This page is a reference setup listing, meant as an update to the previously described setup of a Cisco PIX 501 and Linux using 3DES. Read the article here.
Frank4DD, @2006
Network Layout
Cisco Pix 501 OS version
pixfirewall(config)# sho ver
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
pixfirewall up 3 hours 34 mins
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0009.7cb7.4d32, irq 9
1: ethernet1: address is 0009.7cb7.4d33, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10
Linux OS and VPN version
OpenSuse 10.1 http://www.opensuse.org
uname -a: Linux tensu 2.6.16.13-4-default #1 Wed May 3 04:53:23 UTC 2006 i686 i686 i386 GNU/Linux
ipsec --version: Linux Openswan U2.4.4/K2.6.16.13-4-default (netkey)
rpm --query openswan: openswan-2.4.4-18
3DES-MD5-HMAC setup Pix 501
ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10
sysopt connection permit-ipsec
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101
3DES-MD5-HMAC setup Linux Side
eth1 Link encap:Ethernet HWaddr 00:0C:29:DE:D1:13
inet addr:128.12.2.10 Bcast:128.12.2.255 Mask:255.255.255.0
eth0 Link encap:Ethernet HWaddr 00:0C:29:DE:D1:09
inet addr:128.12.3.1 Bcast:128.12.3.255 Mask:255.255.255.0
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 128.12.2.1 255.255.255.0 UG 0 0 0 eth1
128.12.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
128.12.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 128.12.2.1 0.0.0.0 UG 0 0 0 eth1
/etc/ipsec.conf:
----------------
version 2

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn pix501
        #af=inet
        type=tunnel
        auth=esp
        authby=secret
        left=128.12.2.10
        leftsubnet=128.12.3.0/24
        leftnexthop=128.12.2.1
        right=128.12.1.155
        rightsubnet=192.168.1.0/24
        rightnexthop=128.12.1.10
        esp=3des-md5-96
        ah=hmac-md5-96
        auto=start
/etc/ipsec.secrets
------------------
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
#
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
: RSA {
        # RSA 2048 bits 192.168.174.134 Sun Jul 2 18:39:34 2006
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOBc8bupa9fsTtShzNuVuOEW3t3jSm9yniRakwH1shu4ioUoPpf9n6scHU
        ...
        0da2f29f2d0b472265e7d333ffd432751a1b2f9b89dd2d84b88758a0dff39706b8a513055
        }
# do not change the indenting of that "}"
128.12.2.10 128.12.1.155: PSK "dobsekred"

The colon ":" in /etc/ipsec.secrets is important; it is new syntax introduced with OpenSwan and is not needed with FreeSwan.
AES-256 setup Cisco PIX 501
ip address inside 192.168.1.103 255.255.255.0
ip address outside 128.12.1.155 255.255.255.0
route outside 0.0.0.0 0.0.0.0 128.12.1.10
sysopt connection permit-ipsec
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp key dobsekred address 128.12.2.10 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash md5
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
access-list 101 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
nat (inside) 0 access-list 101
AES-256 setup Linux Side
/etc/ipsec.conf:
----------------
version 2

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none

conn pix501
        #af=inet
        type=tunnel
        auth=esp
        authby=secret
        left=128.12.2.10
        leftsubnet=128.12.3.0/24
        leftnexthop=128.12.2.1
        right=128.12.1.155
        rightsubnet=192.168.1.0/24
        rightnexthop=128.12.1.10
        esp=aes256-md5
        auto=start

After /etc/init.d/ipsec start it takes quite a while (30-45 seconds) until the tunnel comes up.
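The PIX and Openswan listings above are mirror images of each other: the PIX outside address is Openswan's right, the crypto map peer is left, the source and destination of access-list 100 are rightsubnet and leftsubnet, the transform-set is the same cipher/HMAC pair as esp=, and the isakmp key peer address must be the left address of the PSK line in ipsec.secrets. The Python script below is an added example, not part of the original page and not Cisco's or Openswan's code, that parses both listings and reports every field that does not mirror. The sample inputs are the 3DES listings from this page with the shared secret replaced by the placeholder PSK_PLACEHOLDER; the ESP_EQUIV table is an assumed mapping between Openswan esp= names and PIX transform-set keywords and only covers the two combinations (3DES and AES-256) used on this page.

```python
"""Cross-check a PIX 501 crypto config against the Openswan conn it talks to.

Added example, not from the original page, Cisco or Openswan. The sample
inputs are the 3DES listings from this page with the shared secret replaced
by a placeholder; ESP_EQUIV is an assumed mapping that only covers the
cipher/HMAC combinations used on this page.
"""
import re

# Constructed sample: the relevant lines of the PIX listing, secret replaced.
PIX_CONFIG = """\
ip address outside 128.12.1.155 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 128.12.3.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 128.12.2.10
crypto map mymap 10 set transform-set myset
isakmp key PSK_PLACEHOLDER address 128.12.2.10 netmask 255.255.255.255
"""

# Constructed sample: the conn section of /etc/ipsec.conf from this page.
IPSEC_CONF = """\
conn pix501
        type=tunnel
        authby=secret
        left=128.12.2.10
        leftsubnet=128.12.3.0/24
        right=128.12.1.155
        rightsubnet=192.168.1.0/24
        esp=3des-md5-96
"""

IPSEC_SECRETS = '128.12.2.10 128.12.1.155: PSK "PSK_PLACEHOLDER"\n'

# Openswan esp= value -> PIX transform-set keywords it corresponds to (assumed).
ESP_EQUIV = {
    "3des-md5-96": ("esp-3des", "esp-md5-hmac"),
    "aes256-md5": ("esp-aes-256", "esp-md5-hmac"),
}

SECRET_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')


def cidr(addr, mask):
    """Turn '192.168.1.0', '255.255.255.0' into '192.168.1.0/24'."""
    return f"{addr}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"


def parse_pix(text):
    """Pull the fields that matter for the tunnel out of a PIX 6.3 config."""
    cfg = {"acls": {}, "transform_sets": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = t[3]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            cfg["acls"][t[1]] = (cidr(t[4], t[5]), cidr(t[6], t[7]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["acl"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            cfg["peer"] = t[-1]
        elif t[:2] == ["crypto", "map"] and "transform-set" in t:
            cfg["transform_set"] = t[-1]
        elif t[:2] == ["isakmp", "key"]:
            cfg["psk"], cfg["psk_peer"] = t[2], t[4]
    return cfg


def parse_conn(text, name):
    """Return the key=value pairs of one conn section of ipsec.conf."""
    conn, inside = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("conn "):
            inside = s.split()[1] == name
        elif inside and "=" in s and not s.startswith("#"):
            k, v = s.split("=", 1)
            conn[k.strip()] = v.strip()
    return conn


def parse_secrets(text):
    """Return [(frozenset of peer addresses, psk), ...] from ipsec.secrets."""
    return [(frozenset(m.group(1, 2)), m.group(3))
            for m in map(SECRET_RE.match, text.splitlines()) if m]


def crosscheck(pix, conn, secrets):
    """List every field where the two sides do not mirror each other."""
    problems = []
    if conn.get("right") != pix.get("outside"):
        problems.append(f"right={conn.get('right')} but PIX outside is {pix.get('outside')}")
    if conn.get("left") != pix.get("peer"):
        problems.append(f"left={conn.get('left')} but PIX peer is {pix.get('peer')}")
    src, dst = pix["acls"][pix["acl"]]
    if (src, dst) != (conn.get("rightsubnet"), conn.get("leftsubnet")):
        problems.append(f"ACL {pix['acl']} protects {src} -> {dst}, conn has "
                        f"{conn.get('rightsubnet')} -> {conn.get('leftsubnet')}")
    ts = pix["transform_sets"][pix["transform_set"]]
    if ESP_EQUIV.get(conn.get("esp")) != ts:
        problems.append(f"esp={conn.get('esp')} does not match transform-set {ts}")
    keys = [k for peers, k in secrets if peers == {conn.get("left"), conn.get("right")}]
    if not keys:
        problems.append("no PSK line in ipsec.secrets for this peer pair")
    elif keys[0] != pix.get("psk") or pix.get("psk_peer") != conn.get("left"):
        problems.append("PSK value or isakmp key peer address differs between the sides")
    return problems


if __name__ == "__main__":
    result = crosscheck(parse_pix(PIX_CONFIG), parse_conn(IPSEC_CONF, "pix501"),
                        parse_secrets(IPSEC_SECRETS))
    print("OK, both sides mirror" if not result else "\n".join(result))
```

Swapping the AES-256 lines into the sample (esp-aes-256 on the PIX, esp=aes256-md5 in the conn) passes the same check, which is the point of keeping the cipher mapping in one table: a mismatch there is reported before either peer starts negotiating.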
PIX tunnel information
pixfirewall(config)# show crypto sa
interface: outside
    Crypto map tag: mymap, local addr. 128.12.1.155
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (128.12.3.0/255.255.255.0/0/0)
   current_peer: 128.12.2.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest 16
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 53, #recv errors 0
     local crypto endpt.: 128.12.1.155, remote crypto endpt.: 128.12.2.10
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 8a1723b9
     inbound esp sas:
      spi: 0xcddac3d0(3453666256)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28735)
        IV size: 16 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8a1723b9(2316772281)
        transform: esp-aes-256 esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607998/28733)
        IV size: 16 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
pixfirewall(config)#
3DES-MD5-HMAC Logs Cisco side - connection start
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:128.12.2.10/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt incremented to:1 Total VPN
Peers:1
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1650817722
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1650817722
ISAKMP (0): processing KE payload. message ID = 1650817722
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1650817722
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1760234288
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 1760234288
ISAKMP (0): processing KE payload. message ID = 1760234288
ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 128.12.3.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1760234288
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.1.0/255.255.255.0 prot 0 port 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 128.12.2.10 to 128.12.1.155 (proxy 128.12.3.0 to 192.168.1.0)
has spi 3925191902 and conn_id 7 and flags 25
lifetime of 28800 seconds
outbound SA from 128.12.1.155 to 128.12.2.10 (proxy 192.168.1.0 to 128.12.3.0)
has spi 3293852659 and conn_id 8 and flags 25
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_QM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 1
spi 0, message ID = 3220768692
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 2958373577
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 1027708493
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 3484140146
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 605111463
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 4214817545
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x5b2c1627
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 9 protocol 1
spi 0, message ID = 650903749
return status is IKMP_NO_ERR_NO_TRANS
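The four "Checking ISAKMP transform N against priority 5 policy" blocks at the top of this log are the PIX comparing each phase 1 proposal Openswan sent against "isakmp policy 5". Only transform 3 (3DES-CBC, MD5, pre-share, group 2) matches the policy exactly; transforms 0 and 1 fail on group 5, transforms 1 and 2 on hash SHA. The proposed lifetime of 3600 differs from the policy's 28800 and is still accepted, so lifetime is not a hard match criterion here. The Python below is an added example, not from the page and not Cisco's code, that parses such a debug log and names the attribute(s) each rejected transform differs in. POLICY_5 is transcribed from the PIX configuration on this page, the sample log lines are copied from above, and the attribute names (encryption, hash, auth, group, lifetime) are this script's own.

```python
"""Explain PIX 6.3 'debug crypto isakmp' phase 1 transform rejections.

Added example, not from the page or from Cisco. POLICY_5 is transcribed from
the 'isakmp policy 5' lines of the 3DES PIX configuration on this page; the
sample log is copied from the connection-start log above. Attribute names
(encryption, hash, auth, group, lifetime) are this script's own.
"""
import re

# The configured policy the PIX matches proposals against.
POLICY_5 = {"encryption": "3DES-CBC", "hash": "MD5", "auth": "pre-share", "group": "2"}

# Sample log (copied from the page); surrounding non-transform lines are kept
# on purpose so the parser has to skip them.
SAMPLE_LOG = """\
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
"""

START_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|auth|default group)\s+(\S+)$")
LIFE_RE = re.compile(r"^ISAKMP:\s+life duration \(basic\) of (\d+)$")
RESULT_RE = re.compile(r"atts are (not )?acceptable")


def parse_transforms(log):
    """One dict per 'Checking ISAKMP transform' block: attributes and PIX verdict."""
    transforms, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = START_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "attrs": {}, "accepted": None}
            transforms.append(cur)
            continue
        if cur is None:          # not inside a transform block
            continue
        m = ATTR_RE.match(line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            cur["attrs"][key] = m.group(2)
            continue
        m = LIFE_RE.match(line)
        if m:
            cur["attrs"]["lifetime"] = int(m.group(1))
            continue
        m = RESULT_RE.search(line)
        if m:
            cur["accepted"] = m.group(1) is None
            cur = None           # the verdict line closes the block
    return transforms


def mismatches(attrs, policy):
    """Policy attributes the proposal differs in. Lifetime is not compared:
    the page's log shows a 3600 s proposal accepted against a 28800 s policy."""
    return sorted(k for k, v in policy.items() if attrs.get(k) != v)


def explain(log, policy):
    """[(transform index, accepted by PIX, attributes that differ), ...]"""
    return [(t["transform"], t["accepted"], mismatches(t["attrs"], policy))
            for t in parse_transforms(log)]


def consistent(log, policy):
    """True when every PIX verdict agrees with our own policy comparison."""
    return all(accepted == (not diff) for _, accepted, diff in explain(log, policy))


if __name__ == "__main__":
    for idx, accepted, diff in explain(SAMPLE_LOG, POLICY_5):
        print(f"transform {idx}: " + ("accepted" if accepted else "rejected on " + ", ".join(diff)))
```

To apply it to the AES-256 setup, change POLICY_5 to that configuration's isakmp policy values as they appear in its debug log; consistent() is the quick way to confirm the PIX verdicts line up with the policy you think is configured.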
3DES-MD5-HMAC Logs Cisco side - connection end
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 83978638, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:5 Total VPN
Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:4 Total VPN
Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 131175463, spi size = 4
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:3 Total VPN
Peers:1
VPN Peer: IPSEC: Peer ip:128.12.2.10/500 Decrementing Ref cnt to:2 Total VPN
Peers:1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1438949591, spi size = 16
ISAKMP (0): deleting SA: src 128.12.2.10, dst 128.12.1.155
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:128.12.2.10, dest:128.12.1.155 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3224698833, spi size = 16
ISAKMP (0): deleting SA: src 128.12.1.155, dst 128.12.2.10
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa2f45c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:1 Total VPN
Peers:1
ISADB: reaper checking SA 0xa2e7c4, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:128.12.2.10/500 Ref cnt decremented to:0 Total VPN
Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:128.12.2.10/500 Total VPN peers:0
3DES-MD5-HMAC Logs Linux side
Jul 8 12:07:50 tensu pluto[4532]: Starting Pluto (Openswan Version 2.4.4
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Jul 8 12:07:50 tensu pluto[4532]: Setting NAT-Traversal port-4500 floating to off
Jul 8 12:07:50 tensu pluto[4532]: port floating activation criteria
nat_t=0/port_fload=1
Jul 8 12:07:50 tensu pluto[4532]: including NAT-Traversal patch (Version 0.6c)
[disabled]
Jul 8 12:07:50 tensu pluto[4532]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Jul 8 12:07:50 tensu pluto[4532]: starting up 1 cryptographic helpers
Jul 8 12:07:50 tensu pluto[4532]: started helper pid=4545 (fd:6)
Jul 8 12:07:50 tensu pluto[4532]: Using Linux 2.6 IPsec interface code on
2.6.16.13-4-default
Jul 8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 8 12:07:50 tensu pluto[4532]: Changing to directory '/etc/ipsec.d/crls'
Jul 8 12:07:50 tensu pluto[4532]: Warning: empty directory
Jul 8 12:07:50 tensu ipsec_setup: Starting Openswan IPsec 2.4.4...
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/key/af_key.ko
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/ipv4/xfrm4_tunnel.ko
Jul 8 12:07:50 tensu ipsec_setup: insmod /lib/modules/2.6.16.13-4-default/kernel/
net/xfrm/xfrm_user.ko
Jul 8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "packetdefault":
%defaultroute requested but not known
Jul 8 12:07:50 tensu ipsec__plutorun: ipsec_auto: fatal error in "block":
%defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in
"clear-or-private": %defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "clear":
%defaultroute requested but not known
Jul 8 12:07:51 tensu pluto[4532]: added connection description "pix501"
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in
"private-or-clear": %defaultroute requested but not known
Jul 8 12:07:51 tensu ipsec__plutorun: ipsec_auto: fatal error in "private":
%defaultroute requested but not known
Jul 8 12:07:51 tensu pluto[4532]: listening for IKE messages
Jul 8 12:07:51 tensu pluto[4532]: adding interface eth1/eth1 128.12.2.10:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface eth0/eth0 128.12.3.1:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface lo/lo 127.0.0.1:500
Jul 8 12:07:51 tensu pluto[4532]: adding interface lo/lo ::1:500
Jul 8 12:07:51 tensu pluto[4532]: loading secrets from "/etc/ipsec.secrets"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "packetdefault"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "packetdefault"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "block"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "block"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear-or-private"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear-or-private"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "clear"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "clear"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private-or-clear"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private-or-clear"
Jul 8 12:07:52 tensu ipsec__plutorun: 021 no connection named "private"
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not route conn "private"
Jul 8 12:07:52 tensu pluto[4532]: "pix501" #1: initiating Main Mode
Jul 8 12:07:52 tensu ipsec__plutorun: 104 "pix501" #1: STATE_MAIN_I1: initiate
Jul 8 12:07:52 tensu ipsec__plutorun: ...could not start conn "pix501"
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: responding to Main Mode
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R1: sent MR1, expecting
MI2
Jul 8 12:07:53 tensu pluto[4532]: initiate on demand from 128.12.3.10:0 to
192.168.1.106:0
proto=0 state: fos_start because: acquire
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I2: sent MI2, expecting
MR2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload [XAUTH]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: received Vendor ID payload [Dead
Peer Detection]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring Vendor ID payload
[Cisco-Unity]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: ignoring unknown Vendor ID payload
[aa6a3e9da46f0756218da36efb5f4cb0]
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 8 12:07:53 tensu pluto[4532]: "pix501" #2: STATE_MAIN_R2: sent MR2, expecting
MI3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload [XAUTH]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: received Vendor ID payload [Dead
Peer Detection]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring Vendor ID payload
[Cisco-Unity]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring unknown Vendor ID payload
[f15669e577c3a60ea48e9dcec5d0dc8c]
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: I did not send a certificate
because I do not have one.
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I3: sent MI3, expecting
MR3
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: Main mode peer ID is ID_IPV4_ADDR:
'128.12.1.155'
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: transition from state STATE_MAIN_I3
to state STATE_MAIN_I4
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: ignoring informational payload,
type IPSEC_INITIAL_CONTACT
Jul 8 12:07:54 tensu pluto[4532]: "pix501" #1: received and ignored informational
message
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: ignoring informational payload,
type IPSEC_RESPONDER_LIFETIME
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 8 12:07:56 tensu pluto[4532]: "pix501" #4: STATE_QUICK_I2: sent QI2, IPsec
SA established {ESP=>0xa1ab1604 <0x831ee6c2 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: ignoring informational payload,
type IPSEC_RESPONDER_LIFETIME
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 8 12:07:57 tensu pluto[4532]: "pix501" #3: STATE_QUICK_I2: sent QI2, IPsec
SA established {ESP=>0xb7a3ca47 <0x55dd27df xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}