a.txt). I've put them as attachments to avoid my mail client making them unreadable by wrapping around long lines.

All in all, either I'm missing something really obvious, or something is really broken as distributed in Fedora/RHEL (and clones)...

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

[Attachment: messages-host-a.txt]
May 12 10:11:54 host-a kernel: NET: Registered protocol family 15
May 12 10:11:54 host-a racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
May 12 10:11:54 host-a racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
May 12 10:11:55 host-a racoon: INFO: 192.168.0.100[500] used as isakmp port (fd=8)
May 12 10:11:55 host-a racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
May 12 10:12:30 host-a ntpd[2504]: synchronized to LOCAL(0), stratum 10
May 12 10:12:30 host-a ntpd[2504]: kernel time sync disabled 0041
May 12 10:12:32 host-a racoon: INFO: IPsec-SA request for 192.168.1.100 queued due to no phase1 found.
May 12 10:12:32 host-a racoon: INFO: initiate new phase 1 negotiation: 192.168.0.100[500]<=>192.168.1.100[500]
May 12 10:12:32 host-a racoon: INFO: begin Aggressive mode.
May 12 10:12:32 host-a racoon: INFO: ISAKMP-SA established 192.168.0.100[500]-192.168.1.100[500] spi:b962c618a3d1137c:d99254c172eb5de5
May 12 10:12:33 host-a racoon: INFO: initiate new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=165105177(0x9d74e19)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=65841791(0x3ecaa7f)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=197556428(0xbc678cc)
May 12 10:12:33 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=227305975(0xd8c69f7)
May 12 10:12:59 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=80675908(0x4cf0444)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=198278184(0xbd17c28)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=142149191(0x8790647)
May 12 10:12:59 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=220511737(0xd24bdf9)
May 12 10:13:00 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=236322388(0xe15fe54)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=23039671(0x15f8eb7)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=168473301(0xa0ab2d5)
May 12 10:13:00 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=34968109(0x215922d)
May 12 10:13:01 host-a racoon: INFO: respond new phase 2 negotiation: 192.168.0.100[0]<=>192.168.1.100[0]
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=129055629(0x7b13b8d)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=97213500(0x5cb5c3c)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=12584766(0xc0073e)
May 12 10:13:01 host-a racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=113731845(0x6c76905)

[Attachment: messages-host-b.txt]
May 12 10:12:02 host-b kernel: NET: Registered protocol family 15
May 12 10:12:03 host-b racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
May 12 10:12:03 host-b racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
May 12 10:12:03 host-b racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=8)
May 12 10:12:03 host-b racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
May 12 10:12:31 host-b racoon: INFO: respond new phase 1 negotiation: 192.168.1.100[500]<=>192.168.0.100[500]
May 12 10:12:31 host-b racoon: INFO: begin Aggressive mode.
May 12 10:12:31 host-b racoon: INFO: ISAKMP-SA established 192.168.1.100[500]-192.168.0.100[500] spi:b962c618a3d1137c:d99254c172eb5de5
May 12 10:12:32 host-b racoon: INFO: respond new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=197556428(0xbc678cc)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=227305975(0xd8c69f7)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=165105177(0x9d74e19)
May 12 10:12:33 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=65841791(0x3ecaa7f)
May 12 10:12:58 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=142149191(0x8790647)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=220511737(0xd24bdf9)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=80675908(0x4cf0444)
May 12 10:12:59 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=198278184(0xbd17c28)
May 12 10:12:59 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=168473301(0xa0ab2d5)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=34968109(0x215922d)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=236322388(0xe15fe54)
May 12 10:13:00 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=23039671(0x15f8eb7)
May 12 10:13:00 host-b racoon: INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>192.168.0.100[0]
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.0.100->192.168.1.100 spi=12584766(0xc0073e)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.0.100->192.168.1.100 spi=113731845(0x6c76905)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: AH/Transport 192.168.1.100->192.168.0.100 spi=129055629(0x7b13b8d)
May 12 10:13:01 host-b racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.100->192.168.0.100 spi=97213500(0x5cb5c3c)

[Attachment: tcpdump-host-a.txt]
10:12:32.116735 IP host-a.isakmp > host-b.isakmp: isakmp: phase 1 I agg
10:12:32.266347 IP host-b.isakmp > host-a.isakmp: isakmp: phase 1 R agg
10:12:32.266374 IP host-b > host-a: udp
10:12:32.370155 IP host-a.isakmp > host-b.isakmp: isakmp: phase 1 I agg
10:12:32.370228 IP host-a > host-b: udp
10:12:32.370944 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I inf[E]
10:12:32.389413 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R inf[E]
10:12:33.411478 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:33.435885 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:12:33.436808 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:59.369421 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x1): ESP(spi=0x0d8c69f7,seq=0x1)
10:12:59.393050 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:12:59.416746 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:12:59.418339 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:00.369018 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x2): ESP(spi=0x0d8c69f7,seq=0x2)
10:13:00.392529 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:00.413340 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:13:00.414949 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:01.369325 IP host-a > host-b: AH(spi=0x0bc678cc,seq=0x3): ESP(spi=0x0d8c69f7,seq=0x3)
10:13:01.392868 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:13:01.415756 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:13:01.417302 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:33.407722 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:00:33.432074 IP host-b.isakmp > host-a.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:00:33.433031 IP host-a.isakmp > host-b.isakmp: isakmp: phase 2/others I oakley-quick[E]

host-a# setkey -D
192.168.1.100 192.168.0.100
        esp mode=transport spi=97213500(0x05cb5c3c) reqid=0(0x00000000)
        E: 3des-cbc  985da9c3 28e552dc c477cdce 66512651 13afbca9 a1984bcf
        A: hmac-sha1  71458a89 4717fcf1 781c4588 930e9b5f 98f3376a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:02 2005
        diff: 241(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=15 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        ah mode=transport spi=129055629(0x07b13b8d) reqid=0(0x00000000)
        A: hmac-sha1  7dba1ffc aedf1719 8fb451c7 ee81826a 67b1be0a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:02 2005
        diff: 241(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=14 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=23039671(0x015f8eb7) reqid=0(0x00000000)
        E: 3des-cbc  dc20f03c 9c483a84 f4b28e0e 42def71a e88720f1 9c0ac34f
        A: hmac-sha1  64caede6 fda16b7d 0a94c78c a0da465d 72421e78
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:03 2005
        diff: 243(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=13 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        ah mode=transport spi=236322388(0x0e15fe54) reqid=0(0x00000000)
        A: hmac-sha1  2c01e096 86e02e30 59d16c86 3adcd917 d94a6bba
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:03 2005
        diff: 243(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=12 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=198278184(0x0bd17c28) reqid=0(0x00000000)
        E: 3des-cbc  b6a82412 4263eca7 276e33a7 2c170e4c 36391465 2e808e08
        A: hmac-sha1  3eae5cc8 83896894 53ccb18e bfa23ba0 d4c8fdb8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:03 2005
        diff: 244(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=11 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        ah mode=transport spi=80675908(0x04cf0444) reqid=0(0x00000000)
        A: hmac-sha1  6dda1c62 afb2e99e d55e320e 7245fdf9 df1a8c61
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:03 2005
        diff: 244(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=10 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=65841791(0x03ecaa7f) reqid=0(0x00000000)
        E: 3des-cbc  899e241e db481177 88e14620 3fc0eaad dbc3d769 6d10c818
        A: hmac-sha1  150afe5b bbd82d7d fb9917cc 28891bb5 828d5315
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:03 2005
        diff: 270(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=9 pid=4067 refcnt=0
192.168.1.100 192.168.0.100
        ah mode=transport spi=165105177(0x09d74e19) reqid=0(0x00000000)
        A: hmac-sha1  ce7cc6b4 86b9dfab 67928a3a 71d1b074 d2703603
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:03 2005
        diff: 270(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=8 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=113731845(0x06c76905) reqid=0(0x00000000)
        E: 3des-cbc  38b74d9c 71b443d6 23f383db b63f7c19 ef6b506f adf34372
        A: hmac-sha1  34884873 8e20a3b3 5dd9a80a 07b7597e 6d578b8b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:03 2005
        diff: 242(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=7 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=12584766(0x00c0073e) reqid=0(0x00000000)
        A: hmac-sha1  617f44e0 f22ab543 9728e3cd 3739d7b7 11e73e02
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:03 2005
        diff: 242(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=6 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=34968109(0x0215922d) reqid=0(0x00000000)
        E: 3des-cbc  5ed41af5 e628d951 6ca215e2 3b82e59f 86e09e5b b4a156bf
        A: hmac-sha1  2aa99103 66c4332c b3b15a5c 032b1b69 4d23b730
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:04 2005
        diff: 244(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=5 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=168473301(0x0a0ab2d5) reqid=0(0x00000000)
        A: hmac-sha1  dc9ebbf3 c3e56d7c 0ee1a666 389952f0 86b4ac91
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:04 2005
        diff: 244(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=4 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=220511737(0x0d24bdf9) reqid=0(0x00000000)
        E: 3des-cbc  cb79158c 491dad95 6641aea1 efebd408 72499132 caeb2692
        A: hmac-sha1  5b5b2a54 a40b8b84 3899e885 2f2bfd0a dbbe71a0
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:04 2005
        diff: 245(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=142149191(0x08790647) reqid=0(0x00000000)
        A: hmac-sha1  4ed8c044 b86f1911 53894bee 2260bd8a 0fb04d51
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:04 2005
        diff: 245(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=227305975(0x0d8c69f7) reqid=0(0x00000000)
        E: 3des-cbc  562387fe f3e94364 36132d0c 9ab1380d 252026c0 3644312a
        A: hmac-sha1  3c358c51 6aa4cec0 dca37231 28398fec c1838efa
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:04 2005
        diff: 271(s)    hard: 3600(s)   soft: 2880(s)
        last: May 12 10:12:59 2005      hard: 0(s)      soft: 0(s)
        current: 360(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=4067 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=197556428(0x0bc678cc) reqid=0(0x00000000)
        A: hmac-sha1  144d8dca 0554524c 99eb29e7 fd697910 f5dfadef
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:04 2005
        diff: 271(s)    hard: 3600(s)   soft: 2880(s)
        last: May 12 10:12:59 2005      hard: 0(s)      soft: 0(s)
        current: 432(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=4067 refcnt=0

host-b# setkey -D
192.168.1.100 192.168.0.100
        esp mode=transport spi=97213500(0x05cb5c3c) reqid=0(0x00000000)
        E: 3des-cbc  985da9c3 28e552dc c477cdce 66512651 13afbca9 a1984bcf
        A: hmac-sha1  71458a89 4717fcf1 781c4588 930e9b5f 98f3376a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:11 2005
        diff: 250(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=11 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=23039671(0x015f8eb7) reqid=0(0x00000000)
        E: 3des-cbc  dc20f03c 9c483a84 f4b28e0e 42def71a e88720f1 9c0ac34f
        A: hmac-sha1  64caede6 fda16b7d 0a94c78c a0da465d 72421e78
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:11 2005
        diff: 251(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=10 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=198278184(0x0bd17c28) reqid=0(0x00000000)
        E: 3des-cbc  b6a82412 4263eca7 276e33a7 2c170e4c 36391465 2e808e08
        A: hmac-sha1  3eae5cc8 83896894 53ccb18e bfa23ba0 d4c8fdb8
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:11 2005
        diff: 252(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=9 pid=2730 refcnt=0
192.168.1.100 192.168.0.100
        esp mode=transport spi=65841791(0x03ecaa7f) reqid=0(0x00000000)
        E: 3des-cbc  899e241e db481177 88e14620 3fc0eaad dbc3d769 6d10c818
        A: hmac-sha1  150afe5b bbd82d7d fb9917cc 28891bb5 828d5315
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:11 2005
        diff: 278(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=8 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=113731845(0x06c76905) reqid=0(0x00000000)
        E: 3des-cbc  38b74d9c 71b443d6 23f383db b63f7c19 ef6b506f adf34372
        A: hmac-sha1  34884873 8e20a3b3 5dd9a80a 07b7597e 6d578b8b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:11 2005
        diff: 250(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=7 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=12584766(0x00c0073e) reqid=0(0x00000000)
        A: hmac-sha1  617f44e0 f22ab543 9728e3cd 3739d7b7 11e73e02
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:01 2005   current: May 12 10:17:11 2005
        diff: 250(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=6 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=34968109(0x0215922d) reqid=0(0x00000000)
        E: 3des-cbc  5ed41af5 e628d951 6ca215e2 3b82e59f 86e09e5b b4a156bf
        A: hmac-sha1  2aa99103 66c4332c b3b15a5c 032b1b69 4d23b730
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:11 2005
        diff: 251(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=5 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=168473301(0x0a0ab2d5) reqid=0(0x00000000)
        A: hmac-sha1  dc9ebbf3 c3e56d7c 0ee1a666 389952f0 86b4ac91
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:13:00 2005   current: May 12 10:17:11 2005
        diff: 251(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=4 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=220511737(0x0d24bdf9) reqid=0(0x00000000)
        E: 3des-cbc  cb79158c 491dad95 6641aea1 efebd408 72499132 caeb2692
        A: hmac-sha1  5b5b2a54 a40b8b84 3899e885 2f2bfd0a dbbe71a0
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:11 2005
        diff: 252(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=142149191(0x08790647) reqid=0(0x00000000)
        A: hmac-sha1  4ed8c044 b86f1911 53894bee 2260bd8a 0fb04d51
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:59 2005   current: May 12 10:17:11 2005
        diff: 252(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        esp mode=transport spi=227305975(0x0d8c69f7) reqid=0(0x00000000)
        E: 3des-cbc  562387fe f3e94364 36132d0c 9ab1380d 252026c0 3644312a
        A: hmac-sha1  3c358c51 6aa4cec0 dca37231 28398fec c1838efa
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:11 2005
        diff: 278(s)    hard: 3600(s)   soft: 2880(s)
        last: May 12 10:12:58 2005      hard: 0(s)      soft: 0(s)
        current: 192(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=2730 refcnt=0
192.168.0.100 192.168.1.100
        ah mode=transport spi=197556428(0x0bc678cc) reqid=0(0x00000000)
        A: hmac-sha1  144d8dca 0554524c 99eb29e7 fd697910 f5dfadef
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May 12 10:12:33 2005   current: May 12 10:17:11 2005
        diff: 278(s)    hard: 3600(s)   soft: 2880(s)
        last: May 12 10:12:58 2005      hard: 0(s)      soft: 0(s)
        current: 300(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=2730 refcnt=0
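
The by-eye check described in the message ("the key tables are huge"), as an added example that is not part of the original message or of ipsec-tools: a parser for `setkey -D` output that flags flows holding more mature SAs than a rekey overlap explains, and peers for which an expected protocol has no outbound SA. The sample SAD is constructed; `fake_sa`, the `max_mature=2` threshold and the expectation of both ah and esp (taken from the AH/Transport and ESP/Transport log lines above) are assumptions, and only IPv4 entries without port suffixes are handled.

```python
import re
from collections import Counter

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER = re.compile(rf"^({IP})\s+({IP})\s*$")
PROTO = re.compile(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)")
STATE = re.compile(r"\bstate=(\w+)")
# "current:" appears twice per SA: as a timestamp on the "created:" line and
# as the byte counter. Only the byte counter starts its own line.
USED = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")


def parse_sad(text):
    """Parse `setkey -D` text into a list of SA dicts."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                   "spi": None, "state": None, "bytes": 0}
            sas.append(cur)
            continue
        if cur is None:              # shell prompt or banner before the first SA
            continue
        m = PROTO.match(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), int(m.group(3))
            continue
        m = STATE.search(line)
        if m:
            cur["state"] = m.group(1)
            continue
        m = USED.match(line)
        if m:
            cur["bytes"] = int(m.group(1))
    return [sa for sa in sas if sa["proto"]]    # drop truncated entries


def flow_counts(sas):
    """Per (src, dst, proto): (mature SAs, mature SAs that carried traffic)."""
    total, used = Counter(), Counter()
    for sa in sas:
        if sa["state"] != "mature":
            continue
        key = (sa["src"], sa["dst"], sa["proto"])
        total[key] += 1
        used[key] += int(sa["bytes"] > 0)
    return {k: (total[k], used[k]) for k in total}


def churned_flows(sas, max_mature=2):
    """Flows with more mature SAs than one rekey overlap (old + new) explains."""
    return sorted(k for k, (n, _) in flow_counts(sas).items() if n > max_mature)


def missing_outbound(sas, local_ip, expected=("ah", "esp")):
    """Per peer, the expected protocols that have no mature outbound SA."""
    have = {}
    for src, dst, proto in flow_counts(sas):
        if src == local_ip:
            have.setdefault(dst, set()).add(proto)
        elif dst == local_ip:
            have.setdefault(src, set())         # peer seen on inbound SAs only
    return {peer: sorted(set(expected) - protos)
            for peer, protos in have.items() if set(expected) - protos}


def fake_sa(src, dst, proto, spi, used_bytes):
    """Render one constructed SA entry in the layout setkey -D prints (no keys)."""
    return (f"{src} {dst}\n"
            f"\t{proto} mode=transport spi={spi}(0x{spi:08x}) reqid=0(0x00000000)\n"
            f"\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
            f"\tcreated: May 12 10:12:33 2005\tcurrent: May 12 10:17:11 2005\n"
            f"\tcurrent: {used_bytes}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n")


A, B = "192.168.0.100", "192.168.1.100"
# Constructed SAD as seen on B after three negotiation rounds: inbound ah+esp
# from A (only the first pair used), outbound esp to A, and no outbound ah.
SAMPLE_HOST_B = "host-b# setkey -D\n" + "".join(
    [fake_sa(B, A, "esp", 0x3000 + i, 0) for i in range(3)] +
    [fake_sa(A, B, proto, base + i, 300 if i == 0 else 0)
     for i in range(3) for proto, base in (("ah", 0x1000), ("esp", 0x2000))])

if __name__ == "__main__":
    sas = parse_sad(SAMPLE_HOST_B)
    print("churned flows:", churned_flows(sas))
    print("missing outbound on host-b:", missing_outbound(sas, B))
```

In the host-b dump above, the entries from 192.168.1.100 to 192.168.0.100 are all esp, which is the condition `missing_outbound` reports.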
