Hello,
I am running SuSE 8.1 and additionally use freeswan for SuSE from
http://www.suse.de/~garloff/linux/FreeSWAN
version 1.99_0.9.23.
I am having problems with SuSEFirewall2 on the gateway.
My setup:
wired LAN 192.168.1.0/24
!
eth0 192.168.1.2/24
gateway------------------------------- eth2/ppp0 --> Internet
eth1 192.168.3.2/24
!
wireless LAN 192.168.3.0/24
a) With the firewall, no ping is answered:
/var/log/messages:21581:Mar 19 16:28:17 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT=... SRC=192.168.3.10 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=50369 PROTO=UDP SPT=500 DPT=500 LEN=64
I have set the TCP and UDP ports for IPSEC:
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0 ipsec0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="17 53 888 domain"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="..."
FW_SERVICES_INT_UDP="... 500..."
FW_SERVICES_INT_IP="50 51"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.1.3/32,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
b) Without the firewall I can send a ping to 192.168.3.2 from the wireless client, i.e. 192.168.3.10 (after echo 1 > /proc/sys/net/ipv4/ip_forward):
Mar 19 16:20:18 gateway pluto[2988]: |
Mar 19 16:20:18 gateway pluto[2988]: | *time to handle event
Mar 19 16:20:18 gateway pluto[2988]: | event after this is EVENT_REINIT_SECRET in 2400 seconds
Mar 19 16:20:18 gateway pluto[2988]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Mar 19 16:20:18 gateway pluto[2988]: | scanning for shunt eroutes
Mar 19 16:20:18 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 120 seconds
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 256 bytes from 192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | **parse ISAKMP Message:
Mar 19 16:21:20 gateway pluto[2988]: | initiator cookie:
Mar...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring Vendor ID payload [4048b7d56ebce885...]
Mar 19 16:21:20 gateway pluto[2988]: | VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: responding to Main Mode
...
Mar 19 16:21:20 gateway pluto[2988]: | ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192,
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 84 bytes for STATE_MAIN_R0 through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 184 bytes from 192.168.3.10:500 on eth1
...
...
Mar 19 16:21:20 gateway pluto[2988]: | DH public value received:
...
Mar 19 16:21:20 gateway pluto[2988]: | Local DH secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | Public DH value sent:
...
Mar 19 16:21:20 gateway pluto[2988]: | DH shared secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 188 bytes for STATE_MAIN_R1 through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 1564 bytes from 192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | state object #2 found, in STATE_MAIN_R2
Mar 19 16:21:20 gateway pluto[2988]: | received encrypted packet from 192.168.3.10:500
Mar 19 16:21:20 gateway pluto[2988]: | decrypting 1536 bytes using algorithm OAKLEY_3DES_CBC
Mar 19 16:21:20 gateway pluto[2988]: | decrypted:
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: Peer ID is ID_DER_ASN1_DN: 'C=...
Mar 19 16:21:20 gateway pluto[2988]: | L0 - certificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L1 - tbsCertificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - DEFAULT v1:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - version:
Mar 19 16:21:20 gateway pluto[2988]: | 02
Mar 19 16:21:20 gateway pluto[2988]: | v3
Mar 19 16:21:20 gateway pluto[2988]: | L2 - serialNumber:
Mar 19 16:21:20 gateway pluto[2988]: | 03
Mar 19 16:21:20 gateway pluto[2988]: | L2 - signature:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - sigAlg:
Mar 19 16:21:20 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:20 gateway pluto[2988]: | L2 - issuer:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - validity:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notBefore:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 16 17:03:56 UTC 2004'
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notAfter:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 14 17:03:56 UTC 2014'
...
Mar 19 16:21:21 gateway pluto[2988]: | L4 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'rsaEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L3 - subjectPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - RSAPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - modulus:
...
Mar 19 16:21:21 gateway pluto[2988]: | L5 - publicExponent:
Mar 19 16:21:21 gateway pluto[2988]: | 01 00 01
Mar 19 16:21:21 gateway pluto[2988]: | L2 - optional extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L3 - extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'basicConstraints'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 30 00
Mar 19 16:21:21 gateway pluto[2988]: | L6 - basicConstraints:
Mar 19 16:21:21 gateway pluto[2988]: | L7 - CA:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'nsComment'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e 65 72 61
Mar 19 16:21:21 gateway pluto[2988]: | 74 65 64 20 43 65 72 74 69 66 69 63 61 74 65
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'subjectKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 04 14 37 8b d5 e2 42 2a e7 18 ae 44 1e bb e8 e5
Mar 19 16:21:21 gateway pluto[2988]: | 6e 39 a7 9a bb c3
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'authorityKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signatureAlgorithm:
Mar 19 16:21:21 gateway pluto[2988]: | L2 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signature:
Mar 19 16:21:21 gateway pluto[2988]: | Subject: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 17:03:56 UTC 2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC 2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Mar 14 17:03:56 UTC 2014
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm: 'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Subject: '...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 16:44:49 UTC 2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC 2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Apr 15 16:44:49 UTC 2004
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: '...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm: 'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | digest: 87 be 74 35 bd 04 ff f7 7c 06 11 17 ef bc 7f 7d
Mar 19 16:21:21 gateway pluto[2988]: | decrypted signature:
...
Mar 19 16:21:21 gateway pluto[2988]: | certificate signature is valid
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Public key validated
Mar 19 16:21:21 gateway pluto[2988]: | hashing 160 bytes of SA
Mar 19 16:21:21 gateway pluto[2988]: | an RSA Sig check passed with *AwEAAeaiG [preloaded key]
Mar 19 16:21:21 gateway pluto[2988]: | authentication succeeded
Mar 19 16:21:22 gateway pluto[2988]: "wanClient" #2: sent MR3, ISAKMP SA established
Mar 19 16:21:22 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 56 seconds
Mar 19 16:21:22 gateway pluto[2988]: |
Mar 19 16:21:22 gateway pluto[2988]: | *received 1564 bytes from 192.168.3.10:500 on eth1
...
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps this is a duplicated packet)
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
...
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps this is a duplicated packet)
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Does anyone have a tip regarding SuSEfirewall, or know why freeswan gives this message: "Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps this is a duplicated packet)"?
Sage
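Added example, not part of Sage's post and not code from FreeS/WAN or SuSEfirewall2: a small Python triage script that reads a syslog excerpt like the one above and separates the two symptoms it contains. It parses the kernel's "SuSE-FW-DROP-..." lines into their KEY=VALUE fields and counts only the IKE (UDP 500/4500), ESP and AH packets that were dropped, keyed by log prefix, inbound interface and source address, so that a drop of the client's IKE traffic by the anti-spoof rule on eth1 stands out from unrelated drops. It also counts pluto's "previously used Message ID" rejections per connection and Message ID; a peer that keeps retransmitting the same Quick Mode exchange looks identical in the log whether or not the firewall is the cause, so the script only reports the repetition rather than a root cause. The log lines embedded in it are constructed for this example, modelled on the post's lines; the "SuSE-FW-DROP-DEFAULT" line and the public addresses in it are invented, only there to show that non-IPsec drops are filtered out.

```python
import re
from collections import Counter

# Constructed sample log excerpt for this example, modelled on the kernel and
# pluto lines in the post. The "SuSE-FW-DROP-DEFAULT" line and its public
# addresses are invented to show that unrelated drops are filtered out.
SAMPLE_LOG = """\
Mar 19 16:28:17 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT= SRC=192.168.3.10 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=50369 PROTO=UDP SPT=500 DPT=500 LEN=64
Mar 19 16:28:18 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT= SRC=192.168.3.10 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=50370 PROTO=UDP SPT=500 DPT=500 LEN=64
Mar 19 16:28:19 gateway kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=4444 DPT=135
Mar 19 16:28:20 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT= SRC=192.168.3.10 DST=192.168.3.2 LEN=120 TOS=0x00 PREC=0x00 TTL=128 ID=50371 PROTO=ESP SPI=0x1234abcd
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps this is a duplicated packet)
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps this is a duplicated packet)
"""

# Netfilter LOG output as SuSEfirewall2 prefixes it: the prefix from FW_LOG
# plus a rule-class suffix, followed by KEY=VALUE fields.
FW_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z0-9-]+) (?P<fields>.*)$")

# pluto's complaint about a Quick Mode message reusing an ISAKMP Message ID.
PLUTO_DUP_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): Quick Mode I1 message '
    r"is unacceptable because it uses a previously used Message ID "
    r"(?P<msgid>0x[0-9a-fA-F]+)"
)

IPSEC_PROTOS = {"ESP", "50", "AH", "51"}  # netfilter prints names; accept numbers too
IKE_PORTS = {"500", "4500"}               # IKE, and IKE over NAT-T


def parse_fw_line(line):
    """Return {"prefix": ..., "IN": ..., "SRC": ..., ...} for a firewall log line, else None."""
    m = FW_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        # LEN= appears twice (IP total length, then UDP length); keep the first.
        rec.setdefault(key, value)
    return rec


def is_ipsec(rec):
    """True if the logged packet is ESP/AH or IKE (UDP 500/4500) in either direction."""
    proto = rec.get("PROTO")
    if proto in IPSEC_PROTOS:
        return True
    return proto == "UDP" and bool({rec.get("SPT"), rec.get("DPT")} & IKE_PORTS)


def summarize_ipsec_drops(lines):
    """Count dropped IPsec/IKE packets by (log prefix, inbound interface, source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_fw_line(line)
        if rec and "DROP" in rec["prefix"] and is_ipsec(rec):
            counts[(rec["prefix"], rec.get("IN", ""), rec.get("SRC", ""))] += 1
    return counts


def find_duplicate_message_ids(lines):
    """Count pluto's 'previously used Message ID' rejections per (connection, Message ID)."""
    counts = Counter()
    for line in lines:
        m = PLUTO_DUP_RE.search(line)
        if m:
            counts[(m.group("conn"), m.group("msgid"))] += 1
    return counts


def triage(log_text):
    """Turn a syslog excerpt into a short list of findings a firewall admin can act on."""
    lines = log_text.splitlines()
    findings = []
    for (prefix, ifname, src), n in sorted(summarize_ipsec_drops(lines).items()):
        findings.append(f"{n} IPsec/IKE packet(s) from {src} dropped on {ifname} by {prefix}")
    for (conn, msgid), n in sorted(find_duplicate_message_ids(lines).items()):
        if n > 1:
            findings.append(f'conn "{conn}": Quick Mode I1 with Message ID {msgid} rejected '
                            f"{n} times (peer retransmitting the same Quick Mode exchange)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; the first finding line names the rule class (the suffix after the FW_LOG prefix), the interface and the source, which is exactly what has to be reconciled against FW_DEV_INT/FW_DEV_EXT and the anti-spoof handling of the 192.168.3.0/24 network.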