DMVPN b/w Hub and Spoke behind NAT not working.
Open, High, Public

Description

Hi Experts,

Tried to create a DMVPN between a Hub on SoftLayer and a Spoke behind NAT on VMware Fusion.

vyatta@gw-seattle1-02-06-2016:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.16.200.1/24'
set interfaces tunnel tun0 encapsulation 'gre-multipoint'
set interfaces tunnel tun0 local-ip '50.23.185.53'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 nhrp 'redirect'
set vpn ipsec profile DMVPN bind tunnel 'tun0'
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1H compression 'disable'
set vpn ipsec esp-group ESP-1H lifetime '30'
set vpn ipsec esp-group ESP-1H mode 'transport'
set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-1H lifetime '30'
set vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
set vpn ipsec profile DMVPN bind tunnel 'tun0'
set vpn ipsec profile DMVPN esp-group 'ESP-1H'
set vpn ipsec profile DMVPN ike-group 'IKE-1H'

vyatta@gw-seattle1-02-06-2016:~$ show ip nhrp
Status: ok

Interface: lo
Type: local
Protocol-Address: 192.168.175.0/24
Flags: up

Interface: lo
Type: local
Protocol-Address: 192.168.170.0/24
Flags: up

Interface: tun0
Type: local
Protocol-Address: 172.16.200.255/32
Alias-Address: 172.16.200.1
Flags: up

Interface: tun0
Type: local
Protocol-Address: 172.16.200.1/32
Flags: up

vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$
vyatta@gw-seattle1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP


0.0.0.0 50.23.185.53

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
tun0    down   n/a            n/a      n/a   no     0       30      gre

vyatta@gw-seattle1-02-06-2016:~$ show log tail
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:28:36 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:28:56 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK

vyatta@gw-seattle1-02-06-2016:~$ show vpn debug detail
Unable to find IKEv2 messages. Strongswan might be running with IKEv2 turned off or alternatively, your log files have been emptied (ie, logwatch)
gw-seattle1-02-06-2016
Thu Aug 4 18:10:34 CDT 2016
+ _________________________ version
+ ipsec --version
Linux strongSwan U4.5.2/K3.10.94-1-amd64-vyatta
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip -s xfrm state
+ _________________________ ip-xfrm-policy
+ ip -s xfrm policy
+ _________________________ /proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface eth1/eth1 2607:f0d0:2002:182::2:500
000 interface lo/lo 127.0.0.1:500
000 interface lo/lo 192.168.170.1:500
000 interface lo/lo 192.168.175.1:500
000 interface eth0/eth0 10.28.103.98:500
000 interface eth1/eth1 50.23.185.54:500
000 interface eth1v1/eth1v1 50.23.185.53:500
000 interface eth0v1/eth0v1 10.28.103.84:500
000 interface tun0/tun0 172.16.200.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "vpnprof-tunnel-tun0": 50.23.185.53[50.23.185.53]:47/0...%any[%any]:47/0; unrouted; eroute owner: #0
000 "vpnprof-tunnel-tun0": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnprof-tunnel-tun0": policy: PSK+ENCRYPT+PFS+DONTREKEY; prio: 32,32; interface: eth1v1;
000 "vpnprof-tunnel-tun0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):

uptime: 10 minutes, since Aug 04 17:59:57 2016
malloc: sbrk 270336, mmap 0, used 225488, free 44848
worker threads: 8 idle of 16, job queue load: 1, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock

Listening IP addresses:

10.28.103.98
50.23.185.54
2607:f0d0:2002:182::2
50.23.185.53
10.28.103.84
172.16.200.1

Connections:
Security Associations:

none

+ _________________________ routing/tables
+ ip rule list
0: from all lookup local
32766: from all lookup main
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default
+ _________________________ ip/route
+ /opt/vyatta/bin/vtyshow.pl show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Gateway of last resort is 50.23.185.49 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 50.23.185.49, eth1
S 10.0.0.0/8 [1/0] via 10.28.103.65, eth0
C 10.28.103.64/26 is directly connected, eth0
C 50.23.185.48/29 is directly connected, eth1
C 127.0.0.0/8 is directly connected, lo
C 172.16.200.0/24 is directly connected, tun0
C 192.168.170.0/24 is directly connected, lo
C 192.168.175.0/24 is directly connected, lo
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 23835 23834 20 0 23088 1236 - S+ pts/0 0:00 | \_ sudo /usr/lib/ipsec/barf
4 0 23836 23835 20 0 9216 1392 - S+ pts/0 0:00 | \_ /bin/sh /usr/lib/ipsec/barf
0 0 23904 23836 20 0 6116 576 - S+ pts/0 0:00 | \_ egrep -i ppid|pluto|ipsec|klips
1 0 22869 1 20 0 14744 880 - Ss ? 0:00 /usr/lib/ipsec/starter
4 0 22870 22869 20 0 147112 3984 - Ssl ? 0:00 \_ /usr/lib/ipsec/pluto --nofork --uniqueids
0 0 22942 22870 20 0 8020 340 - S ? 0:00 | \_ _pluto_adns
4 0 22918 22869 20 0 367428 4416 - Ssl ? 0:00 \_ /usr/lib/ipsec/charon --use-syslog
+ _________________________ ipsec/conf
+ /usr/lib/ipsec/_include /etc/ipsec.conf
+ /usr/lib/ipsec/_keycensor

#< /etc/ipsec.conf 1

generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup

charonstart=no
interfaces="%none"

conn clear

auto=ignore

conn clear-or-private

auto=ignore

conn private-or-clear

auto=ignore

conn private

auto=ignore

conn block

auto=ignore

conn packetdefault

auto=ignore

conn %default

keyexchange=ikev1

#< /etc/dmvpn.conf 1

generated by /opt/vyatta/sbin/dmvpn-config.pl

conn vpnprof-tunnel-tun0

left=50.23.185.53
right=%any
rekey=no
leftprotoport=gre
rightprotoport=gre
ike=aes256-sha1,aes256-md5!
ikelifetime=30s
esp=aes256-sha1,3des-md5!
keylife=30s
rekeymargin=14s
type=transport
pfs=yes
pfsgroup=modp1536
compress=no
authby=secret
auto=add
keyingtries=%forever

#conn vpnprof-tunnel-tun0

#> /etc/ipsec.conf 32
+ _________________________ ipsec/secrets
+ /usr/lib/ipsec/_include /etc/ipsec.secrets
+ /usr/lib/ipsec/_secretcensor

#< /etc/ipsec.secrets 1

generated by /opt/vyatta/sbin/vpn-config.pl

#< /etc/dmvpn.secrets 1

generated by /opt/vyatta/sbin/dmvpn-config.pl

50.23.185.53 %any : PSK "[sums to df5b...]"

#> /etc/ipsec.secrets 5
+ _________________________ ipsec/listall
+ ipsec listall
000
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC[openssl] 3DES_CBC[des] AES_CBC[aes] CAMELLIA_CBC[openssl]
000 integrity: HMAC_MD5[md5] HMAC_SHA1[sha1] HMAC_SHA2_256[sha2] HMAC_SHA2_384[sha2] HMAC_SHA2_512[sha2]
000 dh-group: MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl]
000 MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
000 MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl]
000 random-gen: RNG_STRONG[random] RNG_TRUE[random]
000
000 List of registered ESP Algorithms:
000
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8
000 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96

List of registered IKEv2 Algorithms:

encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] CAMELLIA_CBC[openssl] RC5_CBC[openssl]
            IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl] AES_CTR[ctr]
integrity:  AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_SHA2_256_128[hmac]
            HMAC_SHA2_256_256[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_384_192[hmac]
            HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
aead:       AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm] AES_GCM_16[gcm]
hasher:     HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
            HASH_MD2[openssl] HASH_MD4[openssl]
prf:        PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA1[hmac]
            PRF_HMAC_SHA2_256[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac]
dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] ECP_256[openssl]
            ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] MODP_3072[openssl] MODP_4096[openssl]
            MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl]
            MODP_CUSTOM[openssl]
random-gen: RNG_STRONG[random] RNG_TRUE[random]

+ '[' ']'
+ _________________________ /proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'NETKEY (3.10.94-1-amd64-vyatta) support detected '
NETKEY (3.10.94-1-amd64-vyatta) support detected
+ _________________________ /proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ plutolog
+ sed -n '1286,$p' /var/log/messages
+ egrep -i pluto
+ case "$1" in
+ cat
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: including NAT-Traversal patch (Version 0.6c) [disabled]
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
Aug 4 17:59:57 gw-seattle1-02-06-2016 ipsec_starter[22869]: pluto (22870) started after 20 ms
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: listening for IKE messages
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface tun0/tun0 172.16.200.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth0v1/eth0v1 10.28.103.84:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1v1/eth1v1 50.23.185.53:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1/eth1 50.23.185.54:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth0/eth0 10.28.103.98:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 192.168.175.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 192.168.170.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo 127.0.0.1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface eth1/eth1 2607:f0d0:2002:182::2:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: adding interface lo/lo ::1:500
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: forgetting secrets
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: forgetting secrets
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/ipsec.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loading secrets from "/etc/dmvpn.secrets"
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: loaded PSK secret for 50.23.185.53 %any
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: Changing to directory '/etc/ipsec.d/crls'
Aug 4 17:59:57 gw-seattle1-02-06-2016 pluto[22870]: added connection description "vpnprof-tunnel-tun0"
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:01:08 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:07:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:08:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:08:57 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:09:37 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:10:17 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
+ _________________________ charonlog
+ sed -n '1,$p' /dev/null
+ egrep -i charon
+ case "$1" in
+ cat
+ _________________________ date
+ date
Thu Aug 4 18:10:34 CDT 2016
vyatta@gw-seattle1-02-06-2016:~$

VYATTA ON VMWARE FUSION:

vyatta@vyatta:~$ show version
Version: 4.1R2
Description: Brocade Vyatta Network OS 4.1 R2
Built on: Wed Dec 16 22:05:39 UTC 2015
System type: Intel 64bit
Boot via: image
Hypervisor: VMware
HW model: VMware Virtual Platform
HW S/N: VMware-56 4d a2 87 5f c4 ea 85-19 e1 4b 9f 37 1f d4 5c
HW UUID: 564DA287-5FC4-EA85-19E1-4B9F371FD45C
Uptime: 23:02:41 up 15 min, 2 users, load average: 0.29, 0.16, 0.10
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.16.200.4/24'
set interfaces tunnel tun0 encapsulation 'gre-multipoint'
set interfaces tunnel tun0 local-ip '192.168.166.139'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 nhrp map 172.16.200.1/24 nbma-address '50.23.185.53'
set interfaces tunnel tun0 nhrp map 172.16.200.1/24 'register'
set interfaces tunnel tun0 nhrp 'redirect'
set interfaces tunnel tun0 nhrp 'shortcut'
set security vpn ipsec profile DMVPN bind tunnel 'tun0'
vyatta@vyatta:~$ show configuration commands | grep vpn
set security vpn ipsec esp-group ESP-1H compression 'disable'
set security vpn ipsec esp-group ESP-1H lifetime '30'
set security vpn ipsec esp-group ESP-1H mode 'transport'
set security vpn ipsec esp-group ESP-1H pfs 'dh-group5'
set security vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
set security vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
set security vpn ipsec ike-group IKE-1H lifetime '30'
set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
set security vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
set security vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
set security vpn ipsec profile DMVPN bind tunnel 'tun0'
set security vpn ipsec profile DMVPN esp-group 'ESP-1H'
set security vpn ipsec profile DMVPN ike-group 'IKE-1H'
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$
vyatta@vyatta:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address            S/L  Description
---------    ----------            ---  -----------
dp0p160p1    192.168.166.139/24    u/u
tun0         172.16.200.4/24       u/u
vyatta@vyatta:~$
vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
0.0.0.0                                 192.168.166.139

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
tun0    down   n/a            n/a      n/a   no     0       30      gre

Peer ID / IP                            Local ID / IP
------------                            -------------
50.23.185.53                            192.168.166.139

Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----  -----  ------  ------  -----
tun0    down   n/a            n/a      n/a   no     0       30      gre

vyatta@vyatta:~$ show vpn debug detail
IPsec version
Linux strongSwan U4.5.2/K4.1.14-1-amd64-vyatta
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
IPsec working directory
/usr/lib/ipsec
IPsec status
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface dp0p160p1/dp0p160p1 192.168.166.139:500
000 interface tun0/tun0 172.16.200.4:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "tun0-192.168.166.139-to-50.23.185.53": 192.168.166.139[192.168.166.139]:47/0...50.23.185.53[50.23.185.53]:47/0; unrouted; eroute owner: #0
000 "tun0-192.168.166.139-to-50.23.185.53": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "tun0-192.168.166.139-to-50.23.185.53": policy: PSK+ENCRYPT+PFS+UP; prio: 32,32; interface: dp0p160p1;
000 "tun0-192.168.166.139-to-50.23.185.53": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpnprof-tunnel-tun0": 192.168.166.139[192.168.166.139]:47/0...%any[%any]:47/0; unrouted; eroute owner: #0
000 "vpnprof-tunnel-tun0": ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s; rekey_fuzz: 100%; keyingtries: 0
000 "vpnprof-tunnel-tun0": policy: PSK+ENCRYPT+PFS+DONTREKEY; prio: 32,32; interface: dp0p160p1;
000 "vpnprof-tunnel-tun0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "tun0-192.168.166.139-to-50.23.185.53" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s
000 #2: pending Phase 2 for "tun0-192.168.166.139-to-50.23.185.53" replacing #0
000
Info about all certificates/groups/plugins
000
000 List of registered IKEv1 Algorithms:
000
000 encryption: BLOWFISH_CBC[openssl] 3DES_CBC[des] AES_CBC[aes] CAMELLIA_CBC[openssl]
000 integrity: HMAC_MD5[md5] HMAC_SHA1[sha1] HMAC_SHA2_256[sha2] HMAC_SHA2_384[sha2] HMAC_SHA2_512[sha2]
000 dh-group: MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl]
000 MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
000 MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl]
000 random-gen: RNG_STRONG[random] RNG_TRUE[random]
000
000 List of registered ESP Algorithms:
000
000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8
000 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96
sk RefCnt Rmem Wmem User Inode
src ::/0 dst ::/0 uid 0

socket out action allow index 60 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src ::/0 dst ::/0 uid 0

socket in action allow index 51 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket out action allow index 44 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket in action allow index 35 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket out action allow index 28 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use 2016-08-04 23:03:21

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket in action allow index 19 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket out action allow index 12 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

socket in action allow index 3 priority 0 ptype main share any flag  (0x00000000)
lifetime config:
  limit: soft (INF)(bytes), hard (INF)(bytes)
  limit: soft (INF)(packets), hard (INF)(packets)
  expire add: soft 0(sec), hard 0(sec)
  expire use: soft 0(sec), hard 0(sec)
lifetime current:
  0(bytes), 0(packets)
  add 2016-08-04 23:01:04 use -

routing rule set
0: from all lookup local
32765: from all iif tun0 lookup 230
32766: from all lookup main
32766: from all lookup main
32767: from all lookup default

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP

O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

IP Route Table for VRF "default"
Gateway of last resort is 192.168.166.2 to network 0.0.0.0

K* 0.0.0.0/0 via 192.168.166.2, dp0p160p1
C 127.0.0.0/8 is directly connected, lo
C 172.16.200.0/24 is directly connected, tun0
C 192.168.166.0/24 is directly connected, dp0p160p1

#:cannot open configuration file '/ipsec.conf'
#:cannot open configuration file '/ipsec.secrets'
NETKEY (4.1.14-1-amd64-vyatta) support detected
vyatta
Thu Aug 4 23:03:41 UTC 2016
vyatta@vyatta:~$ show ip nhrp
Status: ok

Interface: tun0
Type: local
Protocol-Address: 172.16.200.255/32
Alias-Address: 172.16.200.4
Flags: up

Interface: tun0
Type: local
Protocol-Address: 172.16.200.4/32
Flags: up

Interface: tun0
Type: static
Protocol-Address: 172.16.200.1/24
NBMA-Address: 50.23.185.53

vyatta@vyatta:~$ ping 50.23.185.53
PING 50.23.185.53 (50.23.185.53) 56(84) bytes of data.
64 bytes from 50.23.185.53: icmp_seq=1 ttl=128 time=39.5 ms
64 bytes from 50.23.185.53: icmp_seq=2 ttl=128 time=38.8 ms
64 bytes from 50.23.185.53: icmp_seq=3 ttl=128 time=39.8 ms
64 bytes from 50.23.185.53: icmp_seq=4 ttl=128 time=39.3 ms
^C
--- 50.23.185.53 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 38.876/39.392/39.839/0.423 ms
vyatta@vyatta:~$ ping 172.16.200.1
PING 172.16.200.1 (172.16.200.1) 56(84) bytes of data.
From 172.16.200.4 icmp_seq=7 Destination Host Unreachable
From 172.16.200.4 icmp_seq=8 Destination Host Unreachable
From 172.16.200.4 icmp_seq=9 Destination Host Unreachable
From 172.16.200.4 icmp_seq=10 Destination Host Unreachable
^C
--- 172.16.200.1 ping statistics ---
11 packets transmitted, 0 received, +4 errors, 100% packet loss, time 10060ms
pipe 2
vyatta@vyatta:~$

vyatta@vyatta:~$ show log tail
2016-08-04T23:24:50.266689+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53": deleting connection
2016-08-04T23:24:50.267037+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #7: deleting state (STATE_MAIN_I1)
2016-08-04T23:24:50.271767+00:00 localhost pluto[3902]: added connection description "tun0-192.168.166.139-to-50.23.185.53"
2016-08-04T23:24:50.281342+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #8: initiating Main Mode
2016-08-04T23:26:50.243061+00:00 localhost opennhrp[3625]: [172.16.200.1] Peer up script failed: timeout
2016-08-04T23:28:26.272709+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53": deleting connection
2016-08-04T23:28:26.272960+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #8: deleting state (STATE_MAIN_I1)
2016-08-04T23:28:26.278012+00:00 localhost pluto[3902]: added connection description "tun0-192.168.166.139-to-50.23.185.53"
2016-08-04T23:28:26.287641+00:00 localhost pluto[3902]: "tun0-192.168.166.139-to-50.23.185.53" #9: initiating Main Mode
2016-08-04T23:30:26.250374+00:00 localhost opennhrp[3625]: [172.16.200.1] Peer up script failed: timeout

Details

Difficulty level: Easy (less than an hour)
sfaiz13 created this task. Aug 5 2016, 12:36 AM
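The only hard evidence in the report is the hub's pluto log: every Main Mode attempt is rejected with "no connection has been authorized with policy=PSK", and the hub sees the spoke as 73.220.149.55:55728 even though the spoke's own pluto is bound to 192.168.166.139:500, so the VMware Fusion NAT is rewriting the IKE source port while the spoke's "show vpn ipsec sa" still reports NAT-T "no". The script below is an added example for triaging such a log offline; it is not part of the original task and not Brocade/VyOS code. It groups the "packet from" lines per peer, counts rejected Main Mode attempts, collects the Vendor IDs the peer announced, and flags peers whose IKE source port is neither 500 nor 4500 as sitting behind a port-rewriting NAT. The embedded sample lines are constructed in the shape of the hub log above; 198.51.100.7 is a made-up second peer that is not behind NAT.

```python
"""Triage IKEv1 responder-side failures from strongSwan pluto syslog lines.

Added example for this task, not the reporter's or Brocade's code.
"""
import re
from typing import Dict, List

# Constructed sample in the same shape as the hub log in the report.
# 73.220.149.55:55728 mirrors the NATed spoke; 198.51.100.7:500 is a made-up
# peer whose source port was not rewritten. The trailing shell-trace line is
# the kind of non-pluto noise "show vpn debug detail" mixes in.
SAMPLE_LOG = """\
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [XAUTH]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [Dead Peer Detection]
Aug 4 18:04:41 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: received Vendor ID payload [strongSwan]
Aug 4 18:05:21 gw-seattle1-02-06-2016 pluto[22870]: packet from 73.220.149.55:55728: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
Aug 4 18:05:30 gw-seattle1-02-06-2016 pluto[22870]: packet from 198.51.100.7:500: received Vendor ID payload [strongSwan]
Aug 4 18:05:30 gw-seattle1-02-06-2016 pluto[22870]: packet from 198.51.100.7:500: initial Main Mode message received on 50.23.185.53:500 but no connection has been authorized with policy=PSK
+ _________________________ charonlog
"""

# syslog prefix, pluto tag, then "packet from <ip>:<port>: <message>"
PACKET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: "
    r"packet from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<msg>.*)$"
)
VENDOR_RE = re.compile(r"(?:received|ignoring) Vendor ID payload \[(?P<vid>[^\]]+)\]")
NOCONN_RE = re.compile(
    r"initial (?P<mode>Main|Aggressive) Mode message received on "
    r"(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+) but no connection has been authorized"
)
# 500 is plain IKE; 4500 is where NAT-T moves IKE once both sides detect a NAT.
# Anything else on the responder means a device in the path rewrote the port.
IKE_PORTS = {500, 4500}


def triage(log_text: str) -> Dict[str, dict]:
    """Return per-peer findings keyed by 'ip:port' as seen by the responder."""
    peers: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # not a pluto "packet from" line; skip
        key = f"{m['ip']}:{m['port']}"
        rec = peers.setdefault(key, {
            "attempts": 0, "first_ts": m["ts"], "last_ts": m["ts"],
            "vendor_ids": set(), "local": None, "mode": None,
            "nat_suspected": int(m["port"]) not in IKE_PORTS,
        })
        rec["last_ts"] = m["ts"]
        v = VENDOR_RE.search(m["msg"])
        if v:
            rec["vendor_ids"].add(v["vid"])
        n = NOCONN_RE.search(m["msg"])
        if n:  # responder found no conn matching this peer's address/policy
            rec["attempts"] += 1
            rec["local"] = f"{n['lip']}:{n['lport']}"
            rec["mode"] = n["mode"]
    for rec in peers.values():
        rec["vendor_ids"] = sorted(rec["vendor_ids"])
    return peers


def summarize(peers: Dict[str, dict]) -> List[str]:
    """One human-readable finding per peer, most rejections first."""
    out = []
    for key, rec in sorted(peers.items(), key=lambda kv: -kv[1]["attempts"]):
        nat_note = ("source port is not 500/4500: peer is behind a port-rewriting NAT"
                    if rec["nat_suspected"] else "source port 500: no port rewriting seen")
        out.append(
            f"{key}: {rec['attempts']} {rec['mode'] or 'IKE'} Mode attempt(s) rejected "
            f"({rec['first_ts']} .. {rec['last_ts']}) on {rec['local']}; "
            f"vendor IDs {rec['vendor_ids']}; {nat_note}"
        )
    return out


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LOG)):
        print(finding)
```

Run it against "show log | grep pluto" output from the hub (or pipe the file into triage()); a peer that keeps appearing with a high, non-500 port and zero successful states is the one whose NAT path needs a matching %any connection and NAT-T on the responder before anything else is worth debugging.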

I've never tried DMVPN but have done many P-to-P IPSec configs. IPSec behind NAT is not straightforward; your tunnel configuration is wrong: the local-ip of the tunnel needs to be your NAT'ed IP (i.e. something from RFC1918), not your external IP, otherwise the ESP policies will not match.

As for IKEv2, you are not using it. The default is to use IKEv1 unless otherwise configured; it's the key-exchange option inside the ike-group settings. Once done, all IKEv2 logs appear in the auth log file (we should probably fix that!).
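To illustrate the reply's point, here is an added example (not the reporter's configuration and not a Brocade-supplied one) of the spoke's IKE-1H group as posted next to a version that selects IKEv2. The posted group also has a 30-second lifetime on both the IKE and ESP groups (the spoke's debug output shows ike_life: 30s; ipsec_life: 30s; rekey_margin: 14s, so it rekeys every half minute) and still offers 3DES/MD5 and AES/MD5 proposals, so the corrected version tightens those too. The "security vpn ipsec" prefix and the key-exchange node are the ones this page and the reply use; dh-group on the IKE proposal and the exact value spellings are assumptions to confirm with tab-completion on 4.1R2, and the same change has to be applied on the hub (which uses the "vpn ipsec" prefix) or the two sides will never agree on an IKE version.

```text
# Added example, not the reporter's config. Spoke side, Brocade Vyatta 4.1R2 syntax as used above.

# Before: the IKE-1H group as posted. No key-exchange node, so pluto runs IKEv1 Main Mode,
# the SA is rekeyed every 30 seconds, and an AES/MD5 proposal is still offered.
set security vpn ipsec ike-group IKE-1H lifetime '30'
set security vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
set security vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
set security vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
set security vpn ipsec esp-group ESP-1H lifetime '30'
set security vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
set security vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'

# After: IKEv2 via the key-exchange option the reply names, MD5/3DES proposals removed,
# lifetimes raised to conventional values. dh-group '14' on the proposal and 'dh-group14'
# for PFS are assumptions: check the accepted values with tab-completion on 4.1R2.
delete security vpn ipsec ike-group IKE-1H proposal 2
set security vpn ipsec ike-group IKE-1H key-exchange 'ikev2'
set security vpn ipsec ike-group IKE-1H lifetime '28800'
set security vpn ipsec ike-group IKE-1H proposal 1 dh-group '14'
delete security vpn ipsec esp-group ESP-1H proposal 2
set security vpn ipsec esp-group ESP-1H lifetime '3600'
set security vpn ipsec esp-group ESP-1H pfs 'dh-group14'
commit
```

After committing on both sides, "show vpn ipsec sa" should show the tunnel coming up with the negotiated cipher and hash filled in rather than n/a, and, per the reply, the IKEv2 negotiation will be logged in the auth log rather than where the pluto lines above appear.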