Parsing libreswan connection messages (also applies to freeswan and openswan)
The order of checkpoints for a Main Mode connection is:
[IKEv1 or IKEv2] => [phase 1 encryption algorithms] => [encryption key (Pre-Shared Key)] =>
[ID or FQDN] => [subnet parameters] => [phase 2 encryption algorithms] =>
[rules the local side runs once the connection is up (_updown)]
Notes:
1. Previously, [phase 2 encryption algorithms] came before [subnet parameters]
2. If the log shows the connection as established but it does not actually work, the _updown script is the most likely cause
3. Aggressive Mode compares the ID right at the start
Connection messages
Responder (passive side) phase 1
pluto[32031]: "test" #31: responding to Main Mode
pluto[32031]: "test" #31: WARNING: connection vigor PSK length of 10 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[32031]: "test" #31: sent Main Mode R1
pluto[32031]: "test" #31: sent Main Mode R2
pluto[32031]: "test" #31: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
pluto[32031]: "test" #31: Peer ID is ID_IPV4_ADDR: 'XX.XX.XX.XX'
(↑ the peer's connecting IP; if the peer sits behind NAT, this is also where to check it ↑)
pluto[32031]: "test" #31: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
(↑ the peer's phase 1 encryption settings & successful establishment ↑)
pluto[32031]: "test" #31: the peer proposed: 192.168.200.0/24 -<all>-> 192.168.100.0/24
Responder (passive side) phase 2
pluto[32031]: "test" #32: responding to Quick Mode proposal {msgid:6fb993a9}
pluto[32031]: "test" #32: us: 192.168.200.0/24===XX.XX.XX.XX[+S?C] them: XX.XX.XX.XX[+S?C]===192.168.100.0/24
(↑ the peer's subnet settings ↑)
pluto[32031]: "test" #32: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0x9d188d43 <0xaa47b62d xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
(↑ the peer's phase 2 encryption settings ↑)
pluto[32031]: "test" #32: IPsec SA established tunnel mode {ESP=>0x9d188d43 <0xaa47b62d xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
(↑ established successfully ↑)
Initiator (active side) phase 1
pluto[2219]: "test" #194: initiating IKEv1 Main Mode connection
pluto[2219]: "test" #194: sent Main Mode request
pluto[2219]: "test" #194: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[2219]: "test" #194: sent Main Mode I2
pluto[2219]: "test" #194: sent Main Mode I3
pluto[2219]: "test" #194: Peer ID is ID_IPV4_ADDR: '對方ip'
(↑ the peer's connecting IP; if the peer sits behind NAT, this is also where to check it ↑)
pluto[2219]: "test" #194: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
(↑ established successfully & encryption settings ↑)
Initiator (active side) phase 2
pluto[2219]: "test" #199: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#198 msgid:72ade70d proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #199: sent Quick Mode request
pluto[2219]: "test" #199: IPsec SA established tunnel mode {ESP=>0xd6a277d1 <0x10fd9e2a xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
(↑ established successfully & encryption settings ↑)
IKEv2 connection
(19570 is the initiator's phase 1, 19571 is the responder's phase 1)
(19572 is the initiator's phase 2, 19574 is the responder's phase 2)
pluto[25600]: "test": IKE SA proposals (connection add):
pluto[25600]: "test": 1:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024
pluto[25600]: "test": Child SA proposals (connection add):
pluto[25600]: "test": 1:ESP=AES_CBC_128-HMAC_SHA2_256_128-NONE-ENABLED+DISABLED
pluto[25600]: "test": added IKEv2 connection
pluto[25600]: "test" #19570: initiating IKEv2 connection
pluto[25600]: "test" #19570: sent IKE_SA_INIT request to 對方的ip:500
pluto[25600]: "test" #19571: proposal 1:IKE=AES_CBC_128-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP1024 chosen from remote proposals 1:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024[first-match]
pluto[25600]: "test" #19570: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[25600]: "test" #19570: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
(phase 1 encryption settings)
pluto[25600]: "test" #19571: sent IKE_SA_INIT reply {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
(phase 1 encryption settings)
pluto[25600]: "test" #19570: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[25600]: "test" #19570: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '對方的ip'
(phase 1 established)
pluto[25600]: "test" #19572: initiator established Child SA using #19570; IPsec tunnel [192.168.16.0-192.168.16.255:0-65535 0] -> [192.168.161.0-192.168.161.255:0-65535 0] {ESP/ESN=>0x97a0fd13 <0x58707730 xfrm=AES_CBC_128-HMA
(phase 2 established, with subnet information and encryption settings)
pluto[25600]: "test" #19571: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
pluto[25600]: "test" #19571: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[25600]: "test" #19571: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '對方的ip'
pluto[25600]: "test" #19571: WARNING: '自己的ip' PSK length of 10 bytes is too short for PRF HMAC_SHA2_256 in FIPS mode (16 bytes required)
pluto[25600]: "test" #19574: proposal 1:ESP=AES_CBC_128-HMAC_SHA2_256_128-ENABLED SPI=f4cb0b42 chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_256_128;ESN=ENABLED;ESN=DISABLED[first-match]
pluto[25600]: "test" #19574: responder established Child SA using #19571; IPsec tunnel [192.168.16.0-192.168.16.255:0-65535 0] -> [192.168.161.0-192.168.161.255:0-65535 0] {ESP/ESN=>0xf4cb0b42 <0xe01e4f1d xfrm=AES_CBC_128-HMA
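The annotations above point at where the peer's ID, the phase 1 algorithms, the subnets and the phase 2 transform appear in the log; the same fields can be extracted mechanically and audited. The following Python is an added example written for these notes, not code from libreswan: it parses the IKEv1 and IKEv2 "established" line formats shown above (including the `us: ... them: ...` selector line and the IKEv2 traffic-selector form), keeps the last values seen per connection name, and flags parameters that deserve a second look. The sample lines it runs on are constructed from the formats on this page, with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) in place of real peers; the weak-parameter list (MODP1024/MODP768 and 3DES/DES) is my own audit choice, not something the page states.

```python
import re
from collections import defaultdict

# Added example, not libreswan code: pull the facts the annotations above point
# at (peer ID, phase 1 algorithms, subnets, phase 2 transform, SPIs) out of the
# "established" lines and flag parameters worth a second look. SAMPLE_LOG is
# constructed from the formats on this page, using RFC 5737 documentation
# addresses in place of real peers.

# pluto[<pid>]: "<conn>" #<state>: <message>   (a syslog prefix may precede it)
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: (?P<msg>.*)$')
# key=value settings; the lookahead skips "ESP=>0x...", which is an SPI, not a setting
KV_RE = re.compile(r'(\w+)=(?!>)([^\s{}]+)')
SPI_RE = re.compile(r'ESP(?:/ESN)?=>0x([0-9a-f]+) <0x([0-9a-f]+)', re.I)
PEER_ID_RE = re.compile(r"\b(ID_\w+):? '([^']*)'")
# IKEv1 Quick Mode: us: <subnet>===<ip>[+S?C] them: <ip>[+S?C]===<subnet>
US_THEM_RE = re.compile(r'us: (\S+?)===.*? them: .*?===(\S+)')
# IKEv2 Child SA: [lo-hi:ports proto] -> [lo-hi:ports proto]
TS_RE = re.compile(r'\[(\S+)-(\S+):\S+ \d+\] -> \[(\S+)-(\S+):\S+ \d+\]')

IKE_MARKERS = ("IKE SA established", "established IKE SA",
               "sent IKE_AUTH request", "sent IKE_SA_INIT reply")
CHILD_MARKERS = ("IPsec SA established", "established Child SA")
# Values that should no longer be in a live SA (1024-bit DH, 3DES/DES); my choice.
WEAK = {"group": {"MODP1024", "MODP768"}, "cipher": {"3DES_CBC", "DES_CBC"}}


def parse_line(line):
    """Return (conn, state, msg) for a pluto connection line, else None."""
    m = PLUTO_RE.search(line)
    if not m:
        return None
    state = int(m.group("state")) if m.group("state") else None
    return m.group("conn"), state, m.group("msg")


def kv_params(msg):
    """key=value pairs inside {...}, or from the whole message if there are no
    braces. A line truncated after the opening brace still yields what it has."""
    start, end = msg.find("{"), msg.rfind("}")
    if start != -1:
        msg = msg[start + 1:end] if end > start else msg[start + 1:]
    return dict(KV_RE.findall(msg))


def _warn(rec, text):
    if text not in rec["warnings"]:
        rec["warnings"].append(text)


def summarize(lines):
    """Per-connection summary of what was negotiated, plus audit warnings."""
    out = defaultdict(lambda: {"ike": {}, "ipsec": {}, "subnets": None,
                               "peer_id": None, "warnings": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        conn, _state, msg = parsed
        rec = out[conn]
        if any(k in msg for k in IKE_MARKERS):
            rec["ike"].update(kv_params(msg))
        if any(k in msg for k in CHILD_MARKERS):
            rec["ipsec"].update(kv_params(msg))
            spi = SPI_RE.search(msg)
            if spi:
                rec["ipsec"]["spi_out"], rec["ipsec"]["spi_in"] = spi.groups()
            ts = TS_RE.search(msg)
            if ts:
                rec["subnets"] = (f"{ts[1]}-{ts[2]}", f"{ts[3]}-{ts[4]}")
        us = US_THEM_RE.search(msg)
        if us:
            rec["subnets"] = (us[1], us[2])
        peer = PEER_ID_RE.search(msg)
        if peer:
            rec["peer_id"] = (peer[1], peer[2])
        if "PSK length" in msg and "too short" in msg:
            _warn(rec, "PSK shorter than 16 bytes")
    for rec in out.values():
        for key, bad in WEAK.items():
            if rec["ike"].get(key) in bad:
                _warn(rec, f"weak IKE {key}: {rec['ike'][key]}")
        xfrm = rec["ipsec"].get("xfrm", "")
        if any(b in xfrm for b in WEAK["cipher"]):
            _warn(rec, f"weak ESP transform: {xfrm}")
    return dict(out)


# Constructed sample, modelled on the IKEv1 and IKEv2 lines on this page.
SAMPLE_LOG = """\
pluto[32031]: "test" #31: responding to Main Mode
pluto[32031]: "test" #31: WARNING: connection test PSK length of 10 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[32031]: "test" #31: Peer ID is ID_IPV4_ADDR: '203.0.113.10'
pluto[32031]: "test" #31: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
pluto[32031]: "test" #32: us: 192.168.200.0/24===198.51.100.5[+S?C] them: 203.0.113.10[+S?C]===192.168.100.0/24
pluto[32031]: "test" #32: IPsec SA established tunnel mode {ESP=>0x9d188d43 <0xaa47b62d xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
pluto[25600]: "v2" #19570: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
pluto[25600]: "v2" #19570: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '203.0.113.20'
pluto[25600]: "v2" #19572: initiator established Child SA using #19570; IPsec tunnel [192.168.16.0-192.168.16.255:0-65535 0] -> [192.168.161.0-192.168.161.255:0-65535 0] {ESP/ESN=>0x97a0fd13 <0x58707730 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
""".splitlines()

if __name__ == "__main__":
    for name, rec in summarize(SAMPLE_LOG).items():
        print(name, rec)
```

Running it prints one record per connection name. Because a tunnel rekeys many times in a long log, each record keeps the last values seen; a line cut off after the opening brace, like the IKEv2 Child SA lines above, still yields the fields before the cut.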
Initiating a disconnect (local side)
pluto[2219]: "test": terminating SAs using this connection
Rekey messages
Initiator (active side) phase 1 rekey
pluto[2219]: "test" #233: initiating IKEv1 Main Mode connection to replace #232
pluto[2219]: "test" #233: sent Main Mode request, replacing #232
pluto[2219]: "test" #233: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[2219]: "test" #233: sent Main Mode I2
pluto[2219]: "test" #233: sent Main Mode I3
pluto[2219]: "test" #233: Peer ID is ID_IPV4_ADDR: '對方ip'
pluto[2219]: "test" #233: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
Initiator (active side) phase 2 rekey
pluto[2219]: "test" #234: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES to replace #231 {using isakmp#233 msgid:22b65fd2 proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #234: sent Quick Mode request, to replace #231
pluto[2219]: "test" #234: IPsec SA established tunnel mode {ESP=>0xa4c3f9f2 <0x32a86927 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
Responder (passive side) phase 1 rekey
pluto[1677]: "test" #224: responding to Main Mode
pluto[1677]: "test" #224: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[1677]: "test" #224: sent Main Mode R1
pluto[1677]: "test" #224: sent Main Mode R2
pluto[1677]: "test" #224: Peer ID is ID_IPV4_ADDR: '對方ip'
pluto[1677]: "test" #224: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
Responder (passive side) phase 2 rekey
pluto[1677]: "test" #225: the peer proposed: 192.168.83.0/24 -<all>-> 192.168.22.0/24
pluto[1677]: "test" #226: responding to Quick Mode proposal {msgid:0fada115}
pluto[1677]: "test" #226: us: 192.168.83.0/24===自己ip[+S?C] them: 對方ip[+S?C]===192.168.22.0/24
pluto[1677]: "test" #226: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0xae86187a <0x786e6b10 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
pluto[1677]: "test" #226: IPsec SA established tunnel mode {ESP=>0xae86187a <0x786e6b10 xfrm=AES_CBC_128-HMAC_SHA2_256_128 DPD=active}
Error messages
Incoming connection from the peer with no matching configuration
pluto[1677]: packet from 對方ip:500: initial Aggressive Mode message from 對方ip:500 but no (wildcard) connection has been configured with authby PSK
Initiator phase 1 rekey, but the peer does not respond
pluto[32031]: "test" #26: initiating IKEv1 Main Mode connection to replace #19
pluto[32031]: "test" #26: sent Main Mode request, replacing #19
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
pluto[32031]: "test" #26: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message
pluto[32031]: "test" #26: starting keying attempt 2 of an unlimited number
Initiator phase 2 rekey, but the peer does not respond
pluto[32031]: "test" #34: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES to replace #33 {using isakmp#31 msgid:4cd7380f proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[32031]: "test" #34: sent Quick Mode request, to replace #33
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
pluto[32031]: "test" #34: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits
pluto[32031]: "test" #34: starting keying attempt 3 of an unlimited number
DPD cannot find the phase 1 state (leads to disconnection)
pluto[32031]: "test" #25: DPD: could not find newest phase 1 state - initiating a new one
pluto[32031]: "test" #25: DPD action - clearing connection kind CK_PERMANENT
pluto[32031]: "test" #25: deleting state (STATE_QUICK_R2) aged 620.985747s and NOT sending notification
pluto[32031]: "test" #25: ESP traffic information: in=0B out=0B
IPsec key mismatch, or key too short (the password must be at least 16 characters)
pluto[3617]: "test" #552: responding to Main Mode from unknown peer XX.XX.XX.XX:500 (responder)
pluto[3617]: "test" #552: sent Main Mode R1
pluto[3617]: "test" #552: sent Main Mode R2
pluto[3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
pluto[3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 1 seconds for response
pluto[3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 2 seconds for response
pluto[3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[3617]: "test" #552: STATE_MAIN_R2: retransmission; will wait 4 seconds for response
pluto[3617]: "test" #552: 35129-byte length of ISAKMP Identification Payload is larger than can fit
pluto[3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Phase 1 encryption mismatch (initiator) (the log does not reveal which algorithms are required)
pluto[2219]: "test" #14: initiating IKEv1 Main Mode connection
pluto[2219]: "test" #14: sent Main Mode request
pluto[2219]: "test" #14: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #14: received and ignored notification payload: NO_PROPOSAL_CHOSEN
Phase 1 encryption mismatch (responder) (the log reveals which algorithms are required)
pluto[2219]: "test" #13: responding to Main Mode
pluto[2219]: "test" #13: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[2219]: "test" #13: Oakley Transform [AES_CBC (128), HMAC_SHA2_256, MODP1024] refused
pluto[2219]: "test" #13: no acceptable Oakley Transform
pluto[2219]: "test" #13: sending notification NO_PROPOSAL_CHOSEN to 172.19.100.83:500
Phase 2 encryption mismatch (initiator)
pluto[2219]: "test" #195: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#194 msgid:c06ac5a5 proposal=3DES_CBC-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #195: sent Quick Mode request
pluto[2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
pluto[2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
pluto[2219]: "test" #194: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
Phase 2 encryption mismatch (responder)
pluto[1677]: "test" #186: no acceptable Proposal in IPsec SA
pluto[1677]: "test" #186: sending encrypted notification NO_PROPOSAL_CHOSEN to 172.19.100.22:500
pluto[1677]: "test" #186: deleting state (STATE_QUICK_R0) aged 0.010324s and NOT sending notification
Subnet misconfiguration (initiator)
pluto[2219]: "test" #205: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#204 msgid:5200adf4 proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #205: sent Quick Mode request
pluto[2219]: "test" #204: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
pluto[2219]: "test" #204: received and ignored notification payload: INVALID_ID_INFORMATION
pluto[2219]: "test" #205: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Subnet misconfiguration (responder) (the log reveals which subnets are required)
pluto[1677]: "test" #195: the peer proposed: 192.168.84.0/24 -<all>-> 192.168.22.0/24
(↑ the peer's subnet settings can be seen here ↑)
pluto[1677]: "test" #195: cannot respond to IPsec SA request because no connection is known for 192.168.84.0/24===XX.XX.XX.XX[+S?C]...XX.XX.XX.XX[+S?C]===192.168.22.0/24
pluto[1677]: "test" #195: sending encrypted notification INVALID_ID_INFORMATION to 對方ip:500
ID mismatch (initiator)
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: initiating IKEv1 Main Mode connection
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode request
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode I2
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: sent Main Mode I3
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: received and ignored notification payload: INVALID_ID_INFORMATION
Nov 7 04:45:35 UTM authpriv.warn pluto[2219]: "test" #206: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
ID mismatch (responder) (the log reveals which ID is required)
pluto[1677]: "test" #196: responding to Main Mode
pluto[1677]: "test" #196: WARNING: connection test PSK length of 8 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
pluto[1677]: "test" #196: sent Main Mode R1
pluto[1677]: "test" #196: sent Main Mode R2
pluto[1677]: "test" #196: Peer ID is ID_FQDN: '@111'
(the peer's ID)
pluto[1677]: "test" #196: Peer ID '@111' mismatched on first found connection and no better connection found
pluto[1677]: "test" #196: sending encrypted notification INVALID_ID_INFORMATION to 172.19.100.22:500
pluto[1677]: "test" #196: STATE_MAIN_R2: retransmission; will wait 0.5 seconds for response
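The error sections above pair each failure with the checkpoint it trips. The responder logs the reason directly (`no acceptable Oakley Transform`, `Peer ID ... mismatched`, `no connection is known for`, `no acceptable Proposal in IPsec SA`), while the initiator only sees the peer's NO_PROPOSAL_CHOSEN or INVALID_ID_INFORMATION notify; whether that notify means phase 1 or phase 2 is told by whether the ISAKMP SA it arrives on (#194 and #204 above) has already completed Main Mode. The following Python is an added example written for these notes, not libreswan's own tooling: it encodes that reading as rules and applies it to a log excerpt, tracking which ISAKMP states are established so the ambiguous notifies land on the right gate. The stage names are mine, and the sample lines are constructed from the formats on this page with RFC 5737 documentation addresses in place of real peers.

```python
import re

# Added example, not libreswan code: map pluto failure messages onto the
# checkpoint order at the top of these notes (phase 1 crypto -> PSK -> ID ->
# subnets -> phase 2 crypto) so a log excerpt says which gate failed. The
# stage names are mine; SAMPLE_LOG is constructed from the formats on this
# page with RFC 5737 documentation addresses in place of real peers.

# pluto[<pid>]: "<conn>" #<state>: <msg>   or   pluto[<pid>]: packet from ...
PLUTO_RE = re.compile(
    r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"(?: #(?P<state>\d+))?: )?(?P<msg>.*)$')
ISAKMP_RE = re.compile(r"using isakmp#(\d+)")
NOTIFY_PREFIX = "received and ignored notification payload: "

# Responder-side messages name the failing gate directly.
RESPONDER_RULES = [
    ("no (wildcard) connection has been configured", "connection",
     "no configured connection matches this peer / authby"),
    ("no acceptable Oakley Transform", "phase1-crypto",
     "we rejected the peer's phase 1 proposal"),
    ("mismatch of preshared secrets", "psk",
     "PSK mismatch: the ID payload did not decrypt to anything sane"),
    ("mismatched on first found connection", "id",
     "peer ID matches no connection"),
    ("no connection is known for", "subnet",
     "peer's subnets match no connection"),
    ("no acceptable Proposal in IPsec SA", "phase2-crypto",
     "we rejected the peer's phase 2 proposal"),
    ("DPD: could not find newest phase 1 state", "dpd",
     "DPD lost the phase 1 state; the tunnel is torn down"),
]


def classify(state, msg, established):
    """Return (stage, finding) for one message, or None if it is not a failure.

    The initiator only sees the peer's notify: NO_PROPOSAL_CHOSEN or
    INVALID_ID_INFORMATION means phase 2 when the ISAKMP SA it arrives on has
    already completed phase 1, and phase 1 otherwise."""
    for needle, stage, finding in RESPONDER_RULES:
        if needle in msg:
            return stage, finding
    if msg.startswith(NOTIFY_PREFIX):
        notify, phase2 = msg[len(NOTIFY_PREFIX):], state in established
        if notify == "NO_PROPOSAL_CHOSEN":
            return (("phase2-crypto", "peer rejected our phase 2 proposal") if phase2
                    else ("phase1-crypto", "peer rejected our phase 1 proposal"))
        if notify == "INVALID_ID_INFORMATION":
            return (("subnet", "peer rejected our phase 2 selectors") if phase2
                    else ("id", "peer rejected our ID"))
    if "timeout exceeded after" in msg:
        phase = "phase2" if "STATE_QUICK" in msg else "phase1"
        return phase + "-no-response", "peer never answered; retransmits exhausted"
    if "PSK length of" in msg and "too short" in msg:
        return "psk", "PSK shorter than the 16-byte FIPS minimum"
    return None


def diagnose(lines):
    """Walk a log excerpt in order; return one finding per distinct failure."""
    established = set()   # ISAKMP SA state numbers that finished phase 1
    findings = []
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        state = int(m.group("state")) if m.group("state") else None
        if "IKE SA established" in msg or "established IKE SA" in msg:
            established.add(state)
        isakmp = ISAKMP_RE.search(msg)   # Quick Mode names the phase 1 SA it uses
        if isakmp:
            established.add(int(isakmp.group(1)))
        hit = classify(state, msg, established)
        if hit:
            finding = {"conn": conn, "state": state, "stage": hit[0], "finding": hit[1]}
            if finding not in findings:  # retransmits repeat the same notify
                findings.append(finding)
    return findings


# Constructed sample: one line or two from each error scenario on this page.
SAMPLE_LOG = """\
pluto[2219]: "test" #14: initiating IKEv1 Main Mode connection
pluto[2219]: "test" #14: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #194: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP1024}
pluto[2219]: "test" #195: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#194 msgid:c06ac5a5 proposal=3DES_CBC-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #195: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[2219]: "test" #194: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[2219]: "test" #206: sent Main Mode I3
pluto[2219]: "test" #206: received and ignored notification payload: INVALID_ID_INFORMATION
pluto[2219]: "test" #205: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+UP+ESN_NO+ESN_YES {using isakmp#204 msgid:5200adf4 proposal=AES_CBC_128-HMAC_SHA2_256_128 pfsgroup=no-pfs}
pluto[2219]: "test" #204: received and ignored notification payload: INVALID_ID_INFORMATION
pluto[3617]: "test" #552: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
pluto[1677]: "test" #196: Peer ID '@111' mismatched on first found connection and no better connection found
pluto[1677]: "test" #195: cannot respond to IPsec SA request because no connection is known for 192.168.84.0/24===198.51.100.5[+S?C]...203.0.113.10[+S?C]===192.168.22.0/24
pluto[1677]: "test" #186: no acceptable Proposal in IPsec SA
pluto[2219]: "test" #13: no acceptable Oakley Transform
pluto[32031]: "test" #26: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv1 message
pluto[32031]: "test" #34: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits
pluto[32031]: "test" #25: DPD: could not find newest phase 1 state - initiating a new one
pluto[1677]: packet from 203.0.113.10:500: initial Aggressive Mode message from 203.0.113.10:500 but no (wildcard) connection has been configured with authby PSK
""".splitlines()

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['conn']!s:6} #{f['state']!s:5} {f['stage']:20} {f['finding']}")
```

The one gate this cannot see is the last one in the list: an _updown failure shows up as an established SA that carries no traffic, which is why note 2 at the top matters, and a check for it has to look at the ESP traffic counters or the routing table rather than at these lines.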
Other messages
Deleting the phase 1 key (responder)
pluto[32031]: "test" #26: deleting state (STATE_MAIN_R3) aged 3600.013651s and sending notification
Deleting the phase 2 key (responder)
pluto[32031]: "test" #20: deleting state (STATE_QUICK_R2) aged 3599.763442s and sending notification
Deleting the phase 1 key (initiator)
pluto[32031]: "test" #28: deleting state (STATE_MAIN_I1) aged 64.016067s and NOT sending notification
Deleting the phase 2 key (initiator)
pluto[32031]: "test" #33: deleting state (STATE_QUICK_I1) aged 64.011057s and NOT sending notification
Received a packet from the peer requesting disconnection
pluto[32031]: "test" #19: received Delete SA(0x9d188d3f) payload: deleting IPsec State #20
pluto[32031]: "test" #20: deleting state (STATE_QUICK_R2) aged 3599.763442s and sending notification
pluto[32031]: "test" #20: ESP traffic information: in=134B out=0B
pluto[32031]: "test" #19: IKE SA expired (LATEST!)
pluto[32031]: "test" #19: deleting state (STATE_MAIN_R3) aged 3600.065787s and sending notification
pluto[32031]: "test" #19: deleting ISAKMP SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS