Re: IPsec debugging

To: Greg Troxel <gdt%ir.bbn.com@localhost>
Subject: Re: IPsec debugging
From: Frank Wille <frank%phoenix.owl.de@localhost>
Date: Sun, 28 Feb 2016 14:22:56 +0100

Greg Troxel wrote:

> I have 100% absorbed the details of what you are doing.  But I have a
> few suggestions in addition to what you have done, all to be on both
> sides:

On both sides is not possible, because the remote side is a Lancom 1781EF
router. I can provide traces from its VPN logs, though.

In case I didn't mention it: I'm trying to set up a so called "road-warrior"
configuration. I have a client which uses IPSEC with NAT-T to connect to
the Lancom router. I also hope to receive my ip-address and gateway via IKE
Config Mode, so I become part of my office's LAN.

>   run "route -n monitor" and save it to a file.   Look for failed route
>   lookups that seem relevant.

This produces an empty file. There is never anything in it.

>   run "setkey -x" and save that.  This will probably just confirm that
>   racoon is doing what it said.

There is not much in it either. But I have seen some more output in previous
test runs. You find it attached.

To be honest, I don't know if I need to run any setkey commands at all, when
doing a completely certificate-based connection set up. In racoon.conf I
have currently a "test.sh" script for phase1-up and -down, which does
nothing besides echoing $LOCAL_ADDR, $REMOTE_ADDR, etc., although I never
see that anywhere.

>   run 'tcpdump -s1500 -wFILE', and then go back and look  at the 5
>   seconds very carefully.

I attached the ASCII version of it, replacing all remote gateway addresses
with 1.2.3.4. Will send you the pcap by private email.

I also entered the Lancom console and logged the VPN status with "trace +
vpn-status". It might provide some useful information (see attached). It
shows that phase-1 looks good. The Lancom sends one keep-alive and receives
an ACK. Then it receives a keep-alive and sends an ACK.

But 10 seconds later, at 12:32:22, it prints "time out" and
"IFC-R-Connection-timeout-dynamic", without any other reason...

This seems to be within phase-2. From now on "phase 2/others I inf[E]" is no
longer answered by the Lancom, although it happened twice before.

>   run 'setkey -D' and 'setkey -D -P' after negotiation and before the
>   DPD failure.  Check that the SAs match.

I never saw anything else than
  No SAD entries.
  No SPD entries.
at any point of time.

> The big question in my mind is whether the DPD is wrong

Probably not. I verified that both sides have DPD with 20 seconds enabled. I
haven't set "natt_keepalive" yet, as I hoped the default value will do...

> or if the probe
> packet is actually being dropped because something else is wrong.

Who knows? There is not much information on both sides.

>> Feb 26 12:16:23 powerbook racoon: ERROR: fatal parse failure (1
>> errors) 
>
> This is fatal, it says.  How is racoon starting?  Or did you fix it and
> not trim the logs?

Indeed, sorry. There were some lines from previous tests in it. I tried to
remove the "compression algorithm" statement for phase-2, which racoon
didn't like.

> (Your log lines are wrapped in mail; it would be nice to not munge
> them.)

Attached them now. Hope that works.

> This shows that the ISAKMP SA was created, but no phase 2 SA.

This is also my impression at the moment. Something goes wrong in phase 2?

Hmm, but why is the phase1-up script not called?

>  So no
> real need to look at setkey.  But the big question is what the logs on
> the other side show and if there is a 4500/4500 probe packet.

Refer to the attached Lancom.trace. According to tcpdump 4500/4500
communication seems to happen at least twice, before the Lancom terminates
the connection.

> What did tcpdump actually show?  (data, not conclusion)

The attached tcpdump.txt contains everything which happened.

> Are you sure your nat stuff in the middle is working

Not really. How can I check that, besides seeing UDP packages exchanged on
port 4500 from both sides?

Thanks for looking into the problem! It would really be nice to get IPSec
with NetBSD going, as my company intends to use NetBSD (rdesktop via VPN)
on all their notebooks!

-- 
Frank Wille

12:31:36.349498 
sadb_msg{ version=2 type=11 errno=0 satype=1
  len=2 reserved=0 seq=0 pid=3000

12:31:36.349714 
12:31:52.470479 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3805

12:31:57.426896 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3127

12:31:57.453442 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1095

12:31:59.946788 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1026

12:31:59.973390 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=2064

12:32:01.050741 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=2563

12:32:01.077366 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=904

12:32:07.210774 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3374

12:32:07.237439 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3159

12:32:14.938939 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1058

12:32:14.965596 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=2096

12:32:26.314776 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=2595

12:32:26.341309 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=936

12:32:28.242855 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3406

12:32:28.269619 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3191

12:32:40.570991 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1159

12:32:40.597652 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1090

12:32:57.755771 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=3805

12:33:00.026977 
sadb_msg{ version=2 type=10 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1191

12:33:00.053812 
sadb_msg{ version=2 type=18 errno=2 satype=0
  len=2 reserved=0 seq=0 pid=1122

12:31:51.470820 IP powerbook-wlan.owl.de.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I ident
12:31:51.563603 IP 1.2.3.4.isakmp > powerbook-wlan.owl.de.isakmp: isakmp: phase 1 R ident
12:31:51.635534 IP powerbook-wlan.owl.de.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I ident
12:31:51.700760 IP 1.2.3.4.isakmp > powerbook-wlan.owl.de.isakmp: isakmp: phase 1 R ident
12:31:51.851120 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
12:31:52.416253 IP 1.2.3.4.ipsec-nat-t > powerbook-wlan.owl.de.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
12:31:52.467385 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:31:52.539912 IP 1.2.3.4.ipsec-nat-t > powerbook-wlan.owl.de.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
12:31:52.570866 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:07.773904 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: isakmp-nat-keep-alive
12:32:12.486257 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:12.533086 IP 1.2.3.4.ipsec-nat-t > powerbook-wlan.owl.de.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others R inf[E]
12:32:27.793879 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: isakmp-nat-keep-alive
12:32:32.576217 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:32.649556 IP 1.2.3.4 > powerbook-wlan.owl.de: ICMP 1.2.3.4 udp port ipsec-nat-t unreachable, length 36
12:32:37.616049 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:37.657882 IP 1.2.3.4 > powerbook-wlan.owl.de: ICMP 1.2.3.4 udp port ipsec-nat-t unreachable, length 36
12:32:42.656126 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:42.702614 IP 1.2.3.4 > powerbook-wlan.owl.de: ICMP 1.2.3.4 udp port ipsec-nat-t unreachable, length 36
12:32:47.696053 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:47.737297 IP 1.2.3.4 > powerbook-wlan.owl.de: ICMP 1.2.3.4 udp port ipsec-nat-t unreachable, length 36
12:32:47.823554 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: isakmp-nat-keep-alive
12:32:52.725951 IP powerbook-wlan.owl.de.ipsec-nat-t > 1.2.3.4.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
12:32:52.766298 IP 1.2.3.4 > powerbook-wlan.owl.de: ICMP 1.2.3.4 udp port ipsec-nat-t unreachable, length 36

[VPN-Status] 2016/02/29 12:31:51,460
IKE info: The remote peer def-main-peer supports NAT-T in RFC mode
IKE info: The remote peer def-main-peer supports NAT-T in draft mode
IKE info: The remote server 91.56.236.148:2532 (UDP) peer def-main-peer id <no_id> negotiated rfc-3706-dead-peer-detection


[VPN-Status] 2016/02/29 12:31:51,461
IKE info: Phase-1 remote proposal 1 for peer def-main-peer matched with local proposal 1


[VPN-Status] 2016/02/29 12:31:51,841
IKE log: 123151.841384 Default conf_get_list: empty field, ignoring...


[VPN-Status] 2016/02/29 12:31:52,283
VPN: WAN state changed to WanSetup for  (0.0.0.0), called by: 009c5f50

[VPN-Status] 2016/02/29 12:31:52,283
VPN: WAN state changed to WanCalled for VPNCLIENT15EF90 (0.0.0.0), called by: 009c5cb8

[VPN-Status] 2016/02/29 12:31:52,283
vpn-maps[37], remote: VPNCLIENT15EF90, nego, connected-by-name

[VPN-Status] 2016/02/29 12:31:52,283
IKE info: exchange_finalize: assuming identified for road-warrior with cert, id=VPNCLIENT15EF90, RemoteGW=91.56.236.148


[VPN-Status] 2016/02/29 12:31:52,304
IKE info: Phase-1 [responder] for peer VPNCLIENT15EF90 initiator id CN=VPNCLIENT15,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052, responder id CN=ZENTRALE,O=WPS,C=DE,L=HERFORD,ST=NRW,OU=IT,postalCode=32052
IKE info: initiator cookie: 0x4f5e1f08e12bd21c, responder cookie: 0x2e8dc875b4e07c26
IKE info: NAT-T enabled in mode rfc, we are not behind a nat, the remote side is  behind a nat
IKE info: SA ISAKMP for peer VPNCLIENT15EF90 encryption aes-cbc authentication MD5
IKE info: life time ( 28800 sec/ 0 kb) DPD 0 sec


[VPN-Status] 2016/02/29 12:31:52,306
IKE info: Phase-1 SA Timeout (Hard-Event) for peer VPNCLIENT15EF90 set to 28800 seconds (Responder)


[VPN-Status] 2016/02/29 12:31:52,431
IKE info: NOTIFY received of type INITIAL_CONTACT for peer VPNCLIENT15EF90


[VPN-Status] 2016/02/29 12:31:52,431
IKE info: Phase-1 [responder] got INITIAL-CONTACT from peer VPNCLIENT15EF90 (91.56.236.148)


[VPN-Status] 2016/02/29 12:31:52,441
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE sent for Phase-1 SA to peer VPNCLIENT15EF90, sequence nr 0x56e60865


[VPN-Status] 2016/02/29 12:31:52,530
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE_ACK for peer VPNCLIENT15EF90 Seq-Nr 0x56e60865, expected 0x56e60865


[VPN-Status] 2016/02/29 12:32:12,430
IKE info: NOTIFY received of type ISAKMP_NOTIFY_DPD_R_U_THERE for peer VPNCLIENT15EF90 Seq-Nr 0xea7, expected 0xea7


[VPN-Status] 2016/02/29 12:32:12,433
IKE info: ISAKMP_NOTIFY_DPD_R_U_THERE_ACK sent for Phase-1 SA to peer VPNCLIENT15EF90, sequence nr 0xea7


[VPN-Status] 2016/02/29 12:32:22,284
VPN: connection for VPNCLIENT15EF90 (91.56.236.148) timed out: no response

[VPN-Status] 2016/02/29 12:32:22,284
VPN: Error: IFC-R-Connection-timeout-dynamic (0x1205) for VPNCLIENT15EF90 (91.56.236.148)

[VPN-Status] 2016/02/29 12:32:22,284
vpn-maps[37], remote: VPNCLIENT15EF90

[VPN-Status] 2016/02/29 12:32:22,284
VPN: installing ruleset for VPNCLIENT15EF90 (91.56.236.148)

[VPN-Status] 2016/02/29 12:32:22,284
VPN: WAN state changed to WanDisconnect for VPNCLIENT15EF90 (91.56.236.148), called by: 009c5cb8

[VPN-Status] 2016/02/29 12:32:22,285
IKE info: Phase-1 SA removed: peer VPNCLIENT15EF90 rule VPNCLIENT15EF90 removed


[VPN-Status] 2016/02/29 12:32:22,290
VPN: WAN state changed to WanIdle for VPNCLIENT15EF90 (91.56.236.148), called by: 009c5cb8

[VPN-Status] 2016/02/29 12:32:22,291
removeAllDeletedRoutes, called by: 009bdd24

[VPN-Status] 2016/02/29 12:32:22,293
VPN: installing ruleset generally

[VPN-Status] 2016/02/29 12:32:22,295
VPN: VPNCLIENT15EF90 (91.56.236.148)  disconnected

[VPN-Status] 2016/02/29 12:32:22,298
VPN: installing pending rulesets

[VPN-Status] 2016/02/29 12:32:22,690
IKE log: 123222.690797 Default x509_read_from_minifs: /flash/security/vpn/vpn_pkcs12_int: imported successfully (2/3)


[VPN-Status] 2016/02/29 12:32:22,716
VPN: rulesets installed

[VPN-Status] 2016/02/29 12:32:32,552
IKE log: 123232.552208 Default message_drop_invalid_cookies: invalid cookie(s) 4f5e1f08e12bd21c 2e8dc875b4e07c26


[VPN-Status] 2016/02/29 12:32:32,552
IKE log: 123232.552410 Default dropped message from 91.56.236.148 port 2500 due to notification type INVALID_COOKIE


[VPN-Status] 2016/02/29 12:32:32,552
IKE info: Informational messages are unidirectional and therefore are not answered! (cookies 4F 5E 1F 08 E1 2B D2 1C 2E 8D C8 75 B4 E0 7C 26)


[VPN-Status] 2016/02/29 12:32:37,560
IKE log: 123237.560788 Default message_drop_invalid_cookies: invalid cookie(s) 4f5e1f08e12bd21c 2e8dc875b4e07c26


[VPN-Status] 2016/02/29 12:32:37,560
IKE log: 123237.560967 Default dropped message from 91.56.236.148 port 2500 due to notification type INVALID_COOKIE


[VPN-Status] 2016/02/29 12:32:37,561
IKE info: Informational messages are unidirectional and therefore are not answered! (cookies 4F 5E 1F 08 E1 2B D2 1C 2E 8D C8 75 B4 E0 7C 26)


[VPN-Status] 2016/02/29 12:32:42,605
IKE log: 123242.605142 Default message_drop_invalid_cookies: invalid cookie(s) 4f5e1f08e12bd21c 2e8dc875b4e07c26


[VPN-Status] 2016/02/29 12:32:42,605
IKE log: 123242.605323 Default dropped message from 91.56.236.148 port 2500 due to notification type INVALID_COOKIE


[VPN-Status] 2016/02/29 12:32:42,605
IKE info: Informational messages are unidirectional and therefore are not answered! (cookies 4F 5E 1F 08 E1 2B D2 1C 2E 8D C8 75 B4 E0 7C 26)


[VPN-Status] 2016/02/29 12:32:47,640
IKE log: 123247.640821 Default message_drop_invalid_cookies: invalid cookie(s) 4f5e1f08e12bd21c 2e8dc875b4e07c26


[VPN-Status] 2016/02/29 12:32:47,641
IKE log: 123247.641000 Default dropped message from 91.56.236.148 port 2500 due to notification type INVALID_COOKIE


[VPN-Status] 2016/02/29 12:32:47,641
IKE info: Informational messages are unidirectional and therefore are not answered! (cookies 4F 5E 1F 08 E1 2B D2 1C 2E 8D C8 75 B4 E0 7C 26)


[VPN-Status] 2016/02/29 12:32:52,669
IKE log: 123252.669756 Default message_drop_invalid_cookies: invalid cookie(s) 4f5e1f08e12bd21c 2e8dc875b4e07c26


[VPN-Status] 2016/02/29 12:32:52,669
IKE log: 123252.669937 Default dropped message from 91.56.236.148 port 2500 due to notification type INVALID_COOKIE


[VPN-Status] 2016/02/29 12:32:52,670
IKE info: Informational messages are unidirectional and therefore are not answered! (cookies 4F 5E 1F 08 E1 2B D2 1C 2E 8D C8 75 B4 E0 7C 26)

Feb 29 12:31:27 powerbook racoon: INFO: @(#)ipsec-tools cvs (http://ipsec-tools.sourceforge.net) 
Feb 29 12:31:27 powerbook racoon: INFO: @(#)This product linked OpenSSL 1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 29 12:31:27 powerbook racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf" 
Feb 29 12:31:27 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Feb 29 12:31:27 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port (fd=7) 
Feb 29 12:31:27 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Feb 29 12:31:27 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp port (fd=8) 
Feb 29 12:31:27 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T 
Feb 29 12:31:27 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9) 
Feb 29 12:31:27 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Feb 29 12:31:27 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=10) 
Feb 29 12:31:36 powerbook racoon: INFO: unsupported PF_KEY message X_PROMISC 
Feb 29 12:31:51 powerbook racoon: INFO: accept a request to establish IKE-SA: 1.2.3.4 
Feb 29 12:31:51 powerbook racoon: INFO: initiate new phase 1 negotiation: 192.168.1.5[500]<=>1.2.3.4[500] 
Feb 29 12:31:51 powerbook racoon: INFO: begin Identity Protection mode. 
Feb 29 12:31:51 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02  
Feb 29 12:31:51 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03 
Feb 29 12:31:51 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Feb 29 12:31:51 powerbook racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt 
Feb 29 12:31:51 powerbook racoon: INFO: received Vendor ID: DPD 
Feb 29 12:31:51 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version: RFC 3947 
Feb 29 12:31:51 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1  
Feb 29 12:31:51 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1  
Feb 29 12:31:51 powerbook racoon: INFO: Adding remote and local NAT-D payloads. 
Feb 29 12:31:51 powerbook racoon: [192.168.1.5] INFO: Hashing 192.168.1.5[500] with algo #1  
Feb 29 12:31:51 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Feb 29 12:31:51 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #1  
Feb 29 12:31:51 powerbook racoon: INFO: NAT-D payload #1 verified 
Feb 29 12:31:51 powerbook racoon: INFO: NAT detected: ME  
Feb 29 12:31:51 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500] 
Feb 29 12:31:52 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE 
Feb 29 12:31:52 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA 
Feb 29 12:31:52 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT 
Feb 29 12:31:52 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:4f5e1f08e12bd21c:2e8dc875b4e07c26 
Feb 29 12:32:57 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=4f5e1f08e12bd21c:2e8dc875b4e07c26) seems to be dead. 
Feb 29 12:32:57 powerbook racoon: INFO: purging ISAKMP-SA spi=4f5e1f08e12bd21c:2e8dc875b4e07c26. 
Feb 29 12:32:57 powerbook racoon: INFO: purged ISAKMP-SA spi=4f5e1f08e12bd21c:2e8dc875b4e07c26. 
Feb 29 12:32:57 powerbook racoon: INFO: ISAKMP-SA deleted 192.168.1.5[4500]-1.2.3.4[4500] spi:4f5e1f08e12bd21c:2e8dc875b4e07c26 
Feb 29 12:32:57 powerbook racoon: INFO: KA remove: 192.168.1.5[4500]->1.2.3.4[4500]

Follow-Ups:
- Re: IPsec debugging
  - From: Greg Troxel

References:
- IPsec debugging
  - From: Frank Wille
- Re: IPsec debugging
  - From: Greg Troxel

Prev by Date: Re: IPsec debugging
Next by Date: Re: IPsec debugging
Previous by Thread: Re: IPsec debugging
Next by Thread: Re: IPsec debugging
Indexes:

Home | Main Index | Thread Index | Old Index