IPsec VPN with openswan (transport mode, X.509 authentication) [Fedora14]

Created: 2011/05/XX


IPsec VPN with openswan

This page tries out a transport-mode IPsec VPN.

[Figure: transport-mode IPsec VPN]

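Communication is initiated by the VPN clients, client2 and client3. The VPN server, router1, accepts connections from clients at any IP address. From the VPN server's point of view, the VPN clients are behind NAT. IKE authentication uses X.509 certificates.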


Host firewall settings

○ router1 (VPN server)

For the VPN, only 500/udp and 4500/udp are opened for inbound traffic. Because NAT-T is assumed, ESP is not opened.

[root@router1 ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

○ router2 (NAT box)

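In the nat table, all packets leaving via eth0 are masqueraded. In the FORWARD chain, all traffic from inside the NAT to outside is allowed, and new connections from outside the NAT to inside are rejected. Because the VPN clients inside the NAT are assumed to initiate communication, 500/udp and 4500/udp from outside the NAT to inside are not explicitly opened.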

[root@router2 ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

To enable packet forwarding between interfaces, set net.ipv4.ip_forward to "1" in /etc/sysctl.conf and apply the change.

[root@router2 ~]# more /etc/sysctl.conf
# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

[root@router2 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key

○ client2, client3 (VPN clients)

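Left at the default settings. Because the clients are assumed to initiate communication themselves, 500/udp and 4500/udp are not explicitly opened. Also, because NAT-T is assumed, ESP is not opened.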

[root@client2 ~]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Installing openswan

For installing openswan, see "Installing openswan [Fedora14]". Since X.509 authentication is used, install nss-tools as well.

Creating and deploying X.509 certificates

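The certificates used for authentication are placed in the /etc/ipsec.d directory. Rather than putting certificate files in the /etc/ipsec.d/certs or /etc/ipsec.d/private directories, they are stored with certutil in the certificate DB (cert8.db) and the key DB (key3.db). Certificate management with certutil is summarized in "Certificate management with certutil [Fedora14]"; see that page.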

Starting ipsec once seems to generate the certificate DB and key DB automatically, but accessing the key DB produced an error,

[root@router1 ~]# certutil -K -d /etc/ipsec.d/
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: could not authenticate to token NSS Certificate DB.: An I/O error occurred during security authorization.

so I deleted them and recreated them by hand.

○ router1 (VPN server)

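First, create the certificate DB and key DB in the /etc/ipsec.d directory. You are prompted for a password for accessing the key DB, but none is set. (A password can be set, but that requires additional steps, so it is skipped here.)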

[root@router1 ~]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:(just press Enter)
Re-enter password:(just press Enter)

Create the CA certificate and private key pair to set up the CA.

[root@router1 ~]# certutil -S -n router1-ca -s "CN=router1-ca" -1 -2 -v 12 -t "C,C,C" -x -d /etc/ipsec.d

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type random keys to generate the key (shown as *)|

Finished.  Press enter to continue:(Enter)


Generating key.  This may take a few moments...

                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 5
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 6
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 9
Is this a critical extension [y/N]?
n

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 0
Is this a critical extension [y/N]?
n

Create the user certificate and private key pair.

[root@router1 ~]# certutil -S -c router1-ca -n router1 -s "CN=router1.nina.jp" -v 12 -t "u,u,u" -d /etc/ipsec.d

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type random keys to generate the key (shown as *)|

Finished.  Press enter to continue:(Enter)


Generating key.  This may take a few moments...

List the certificates and private keys.

[root@router1 ~]# certutil -K -d /etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2e345b07521eee7f0760a20a2b85ee0d0fba37a8   NSS Certificate DB:router1-ca
< 1> rsa      990cc21f924513151ba065721cdce68190e8e224   NSS Certificate DB:router1

[root@router1 ~]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

router1                                                      u,u,u
router1-ca                                                   Cu,Cu,Cu

Export the CA certificate to a file and give it to client2 and client3. They need it to verify router1's certificate, which is presented during IKE authentication.

[root@router1 ~]# certutil -L -n router1-ca -a -d /etc/ipsec.d/ > /etc/ipsec.d/router1-ca.pem

○ client2 (VPN client)

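Here the client certificates are issued by a CA different from the server's. In practice, issuing them from the same CA as the server takes fewer steps and is easier.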

Create the certificate DB and key DB in the /etc/ipsec.d directory. You are prompted for a password for accessing the key DB, but none is set.

[root@client2 ~]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:(just press Enter)
Re-enter password:(just press Enter)

Create the CA certificate and private key pair to set up the CA.

[root@client2 ~]# certutil -S -n client2-ca -s "CN=client2-ca" -v 12 -t "C,C,C" -x -d /etc/ipsec.d

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type random keys to generate the key (shown as *)|

Finished.  Press enter to continue:(Enter)


Generating key.  This may take a few moments...

Create the certificate and private key pair for client2.

[root@client2 ~]# certutil -S -c client2-ca -n client2 -s "CN=client2.nina.jp" -v 12 -t "u,u,u" -d /etc/ipsec.d

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type random keys to generate the key (shown as *)|

Finished.  Press enter to continue:(Enter)


Generating key.  This may take a few moments...

Create the certificate and private key pair for client3.

[root@client2 ~]# certutil -S -c client2-ca -n client3 -s "CN=client3.nina.jp" -v 12 -t "u,u,u" -d /etc/ipsec.d

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type random keys to generate the key (shown as *)|

Finished.  Press enter to continue:(Enter)


Generating key.  This may take a few moments...

To verify the certificate presented by the peer router1, import the certificate of the CA that issued router1's certificate.

[root@client2 ~]# certutil -A -n router1-ca -t "C,C,C" -i router1-ca.pem -a -d /etc/ipsec.d

List the certificates and private keys.

[root@client2 ~]# certutil -K -d /etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      1888adaa0c5f9f50dd745f0a06b7040ca025041c   NSS Certificate DB:client2
< 1> rsa      558e414a1d9cbed7ae29af9bbe7aee7078afe9d0   NSS Certificate DB:client2-ca
< 2> rsa      276aa4a0b230a39791ed53226b1d76d5100ea4eb   NSS Certificate DB:client3

[root@client2 ~]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

client2                                                      u,u,u
client3                                                      u,u,u
client2-ca                                                   Cu,Cu,Cu
router1-ca                                                   C,C,C

Export the CA certificate to a file and give it to router1. It needs it to verify the certificates of client2 and client3, which are presented during IKE authentication.

[root@client2 ~]# certutil -L -n client2-ca -a -d /etc/ipsec.d/ > /etc/ipsec.d/client2-ca.pem

Export client3's certificate and key pair to a file in PKCS12 format and give it to client3.

[root@client2 ~]# pk12util -o /etc/ipsec.d/client3.p12 -n client3 -d /etc/ipsec.d
Enter password for PKCS12 file:(password to set on the exported PKCS12 file)
Re-enter password:(password to set on the exported PKCS12 file, entered again)
pk12util: PKCS12 EXPORT SUCCESSFUL

○ client3 (VPN client)

Create the certificate DB and key DB in the /etc/ipsec.d directory. You are prompted for a password for accessing the key DB, but none is set.

[root@client3 ~]# certutil -N -d /etc/ipsec.d
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:(just press Enter)
Re-enter password:(just press Enter)

Import client3's certificate and private key.

[root@client3 ~]# certutil -A -n router1-ca -t "C,C,C" -i router1-ca.pem -d /etc/ipsec.d
[root@client3 ~]# pk12util -i /etc/ipsec.d/client3.p12 -d /etc/ipsec.d
Enter password for PKCS12 file:(password of the PKCS12 file)
pk12util: PKCS12 IMPORT SUCCESSFUL

To verify the certificate presented by the peer router1, import the certificate of the CA that issued router1's certificate.

[root@client3 ~]# certutil -A -n router1-ca -t "C,C,C" -i router1-ca.pem -a -d /etc/ipsec.d

List the certificates and private keys.

[root@client3 ~]# certutil -K -d /etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      276aa4a0b230a39791ed53226b1d76d5100ea4eb   client3


[root@client3 ~]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

client3                                                      u,u,u
router1-ca                                                   C,C,C

○ router1 (VPN server)

To verify the certificates presented by the peers client2 and client3, import the certificate of the CA that issued them.

[root@router1 ~]# certutil -A -n client2-ca -t "C,C,C" -i client2-ca.pem -a -d /etc/ipsec.d

List the certificates.

[root@router1 ~]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

router1                                                      u,u,u
router1-ca                                                   Cu,Cu,Cu
client2-ca                                                   C,C,C
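
An added check, not part of the original page: it parses the `certutil -L` and `certutil -K` listings shown above and verifies that a host holds its own certificate with a private key and trusts the peer's CA without holding that CA's key. The function names and the rule that an endpoint should store only its own private key are assumptions of this example.

```python
import re

# Output of `certutil -L` and `certutil -K`, copied from this page.
ROUTER1_CERTS = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

router1                                                      u,u,u
router1-ca                                                   Cu,Cu,Cu
client2-ca                                                   C,C,C
"""
ROUTER1_KEYS = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2e345b07521eee7f0760a20a2b85ee0d0fba37a8   NSS Certificate DB:router1-ca
< 1> rsa      990cc21f924513151ba065721cdce68190e8e224   NSS Certificate DB:router1
"""
CLIENT3_CERTS = """\
client3                                                      u,u,u
router1-ca                                                   C,C,C
"""
CLIENT3_KEYS = "< 0> rsa      276aa4a0b230a39791ed53226b1d76d5100ea4eb   client3\n"

# Nickname, two or more spaces, then the SSL / S/MIME / JAR-XPI trust fields.
TRUST_RE = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)\s*$")
# "< n> type  keyid  [NSS Certificate DB:]nickname"
KEY_RE = re.compile(r"^<\s*\d+>\s+\w+\s+[0-9a-f]+\s+(?:NSS Certificate DB:)?(.+?)\s*$")


def parse_cert_list(text):
    """Return {nickname: SSL trust flags} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def parse_key_list(text):
    """Return the set of nicknames that have a private key (`certutil -K`)."""
    return {m.group(1) for m in map(KEY_RE.match, text.splitlines()) if m}


def audit_nss_db(cert_list, key_list, own_cert, peer_cas):
    """Check one host's NSS DB; own_cert and peer_cas are nicknames."""
    certs, keys = parse_cert_list(cert_list), parse_key_list(key_list)
    findings = []
    # "u" means a private key for this certificate is in the key DB.
    if "u" not in certs.get(own_cert, "") or own_cert not in keys:
        findings.append(f"{own_cert}: no certificate with a private key in this DB")
    for ca in peer_cas:
        # "C" marks a trusted CA; the peer's certificate is verified against it.
        if "C" not in certs.get(ca, ""):
            findings.append(f"{ca}: not imported as a trusted CA (C flag missing)")
        if ca in keys:
            findings.append(f"{ca}: private key of the peer's CA is present")
    # Example policy (assumption): an endpoint stores only its own private key.
    for nick in sorted(keys - {own_cert}):
        if nick not in peer_cas:
            findings.append(f"{nick}: extra private key stored on this host")
    return findings


if __name__ == "__main__":
    print(audit_nss_db(ROUTER1_CERTS, ROUTER1_KEYS, "router1", ["client2-ca"]))
    print(audit_nss_db(CLIENT3_CERTS, CLIENT3_KEYS, "client3", ["router1-ca"]))
```

On router1 the audit reports the CA signing key that was generated on the same host; client3, which received only its PKCS12 bundle and the peer CA certificate, comes back clean.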

Configuring openswan

openswan settings are written in /etc/ipsec.conf, and authentication settings in /etc/ipsec.secrets.

○ router1 (VPN server)

Edit /etc/ipsec.conf.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # Set to yes to use NAT-T.
        nat_traversal=yes
        # When the peer is behind NAT, specify the peer's real IP address.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn PEER
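        # Transport mode.
        type=transport
        # Use RSA signature authentication.
        authby=rsasig
        # Behaviour when the ipsec service starts.
        # add puts the connection in a state that waits for the peer to connect.
        auto=add

        ## Local-side settings go in left*.
        # Own IP address.
        left=192.168.1.202
        # Own ID presented to the peer.
        # Defaults to the value given in left.
        # Apparently it has to be specified explicitly...
        leftid="CN=router1.nina.jp"
        # Public key used for RSA signature authentication.
        # With leftrsasigkey=%cert, the certificate named in leftcert is used.
        # (I think this is what is presented to the peer)
        leftrsasigkey=%cert
        # Certificate to use, given by nickname.
        leftcert=router1

        ## Peer-side settings go in right*.
        # Accept connections from any client.
        right=%any
        # When the peer is behind NAT, specify vhost:%priv on the server side.
        # %priv takes the value given in virtual_private.
        # Adding %no also allows connections from clients that are not behind NAT.
        rightsubnet=vhost:%priv,%no
        # Public key used for RSA signature authentication.
        # With rightrsasigkey=%cert, the certificate presented by the peer is used.
        rightrsasigkey=%cert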

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf

Edit /etc/ipsec.secrets.

# /etc/ipsec.secrets
# After ": RSA", give the private key to use by nickname.
: RSA router1

After editing the configuration files, start (or restart) the ipsec service.

[root@router1 ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.35.12-90.fc14.i686.PAE...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Check the startup log.

[root@router1 ~]# tail -f /var/log/secure
May 21 16:18:01 router1 ipsec__plutorun: Starting Pluto subsystem...
May 21 16:18:01 router1 pluto[2296]: nss directory plutomain: /etc/ipsec.d
May 21 16:18:01 router1 pluto[2296]: NSS Initialized
May 21 16:18:01 router1 pluto[2296]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:18:01 router1 pluto[2296]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:2296
May 21 16:18:01 router1 pluto[2296]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:18:01 router1 pluto[2296]: LEAK_DETECTIVE support [disabled]
May 21 16:18:01 router1 pluto[2296]: OCF support for IKE [disabled]
May 21 16:18:01 router1 pluto[2296]: SAref support [disabled]: Protocol not available
May 21 16:18:01 router1 pluto[2296]: SAbind support [disabled]: Protocol not available
May 21 16:18:01 router1 pluto[2296]: NSS support [enabled]
May 21 16:18:01 router1 pluto[2296]: HAVE_STATSD notification support not compiled in
May 21 16:18:01 router1 pluto[2296]: Setting NAT-Traversal port-4500 floating to on
May 21 16:18:01 router1 pluto[2296]:    port floating activation criteria nat_t=1/port_float=1
May 21 16:18:01 router1 pluto[2296]:    NAT-Traversal support  [enabled]
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: no helpers will be started, all cryptographic operations will be done inline
May 21 16:18:01 router1 pluto[2296]: Using Linux 2.6 IPsec interface code on 2.6.35.12-90.fc14.i686.PAE (experimental code)
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 21 16:18:01 router1 pluto[2296]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 21 16:18:01 router1 pluto[2296]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 21 16:18:01 router1 pluto[2296]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 21 16:18:01 router1 pluto[2296]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 21 16:18:01 router1 pluto[2296]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:18:01 router1 pluto[2296]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 21 16:18:01 router1 pluto[2296]: Could not change to directory '/etc/ipsec.d/cacerts': /
May 21 16:18:01 router1 pluto[2296]: Could not change to directory '/etc/ipsec.d/aacerts': /
May 21 16:18:01 router1 pluto[2296]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
May 21 16:18:01 router1 pluto[2296]: Could not change to directory '/etc/ipsec.d/crls'
May 21 16:18:01 router1 pluto[2296]: loading certificate from router1
May 21 16:18:01 router1 pluto[2296]: added connection description "PEER"
May 21 16:18:01 router1 pluto[2296]: listening for IKE messages
May 21 16:18:01 router1 pluto[2296]: adding interface eth1/eth1 192.168.2.1:500
May 21 16:18:01 router1 pluto[2296]: adding interface eth1/eth1 192.168.2.1:4500
May 21 16:18:01 router1 pluto[2296]: adding interface eth0/eth0 192.168.1.202:500
May 21 16:18:01 router1 pluto[2296]: adding interface eth0/eth0 192.168.1.202:4500
May 21 16:18:01 router1 pluto[2296]: adding interface lo/lo 127.0.0.1:500
May 21 16:18:01 router1 pluto[2296]: adding interface lo/lo 127.0.0.1:4500
May 21 16:18:01 router1 pluto[2296]: adding interface lo/lo ::1:500
May 21 16:18:01 router1 pluto[2296]: adding interface eth1/eth1 2001:c90:1324:200d:20c:29ff:fe0c:f6a4:500
May 21 16:18:01 router1 pluto[2296]: adding interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe0c:f69a:500
May 21 16:18:01 router1 pluto[2296]: loading secrets from "/etc/ipsec.secrets"
May 21 16:18:01 router1 pluto[2296]: loaded private key for keyid: PPK_RSA:AwEAAdvBO

Check the status.

[root@router1 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe0c:f69a
000 interface eth1/eth1 2001:c90:1324:200d:20c:29ff:fe0c:f6a4
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.202
000 interface eth0/eth0 192.168.1.202
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER": 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "PEER":     myip=unset; hisip=unset; mycert=router1;
000 "PEER":   CAs: 'CN=router1-ca'...'%any'
000 "PEER":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

○ client2 (VPN client)

Edit /etc/ipsec.conf.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # Set to yes to use NAT-T.
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn PEER_192.168.1.202
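        # Transport mode.
        type=transport
        # Use RSA signature authentication.
        authby=rsasig
        # Behaviour when the ipsec service starts.
        # add puts the connection in a state that waits for the peer to connect.
        auto=add

        ## Local-side settings go in left*.
        # Own IP address.
        left=192.168.3.254
        # Own ID presented to the peer.
        # Defaults to the value given in left.
        # Apparently it has to be specified explicitly...
        leftid="CN=client2.nina.jp"
        # Public key used for RSA signature authentication.
        # With leftrsasigkey=%cert, the certificate named in leftcert is used.
        # (I think this is what is presented to the peer)
        leftrsasigkey=%cert
        # Certificate to use, given by nickname.
        leftcert=client2

        ## Peer-side settings go in right*.
        # IP address of the VPN server.
        right=192.168.1.202
        # ID the peer is expected to present.
        # Defaults to the value given in right.
        # The connection fails unless this matches leftid in the peer's /etc/ipsec.conf.
        rightid="CN=router1.nina.jp"
        # Public key used for RSA signature authentication.
        # With rightrsasigkey=%cert, the certificate presented by the peer is used.
        rightrsasigkey=%cert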

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf

Edit /etc/ipsec.secrets.

# /etc/ipsec.secrets
# After ": RSA", give the private key to use by nickname.
: RSA client2
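
An added example, not part of the original page: it cross-checks the server and client configuration shown above before the service is started, covering the points the comments call out (client rightid must match server leftid, leftcert and the ipsec.secrets nickname must name the same NSS entry, vhost:%priv needs a non-empty virtual_private). The function names are assumptions of this example, and the embedded files are trimmed copies of the ones on this page.

```python
import re

# Trimmed copies of the ipsec.conf / ipsec.secrets files shown on this page.
SERVER_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn PEER
        type=transport
        authby=rsasig
        left=192.168.1.202
        leftid="CN=router1.nina.jp"
        leftcert=router1
        right=%any
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
"""
CLIENT_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=
conn PEER_192.168.1.202
        type=transport
        authby=rsasig
        left=192.168.3.254
        leftid="CN=client2.nina.jp"
        leftcert=client2
        right=192.168.1.202
        rightid="CN=router1.nina.jp"
        rightrsasigkey=%cert
"""
SERVER_SECRETS = ": RSA router1\n"
CLIENT_SECRETS = ": RSA client2\n"


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section headers start in column 0
            words = line.split()
            is_header = len(words) == 2 and words[0] in ("config", "conn")
            current = sections.setdefault(" ".join(words), {}) if is_header else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections


def rsa_nickname(secrets_text):
    """Nickname on the ': RSA <nickname>' line (the NSS form used on this page)."""
    for line in secrets_text.splitlines():
        m = re.match(r'\s*:\s*RSA\s+"?([^"\s]+)"?\s*$', line)
        if m:
            return m.group(1)
    return None


def check_pair(server_conf, server_secrets, client_conf, client_secrets,
               server_conn, client_conn):
    """Cross-check one server conn against one client conn; return findings."""
    s_all, c_all = parse_ipsec_conf(server_conf), parse_ipsec_conf(client_conf)
    s, c = s_all.get("conn " + server_conn), c_all.get("conn " + client_conn)
    if s is None or c is None:
        return ["ERROR: conn section not found"]
    out = []
    for key in ("type", "authby"):
        if s.get(key) != c.get(key):
            out.append(f"ERROR: {key} differs (server={s.get(key)}, client={c.get(key)})")
    if c.get("right") != s.get("left"):
        out.append("ERROR: client right= is not the server's left= address")
    # Defaults follow the page: leftid defaults to left, rightid to right.
    if c.get("rightid", c.get("right")) != s.get("leftid", s.get("left")):
        out.append("ERROR: client rightid does not match server leftid")
    for side, conn, secrets in (("server", s, server_secrets),
                                ("client", c, client_secrets)):
        if conn.get("leftcert") != rsa_nickname(secrets):
            out.append(f"ERROR: {side} leftcert and ipsec.secrets nickname differ")
    setup = s_all.get("config setup", {})
    if "vhost:%priv" in s.get("rightsubnet", "") and not setup.get("virtual_private"):
        out.append("ERROR: server uses vhost:%priv but virtual_private is empty")
    if s.get("right") == "%any" and "rightid" not in s:
        out.append("NOTE: server conn has right=%any and no rightid, "
                   "so the peer ID is not pinned in this conn")
    return out


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, SERVER_SECRETS, CLIENT_CONF,
                              CLIENT_SECRETS, "PEER", "PEER_192.168.1.202"):
        print(finding)
```

For the files on this page the only finding is the NOTE about right=%any, which is worth reviewing against the CAs trusted in the server's NSS DB.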

After editing the configuration files, start (or restart) the ipsec service.

[root@client2 ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.35.12-90.fc14.i686.PAE...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Check the startup log.

[root@client2 ~]# tail -f /var/log/secure
May 21 16:33:05 client2 ipsec__plutorun: Starting Pluto subsystem...
May 21 16:33:06 client2 pluto[2232]: nss directory plutomain: /etc/ipsec.d
May 21 16:33:06 client2 pluto[2232]: NSS Initialized
May 21 16:33:06 client2 pluto[2232]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:33:06 client2 pluto[2232]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:2232
May 21 16:33:06 client2 pluto[2232]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:33:06 client2 pluto[2232]: LEAK_DETECTIVE support [disabled]
May 21 16:33:06 client2 pluto[2232]: OCF support for IKE [disabled]
May 21 16:33:06 client2 pluto[2232]: SAref support [disabled]: Protocol not available
May 21 16:33:06 client2 pluto[2232]: SAbind support [disabled]: Protocol not available
May 21 16:33:06 client2 pluto[2232]: NSS support [enabled]
May 21 16:33:06 client2 pluto[2232]: HAVE_STATSD notification support not compiled in
May 21 16:33:06 client2 pluto[2232]: Setting NAT-Traversal port-4500 floating to on
May 21 16:33:06 client2 pluto[2232]:    port floating activation criteria nat_t=1/port_float=1
May 21 16:33:06 client2 pluto[2232]:    NAT-Traversal support  [enabled]
May 21 16:33:06 client2 pluto[2232]: 1 bad entries in virtual_private - none loaded
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: no helpers will be started, all cryptographic operations will be done inline
May 21 16:33:06 client2 pluto[2232]: Using Linux 2.6 IPsec interface code on 2.6.35.12-90.fc14.i686.PAE (experimental code)
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 21 16:33:06 client2 pluto[2232]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 21 16:33:06 client2 pluto[2232]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 21 16:33:06 client2 pluto[2232]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 21 16:33:06 client2 pluto[2232]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 21 16:33:06 client2 pluto[2232]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:33:06 client2 pluto[2232]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 21 16:33:06 client2 pluto[2232]: Could not change to directory '/etc/ipsec.d/cacerts': /
May 21 16:33:06 client2 pluto[2232]: Could not change to directory '/etc/ipsec.d/aacerts': /
May 21 16:33:06 client2 pluto[2232]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
May 21 16:33:06 client2 pluto[2232]: Could not change to directory '/etc/ipsec.d/crls'
May 21 16:33:06 client2 pluto[2232]: loading certificate from client2
May 21 16:33:06 client2 pluto[2232]: added connection description "PEER_192.168.1.202"
May 21 16:33:06 client2 pluto[2232]: listening for IKE messages
May 21 16:33:06 client2 pluto[2232]: adding interface eth0/eth0 192.168.3.254:500
May 21 16:33:06 client2 pluto[2232]: adding interface eth0/eth0 192.168.3.254:4500
May 21 16:33:06 client2 pluto[2232]: adding interface lo/lo 127.0.0.1:500
May 21 16:33:06 client2 pluto[2232]: adding interface lo/lo 127.0.0.1:4500
May 21 16:33:06 client2 pluto[2232]: adding interface lo/lo ::1:500
May 21 16:33:06 client2 pluto[2232]: adding interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe34:c3db:500
May 21 16:33:06 client2 pluto[2232]: loading secrets from "/etc/ipsec.secrets"
May 21 16:33:06 client2 pluto[2232]: loaded private key for keyid: PPK_RSA:AwEAAbxO1

Check the status.

[root@client2 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe34:c3db
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.254
000 interface eth0/eth0 192.168.3.254
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.254<192.168.3.254>[CN=client2.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; unrouted; eroute owner: #0
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client2;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

○ client3 (VPN client)

Edit /etc/ipsec.conf.

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # Set to yes when using NAT-T.
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn PEER_192.168.1.202
        # Transport mode.
        type=transport
        # Authenticate with RSA signatures.
        authby=rsasig
        # Behavior when the ipsec service starts.
        # "add" loads the connection and waits for the peer to connect.
        auto=add

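        ## left* holds the settings for the local side.
        # Local IP address.
        left=192.168.3.253
        # The ID this host presents to the peer.
        # Defaults to the value given in left.
        # It seems this has to be specified explicitly...
        leftid="CN=client3.nina.jp"
        # Public key used for RSA signature authentication.
        # With leftrsasigkey=%cert, the certificate specified by leftcert is used.
        # (I think this is what gets presented to the peer.)
        leftrsasigkey=%cert
        # Certificate to use, specified by its nickname.
        leftcert=client3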

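        ## right* holds the settings for the peer side.
        # IP address of the VPN server.
        right=192.168.1.202
        # The ID the peer is expected to present.
        # Defaults to the value given in right.
        # The connection fails unless this matches leftid in the peer's /etc/ipsec.conf.
        rightid="CN=router1.nina.jp"
        # Public key used for RSA signature authentication.
        # With rightrsasigkey=%cert, the certificate presented by the peer is used.
        rightrsasigkey=%cert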

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf

Edit /etc/ipsec.secrets.

# /etc/ipsec.secrets
# After ": RSA", specify the private key to use by its nickname.
: RSA client3

After editing the configuration files, start (or restart) the ipsec service.

[root@client3 ~]# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.35.12-90.fc14.i686.PAE...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Check the startup log.

[root@client3 ~]# tail -f /var/log/secure
May 21 16:49:32 client3 ipsec__plutorun: Starting Pluto subsystem...
May 21 16:49:32 client3 pluto[5324]: nss directory plutomain: /etc/ipsec.d
May 21 16:49:32 client3 pluto[5324]: NSS Initialized
May 21 16:49:32 client3 pluto[5324]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:49:32 client3 pluto[5324]: Starting Pluto (Openswan Version 2.6.33; Vendor ID OEghI_w\134ALFy) pid:5324
May 21 16:49:32 client3 pluto[5324]: Non-fips mode set in /proc/sys/crypto/fips_enabled
May 21 16:49:32 client3 pluto[5324]: LEAK_DETECTIVE support [disabled]
May 21 16:49:32 client3 pluto[5324]: OCF support for IKE [disabled]
May 21 16:49:32 client3 pluto[5324]: SAref support [disabled]: Protocol not available
May 21 16:49:32 client3 pluto[5324]: SAbind support [disabled]: Protocol not available
May 21 16:49:32 client3 pluto[5324]: NSS support [enabled]
May 21 16:49:32 client3 pluto[5324]: HAVE_STATSD notification support not compiled in
May 21 16:49:32 client3 pluto[5324]: Setting NAT-Traversal port-4500 floating to on
May 21 16:49:32 client3 pluto[5324]:    port floating activation criteria nat_t=1/port_float=1
May 21 16:49:32 client3 pluto[5324]:    NAT-Traversal support  [enabled]
May 21 16:49:32 client3 pluto[5324]: 1 bad entries in virtual_private - none loaded
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: no helpers will be started, all cryptographic operations will be done inline
May 21 16:49:32 client3 pluto[5324]: Using Linux 2.6 IPsec interface code on 2.6.35.12-90.fc14.i686.PAE (experimental code)
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
May 21 16:49:32 client3 pluto[5324]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
May 21 16:49:32 client3 pluto[5324]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
May 21 16:49:32 client3 pluto[5324]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
May 21 16:49:32 client3 pluto[5324]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
May 21 16:49:32 client3 pluto[5324]: ike_alg_add(): ERROR: Algorithm already exists
May 21 16:49:32 client3 pluto[5324]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
May 21 16:49:32 client3 pluto[5324]: Could not change to directory '/etc/ipsec.d/cacerts': /
May 21 16:49:32 client3 pluto[5324]: Could not change to directory '/etc/ipsec.d/aacerts': /
May 21 16:49:32 client3 pluto[5324]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
May 21 16:49:32 client3 pluto[5324]: Could not change to directory '/etc/ipsec.d/crls'
May 21 16:49:32 client3 pluto[5324]: loading certificate from client3
May 21 16:49:32 client3 pluto[5324]: added connection description "PEER_192.168.1.202"
May 21 16:49:32 client3 pluto[5324]: listening for IKE messages
May 21 16:49:32 client3 pluto[5324]: adding interface eth0/eth0 192.168.3.253:500
May 21 16:49:32 client3 pluto[5324]: adding interface eth0/eth0 192.168.3.253:4500
May 21 16:49:32 client3 pluto[5324]: adding interface lo/lo 127.0.0.1:500
May 21 16:49:32 client3 pluto[5324]: adding interface lo/lo 127.0.0.1:4500
May 21 16:49:32 client3 pluto[5324]: adding interface lo/lo ::1:500
May 21 16:49:32 client3 pluto[5324]: adding interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe12:6a14:500
May 21 16:49:32 client3 pluto[5324]: loading secrets from "/etc/ipsec.secrets"
May 21 16:49:32 client3 pluto[5324]: loaded private key for keyid: PPK_RSA:AwEAAcr1s

Check the status.

[root@client3 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe12:6a14
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.253
000 interface eth0/eth0 192.168.3.253
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.253<192.168.3.253>[CN=client3.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; unrouted; eroute owner: #0
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client3;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

VPN connection

○ Connecting from client2 to router1

Initiate the connection from client2.

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
004 "PEER_192.168.1.202" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "PEER_192.168.1.202" #2: STATE_QUICK_I1: initiate
004 "PEER_192.168.1.202" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x1dfa41f2 <0x90c3042a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Check the connection log on client2.

[root@client2 ~]# tail -f /var/log/secure
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: initiating Main Mode
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: enabling possible NAT-traversal with method 4
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: I am sending my cert
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: I am sending a certificate request
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=router1.nina.jp'
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: no crl from issuer "CN=router1-ca" found (strict=no)
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:162cf320 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x1dfa41f2 <0x90c3042a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Check the status on client2.

[root@client2 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe34:c3db
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.254
000 interface eth0/eth0 192.168.3.254
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.254<192.168.3.254>[CN=client2.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; erouted; eroute owner: #2
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client2;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "PEER_192.168.1.202":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "PEER_192.168.1.202":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27889s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "PEER_192.168.1.202" esp.1dfa41f2@192.168.1.202 esp.90c3042a@192.168.3.254 ref=0 refhim=4294901761
000 #1: "PEER_192.168.1.202":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2448s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

Check the connection log on router1.

[root@router1 ~]# tail -f /var/log/secure
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [Openswan (this version) 2.6.33 ]
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [Dead Peer Detection]
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [RFC 3947] method set to=109
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: responding to Main Mode from unknown peer 192.168.1.203
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client2.nina.jp'
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: switched from "PEER" to "PEER"
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: deleting connection "PEER" instance with peer 192.168.1.203 {isakmp=#0/ipsec=#0}
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: I am sending my cert
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: new NAT mapping for #3, was 192.168.1.203:500, now 192.168.1.203:4500
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: the peer proposed: 192.168.1.202/32:0/0 -> 192.168.3.254/32:0/0
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: responding to Quick Mode proposal {msgid:162cf320}
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4:     us: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4:   them: 192.168.1.203[CN=client2.nina.jp,+S=C]===192.168.3.254/32
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: netlink_raw_eroute: WARNING: that_client port 0 and that_host port 4500 don't match. Using that_client port.
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x90c3042a <0x1dfa41f2 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.3.254 NATD=192.168.1.203:4500 DPD=none}
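
An added example (not part of the original page): a Python parser for pluto lines in the format of the connection logs above. It collects the peer ID, CRL result and negotiated IKE/ESP parameters per connection and lists settings worth reviewing. The function names and the review policy (SHA1/MD5, modp1024/modp1536) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample lines in the format of the router1 and client2 logs above
# (reduced to the messages this parser reads).
SAMPLE_LOG = """\
May 21 20:58:04 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [Dead Peer Detection]
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client2.nina.jp'
May 21 20:58:04 router1 pluto[2526]: "PEER"[3] 192.168.1.203 #3: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x90c3042a <0x1dfa41f2 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.3.254 NATD=192.168.1.203:4500 DPD=none}
May 21 20:58:51 client2 pluto[2232]: "PEER_192.168.1.202" #1: no crl from issuer "CN=router1-ca" found (strict=no)
"""

# "conn"[instance] peer-ip #state: message   (responder side)
# "conn" #state: message                     (initiator side, no instance/ip)
LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] (?P<peer>\S+))? #\d+: (?P<msg>.*)$'
)
PEER_ID = re.compile(r"Main mode peer ID is (\S+): '([^']*)'")
NO_CRL = re.compile(r'no crl from issuer "([^"]+)" found \(strict=(\w+)\)')
IKE_SA = re.compile(r"ISAKMP SA established \{([^}]*)\}")
IPSEC_SA = re.compile(r"IPsec SA established (\w+) mode \{([^}]*)\}")

# Example review policy (an assumption of this example, adjust to local policy).
WEAK_HASHES = ("MD5", "SHA1")
WEAK_GROUPS = {"modp1024", "modp1536"}


def pairs(body):
    """Turn 'k1=v1 k2=v2 ...' into a dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in body.split() if "=" in tok)


def summarize(log_text):
    """Group pluto messages by (connection name, peer address)."""
    sessions = defaultdict(
        lambda: {"peer_id": None, "crl_missing": [], "ike": {}, "ipsec": {}, "mode": None}
    )
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. "packet from ..." lines carry no connection name
        s = sessions[(m["conn"], m["peer"])]
        msg = m["msg"]
        if (x := PEER_ID.search(msg)):
            s["peer_id"] = x[2]
        elif (x := NO_CRL.search(msg)):
            s["crl_missing"].append((x[1], x[2]))
        elif (x := IKE_SA.search(msg)):
            s["ike"] = pairs(x[1])
        elif (x := IPSEC_SA.search(msg)):
            s["mode"] = x[1]
            s["ipsec"] = pairs(x[2])
    return dict(sessions)


def findings(s):
    """Return review notes for one session produced by summarize()."""
    out = []
    for issuer, strict in s["crl_missing"]:
        if strict == "no":
            out.append(f"no CRL loaded for issuer {issuer} and strict=no: "
                       "revocation is not enforced for this CA")
    if s["ipsec"].get("DPD") == "none":
        out.append("DPD=none: dead peer detection was not negotiated")
    xfrm = s["ipsec"].get("xfrm", "")
    for token in WEAK_HASHES:
        if token in xfrm:
            out.append(f"ESP transform {xfrm} uses {token}")
    if s["ike"].get("group") in WEAK_GROUPS:
        out.append(f"IKE DH group {s['ike']['group']} is below modp2048")
    return out


if __name__ == "__main__":
    for (conn, peer), s in summarize(SAMPLE_LOG).items():
        print(conn, peer, s["peer_id"], s["mode"], s["ike"], s["ipsec"])
        for note in findings(s):
            print("  -", note)
```

To run it against a live host, pass the contents of /var/log/secure to summarize().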

Check the status on router1.

[root@router1 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe0c:f69a
000 interface eth1/eth1 2001:c90:1324:200d:20c:29ff:fe0c:f6a4
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.202
000 interface eth0/eth0 192.168.1.202
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER": 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "PEER":     myip=unset; hisip=unset; mycert=router1;
000 "PEER":   CAs: 'CN=router1-ca'...'%any'
000 "PEER":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "PEER"[4]: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...192.168.1.203[CN=client2.nina.jp,+S=C]===192.168.3.254/32; erouted; eroute owner: #4
000 "PEER"[4]:     myip=unset; hisip=unset; mycert=router1;
000 "PEER"[4]:   CAs: 'CN=router1-ca'...'%any'
000 "PEER"[4]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER"[4]:   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER"[4]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "PEER"[4]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "PEER"[4] 192.168.1.203:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28147s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "PEER"[4] 192.168.1.203 esp.90c3042a@192.168.1.203 esp.1dfa41f2@192.168.1.202 ref=0 refhim=4294901761
000 #3: "PEER"[4] 192.168.1.203:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2947s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000

Capture the packets. The output below shows the client2-router2 packets and the router2-router1 packets together, as if both segments were being watched at once.

[root@router1 ~]# tcpdump
20:58:04.296907 IP 192.168.3.254.500 > 192.168.1.202.500: isakmp: phase 1 I ident
20:58:04.297376 IP 192.168.1.203.500 > 192.168.1.202.500: isakmp: phase 1 ? ident
20:58:04.298613 IP 192.168.1.202.500 > 192.168.1.203.500: isakmp: phase 1 R ident
20:58:04.299206 IP 192.168.1.202.500 > 192.168.3.254.500: isakmp: phase 1 R ident
20:58:04.308051 IP 192.168.3.254.500 > 192.168.1.202.500: isakmp: phase 1 I ident
20:58:04.308056 IP 192.168.1.203.500 > 192.168.1.202.500: isakmp: phase 1 ? ident
20:58:04.330728 IP 192.168.1.202.500 > 192.168.1.203.500: isakmp: phase 1 R ident
20:58:04.331254 IP 192.168.1.202.500 > 192.168.3.254.500: isakmp: phase 1 R ident
20:58:04.350324 IP 192.168.3.254.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 1 I ident[E]
20:58:04.350485 IP 192.168.1.203.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
20:58:04.362898 IP 192.168.1.202.4500 > 192.168.1.203.4500: NONESP-encap: isakmp: phase 1 R ident[E]
20:58:04.363309 IP 192.168.1.202.4500 > 192.168.3.254.4500: NONESP-encap: isakmp: phase 1 R ident[E]
20:58:04.375840 IP 192.168.3.254.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
20:58:04.375850 IP 192.168.1.203.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
20:58:04.393818 IP 192.168.1.202.4500 > 192.168.1.203.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
20:58:04.394407 IP 192.168.1.202.4500 > 192.168.3.254.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
20:58:04.482748 IP 192.168.3.254.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
20:58:04.482885 IP 192.168.1.203.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
20:58:10.859715 IP 192.168.3.254.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x1), length 116
20:58:10.859726 IP 192.168.1.203.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x1), length 116
20:58:10.859943 IP 192.168.1.202.4500 > 192.168.1.203.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x1), length 116
20:58:10.860417 IP 192.168.1.202.4500 > 192.168.3.254.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x1), length 116
20:58:11.862236 IP 192.168.3.254.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x2), length 116
20:58:11.862243 IP 192.168.1.203.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x2), length 116
20:58:11.862384 IP 192.168.1.202.4500 > 192.168.1.203.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x2), length 116
20:58:11.862657 IP 192.168.1.202.4500 > 192.168.3.254.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x2), length 116
20:58:12.865014 IP 192.168.3.254.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x3), length 116
20:58:12.865275 IP 192.168.1.203.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x3), length 116
20:58:12.865345 IP 192.168.1.202.4500 > 192.168.1.203.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x3), length 116
20:58:12.865997 IP 192.168.1.202.4500 > 192.168.3.254.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x3), length 116
20:58:13.867182 IP 192.168.3.254.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x4), length 116
20:58:13.867187 IP 192.168.1.203.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0x1dfa41f2,seq=0x4), length 116
20:58:13.867276 IP 192.168.1.202.4500 > 192.168.1.203.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x4), length 116
20:58:13.867499 IP 192.168.1.202.4500 > 192.168.3.254.4500: UDP-encap: ESP(spi=0x90c3042a,seq=0x4), length 116

○ Connecting from client3 to router1

Connect from client3.

[root@client3 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
004 "PEER_192.168.1.202" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "PEER_192.168.1.202" #2: STATE_QUICK_I1: initiate
004 "PEER_192.168.1.202" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode

Check the connection log on client3.

[root@client3 ~]# tail -f /var/log/secure
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: initiating Main Mode
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: enabling possible NAT-traversal with method 4
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 21 21:17:48 client3 pluto[5324]: "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: I am sending my cert
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: I am sending a certificate request
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=router1.nina.jp'
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: no crl from issuer "CN=router1-ca" found (strict=no)
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:38c011e2 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 21 21:17:49 client3 pluto[5324]: "PEER_192.168.1.202" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xa9df5d97 <0xc7f9ac6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Check the status on client3.

[root@client3 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe12:6a14
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.253
000 interface eth0/eth0 192.168.3.253
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.253<192.168.3.253>[CN=client3.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; erouted; eroute owner: #2
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client3;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "PEER_192.168.1.202":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "PEER_192.168.1.202":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27963s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "PEER_192.168.1.202" esp.a9df5d97@192.168.1.202 esp.c7f9ac6b@192.168.3.253 ref=0 refhim=4294901761
000 #1: "PEER_192.168.1.202":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2522s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

Check the connection log on router1.

[root@router1 ~]# tail -f /var/log/secure
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [Openswan (this version) 2.6.33 ]
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [Dead Peer Detection]
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [RFC 3947] method set to=109
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 21 21:17:03 router1 pluto[2526]: packet from 192.168.1.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: responding to Main Mode from unknown peer 192.168.1.203
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: STATE_MAIN_R1: sent MR1, expecting MI2
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client3.nina.jp'
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: switched from "PEER" to "PEER"
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: I am sending my cert
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: new NAT mapping for #5, was 192.168.1.203:500, now 192.168.1.203:1024
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: the peer proposed: 192.168.1.202/32:0/0 -> 192.168.3.253/32:0/0
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: responding to Quick Mode proposal {msgid:38c011e2}
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6:     us: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6:   them: 192.168.1.203[CN=client3.nina.jp,+S=C]===192.168.3.253/32
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: netlink_raw_eroute: WARNING: that_client port 0 and that_host port 1024 don't match. Using that_client port.
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc7f9ac6b <0xa9df5d97 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.3.253 NATD=192.168.1.203:1024 DPD=none}
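
Both clients reach router1 from the same NAT address 192.168.1.203, and the log lines above tell them apart only by NATOA (the inner address) and NATD (the translated UDP port: 4500 for client2, 1024 for client3). The following Python script is an added example, not part of the original page or of openswan; it parses such pluto lines, groups tunnels that share a NAT address, and reports the `strict=no` CRL and `DPD=none` conditions visible in the log. The function names are hypothetical, and the sample lines are copied from the router1 logs on this page.

```python
import re
from collections import defaultdict

# Lines copied from the router1 /var/log/secure excerpts on this page.
SAMPLE_LOG = """\
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4:   them: 192.168.1.203[CN=client2.nina.jp,+S=C]===192.168.3.254/32
May 21 20:58:04 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x90c3042a <0x1dfa41f2 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.3.254 NATD=192.168.1.203:4500 DPD=none}
May 21 21:17:03 router1 pluto[2526]: "PEER"[4] 192.168.1.203 #5: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #5: new NAT mapping for #5, was 192.168.1.203:500, now 192.168.1.203:1024
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6:   them: 192.168.1.203[CN=client3.nina.jp,+S=C]===192.168.3.253/32
May 21 21:17:03 router1 pluto[2526]: "PEER"[5] 192.168.1.203 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xc7f9ac6b <0xa9df5d97 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.3.253 NATD=192.168.1.203:1024 DPD=none}
"""

# pluto header: "conn"[instance] peer #state: message (peer is absent on the client side)
LINE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])?'
    r'(?: (?P<peer>\S+))? #(?P<state>\d+): (?P<msg>.*)$')
# Quick Mode "them:" line: public host, peer ID, protected inner address
THEM = re.compile(r'them: (?P<host>[^\[\s]+)\[(?P<id>[^\]]*)\](?:===(?P<client>\S+))?')
# Final Quick Mode line with SPIs, transform and NAT-T details
SA = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode \{ESP=>(?P<spi_out>0x[0-9a-f]+) '
    r'<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+) NATOA=(?P<natoa>\S+) '
    r'NATD=(?P<natd>\S+) DPD=(?P<dpd>[^}\s]+)\}')
CRL = re.compile(r'no crl from issuer "(?P<issuer>[^"]+)" found \(strict=(?P<strict>\w+)\)')


def parse_tunnels(log_text):
    """Return (tunnels, crl_gaps): one dict per established IPsec SA, plus the
    issuers for which pluto had no CRL while strict checking was off."""
    identity = {}              # Quick Mode state number -> (peer ID, inner address)
    tunnels, crl_gaps = [], set()
    for line in log_text.splitlines():
        head = LINE.search(line)
        if not head:
            continue           # not a per-connection pluto line
        msg, state = head["msg"], head["state"]
        if m := THEM.search(msg):
            # Drop the trailing ",+S=C" flag that follows the ID in this log
            identity[state] = (m["id"].rsplit(",+", 1)[0], m["client"])
        elif m := SA.search(msg):
            peer_id, inner = identity.get(state, (None, None))
            tunnel = m.groupdict()
            tunnel.update(conn=head["conn"], instance=head["inst"],
                          state=state, peer_id=peer_id, inner=inner)
            tunnels.append(tunnel)
        elif (m := CRL.search(msg)) and m["strict"] == "no":
            crl_gaps.add(m["issuer"])
    return tunnels, sorted(crl_gaps)


def peers_behind_same_nat(tunnels):
    """Map each public address used by more than one tunnel to its
    (translated UDP port, inner address, peer ID) entries."""
    groups = defaultdict(list)
    for t in tunnels:
        if t["natd"] == "none":        # this end saw no NAT in front of the peer
            continue
        ip, _, port = t["natd"].rpartition(":")
        groups[ip].append((int(port), t["natoa"], t["peer_id"]))
    return {ip: sorted(v, key=lambda e: e[0])
            for ip, v in groups.items() if len(v) > 1}


def audit(tunnels, crl_gaps):
    """List the conditions in the log that a reviewer would want to follow up."""
    findings = []
    for issuer in crl_gaps:
        findings.append(f"{issuer}: no CRL loaded and strict=no, "
                        "so certificate revocation is not checked")
    for t in tunnels:
        if t["dpd"] == "none":
            findings.append(f'{t["peer_id"]} via {t["natd"]}: DPD=none, '
                            "a vanished peer keeps its SA until it expires")
    return findings


if __name__ == "__main__":
    tunnels, crl_gaps = parse_tunnels(SAMPLE_LOG)
    for ip, entries in peers_behind_same_nat(tunnels).items():
        print(f"NAT address {ip} carries {len(entries)} tunnels:")
        for port, inner, peer_id in entries:
            print(f"  udp/{port}  inner={inner}  id={peer_id}")
    for finding in audit(tunnels, crl_gaps):
        print("review:", finding)
```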

Check the status on router1.

[root@router1 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe0c:f69a
000 interface eth1/eth1 2001:c90:1324:200d:20c:29ff:fe0c:f6a4
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.202
000 interface eth0/eth0 192.168.1.202
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER": 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...%virtual[+S=C]===?; unrouted; eroute owner: #0
000 "PEER":     myip=unset; hisip=unset; mycert=router1;
000 "PEER":   CAs: 'CN=router1-ca'...'%any'
000 "PEER":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "PEER"[4]: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...192.168.1.203[CN=client2.nina.jp,+S=C]===192.168.3.254/32; erouted; eroute owner: #4
000 "PEER"[4]:     myip=unset; hisip=unset; mycert=router1;
000 "PEER"[4]:   CAs: 'CN=router1-ca'...'%any'
000 "PEER"[4]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER"[4]:   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER"[4]:   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "PEER"[4]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "PEER"[5]: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...192.168.1.203[CN=client3.nina.jp,+S=C]===192.168.3.253/32; erouted; eroute owner: #6
000 "PEER"[5]:     myip=unset; hisip=unset; mycert=router1;
000 "PEER"[5]:   CAs: 'CN=router1-ca'...'%any'
000 "PEER"[5]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER"[5]:   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER"[5]:   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "PEER"[5]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "PEER"[4] 192.168.1.203:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27212s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "PEER"[4] 192.168.1.203 esp.90c3042a@192.168.1.203 esp.1dfa41f2@192.168.1.202 ref=0 refhim=4294901761
000 #3: "PEER"[4] 192.168.1.203:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2012s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #6: "PEER"[5] 192.168.1.203:1024 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28351s; newest IPSEC; eroute owner; isakmp#5; idle; import:not set
000 #6: "PEER"[5] 192.168.1.203 esp.c7f9ac6b@192.168.1.203 esp.a9df5d97@192.168.1.202 ref=0 refhim=4294901761
000 #5: "PEER"[5] 192.168.1.203:1024 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000

Capture the packets. The output below shows the client3-router2 packets and the router2-router1 packets together, as if both segments were being watched at once.

[root@router1 ~]# tcpdump
21:17:03.392841 IP 192.168.3.253.500 > 192.168.1.202.500: isakmp: phase 1 I ident
21:17:03.392851 IP 192.168.1.203.500 > 192.168.1.202.500: isakmp: phase 1 ? ident
21:17:03.393913 IP 192.168.1.202.500 > 192.168.1.203.500: isakmp: phase 1 R ident
21:17:03.395230 IP 192.168.1.202.500 > 192.168.3.253.500: isakmp: phase 1 R ident
21:17:03.405055 IP 192.168.3.253.500 > 192.168.1.202.500: isakmp: phase 1 I ident
21:17:03.405143 IP 192.168.1.203.500 > 192.168.1.202.500: isakmp: phase 1 ? ident
21:17:03.420252 IP 192.168.1.202.500 > 192.168.1.203.500: isakmp: phase 1 R ident
21:17:03.421128 IP 192.168.1.202.500 > 192.168.3.253.500: isakmp: phase 1 R ident
21:17:03.439840 IP 192.168.3.253.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 1 I ident[E]
21:17:03.439848 IP 192.168.1.203.1024 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 1 ? ident[E]
21:17:03.450034 IP 192.168.1.202.4500 > 192.168.1.203.1024: NONESP-encap: isakmp: phase 1 R ident[E]
21:17:03.450615 IP 192.168.1.202.4500 > 192.168.3.253.4500: NONESP-encap: isakmp: phase 1 R ident[E]
21:17:03.461506 IP 192.168.3.253.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:17:03.461664 IP 192.168.1.203.1024 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
21:17:03.478402 IP 192.168.1.202.4500 > 192.168.1.203.1024: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:17:03.478813 IP 192.168.1.202.4500 > 192.168.3.253.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
21:17:03.576522 IP 192.168.3.253.4500 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
21:17:03.576587 IP 192.168.1.203.1024 > 192.168.1.202.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
21:17:12.954168 IP 192.168.3.253.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x1), length 116
21:17:12.954211 IP 192.168.1.203.1024 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x1), length 116
21:17:12.954366 IP 192.168.1.202.4500 > 192.168.1.203.1024: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x1), length 116
21:17:12.955788 IP 192.168.1.202.4500 > 192.168.3.253.4500: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x1), length 116
21:17:13.955773 IP 192.168.3.253.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x2), length 116
21:17:13.955792 IP 192.168.1.203.1024 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x2), length 116
21:17:13.955869 IP 192.168.1.202.4500 > 192.168.1.203.1024: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x2), length 116
21:17:13.956129 IP 192.168.1.202.4500 > 192.168.3.253.4500: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x2), length 116
21:17:14.957807 IP 192.168.3.253.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x3), length 116
21:17:14.957813 IP 192.168.1.203.1024 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x3), length 116
21:17:14.957911 IP 192.168.1.202.4500 > 192.168.1.203.1024: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x3), length 116
21:17:14.958183 IP 192.168.1.202.4500 > 192.168.3.253.4500: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x3), length 116
21:17:15.959624 IP 192.168.3.253.4500 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x4), length 116
21:17:15.959809 IP 192.168.1.203.1024 > 192.168.1.202.4500: UDP-encap: ESP(spi=0xa9df5d97,seq=0x4), length 116
21:17:15.959885 IP 192.168.1.202.4500 > 192.168.1.203.1024: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x4), length 116
21:17:15.960115 IP 192.168.1.202.4500 > 192.168.3.253.4500: UDP-encap: ESP(spi=0xc7f9ac6b,seq=0x4), length 116

Disconnecting the VPN

○ Disconnecting the VPN on client2

Disconnect the VPN on client2.

[root@client2 ~]# ipsec auto --down PEER_192.168.1.202

Check the status on client2.

[root@client2 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe34:c3db
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.254
000 interface eth0/eth0 192.168.3.254
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.254<192.168.3.254>[CN=client2.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; prospective erouted; eroute owner: #0
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client2;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

○ Disconnecting the VPN on client3

Disconnect the VPN on client3.

[root@client3 ~]# ipsec auto --down PEER_192.168.1.202

Check the status on client3.

[root@client3 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe12:6a14
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.3.253
000 interface eth0/eth0 192.168.3.253
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER_192.168.1.202": 192.168.3.253<192.168.3.253>[CN=client3.nina.jp,+S=C]...192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]; prospective erouted; eroute owner: #0
000 "PEER_192.168.1.202":     myip=unset; hisip=unset; mycert=client3;
000 "PEER_192.168.1.202":   CAs: 'CN=client2-ca'...'%any'
000 "PEER_192.168.1.202":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER_192.168.1.202":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER_192.168.1.202":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000

Failure examples

● A certificate file was specified in client2's leftcert

When client2's leftcert specifies a certificate file instead of a nickname:

# /etc/ipsec.conf on client2
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn PEER_192.168.1.202
        type=transport
        left=192.168.3.254
        leftid="CN=client2.nina.jp"
        leftrsasigkey=%cert
        # leftcert specifies a certificate file
        leftcert=/etc/ipsec.d/certs/client2.pem
        right=192.168.1.202
        rightid="CN=router1.nina.jp"
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

An error is logged when the ipsec service starts, although the service itself does start.

[root@client2 ~]# tail -f /var/log/secure
May 21 22:21:57 client2 pluto[3350]: loading certificate from /etc/ipsec.d/certs/client2.pem
May 21 22:21:57 client2 pluto[3350]:     could not open host cert with nick name '/etc/ipsec.d/certs/client2.pem' in NSS DB

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "PEER_192.168.1.202" #1: received and ignored informational message

router1 logs errors like the following.

[root@router1 ~]# tail -f /var/log/secure
May 21 22:29:47 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #13: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 22:29:47 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #13: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.254'
May 21 22:29:47 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #13: switched from "PEER" to "PEER"
May 21 22:29:47 router1 pluto[2526]: "PEER"[10] 192.168.1.203 #13: no RSA public key known for '192.168.3.254'
May 21 22:29:47 router1 pluto[2526]: "PEER"[10] 192.168.1.203 #13: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.203:500

● leftid was not specified on client2

When leftid is not specified on client2:

# /etc/ipsec.conf on client2
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn PEER_192.168.1.202
        type=transport
        left=192.168.3.254
        # leftid commented out
        # leftid="CN=client2.nina.jp"
        leftrsasigkey=%cert
        leftcert=client2
        right=192.168.1.202
        rightid="CN=router1.nina.jp"
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "PEER_192.168.1.202" #1: received and ignored informational message

router1 logs errors like the following.

[root@router1 ~]# tail -f /var/log/secure
May 21 22:09:19 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #11: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 22:09:19 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #11: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.254'
May 21 22:09:20 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #11: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 22:09:20 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #11: switched from "PEER" to "PEER"
May 21 22:09:20 router1 pluto[2526]: "PEER"[8] 192.168.1.203 #11: no RSA public key known for '192.168.3.254'
May 21 22:09:20 router1 pluto[2526]: "PEER"[8] 192.168.1.203 #11: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.203:500

● The Subject of the certificate specified in client2's leftcert does not match leftid

When the Subject of the certificate specified in leftcert on client2 does not match leftid:

# /etc/ipsec.conf on client2
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn PEER_192.168.1.202
        type=transport
        left=192.168.3.254
        # The certificate's Subject is "CN=client2.nina.jp"
        leftid="CN=client20.nina.jp"
        leftrsasigkey=%cert
        leftcert=client2
        right=192.168.1.202
        rightid="CN=router1.nina.jp"
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "PEER_192.168.1.202" #1: received and ignored informational message

router1 logs errors like the following.

[root@router1 ~]# tail -f /var/log/secure
May 21 22:51:57 router1 pluto[2924]: "PEER"[1] 192.168.1.203 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 22:51:57 router1 pluto[2924]: "PEER"[1] 192.168.1.203 #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client20.nina.jp'
May 21 22:51:57 router1 pluto[2924]: "PEER"[1] 192.168.1.203 #1: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 22:51:57 router1 pluto[2924]: "PEER"[1] 192.168.1.203 #1: switched from "PEER" to "PEER"
May 21 22:51:57 router1 pluto[2924]: "PEER"[2] 192.168.1.203 #1: deleting connection "PEER" instance with peer 192.168.1.203 {isakmp=#0/ipsec=#0}
May 21 22:51:57 router1 pluto[2924]: "PEER"[2] 192.168.1.203 #1: no RSA public key known for 'CN=client20.nina.jp'
May 21 22:51:57 router1 pluto[2924]: "PEER"[2] 192.168.1.203 #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.203:500

● router1's leftid and client2's rightid do not match

When router1's leftid and client2's rightid do not match:

# /etc/ipsec.conf on client2
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn PEER_192.168.1.202
        type=transport
        left=192.168.3.254
        leftid="CN=client2.nina.jp"
        leftrsasigkey=%cert
        leftcert=client2
        right=192.168.1.202
        # router1 specifies leftid="CN=router1.nina.jp"
        rightid="CN=router10.nina.jp"
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
003 "PEER_192.168.1.202" #1: we require peer to have ID 'CN=router10.nina.jp', but peer declares 'CN=router1.nina.jp'
218 "PEER_192.168.1.202" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

client2 logs errors like the following.

[root@client2 ~]# tail -f /var/log/secure
May 21 23:02:51 client2 pluto[4488]: "PEER_192.168.1.202" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=router1.nina.jp'
May 21 23:02:51 client2 pluto[4488]: "PEER_192.168.1.202" #1: no crl from issuer "CN=router1-ca" found (strict=no)
May 21 23:02:51 client2 pluto[4488]: "PEER_192.168.1.202" #1: we require peer to have ID 'CN=router10.nina.jp', but peer declares 'CN=router1.nina.jp'
May 21 23:02:51 client2 pluto[4488]: "PEER_192.168.1.202" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.202:4500

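● client2's certificate DB lacks the certificate of the CA that issued router1's certificate

When client2's certificate DB does not contain the certificate of the CA that issued router1's certificate: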

[root@client2 ~]# certutil -L -d /etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

client2                                                      u,u,u
client3                                                      u,u,u
client2-ca                                                   Cu,Cu,Cu

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #1: received Vendor ID payload [CAN-IKEv2]
003 "PEER_192.168.1.202" #1: no RSA public key known for 'CN=router1.nina.jp'
217 "PEER_192.168.1.202" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION

client2 logs errors like the following.

[root@client2 ~]# tail -f /var/log/secure
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=router1.nina.jp'
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: issuer cacert not found
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: X.509 certificate rejected
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: no RSA public key known for 'CN=router1.nina.jp'
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.202:4500

● secret was specified in client2's authby

When client2's authby is set to secret:

# /etc/ipsec.conf on client2
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn PEER_192.168.1.202
        type=transport
        left=192.168.3.254
        leftid="CN=client2.nina.jp"
        leftrsasigkey=%cert
        leftcert=client2
        right=192.168.1.202
        rightid="CN=router1.nina.jp"
        rightrsasigkey=%cert
        # router1 specifies authby=rsasig
        authby=secret
        auto=add

The connection attempt fails:

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #1: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
003 "PEER_192.168.1.202" #1: received and ignored informational message

router1 logs errors like the following.

[root@router1 ~]# tail -f /var/log/secure
May 21 23:16:55 router1 pluto[2924]: "PEER"[4] 192.168.1.203 #7: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
May 21 23:16:55 router1 pluto[2924]: "PEER"[4] 192.168.1.203 #7: no acceptable Oakley Transform
May 21 23:16:55 router1 pluto[2924]: "PEER"[4] 192.168.1.203 #7: sending notification NO_PROPOSAL_CHOSEN to 192.168.1.203:500
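
A log triage sketch for the failure cases above, added here as an example and not part of the original page: it groups pluto lines from /var/log/secure by host, PID and state number and maps the messages shown in this section to the ipsec.conf or NSS DB item to re-check. The cause codes and the function name are assumptions of this example; the sample log lines are copied from the excerpts above.

```python
import re

# Cause codes are names chosen for this example. Each corresponds to one
# failure case on this page and names the setting to re-check.
CAUSES = {
    "LEFTCERT_NOT_NSS_NICKNAME": "leftcert must be an NSS nickname, not a file path",
    "PEER_ID_IS_IP_ADDRESS": "peer sent an IP address as ID: its leftid is unset or its cert failed to load",
    "PEER_ID_NOT_IN_CERT": "peer's leftid does not match the Subject of its certificate",
    "PEER_ID_MISMATCH": "local rightid differs from the ID the peer declares",
    "CA_CERT_MISSING": "CA that issued the peer's certificate is absent from the local NSS DB",
    "AUTHBY_MISMATCH": "initiator proposed a pre-shared key but the responder policy requires rsasig",
}

# syslog prefix written by pluto: "<Mon> <day> <time> <host> pluto[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+pluto\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
STATE_RE = re.compile(r"#(\d+):")  # pluto state number, e.g. "#13:"
NO_KEY_RE = re.compile(r"no RSA public key known for '([^']+)'")
ID_MISMATCH_RE = re.compile(
    r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def diagnose(log_text):
    """Return [(host, state_number_or_None, cause_code), ...] in first-seen order."""
    groups = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a pluto line
        s = STATE_RE.search(m.group("msg"))
        # The PID separates pluto restarts that reuse the same state number.
        key = (m.group("host"), m.group("pid"), int(s.group(1)) if s else None)
        groups.setdefault(key, []).append(m.group("msg"))

    findings = []
    for (host, _pid, state), msgs in groups.items():
        text = "\n".join(msgs)
        if "could not open host cert with nick name" in text:
            findings.append((host, state, "LEFTCERT_NOT_NSS_NICKNAME"))
        if "policy does not allow OAKLEY_PRESHARED_KEY authentication" in text:
            findings.append((host, state, "AUTHBY_MISMATCH"))
        if ID_MISMATCH_RE.search(text):
            findings.append((host, state, "PEER_ID_MISMATCH"))
        ca_missing = "issuer cacert not found" in text
        if ca_missing:
            findings.append((host, state, "CA_CERT_MISSING"))
        no_key = NO_KEY_RE.search(text)
        # "no RSA public key" also follows a rejected CA chain; report it
        # separately only when the chain itself was not the problem.
        if no_key and not ca_missing:
            is_ip = IPV4_RE.match(no_key.group(1))
            findings.append(
                (host, state, "PEER_ID_IS_IP_ADDRESS" if is_ip else "PEER_ID_NOT_IN_CERT"))
    return findings


# Log lines copied from the failure cases on this page.
SAMPLE_LOG = """\
May 21 22:21:57 client2 pluto[3350]:     could not open host cert with nick name '/etc/ipsec.d/certs/client2.pem' in NSS DB
May 21 22:29:47 router1 pluto[2526]: "PEER"[7] 192.168.1.203 #13: Main mode peer ID is ID_IPV4_ADDR: '192.168.3.254'
May 21 22:29:47 router1 pluto[2526]: "PEER"[10] 192.168.1.203 #13: no RSA public key known for '192.168.3.254'
May 21 22:51:57 router1 pluto[2924]: "PEER"[1] 192.168.1.203 #1: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client20.nina.jp'
May 21 22:51:57 router1 pluto[2924]: "PEER"[2] 192.168.1.203 #1: no RSA public key known for 'CN=client20.nina.jp'
May 21 23:02:51 client2 pluto[4488]: "PEER_192.168.1.202" #1: we require peer to have ID 'CN=router10.nina.jp', but peer declares 'CN=router1.nina.jp'
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: issuer cacert not found
May 21 23:06:30 client2 pluto[4711]: "PEER_192.168.1.202" #1: no RSA public key known for 'CN=router1.nina.jp'
May 21 23:16:55 router1 pluto[2924]: "PEER"[4] 192.168.1.203 #7: policy does not allow OAKLEY_PRESHARED_KEY authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"""

if __name__ == "__main__":
    for host, state, code in diagnose(SAMPLE_LOG):
        print(f"{host} #{state}: {code}: {CAUSES[code]}")
```

The leftcert file-path case and the missing-leftid case both show up on router1 as PEER_ID_IS_IP_ADDRESS; only the client-side "could not open host cert" line tells them apart.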

● rightsubnet was not specified on router1

When rightsubnet is not specified on router1:

# /etc/ipsec.conf on router1
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        oe=off
        nhelpers=0

conn PEER
        type=transport
        left=192.168.1.202
        leftid="CN=router1.nina.jp"
        leftrsasigkey=%cert
        leftcert=router1
        right=%any
        # rightsubnet commented out
        # rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        authby=rsasig
        auto=add

The connection from the first client behind the same NAT succeeds.

[root@client2 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #3: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #3: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #3: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #3: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #3: received Vendor ID payload [CAN-IKEv2]
004 "PEER_192.168.1.202" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "PEER_192.168.1.202" #4: STATE_QUICK_I1: initiate
004 "PEER_192.168.1.202" #4: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xb7be14e9 <0xc2f44ddc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

The connection from the second client fails.

[root@client3 ~]# ipsec auto --up PEER_192.168.1.202
104 "PEER_192.168.1.202" #5: STATE_MAIN_I1: initiate
003 "PEER_192.168.1.202" #5: received Vendor ID payload [Openswan (this version) 2.6.33 ]
003 "PEER_192.168.1.202" #5: received Vendor ID payload [Dead Peer Detection]
003 "PEER_192.168.1.202" #5: received Vendor ID payload [RFC 3947] method set to=109
106 "PEER_192.168.1.202" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "PEER_192.168.1.202" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "PEER_192.168.1.202" #5: STATE_MAIN_I3: sent MI3, expecting MR3
003 "PEER_192.168.1.202" #5: received Vendor ID payload [CAN-IKEv2]
004 "PEER_192.168.1.202" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "PEER_192.168.1.202" #6: STATE_QUICK_I1: initiate

router1 logs errors like the following.

[root@router1 ~]# tail -f /var/log/secure
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [Openswan (this version) 2.6.33 ]
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [Dead Peer Detection]
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [RFC 3947] method set to=109
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 21 23:23:28 router1 pluto[3186]: packet from 192.168.1.203:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: responding to Main Mode from unknown peer 192.168.1.203
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: Main mode peer ID is ID_DER_ASN1_DN: 'CN=client3.nina.jp'
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: no crl from issuer "CN=client2-ca" found (strict=no)
May 21 23:23:28 router1 pluto[3186]: "PEER"[2] 192.168.1.203 #3: switched from "PEER" to "PEER"
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: I am sending my cert
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: new NAT mapping for #3, was 192.168.1.203:1, now 192.168.1.203:1024
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: the peer proposed: 192.168.1.202/32:0/0 -> 192.168.3.253/32:0/0
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #4: responding to Quick Mode proposal {msgid:5586a3ea}
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #4:     us: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #4:   them: 192.168.1.203[CN=client3.nina.jp,+S=C]
May 21 23:23:28 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #4: cannot install eroute -- it is in use for "PEER"[2] 192.168.1.203 #2
May 21 23:23:35 router1 pluto[3186]: "PEER"[3] 192.168.1.203 #3: received Delete SA payload: deleting ISAKMP State #3
May 21 23:23:35 router1 pluto[3186]: "PEER"[3] 192.168.1.203: deleting connection "PEER" instance with peer 192.168.1.203 {isakmp=#0/ipsec=#0}
May 21 23:23:35 router1 pluto[3186]: packet from 192.168.1.203:1024: received and ignored informational message

Check the status on router1.

[root@router1 ~]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth0/eth0 2001:c90:1324:200d:20c:29ff:fe0c:f69a
000 interface eth1/eth1 2001:c90:1324:200d:20c:29ff:fe0c:f6a4
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.202
000 interface eth0/eth0 192.168.1.202
000 interface eth1/eth1 192.168.2.1
000 interface eth1/eth1 192.168.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "PEER": 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...%any[+S=C]; unrouted; eroute owner: #0
000 "PEER":     myip=unset; hisip=unset; mycert=router1;
000 "PEER":   CAs: 'CN=router1-ca'...'%any'
000 "PEER":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER":   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "PEER"[2]: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...192.168.1.203[CN=client2.nina.jp,+S=C]; erouted; eroute owner: #2
000 "PEER"[2]:     myip=unset; hisip=unset; mycert=router1;
000 "PEER"[2]:   CAs: 'CN=router1-ca'...'%any'
000 "PEER"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PEER"[2]:   policy: RSASIG+ENCRYPT+PFS+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "PEER"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "PEER"[2]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "PEER"[2] 192.168.1.203:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27895s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "PEER"[2] 192.168.1.203 esp.c2f44ddc@192.168.1.203 esp.b7be14e9@192.168.1.202 ref=0 refhim=4294901761
000 #1: "PEER"[2] 192.168.1.203:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2695s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
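
The status output above can also be checked mechanically instead of by eye. The following is an added example, not part of the original page: it parses text in the `ipsec auto --status` format and reports whether an IPsec SA is established, whether the peer is on the NAT-T port 4500, and whether the negotiated IKE proposal contains a part rejected by a local policy. The names `audit_status` and `WEAK_PARTS`, the policy itself, and the proposal naming for algorithms other than the one shown above are assumptions.

```python
import re

# Constructed sample: four lines copied from the router1 status output above.
SAMPLE_STATUS = '''\
000 "PEER"[2]: 192.168.1.202<192.168.1.202>[CN=router1.nina.jp,+S=C]...192.168.1.203[CN=client2.nina.jp,+S=C]; erouted; eroute owner: #2
000 "PEER"[2]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 #2: "PEER"[2] 192.168.1.203:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27895s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #1: "PEER"[2] 192.168.1.203:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2695s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
'''

# State line: "000 #<n>: "<conn>"[<inst>] <peer>[:<port>] STATE_x (<note>)"
SA_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?:\[\d+\])? ([\d.]+)(?::(\d+))? '
                   r'(STATE_\w+) \(([^)]*)\)')
IKE_RE = re.compile(r'^000 "([^"]+)"(?:\[\d+\])?:\s+IKE algorithm newest: (\S+)')
# Assumed local policy (not an openswan default): parts to reject if negotiated.
WEAK_PARTS = {"MD5", "MODP768", "MODP1024"}

def audit_status(text, expect_natt=True):
    """Return (sas, proposals, findings) parsed from status text."""
    sas, proposals, findings = [], [], []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            num, conn, peer, port, state, note = m.groups()
            # A peer shown without ":port" is treated as not using NAT-T (assumption).
            sas.append({"id": int(num), "conn": conn, "peer": peer,
                        "port": int(port) if port else None,
                        "state": state, "established": "established" in note})
            continue
        m = IKE_RE.match(line)
        if m:
            proposals.append((m.group(1), m.group(2)))
    if not any(s["established"] and s["state"].startswith("STATE_QUICK") for s in sas):
        findings.append("no established IPsec (quick mode) SA")
    for s in sas:
        if expect_natt and s["port"] != 4500:
            findings.append(f"SA #{s['id']} to {s['peer']} is not on NAT-T port 4500")
    for conn, prop in proposals:
        # Single DES is matched by prefix; "3DES_..." does not start with "DES_".
        weak = [p for p in prop.split("-") if p in WEAK_PARTS or p.startswith("DES_")]
        if weak:
            findings.append(f"{conn}: weak IKE proposal {prop} ({', '.join(weak)})")
    return sas, proposals, findings

if __name__ == "__main__":
    print(audit_status(SAMPLE_STATUS)[2] or "no findings")
```
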
