FortiGate
bfeng
Staff
Description
This article describes how to reserve a virtual IP address for an IPsec VPN client based on the authenticated user, and how to set up a FortiGate unit to work with a RADIUS server so that the RADIUS-assigned virtual IP address is passed to the IPsec VPN client according to the user that authenticated.

Scope
FortiGate running FortiOS 4.0 or higher
RADIUS server
IPsec VPN (dialup)
FortiClient, or any IPsec client that supports XAuth and DHCP over IPsec

Solution
During RADIUS authentication, the FortiGate unit looks for the 'Framed-IP-Address' attribute (RFC 2865, section 5.8) in the Access-Accept packet. When this attribute is present and the FortiGate unit is configured to use it, the address is handed back to the client through IPsec, SSL-VPN or PPTP.

This is only supported in FortiOS 4.0 and higher.
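As an added illustration (not part of the original article), the following Python script shows both sides of that exchange at the packet level: the RADIUS server puts the user's reserved address into the Access-Accept as attribute 8, and the NAS (the FortiGate's role) validates the Response Authenticator with the shared secret before it trusts the address. The user name, NAS IP, request identifier and reserved address are the ones used in this article; the shared secret, the CHAP identifier and all function names are placeholders of this example.

```python
"""Framed-IP-Address (RFC 2865 section 5.8) round trip at the packet level: the
RADIUS server places the user's reserved address in the Access-Accept, and the
NAS (the FortiGate's role) verifies the Response Authenticator with the shared
secret before it trusts that address."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 3, 4, 8
# 0xFFFFFFFF / 0xFFFFFFFE mean "user picks" / "NAS picks", not a real address.
NAS_SELECTS = {b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe"}

def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_attrs(attrs: bytes) -> dict:
    """Walk the attribute list; reject truncated or zero-length attributes."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        t, ln = attrs[i], attrs[i + 1]
        out[t] = attrs[i + 2:i + ln]
        i += ln
    return out

def build_access_request(ident: int, user: str, password: str, nas_ip: str) -> bytes:
    """NAS side, CHAP over RADIUS: with no CHAP-Challenge attribute the Request
    Authenticator doubles as the CHAP challenge (RFC 2865 section 5.3)."""
    req_auth = os.urandom(16)
    chap_id = b"\x01"                        # placeholder CHAP identifier
    chap = chap_id + hashlib.md5(chap_id + password.encode() + req_auth).digest()
    attrs = (avp(USER_NAME, user.encode()) + avp(CHAP_PASSWORD, chap)
             + avp(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(request: bytes, framed_ip: str, secret: bytes) -> bytes:
    """Server side: echo the identifier, add Framed-IP-Address, and sign with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    attrs = avp(FRAMED_IP_ADDRESS, IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def framed_ip_from_reply(request: bytes, reply: bytes, secret: bytes) -> Optional[str]:
    """NAS side: take the address only from an authenticated Access-Accept that
    answers this request. None means 'assign from the local pool instead'."""
    if len(reply) < 20 or reply[1] != request[1]:
        raise ValueError("reply does not match the request identifier")
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("length field does not match the packet")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    if reply[0] != ACCESS_ACCEPT:
        return None                          # Access-Reject / Challenge: no address
    value = parse_attrs(reply[20:]).get(FRAMED_IP_ADDRESS)
    if value is None or len(value) != 4 or value in NAS_SELECTS:
        return None
    return str(IPv4Address(value))

if __name__ == "__main__":
    # Constructed values matching the article: user fortinettest, NAS 10.100.0.109,
    # reserved address 192.168.253.25. The shared secret is a placeholder.
    secret = b"example-shared-secret"
    req = build_access_request(21, "fortinettest", "fortinet", "10.100.0.109")
    acc = build_access_accept(req, "192.168.253.25", secret)
    print(framed_ip_from_reply(req, acc, secret))   # 192.168.253.25
```

A reply signed with a different secret, or one whose address was altered in transit, fails the authenticator check and is rejected rather than assigned.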

For example:

[Diagram bfeng_vpndialupdiagram1.jpg: the dialup IPsec VPN topology used in this example]

Summary:

  • The client PC establishes a VPN tunnel to the FortiGate unit.
  • The FortiGate unit is set up to forward the authentication request to a RADIUS server.
  • If authentication is successful, the RADIUS server sends an Access-Accept packet back to the FortiGate unit carrying the Framed-IP-Address attribute (the IP address assigned or reserved for that user).
  • The client requests an IP address over DHCP-IPsec.
  • The FortiGate unit passes the address received from the RADIUS server to the client over DHCP-IPsec.
  • In this example port2 is the external port facing the client, and port5 is the interface facing the internal 10.166.0.0 subnet.

Prerequisites:

  • A FortiGate unit running FortiOS 4.0 or higher.
  • The FortiGate unit is connected to the Internet.
  • The FortiGate unit can reach the RADIUS server.
  • The RADIUS server is properly set up and has the correct Framed-IP-Address configured for each user, so that it sends the Framed-IP-Address associated with the user in the Access-Accept packet.
  • As there are many kinds of RADIUS servers available, Fortinet is not responsible for the setup of the RADIUS server.

The following is a simple example of a user entry for FreeRADIUS (users file):

# Check items go on the first line, reply items (indented) on the lines that follow;
# the last reply item must not end with a comma.
fortinettest    Auth-Type := CHAP, User-Password == "fortinet"
        Service-Type = Framed-User,
        Session-Timeout = 180,
        Idle-Timeout = 120,
        Framed-IP-Address = 192.168.253.25

FortiGate configuration:

In this example we used a route-based (also known as interface mode) IPsec VPN.

Configure the RADIUS server entry and the user group that references it:

config user radius
    edit "RADIUS"
        set nas-ip 10.100.0.109
        set secret ENC t8JMeRJkFjDf
        set server "10.100.0.9"
    next
end

config user group
    edit "RADIUS-Client"
        set member "RADIUS"
    next
end

Set up the dialup IPsec VPN (phase 1 with XAuth, phase 2 with DHCP over IPsec):

config vpn ipsec phase1-interface
    edit "Radius-test"
        set type dynamic
        set interface "port2"
        set proposal 3des-sha1
        set xauthtype pap                 <------ enable XAuth
        set psksecret ENC ldspei00
        set authusrgrp "RADIUS-Client"    <------ authenticate against the user group created above
    next
end

config vpn ipsec phase2-interface
    edit "Radius-test_ph2"
        set add-route enable      <------ optional
        set phase1name "Radius-test"
        set proposal 3des-sha1
        set dhcp-ipsec enable     <------ enable DHCP over IPsec
    next
end

Set up DHCP over IPsec:

Create the DHCP server from the CLI. In this example, "DHCP-radius" is used as the name:

config system dhcp server
    edit "DHCP-radius"
        set interface Radius-test     <----- the DHCP server is bound to the IPsec sub-interface
        set netmask 255.255.255.255   <----- the netmask must be set to 255.255.255.255
        set server-type ipsec
        set ip-mode usrgrp            <----- assign the address returned for the authenticated user
    next
end

Set up the firewall policies (the address objects "forticlient" and "internal subnets" must already exist):

config firewall policy
    edit 1
        set srcintf "Radius-test"
        set dstintf "port5"
        set srcaddr "forticlient"
        set dstaddr "internal subnets"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "port5"
        set dstintf "Radius-test"
        set srcaddr "internal subnets"
        set dstaddr "forticlient"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

FortiClient setup:

This setup is transparent to FortiClient. The FortiClient configuration is the same as a usual client setup, with XAuth enabled and the virtual IP address acquired via DHCP over IPsec.

Internal Notes

Debugs:

IPsec:
diag debug app ike -1

DHCP:
diag debug app dhcps 7

RADIUS:
diag debug app fnbamd -1

Then turn on debug output with 'diag debug enable' (and turn it off again with 'diag debug disable' when done).

Please see below for a sample debug capture of a successful connection.


Connected

FG3K6A3406605059 # diag de app ike -1
FG3K6A3406605059 # diag de app dhcps -1
FG3K6A3406605059 # diag de app fnbamd -1
FG3K6A3406605059 # diag de en

FG3K6A3406605059 #
0: comes 192.168.183.254:30213->172.31.210.237:500,ifindex=7....
0: exchange=Identity Protection id=16a56d8f8717703f/0000000000000000 len=284
0:dialup-phase1: new connection.
0:dialup-phase1: check for IP assignment method ...
0:dialup-phase1: user IP assignment using group 'IPsec&PPTPgrp' via DHCP server 'dhcp-ipsec-framedip'
0:dialup-phase1:0: responder: main mode get 1st message...
0:dialup-phase1:0: VID DPD
0:dialup-phase1:0: DPD negotiated
0:dialup-phase1:0: unknown VID (16): AFCA071368A1F1C96B8696FC77570100
0:dialup-phase1:0: unknown VID (16): 6EF67E6852CF311713E50B8B005DB7B8
0:dialup-phase1:0: VID draft-ietf-ipsec-nat-t-ike-03
0:dialup-phase1:0: VID draft-ietf-ipsec-nat-t-ike-00
0:dialup-phase1:0: negotiation result
0:dialup-phase1:0: proposal id = 1:
0:dialup-phase1:0:   protocol id = ISAKMP:
0:dialup-phase1:0:      trans_id = KEY_IKE.
0:dialup-phase1:0:      encapsulation = IKE/none
0:dialup-phase1:0:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
0:dialup-phase1:0:         type=OAKLEY_HASH_ALG, val=SHA.
0:dialup-phase1:0:         type=AUTH_METHOD, val=PRESHARED_KEY.
0:dialup-phase1:0:         type=OAKLEY_GROUP, val=1536.
0:dialup-phase1:0: ISKAMP SA lifetime=28800
0:dialup-phase1:0: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-03
0:dialup-phase1:0: cookie 16a56d8f8717703f/ca462924bd879ce2
0:dialup-phase1:0: sent IKE msg (ident_r1send): 172.31.210.237:500->192.168.183.254:30213, len=132
dialup-phase1: Responder: sent 192.168.183.254 main mode message #1 (OK)

0: comes 192.168.183.254:30213->172.31.210.237:500,ifindex=7....
0: exchange=Identity Protection id=16a56d8f8717703f/ca462924bd879ce2 len=292
0: found dialup-phase1 172.31.210.237 7 -> 192.168.183.254:30213
0:dialup-phase1:0: responder:main mode get 2nd message...
0:dialup-phase1:0: NAT detected: PEER
0:dialup-phase1:0: sent IKE msg (ident_r2send): 172.31.210.237:500->192.168.183.254:30213, len=292
0:dialup-phase1:0: put connection to natt list...ip=192.168.183.254.
dialup-phase1: Responder: sent 192.168.183.254 main mode message #2 (OK)

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Identity Protection id=16a56d8f8717703f/ca462924bd879ce2 len=92
0:dialup-phase1:0: responder: main mode get 3rd message...
0:dialup-phase1:0: PSK authentication succeeded
0:dialup-phase1:0: authentication OK
0:dialup-phase1: adding new dialup tunnel for 192.168.183.254:30214
[debug]Received netlink message
[debug]Processing NEWVDBIND event
0:dialup-phase1_0: added new dialup tunnel for 192.168.183.254:30214
[debug]Adding IPsec interface dialup-phase1_0
dialup-phase1_0: Responder: parsed 192.168.183.254 main mode message #3 (DONE)
[debug]    found dialup-phase1(IPSEC) dev dialup-phase1

[note]Listening on Socket/dialup-phase1/dialup-phase1
0:dialup-phase1_0:0: confirmed nat-t draft3
[note]Sending on   Socket/dialup-phase1/dialup-phase1
0:dialup-phase1_0:0: sent IKE msg (ident_r3send): 172.31.210.237:4500->192.168.183.254:30214, len=68
dialup-phase1_0: Responder: sent 192.168.183.254 main mode message #3 (DONE)

0:dialup-phase1_0:0: initiating XAUTH.
0:dialup-phase1_0:0: sending Xauth request
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (cfg_send): 172.31.210.237:4500->192.168.183.254:30214, len=100
dialup-phase1_0: Initiator: sent 192.168.183.254 xauth mode message #1 (OK)

0:dialup-phase1_0:0: ISAKMP SA established

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Quick id=16a56d8f8717703f/ca462924bd879ce2:75c34f62 len=476
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0: peer has not completed XAUTH exchange
0:dialup-phase1_0:0: error processing quick-mode msg from 192.168.183.254 as responder
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (CFG_RETRANS): 172.31.210.237:4500->192.168.183.254:30214, len=100

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Mode config id=16a56d8f8717703f/ca462924bd879ce2:69e4add0 len=100
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0: XAUTH user "fortinettest" in group 'IPsec&PPTPgrp' (1)
0:dialup-phase1_0: XAUTH 4784128 pending
fnbamd_fsm.c[890] handle_req-Rcvd auth req 4784128 for fortinettest in IPsec&PPTPgrp opt=32 prot=1
fnbamd_radius.c[789] fnbamd_radius_auth_send-Sent radius req to 172.31.210.254: code=1 id=21 len=149 user="fortinettest" using CHAP
fnbamd_auth.c[544] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[1248] fnbamd_auth_handle_result-->Result for radius svr 172.31.210.254(0) is 0
fnbamd_framed_ip_db.c[82] backup_db-vfid(0) written
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[0]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[1]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[2]
fnbamd_framed_ip_db.c[55] backup_ip-ip(192.168.253.25) written     !!!!!
Framed-IP-Address returned by RADIUS
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[3]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[4]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[5]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[6]
fnbamd_framed_ip_db.c[92] backup_db-visiting vfid(0) list[7]
fnbamd_framed_ip_db.c[118] backup_framed_ip_db-backup done by pid(51)
fnbamd_framed_ip_db.c[441] search_framed_ip-backup framed ip done
fnbamd_comm.c[104] fnbamd_comm_send_result-Sending result 0 for req 4784128

0: XAUTH 4784128 result 0
0:dialup-phase1_0: XAUTH succeeded for user "fortinettest"

0:dialup-phase1_0: assigned IP 192.168.253.25
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (cfg_send): 172.31.210.237:4500->192.168.183.254:30214, len=68
dialup-phase1_0: Initiator: sent 192.168.183.254 xauth mode message #2 (OK)

0:dialup-phase1_0:0: no pending Quick-Mode negotiations

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Quick id=16a56d8f8717703f/ca462924bd879ce2:75c34f62 len=476
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0:2: responder received first quick-mode message
0:dialup-phase1_0:0:2: peer proposal is: peer:172.16.87.92-172.16.87.92, me:0.0.0.0-255.255.255.255, ports=67/68, protocol=17/17
0:dialup-phase1_0:0:2: trying dialup-phase2
0:dialup-phase1_0:0:dialup-phase2:2: matched phase2
0:dialup-phase1_0:0:dialup-phase2:2: dialup
0:dialup-phase1_0:0:dialup-phase2:2: my proposal:
0:dialup-phase1_0:0:dialup-phase2:2: proposal id = 1:
0:dialup-phase1_0:0:dialup-phase2:2:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:2:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:2:      encapsulation = ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:2:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0:dialup-phase2:2:      trans_id = ESP_AES (key_len = 128)
0:dialup-phase1_0:0:dialup-phase2:2:      encapsulation = ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:2:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0:dialup-phase2:2: incoming proposal:
0:dialup-phase1_0:0:dialup-phase2:2: proposal id = 1:
0:dialup-phase1_0:0:dialup-phase2:2:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:2:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:2:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:2:         type = AUTH_ALG, val=MD5
0:dialup-phase1_0:0: cmpsaprop: natt flags 0x5, pr1 encmode 61443, pr2 encmode 1
0:dialup-phase1_0:0:dialup-phase2:2: incoming proposal:
0:dialup-phase1_0:0:dialup-phase2:2: proposal id = 2:
0:dialup-phase1_0:0:dialup-phase2:2:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:2:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:2:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:2:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0: cmpsaprop: natt flags 0x5, pr1 encmode 61443, pr2 encmode 1
0:dialup-phase1_0:0:dialup-phase2:2: negotiation r

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Quick id=16a56d8f8717703f/ca462924bd879ce2:75c34f62 len=52
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0:dialup-phase2:2: replay protection enabled
0:dialup-phase1_0:0:dialup-phase2:2: set sa life soft seconds=111.
0:dialup-phase1_0:0:dialup-phase2:2: set sa life hard seconds=120.
0:dialup-phase1_0:2: add route 172.16.87.92/255.255.255.255 oif dialup-phase1_0(19) metric 1 priority 0
0:dialup-phase1_0:0:dialup-phase2:2: tunnel 1 of VDOM limit 0/0
0:dialup-phase1_0:0:dialup-phase2:2: add SA #src=1 #dst=1
0:dialup-phase1_0:0:dialup-phase2:2: src 0 7 0.0.0.0-255.255.255.255
0:dialup-phase1_0:0:dialup-phase2:2: dst 0 7 172.16.87.92-172.16.87.92
0:dialup-phase1_0:0:dialup-phase2:2: installed SA: SPIs=b36de1a1/f6fa97c1
0:dialup-phase1_0:dialup-phase2: sending tunnel UP notification 192.168.253.25
dialup-phase1_0: Responder: parsed 192.168.183.254 quick mode message #2 (DONE)

[debug]IPsec tunnel dialup-phase1_0 is up
[debug]setup_ipsec_host(): adding tunnel/ip pair dialup-phase1_0/192.168.253.25
[debug]setup_ipsec_host(): adding entry to hash table

0:dialup-phase1_0: link is idle 7 172.31.210.237->192.168.183.254:30214 dpd=2 seqno=1
shrank heap by 110592 bytes

0:dialup-phase1_0: link is idle 7 172.31.210.237->192.168.183.254:30214 dpd=2 seqno=2
0:dialup-phase1_0: send DPD probe, seqno 2
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (R-U-THERE): 172.31.210.237:4500->192.168.183.254:30214, len=92

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Informational id=16a56d8f8717703f/ca462924bd879ce2:27322d1a len=84
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0: notify msg received: R-U-THERE-ACK

[debug]calling handler[dialup-phase1]
[debug]entering sck_receive_packet
[debug]sck_receive_packet(): got dhcp packet from 172.16.87.92:68 to 255.255.255.255
[debug]leaving sck_receive_packet
[debug]locate_network prhtype(31) pihtype(31)
[debug]look for host 'dialup-phase1_0'
[debug]find_lease(): found tunnel in hash
[debug]mockup_externally_assigned_ip_lease(): entering function
[debug]mockup_externally_assigned_ip_lease(): lease ip is 192.168.253.25
[debug]mockup_externally_assigned_ip_lease(): leaving function
[debug]htyp packet 31, htype hw_addr 64

[note]DHCPDISCOVER from 00:1c:bf:83:1e:7d via dialup-phase1(IPSEC)
[debug]packet length 300
[debug]op = 1  htype = 31  hlen = 6  hops = 0
[debug]xid = 6e32739  secs = 0  flags = 0
[debug]ciaddr = 0.0.0.0
[debug]yiaddr = 0.0.0.0
[debug]siaddr = 0.0.0.0
[debug]giaddr = 0.0.0.0
[debug]chaddr = 00:1c:bf:83:1e:7d
[debug]filename =
[debug]server_name =
[debug]  host-name = "LENOVO-19B9A2EB"
[debug]  vendor-encapsulated-options = dc:0
[debug]  dhcp-message-type = 1
[debug]  dhcp-parameter-request-list = 1,15,3,6,44,46,47,31,33,249,43
[debug]  dhcp-class-identifier = "MSFT 5.0"
[debug]  dhcp-client-identifier = 1f:0:1c:bf:83:1e:7d
[debug]  option-116 = 1
[debug]
[pkt]000: 01 1f 06 00 39 27 e3 06  00 00 00 00 00 00 00 00
[pkt]010: 00 00 00 00 00 00 00 00  00 00 00 00 00 1c bf 83
[pkt]020: 1e 7d 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0b0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0e0: 00 00 00 00 00 00 00 00  00 00 00 00 63 82 53 63
[pkt]0f0: 35 01 01 74 01 01 3d 07  1f 00 1c bf 83 1e 7d 0c
[pkt]100: 0f 4c 45 4e 4f 56 4f 2d  31 39 42 39 41 32 45 42
[pkt]110: 3c 08 4d 53 46 54 20 35  2e 30 37 0b 01 0f 03 06
[pkt]120: 2c 2e 2f 1f 21 f9 2b 2b  02 dc 00 ff

[note]DHCPOFFER on 192.168.253.25 to 00:1c:bf:83:1e:7d via dialup-phase1(IPSEC)
[pkt]000: 02 1f 06 00 39 27 e3 06  00 00 00 00 00 00 00 00
[pkt]010: c0 a8 fd 19 ac 1f d2 ed  00 00 00 00 00 1c bf 83
[pkt]020: 1e 7d 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0b0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0e0: 00 00 00 00 00 00 00 00  00 00 00 00 63 82 53 63
[pkt]0f0: 35 01 02 36 04 ac 1f d2  ed 33 04 00 09 3a 80 01
[pkt]100: 04 ff ff ff ff 06 04 c0  a8 03 01 2c 04 c0 a8 03
[pkt]110: 02 3a 04 00 04 9d 40 3b  04 00 08 13 30 ff

[debug]replying to IPSEC using dst ip = 172.16.87.92
[debug]sending on dialup-phase1(IPSEC)
[debug]calling handler[dialup-phase1]
[debug]entering sck_receive_packet
[debug]sck_receive_packet(): got dhcp packet from 172.16.87.92:68 to 255.255.255.255
[debug]leaving sck_receive_packet
[debug]locate_network prhtype(31) pihtype(31)
[debug]find_lease(): packet contains preferred client IP, cip.s_addr is 192.168.253.25
[debug]look for host 'dialup-phase1_0'
[debug]find_lease(): found tunnel in hash
[debug]mockup_externally_assigned_ip_lease(): entering function
[debug]mockup_externally

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Informational id=16a56d8f8717703f/ca462924bd879ce2:ffb94ab2 len=76
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0: recv IPsec SA delete, spi count 2
0:dialup-phase1_0: deleting SA with SPI f6fa97c1
0:dialup-phase1_0: deleted SA with SPI f6fa97c1, dialup-phase2 has 0 SAs left
0:dialup-phase1_0: sending SNMP tunnel DOWN trap for dialup-phase2
0:dialup-phase1: found phase2 dialup-phase2
0:dialup-phase1_0: delete DHCP sessions

[debug]IPsec tunnel dialup-phase1_0 is down
[debug]Finding lease for DHCP/IPSec client 172.16.87.92 vf 0 intf dialup-phase1_0
[debug]search through all subnets to find an ip lease (172.16.87.92)
[debug]no lease found for DHCP/IPSec IP 172.16.87.92

[debug]remove_ipsec_host(): trying to remove tunnel/ip pair dialup-phase1_0/172.16.87.92

0:dialup-phase1_0: delete routes for dialup-phase2
0:dialup-phase1_0:2: del route 172.16.87.92/255.255.255.255 oif dialup-phase1_0(19) metric 1 priority 0
0:dialup-phase1_0: delete dialup-phase2
0:dialup-phase1_0:0: send IPsec SA delete, spi b36de1a1
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (IPsec SA_DELETE-NOTIFY): 172.31.210.237:4500->192.168.183.254:30214, len=76
0:dialup-phase1_0: deleting SA with SPI b36de1a1
0:dialup-phase1_0: SA with SPI b36de1a1 does not exist

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Quick id=16a56d8f8717703f/ca462924bd879ce2:bf2dd56b len=476
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0:5: responder received first quick-mode message
0:dialup-phase1_0:0:5: peer proposal is: peer:192.168.253.25-192.168.253.25, me:10.140.0.0-10.140.0.255, ports=0/0, protocol=0/0
0:dialup-phase1_0:0:5: trying dialup-phase2
0:dialup-phase1_0:0:dialup-phase2:5: matched phase2
0:dialup-phase1_0:0:dialup-phase2:5: dialup
0:dialup-phase1_0:0:dialup-phase2:5: my proposal:
0:dialup-phase1_0:0:dialup-phase2:5: proposal id = 1:
0:dialup-phase1_0:0:dialup-phase2:5:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:5:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:5:      encapsulation = ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:5:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0:dialup-phase2:5:      trans_id = ESP_AES (key_len = 128)
0:dialup-phase1_0:0:dialup-phase2:5:      encapsulation = ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:5:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0:dialup-phase2:5: incoming proposal:
0:dialup-phase1_0:0:dialup-phase2:5: proposal id = 1:
0:dialup-phase1_0:0:dialup-phase2:5:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:5:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:5:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:5:         type = AUTH_ALG, val=MD5
0:dialup-phase1_0:0: cmpsaprop: natt flags 0x5, pr1 encmode 61443, pr2 encmode 1
0:dialup-phase1_0:0:dialup-phase2:5: incoming proposal:
0:dialup-phase1_0:0:dialup-phase2:5: proposal id = 2:
0:dialup-phase1_0:0:dialup-phase2:5:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:5:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:5:      encapsulation = UDP_ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:5:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0: cmpsaprop: natt flags 0x5, pr1 encmode 61443, pr2 encmode 1
0:dialup-phase1_0:0:dialup-phase2:5: negotiation result
0:dialup-phase1_0:0:dialup-phase2:5: proposal id = 2:
0:dialup-phase1_0:0:dialup-phase2:5:   protocol id = IPSEC_ESP:
0:dialup-phase1_0:0:dialup-phase2:5:      trans_id = ESP_3DES
0:dialup-phase1_0:0:dialup-phase2:5:      encapsulation = ENCAPSULATION_MODE_TUNNEL
0:dialup-phase1_0:0:dialup-phase2:5:         type = AUTH_ALG, val=SHA1
0:dialup-phase1_0:0:dialup-phase2:5: set pfs=1536
0:dialup-phase1_0:0:dialup-phase2:5: encapsulation = 1
0:dialup-phase1_0:0:dialup-phase2:5: using udp tunnel mode.
0:dialup-phase1_0:0: confirmed nat-t draf[warn]got an interrupt

0:dialup-phase1_0: link is idle 7 172.31.210.237->192.168.183.254:30214 dpd=2 seqno=3
shrank heap by 4096 bytes

0:dialup-phase1_0: link is idle 7 172.31.210.237->192.168.183.254:30214 dpd=2 seqno=4
0:dialup-phase1_0: send DPD probe, seqno 4
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (R-U-THERE): 172.31.210.237:4500->192.168.183.254:30214, len=92

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Informational id=16a56d8f8717703f/ca462924bd879ce2:dcfbb8d4 len=84
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0: notify msg received: R-U-THERE-ACK

0:dialup-phase1_0: link is idle 7 172.31.210.237->192.168.183.254:30214 dpd=2 seqno=5
0:dialup-phase1_0: send DPD probe, seqno 5
0:dialup-phase1_0:0: confirmed nat-t draft3
0:dialup-phase1_0:0: sent IKE msg (R-U-THERE): 172.31.210.237:4500->192.168.183.254:30214, len=92

0: comes 192.168.183.254:30214->172.31.210.237:4500,ifindex=7....
0: exchange=Informational id=16a56d8f8717703f/ca462924bd879ce2:f1838f41 len=84
0: found dialup-phase1_0 172.31.210.237 7 -> 192.168.183.254:30214
0:dialup-phase1_0:0: notify msg received: R-U-THERE-ACK

FG3K6A3406605059 # diag de dis
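To confirm from the dhcps debug that the offer carries what the configuration requires (the RADIUS-reserved address with a 255.255.255.255 mask), here is an added Python decoder, not part of the original article, that reassembles the DHCPOFFER from the [pkt] lines of the capture above and decodes its BOOTP header and options. The hex lines are copied from this capture; the function names are this example's own.

```python
"""Decode the DHCPOFFER that the FortiGate sent over DHCP-IPsec, taken from the
[pkt] hex lines of a 'diag debug app dhcps' capture, and check that it offers
the RADIUS-reserved address with the /32 mask the DHCP server config requires."""
import re
import struct
from ipaddress import IPv4Address

# Input: the DHCPOFFER hex lines copied from the debug capture in this article.
DHCPOFFER_DUMP = """\
[pkt]000: 02 1f 06 00 39 27 e3 06  00 00 00 00 00 00 00 00
[pkt]010: c0 a8 fd 19 ac 1f d2 ed  00 00 00 00 00 1c bf 83
[pkt]020: 1e 7d 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0b0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
[pkt]0e0: 00 00 00 00 00 00 00 00  00 00 00 00 63 82 53 63
[pkt]0f0: 35 01 02 36 04 ac 1f d2  ed 33 04 00 09 3a 80 01
[pkt]100: 04 ff ff ff ff 06 04 c0  a8 03 01 2c 04 c0 a8 03
[pkt]110: 02 3a 04 00 04 9d 40 3b  04 00 08 13 30 ff
"""

def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the packet from '[pkt]OFFSET: xx xx ...' lines, checking offsets."""
    pkt = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\[pkt\]([0-9a-f]+):\s*((?:[0-9a-f]{2}\s*)+)$", line)
        if not m or int(m.group(1), 16) != len(pkt):
            raise ValueError("bad or non-contiguous dump line: %r" % line)
        pkt += bytes.fromhex(m.group(2))
    return bytes(pkt)

def parse_dhcp(pkt: bytes) -> dict:
    """Decode the BOOTP header and the options that matter for DHCP over IPsec."""
    if len(pkt) < 240 or pkt[236:240] != bytes.fromhex("63825363"):
        raise ValueError("too short or missing DHCP magic cookie")
    op, htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    fields = {
        "op": op, "htype": htype, "xid": xid,   # htype 31 = IPsec tunnel (RFC 3456)
        "yiaddr": str(IPv4Address(pkt[16:20])),  # address offered to the client
        "siaddr": str(IPv4Address(pkt[20:24])),
        "chaddr": pkt[28:28 + hlen].hex(":"),
    }
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = End option
        if pkt[i] == 0:                          # 0 = Pad, carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    fields["message_type"] = opts[53][0]          # 2 = DHCPOFFER
    fields["subnet_mask"] = str(IPv4Address(opts[1]))
    fields["server_id"] = str(IPv4Address(opts[54]))
    fields["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    return fields

def offer_matches_radius(fields: dict, radius_framed_ip: str) -> bool:
    """True when the offer hands out the RADIUS Framed-IP-Address as a /32 host."""
    return (fields["message_type"] == 2
            and fields["yiaddr"] == radius_framed_ip
            and fields["subnet_mask"] == "255.255.255.255")
```

For the capture above the decoder yields yiaddr 192.168.253.25 (the Framed-IP-Address fnbamd logged), server 172.31.210.237, mask 255.255.255.255 and a 604800-second lease, so the offer matches the RADIUS assignment.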

 
