This page is a reference setup listing, meant as an update to the previously described setup of a Cisco PIX 501 and Linux using 3DES. Read the article here.

Network Layout

[Figure: VPN network layout, PIX 501 to OpenSwan]

Cisco Pix 501 OS version


pixfirewall(config)# sho ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pixfirewall up 3 hours 34 mins

Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: address is 0009.7cb7.4d32, irq 9
1: ethernet1: address is 0009.7cb7.4d33, irq 10
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          2
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                10
Throughput:                  Unlimited
IKE peers:                   10

Linux OS and VPN version


OpenSuse 10.1 http://www.opensuse.org
uname -a: Linux tensu 2.6.16.13-4-default #1 Wed May 3 04:53:23 UTC 2006
i686 i686 i386 GNU/Linux
ipsec --version: Linux Openswan U2.4.4/K2.6.16.13-4-default (netkey)
rpm --query openswan: openswan-2.4.4-18

3DES-MD5-HMAC setup Pix 501


ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10
sysopt connection permit-ipsec 
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101

3DES-MD5-HMAC setup Linux Side


eth1      Link encap:Ethernet  HWaddr 00:0C:29:DE:D1:13  
          inet addr:128.12.2.10  Bcast:128.12.2.255  Mask:255.255.255.0

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:D1:09  
          inet addr:128.12.3.1  Bcast:128.12.3.255  Mask:255.255.255.0

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     128.12.2.1      255.255.255.0   UG        0 0          0 eth1
128.12.3.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
128.12.2.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         128.12.2.1      0.0.0.0         UG        0 0          0 eth1

/etc/ipsec.conf:
----------------
version 2

config setup
  interfaces="ipsec0=eth1"
  klipsdebug=none
  plutodebug=none

conn pix501
  #af=inet
  type=tunnel
  auth=esp
  authby=secret
  left=128.12.2.10
  leftsubnet=128.12.3.0/24
  leftnexthop=128.12.2.1
  right=128.12.1.155
  rightsubnet=192.168.1.0/24
  rightnexthop=128.12.1.10
  esp=3des-md5-96
  ah=hmac-md5-96
  auto=start

/etc/ipsec.secrets
------------------
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA	{
	# RSA 2048 bits   192.168.174.134   Sun Jul  2 18:39:34 2006
	# for signatures only, UNSAFE FOR ENCRYPTION
	#pubkey=0sAQOBc8bupa9fsTtShzNuVuOEW3t3jSm9yniRakwH1shu4ioUoPpf9n6scHU
...
0da2f29f2d0b472265e7d333ffd432751a1b2f9b89dd2d84b88758a0dff39706b8a513055
  }
# do not change the indenting of that "}"
128.12.2.10 128.12.1.155: PSK "dobsekred"
Important is the colon ":" in /etc/ipsec.secrets; this is a new syntax introduced with Openswan and is not needed with FreeS/WAN.

AES-256 setup Cisco PIX 501


ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10
sysopt connection permit-ipsec 
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash md5
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101

AES-256 setup Linux Side


/etc/ipsec.conf:
----------------
version 2

config setup
  interfaces="ipsec0=eth1"
  klipsdebug=none
  plutodebug=none

conn pix501
  #af=inet
  type=tunnel
  auth=esp
  authby=secret
  left=128.12.2.10
  leftsubnet=128.12.3.0/24
  leftnexthop=128.12.2.1
  right=128.12.1.155
  rightsubnet=192.168.1.0/24
  rightnexthop=128.12.1.10
  esp=aes256-md5
  auto=start
After /etc/init.d/ipsec start it takes quite a while (30-45 seconds) until the tunnel comes up.
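The PIX crypto map and the Openswan conn above (both the 3DES and the AES-256 pair) have to mirror each other: the PIX peer is Openswan's left, the PIX outside address is Openswan's right, the crypto ACL is rightsubnet/leftsubnet seen from the other side, and the transform set is the esp= line under a different name. The following Python script is an added example, not part of this listing or of either project: it parses a PIX configuration and an Openswan conn block plus its ipsec.secrets line and reports every place the two sides disagree. The embedded configurations are copied from the listing; the OSW_BAD variant is constructed to show a failing check, and the PIX-to-Openswan algorithm name mapping in ALG is an assumption for the algorithms used here.

```python
"""Mirror-check a PIX crypto map against the Openswan conn it should match. Added
example, not part of the listing; embedded configs are copied from it, OSW_BAD is constructed."""
import ipaddress
import re

# PIX transform-set keyword -> Openswan esp= keyword (assumed mapping)
ALG = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256",
       "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

PIX_RULES = [  # (regex, handler) pairs tried against every PIX configuration line
    (r"ip address outside (\S+)", lambda c, m: c.update(outside=m[1])),
    (r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)",
     lambda c, m: c["acl"].update({m[1]: (ipaddress.ip_network(f"{m[2]}/{m[3]}"),
                                          ipaddress.ip_network(f"{m[4]}/{m[5]}"))})),
    (r"crypto ipsec transform-set (\S+) (.+)", lambda c, m: c["tsets"].update({m[1]: m[2].split()})),
    (r"crypto map \S+ \d+ match address (\S+)", lambda c, m: c.update(match_acl=m[1])),
    (r"crypto map \S+ \d+ set peer (\S+)", lambda c, m: c.update(peer=m[1])),
    (r"crypto map \S+ \d+ set transform-set (\S+)", lambda c, m: c.update(tset=m[1])),
    (r"isakmp key (\S+) address (\S+) netmask", lambda c, m: c.update(psk=m[1], psk_peer=m[2])),
]

def parse_pix(text):
    """Extract outside address, crypto ACL, transform set, peer and PSK."""
    cfg = {"acl": {}, "tsets": {}}
    for line in text.splitlines():
        for pattern, handler in PIX_RULES:
            m = re.match(pattern, line.strip())
            if m:
                handler(cfg, m)
                break
    return cfg

def parse_openswan(conf, name, secrets):
    """Read one conn block from ipsec.conf and its PSK line from ipsec.secrets."""
    conn, inside = {}, False
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            inside = s.split(None, 1)[1] == name
        elif inside and s and not s.startswith("#") and line[:1].isspace():
            key, _, value = s.partition("=")
            conn[key.strip()] = value.strip()
        elif s and not line[:1].isspace():
            inside = False  # any other top-level line ends the conn block
    for line in secrets.splitlines():
        m = re.match(r'\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', line)
        if m and {m[1], m[2]} == {conn.get("left"), conn.get("right")}:
            conn["psk"] = m[3]
    return conn

def pix_esp(words):
    # 'esp-3des esp-md5-hmac' -> '3des-md5', the Openswan cipher-integrity form
    cipher = [ALG[w] for w in words if not w.endswith("-hmac")]
    integ = [ALG[w] for w in words if w.endswith("-hmac")]
    return f"{cipher[0]}-{integ[0]}"

def compare(pix, osw):
    """List every way the two sides fail to mirror each other; [] means consistent."""
    local, remote = pix["acl"][pix["match_acl"]]
    pairs = [
        ("crypto map peer / left", pix.get("peer"), osw.get("left")),
        ("outside address / right", pix.get("outside"), osw.get("right")),
        ("isakmp key address / left", pix.get("psk_peer"), osw.get("left")),
        ("pre-shared key", pix.get("psk"), osw.get("psk")),
        ("crypto ACL source / rightsubnet", str(local), osw.get("rightsubnet")),
        ("crypto ACL destination / leftsubnet", str(remote), osw.get("leftsubnet")),
        ("ESP transform", pix_esp(pix["tsets"][pix["tset"]]),
         re.sub(r"-96$", "", osw.get("esp", ""))),  # 3des-md5-96 == 3des-md5
    ]
    return [f"{label}: PIX {a!r} vs Openswan {b!r}" for label, a, b in pairs if a != b]

PIX_3DES = """\
ip address outside 128.12.1.155 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
"""
PIX_AES = PIX_3DES.replace("esp-3des esp-md5-hmac", "esp-aes-256 esp-md5-hmac")
OSW_3DES = """\
conn pix501
  authby=secret
  left=128.12.2.10
  leftsubnet=128.12.3.0/24
  right=128.12.1.155
  rightsubnet=192.168.1.0/24
  esp=3des-md5-96
"""
OSW_AES = OSW_3DES.replace("esp=3des-md5-96", "esp=aes256-md5")
# constructed: wrong ESP proposal and wrong remote subnet on the Linux side
OSW_BAD = OSW_3DES.replace("esp=3des-md5-96", "esp=aes128-sha1").replace(
    "rightsubnet=192.168.1.0/24", "rightsubnet=192.168.2.0/24")
SECRETS = '128.12.2.10 128.12.1.155: PSK "dobsekred"\n'

def run_checks():
    cases = [("3des", PIX_3DES, OSW_3DES), ("aes256", PIX_AES, OSW_AES), ("bad", PIX_3DES, OSW_BAD)]
    return {n: compare(parse_pix(p), parse_openswan(o, "pix501", SECRETS)) for n, p, o in cases}
```

The script only covers Phase 2 and the addressing; the conn sets no ike= line, so the Phase 1 proposal cannot be checked from the configuration. Openswan then offers its default list of Main Mode transforms, which is why the PIX debug log further down shows several transforms rejected as "atts are not acceptable" before one matches isakmp policy 5.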

PIX tunnel information

pixfirewall(config)# show crypto sa

interface: outside
    Crypto map tag: mymap, local addr. 128.12.1.155

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (128.12.3.0/255.255.255.0/0/0)
   current_peer: 128.12.2.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 53, #recv errors 0

     local crypto endpt.: 128.12.1.155, remote crypto endpt.: 128.12.2.10
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 8a1723b9

     inbound esp sas:
      spi: 0xcddac3d0(3453666256)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28735)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x8a1723b9(2316772281)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28733)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


pixfirewall(config)#

3DES-MD5-HMAC Logs Cisco side - connection start

crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600

ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:128.12.2.10/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt incremented to:1 Total VPN
 Peers:1
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1650817722

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1650817722

ISAKMP (0): processing KE payload. message ID = 1650817722

ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1760234288

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      group is 2
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1760234288

ISAKMP (0): processing KE payload. message ID = 1760234288

ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from     128.12.2.10 to    128.12.1.155 (proxy      128.12.3.
0 to     192.168.1.0)
        has spi 3925191902 and conn_id 7 and flags 25
        lifetime of 28800 seconds
        outbound SA from    128.12.1.155 to     128.12.2.10 (proxy     192.168.1
.0 to      128.12.3.0)
        has spi 3293852659 and conn_id 8 and flags 25
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 1
        spi 0, message ID = 3220768692
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 2958373577
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 1027708493
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 3484140146
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 605111463
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 4214817545
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
        spi 0, message ID = 650903749
return status is IKMP_NO_ERR_NO_TRANS
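The four "Checking ISAKMP transform N against priority 5 policy" blocks above are where a Phase 1 mismatch is found: the PIX walks the peer's proposals and prints "atts are not acceptable" until one matches its own isakmp policy. The following Python script is an added example, not part of the listing: it parses those blocks, compares each offered transform with the attributes of the local policy and names the attribute that caused a rejection. LOG is a trimmed copy of the log above (transforms 0, 2 and 3); POLICY mirrors the 3DES setup's isakmp policy 5.

```python
"""Explain the PIX 'debug crypto isakmp' Phase 1 proposal checks: which offered
transform the PIX accepted and why it rejected the others.
Added example, not part of the listing; LOG is a trimmed copy of the listing's
connection-start log (transforms 0, 2 and 3), POLICY mirrors 'isakmp policy 5'
of the 3DES setup."""
import re

POLICY = {"encryption": "3des", "hash": "md5", "auth": "pre-share", "group": "2"}

HEADER = re.compile(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group) (\S+)")
LIFE = re.compile(r"ISAKMP:\s+life duration \(basic\) of (\d+)")
RESULT = re.compile(r"ISAKMP \(\d+\): atts are (not )?acceptable")


def normalize(key, value):
    """Map the debug spelling onto 'isakmp policy' keywords (3DES-CBC -> 3des)."""
    value = value.lower()
    if key == "encryption":
        value = value.replace("-cbc", "")
    return ("group" if key == "default group" else key), value


def parse_transforms(log):
    """One dict per offered transform: index, policy, attrs, lifetime, accepted."""
    transforms, current = [], None
    for line in log.splitlines():
        if m := HEADER.match(line):
            current = {"index": int(m[1]), "policy": int(m[2]), "attrs": {},
                       "lifetime": None, "accepted": None}
            transforms.append(current)
        elif current is None:
            continue  # lines outside a transform block
        elif m := ATTR.match(line):
            key, value = normalize(m[1], m[2])
            current["attrs"][key] = value
        elif m := LIFE.match(line):
            current["lifetime"] = int(m[1])
        elif m := RESULT.match(line):
            current["accepted"] = m[1] is None
            current = None
    return transforms


def mismatches(transform, policy=POLICY):
    """Attributes that differ from the local policy. Lifetime is deliberately not
    compared: the listing shows a 3600 s offer accepted against a 28800 s policy."""
    return [f"{k}: offered {transform['attrs'].get(k)!r}, policy {v!r}"
            for k, v in policy.items() if transform["attrs"].get(k) != v]


def diagnose(log, policy=POLICY):
    """Map transform index -> list of mismatches; the accepted transform maps to []."""
    return {t["index"]: mismatches(t, policy) for t in parse_transforms(log)}


def consistent(log, policy=POLICY):
    """True when the PIX verdict on every transform agrees with this explanation,
    i.e. the supplied policy really is the one the PIX evaluated against."""
    return all(t["accepted"] == (not mismatches(t, policy)) for t in parse_transforms(log))


LOG = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 3600
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
"""

if __name__ == "__main__":
    for index, problems in diagnose(LOG).items():
        print(f"transform {index}:", "accepted" if not problems else "; ".join(problems))
```

Run over the full log above it reports transform 0 rejected on group, transform 1 on hash and group, transform 2 on hash, and transform 3 accepted. The policy number to put in POLICY is the one printed in the "against priority N policy" header; consistent() returning False means the attributes given do not describe the policy the PIX actually evaluated.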

3DES-MD5-HMAC Logs Cisco side - connection end


 crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500 
ISAKMP (0): processing DELETE payload. message ID = 83978638, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:5 Total VPN
 Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:4 Total VPN
 Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 131175463, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:3 Total VPN
 Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:2 Total VPN
 Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1438949591, spi size = 16
ISAKMP (0): deleting SA: src 128.12.2.10, dst 128.12.1.155
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3224698833, spi size = 16
ISAKMP (0): deleting SA: src 128.12.1.155, dst 128.12.2.10
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2f45c, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:1 Total VPN
 Peers:1
ISADB: reaper checking SA 0xa2e7c4, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:0 Total VPN
 Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:128.12.2.10/500 Total VPN peers:0

3DES-MD5-HMAC Logs Linux side


Jul  8 12:07:50 tensu pluto[4532]: Starting Pluto (Openswan Version 2.4.4
 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul  8 12:07:50 tensu pluto[4532]: Setting NAT-Traversal port-4500 floating to off
Jul  8 12:07:50 tensu pluto[4532]:    port floating activation criteria
 nat_t=0/port_fload=1
Jul  8 12:07:50 tensu pluto[4532]:   including NAT-Traversal patch (Version 0.6c)
 [disabled]
Jul  8 12:07:50 tensu pluto[4532]: ike_alg_register_enc(): Activating
 OAKLEY_AES_CBC: Ok (ret=0)
Jul  8 12:07:50 tensu pluto[4532]: starting up 1 cryptographic helpers
Jul  8 12:07:50 tensu pluto[4532]: started helper pid=4545 (fd:6)
Jul  8 12:07:50 tensu pluto[4532]: Using Linux 2.6 IPsec interface code on
 2.6.16.13-4-default
Jul  8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/cacerts'
Jul  8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/crls'
Jul  8 12:07:50 tensu pluto[4532]:   Warning: empty directory
Jul  8 12:07:50 tensu ipsec_setup: Starting Openswan IPsec 2.4.4...
Jul  8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/key/af_key.ko 
Jul  8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/ipv4/xfrm4_tunnel.ko 
Jul  8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/xfrm/xfrm_user.ko 
Jul  8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "packetdefault":
 %defaultroute requested but not known
Jul  8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "block":
 %defaultroute requested but not known
Jul  8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in
 "clear-or-private": %defaultroute requested but not known
Jul  8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "clear":
 %defaultroute requested but not known
Jul  8 12:07:51 tensu pluto[4532]: added connection description "pix501"
Jul  8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in
 "private-or-clear": %defaultroute requested but not known
Jul  8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "private":
 %defaultroute requested but not known
Jul  8 12:07:51 tensu pluto[4532]: listening for IKE messages
Jul  8 12:07:51 tensu pluto[4532]: adding interface eth1/eth1 128.12.2.10:500
Jul  8 12:07:51 tensu pluto[4532]: adding interface eth0/eth0 128.12.3.1:500
Jul  8 12:07:51 tensu pluto[4532]: adding interface lo/lo 127.0.0.1:500
Jul  8 12:07:51 tensu pluto[4532]: adding interface lo/lo ::1:500
Jul  8 12:07:51 tensu pluto[4532]: loading secrets from "/etc/ipsec.secrets"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "packetdefault"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "packetdefault"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "block"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "block"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear-or-private"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear-or-private"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private-or-clear"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private-or-clear"
Jul  8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private"
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private"
Jul  8 12:07:52 tensu pluto[4532]: "pix501" #1: initiating Main Mode
Jul  8 12:07:52 tensu ipsec__plutorun: 104 "pix501" #1: STATE_MAIN_I1: initiate
Jul  8 12:07:52 tensu ipsec__plutorun: ...could not start conn "pix501"
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: responding to Main Mode
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state
 STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R1: sent MR1, expecting
 MI2
Jul  8 12:07:53 tensu pluto[4532]: initiate on demand from 128.12.3.10:0 to
 192.168.1.106:0
 proto=0 state: fos_start because: acquire
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #1: transition from state
 STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I2: sent MI2, expecting
 MR2
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload [XAUTH]
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: received Vendor ID payload [Dead
 Peer Detection]
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload
 [Cisco-Unity]
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring unknown Vendor ID payload
 [aa6a3e9da46f0756218da36efb5f4cb0]
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state
 STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R2: sent MR2, expecting
 MI3
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload [XAUTH]
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: received Vendor ID payload [Dead
 Peer Detection]
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload
 [Cisco-Unity]
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring unknown Vendor ID payload
 [f15669e577c3a60ea48e9dcec5d0dc8c]
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: I did not send a certificate
 because I do not have one.
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state
 STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I3: sent MI3, expecting
 MR3
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: Main mode peer ID is ID_IPV4_ADDR:
 '128.12.1.155'
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state STATE_MAIN_I3
 to state STATE_MAIN_I4
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I4: ISAKMP SA
 established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
 group=modp1024}
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #3: initiating Quick Mode
 PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #4: initiating Quick Mode
 PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring informational payload,
 type IPSEC_INITIAL_CONTACT
Jul  8 12:07:54 tensu pluto[4532]: "pix501" #1: received and ignored informational
 message
Jul  8 12:07:56 tensu pluto[4532]: "pix501" #4: ignoring informational payload,
 type IPSEC_RESPONDER_LIFETIME
Jul  8 12:07:56 tensu pluto[4532]: "pix501" #4: transition from state
 STATE_QUICK_I1 to state STATE_QUICK_I2
Jul  8 12:07:56 tensu pluto[4532]: "pix501" #4: STATE_QUICK_I2: sent QI2, IPsec
 SA established {ESP=>0xa1ab1604 <0x831ee6c2 xfrm=3DES_0-HMAC_MD5 NATD=none
 DPD=none}
Jul  8 12:07:57 tensu pluto[4532]: "pix501" #3: ignoring informational payload,
 type IPSEC_RESPONDER_LIFETIME
Jul  8 12:07:57 tensu pluto[4532]: "pix501" #3: transition from state
 STATE_QUICK_I1 to state STATE_QUICK_I2
Jul  8 12:07:57 tensu pluto[4532]: "pix501" #3: STATE_QUICK_I2: sent QI2, IPsec
 SA established {ESP=>0xb7a3ca47 <0x55dd27df xfrm=3DES_0-HMAC_MD5 NATD=none
 DPD=none}
