Configuration Instructions
for
Lobotomo Software
June 17, 2009
Legal Disclaimer
Lobotomo Software (subsequently called "Author") reserves the right not to be responsible for the
topicality, correctness, completeness or quality of the information provided. Liability claims regarding
damage caused by the use of any information provided, including any kind of information which is
incomplete or incorrect, will therefore be rejected. All offers are not-binding and without obligation.
Parts of the document or the complete publication including all offers and information might be
extended, changed or partly or completely deleted by the author without separate announcement.
Referrals
The author is not responsible for any contents referred to or any links to pages of the World Wide Web
in this document. If any damage occurs by the use of information presented there, only the author of
the respective documents or pages might be liable, not the one who has referred or linked to these
documents or pages.
Copyright
The author intended not to use any copyrighted material for the publication or, if not possible, to
indicate the copyright of the respective object. The copyright for any material created by the author is
reserved. Any duplication or use of such diagrams, sounds or texts in other electronic or printed
publications is not permitted without the author's agreement.
Legal force of this disclaimer
This disclaimer is to be regarded as part of this document. If sections or individual formulations of this
text are not legal or correct, the content or validity of the other parts remain uninfluenced by this fact.
Table of contents
Introduction ..... 1
Cisco PIX VPN Setup (Device Manager 3.0) ..... 1
  Login ..... 1
  Edit IPSec Policies ..... 2
  Add new IPSec Rule ..... 3
  Add new Tunnel Policy ..... 4
  Save new IPSec Rule ..... 5
  Add IKE Policy ..... 6
  Edit IKE Policy ..... 7
  Add Preshared Key ..... 8
  Enter Pre-Shared Key ..... 9
  Enable Firewall Bypass for IPSec Traffic ..... 10
  Enable Management Access through IPSec ..... 11
Diagnosis ..... 16
  Reachability Test ..... 16
  Sample Cisco PIX Log Output ..... 16
  Sample IPSecuritas Log Output ..... 18
Cisco PIX
Introduction
This document describes the steps necessary to establish a protected VPN connection between a Mac
client and a Cisco PIX router/firewall. All information in this document is based on the following
assumed network.
[Network diagram: Roadwarrior (Dial-Up or Broadband) -- Internet -- Cisco PIX -- Remote LAN 10.1.12.0/24]
This setup guide has been written for and tested with a Cisco PIX 501 with firmware version 6.3, but it
should also work with the other Series 500 models.
Please send comments and corrections to lobotomo@lobotomo.com.
Login
Please connect to your Cisco router with a web browser and enter a user name and password with
administrative permissions.
In the main window that appears after login, press the Configuration button in the toolbar.
button on the top left side to add a new IPSec rule. A new window
The new policy should now appear in the policy list. Please make the following changes to the IKE
settings:
1.
2.
3.
The new pre-shared key will now appear in the list of pre-shared keys. Press Apply to save your
changes.
Please enter your telnet password at the prompt. Next, enable the administrative commands on the
PIX:
pixfirewall> enable
Password: ***************
crypto
crypto
crypto
crypto
crypto
isakmp enable outside
isakmp key PASSWORD address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
Please replace PASSWORD with a safe preshared key (a secret password) and remember it for the
setup of IPSecuritas.
Now set up the access list entry for VPN traffic destined for your local network:
Omit the first line if you are not using NAT in your setup.
Enable management through IPSec tunnels. This step is optional but will allow you to ping the inside
interface and run the Device Manager GUI through a VPN tunnel from remote places:
management-access inside
icmp permit any inside
write mem
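As an added example that is not part of the original guide, the following Python script parses the isakmp lines above and reports the settings a defender would review before deploying them: the 768-bit DH group 1 and 3DES chosen in this guide, the wildcard pre-shared key that any peer knowing the secret may use, the no-xauth flag, and a placeholder secret. The configuration embedded in the script is constructed from the commands shown in this guide.

```python
# Constructed sample that mirrors the isakmp commands from this guide.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key PASSWORD address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
management-access inside
icmp permit any inside
"""

# IKE attribute values worth flagging: DH group 1 is 768-bit MODP, 3DES/DES
# and MD5 are legacy algorithms, and a lifetime above one day keeps a single
# phase 1 key in use for too long.
WEAK_GROUPS = {"1"}
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
MAX_LIFETIME = 86400


def parse_isakmp(config_text):
    """Return (policies, keys): policies maps priority -> {attribute: value};
    keys is a list of (secret, address, netmask, flags) tuples."""
    policies, keys = {}, []
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:2] == ["isakmp", "policy"] and len(parts) >= 5:
            policies.setdefault(parts[2], {})[parts[3]] = parts[4]
        elif parts[:2] == ["isakmp", "key"] and len(parts) >= 7:
            # isakmp key <secret> address <addr> netmask <mask> [flags ...]
            keys.append((parts[2], parts[4], parts[6], parts[7:]))
    return policies, keys


def audit_isakmp(config_text):
    """Return a list of human-readable findings for a PIX isakmp configuration."""
    policies, keys = parse_isakmp(config_text)
    findings = []
    for prio, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if attrs.get("group") in WEAK_GROUPS:
            findings.append(f"policy {prio}: DH group {attrs['group']} (768-bit MODP) is weak")
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"policy {prio}: encryption {attrs['encryption']} is a legacy cipher")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"policy {prio}: hash {attrs['hash']} is a legacy hash")
        if int(attrs.get("lifetime", "0")) > MAX_LIFETIME:
            findings.append(f"policy {prio}: lifetime {attrs['lifetime']} exceeds {MAX_LIFETIME}s")
    for secret, addr, mask, flags in keys:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            findings.append("wildcard pre-shared key: any peer that knows the secret can negotiate")
        if "no-xauth" in flags:
            findings.append("no-xauth: the pre-shared key is the only client authentication")
        if secret == "PASSWORD" or len(secret) < 16:
            findings.append("pre-shared key is a placeholder or shorter than 16 characters")
    return findings


if __name__ == "__main__":
    for finding in audit_isakmp(SAMPLE_CONFIG):
        print("-", finding)
```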
IPSecuritas Setup
This section describes the steps necessary to set up IPSecuritas to connect to the Cisco PIX router.
Start Wizard
Unless it is already running, you should start IPSecuritas now. Change to the Connections menu and
select Edit Connections (or press ⌘-E). Start the Wizard by clicking on the following symbol:
Diagnosis
Reachability Test
To test reachability of the remote host, open a Terminal window (Utilities -> Terminal) and enter
the command ping, followed by the Cisco PIX local IP address. If the tunnel works correctly, output
similar to the following is displayed (NOTE: the Cisco PIX will only respond to ping packets if
management access is enabled on the inside (or LAN) interface):
[MacBook:~] root# ping 10.1.12.1
PING 10.1.12.1 (10.1.12.1): 56 data bytes
64 bytes from 10.1.12.1: icmp_seq=0 ttl=64 time=13.186 ms
64 bytes from 10.1.12.1: icmp_seq=1 ttl=64 time=19.290 ms
64 bytes from 10.1.12.1: icmp_seq=2 ttl=64 time=12.823 ms
Sample Cisco PIX Log Output
Please enter your telnet password at the prompt. Next, enable the administrative commands on the
PIX:
pixfirewall> enable
Password: ***************
Enter the following command to enable log output for IKE and IPSec:
Now start IPSec in IPSecuritas. You should see a similar output after a successful connection attempt:
crypto_isakmp_process_block:src:192.168.215.1, dest:192.168.215.235 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:
ISAKMP:
ISAKMP:      auth pre-share
ISAKMP:      hash SHA
ISAKMP:      default group 1
        : 17
        : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:192.168.215.1/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:192.168.215.1/4500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:192.168.215.1, dest:192.168.215.235 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 3178223285
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:192.168.215.1, dest:192.168.215.235 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3285749123
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:
ISAKMP:
ISAKMP:      encaps is 61443
ISAKMP:      authenticator is HMAC-SHA
192.168.5.2 to 10.1.12.0)
10.1.12.0 to 192.168.5.2)
Sample IPSecuritas Log Output
lifebyte = 0
encklen=0
p:1 t:1
3DES-CBC(5)
SHA(2)
768-bit MODP group(1)
pre-shared key(1)
compression algorithm can not be checked because sadb message doesn't support it.
parse successed.
open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jun 24, 18:30:21
===
initiate new phase 1 negotiation: 192.168.215.1[500]<=>192.168.215.235[500]
895769d61b7501f9
add payload of len 52, next type 13
sockname 192.168.215.1[500]
send packet from 192.168.215.1[500]
===
124 bytes message received from 192.168.215.235[500] to 192.168.215.1[500]
begin.
seen nptype=1(sa)
seen nptype=13(vid)
seen nptype=13(vid)
succeed.
received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
begin.
seen nptype=2(prop)
succeed.
proposal #1 len=44
begin.
seen nptype=3(trns)
succeed.
transform #1 len=36
Compared: DB:Peer
(lifetime = 86400:86400)
(lifebyte = 0:0)
enctype = 3DES-CBC:3DES-CBC
(encklen = 0:0)
hashtype = SHA:SHA
sockname 192.168.215.1[500]
send packet from 192.168.215.1[500]
31515ccd
resend phase1 packet 895769d61b7501f9:e459750f8040831f
===
272 bytes message received from 192.168.215.235[500] to 192.168.215.1[500]
seen nptype=4(ke)
seen nptype=10(nonce)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=13(vid)
seen nptype=130(nat-d)
seen nptype=130(nat-d)
succeed.
received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
===
compute DH's shared.
hmac(hmac_sha1)
SKEYID computed:
SKEYID_d computed:
hmac(hmac_sha1)
SKEYID_a computed:
SKEYID_e computed:
encryption(3des)
hash(sha1)
len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
hmac(hmac_sha1)
encryption(3des)
IV computed:
2bb9c289 ba8edf7a
use ID type of IPv4_address
HASH with:
hmac(hmac_sha1)
HASH (init) computed:
encryption(3des)
pad length = 4
encryption(3des)
with key:
2bb9c289 ba8edf7a
save IV for next:
76577f6d 2410a158
encrypted.
sockname 192.168.215.1[4500]
send packet from 192.168.215.1[4500]
76577f6d 2410a158
resend phase1 packet 895769d61b7501f9:e459750f8040831f
===
68 bytes message received from 192.168.215.235[4500] to 192.168.215.1[4500]
cc00e593
begin decryption.
encryption(3des)
IV was saved for next processing:
b79b64c1 cc00e593
encryption(3des)
with key:
730997ef 00000000
padding len=1
00000000
begin.
seen nptype=5(id)
seen nptype=8(hash)
succeed.
HASH received:
01110000 c0a8d7eb
===
encryption(3des)
phase2 IV computed:
8b9ab957 8319c497
HASH with:
HASH computed:
begin encryption.
encryption(3des)
pad length = 4
with key:
encrypted.
Adding NON-ESP marker
===
===
receive Information.
compute IV for phase2
hash(sha1)
encryption(3des)
phase2 IV computed:
14b2d52a e9748aef
begin decryption.
encryption(3des)
encryption(3des)
with key:
14b2d52a e9748aef
decrypted payload, but not trimed.
padding len=1
skip to trim padding.
decrypted.
IV freed
HASH with:
HASH computed:
hash validated.
begin.
seen nptype=8(hash)
seen nptype=11(notify)
succeed.
call pfkey_send_dump
===
begin QUICK mode.
hash(sha1)
encryption(3des)
phase2 IV computed:
05e2f150 a8a3bdfc
call pfkey_send_getspi
pfkey GETSPI sent: ESP/Tunnel 192.168.215.235[0]->192.168.215.1[0]
spi=117097157(0x6fac2c5)
Jun 24, 18:30:22
IDci:
01000000 c0a80502
IDcr:
04000000 0a010c00 ffffff00
HASH with:
0a010c00 ffffff00
hmac(hmac_sha1)
HASH computed:
encryption(3des)
pad length = 4
encryption(3des)
with key:
05e2f150 a8a3bdfc
save IV for next:
b3e239ab be3fe574
encrypted.
sockname 192.168.215.1[4500]
send packet from 192.168.215.1[4500]
===
204 bytes message received from 192.168.215.235[4500] to 192.168.215.1[4500]
encryption(3des)
IV was saved for next processing:
c86eeda5 50715e64
encryption(3des)
with key:
seen nptype=8(hash)
seen nptype=1(sa)
seen nptype=10(nonce)
seen nptype=5(id)
seen nptype=5(id)
seen nptype=11(notify)
succeed.
Notify Message received
HASH with:
00465000
hmac(hmac_sha1)
HASH computed:
total SA len=48
seen nptype=2(prop)
succeed.
proposal #1 len=40
begin.
seen nptype=3(trns)
succeed.
transform #1 len=28
type=SA Life Type, flag=0x8000, lorv=seconds
pair 1:
0x30a0d0: next=0x0 tnext=0x0
begin.
seen nptype=2(prop)
succeed.
proposal #1 len=40
begin.
seen nptype=3(trns)
succeed.
transform #1 len=28
pair[1]: 0x30a0e0
0x30a0e0: next=0x0 tnext=0x0
my single bundle:
(proto_id=ESP spisize=4 spi=06fac2c5 spi_p=00000000 encmode=UDP-Tunnel reqid=610:609)
===
HASH(3) generate
HASH with:
09bc33cd 5173d78a 0f
hmac(hmac_sha1)
HASH computed:
encryption(3des)
pad length = 8
with key:
encrypted.
Adding NON-ESP marker
hmac(hmac_sha1)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
hmac(hmac_sha1)
hmac(hmac_sha1)
hmac(hmac_sha1)
09bc33cd 5173d78a 0f
hmac(hmac_sha1)
encryption(3des)
hmac(hmac_sha1)
encklen=192 authklen=160
generating 640 bits of key (dupkeymat=4)
hmac(hmac_sha1)
hmac(hmac_sha1)
call pk_sendupdate
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_update_nat
SA change detected
encryption(3des)
hmac(hmac_sha1)
call pfkey_send_add_nat
Received SADB message type ADD, 192.168.215.1 [4500] -> 192.168.215.235 [4500]
SA change detected
===
get pfkey ADD message
spi=2907547317(0xad4da6b5)
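As an added example that is not part of the original guide, this Python script decodes the ISAKMP identification payloads that appear as hex in the IPSecuritas log above (IDci, IDcr, and the peer ID carrying protocol 17, which matches the ID payload in the PIX log) and checks racoon's "Compared: DB:Peer" phase 1 lines for attributes where the local database and the peer differ, the usual reason a negotiation stalls. The log excerpts embedded in the script are constructed from the values in this guide.

```python
import ipaddress
import re

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR",
            6: "ID_IPV6_ADDR_SUBNET", 11: "ID_KEY_ID"}

# Constructed excerpt that reuses the values from the logs in this guide.
SAMPLE_LOG = """\
Compared: DB:Peer
(lifetime = 86400:86400)
(lifebyte = 0:0)
enctype = 3DES-CBC:3DES-CBC
(encklen = 0:0)
hashtype = SHA:SHA
spi=117097157(0x6fac2c5)
IDci:
01000000 c0a80502
IDcr:
04000000 0a010c00 ffffff00
"""
# Constructed failure case: the peer proposes MD5 while racoon is configured for SHA.
MISMATCH_LOG = "Compared: DB:Peer\nenctype = 3DES-CBC:3DES-CBC\nhashtype = SHA:MD5\n"


def decode_id(hex_words):
    """Decode an ISAKMP Identification payload body as racoon dumps it:
    ID type (1 byte), protocol ID (1 byte), port (2 bytes), then ID data."""
    raw = bytes.fromhex(hex_words.replace(" ", ""))
    id_type, proto = raw[0], raw[1]
    port, data = int.from_bytes(raw[2:4], "big"), raw[4:]
    if id_type == 1 and len(data) == 4:
        ident = str(ipaddress.IPv4Address(data))
    elif id_type == 4 and len(data) == 8:  # address followed by netmask
        mask = str(ipaddress.IPv4Address(data[4:]))
        ident = str(ipaddress.IPv4Network((data[:4], mask)))
    else:
        ident = data.hex()  # other ID types are left undecoded
    return {"type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "protocol": proto, "port": port, "id": ident}


def parse_log(text):
    """Summarise a racoon/IPSecuritas log: phase 1 attributes where the local
    database (DB) and the peer differ, decoded identities, and negotiated SPIs."""
    summary = {"mismatch": [], "ids": {}, "spis": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.search(r"(\w+) = ([^:()]+):([^:()]+)\)?$", line)  # "name = DB:Peer"
        if m and m.group(2) != m.group(3):
            summary["mismatch"].append((m.group(1), m.group(2), m.group(3)))
        if line.strip() in ("IDci:", "IDcr:") and i + 1 < len(lines):
            summary["ids"][line.strip()[:-1]] = decode_id(lines[i + 1])
        m = re.search(r"spi=(\d+)\(0x", line)
        if m:
            summary["spis"].append(int(m.group(1)))
    return summary


if __name__ == "__main__":
    print(parse_log(SAMPLE_LOG))
    print(parse_log(MISMATCH_LOG)["mismatch"])  # [('hashtype', 'SHA', 'MD5')]
```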