Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens. ../parentR1dcookie ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0) ../parentR1dcookie ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) ../parentR1dcookie ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0) ../parentR1dcookie ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) ../parentR1dcookie ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) ../parentR1dcookie ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) ../parentR1dcookie ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) | interface "eth0" matched right side ../parentR1dcookie added connection description "westnet--eastnet-ikev2" Pre-amble: #!-pluto-whack-file- recorded on east on 2008-01-17 15:33:58 ../parentR1dcookie listening for IKE messages RC=0 "westnet--eastnet-ikev2": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east,S=C]...192.1.2.45<192.1.2.45>[@west,S=C]===192.0.1.0/24; unrouted; eroute owner: #0 RC=0 "westnet--eastnet-ikev2": myip=unset; hisip=unset; RC=0 "westnet--eastnet-ikev2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 RC=0 "westnet--eastnet-ikev2": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_DISABLE+IKEv2ALLOW+IKEV2_PROPOSE; prio: 24,24; interface: eth0; RC=0 "westnet--eastnet-ikev2": newest ISAKMP SA: #0; newest IPsec SA: #0; | *received 668 bytes from 192.1.2.45:500 on eth0 (port=500) | 00 01 02 03 04 05 06 07 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 02 9c 22 80 01 94 | 02 00 00 28 01 01 00 04 03 00 00 08 01 00 00 0c | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 05 02 00 00 28 02 01 00 04 | 03 00 00 08 01 00 00 0c 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05 | 02 00 00 28 03 01 00 04 03 00 00 08 01 00 00 03 | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 05 02 00 00 28 04 01 00 04 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05 | 02 00 00 28 05 01 00 04 03 00 00 08 01 00 00 03 | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 02 02 00 00 28 06 01 00 04 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 02 | 02 00 00 28 07 01 00 04 03 00 00 08 01 00 00 0c | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 0e 02 00 00 28 08 01 00 04 | 03 00 00 08 01 00 00 0c 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 0e | 02 00 00 28 09 01 00 04 03 00 00 08 01 00 00 03 | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 0e 00 00 00 28 0a 01 00 04 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 0e | 28 00 00 c8 00 05 00 00 ff bc 6a 92 a6 b9 55 9b | 05 fa 96 a7 a4 35 07 b4 c1 e1 c0 86 1a 58 71 d9 | ba 73 a1 63 11 37 88 c0 de bb 39 79 e7 ff 0c 52 | b4 ce 60 50 eb 05 36 9e a4 30 0d 2b ff 3b 1b 29 | 9f 3b 80 2c cb 13 31 8c 2a b9 e3 b5 62 7c b4 b3 | 5e b9 39 98 20 76 b5 7c 05 0d 7b 35 c3 c5 c7 cc | 8c 0f ea b7 b6 4a 7d 7b 6b 8f 6b 4d ab f4 ac 40 | 6d d2 01 26 b9 0a 98 ac 76 6e fa 37 a7 89 0c 43 | 94 ff 9a 77 61 5b 58 f5 2d 65 1b bf a5 8d 2a 54 | 9a f8 b0 1a a4 bc a3 d7 62 42 66 63 b1 55 d4 eb | da 9f 60 a6 a1 35 73 e6 a8 88 13 5c dc 67 3d d4 | 83 02 99 03 f3 a9 0e ca 23 e1 ec 1e 27 03 31 b2 | d0 50 f4 f7 58 f4 99 27 2b 80 00 14 b5 ce 84 19 | 09 5c 6e 2b 6b 62 d3 05 53 05 b3 c4 00 00 00 10 | 4f 45 VENDOR | **parse ISAKMP Message: | initiator cookie: | 00 01 02 03 04 05 06 07 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA | ISAKMP version: IKEv2 version 2.0 (rfc4306) | exchange type: ISAKMP_v2_SA_INIT | flags: ISAKMP_FLAG_INIT | message ID: 00 00 00 00 | length: 668 | processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34) | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | v2 state object not found | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | v2 state object not found | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE | critical bit: Payload-Critical | length: 404 | processing payload: ISAKMP_NEXT_v2SA (len=404) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni | length: 200 | transform type: 5 | processing payload: ISAKMP_NEXT_v2KE (len=200) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2V | critical bit: Payload-Critical | length: 20 | processing payload: ISAKMP_NEXT_v2Ni (len=20) | ***parse IKEv2 Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE | critical bit: Payload-Non-Critical | length: 16 | processing payload: ISAKMP_NEXT_v2V (len=16) | find_host_connection called from ikev2parent_inI1outR1, me=192.1.2.23:500 him=192.1.2.45:500 policy=IKEv2ALLOW | find_host_pair: comparing to 192.1.2.23:500 192.1.2.45:500 | find_host_pair_conn (find_host_connection2): 192.1.2.23:500 192.1.2.45:500 -> hp:westnet--eastnet-ikev2 | searching for policy=IKEv2ALLOW, found=IKEv2ALLOW (westnet--eastnet-ikev2) | find_host_connection returns westnet--eastnet-ikev2 | found connection: westnet--eastnet-ikev2 | creating state object #1 at ADDR | interface "eth0" matched right side | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | inserting state object #1 on chain 4 | ikev2 secret_of_the_day used abcdabcdabcd, length 20 | busy mode on. receieved I1 without a valid dcookie | send a dcookie and forget this state ../parentR1dcookie sending notification v2N_COOKIE to 192.1.2.45:500 | **emit ISAKMP Message: | initiator cookie: | 00 01 02 03 04 05 06 07 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2N | ISAKMP version: IKEv2 version 2.0 (rfc4306) | exchange type: ISAKMP_v2_SA_INIT | flags: ISAKMP_FLAG_RESPONSE | message ID: 00 00 00 00 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_NONE | critical bit: Payload-Critical | Protocol ID: PROTO_ISAKMP | SPI size: 0 | Notify Message Type: v2N_COOKIE | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 1e f3 91 b5 a5 e2 49 40 b9 31 35 70 9f a1 19 3d | 44 2d 0a bc | emitting length of IKEv2 Notify Payload: 28 | emitting length of ISAKMP Message: 56 sending 56 bytes for send_v2_notification through eth0:500 to 192.1.2.45:500 (using #1) | 00 01 02 03 04 05 06 07 00 00 00 00 00 00 00 00 | 29 20 22 20 00 00 00 00 00 00 00 38 00 80 00 1c | 01 00 40 06 1e f3 91 b5 a5 e2 49 40 b9 31 35 70 | 9f a1 19 3d 44 2d 0a bc | complete v2 state transition with (null) RC=200 STATE_PARENT_R1: (null) | state transition function for STATE_PARENT_R1 failed: (null) | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 ../parentR1dcookie leak: msg_digest ../parentR1dcookie leak: myid string ../parentR1dcookie leak: my FQDN ../parentR1dcookie leak: host_pair ../parentR1dcookie leak: host ip ../parentR1dcookie leak: keep id name ../parentR1dcookie leak: host ip ../parentR1dcookie leak: keep id name ../parentR1dcookie leak: connection name ../parentR1dcookie leak: struct connection ../parentR1dcookie leak: policies path ../parentR1dcookie leak: ocspcerts path ../parentR1dcookie leak: aacerts path ../parentR1dcookie leak: certs path ../parentR1dcookie leak: private path ../parentR1dcookie leak: crls path ../parentR1dcookie leak: cacert path ../parentR1dcookie leak: acert path ../parentR1dcookie leak: 7 * default conf ../parentR1dcookie leak: 2 * hasher name TCPDUMP output reading from file parentR1dcookie.pcap, link-type NULL (BSD loopback) 20:00:00.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 84, bad cksum 0 (->f652)!) 192.1.2.23.500 > 192.1.2.45.500: [no cksum] isakmp 2.0 msgid 00000000 cookie 0001020304050607->0000000000000000: parent_sa ikev2_init[]: (n[C]: prot_id=isakmp type=16390(cookie) data=(1ef391b5a5e24940b93135709fa1193d442d0abc))