nic# #!/bin/sh [root@nic github-1210-ikev1-quick-mismatch]# nic# # Display the table, so we know it is correct. [root@nic github-1210-ikev1-quick-mismatch]# nic# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination [root@nic github-1210-ikev1-quick-mismatch]# nic# echo "initdone" initdone [root@nic github-1210-ikev1-quick-mismatch]# nic# : ==== end ==== [root@nic github-1210-ikev1-quick-mismatch]# east# /testing/guestbin/swan-prep [root@east github-1210-ikev1-quick-mismatch]# east# ipsec start Redirecting to: systemctl start ipsec.service [ 31.762183] AVX or AES-NI instructions are not detected. [ 31.769401] AVX or AES-NI instructions are not detected. [root@east github-1210-ikev1-quick-mismatch]# east# ../../guestbin/wait-until-pluto-started ==== cut ==== 000 PID Process addconn exited ==== tuc ==== [root@east github-1210-ikev1-quick-mismatch]# east# ipsec auto --add east WARNING: ipsec auto has been deprecated 002 "east": added IKEv1 connection [root@east github-1210-ikev1-quick-mismatch]# east# echo "initdone" initdone [root@east github-1210-ikev1-quick-mismatch]# road# /testing/guestbin/swan-prep [root@road github-1210-ikev1-quick-mismatch]# road# ipsec start Redirecting to: systemctl start ipsec.service [ 10.828884] AVX or AES-NI instructions are not detected. [ 10.836011] AVX or AES-NI instructions are not detected. [ 11.083255] IPv4 over IPsec tunneling driver [ 11.106863] IPsec XFRM device driver [root@road github-1210-ikev1-quick-mismatch]# road# ../../guestbin/wait-until-pluto-started ==== cut ==== 000 PID Process addconn exited ==== tuc ==== [root@road github-1210-ikev1-quick-mismatch]# road# ipsec auto --add road WARNING: ipsec auto has been deprecated 002 "road": added IKEv1 connection [root@road github-1210-ikev1-quick-mismatch]# road# echo "initdone" initdone [root@road github-1210-ikev1-quick-mismatch]# road# ipsec auto --up road WARNING: ipsec auto has been deprecated 002 "road" #1: initiating IKEv1 Main Mode connection 102 "road" #1: sent Main Mode request 104 "road" #1: sent Main Mode I2 106 "road" #1: sent Main Mode I3 002 "road" #1: Peer ID is ID_FQDN: '@east' 004 "road" #1: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP2048} 002 "road" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:7c42d8af proposal=defaults pfsgroup=MODP2048} 115 "road" #2: sent Quick Mode request 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 16 seconds for response 010 "road" #2: STATE_QUICK_I1: retransmission; will wait 32 seconds for response 031 "road" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal 002 "road" #2: deleting IPsec SA (QUICK_I1) aged 64.07234s and NOT sending notification [root@road github-1210-ikev1-quick-mismatch 31]# road# echo done done [root@road github-1210-ikev1-quick-mismatch]# east# ../../guestbin/ipsec-look.sh ==== cut ==== DUMP IN: OUTPUT/east.ipsec-look.1039.log ==== tuc ==== east Tue Aug 8 20:06:50 EDT 2023 XFRM state: XFRM policy: XFRM done IPSEC mangle TABLES iptables filter TABLE Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ROUTING TABLES default via 192.1.2.254 dev eth1 proto static 192.0.1.0/24 via 192.1.2.45 dev eth1 proto static onlink 192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@east github-1210-ikev1-quick-mismatch]# nic# ../../guestbin/ipsec-look.sh [root@nic github-1210-ikev1-quick-mismatch]# road# ../../guestbin/ipsec-look.sh ==== cut ==== DUMP IN: OUTPUT/road.ipsec-look.782.log ==== tuc ==== road Tue Aug 8 20:06:50 EDT 2023 XFRM state: XFRM policy: XFRM done IPSEC mangle TABLES iptables filter TABLE Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ROUTING TABLES default via 192.1.3.254 dev eth0 proto static 192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI [root@road github-1210-ikev1-quick-mismatch]# >>>>>>>>>> post-mortem >>>>>>>>>>east# ../../guestbin/post-mortem.sh PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND 1 1020 1020 1020 ? -1 Ssl 0 0:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork : : checking shutting down pluto : ipsec whack --shutdown pidof pluto PASS: shutting down pluto : : checking core files : PASS: core files : : checking memory leaks : PASS: memory leaks : : checking reference leaks : PASS: reference leaks : : checking xfrm errors : PASS: xfrm errors : : checking state/policy entries : PASS: state/policy entries : : checking selinux audit records : PASS: selinux audit records : : unload any selinux modules : [root@east github-1210-ikev1-quick-mismatch]# nic# ../../guestbin/post-mortem.sh PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND : : pluto is not running, probably strongswan, but possibly iked : : : checking core files : PASS: core files : : checking memory leaks : SKIP: memory leaks as pluto was not running : : checking reference leaks : SKIP: reference leaks as pluto was not running : : checking xfrm errors : SKIP: xfrm errors as pluto was not running : : checking state/policy entries : SKIP: state/policy entries as pluto was not running : : checking selinux audit records : PASS: selinux audit records : : unload any selinux modules : [root@nic github-1210-ikev1-quick-mismatch]# road# ../../guestbin/post-mortem.sh PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND 1 759 759 759 ? -1 Ssl 0 0:00 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork : : checking shutting down pluto : ipsec whack --shutdown pidof pluto PASS: shutting down pluto : : checking core files : PASS: core files : : checking memory leaks : PASS: memory leaks : : checking reference leaks : PASS: reference leaks : : checking xfrm errors : PASS: xfrm errors : : checking state/policy entries : PASS: state/policy entries : : checking selinux audit records : PASS: selinux audit records : : unload any selinux modules : [root@road github-1210-ikev1-quick-mismatch]# <<<<<<<<<< post-mortem <<<<<<<<<<>>>>>>>>>>cut>>>>>>>>>> done <<<<<<<<<