This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX doing the NAT see and experience, through working examples.
Configuring IPSEC with NAT in a more resilient way requires a few changes to the traditional static method of setting up an IPSEC connection. The first is changing the mode in which IKE negotiates and agrees on identities and proposals from Main Mode to Aggressive Mode. Main Mode protects all of the hashes and identities of the two parties doing the IKE negotiation. However, Main Mode can only be used with pre-shared keys when the IP address of the peer is also its identity. Therefore, Main Mode cannot really support dynamic IP addresses, and Aggressive Mode must be used instead. Aggressive Mode allows other identifiers to be used, such as an email address or an FQDN. Aggressive Mode combines a few of the steps, and exposes the identities of the two parties in the process. This is susceptible to man-in-the-middle attacks, and to brute forcing of the hashes that are sent during the exchange. Using PKI for authentication instead of pre-shared keys with Aggressive Mode solves these issues.
Anyway, with the technicalities glazed over briefly, let's make it work quickly, albeit a bit insecurely: we'll change our IKE mode to "Aggressive" on both the initiator (SRX-11) and the responder (SRX-13).
On the host behind the NAT device (the initiator), SRX-11, we'll also override the default local-identity of the IP address and use a hostname instead.
SRX-11 aggressive mode IKE configuration
juniper@SRX-11# show
traceoptions {
    file ike.log size 10m;
    flag ike;
}
proposal REKEY-ALOT {
    authentication-method pre-shared-keys;
    dh-group group1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
policy IKE-POL {
    mode aggressive;
    proposals REKEY-ALOT;
    pre-shared-key ascii-text "$9$byY4ZHqfn/tUj/tuOcSwYgoUjk.PQ36"; ## SECRET-DATA
}
gateway SRX-13 {
    ike-policy IKE-POL;
    address 192.168.13.13;
    local-identity hostname srx-11;
    external-interface lo0.0;
}
[edit security ike]
juniper@SRX-11#
On the responder, SRX-13, we change the identifier of the peer from an IP address to "dynamic", and tell it that the hostname to expect is "srx-11", which matches the identity that SRX-11 set for itself.
SRX-13 aggressive mode IKE configuration
[edit security ike]
juniper@SRX13# show
traceoptions {
    file ike.log size 10m;
    flag ike;
}
proposal REKEY-ALOT {
    authentication-method pre-shared-keys;
    dh-group group1;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 180;
}
policy IKE-POL {
    mode aggressive;
    proposals REKEY-ALOT;
    pre-shared-key ascii-text "$9$YQ4JD.PQ9A0ikA0BIrl24aZikmfT3/C"; ## SECRET-DATA
}
gateway SRX-11 {
    ike-policy IKE-POL;
    dynamic hostname srx-11;
    external-interface lo0.0;
}
[edit security ike]
juniper@SRX13#
Once the changes are committed, we see that IKE Phase 1 completes, but Phase 2 doesn't go anywhere.
SRX-11 security associations
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
2735804 UP     c960376deaf98d25  5231d00e35462107  Aggressive  192.168.13.13

[edit security ike]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 0

[edit security ike]
SRX-13 security associations
juniper@SRX13# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3194349 DOWN   c960376deaf98d25  5231d00e35462107  Aggressive  172.18.2.12

[edit security ike]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 0

[edit security ike]
The IKE trace on SRX-11:
SRX-11 IKE trace
[Jan 11 10:44:26]iked_config_process_config_list, configuration diff complete
[Jan 11 10:44:30]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 4, flags = 00040000
[Jan 11 10:44:30]ike_sa_allocate: Start, SA = { c960376d eaf98d25 - 00000000 00000000 }
[Jan 11 10:44:30]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 10:44:30]ssh_ike_connect: SA = { c960376d eaf98d25 - 00000000 00000000}, nego = -1
[Jan 11 10:44:30]ike_st_o_sa_proposal: Start
[Jan 11 10:44:30]ike_st_o_ke: Start
[Jan 11 10:44:30]ike_st_o_nonce: Start
[Jan 11 10:44:30]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 10:44:30]ike_st_o_id: Start
[Jan 11 10:44:30]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 10:44:30]ike_st_o_private: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_encode_packet: Start, SA = { 0xc960376d eaf98d25 - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 10:44:30]ikev2_packet_allocate: Allocated packet 8c37400 from freelist
[Jan 11 10:44:30]ike_sa_find: Not found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:30]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 10:44:30]ike_get_sa: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107 } / 00000000, remote = 192.168.13.13:500
[Jan 11 10:44:30]ike_sa_find: Not found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:30]ike_sa_find_half: Found half SA = { c960376d eaf98d25 - 00000000 00000000 }
[Jan 11 10:44:30]ike_sa_upgrade: Start, SA = { c960376d eaf98d25 - 00000000 00000000 } -> { ... - 5231d00e 35462107 }
[Jan 11 10:44:30]ike_decode_packet: Start
[Jan 11 10:44:30]ike_decode_packet: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107} / 00000000, nego = -1
[Jan 11 10:44:30]ike_decode_payload_sa: Start
[Jan 11 10:44:30]ike_decode_payload_t: Start, # trans = 1
[Jan 11 10:44:30]ike_st_i_sa_value: Start
[Jan 11 10:44:30]ike_st_i_nonce: Start, nonce[0..16] = 51eeccf9 256deac6 ...
[Jan 11 10:44:30]ike_st_i_id: Start
[Jan 11 10:44:30]ike_st_i_ke: Ke[0..96] = f0b5b111 2a496a92 ...
[Jan 11 10:44:30]ike_st_i_hash: Start, hash[0..20] = 09b9a110 351f3506 ...
[Jan 11 10:44:30]ike_calc_mac: Start, initiator = true, local = false
[Jan 11 10:44:30]ike_find_pre_shared_key: Find pre shared key key for 192.168.11.11:500, id = fqdn(any:0,[0..5]=srx-11) -> 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13)
[Jan 11 10:44:30]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 10:44:30]ike_st_i_cert: Start
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 10:44:30]ike_st_i_private: Start
[Jan 11 10:44:30]ike_st_o_hash: Start
[Jan 11 10:44:30]ike_calc_mac: Start, initiator = true, local = true
[Jan 11 10:44:30]ike_st_o_status_n: Start
[Jan 11 10:44:30]ike_st_o_private: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_st_o_optional_encrypt: Marking encryption for packet
[Jan 11 10:44:30]ike_st_o_wait_done: Marking for waiting for done
[Jan 11 10:44:30]ike_st_o_all_done: MESSAGE: Phase 1 { 0xc960376d eaf98d25 - 0x5231d00e 35462107 } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life
[Jan 11 10:44:30]192.168.11.11:4500 (Initiator) <-> 192.168.13.13:4500 { c960376d eaf98d25 - 5231d00e 35462107 [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hma
[Jan 11 10:44:30]ike_encode_packet: Start, SA = { 0xc960376d eaf98d25 - 5231d00e 35462107 } / 00000000, nego = -1
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 10:44:30]ike_send_notify: Connected, SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:30]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Jan 11 10:44:30]ike_alloc_negotiation: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107}
[Jan 11 10:44:30]ssh_ike_connect_ipsec: SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:44:30]ike_init_qm_negotiation: Start, initiator = 1, message_id = 6f34e0b7
[Jan 11 10:44:30]ike_st_o_qm_hash_1: Start
[Jan 11 10:44:30]ike_st_o_qm_sa_proposals: Start
[Jan 11 10:44:30]ike_st_o_qm_nonce: Start
[Jan 11 10:44:30]ike_policy_reply_qm_nonce_data_len: Start
[Jan 11 10:44:30]ike_st_o_qm_optional_ke: Start
[Jan 11 10:44:30]ike_st_o_qm_optional_ids: Start
[Jan 11 10:44:30]ike_st_qm_optional_id: Start
[Jan 11 10:44:30]ike_st_qm_optional_id: Start
[Jan 11 10:44:30]ike_st_o_private: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 10:44:30]ike_encode_packet: Start, SA = { 0xc960376d eaf98d25 - 5231d00e 35462107 } / 6f34e0b7, nego = 0
[Jan 11 10:44:30]ike_finalize_qm_hash_1: Hash[0..20] = a655f16e 8567394f ...
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 10:44:40]ikev2_packet_allocate: Allocated packet 8c37800 from freelist
[Jan 11 10:44:40]ike_sa_find: Found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:40]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 10:44:40]ike_get_sa: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107 } / 00000000, remote = 192.168.13.13:500
[Jan 11 10:44:40]ike_sa_find: Found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:40]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:44:40]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:44:40]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:44:50]ikev2_packet_allocate: Allocated packet 8c37c00 from freelist
[Jan 11 10:44:50]ike_sa_find: Found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:50]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 10:44:50]ike_get_sa: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107 } / 00000000, remote = 192.168.13.13:500
[Jan 11 10:44:50]ike_sa_find: Found SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:44:50]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:44:50]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:44:50]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:45:00]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:45:00]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:45:10]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:45:10]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
And the trace on the responder, SRX-13:
SRX-13 IKE trace
[Jan 11 10:44:30]ikev2_packet_allocate: Allocated packet 8c29400 from freelist
[Jan 11 10:44:30]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 10:44:30]ike_get_sa: Start, SA = { c960376d eaf98d25 - 00000000 00000000 } / 00000000, remote = 172.18.2.12:7771
[Jan 11 10:44:30]ike_sa_allocate: Start, SA = { c960376d eaf98d25 - 30d188a5 0f566993 }
[Jan 11 10:44:30]ike_init_isakmp_sa: Start, remote = 172.18.2.12:7771, initiator = 0
[Jan 11 10:44:30]ike_decode_packet: Start
[Jan 11 10:44:30]ike_decode_packet: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107} / 00000000, nego = -1
[Jan 11 10:44:30]ike_decode_payload_sa: Start
[Jan 11 10:44:30]ike_decode_payload_t: Start, # trans = 1
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 10:44:30]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 10:44:30]ike_st_i_id: Start
[Jan 11 10:44:30]ike_st_i_sa_proposal: Start
[Jan 11 10:44:30]ike_free_id_payload: Start, id type = 2
[Jan 11 10:44:30]ike_isakmp_sa_reply: Start
[Jan 11 10:44:30]ike_state_restart_packet: Start, restart packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:30]ike_st_i_sa_proposal: Start
[Jan 11 10:44:30]ike_st_i_nonce: Start, nonce[0..16] = 9291428a 10853310 ...
[Jan 11 10:44:30]ike_st_i_cert: Start
[Jan 11 10:44:30]ike_st_i_hash_key: Start, no key_hash
[Jan 11 10:44:30]ike_st_i_ke: Ke[0..96] = 85d0edb3 5d6f6747 ...
[Jan 11 10:44:30]ike_st_i_cr: Start
[Jan 11 10:44:30]ike_st_i_private: Start
[Jan 11 10:44:30]ike_st_o_sa_values: Start
[Jan 11 10:44:30]ike_st_o_ke: Start
[Jan 11 10:44:30]ike_st_o_nonce: Start
[Jan 11 10:44:30]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 10:44:30]ike_st_o_id: Start
[Jan 11 10:44:30]ike_policy_reply_isakmp_id: Start
[Jan 11 10:44:30]ike_state_restart_packet: Start, restart packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:30]ike_st_o_id: Start
[Jan 11 10:44:30]ike_st_o_certs_base: Start
[Jan 11 10:44:30]ike_st_o_sig_or_hash: Start, auth_method = 4
[Jan 11 10:44:30]ike_st_o_hash: Start
[Jan 11 10:44:30]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13) -> 172.18.2.12:7771, id = fqdn(any:0,[0..5]=srx-11)
[Jan 11 10:44:30]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 10:44:30]ike_state_restart_packet: Start, restart packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:30]ike_st_o_sig_or_hash: Start, auth_method = 4
[Jan 11 10:44:30]ike_st_o_hash: Start
[Jan 11 10:44:30]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13) -> 172.18.2.12:7771, id = fqdn(any:0,[0..5]=srx-11)
[Jan 11 10:44:30]ike_calc_mac: Start, initiator = false, local = true
[Jan 11 10:44:30]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 10:44:30]ike_st_o_status_n: Start
[Jan 11 10:44:30]ike_st_o_private: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_policy_reply_private_payload_out: Start
[Jan 11 10:44:30]ike_st_o_calc_skeyid: Calculating skeyid
[Jan 11 10:44:30]ike_encode_packet: Start, SA = { 0xc960376d eaf98d25 - 5231d00e 35462107 } / 00000000, nego = -1
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 172.18.2.12:7771, routing table id = 0
[Jan 11 10:44:40]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:40]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 172.18.2.12:7771 routing table id = 0
[Jan 11 10:44:50]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:44:50]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 172.18.2.12:7771 routing table id = 0
[Jan 11 10:45:00]ike_remove_callback: Start, delete SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:45:00]192.168.13.13:500 (Responder) <-> 172.18.2.12:7771 { c960376d eaf98d25 - 5231d00e 35462107 [-1] / 0x00000000 } Aggr; Connection timed out or error, calling callback
[Jan 11 10:45:00]ike_delete_negotiation: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1
[Jan 11 10:45:00]ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
[Jan 11 10:45:00]ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
[Jan 11 10:45:00]ike_sa_delete: Start, SA = { c960376d eaf98d25 - 5231d00e 35462107 }
[Jan 11 10:45:00]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 10:45:00]ike_free_negotiation: Start, nego = -1
[Jan 11 10:45:00]ike_free_id_payload: Start, id type = 1
[Jan 11 10:45:00]ike_free_id_payload: Start, id type = 2
[Jan 11 10:45:00]ike_free_sa: Start
[Jan 11 10:45:00] IKEv1 Error : Timeout
A tcpdump -nvv udp port 500 of the exchange, taken on the link between SRX-11 and SRX-12:
tcpdump of IKE aggressive mode exchange
11:44:31.261721 IP (tos 0xc0, ttl 64, id 7342, offset 0, flags [none], proto UDP (17), length 450)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=c960376deaf98d25 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(9291428a10853310767c...ca094c93e242c9de19e7b7c60000000500000500)) (id: idtype=FQDN protoid=0 port=0 len=6 srx-11) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
11:44:31.288096 IP (tos 0xc0, ttl 63, id 8403, offset 0, flags [none], proto UDP (17), length 392)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->5231d00e35462107: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(51eeccf9256deac6e1c9...24252fed53d13ff6d8d981559456eb041edae1b8)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
11:44:41.299072 IP (tos 0xc0, ttl 63, id 8425, offset 0, flags [none], proto UDP (17), length 392)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->5231d00e35462107: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(51eeccf9256deac6e1c9...24252fed53d13ff6d8d981559456eb041edae1b8)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
11:44:51.308829 IP (tos 0xc0, ttl 63, id 8431, offset 0, flags [none], proto UDP (17), length 392)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->5231d00e35462107: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(51eeccf9256deac6e1c9...24252fed53d13ff6d8d981559456eb041edae1b8)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
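The capture above shows concretely what the earlier warning about Aggressive Mode means: the identity payload and the responder's PSK hash travel unencrypted in the first two messages. The following Python is an added example, not code from the original guide, that parses tcpdump's text isakmp summary and reports what an on-path observer can read from it; the sample capture is constructed from the packets shown above with the nonce data shortened, and all function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the tcpdump -nvv output above (nonce data shortened).
SAMPLE_TCPDUMP = """\
11:44:31.261721 IP (tos 0xc0, ttl 64, id 7342, offset 0, flags [none], proto UDP (17), length 450)
    192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=c960376deaf98d25 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(9291428a10853310767c...)) (id: idtype=FQDN protoid=0 port=0 len=6 srx-11) (vid: len=16)
11:44:31.288096 IP (tos 0xc0, ttl 63, id 8403, offset 0, flags [none], proto UDP (17), length 392)
    192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie c960376deaf98d25->5231d00e35462107: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(51eeccf9256deac6e1c9...)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16)
"""

# A new packet starts with a timestamp; tcpdump -v continues the packet on indented lines.
PKT_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
HDR_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): .*?isakmp [\d.]+ .*?phase (\d) ([IR]) (\w+):")
GROUP_RE = re.compile(r"type=group desc value=(\w+)")
AUTH_RE = re.compile(r"type=auth value=(\w+)")
ID_RE = re.compile(r"\(id: idtype=(\w+) protoid=\d+ port=\d+ len=\d+ ([^)]+)\)")
HASH_RE = re.compile(r"\(hash: len=(\d+)\)")


@dataclass
class IsakmpPacket:
    src: str
    dst: str
    phase: int
    role: str            # "I" initiator or "R" responder
    exchange: str        # "agg" = aggressive mode, "ident" = main mode (identity protection)
    dh_group: Optional[str]
    auth: Optional[str]
    id_type: Optional[str]
    identity: Optional[str]   # the identity payload, readable in the clear if present
    hash_len: Optional[int]   # authentication hash payload, readable in the clear if present


def parse_tcpdump_isakmp(text: str) -> list:
    """Group tcpdump -v lines into packets and extract the ISAKMP fields we care about."""
    packets, buf = [], []
    for line in text.splitlines():
        if PKT_START.match(line) and buf:
            packets.append(" ".join(buf))
            buf = []
        buf.append(line.strip())
    if buf:
        packets.append(" ".join(buf))

    result = []
    for raw in packets:
        h = HDR_RE.search(raw)
        if not h:
            continue  # not an ISAKMP summary line
        g, a, i, hs = GROUP_RE.search(raw), AUTH_RE.search(raw), ID_RE.search(raw), HASH_RE.search(raw)
        result.append(IsakmpPacket(
            src=h.group(1), dst=h.group(3), phase=int(h.group(5)), role=h.group(6),
            exchange=h.group(7),
            dh_group=g.group(1) if g else None,
            auth=a.group(1) if a else None,
            id_type=i.group(1) if i else None,
            identity=i.group(2) if i else None,
            hash_len=int(hs.group(1)) if hs else None,
        ))
    return result


def exposure_findings(packets: list) -> list:
    """Audit findings: what the Phase 1 exchange reveals to anyone who can see the packets."""
    findings = []
    for p in packets:
        if p.phase == 1 and p.exchange == "agg":
            if p.identity:
                findings.append(f"{p.src}: aggressive mode sends identity in the clear: {p.id_type} {p.identity}")
            if p.hash_len and p.auth == "preshared":
                findings.append(f"{p.src}: PSK authentication hash ({p.hash_len} bytes) sent unencrypted")
        if p.dh_group == "modp768":
            # group1 in the SRX proposal above is MODP-768, a 768-bit modulus
            findings.append(f"{p.src}: DH group 1 (modp768) offered, 768-bit modulus")
    return findings


if __name__ == "__main__":
    for finding in exposure_findings(parse_tcpdump_isakmp(SAMPLE_TCPDUMP)):
        print(finding)
```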
Looking at the sessions on the firewall, SRX-12, we can see IKE traffic, but nothing else.
flows on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 291, Policy name: ALLOW-IKE-500/5, Timeout: 34, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 1, Bytes: 450
  Out: 192.168.13.13/500 --> 172.18.2.12/7771;udp, If: ge-0/0/5.0, Pkts: 3, Bytes: 1176
Total sessions: 1

[edit security nat]
juniper@SRX-12#
And the client still doesn't have "pingy".
client connectivity test
juniper@client:~$ ping -c 1 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.

--- 10.80.80.80 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
juniper@client:~$
Examining the IKE session in detail on SRX-11, we can confirm that Phase 2 won't come up and that it is trying to use UDP port 4500 on the local and remote endpoints. UDP port 4500 is what IPSEC uses for NAT traversal, or simply NAT-T. This is an IPSEC ESP packet that is encapsulated in UDP. This is necessary because a tunneled ESP packet can include an integrity check that includes the original IP addresses. With IPSEC running in transport mode, if any of the IPs are modified along the way, such as by a NAT device, the integrity check will fail and the ESP packet will be discarded. ESP running in tunnel mode generally doesn't have this problem, as there is yet another IP header added which is not part of the integrity check. Encapsulating the original ESP packet is a way of getting around any transitory IP address modifications. It also helps to get through some types of network devices (as we'll see later).
SRX-11 security associations in detail
juniper@SRX-11# run show security ike security-associations detail
IKE peer 192.168.13.13, Index 2736898, Gateway Name: SRX-13
  Role: Initiator, State: UP
  Initiator cookie: 1bea56bf6c75c6be, Responder cookie: 441bfe106e872ba7
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 192.168.11.11:4500, Remote: 192.168.13.13:4500
  Lifetime: Expires in 49 seconds
  Peer ike-id: 192.168.13.13
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-1
  Traffic statistics:
   Input  bytes  :                 1092
   Output bytes  :                 2702
   Input  packets:                    3
   Output packets:                   15
  Flags: IKE SA is created
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
  Flags: IKE SA is created

[edit security ike]
juniper@SRX-11#
Examining the IKE trace on SRX-11, we can narrow in on the problem a bit more by looking at the start of Phase 2: SRX-11 is trying UDP port 4500 to do so, and there are a lot of retransmissions.
Excerpts from IKE trace on SRX-11
[Jan 11 10:44:30]192.168.11.11:4500 (Initiator) <-> 192.168.13.13:4500 { c960376d eaf98d25 - 5231d00e 35462107 [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hma
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 10:44:40]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = -1, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:44:50]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:44:50]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:45:00]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:45:00]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:45:10]ike_retransmit_callback: Start, retransmit SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0
[Jan 11 10:45:10]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
Examining the logs on SRX-12, we can see that sessions using UDP port 4500 are being denied.
SRX-12 logs blocking UDP 4500 traffic
Jan 17 10:57:35 SRX-12 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.11.11/4500->192.168.13.13/4500 junos-ike-nat 17(0) DENY-ALL SRX11 SRX13 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/4.0 UNKNOWN policy deny
UDP port 4500 is what IPSEC uses for NAT traversal, or NAT-T. This is simply an IPSEC ESP packet that has been encapsulated in a UDP packet. This is necessary because for ESP in tunnel mode, if it is using an integrity check (which most implementations do), the integrity check encompasses the original IP addresses. Changing the source or destination IPs, like with a NAT device, causes the integrity check to fail. Encapsulating the ESP packet in another packet that isn't included in the integrity check is a way around this problem.
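The four artifacts collected so far (IKE SA table, IPsec SA count, the retransmit lines in the IKE trace, and the RT_FLOW_SESSION_DENY log on the firewall in the path) together pin the fault on blocked NAT-T. The following Python is an added example, not code from the original guide, that parses those outputs and returns a verdict; the sample inputs are constructed to match the formats shown above, and every function, class and verdict string is my own naming.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the SRX outputs shown above (not captured from a live device).
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
2735804 UP     c960376deaf98d25  5231d00e35462107  Aggressive  192.168.13.13
"""
IPSEC_SA_OUTPUT = "  Total active tunnels: 0\n"
IKE_TRACE = """\
[Jan 11 10:44:30]ike_send_packet: Start, send SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 10:44:40]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
[Jan 11 10:44:50]ike_send_packet: Start, retransmit previous packet SA = { c960376d eaf98d25 - 5231d00e 35462107}, nego = 0, dst = 192.168.13.13:4500 routing table id = 0
"""
FIREWALL_LOG = """\
Jan 17 10:57:35 SRX-12 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.11.11/4500->192.168.13.13/4500 junos-ike-nat 17(0) DENY-ALL SRX11 SRX13 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/4.0 UNKNOWN policy deny
"""

IKE_SA_RE = re.compile(r"^\s*(\d+)\s+(UP|DOWN)\s+[0-9a-f]{16}\s+[0-9a-f]{16}\s+(\w+)\s+(\S+)", re.M)
TUNNELS_RE = re.compile(r"Total active tunnels:\s*(\d+)")
RETRANS_RE = re.compile(r"retransmit previous packet .*?dst = (\d+\.\d+\.\d+\.\d+):(\d+)")
# RT_FLOW_SESSION_DENY: src/sport->dst/dport app proto(0) policy from-zone to-zone ...
DENY_RE = re.compile(r"RT_FLOW_SESSION_DENY: session denied "
                     r"(\S+)/(\d+)->(\S+)/(\d+) (\S+) (\d+)\(\d+\) (\S+) (\S+) (\S+)")


@dataclass
class IkeSa:
    index: int
    state: str
    mode: str
    remote: str


@dataclass
class FlowDeny:
    src: str
    sport: int
    dst: str
    dport: int
    app: str
    proto: int
    policy: str
    from_zone: str
    to_zone: str


@dataclass
class Diagnosis:
    ike_phase1_up: bool
    active_tunnels: int
    retransmits_to_4500: int
    denied_4500_sessions: int
    verdict: str


def parse_ike_sas(text: str) -> list:
    return [IkeSa(int(m.group(1)), m.group(2), m.group(3), m.group(4)) for m in IKE_SA_RE.finditer(text)]


def parse_active_tunnels(text: str) -> int:
    m = TUNNELS_RE.search(text)
    return int(m.group(1)) if m else 0


def parse_retransmits(text: str) -> list:
    """(destination ip, destination port) for every retransmitted IKE packet in the trace."""
    return [(m.group(1), int(m.group(2))) for m in RETRANS_RE.finditer(text)]


def parse_flow_denies(text: str) -> list:
    return [FlowDeny(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5),
                     int(m.group(6)), m.group(7), m.group(8), m.group(9))
            for m in DENY_RE.finditer(text)]


def diagnose_nat_t(ike_sa_out: str, ipsec_sa_out: str, ike_trace: str, fw_log: str) -> Diagnosis:
    """Combine the four artifacts into one verdict about why Phase 2 is not completing."""
    phase1_up = any(sa.state == "UP" for sa in parse_ike_sas(ike_sa_out))
    tunnels = parse_active_tunnels(ipsec_sa_out)
    retrans = [r for r in parse_retransmits(ike_trace) if r[1] == 4500]
    denies = [d for d in parse_flow_denies(fw_log) if d.dport == 4500 or d.app == "junos-ike-nat"]
    if tunnels > 0:
        verdict = "OK"                       # IPsec SAs exist; nothing to diagnose
    elif phase1_up and retrans and denies:
        verdict = "NAT-T_BLOCKED"            # Phase 1 fine, 4500 retransmits, firewall denies 4500
    elif phase1_up and retrans:
        verdict = "PHASE2_STALLED_ON_4500"   # same symptom, but no deny log found: look elsewhere in the path
    elif not phase1_up:
        verdict = "PHASE1_DOWN"
    else:
        verdict = "PHASE2_FAILED_OTHER"
    return Diagnosis(phase1_up, tunnels, len(retrans), len(denies), verdict)


if __name__ == "__main__":
    print(diagnose_nat_t(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, IKE_TRACE, FIREWALL_LOG))
```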
Adding the following config snippet on SRX-12, inserted before the ALLOW-IKE-500 policy, allows IKE Phase 2 to complete so our SAs can be set up and our encrypted traffic allowed through end to end. There is another way to solve this using an application layer gateway (ALG), which is covered in its own section.
policy on SRX-12 to allow UDP port 4500 traffic
juniper@SRX-12#
policy ALLOW-NAT-T {
    match {
        source-address any;
        destination-address any;
        application junos-ike-nat;
    }
    then {
        permit;
        count;
    }
}
A few seconds after committing the changes on SRX-12, a new IKE exchange completes Phase 1 and Phase 2 on both SRX-11 and SRX-13.
SRX-11 security associations
juniper@SRX-11# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
2735850 UP     78c4a06b03f412b4  d1203548874ec91b  Aggressive  192.168.13.13
2735848 UP     d4edb2a332a36805  c674fabf3e7369cb  Aggressive  192.168.13.13
2735849 UP     2f12e0279d689157  c266a85b44f41c34  Aggressive  192.168.13.13

[edit security]
juniper@SRX-11# run show security ipsec security-associations
  Total active tunnels: 1
  ID      Algorithm             SPI       Life:sec/kb  Mon lsys  Port  Gateway
  <131073 ESP:aes-cbc-128/md5   82766ba9  187/ unlim   -   root  4500  192.168.13.13
  >131073 ESP:aes-cbc-128/md5   960136b   187/ unlim   -   root  4500  192.168.13.13

[edit security]
juniper@SRX-11#
SRX-13 security associations
juniper@SRX13# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3194395 UP     78c4a06b03f412b4  d1203548874ec91b  Aggressive  172.18.2.12

[edit security ike]
juniper@SRX13# run show security ipsec security-associations
  Total active tunnels: 1
  ID         Algorithm             SPI       Life:sec/kb  Mon lsys  Port   Gateway
  <268173313 ESP:aes-cbc-128/md5   960136b   179/ unlim   -   root  16052  172.18.2.12
  >268173313 ESP:aes-cbc-128/md5   82766ba9  179/ unlim   -   root  16052  172.18.2.12

[edit security ike]
juniper@SRX13#
The IKE trace on SRX-11 now shows Phase 2 completing.
SRX-11 IKE trace
[Jan 11 11:37:35]ssh_ike_connect: Start, remote_name = 192.168.13.13:500, xchg = 4, flags = 00040000
[Jan 11 11:37:35]ike_sa_allocate: Start, SA = { 78c4a06b 03f412b4 - 00000000 00000000 }
[Jan 11 11:37:35]ike_init_isakmp_sa: Start, remote = 192.168.13.13:500, initiator = 1
[Jan 11 11:37:35]ssh_ike_connect: SA = { 78c4a06b 03f412b4 - 00000000 00000000}, nego = -1
[Jan 11 11:37:35]ike_st_o_sa_proposal: Start
[Jan 11 11:37:35]ike_st_o_ke: Start
[Jan 11 11:37:35]ike_st_o_nonce: Start
[Jan 11 11:37:35]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 11:37:35]ike_st_o_id: Start
[Jan 11 11:37:35]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 11:37:35]ike_st_o_private: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - 00000000 00000000 } / 00000000, nego = -1
[Jan 11 11:37:35]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - 00000000 00000000}, nego = -1, dst = 192.168.13.13:500, routing table id = 0
[Jan 11 11:37:35]ikev2_packet_allocate: Allocated packet 8c27c00 from freelist
[Jan 11 11:37:35]ike_sa_find: Not found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:35]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:35]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b } / 00000000, remote = 192.168.13.13:500
[Jan 11 11:37:35]ike_sa_find: Not found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:35]ike_sa_find_half: Found half SA = { 78c4a06b 03f412b4 - 00000000 00000000 }
[Jan 11 11:37:35]ike_sa_upgrade: Start, SA = { 78c4a06b 03f412b4 - 00000000 00000000 } -> { ... - d1203548 874ec91b }
[Jan 11 11:37:35]ike_decode_packet: Start
[Jan 11 11:37:35]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / 00000000, nego = -1
[Jan 11 11:37:35]ike_decode_payload_sa: Start
[Jan 11 11:37:35]ike_decode_payload_t: Start, # trans = 1
[Jan 11 11:37:35]ike_st_i_sa_value: Start
[Jan 11 11:37:35]ike_st_i_nonce: Start, nonce[0..16] = 4f3d8bbb 12064de0 ...
[Jan 11 11:37:35]ike_st_i_id: Start
[Jan 11 11:37:35]ike_st_i_ke: Ke[0..96] = 803f391e 977392a5 ...
[Jan 11 11:37:35]ike_st_i_hash: Start, hash[0..20] = 081aff98 92085ea1 ...
[Jan 11 11:37:35]ike_calc_mac: Start, initiator = true, local = false
[Jan 11 11:37:35]ike_find_pre_shared_key: Find pre shared key key for 192.168.11.11:500, id = fqdn(any:0,[0..5]=srx-11) -> 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13)
[Jan 11 11:37:35]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 11:37:35]ike_st_i_cert: Start
[Jan 11 11:37:35]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 11:37:35]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 11:37:35]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 11:37:35]ike_st_i_private: Start
[Jan 11 11:37:35]ike_st_o_hash: Start
[Jan 11 11:37:35]ike_calc_mac: Start, initiator = true, local = true
[Jan 11 11:37:35]ike_st_o_status_n: Start
[Jan 11 11:37:35]ike_st_o_private: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_st_o_optional_encrypt: Marking encryption for packet
[Jan 11 11:37:35]ike_st_o_wait_done: Marking for waiting for done
[Jan 11 11:37:35]ike_st_o_all_done: MESSAGE: Phase 1 { 0x78c4a06b 03f412b4 - 0xd1203548 874ec91b } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life
[Jan 11 11:37:35]192.168.11.11:4500 (Initiator) <-> 192.168.13.13:4500 { 78c4a06b 03f412b4 - d1203548 874ec91b [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hma
[Jan 11 11:37:35]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - d1203548 874ec91b } / 00000000, nego = -1
[Jan 11 11:37:35]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 11:37:35]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:35]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Jan 11 11:37:35]ike_alloc_negotiation: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}
[Jan 11 11:37:35]ssh_ike_connect_ipsec: SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0
[Jan 11 11:37:35]ike_init_qm_negotiation: Start, initiator = 1, message_id = e43bbfb7
[Jan 11 11:37:35]ike_st_o_qm_hash_1: Start
[Jan 11 11:37:35]ike_st_o_qm_sa_proposals: Start
[Jan 11 11:37:35]ike_st_o_qm_nonce: Start
[Jan 11 11:37:35]ike_policy_reply_qm_nonce_data_len: Start
[Jan 11 11:37:35]ike_st_o_qm_optional_ke: Start
[Jan 11 11:37:35]ike_st_o_qm_optional_ids: Start
[Jan 11 11:37:35]ike_st_qm_optional_id: Start
[Jan 11 11:37:35]ike_st_qm_optional_id: Start
[Jan 11 11:37:35]ike_st_o_private: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 11:37:35]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, nego = 0
[Jan 11 11:37:35]ike_finalize_qm_hash_1: Hash[0..20] = 72d9a42b fb73bd09 ...
[Jan 11 11:37:35]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 11:37:35]ikev2_packet_allocate: Allocated packet 8c28000 from freelist
[Jan 11 11:37:35]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:35]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:35]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, remote = 192.168.13.13:4500
[Jan 11 11:37:35]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:35]ike_st_o_done: ISAKMP SA negotiation done
[Jan 11 11:37:35]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:35]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 11:37:35]ike_free_negotiation: Start, nego = -1
[Jan 11 11:37:35]ike_decode_packet: Start
[Jan 11 11:37:35]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / e43bbfb7, nego = 0
[Jan 11 11:37:35]ike_decode_payload_sa: Start
[Jan 11 11:37:35]ike_decode_payload_t: Start, # trans = 1
[Jan 11 11:37:35]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 11:37:35]ike_st_i_qm_hash_2: Start, hash[0..20] = fea975ec e2cdb953 ...
[Jan 11 11:37:35]ike_st_i_qm_sa_values: Start
[Jan 11 11:37:35]ike_st_i_qm_nonce: Nonce[0..16] = 14bec17c bd75bd47 ...
[Jan 11 11:37:35]ike_st_i_status_n: Start, doi = 1, protocol = 3, code = unknown (40001), spi[0..4] = a96b7682 00000000 ..., data[0..8] = 00010004 c0a8010c ...
[Jan 11 11:37:35]QM notification `(null)' (40001) (size 8 bytes) from 192.168.13.13:4500 for protocol ESP spi[0...3]=a9 6b 76 82
[Jan 11 11:37:35]ike_st_i_private: Start
[Jan 11 11:37:35]ike_st_o_qm_hash_3: Start
[Jan 11 11:37:35]ike_st_o_private: Start
[Jan 11 11:37:35]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:35]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 11:37:35]:500 (Initiator) <-> 192.168.13.13:4500 { 78c4a06b 03f412b4 - d1203548 874ec91b [0] / 0xe43bbfb7 } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 11:37:35]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 11:37:35] :500 (Initiator) <-> 192.168.13.13:4500 { 78c4a06b 03f412b4 - d1203548 874ec91b [0] / 0xe43bbfb7 } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, udp-tunnel, hmac-md5-96, Extended seq not used, key l
[Jan 11 11:37:35]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, udp-tunnel, hmac-md5-96, Extended seq not used, key len = 128, key rounds = 0
[Jan 11 11:37:35]ike_st_o_qm_wait_done: Marking for waiting for done
[Jan 11 11:37:35]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, nego = 0
[Jan 11 11:37:35]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0, dst = 192.168.13.13:4500, routing table id = 0
[Jan 11 11:37:35]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0
As does the IKE trace on SRX-13.
SRX-13 IKE trace
[Jan 11 11:37:34]ikev2_packet_allocate: Allocated packet 8c34c00 from freelist
[Jan 11 11:37:34]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:34]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - 00000000 00000000 } / 00000000, remote = 172.18.2.12:23116
[Jan 11 11:37:34]ike_sa_allocate: Start, SA = { 78c4a06b 03f412b4 - e1c4b8db 0c899ceb }
[Jan 11 11:37:34]ike_init_isakmp_sa: Start, remote = 172.18.2.12:23116, initiator = 0
[Jan 11 11:37:34]ike_decode_packet: Start
[Jan 11 11:37:34]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / 00000000, nego = -1
[Jan 11 11:37:34]ike_decode_payload_sa: Start
[Jan 11 11:37:34]ike_decode_payload_t: Start, # trans = 1
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = afcad713 68a1f1c9 ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 27bab5dc 01ea0760 ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 6105c422 e76847e4 ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 4485152d 18b6bbcd ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = cd604643 35df21f8 ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 90cb8091 3ebb696e ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 7d9419a6 5310ca6f ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..16] = 4a131c81 07035845 ...
[Jan 11 11:37:34]ike_st_i_vid: VID[0..28] = 69936922 8741c6d4 ...
[Jan 11 11:37:34]ike_st_i_id: Start
[Jan 11 11:37:34]ike_st_i_sa_proposal: Start
[Jan 11 11:37:34]ike_free_id_payload: Start, id type = 2
[Jan 11 11:37:34]ike_isakmp_sa_reply: Start
[Jan 11 11:37:34]ike_state_restart_packet: Start, restart packet SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:34]ike_st_i_sa_proposal: Start
[Jan 11 11:37:34]ike_st_i_nonce: Start, nonce[0..16] = 989aada5 620f2bc5 ...
[Jan 11 11:37:34]ike_st_i_cert: Start
[Jan 11 11:37:34]ike_st_i_hash_key: Start, no key_hash
[Jan 11 11:37:34]ike_st_i_ke: Ke[0..96] = d225d127 992c5b16 ...
[Jan 11 11:37:34]ike_st_i_cr: Start
[Jan 11 11:37:34]ike_st_i_private: Start
[Jan 11 11:37:34]ike_st_o_sa_values: Start
[Jan 11 11:37:34]ike_st_o_ke: Start
[Jan 11 11:37:34]ike_st_o_nonce: Start
[Jan 11 11:37:34]ike_policy_reply_isakmp_nonce_data_len: Start
[Jan 11 11:37:34]ike_st_o_id: Start
[Jan 11 11:37:34]ike_policy_reply_isakmp_id: Start
[Jan 11 11:37:34]ike_state_restart_packet: Start, restart packet SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:34]ike_st_o_id: Start
[Jan 11 11:37:34]ike_st_o_certs_base: Start
[Jan 11 11:37:34]ike_st_o_sig_or_hash: Start, auth_method = 4
[Jan 11 11:37:34]ike_st_o_hash: Start
[Jan 11 11:37:34]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13) -> 172.18.2.12:23116, id = fqdn(any:0,[0..5]=srx-11)
[Jan 11 11:37:34]ike_policy_reply_find_pre_shared_key: Start
[Jan 11 11:37:34]ike_state_restart_packet: Start, restart packet SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:34]ike_st_o_sig_or_hash: Start, auth_method = 4
[Jan 11 11:37:34]ike_st_o_hash: Start
[Jan 11 11:37:34]ike_find_pre_shared_key: Find pre shared key key for 192.168.13.13:500, id = ipv4(any:0,[0..3]=192.168.13.13) -> 172.18.2.12:23116, id = fqdn(any:0,[0..5]=srx-11)
[Jan 11 11:37:34]ike_calc_mac: Start, initiator = false, local = true
[Jan 11 11:37:34]ike_policy_reply_isakmp_vendor_ids: Start
[Jan 11 11:37:34]ike_st_o_status_n: Start
[Jan 11 11:37:34]ike_st_o_private: Start
[Jan 11 11:37:34]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:34]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:34]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:34]ike_st_o_calc_skeyid: Calculating skeyid
[Jan 11 11:37:34]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - d1203548 874ec91b } / 00000000, nego = -1
[Jan 11 11:37:34]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1, dst = 172.18.2.12:23116, routing table id = 0
[Jan 11 11:37:34]ikev2_packet_allocate: Allocated packet 8c35000 from freelist
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:34]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b } / 00000000, remote = 172.18.2.12:16052
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ike_decode_packet: Start
[Jan 11 11:37:34]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / 00000000, nego = -1
[Jan 11 11:37:34]ike_st_i_hash: Start, hash[0..20] = b866d6f4 36a4d4da ...
[Jan 11 11:37:34]ike_calc_mac: Start, initiator = false, local = false
[Jan 11 11:37:34]ike_st_i_cert: Start
[Jan 11 11:37:34]ike_st_i_private: Start
[Jan 11 11:37:34]ike_st_o_wait_done: Marking for waiting for done
[Jan 11 11:37:34]ike_st_o_all_done: MESSAGE: Phase 1 { 0x78c4a06b 03f412b4 - 0xd1203548 874ec91b } / 00000000, version = 1.0, xchg = Aggressive, auth_method = Pre shared keys, Responder, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life
[Jan 11 11:37:34]192.168.13.13:500 (Responder) <-> 172.18.2.12:23116 { 78c4a06b 03f412b4 - d1203548 874ec91b [-1] / 0x00000000 } Aggr; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-
[Jan 11 11:37:34]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:34]ikev2_packet_allocate: Allocated packet 8c35400 from freelist
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:34]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, remote = 172.18.2.12:16052
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ike_st_o_done: ISAKMP SA negotiation done
[Jan 11 11:37:34]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = -1
[Jan 11 11:37:34]ike_free_negotiation_isakmp: Start, nego = -1
[Jan 11 11:37:34]ike_free_negotiation: Start, nego = -1
[Jan 11 11:37:34]ike_alloc_negotiation: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}
[Jan 11 11:37:34]ike_init_qm_negotiation: Start, initiator = 0, message_id = e43bbfb7
[Jan 11 11:37:34]ike_decode_packet: Start
[Jan 11 11:37:34]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / e43bbfb7, nego = 0
[Jan 11 11:37:34]ike_decode_payload_sa: Start
[Jan 11 11:37:34]ike_decode_payload_t: Start, # trans = 1
[Jan 11 11:37:34]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 11:37:34]ike_st_i_qm_hash_1: Start, hash[0..20] = 72d9a42b fb73bd09 ...
[Jan 11 11:37:34]ike_st_i_qm_nonce: Nonce[0..16] = 5bf73b11 f95223ef ...
[Jan 11 11:37:34]ike_st_i_qm_sa_proposals: Start
[Jan 11 11:37:34]ike_qm_sa_reply: Start
[Jan 11 11:37:34]ike_qm_sa_reply: Selected proposal 0, and transform 0 for protocol 0
[Jan 11 11:37:34]ike_state_restart_packet: Start, restart packet SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0
[Jan 11 11:37:34]ike_st_i_qm_sa_proposals: Start
[Jan 11 11:37:34]ike_st_i_status_n: Start, doi = 1, protocol = 0, code = unknown (40001), spi[0..4] = a96b7682 00000000 ..., data[0..8] = 00010004 c0a8010b ...
[Jan 11 11:37:34]:4500 (Responder) <-> 172.18.2.12:16052 { 78c4a06b 03f412b4 - d1203548 874ec91b [0] / 0xe43bbfb7 } QM; Invalid protocol_id = 0
[Jan 11 11:37:34]QM notification `(null)' (40001) (size 8 bytes) from 172.18.2.12:16052 for protocol Reserved spi[0...3]=a9 6b 76 82
[Jan 11 11:37:34]ike_st_i_private: Start
[Jan 11 11:37:34]ike_st_o_qm_hash_2: Start
[Jan 11 11:37:34]ike_st_o_qm_sa_values: Start
[Jan 11 11:37:34]ike_st_o_qm_nonce: Start
[Jan 11 11:37:34]ike_policy_reply_qm_nonce_data_len: Start
[Jan 11 11:37:34]ike_st_o_qm_optional_ke: Start
[Jan 11 11:37:34]ike_st_o_qm_optional_ids: Start
[Jan 11 11:37:34]ikev2_fb_qm_local_id: Using ipv4_subnet(any:0,[0..7]=0.0.0.0/0) as local QM identity
[Jan 11 11:37:34]ike_policy_reply_qm_local_id: Start
[Jan 11 11:37:34]ikev2_fb_qm_remote_id: Using ipv4_subnet(any:0,[0..7]=0.0.0.0/0) as remote QM identity
[Jan 11 11:37:34]ike_policy_reply_qm_remote_id: Start
[Jan 11 11:37:34]ike_st_qm_optional_id: Start
[Jan 11 11:37:34]ike_st_qm_optional_id: Start
[Jan 11 11:37:34]ike_st_o_qm_optional_responder_lifetime_n: Start
[Jan 11 11:37:34]ike_st_o_private: Start
[Jan 11 11:37:34]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:34]ike_policy_reply_private_payload_out: Start
[Jan 11 11:37:34]ike_st_o_encrypt: Marking encryption for packet
[Jan 11 11:37:34]ike_encode_packet: Start, SA = { 0x78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, nego = 0
[Jan 11 11:37:34]ike_send_packet: Start, send SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0, dst = 172.18.2.12:16052, routing table id = 0
[Jan 11 11:37:34]ikev2_packet_allocate: Allocated packet 8c35800 from freelist
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Jan 11 11:37:34]ike_get_sa: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b } / e43bbfb7, remote = 172.18.2.12:16052
[Jan 11 11:37:34]ike_sa_find: Found SA = { 78c4a06b 03f412b4 - d1203548 874ec91b }
[Jan 11 11:37:34]ike_decode_packet: Start
[Jan 11 11:37:34]ike_decode_packet: Start, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b} / e43bbfb7, nego = 0
[Jan 11 11:37:34]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Jan 11 11:37:34]ike_st_i_qm_hash_3: Start, hash[0..20] = 07db49bc 9e7ec0a0 ...
[Jan 11 11:37:34]ike_st_i_private: Start
[Jan 11 11:37:34] :4500 (Responder) <-> 172.18.2.12:16052 { 78c4a06b 03f412b4 - d1203548 874ec91b [0] / 0xe43bbfb7 } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 11:37:34]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Jan 11 11:37:34] :4500 (Responder) <-> 172.18.2.12:16052 { 78c4a06b 03f412b4 - d1203548 874ec91b [0] / 0xe43bbfb7 } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, udp-tunnel, hmac-md5-96, Extended seq not used, key l
[Jan 11 11:37:34]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/200 sec, group = 0, udp-tunnel, hmac-md5-96, Extended seq not used, key len = 128, key rounds = 0
[Jan 11 11:37:34]ike_st_o_qm_wait_done: Marking for waiting for done
[Jan 11 11:37:34]ike_send_notify: Connected, SA = { 78c4a06b 03f412b4 - d1203548 874ec91b}, nego = 0
The firewall performing NAT now has a new UDP session on port 4500 as well.
flows on SRX-12
juniper@SRX-12# run show security flow session
Session ID: 302, Policy name: ALLOW-IKE-500/5, Timeout: 30, Valid
  In: 192.168.11.11/500 --> 192.168.13.13/500;udp, If: ge-0/0/4.0, Pkts: 46, Bytes: 20700
  Out: 192.168.13.13/500 --> 172.18.2.12/23116;udp, If: ge-0/0/5.0, Pkts: 136, Bytes: 53312

Session ID: 746, Policy name: ALLOW-NAT-T/8, Timeout: 58, Valid
  In: 192.168.11.11/4500 --> 192.168.13.13/4500;udp, If: ge-0/0/4.0, Pkts: 14, Bytes: 2105
  Out: 192.168.13.13/4500 --> 172.18.2.12/16052;udp, If: ge-0/0/5.0, Pkts: 10, Bytes: 1529
Total sessions: 2

[edit security policies from-zone SRX11 to-zone SRX13]
A tcpdump -nvv udp port 500 capture of the IKE traffic for our completed key exchange.
tcpdump of IKE session in aggressive mode completing Phase 1 and Phase 2
12:36:44.888863 IP (tos 0xc0, ttl 63, id 9877, offset 0, flags [none], proto UDP (17), length 392) 192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 2f12e0279d689157->c266a85b44f41c34: phase 1 ? agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(19e922a9a5ebec0f8281...e27568559896fec17231d5750ead8dcde1e65e8c)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
12:36:54.898964 IP (tos 0xc0, ttl 63, id 9915, offset 0, flags [none], proto UDP (17), length 392) 192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 2f12e0279d689157->c266a85b44f41c34: phase 1 ? agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(19e922a9a5ebec0f8281...e27568559896fec17231d5750ead8dcde1e65e8c)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
12:37:35.883902 IP (tos 0xc0, ttl 64, id 12341, offset 0, flags [none], proto UDP (17), length 450) 192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 78c4a06b03f412b4->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=78c4a06b03f412b4 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(989aada5620f2bc5e96b...ca094c93e242c9de19e7b7c60000000500000500)) (id: idtype=FQDN protoid=0 port=0 len=6 srx-11) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
12:37:35.894239 IP (tos 0xc0, ttl 63, id 9991, offset 0, flags [none], proto UDP (17), length 392) 192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 78c4a06b03f412b4->d1203548874ec91b: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(4f3d8bbb12064de05143...1924ad4c21b5fc8ce3af12fe663fb848a5dcb83d)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
And our user on the client reports "PINGY!"
client connectivity test
juniper@client:~$ ping 10.80.80.80
PING 10.80.80.80 (10.80.80.80) 56(84) bytes of data.
64 bytes from 10.80.80.80: icmp_req=2583 ttl=62 time=6.76 ms
64 bytes from 10.80.80.80: icmp_req=2584 ttl=62 time=4.61 ms
64 bytes from 10.80.80.80: icmp_req=2585 ttl=62 time=2.57 ms
64 bytes from 10.80.80.80: icmp_req=2586 ttl=62 time=5.42 ms
64 bytes from 10.80.80.80: icmp_req=2587 ttl=62 time=5.31 ms
64 bytes from 10.80.80.80: icmp_req=2588 ttl=62 time=7.33 ms
64 bytes from 10.80.80.80: icmp_req=2589 ttl=62 time=3.92 ms
64 bytes from 10.80.80.80: icmp_req=2590 ttl=62 time=5.37 ms
^C
--- 10.80.80.80 ping statistics ---
2590 packets transmitted, 8 received, 99% packet loss, time 2608997ms
rtt min/avg/max/mdev = 2.578/5.167/7.336/1.412 ms
juniper@client:~$
And we can see on SRX-11 that both Phase 1 and Phase 2 are happy.
IKE security associations on SRX-11
juniper@SRX-11# run show security ike security-associations detail
IKE peer 192.168.13.13, Index 2736900, Gateway Name: SRX-13
  Role: Initiator, State: UP
  Initiator cookie: 381fda188151a66c, Responder cookie: 83f2d336de968610
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 192.168.11.11:4500, Remote: 192.168.13.13:4500
  Lifetime: Expires in 179 seconds
  Peer ike-id: 192.168.13.13
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-1
  Traffic statistics:
   Input  bytes  : 552
   Output bytes  : 778
   Input  packets: 2
   Output packets: 4
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.11.11:4500, Remote: 192.168.13.13:4500
    Local identity: srx-11
    Remote identity: 192.168.13.13
    Flags: IKE SA is created

[edit security ike]
juniper@SRX-11#
And for completeness, here is a tcpdump -nvv "udp port 500 or udp port 4500" of a session being completed. Note that this is for an entirely new set of SAs.
tcpdump of IKE aggressive mode session
13:45:18.941915 IP (tos 0xc0, ttl 64, id 14578, offset 0, flags [none], proto UDP (17), length 220) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid f54e3f1a cookie dfc841e2b8196ce1->206a8bb7b0538c62: phase 2/others ? oakley-quick[E]: [encrypted hash]
13:45:28.952204 IP (tos 0xc0, ttl 64, id 14584, offset 0, flags [none], proto UDP (17), length 220) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid f54e3f1a cookie dfc841e2b8196ce1->206a8bb7b0538c62: phase 2/others ? oakley-quick[E]: [encrypted hash]
13:45:38.962042 IP (tos 0xc0, ttl 64, id 14590, offset 0, flags [none], proto UDP (17), length 220) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid f54e3f1a cookie dfc841e2b8196ce1->206a8bb7b0538c62: phase 2/others ? oakley-quick[E]: [encrypted hash]
13:45:48.012116 IP (tos 0xc0, ttl 64, id 14596, offset 0, flags [none], proto UDP (17), length 124) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid d5e208bc cookie dfc841e2b8196ce1->206a8bb7b0538c62: phase 2/others ? inf[E]: [encrypted hash]
13:45:48.387289 IP (tos 0xc0, ttl 64, id 14597, offset 0, flags [none], proto UDP (17), length 450) 192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=a6c75d9b4341807d (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(b937dd7b82585bfed04d...ca094c93e242c9de19e7b7c60000000500000500)) (id: idtype=FQDN protoid=0 port=0 len=6 srx-11) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=28)
13:45:48.404868 IP (tos 0xc0, ttl 63, id 12036, offset 0, flags [none], proto UDP (17), length 392) 192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16 data=(f840d35f46c8cbfadc74...225fb001db1137f0ec76985de3ebf289f15f5129)) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16) (vid: len=16) (vid: len=28) (pay20) (pay20)
13:45:48.411833 IP (tos 0xc0, ttl 64, id 14598, offset 0, flags [none], proto UDP (17), length 140) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 1 I agg[E]: [encrypted hash]
13:45:48.416944 IP (tos 0xc0, ttl 64, id 14599, offset 0, flags [none], proto UDP (17), length 220) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others I oakley-quick[E]: [encrypted hash]
13:45:48.429457 IP (tos 0xc0, ttl 63, id 12037, offset 0, flags [none], proto UDP (17), length 220) 192.168.13.13.4500 > 192.168.11.11.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others R oakley-quick[E]: [encrypted hash]
13:45:48.437046 IP (tos 0xc0, ttl 64, id 14600, offset 0, flags [none], proto UDP (17), length 92) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others I oakley-quick[E]: [encrypted hash]
13:45:49.384019 IP (tos 0x0, ttl 63, id 30573, offset 0, flags [none], proto UDP (17), length 160) 192.168.11.11.4500 > 192.168.13.13.4500: [no cksum] UDP-encap: ESP(spi=0x009b2df6,seq=0x1), length 132
13:45:49.387250 IP (tos 0x0, ttl 62, id 30217, offset 0, flags [none], proto UDP (17), length 160) 192.168.13.13.4500 > 192.168.11.11.4500: [no cksum] UDP-encap: ESP(spi=0x7721c5f7,seq=0x1), length 132
13:45:50.385234 IP (tos 0x0, ttl 63, id 30574, offset 0, flags [none], proto UDP (17), length 160) 192.168.11.11.4500 > 192.168.13.13.4500: [no cksum] UDP-encap: ESP(spi=0x009b2df6,seq=0x2), length 132
13:45:50.389958 IP (tos 0x0, ttl 62, id 30218, offset 0, flags [none], proto UDP (17), length 160) 192.168.13.13.4500 > 192.168.11.11.4500: [no cksum] UDP-encap: ESP(spi=0x7721c5f7,seq=0x2), length 132
13:45:51.386592 IP (tos 0x0, ttl 63, id 30575, offset 0, flags [none], proto UDP (17), length 160) 192.168.11.11.4500 > 192.168.13.13.4500: [no cksum] UDP-encap: ESP(spi=0x009b2df6,seq=0x3), length 132
13:45:51.389998 IP (tos 0x0, ttl 62, id 30219, offset 0, flags [none], proto UDP (17), length 160) 192.168.13.13.4500 > 192.168.11.11.4500: [no cksum] UDP-encap: ESP(spi=0x7721c5f7,seq=0x3), length 132
13:45:52.388642 IP (tos 0x0, ttl 63, id 30576, offset 0, flags [none], proto UDP (17), length 160) 192.168.11.11.4500 > 192.168.13.13.4500: [no cksum] UDP-encap: ESP(spi=0x009b2df6,seq=0x4), length 132
13:45:52.391189 IP (tos 0x0, ttl 62, id 30220, offset 0, flags [none], proto UDP (17), length 160) 192.168.13.13.4500 > 192.168.11.11.4500: [no cksum] UDP-encap: ESP(spi=0x7721c5f7,seq=0x4), length 132
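Both tcpdump captures above show the same shape of exchange: cleartext aggressive-mode Phase 1 on UDP 500, the NAT-T float to UDP 4500 once both peers detect the NAT, Quick Mode, and then UDP-encapsulated ESP. The following audit script is an added example, not code from the original page: it parses tcpdump -nvv lines of the format shown above, follows that sequence, and flags what this page itself calls out about aggressive mode with pre-shared keys (identity and hash in the clear, plus the group1/modp768 Diffie-Hellman group the proposal uses). The sample capture is constructed from the page's lines with vendor-ID and nonce payloads trimmed; the regexes assume tcpdump's isakmp and ESP decode format exactly as printed here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the page's capture (cookies and SPIs as on the page, vendor-ID
# and nonce payloads trimmed): phase 1 on UDP 500, NAT-T float to 4500, quick mode, then ESP.
SAMPLE_CAPTURE = """\
13:45:48.387289 IP (tos 0xc0, ttl 64, id 14597, offset 0, flags [none], proto UDP (17), length 450) 192.168.11.11.500 > 192.168.13.13.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->0000000000000000: phase 1 I agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 spi=a6c75d9b4341807d (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=000000b4)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16) (id: idtype=FQDN protoid=0 port=0 len=6 srx-11) (vid: len=16)
13:45:48.404868 IP (tos 0xc0, ttl 63, id 12036, offset 0, flags [none], proto UDP (17), length 392) 192.168.13.13.500 > 192.168.11.11.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 1 R agg: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp768)(type=hash value=sha1)(type=auth value=preshared)))) (ke: key len=96) (nonce: n len=16) (id: idtype=IPv4 protoid=0 port=0 len=4 192.168.13.13) (hash: len=20) (vid: len=16)
13:45:48.411833 IP (tos 0xc0, ttl 64, id 14598, offset 0, flags [none], proto UDP (17), length 140) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid 00000000 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 1 I agg[E]: [encrypted hash]
13:45:48.416944 IP (tos 0xc0, ttl 64, id 14599, offset 0, flags [none], proto UDP (17), length 220) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others I oakley-quick[E]: [encrypted hash]
13:45:48.429457 IP (tos 0xc0, ttl 63, id 12037, offset 0, flags [none], proto UDP (17), length 220) 192.168.13.13.4500 > 192.168.11.11.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others R oakley-quick[E]: [encrypted hash]
13:45:48.437046 IP (tos 0xc0, ttl 64, id 14600, offset 0, flags [none], proto UDP (17), length 92) 192.168.11.11.4500 > 192.168.13.13.4500: [udp sum ok] NONESP-encap: isakmp 1.0 msgid e00a67f5 cookie a6c75d9b4341807d->2b7d6ea094f20871: phase 2/others I oakley-quick[E]: [encrypted hash]
13:45:49.384019 IP (tos 0x0, ttl 63, id 30573, offset 0, flags [none], proto UDP (17), length 160) 192.168.11.11.4500 > 192.168.13.13.4500: [no cksum] UDP-encap: ESP(spi=0x009b2df6,seq=0x1), length 132
"""

HDR = re.compile(r"^(?P<ts>[\d:.]+) IP \(.*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                 r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
ISAKMP = re.compile(r"isakmp 1\.0 msgid (?P<msgid>[0-9a-f]+) cookie [0-9a-f]+->[0-9a-f]+: "
                    r"phase (?P<phase>1|2/others) (?P<role>[IR?]) (?P<xchg>[\w-]+)(?P<enc>\[E\])?")
ESP = re.compile(r"UDP-encap: ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")
ATTR = re.compile(r"\(type=(?P<name>[a-z ]+?) value=(?P<value>\w+)\)")    # phase 1 proposal attrs
IDENT = re.compile(r"\(id: idtype=(?P<idtype>\w+)[^)]* len=\d+ (?P<ident>[^)]+)\)")
WEAK_DH = {"modp768", "modp1024"}   # IKE groups 1 and 2; the page's proposal uses group1


@dataclass
class Packet:
    sport: int
    dport: int
    kind: str                # "isakmp" or "esp"
    phase: str = ""          # "1" or "2/others"
    role: str = ""           # I (initiator), R (responder), ? (tcpdump could not tell)
    xchg: str = ""           # agg, oakley-quick, inf, ...
    msgid: str = ""
    encrypted: bool = False  # tcpdump marks encrypted ISAKMP payloads with [E]
    attrs: dict = field(default_factory=dict)   # cleartext phase 1 proposal attributes
    idtype: str = ""         # IPv4 or FQDN identity sent in the clear
    ident: str = ""


def parse_line(line: str):
    """Parse one tcpdump -nvv line into a Packet; None for lines that are neither IKE nor ESP."""
    h = HDR.match(line.strip())
    if not h:
        return None
    rest, sport, dport = h["rest"], int(h["sport"]), int(h["dport"])
    m = ISAKMP.search(rest)
    if m:
        pkt = Packet(sport, dport, "isakmp", m["phase"], m["role"], m["xchg"], m["msgid"],
                     m["enc"] is not None, {a["name"]: a["value"] for a in ATTR.finditer(rest)})
        i = IDENT.search(rest)
        if i:
            pkt.idtype, pkt.ident = i["idtype"], i["ident"]
        return pkt
    return Packet(sport, dport, "esp") if ESP.search(rest) else None


def audit(capture: str) -> dict:
    """Summarise the exchange and list what a defender would flag about it."""
    result = {"phase1_port": None, "isakmp_on_4500": False, "esp_udp_encap": False,
              "phase2_complete": False, "findings": []}
    qm_roles = {}   # quick-mode message id -> roles seen; I and R together mean QM completed
    findings = []
    for p in filter(None, map(parse_line, capture.splitlines())):
        if p.kind == "isakmp" and p.phase == "1" and not p.encrypted:
            result["phase1_port"] = p.dport
            if p.xchg == "agg" and p.attrs.get("auth") == "preshared":
                findings.append("aggressive mode with pre-shared key: identity and hash exposed")
            if p.ident:
                findings.append(f"cleartext phase 1 identity {p.idtype}={p.ident}")
            if p.attrs.get("group desc") in WEAK_DH:
                findings.append(f"weak DH group {p.attrs['group desc']}")
        elif p.kind == "isakmp" and p.dport == 4500:    # NAT-T detected: IKE floated to UDP 4500
            result["isakmp_on_4500"] = True
            if p.xchg == "oakley-quick":
                qm_roles.setdefault(p.msgid, set()).add(p.role)
        elif p.kind == "esp" and p.dport == 4500:       # UDP-encapsulated ESP through the NAT
            result["esp_udp_encap"] = True
    result["phase2_complete"] = any({"I", "R"} <= r for r in qm_roles.values())
    result["findings"] = list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order
    return result
```

Feed it the output of tcpdump -nvv "udp port 500 or udp port 4500" and a tunnel that never floats to 4500 shows up as isakmp_on_4500 False, which is the first thing to check when the flow session for port 4500 on the NAT device never appears.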