Visual Guide to Configuring IPSec VPN using RSA + Xauth and iOS Roadwarriors



  • This how-to will explain how to configure IPSec VPN with RSA + Xauth authentication and iOS client device. Steps are pretty detailed so people with little pfSense and/or IPSec experience should be able to follow them without too many issues. The setup was tested on virtual machine running pfSense v2.0.1 and iOS v5 device.

    pfSense box configuration:

    
    WAN subnet:        192.168.100.0/24
    WAN IP address:    192.168.100.207
    LAN subnet:        192.168.56.0/24
    LAN IP address:    192.168.56.100
    VPN client subnet: 192.168.200.0/24
    
    

    Part 1 - Configuring pfSense

    • Step 1 - Create certificate authority
      Go to 'System -> Cert Manager -> CAs' and click on 'add or import ca' icon
      Enter CA details:

      Hit 'Save'

    • Step 2 - Create IPSec server certificate
      Go to 'System -> Cert Manager -> Certificates' and click on 'add or import ca' icon.
      Enter certificate details:

      NOTE: Common Name must be set to the domain or IP address that will be used to connect to the server. If you set it to something else iOS will refuse to connect to the server with message 'Could not validate the server certificate'.
      Hit 'Save'

    • Step 3 - Configure IPSec Phase 1
      Go to 'VPN -> IPSec -> Mobile clients'
      In the 'IKE Extensions' section check 'Enable IPsec Mobile Client Support' and hit 'Save'
      Message will be displayed on the top of the page with a button to create phase 1 entry, click on that link.

      Configure Phase 1:

      NOTE: 'My certificate' is set to the server certificate that was created in step 2
      Hit 'Save'

    • Step 4 - Configure IPSec Phase 2
      Go to 'VPN -> IPSec -> Tunnels'
      Click on the + sign located under the phase 1 entry that you created in step 3 and click on 'add phase2 entry' icon
      Configure Phase 2:

      Hit 'Save'

    • Step 5 - Configure Xauth and client configuration
      Go to 'VPN -> IPSec -> Mobile clients'
      Configure Xauth:

      Hit 'Save'

    • Step 6 - Enable IPSec
      Go to 'VPN -> IPSec -> Tunnels'
      Check 'Enable IPsec' flag and hit 'Save'
      Click the 'Apply changes' button on top

      At this point we are done configuring IPSec. Now we need to configure firewall to allow incoming requests.

    • Step 8 - Configure Firewall
      Go to 'Firewall -> Rules -> WAN'
      Click on 'add new rule' icon and configure ISAKMP port:

      Click on 'add new rule' icon and configure NAT-T port:

      This will allow encrypted IPSec VPN traffic to be passed between road warriors and WAN, but will not allow decrypted traffic to reach LAN or WAN addresses. In order to allow decrypted traffic:
      Go to 'Firewall -> Rules -> IPsec'
      Click on 'add new rule' icon and allow all traffic:

      Warning: This will allow IPSec clients to reach your LAN as well as Internet addresses. If that is not desired make sure you add blocking rules that restrict IPSec client access accordingly. If you do decide to block IPSec access to LAN you have to enable access to port 53 (DNS) on LAN interface because we specified LAN address as DNS server in step 5.

      Hit 'Save' and then 'Apply changes' button on the top of the page in order for the firewall rules to take the effect.

    • Step 9 - Create User(s)
      Go to 'System -> User Manager -> Users'
      Click on 'add user' icon.
      Enter user details and create user certificate:

      Hit 'Save'.
      Now hit 'edit user' and add 'User - System - Shell account access' privilege to effective permission list. If user is not given this permission it will not be able to authenticate.

      We have now finished configuring IPSec, firewall and user and can move on to configuring client device.

    Part 2 - Configuring Client Device

    • Step 10 - Export Certificates
      Go to 'System -> Cert Manager -> CAs', click on 'export ca cert' icon and save .crt file.
      Go to 'System -> User Manager -> Users' and click 'edit' next to your user. In the 'User Certificates' section click on 'export private key' and 'export cert' icons and save .crt and .key files.
      In order to import user's private key and certificate into iOS we need to combine those two files into one single file. We will be doing that using OpenSSL. Run following command in the folder where you saved user key and certificate files.

      openssl pkcs12 -export -clcerts -in IPSecTestUser-IPSecTestUser.crt -inkey IPSecTestUser-IPSecTestUser.key -out IPSecTestUser-IPSecTestUser.p12
      

      In the command above 'IPSecTestUser-IPSecTestUser.crt' is user certificate file, 'IPSecTestUser-IPSecTestUser.key' is user key file and 'IPSecTestUser-IPSecTestUser.p12' is the output file.
      Important: when OpenSSL asks to provide export password - do not leave it blank. iOS does not permit importing private keys that are not password protected.

    • Step 11 - Import Certificates Into iOS Device
      In order to achieve this you need to email CA's certificate file and user's certificate/private key .p12 file to an email that you can access from your iOS device.
      Once you open the email on iOS device click on the CA's certificate first. On the next page click 'Install' button.

      Repeat with the user certificate.

    • Step 12 - Configure VPN on iOS Device
      Now we are ready to configure VPN on the iOS device. To do that go to 'Settings -> General -> Network -> VPN' and click on 'Add VPN Configuration…' and enter server/user information:

      NOTE: server must match what you entered in the common name field when creating server certificate in the 2nd step of part 1.

      After saving configuration you can select it from the list and click on On/Off switch at the top of the page ('Settings -> General -> Network -> VPN'). If iOS is able to connect you will see VPN icon next to 3G/Wifi icon on the top of the screen. On pfSense box you can view VPN tunnel details on 'Status -> IPSec'.

    Configuration described in this guide can be further tweaked to meet your specific requirements. You could use different encryption algorithms to possibly increase the connection speed or route only traffic destined to specific network through VPN, letting all other traffic be routed via regular 3G/wifi connection. iOS also supports VPN-on-demand which allows you to automatically establish VPN when user tries to access specified domains.

    Cheers



  • Thank you so much for sharing your solution with us!!!

    Your settings doesn't work for me (pfSense with fixed IP - iPhone iOS 5.0).

    There is no error in IPsec Logs (it looks good) but iPhone says there is no communication with server possible.  :'(
    The last log entry is "racoon: INFO: Adding remote and local NAT-D payloads."

    If I leave the password field in VPN client empty iPhone do not ask me for the password.

    EDIT: One more thing: Is it correct to use "Local Subnet: none" in Phase 2?! Also do the user really not need the XAuth rights?!



  • I think it is a lot easier to troubleshoot things when you break them down into clearly defined steps and deal with them one by one.

    In this case the whole process can be split into following steps: IKE phase 1, Xauth and IKE phase 2.

    • IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA).

    • Xauth is an IKE extension that occurs after phase 1 and adds a login/password authentication. This solves half of the authentication problem: because Xauth occurs just after phase 1, it is secured by phase 1 authentication.

    • During IKE phase 2, the IKE peers use the secure channel established in Phase 1 to negotiate Security Associations on behalf of other services like IPsec. The negotiation results in a minimum of two unidirectional security associations (one inbound and one outbound).

    Sources of the above descriptions and more info: http://en.wikipedia.org/wiki/Internet_Key_Exchange and http://www.netbsd.org/docs/network/ipsec/index.html

    Following is the log of successful VPN tunnel establishment. This is using configuration described in the first step. Road warrior client IP is 192.168.100.140.

    Mar 12 18:46:42 pfsense racoon: INFO: respond new phase 1 negotiation: 192.168.100.207[500]<=>192.168.100.140[500]
    Mar 12 18:46:42 pfsense racoon: INFO: begin Identity Protection mode.
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: RFC 3947
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 12 18:46:42 pfsense racoon: INFO: received Vendor ID: DPD
    Mar 12 18:46:42 pfsense racoon: [192.168.100.140] INFO: Selected NAT-T version: RFC 3947
    Mar 12 18:46:42 pfsense racoon: INFO: Adding xauth VID payload.
    Mar 12 18:46:42 pfsense racoon: [192.168.100.207] INFO: Hashing 192.168.100.207[500] with algo #2
    Mar 12 18:46:42 pfsense racoon: INFO: NAT-D payload #0 verified
    Mar 12 18:46:42 pfsense racoon: [192.168.100.140] INFO: Hashing 192.168.100.140[500] with algo #2
    Mar 12 18:46:42 pfsense racoon: INFO: NAT-D payload #1 verified
    Mar 12 18:46:42 pfsense racoon: INFO: NAT not detected
    Mar 12 18:46:42 pfsense racoon: [192.168.100.140] INFO: Hashing 192.168.100.140[500] with algo #2
    Mar 12 18:46:42 pfsense racoon: [192.168.100.207] INFO: Hashing 192.168.100.207[500] with algo #2
    Mar 12 18:46:42 pfsense racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 12 18:46:43 pfsense racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Texas/L=Austin/O=My Company Inc. /emailAddress=admin@mycompany.com/CN=IPSecTestUser
    Mar 12 18:46:43 pfsense racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Texas/L=Austin/O=My Company Inc. /emailAddress=admin@mycompany.com/CN=internal-ca
    Mar 12 18:46:43 pfsense racoon: INFO: Sending Xauth request
    Mar 12 18:46:43 pfsense racoon: [192.168.100.140] INFO: received INITIAL-CONTACT
    Mar 12 18:46:43 pfsense racoon: INFO: ISAKMP-SA established 192.168.100.207[500]-192.168.100.140[500] spi:bf12cef871d5de3a:2bb22278ce628e4e

    Phase 1 has been completed, SA is established, iPhone prompts you to enter username/password

    Mar 12 18:46:51 pfsense racoon: INFO: Using port 0
    Mar 12 18:46:51 pfsense racoon: INFO: login succeeded for user "IPSecTestUser"
    Mar 12 18:46:51 pfsense racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Mar 12 18:46:51 pfsense racoon: ERROR: Cannot open "/etc/motd"
    Mar 12 18:46:51 pfsense racoon: WARNING: Ignored attribute 28683

    Xauth authentication succeeded, next is phase 2

    Mar 12 18:46:52 pfsense racoon: INFO: respond new phase 2 negotiation: 192.168.100.207[500]<=>192.168.100.140[500]
    Mar 12 18:46:52 pfsense racoon: INFO: no policy found, try to generate the policy : 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    Mar 12 18:46:52 pfsense racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=170227682(0xa2577e2)
    Mar 12 18:46:52 pfsense racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=119464702(0x71ee2fe)

    VPN tunnel has been established. This does not however mean that traffic is being routed properly :)

    As you can see your connection is failing even before phase 1 is established so make sure that connection between client and server is reliable, check your firewall, ports 500 and 4500 must be open, check and then re-check your phase 1 configuration. Also try disabling NAT traversal and see if that makes any difference.

    If all of the above fails, re-start racoon in debug mode so it shows a lot more detailed info in the log:

    /usr/bin/killall racoon && /usr/local/sbin/racoon -d -f /var/etc/racoon.conf
    

    I will post same log as above, but in debug mode in a separate post so you have a reference point.

    Regarding the local network: setup as described in the first post will force all traffic from the client device to be routed via VPN tunnel, if you want VPN to be used only for the traffic destined to certain network you can specify it in 'Local Network' section of phase 2 in combination with 'Provide a list of accessible networks to clients' setting on 'Mobile clients' tab.

    I hope this helps you to troubleshoot your problem.

    Regards



  • racoon: DEBUG: ===
    racoon: DEBUG: 644 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 00000000 00000000 01100200 00000000 00000284 0d00016c 00000001 00000001 00000160 0101000a 03000024 01010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040005 03000024 02010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040002 03000024 03010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020002 80040002 03000024 04010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040005 03000024 05010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040002 03000024 06010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020001 80040002 03000020 07010000 800b0001 800c0e10 80010005 8003fded 80020002 80040002 03000020 08010000 800b0001 800c0e10 80010005 8003fded 80020001 80040002 03000020 09010000 800b0001 800c0e10 80010001 8003fded 80020002 80040002 00000020 0a010000 800b0001 800c0e10 80010001 8003fded 80020001 80040002 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 4df37928 e9fc4fd1 b3262170 d515c662 0d000014 8f8d838
    racoon: DEBUG: ===
    racoon: INFO: respond new phase 1 negotiation: 192.168.100.207[500]<=>192.168.100.140[500]
    racoon: INFO: begin Identity Protection mode.
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=1(sa)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: seen nptype=13(vid)
    racoon: DEBUG: succeed.
    racoon: INFO: received Vendor ID: RFC 3947
    racoon: DEBUG: received unknown Vendor ID
    racoon: DEBUG:  4df37928 e9fc4fd1 b3262170 d515c662
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
    racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    racoon: INFO: received Vendor ID: CISCO-UNITY
    racoon: INFO: received Vendor ID: DPD
    racoon: DEBUG: remote supports DPD
    racoon: [192.168.100.140] INFO: Selected NAT-T version: RFC 3947
    racoon: DEBUG: total SA len=360
    racoon: DEBUG:  00000001 00000001 00000160 0101000a 03000024 01010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040005 03000024 02010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040002 03000024 03010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020002 80040002 03000024 04010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040005 03000024 05010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040002 03000024 06010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020001 80040002 03000020 07010000 800b0001 800c0e10 80010005 8003fded 80020002 80040002 03000020 08010000 800b0001 800c0e10 80010005 8003fded 80020001 80040002 03000020 09010000 800b0001 800c0e10 80010001 8003fded 80020002 80040002 00000020 0a010000 800b0001 800c0e10 80010001 8003fded 80020001 80040002
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=2(prop)
    racoon: DEBUG: succeed.
    racoon: DEBUG: proposal #1 len=352
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: succeed.
    racoon: DEBUG: transform #1 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1536-bit MODP group
    racoon: DEBUG: hmac(modp1536)
    racoon: DEBUG: transform #2 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #3 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #4 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
    racoon: DEBUG: hash(md5)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1536-bit MODP group
    racoon: DEBUG: hmac(modp1536)
    racoon: DEBUG: transform #5 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
    racoon: DEBUG: hash(md5)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #6 len=36
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
    racoon: DEBUG: hash(md5)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #7 len=32
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
    racoon: DEBUG: encryption(3des)
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #8 len=32
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
    racoon: DEBUG: encryption(3des)
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
    racoon: DEBUG: hash(md5)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #9 len=32
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
    racoon: DEBUG: encryption(des)
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: transform #10 len=32
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC
    racoon: DEBUG: encryption(des)
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=MD5
    racoon: DEBUG: hash(md5)
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: pair 1:
    racoon: DEBUG:  0x28520580: next=0x0 tnext=0x28520590
    racoon: DEBUG:   0x28520590: next=0x0 tnext=0x285205a0
    racoon: DEBUG:    0x285205a0: next=0x0 tnext=0x285205b0
    racoon: DEBUG:     0x285205b0: next=0x0 tnext=0x285205c0
    racoon: DEBUG:      0x285205c0: next=0x0 tnext=0x28520600
    racoon: DEBUG:       0x28520600: next=0x0 tnext=0x28520610
    racoon: DEBUG:        0x28520610: next=0x0 tnext=0x28520620
    racoon: DEBUG:         0x28520620: next=0x0 tnext=0x28520630
    racoon: DEBUG:          0x28520630: next=0x0 tnext=0x28520640
    racoon: DEBUG:           0x28520640: next=0x0 tnext=0x0
    racoon: DEBUG: proposal #1: 10 transform
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1536-bit MODP group
    racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=10
    racoon: DEBUG: trns#=1, trns-id=IKE
    racoon: DEBUG:   lifetime = 3600
    racoon: DEBUG:   lifebyte = 0
    racoon: DEBUG:   enctype = AES-CBC
    racoon: DEBUG:   encklen = 256
    racoon: DEBUG:   hashtype = SHA
    racoon: DEBUG:   authmethod = XAuth RSASIG client
    racoon: DEBUG:   dh_group = 1536-bit MODP group
    racoon: DEBUG: type=Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
    racoon: DEBUG: type=Hash Algorithm, flag=0x8000, lorv=SHA
    racoon: DEBUG: type=Group Description, flag=0x8000, lorv=1024-bit MODP group
    racoon: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=10
    racoon: DEBUG: trns#=2, trns-id=IKE
    racoon: DEBUG:   lifetime = 3600
    racoon: DEBUG:   lifebyte = 0
    racoon: DEBUG:   enctype = AES-CBC
    racoon: DEBUG:   encklen = 256
    racoon: DEBUG:   hashtype = SHA
    racoon: DEBUG:   authmethod = XAuth RSASIG client
    racoon: DEBUG:   dh_group = 1024-bit MODP group
    racoon: DEBUG: an acceptable proposal found.
    racoon: DEBUG: hmac(modp1024)
    racoon: DEBUG: agreed on XAuth RSASIG server auth.
    racoon: DEBUG: ===
    racoon: DEBUG: new cookie: f88c033e10dce8a6 
    racoon: INFO: Adding xauth VID payload.
    racoon: DEBUG: add payload of len 52, next type 13
    racoon: DEBUG: add payload of len 8, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 16, next type 0
    racoon: DEBUG: 156 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 156 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 01100200 00000000 0000009c 0d000038 00000001 00000001 0000002c 01010001 00000024 02010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040002 0d00000c 09002689 dfd6b712 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100 0d000014 4a131c81 07035845 5c5728f2 0e95452f 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    racoon: DEBUG: resend phase1 packet 537c409a45c19353:f88c033e10dce8a6
    racoon: DEBUG: ===
    racoon: DEBUG: 228 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 04100200 00000000 000000e4 0a000084 3d1767b0 7e108eb7 31a5ac18 2414aea2 af9e43aa 869a4402 88c0b12b 4cb37338 79d49fc9 2942a05f 0df40cc6 ef30ad74 417fb552 1ff840f8 054b0fca 4d494565 06a1a04b f3c0f2df 47ce481e b45dc560 4eb3012b 871a7ee9 b84fe6d4 50a5d691 6ffdc59f 4747d7fd 51169f66 081dd911 922654b4 e495b8f1 da142432 9a79d960 14000014 e1595c88 53dbbb00 6d5d78bb 812c49ef 14000018 3a07f12d 52924d80 1e95ea2d ef5550d4 14366828 00000018 a7d7526f 5a747267 c881533a 4c85c794 f9667e82
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=4(ke)
    racoon: DEBUG: seen nptype=10(nonce)
    racoon: DEBUG: seen nptype=20(nat-d)
    racoon: DEBUG: seen nptype=20(nat-d)
    racoon: DEBUG: succeed.
    racoon: [192.168.100.207] INFO: Hashing 192.168.100.207[500] with algo #2 
    racoon: DEBUG: hash(sha1)
    racoon: INFO: NAT-D payload #0 verified
    racoon: [192.168.100.140] INFO: Hashing 192.168.100.140[500] with algo #2 
    racoon: DEBUG: hash(sha1)
    racoon: INFO: NAT-D payload #1 verified
    racoon: INFO: NAT not detected 
    racoon: DEBUG: ===
    racoon: DEBUG: compute DH's private.
    racoon: DEBUG:  66beeb2c edf26ecc a65d41a5 cf41b8ae 162c243b 84a78e68 3cf1c030 41d3ce5d 6e54277a 2c4942a6 2ad19f6e 8a7bc29a 4bd28000 daf7bae4 ca5ed628 0c0dc058 0d81fffe 53b9cac2 9c3967e7 a92d0c2f 8e5bd623 f545b0ff 41501681 0156aa61 98ae743d 9b3e4868 11b77d15 cead0ecd c5bef5fc 914b4a83 d3ec0f28 9e41d1d8
    racoon: DEBUG: compute DH's public.
    racoon: DEBUG:  37c64011 e5577c0e dd48b06b 550e691b 28118042 1fd9a7bc 5924feca a51839c6 2f770aac de7aa085 30ef0706 80f3cef7 49e6028c e5aa6329 4b747be3 50a43c0c a1b743de 8341966b e9602a27 ef59fb35 1cf17246 050759c5 7768020f 0cf45564 5a80b349 85f5b511 d5668b75 8cbc132d 5d4613ee 31e2db04 4557144b e2ff52c6
    racoon: [192.168.100.140] DEBUG: appending CR: X.509 Certificate Signature
    racoon: DEBUG:  04308183 310b3009 06035504 06130255 53310e30 0c060355 04081305 54657861 73310f30 0d060355 04071306 41757374 696e3119 30170603 55040a13 104d7920 436f6d70 616e7920 496e632e 20312230 2006092a 864886f7 0d010901 16136164 6d696e40 6d79636f 6d70616e 792e636f 6d311430 12060355 0403130b 696e7465 726e616c 2d6361
    racoon: [192.168.100.140] INFO: Hashing 192.168.100.140[500] with algo #2 
    racoon: DEBUG: hash(sha1)
    racoon: [192.168.100.207] INFO: Hashing 192.168.100.207[500] with algo #2 
    racoon: DEBUG: hash(sha1)
    racoon: INFO: Adding remote and local NAT-D payloads.
    racoon: DEBUG: add payload of len 128, next type 10
    racoon: DEBUG: add payload of len 16, next type 7
    racoon: DEBUG: add payload of len 135, next type 20
    racoon: DEBUG: add payload of len 20, next type 20
    racoon: DEBUG: add payload of len 20, next type 0
    racoon: DEBUG: 367 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 367 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 04100200 00000000 0000016f 0a000084 37c64011 e5577c0e dd48b06b 550e691b 28118042 1fd9a7bc 5924feca a51839c6 2f770aac de7aa085 30ef0706 80f3cef7 49e6028c e5aa6329 4b747be3 50a43c0c a1b743de 8341966b e9602a27 ef59fb35 1cf17246 050759c5 7768020f 0cf45564 5a80b349 85f5b511 d5668b75 8cbc132d 5d4613ee 31e2db04 4557144b e2ff52c6 07000014 e830e98b 0cf5e9e1 2a35121c 5f1c3b10 1400008b 04308183 310b3009 06035504 06130255 53310e30 0c060355 04081305 54657861 73310f30 0d060355 04071306 41757374 696e3119 30170603 55040a13 104d7920 436f6d70 616e7920 496e632e 20312230 2006092a 864886f7 0d010901 16136164 6d696e40 6d79636f 6d70616e 792e636f 6d311430 12060355 0403130b 696e7465 726e616c 2d636114 000018a7 d7526f5a 747267c8 81533a4c 85c794f9 667e8200 0000183a 07f12d52 924d801e 95ea2def 5550d414 366828
    racoon: DEBUG: resend phase1 packet 537c409a45c19353:f88c033e10dce8a6
    racoon: DEBUG: compute DH's shared.
    racoon: DEBUG:  6fca8c40 c2c9c130 2a74a222 bf4bdbe5 224263a6 f8eab4ba 853d4078 6656d777 9e5f7cc8 1323450e 0b7ae174 9a21e406 84184cef d8becef3 c4b2eed3 8fc3c4f3 72516b12 34737b37 4ddb9919 ccbc886e c39d1102 58558e07 90c8da78 5705e03b 6031e68e e6b8ccaf ca5308a2 33e4c937 e172fdc9 3f08c3c3 5fc624bc b388fb44
    racoon: DEBUG: nonce1: 
    racoon: DEBUG:  e1595c88 53dbbb00 6d5d78bb 812c49ef
    racoon: DEBUG: nonce2: 
    racoon: DEBUG:  e830e98b 0cf5e9e1 2a35121c 5f1c3b10
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: SKEYID computed:
    racoon: DEBUG:  ffced2c7 168ac9a9 55e0a461 6c45ec34 9c83f51e
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: SKEYID_d computed:
    racoon: DEBUG:  25aeb79d 78b7a0f6 e8cc26e3 5c517382 33c7ab12
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: SKEYID_a computed:
    racoon: DEBUG:  b4ca8210 47b613ee 8022bcee c763ad8a 96207976
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: SKEYID_e computed:
    racoon: DEBUG:  6bae8183 59017466 6144bef9 90cdaf82 8906e2bd
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: len(SKEYID_e) < len(Ka) (20 < 32), generating long key (Ka = K1 | K2 | ...)
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: compute intermediate encryption key K1
    racoon: DEBUG:  00
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: compute intermediate encryption key K2
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd
    racoon: DEBUG:  2cfa70e9 fb340244 cd18d5fb 487e45bf 58c2b299
    racoon: DEBUG: final encryption key computed:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV computed:
    racoon: DEBUG:  3039b56b 79a4a4ca bffbf05d 4bbff264
    racoon: DEBUG: ===
    racoon: DEBUG: 1660 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 05100201 00000000 0000067c 033edc6b cc030fe0 62e4a972 0afd50a6 3724f1ea c67ad32c 5a469fe5 edbdb72d 26074d1b 0250efc6 3298ef47 d424005c 8bc76fbc 7ed9a7a0 4bd82c4e 90777ca7 d521c53d 6db789dc 7d41b64b 6aa3300a e2055672 5c99544e 6b8ff0ed d2e821d3 1e829b48 73e07300 ab815af5 1eaf1aad 9eea25bc fb397d1b e4c5bc51 86da1224 b150bcd6 b413aacd 95a8f589 7c28a1d4 fe0e3d3c ae2c1bcc 9fd76c1c d76d904d 9d6af05c 357c8509 e66357be 41afc6a9 6d24974e 477f8c83 e2d8acad bf3e11d5 e5eb7436 24f7ad7e 988e2568 3ba2719f edff70ee bcbb63bd 8b217dfa 1375d596 c24e21a2 c7a2f7fd 97c4024c 837fc6f5 d06cb55a fa4d0a10 78b770a4 a1ab6418 d9d33f69 9b7cde05 6d357799 82dafd31 f2ecbe74 36d9fa56 652da5fc 671da8c8 7164ba82 d0311106 e2cf1a06 d50dbd33 9be28350 a551daf7 0dce7fd6 5cfaa73e 49528bb2 ae025877 346596e0 1291e1b7 a9e0b0f0 fd8d8139 0338da3e 31a84eab d11da987 17a69b57 d088e4b7 1650578b 49d693a4 be906971 3741276c 273f61cb b23c62b9 4c1efa70 cb62f16b 6d1117b2 bf88a766 ffee3e7e 435335d
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  d48116d4 e41ce2bc b3589b9d 3f4718ea
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  3039b56b 79a4a4ca bffbf05d 4bbff264
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  06000090 09000000 30818531 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31163014 06035504 03130d49 50536563 54657374 55736572 090004a4 04308204 9b308203 83a00302 01020201 03300d06 092a8648 86f70d01 01050500 30818331 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31143012 06035504 03130b69 6e746572 6e616c2d 6361301e 170d3132 30333038 30343238 32385a17 0d313330 33303830 34323832 385a3081 85310b30 09060355 04061302 5553310e 300c0603 55040813 05546578 6173310f 300d0603 55040713 06417573 74696e31 19301706 0355040a 13104d79 20436f6d 70616e79 20496e63 2e203122 30200609 2a864886 f70d0109 0116136
    racoon: DEBUG: padding len=8
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 05100201 00000000 0000067c 06000090 09000000 30818531 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31163014 06035504 03130d49 50536563 54657374 55736572 090004a4 04308204 9b308203 83a00302 01020201 03300d06 092a8648 86f70d01 01050500 30818331 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31143012 06035504 03130b69 6e746572 6e616c2d 6361301e 170d3132 30333038 30343238 32385a17 0d313330 33303830 34323832 385a3081 85310b30 09060355 04061302 5553310e 300c0603 55040813 05546578 6173310f 300d0603 55040713 06417573 74696e31 19301706 0355040a 13104d79 20436f6
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=5(id)
    racoon: DEBUG: seen nptype=6(cert)
    racoon: DEBUG: seen nptype=9(sig)
    racoon: DEBUG: seen nptype=7(cr)
    racoon: DEBUG: seen nptype=11(notify)
    racoon: DEBUG: succeed.
    racoon: [192.168.100.140] DEBUG: getrmconf_by_ph1: remote 192.168.100.140[500], identity C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=IPSecTestUser.
    racoon: [192.168.100.140] DEBUG: configuration "anonymous" selected.
    racoon: DEBUG: CERT saved:
    racoon: DEBUG:  04308204 9b308203 83a00302 01020201 03300d06 092a8648 86f70d01 01050500 30818331 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31143012 06035504 03130b69 6e746572 6e616c2d 6361301e 170d3132 30333038 30343238 32385a17 0d313330 33303830 34323832 385a3081 85310b30 09060355 04061302 5553310e 300c0603 55040813 05546578 6173310f 300d0603 55040713 06417573 74696e31 19301706 0355040a 13104d79 20436f6d 70616e79 20496e63 2e203122 30200609 2a864886 f70d0109 01161361 646d696e 406d7963 6f6d7061 6e792e63 6f6d3116 30140603 55040313 0d495053 65635465 73745573 65723082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100ae 55a5d193 9b45c02f 903b4364 c9c25cd5 06c6a488 a549ed65 3b3e6d27 8fabf101 b515fa5e 2b119534 a4c88ea6 2e4ac517 a40bf287 2d624ccc b569d353 a4a81974 e3d6cc99 e0f068b
    racoon: DEBUG: Certificate:     Data:         Version: 3 (0x2)         Serial Number: 3 (0x3)         Signature Algorithm: sha1WithRSAEncryption         Issuer: C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=internal-ca         Validity             Not Before: Mar  8 04:28:28 2012 GMT             Not After : Mar  8 04:28:28 2013 GMT         Subject: C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=IPSecTestUser         Subject Public Key Info:             Public Key Algorithm: rsaEncryption             RSA Public Key: (2048 bit)                 Modulus (2048 bit):                     00:ae:55:a5:d1:93:9b:45:c0:2f:90:3b:43:64:c9:                     c2:5c:d5:06:c6:a4:88:a5:49:ed:65:3b:3e:6d:27:                     8f:ab:f1:01:b5:15:fa:5e:2b:11:95:34:a4:c8:8e:                     a6:2e:4a:c5:17:a4:0b:f2:87:2d:62:4c:cc:b5:69:                     d3:53:a4:a8:19:74:e3:d6:cc:99:e0:f0:68:b3:06:                     bc:b0:bc:a6:c9:
    racoon: DEBUG: CR received:
    racoon: DEBUG:  04
    racoon: [192.168.100.140] DEBUG: getrmconf_by_ph1: remote 192.168.100.140[500], identity C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=IPSecTestUser.
    racoon: [192.168.100.140] DEBUG: no remote configuration found
    racoon: [192.168.100.140] DEBUG: getrmconf_by_ph1: remote 192.168.100.140[500], identity C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=IPSecTestUser.
    racoon: [192.168.100.140] DEBUG: configuration "anonymous" selected.
    racoon: DEBUG: SIGN passed:
    racoon: DEBUG:  2575c19a 052f9939 32181e52 10e88f4b 7d0a9f50 40921025 1915a46c ef0ae401 07f289aa 6f766533 be4739ad 74524fa5 4ff0c3e5 25bf6125 b1de109e 8bf04dcd d847c446 4db97928 9bc40f3a 360c1433 53141457 66593585 ab49d56a e21b6f8b 656f463d 02bd2edb 676463ad 83e973c5 9befa985 f386df39 3d3013bf bf7a47b2 a779dad9 702930ae a1c0d02e 2c8b6d20 531602c6 bd0018e3 6bce63eb 42c938c6 9e3886ee 41791501 18e68048 1c9e7562 6061522f 8fa6852f 0e942cf1 31999e8e 0a9d7be8 0d68b0a9 c02fa887 8236b821 8d7f3db7 a428daeb ccd4cd64 45458fa5 1a82b96b 07dc9a2c f5cd3c45 a5f30cf7 65afdff8 31109751 176055dc 67aeb8ac
    racoon: DEBUG: filename: /var/etc/ca-1.crt
    racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=US/ST=Texas/L=Austin/O=My Company Inc. /emailAddress=admin@mycompany.com/CN=IPSecTestUser
    racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=US/ST=Texas/L=Austin/O=My Company Inc. /emailAddress=admin@mycompany.com/CN=internal-ca
    racoon: DEBUG: CERT validated
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  3d1767b0 7e108eb7 31a5ac18 2414aea2 af9e43aa 869a4402 88c0b12b 4cb37338 79d49fc9 2942a05f 0df40cc6 ef30ad74 417fb552 1ff840f8 054b0fca 4d494565 06a1a04b f3c0f2df 47ce481e b45dc560 4eb3012b 871a7ee9 b84fe6d4 50a5d691 6ffdc59f 4747d7fd 51169f66 081dd911 922654b4 e495b8f1 da142432 9a79d960 37c64011 e5577c0e dd48b06b 550e691b 28118042 1fd9a7bc 5924feca a51839c6 2f770aac de7aa085 30ef0706 80f3cef7 49e6028c e5aa6329 4b747be3 50a43c0c a1b743de 8341966b e9602a27 ef59fb35 1cf17246 050759c5 7768020f 0cf45564 5a80b349 85f5b511 d5668b75 8cbc132d 5d4613ee 31e2db04 4557144b e2ff52c6 537c409a 45c19353 f88c033e 10dce8a6 00000001 00000001 00000160 0101000a 03000024 01010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040005 03000024 02010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040002 03000024 03010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020002 80040002 03000024 04010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040005 03000024 0501000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH (resp) computed:
    racoon: DEBUG:  4de4d2cd dd48faf9 7c11c82e 518da8bc d5a4f830
    racoon: DEBUG: SIG authenticated
    racoon: [192.168.100.140] DEBUG: peer's ID
    racoon: DEBUG:  09000000 30818531 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311930 17060355 040a1310 4d792043 6f6d7061 6e792049 6e632e20 31223020 06092a86 4886f70d 01090116 1361646d 696e406d 79636f6d 70616e79 2e636f6d 31163014 06035504 03130d49 50536563 54657374 55736572
    racoon: DEBUG: ===
    racoon: DEBUG: use ID type of DER_ASN1_DN
    racoon: DEBUG: generate HASH_R
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  37c64011 e5577c0e dd48b06b 550e691b 28118042 1fd9a7bc 5924feca a51839c6 2f770aac de7aa085 30ef0706 80f3cef7 49e6028c e5aa6329 4b747be3 50a43c0c a1b743de 8341966b e9602a27 ef59fb35 1cf17246 050759c5 7768020f 0cf45564 5a80b349 85f5b511 d5668b75 8cbc132d 5d4613ee 31e2db04 4557144b e2ff52c6 3d1767b0 7e108eb7 31a5ac18 2414aea2 af9e43aa 869a4402 88c0b12b 4cb37338 79d49fc9 2942a05f 0df40cc6 ef30ad74 417fb552 1ff840f8 054b0fca 4d494565 06a1a04b f3c0f2df 47ce481e b45dc560 4eb3012b 871a7ee9 b84fe6d4 50a5d691 6ffdc59f 4747d7fd 51169f66 081dd911 922654b4 e495b8f1 da142432 9a79d960 f88c033e 10dce8a6 537c409a 45c19353 00000001 00000001 00000160 0101000a 03000024 01010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040005 03000024 02010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020002 80040002 03000024 03010000 800b0001 800c0e10 80010007 800e0080 8003fded 80020002 80040002 03000024 04010000 800b0001 800c0e10 80010007 800e0100 8003fded 80020001 80040005 03000024 0501000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH (resp) computed:
    racoon: DEBUG:  20197045 7e3f3a33 63943b32 eb95c03f 628a3a85
    racoon: DEBUG: filename: /var/etc/cert-1.key
    racoon: DEBUG: SIGN computed:
    racoon: DEBUG:  1645d80d add4e5fb fb7a974e 4e94655d 9dba9abc 9b175050 680649fb 7ed8450a b2c93056 971a7e96 8a5c7883 3701cde7 d7fa1535 af4d941c 903149c6 0ce68e6d bd49cd12 26a58189 c3c4df56 ca0b60c5 b8c839e9 a1a4c7e8 b0522ec4 537518fc d3ee8185 2781b562 96d2923c 8f5ac75b 45559763 b75879e8 b9fece55 39e78d25 a3a69b72 394882eb 381d79f5 6c79c85b b852e1dc 16bf76af d0149126 b1f8e1b5 74738416 1931fb1d 34b18563 958fd2df bad603b9 c6916e69 5c6862ed 94e37fa4 9d9798f6 66276153 a9c54f24 b53e939d 9b0c21b4 059e1ded e8223d6d bd85ab6c df03749f f4e04d1a edfa4401 81aea4d8 92b88df0 41d2b1b4 ddfd6336 e16cdd71
    racoon: DEBUG: add payload of len 142, next type 6
    racoon: DEBUG: add payload of len 1241, next type 9
    racoon: DEBUG: add payload of len 256, next type 0
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 13
    racoon: DEBUG:  06000092 09000000 30818731 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311730 15060355 040a130e 4d792043 6f6d7061 6e792049 6e633122 30200609 2a864886 f70d0109 01161361 646d696e 406d7963 6f6d7061 6e792e63 6f6d311a 30180603 55040313 11697073 65632e65 78616d70 6c652e63 6f6d0900 04dd0430 8204d430 8203bca0 03020102 02010230 0d06092a 864886f7 0d010105 05003081 83310b30 09060355 04061302 5553310e 300c0603 55040813 05546578 6173310f 300d0603 55040713 06417573 74696e31 19301706 0355040a 13104d79 20436f6d 70616e79 20496e63 2e203122 30200609 2a864886 f70d0109 01161361 646d696e 406d7963 6f6d7061 6e792e63 6f6d3114 30120603 55040313 0b696e74 65726e61 6c2d6361 301e170d 31323033 30383033 35343130 5a170d31 33303330 38303335 3431305a 30818731 0b300906 03550406 13025553 310e300c 06035504 08130554 65786173 310f300d 06035504 07130641 75737469 6e311730 15060355 040a130e 4d792043 6f6d7061 6e792049 6e633122 30200609 2a864886 f70d0109 0116136
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  d48116d4 e41ce2bc b3589b9d 3f4718ea
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 1692 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 1692 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 05100201 00000000 0000069c f4a1dad8 4e9da516 fbf7aecd d838e631 4e0937a6 5f0de039 67063548 e346df09 847693c1 feb41a8c 4e65ea5f c40f62e9 43ed05d8 b479bf38 9a242dfa 003bda5e 3d2af9dc 61972193 2f015531 7eb39bbc de772e5f baed0a0c 5c42d1a3 37d77c72 4b1b0e86 ffc03b51 268624ff bcb0acdf 89664a04 a7e4f2c1 cb237264 d3ff2ead fefe2f2a 39d7df36 3723d00f 48c809be ffe78664 34731adf ae5f02ec 6a667719 b274d58b 7a1855a4 f5eda239 da7da62c 5c40ce93 022d3e22 257a9e40 6774a494 69d64fdc d52ffdf0 9c061e33 726f5e02 3d9e050d 32077202 3f469ce3 f81e7798 8dcb0b0e 4a5e0bb8 89bd5eb0 a6d31365 542e19f2 edb330c3 ddf53483 ea9dd4ae bba95052 aaf4a674 6802bfa2 f5261108 d5783114 2cc6f082 f9f3ea02 0d4b59d6 cd19be37 f3b9a226 7c14c9a3 c68b9e08 99502654 3796dfe3 359a141f 0c768763 b798485e 3f6fd7ad 5a17330d efcb9773 94eb960a eaf3a2d8 8e1d8568 8ec11fc6 2ee70984 71081449 b64ce9cd 95258ba4 3d371a5b af94991e 0bdc9862 499b94b1 97d44c13 7b62aedf dc070845 ef891a04 90f99c40 965d1fb0 089fcaf
    racoon: INFO: Sending Xauth request
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 b4d735b5
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  f7b69c7a 1ee4c566 d9b001fc 4ba020dd
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  b4d735b5 00000014 01007de4 c0880000 40890000 408a0000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  7ec5727f 4e90b7d0 85497beb 01420786 f2d4bbd7
    racoon: DEBUG: MODE_CFG packet to send
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 b4d735b5 00000048 0e000018 7ec5727f 4e90b7d0 85497beb 01420786 f2d4bbd7 00000014 01007de4 c0880000 40890000 408a0000
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 4
    racoon: DEBUG:  0e000018 7ec5727f 4e90b7d0 85497beb 01420786 f2d4bbd7 00000014 01007de4 c0880000 40890000 408a0000 acbcae03
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  f7b69c7a 1ee4c566 d9b001fc 4ba020dd
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  d7111300 b717e8d8 2a24491c 402c4508
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 76 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 76 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 b4d735b5 0000004c 429b288d c4f1c5ec f61929d5 a5ad18a7 525ee01c 7c11e763 89842fa2 87b931e0 d7111300 b717e8d8 2a24491c 402c4508
    racoon: DEBUG: sendto mode config attr.
    racoon: [192.168.100.140] INFO: received INITIAL-CONTACT
    racoon: DEBUG: call pfkey_send_dump
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: INFO: ISAKMP-SA established 192.168.100.207[500]-192.168.100.140[500] spi:537c409a45c19353:f88c033e10dce8a6
    racoon: DEBUG: ===
    racoon: DEBUG: ===
    racoon: DEBUG: 92 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 b4d735b5 0000005c ae5c44b8 32af008d 41f15da3 95bfd9d2 b9757629 fe90931f 17d60eca d3ff5c0b bb5b6e3f 8ad4310c 0ee1a3a0 1cfd4b65 a7df025a f407182f 468c45ac 0c98c640
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  a7df025a f407182f 468c45ac 0c98c640
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  d7111300 b717e8d8 2a24491c 402c4508
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  0e000018 87acd176 e81606bb 3688adde 616319df e42b750b 00000023 02007d00 4089000d 49505365 63546573 74557365 72408a00 06616263 31323300 00000005
    racoon: DEBUG: padding len=6
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 b4d735b5 0000005c 0e000018 87acd176 e81606bb 3688adde 616319df e42b750b 00000023 02007d00 4089000d 49505365 63546573 74557365 72408a00 06616263 31323300 00000005
    racoon: DEBUG: MODE_CFG packet
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 b4d735b5 0000005c 0e000018 87acd176 e81606bb 3688adde 616319df e42b750b 00000023 02007d00 4089000d 49505365 63546573 74557365 72408a00 06616263 31323300 00000005
    racoon: DEBUG: Seen payload 8
    racoon: DEBUG:  0e000018 87acd176 e81606bb 3688adde 616319df e42b750b
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  b4d735b5 00000023 02007d00 4089000d 49505365 63546573 74557365 72408a00 06616263 313233
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  87acd176 e81606bb 3688adde 616319df e42b750b
    racoon: DEBUG: Seen payload 14
    racoon: DEBUG:  00000023 02007d00 4089000d 49505365 63546573 74557365 72408a00 06616263 313233
    racoon: DEBUG: Configuration exchange type mode config REPLY
    racoon: DEBUG: Attribute XAUTH_USER_NAME, len 13
    racoon: DEBUG: Attribute XAUTH_USER_PASSWORD, len 6
    racoon: INFO: Using port 0
    racoon: INFO: login succeeded for user "IPSecTestUser"
    racoon: DEBUG: IV freed
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 8454f473
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  d2b4f385 ae5d0a84 6e9f3add 51900688
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  8454f473 0000000c 03007d00 c08f0001
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  03983d49 b12e156d cab735e4 4a8cb6ee fe31d984
    racoon: DEBUG: MODE_CFG packet to send
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 8454f473 00000040 0e000018 03983d49 b12e156d cab735e4 4a8cb6ee fe31d984 0000000c 03007d00 c08f0001
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 12
    racoon: DEBUG:  0e000018 03983d49 b12e156d cab735e4 4a8cb6ee fe31d984 0000000c 03007d00 c08f0001 fba4d6e1 f7d184ba b5b7c40b
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  d2b4f385 ae5d0a84 6e9f3add 51900688
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  9a91f15c 0243ebca 9df590f5 7b48d857
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 76 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 76 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 8454f473 0000004c 5103ce8b cb9f1bb4 508dc361 4cd2c1f6 b32a1764 6baa5977 b3d10044 3d281c74 9a91f15c 0243ebca 9df590f5 7b48d857
    racoon: DEBUG: sendto mode config attr.
    racoon: DEBUG: ===
    racoon: DEBUG: 76 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 8454f473 0000004c 6e5af210 e9896ab3 4a626fd0 8f6ee048 0c14d44c a62cab85 c65f5c32 9b31515b 487b3b13 17c91d94 4153b8d6 db7f834e
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  487b3b13 17c91d94 4153b8d6 db7f834e
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  9a91f15c 0243ebca 9df590f5 7b48d857
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  0e000018 255169e1 4ff47580 30c41723 4f6575a8 aa14c087 0000000c 04007d00 c08f0000 00000000 00000000 0000000c
    racoon: DEBUG: padding len=13
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 8454f473 0000004c 0e000018 255169e1 4ff47580 30c41723 4f6575a8 aa14c087 0000000c 04007d00 c08f0000 00000000 00000000 0000000c
    racoon: DEBUG: MODE_CFG packet
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 8454f473 0000004c 0e000018 255169e1 4ff47580 30c41723 4f6575a8 aa14c087 0000000c 04007d00 c08f0000 00000000 00000000 0000000c
    racoon: DEBUG: Seen payload 8
    racoon: DEBUG:  0e000018 255169e1 4ff47580 30c41723 4f6575a8 aa14c087
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  8454f473 0000000c 04007d00 c08f0000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  255169e1 4ff47580 30c41723 4f6575a8 aa14c087
    racoon: DEBUG: Seen payload 14
    racoon: DEBUG:  0000000c 04007d00 c08f0000
    racoon: DEBUG: Configuration exchange type mode config ACK
    racoon: DEBUG: IV freed
    racoon: DEBUG: ===
    racoon: DEBUG: 172 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 cd42ec74 000000ac 567fc8ad 5121bcbc 35044c74 bb5460df 7c4056a5 90fdeb1e c6888303 c6b87173 11da9458 57173605 44f54b60 66686118 e06a6f71 419c1941 e43d477d dc53feb8 456a5676 4d544943 b99b3e24 a14c69b4 b03097e7 17f0d78a 40f3f0f5 a116f1c2 2f691a83 244e8bdb cdecad20 1376d0cf da838015 a4ae8fb0 a220a8c7 4c0425e8 e4147734 c07f9d1e ac744399 68638f2e
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 cd42ec74
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  1fd9577e 6422cc28 fef79d07 980e88fd
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  e4147734 c07f9d1e ac744399 68638f2e
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  1fd9577e 6422cc28 fef79d07 980e88fd
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  0e000018 a0df4fc0 82e37ff6 d549adbe 3fdb1899 251d9626 0000006e 0100b1b8 00010000 00020000 00030000 00040000 00050000 00070026 43697363 6f205379 7374656d 73205650 4e20436c 69656e74 20352e31 3a695068 6f6e6520 4f537000 00007002 00007003 00007004 00007006 00007007 00007001 00007008 00007009 0000700b 00000000 00000000 0000000a
    racoon: DEBUG: padding len=11
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 cd42ec74 000000ac 0e000018 a0df4fc0 82e37ff6 d549adbe 3fdb1899 251d9626 0000006e 0100b1b8 00010000 00020000 00030000 00040000 00050000 00070026 43697363 6f205379 7374656d 73205650 4e20436c 69656e74 20352e31 3a695068 6f6e6520 4f537000 00007002 00007003 00007004 00007006 00007007 00007001 00007008 00007009 0000700b 00000000 00000000 0000000a
    racoon: DEBUG: MODE_CFG packet
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 cd42ec74 000000ac 0e000018 a0df4fc0 82e37ff6 d549adbe 3fdb1899 251d9626 0000006e 0100b1b8 00010000 00020000 00030000 00040000 00050000 00070026 43697363 6f205379 7374656d 73205650 4e20436c 69656e74 20352e31 3a695068 6f6e6520 4f537000 00007002 00007003 00007004 00007006 00007007 00007001 00007008 00007009 0000700b 00000000 00000000 0000000a
    racoon: DEBUG: Seen payload 8
    racoon: DEBUG:  0e000018 a0df4fc0 82e37ff6 d549adbe 3fdb1899 251d9626
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  cd42ec74 0000006e 0100b1b8 00010000 00020000 00030000 00040000 00050000 00070026 43697363 6f205379 7374656d 73205650 4e20436c 69656e74 20352e31 3a695068 6f6e6520 4f537000 00007002 00007003 00007004 00007006 00007007 00007001 00007008 00007009 0000700b 0000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  a0df4fc0 82e37ff6 d549adbe 3fdb1899 251d9626
    racoon: DEBUG: Seen payload 14
    racoon: DEBUG:  0000006e 0100b1b8 00010000 00020000 00030000 00040000 00050000 00070026 43697363 6f205379 7374656d 73205650 4e20436c 69656e74 20352e31 3a695068 6f6e6520 4f537000 00007002 00007003 00007004 00007006 00007007 00007001 00007008 00007009 0000700b 0000
    racoon: DEBUG: Configuration exchange type mode config REQUEST
    racoon: DEBUG: Attribute INTERNAL_IP4_ADDRESS, len 0
    racoon: DEBUG: Attribute INTERNAL_IP4_NETMASK, len 0
    racoon: DEBUG: Attribute INTERNAL_IP4_DNS, len 0
    racoon: DEBUG: Attribute INTERNAL_IP4_NBNS, len 0
    racoon: DEBUG: Attribute INTERNAL_ADDRESS_EXPIRY, len 0
    racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    racoon: DEBUG: Attribute APPLICATION_VERSION, len 38
    racoon: DEBUG: Attribute UNITY_BANNER, len 0
    racoon: ERROR: Cannot open "/etc/motd"
    racoon: DEBUG: Attribute UNITY_DEF_DOMAIN, len 0
    racoon: DEBUG: Attribute UNITY_SPLITDNS_NAME, len 0
    racoon: DEBUG: Attribute UNITY_SPLIT_INCLUDE, len 0
    racoon: DEBUG: Attribute UNITY_LOCAL_LAN, len 0
    racoon: DEBUG: Attribute UNITY_PFS, len 0
    racoon: DEBUG: Attribute UNITY_SAVE_PASSWD, len 0
    racoon: DEBUG: Attribute UNITY_FW_TYPE, len 0
    racoon: DEBUG: Ignored attribute UNITY_FW_TYPE
    racoon: DEBUG: Attribute UNITY_BACKUP_SERVERS, len 0
    racoon: DEBUG: Ignored attribute UNITY_BACKUP_SERVERS
    racoon: DEBUG: Attribute 28683, len 0
    racoon: WARNING: Ignored attribute 28683
    racoon: DEBUG: Sending MODE_CFG REPLY
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  cd42ec74 0000005f 0200b1b8 00010004 c0a8c801 00020004 ffffff00 00030004 c0a83864 00070014 7261636f 6f6e202f 20495073 65632d74 6f6f6c73 7002000b 6578616d 706c652e 636f6d70 03000c65 78616d70 6c652e63 6f6d00f0 070000f0 010001
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  9f338323 73c175ca 1b85af02 7ade404a 55b37e1c
    racoon: DEBUG: MODE_CFG packet to send
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 cd42ec74 00000093 0e000018 9f338323 73c175ca 1b85af02 7ade404a 55b37e1c 0000005f 0200b1b8 00010004 c0a8c801 00020004 ffffff00 00030004 c0a83864 00070014 7261636f 6f6e202f 20495073 65632d74 6f6f6c73 7002000b 6578616d 706c652e 636f6d70 03000c65 78616d70 6c652e63 6f6d00f0 070000f0 010001
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 9
    racoon: DEBUG:  0e000018 9f338323 73c175ca 1b85af02 7ade404a 55b37e1c 0000005f 0200b1b8 00010004 c0a8c801 00020004 ffffff00 00030004 c0a83864 00070014 7261636f 6f6e202f 20495073 65632d74 6f6f6c73 7002000b 6578616d 706c652e 636f6d70 03000c65 78616d70 6c652e63 6f6d00f0 070000f0 0100018f bcc5afe4 d3e2c908
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  e4147734 c07f9d1e ac744399 68638f2e
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  bfa83987 211e2d1c 11897699 b2e2b18f
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 156 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 156 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100601 cd42ec74 0000009c f39802a5 fea1a71a 13af8afc 9d4b237a 7a731a8e 6398abcd fab3947f 2cc327a2 31134b29 56ad1b77 8ed002e2 7fd21564 ddeb8128 05b03c6c 19ed36ff 62ca6455 88e5c80e e2f8fd8a 55b96b36 924f973f 3ff6e90e 1074943d 474a16a9 0bf5404e 818ef62e cd05c0dc e3ab129e e4000934 bfa83987 211e2d1c 11897699 b2e2b18f
    racoon: DEBUG: sendto mode config attr.
    racoon: DEBUG: ===
    racoon: DEBUG: 300 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000012c 2bcbdd8d aa743007 fd6aacda eb2a75ea 9105374f 2185e8f6 8720ef77 91963cfc d70c3895 c6aca863 2b0dabf6 e112251d e21a96bc e7033717 2f38be86 c4d5c8c3 98f7f15c be6580ea e5a98a9c 5e904cdb 75b68dcc ed6ffbac f0769e99 beddca06 60dcbe4a 8eb5e6b5 3c70b51e f0f04691 d23804ac d55890ee 1a88a6a7 876c0b09 ba3c0939 283ea378 110a876c 9692ed67 6708b915 ad768354 1d09a47d e8709a51 434553bf 716cf1d3 3b88a3be 193116af cc0b0466 e37958a6 cc8ee66a 3e010cda e83f5e10 9776eda9 064ad76e 32911846 fbf8e182 62a9c504 b625704c 0d72a9a1 5694fad7 3ab6f9d4 c118d935 5c526c17 cec01a59 6727b81f 20d20335 c869d5bd 1e4cb008 aa346cd7 0e579812 85837c48
    racoon: DEBUG: IV freed
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 4d0703b8
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  317de4e2 a4a75be9 4dda0324 ae6c90b2
    racoon: DEBUG: ===
    racoon: INFO: respond new phase 2 negotiation: 192.168.100.207[500]<=>192.168.100.140[500]
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  1e4cb008 aa346cd7 0e579812 85837c48
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  317de4e2 a4a75be9 4dda0324 ae6c90b2
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  01000018 45f14127 042b80d4 72bb4f3f b8e8833e f0611fcd 0a0000b8 00000001 00000001 000000ac 01030406 048ff404 0300001c 010c0000 80010001 80020e10 80040001 80060100 80050002 0300001c 020c0000 80010001 80020e10 80040001 80060100 80050001 0300001c 030c0000 80010001 80020e10 80040001 80060080 80050002 0300001c 040c0000 80010001 80020e10 80040001 80060080 80050001 03000018 05030000 80010001 80020e10 80040001 80050002 00000018 06030000 80010001 80020e10 80040001 80050001 05000014 6a31c229 33d3bd66 5c5108e7 760f77da 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 00000000 00000000 00000000 00000010
    racoon: DEBUG: padding len=17
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000012c 01000018 45f14127 042b80d4 72bb4f3f b8e8833e f0611fcd 0a0000b8 00000001 00000001 000000ac 01030406 048ff404 0300001c 010c0000 80010001 80020e10 80040001 80060100 80050002 0300001c 020c0000 80010001 80020e10 80040001 80060100 80050001 0300001c 030c0000 80010001 80020e10 80040001 80060080 80050002 0300001c 040c0000 80010001 80020e10 80040001 80060080 80050001 03000018 05030000 80010001 80020e10 80040001 80050002 00000018 06030000 80010001 80020e10 80040001 80050001 05000014 6a31c229 33d3bd66 5c5108e7 760f77da 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 00000000 00000000 00000000 00000010
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=8(hash)
    racoon: DEBUG: seen nptype=1(sa)
    racoon: DEBUG: seen nptype=10(nonce)
    racoon: DEBUG: seen nptype=5(id)
    racoon: DEBUG: seen nptype=5(id)
    racoon: DEBUG: succeed.
    racoon: DEBUG: received IDci2:
    racoon: DEBUG:  01000000 c0a8c801
    racoon: DEBUG: received IDcr2:
    racoon: DEBUG:  04000000 00000000 00000000
    racoon: DEBUG: HASH(1) validate:
    racoon: DEBUG:  45f14127 042b80d4 72bb4f3f b8e8833e f0611fcd
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  4d0703b8 0a0000b8 00000001 00000001 000000ac 01030406 048ff404 0300001c 010c0000 80010001 80020e10 80040001 80060100 80050002 0300001c 020c0000 80010001 80020e10 80040001 80060100 80050001 0300001c 030c0000 80010001 80020e10 80040001 80060080 80050002 0300001c 040c0000 80010001 80020e10 80040001 80060080 80050001 03000018 05030000 80010001 80020e10 80040001 80050002 00000018 06030000 80010001 80020e10 80040001 80050001 05000014 6a31c229 33d3bd66 5c5108e7 760f77da 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  45f14127 042b80d4 72bb4f3f b8e8833e f0611fcd
    racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='192.168.200.1' peer='C=US, ST=Texas, L=Austin, O=My Company Inc. /emailAddress=admin@mycompany.com, CN=IPSecTestUser' client='192.168.200.1' id=1
    racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
    racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
    racoon: DEBUG: Either family (2 - 2), types (1 - 0) of ID from initiator differ or matching sainfo has no id_i defined for the peer. Not filling iph2->sa_src and iph2->sa_dst.
    racoon: DEBUG: get src address from ID payload 192.168.200.1[0] prefixlen=32 ul_proto=255
    racoon: DEBUG: get dst address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255
    racoon: DEBUG: sub:0xbfbfe3c0: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe3c0: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db: 0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: 0xbfbfe3c0 masked with /24: 192.168.200.0[0]
    racoon: DEBUG: 0x28548148 masked with /24: 192.168.56.0[0]
    racoon: DEBUG: sub:0xbfbfe3c0: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe3c0: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db: 0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: INFO: no policy found, try to generate the policy : 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: total SA len=180
    racoon: DEBUG:  00000001 00000001 000000ac 01030406 048ff404 0300001c 010c0000 80010001 80020e10 80040001 80060100 80050002 0300001c 020c0000 80010001 80020e10 80040001 80060100 80050001 0300001c 030c0000 80010001 80020e10 80040001 80060080 80050002 0300001c 040c0000 80010001 80020e10 80040001 80060080 80050001 03000018 05030000 80010001 80020e10 80040001 80050002 00000018 06030000 80010001 80020e10 80040001 80050001
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=2(prop)
    racoon: DEBUG: succeed.
    racoon: DEBUG: proposal #1 len=172
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: succeed.
    racoon: DEBUG: transform #1 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #2 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: transform #3 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #4 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: transform #5 len=24
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #6 len=24
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: pair 1:
    racoon: DEBUG:  0x28520760: next=0x0 tnext=0x28520770
    racoon: DEBUG:   0x28520770: next=0x0 tnext=0x28520780
    racoon: DEBUG:    0x28520780: next=0x0 tnext=0x28520790
    racoon: DEBUG:     0x28520790: next=0x0 tnext=0x285207a0
    racoon: DEBUG:      0x285207a0: next=0x0 tnext=0x285207b0
    racoon: DEBUG:       0x285207b0: next=0x0 tnext=0x0
    racoon: DEBUG: proposal #1: 6 transform
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=3DES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=3DES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: make a proposal from peer's:
    racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=048ff404 encmode=Tunnel reqid=1:1)
    racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
    racoon: DEBUG: total SA len=180
    racoon: DEBUG:  00000001 00000001 000000ac 01030406 048ff404 0300001c 010c0000 80010001 80020e10 80040001 80060100 80050002 0300001c 020c0000 80010001 80020e10 80040001 80060100 80050001 0300001c 030c0000 80010001 80020e10 80040001 80060080 80050002 0300001c 040c0000 80010001 80020e10 80040001 80060080 80050001 03000018 05030000 80010001 80020e10 80040001 80050002 00000018 06030000 80010001 80020e10 80040001 80050001
    racoon: DEBUG: begin.
    
    


  • Had to split this in two since the post was too large.

    
    racoon: DEBUG: seen nptype=2(prop)
    racoon: DEBUG: succeed.
    racoon: DEBUG: proposal #1 len=172
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: succeed.
    racoon: DEBUG: transform #1 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #2 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: transform #3 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #4 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: transform #5 len=24
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: transform #6 len=24
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: pair 1:
    racoon: DEBUG:  0x28520760: next=0x0 tnext=0x28520770
    racoon: DEBUG:   0x28520770: next=0x0 tnext=0x28520780
    racoon: DEBUG:    0x28520780: next=0x0 tnext=0x28520790
    racoon: DEBUG:     0x28520790: next=0x0 tnext=0x285207a0
    racoon: DEBUG:      0x285207a0: next=0x0 tnext=0x285207b0
    racoon: DEBUG:       0x285207b0: next=0x0 tnext=0x0
    racoon: DEBUG: proposal #1: 6 transform
    racoon: DEBUG: begin compare proposals.
    racoon: DEBUG: pair[1]: 0x28520760
    racoon: DEBUG:  0x28520760: next=0x0 tnext=0x28520770
    racoon: DEBUG:   0x28520770: next=0x0 tnext=0x28520780
    racoon: DEBUG:    0x28520780: next=0x0 tnext=0x28520790
    racoon: DEBUG:     0x28520790: next=0x0 tnext=0x285207a0
    racoon: DEBUG:      0x285207a0: next=0x0 tnext=0x285207b0
    racoon: DEBUG:       0x285207b0: next=0x0 tnext=0x0
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=1 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=2 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=3 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=4 trns-id=AES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=128
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=5 trns-id=3DES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: prop#=1 prot-id=ESP spi-size=4 #trns=6 trns#=6 trns-id=3DES
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-md5
    racoon: DEBUG: peer's single bundle:
    racoon: DEBUG:  (proto_id=ESP spisize=4 spi=048ff404 spi_p=00000000 encmode=Tunnel reqid=0:0)
    racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
    racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-md5)
    racoon: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-sha)
    racoon: DEBUG:   (trns_id=AES encklen=128 authtype=hmac-md5)
    racoon: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
    racoon: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-md5)
    racoon: DEBUG: my single bundle:
    racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=048ff404 encmode=Tunnel reqid=1:1)
    racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
    racoon: DEBUG: matched
    racoon: DEBUG: ===
    racoon: DEBUG: call pfkey_send_getspi
    racoon: DEBUG: pfkey GETSPI sent: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] 
    racoon: DEBUG: pfkey getspi sent.
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey GETSPI message
    racoon: DEBUG: pfkey GETSPI succeeded: ESP/Tunnel 192.168.100.140[500]->192.168.100.207[500] spi=166958688(0x9f39660)
    racoon: DEBUG: total SA len=48
    racoon: DEBUG:  00000001 00000001 00000028 01030401 00000000 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=2(prop)
    racoon: DEBUG: succeed.
    racoon: DEBUG: proposal #1 len=40
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=3(trns)
    racoon: DEBUG: succeed.
    racoon: DEBUG: transform #1 len=28
    racoon: DEBUG: type=SA Life Type, flag=0x8000, lorv=seconds
    racoon: DEBUG: type=SA Life Duration, flag=0x8000, lorv=3600
    racoon: DEBUG: life duration was in TLV.
    racoon: DEBUG: type=Encryption Mode, flag=0x8000, lorv=Tunnel
    racoon: DEBUG: type=Key Length, flag=0x8000, lorv=256
    racoon: DEBUG: type=Authentication Algorithm, flag=0x8000, lorv=hmac-sha
    racoon: DEBUG: pair 1:
    racoon: DEBUG:  0x28520760: next=0x0 tnext=0x0
    racoon: DEBUG: proposal #1: 1 transform
    racoon: DEBUG: add payload of len 48, next type 10
    racoon: DEBUG: add payload of len 16, next type 5
    racoon: DEBUG: add payload of len 8, next type 5
    racoon: DEBUG: add payload of len 12, next type 0
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  4d0703b8 6a31c229 33d3bd66 5c5108e7 760f77da 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c
    racoon: DEBUG: add payload of len 20, next type 1
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 4
    racoon: DEBUG:  01000018 daadcc9f 491b7366 198c16f7 6a789f74 0887dc0c 0a000034 00000001 00000001 00000028 01030401 09f39660 0000001c 010c0000 80010001 80020e10 80040001 80060100 80050002 05000014 fff609b5 8407a260 70400fc5 48653f1a 0500000c 01000000 c0a8c801 00000010 04000000 00000000 00000000 85dabf03
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  1e4cb008 aa346cd7 0e579812 85837c48
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  ae6a34bd baa55ef6 7795ccaa 62d95c09
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 156 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 156 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000009c 35099f8e 319bc018 10aeb6da 5aaeca8f 384b7057 436e639e a67e565e b452334b dc4c5f76 931fdf75 5c4a6297 37c8a6b2 607359a9 ccb2f238 31b48a15 8b0f72ad 265d93cf 9131418b 454bb500 589c8382 fa472861 9894527f e8bd613b 09e33cd5 2cc551c5 fc608768 aade28b5 075e9a5b ae6a34bd baa55ef6 7795ccaa 62d95c09
    racoon: DEBUG: resend phase2 packet 537c409a45c19353:f88c033e10dce8a6:00004d07
    racoon: DEBUG: ===
    racoon: DEBUG: 60 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c db1bb59b 33b7a58d 9c60ff6b 79711823 e59efbb6 f09316b7 f166bc47 b17c85c7
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  e59efbb6 f09316b7 f166bc47 b17c85c7
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  ae6a34bd baa55ef6 7795ccaa 62d95c09
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008
    racoon: DEBUG: padding len=9
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08102001 4d0703b8 0000003c 00000018 b1f68910 dea74feb ed694386 e18e5aee 1c7712f7 00000000 00000008
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=8(hash)
    racoon: DEBUG: succeed.
    racoon: DEBUG: HASH(3) validate:
    racoon: DEBUG:  b1f68910 dea74feb ed694386 e18e5aee 1c7712f7
    racoon: DEBUG: HASH with: 
    racoon: DEBUG:  004d0703 b86a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  b1f68910 dea74feb ed694386 e18e5aee 1c7712f7
    racoon: DEBUG: ===
    racoon: DEBUG: KEYMAT compute with
    racoon: DEBUG:  0309f396 606a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: hmac(sha1)
    racoon: DEBUG: encklen=256 authklen=160
    racoon: DEBUG: generating 640 bits of key (dupkeymat=4)
    racoon: DEBUG: generating K1...K4 for KEYMAT.
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG:  ecccf0f4 53bf3288 3f5b60f8 be6712e4 95e7e3e8 09a43f42 064de661 bacec002 3c09009f a2bef76b 05afe1e0 70275a97 a8942e49 afd8d66b 538543f1 251e7294 237f6b86 ba2f16e3 c6a3ad9c 33516374
    racoon: DEBUG: KEYMAT compute with
    racoon: DEBUG:  03048ff4 046a31c2 2933d3bd 665c5108 e7760f77 dafff609 b58407a2 6070400f c548653f 1a
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: hmac(sha1)
    racoon: DEBUG: encklen=256 authklen=160
    racoon: DEBUG: generating 640 bits of key (dupkeymat=4)
    racoon: DEBUG: generating K1...K4 for KEYMAT.
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG:  39d7f4e3 5cc4bff8 6f98af36 10f00a35 36bf2d4d c8d2f945 ac6072b8 97172865 5e77e8fe 13a3f336 6431c4f9 9309909c c700a9c5 b8db7d0e 2d9592d2 598624c0 5678e504 e9d24581 3715b0c9 ae99f097
    racoon: DEBUG: KEYMAT computed.
    racoon: DEBUG: call pk_sendupdate
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: hmac(sha1)
    racoon: DEBUG: call pfkey_send_update2
    racoon: DEBUG: pfkey update sent.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: hmac(sha1)
    racoon: DEBUG: call pfkey_send_add2 (NAT flavor)
    racoon: DEBUG: call pfkey_send_add2
    racoon: DEBUG: pfkey add sent.
    racoon: DEBUG: call pfkey_send_spdupdate2
    racoon: DEBUG: pfkey spdupdate2(inbound) sent.
    racoon: DEBUG: call pfkey_send_spdupdate2
    racoon: DEBUG: pfkey spdupdate2(outbound) sent.
    racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe298: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe298: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey UPDATE message
    racoon: DEBUG: pfkey UPDATE succeeded: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660)
    racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=166958688(0x9f39660)
    racoon: DEBUG: ===
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey ADD message
    racoon: INFO: IPsec-SA established: ESP 192.168.100.207[500]->192.168.100.140[500] spi=76542980(0x48ff404)
    racoon: DEBUG: ===
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey X_SPDUPDATE message
    racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe5f4: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: this policy did not exist for removal: "192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in"
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey X_SPDUPDATE message
    racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe5f4: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: this policy did not exist for removal: "0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out"
    racoon: DEBUG: pk_recv: retry[0] recv() 
    racoon: DEBUG: got pfkey ACQUIRE message
    racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out.
    racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548148: 192.168.56.0/24[0] 192.168.56.100/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548508: 192.168.56.100/32[0] 192.168.56.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe5f8: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: db :0x28548288: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in
    racoon: DEBUG: suitable inbound SP found: 192.168.200.1/32[0] 0.0.0.0/0[0] proto=any dir=in.
    racoon: DEBUG: new acquire 0.0.0.0/0[0] 192.168.200.1/32[0] proto=any dir=out
    racoon: [192.168.100.140] DEBUG: configuration "anonymous" selected.
    racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='192.168.200.1' peer='NULL' client='NULL' id=1
    racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
    racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
    racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=1
    racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=1:1)
    racoon: DEBUG:   (trns_id=AES encklen=256 authtype=hmac-sha)
    racoon: DEBUG: in post_acquire
    racoon: [192.168.100.140] DEBUG: no remote configuration found.
    racoon: ERROR: no configuration found for 192.168.100.140.
    racoon: ERROR: failed to begin ipsec sa negotication.
    racoon: [192.168.100.140] DEBUG: DPD monitoring....
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 e750ef7b
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  16387c90 dd9908f4 60822939 d708793c
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  e750ef7b 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d
    racoon: DEBUG: begin encryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: pad length = 8
    racoon: DEBUG:  0b000018 17defe05 2c5770a7 c0925fdb 1e7d9bdd f64b082d 00000020 00000001 01108d28 537c409a 45c19353 f88c033e 10dce8a6 000001a8 e8e1dda4 fde69807
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: encrypted payload by IV:
    racoon: DEBUG:  16387c90 dd9908f4 60822939 d708793c
    racoon: DEBUG: save IV for next:
    racoon: DEBUG:  0a6e8914 59b022ff d5c30169 b85841f5
    racoon: DEBUG: encrypted.
    racoon: DEBUG: 92 bytes from 192.168.100.207[500] to 192.168.100.140[500]
    racoon: DEBUG: sockname 192.168.100.207[500]
    racoon: DEBUG: send packet from 192.168.100.207[500]
    racoon: DEBUG: send packet to 192.168.100.140[500]
    racoon: DEBUG: 1 times of 92 bytes message will be sent to 192.168.100.140[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 e750ef7b 0000005c 496f8b54 86bc5ff0 3432bd87 781daff2 35a04181 0271f44f b8d2a50d c0c819f9 d7c8f93d 92b3e3f9 8115ce46 5c99febf 0a6e8914 59b022ff d5c30169 b85841f5
    racoon: DEBUG: sendto Information notify.
    racoon: DEBUG: IV freed
    racoon: [192.168.100.140] DEBUG: DPD R-U-There sent (0)
    racoon: [192.168.100.140] DEBUG: rescheduling send_r_u (5).
    racoon: DEBUG: ===
    racoon: DEBUG: 92 bytes message received from 192.168.100.140[500] to 192.168.100.207[500]
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c fd9a61d5 756cc088 e1953f57 bc6624b6 9ba81f12 ee3b514f e8c7691f 53185f30 0122c903 89cee7c3 7fce17cf 4fd4f6ab 306e58f1 eaebb734 24c69abd 3c447863
    racoon: DEBUG: receive Information.
    racoon: DEBUG: compute IV for phase2
    racoon: DEBUG: phase1 last IV:
    racoon: DEBUG:  3e42b1bb 137a92a3 1cf42770 36f7cae5 6f5eec39
    racoon: DEBUG: hash(sha1)
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: phase2 IV computed:
    racoon: DEBUG:  d4cd0b00 128107ad 2fdf5523 e68e7e0b
    racoon: DEBUG: begin decryption.
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: IV was saved for next processing:
    racoon: DEBUG:  306e58f1 eaebb734 24c69abd 3c447863
    racoon: DEBUG: encryption(aes)
    racoon: DEBUG: with key:
    racoon: DEBUG:  e6996b83 6ba48690 4dc5b9b8 da14ace7 f65e79bd 2cfa70e9 fb340244 cd18d5fb
    racoon: DEBUG: decrypted payload by IV:
    racoon: DEBUG:  d4cd0b00 128107ad 2fdf5523 e68e7e0b
    racoon: DEBUG: decrypted payload, but not trimed.
    racoon: DEBUG:  0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008
    racoon: DEBUG: padding len=9
    racoon: DEBUG: skip to trim padding.
    racoon: DEBUG: decrypted.
    racoon: DEBUG:  537c409a 45c19353 f88c033e 10dce8a6 08100501 6f5eec39 0000005c 0b000018 70edd71b 168266eb 836bf003 8deeb800 37db19c5 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8 00000000 00000008
    racoon: DEBUG: IV freed
    racoon: DEBUG: HASH with:
    racoon: DEBUG:  6f5eec39 00000020 00000001 01108d29 537c409a 45c19353 f88c033e 10dce8a6 000001a8
    racoon: DEBUG: hmac(hmac_sha1)
    racoon: DEBUG: HASH computed:
    racoon: DEBUG:  70edd71b 168266eb 836bf003 8deeb800 37db19c5
    racoon: DEBUG: hash validated.
    racoon: DEBUG: begin.
    racoon: DEBUG: seen nptype=8(hash)
    racoon: DEBUG: seen nptype=11(notify)
    racoon: DEBUG: succeed.
    racoon: [192.168.100.140] DEBUG: DPD R-U-There-Ack received
    racoon: DEBUG: received an R-U-THERE-ACK
    
    


  • I can see one big difference to your logs:

    <30>Mar 13 09:05:07 racoon: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
    <30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #0 verified
    <30>Mar 13 09:05:07 racoon: [IPHONE-IP] INFO: Hashing IPHONE-IP**[129]** with algo #2
    <30>Mar 13 09:05:07 racoon: INFO: NAT-D payload #1 doesn't match

    I triple checked ALL settings - they are exact the same as yours.

    Perhaps it makes a difference because I use two CAs and also have several other IPsec BOVPN tunnels?!?  ???

    Thanks again for your patience and help!



  • OK - now I changed something on my data option. For 2 Euros per month I was able to get a "real" public IP address instead of a natted one! Looks better now in logs - but still I'm not able to finish phase1:

    Mar 13 11:35:32 	racoon: ERROR: phase1 negotiation failed due to time up. a95cd60e000c4680:7446a7a497024226
    Mar 13 11:34:42 	racoon: INFO: Adding remote and local NAT-D payloads.
    Mar 13 11:34:42 	racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
    Mar 13 11:34:42 	racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
    Mar 13 11:34:42 	racoon: INFO: NAT not detected
    Mar 13 11:34:42 	racoon: INFO: NAT-D payload #1 verified
    Mar 13 11:34:42 	racoon: [212.23.116.66] INFO: Hashing 212.23.116.66[500] with algo #2
    Mar 13 11:34:42 	racoon: INFO: NAT-D payload #0 verified
    Mar 13 11:34:42 	racoon: [Self]: [WAN-IP] INFO: Hashing WAN-IP[500] with algo #2
    Mar 13 11:34:41 	racoon: INFO: Adding xauth VID payload.
    Mar 13 11:34:41 	racoon: [212.23.116.66] INFO: Selected NAT-T version: RFC 3947
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: DPD
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: CISCO-UNITY
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Mar 13 11:34:41 	racoon: INFO: received Vendor ID: RFC 3947
    Mar 13 11:34:41 	racoon: INFO: begin Identity Protection mode.
    Mar 13 11:34:41 	racoon: [Self]: INFO: respond new phase 1 negotiation: WAN-IP[500]<=>212.23.116.66[500]
    

    Now I can see also another problem (?) in system-logs:

    Mar 13 11:34:29 	php: /vpn_ipsec.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
    Mar 13 11:34:05 	php: /vpn_ipsec_phase1.php: Could not determine VPN endpoint for 'MUVPN (Apple iOS)'
    Mar 13 11:33:55 	php: /vpn_ipsec_phase1.php: Reload MUVPN (Apple iOS) tunnel(s)
    

    What means this error?

    EDIT: The error above is gone since I changed the server-certificate to use IP instead of domain name. I still run in phase1 timeout without any other error.



  • Disable NAT traversal and check if that makes any difference.



  • Once the issues have been troubleshooted, I'd suggest adding these step-by-step docs to the PfSense wiki



  • I suggest also adding these step-by-step docs to the PfSense wiki.

    Also there is no need to wait for my (I'm sure) special personal problems:

    I just tried it with another iPhone (same model / same iOS Version / same modem version) and there it works like a charm!
    On this second iPhone it works with 3G and also direct out of the company networks WLAN.
    On my iPhone WLAN and 3G doesn't work.

    So it must have something to do with my iPhone. But I have no idea what this can be!  ???



  • OK - I think I know the problem now.

    I found other guys on the internet who have VPN problems like me (timeout) after untethered jailbreak of iOS 5.01 - and that's the big difference between my iPhone and the other one. Just to make clear: I have a neverlocked iPhone direct from Apple-Store and use the jailbreak for IT related software which is not available in AppStore (e.g. SSH). So i never hacked baseband or something like that. But it seems that the untethered jailbreak itself breaks VPN functions!



  • Glad to hear it is working.



  • There is only one last thing, which is a little bit annoying:

    If I uncheck the box with "Provide login banner to clients", there comes an empty login banner up. Is there no possibility to completly disable the banner? I use VPN on demand and so I have to click all the time on "OK" on the iPhone…



  • If you are talking about the message 'VPN Connection' with buttons OK and disconnect that iOS shows after connection is established then I don't think there is a way to disable that.



  • Thanks for the guide using it and iphone Configuration utility I was able to setup my iphone with VPN on demand, which is a slick feature with one issue.  I can not figure out how to make it save my password.  Everytime I connect to the VPN it prompts for the user password.  It appears if you create the VPN connection on the phone manually via this guide it will save the user password, however if you do it via the iphone configuration utility I do not see a way to save the password.

    Any ideas?



  • @hagak:

    Thanks for the guide using it and iphone Configuration utility I was able to setup my iphone with VPN on demand, which is a slick feature with one issue.  I can not figure out how to make it save my password.  Everytime I connect to the VPN it prompts for the user password.  It appears if you create the VPN connection on the phone manually via this guide it will save the user password, however if you do it via the iphone configuration utility I do not see a way to save the password.

    Any ideas?

    Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines behind the XAuthName-Block:

    <key>XAuthPassword</key> 
    <string>Your Password</string>
    

    Best regards,

    Thorsten



  • Sweet will give that a shot this info.  Odd that if the configs support such a feature that the tool would not have the interface to use it.  Course Apple is known for lack of options.



  • @hagak:

    Odd that if the configs support such a feature that the tool would not have the interface to use it.  Course Apple is known for lack of options.

    I think it's just because everybody could read the password as clear text…



  • @twaldorf:

    @hagak:

    Odd that if the configs support such a feature that the tool would not have the interface to use it.  Course Apple is known for lack of options.

    I think it's just because everybody could read the password as clear text…

    Well there are ways they could encrypt the password to at least make it more difficult to see.



  • @twaldorf:

    Create an unsigned .mobileconfig and edit it with any text editor. Add these two lines behind the XAuthName-Block:

    <key>XAuthPassword</key> 
    <string>Your Password</string>
    

    Best regards,

    Thorsten

    This did not seem to work.  I assume after I edit the file I open the file with iphone configurator to load it on the iphone.



  • If I export the conf back out the added lines are not there



  • I figured it out:)

    You need to email the mobileconfig file to your phone and install it via the email on the phone.  Success.



  • For whatever reason, racoon segfaults when I run RSA+Xauth after the client sends back the XAUTH_USER_PASSWORD. This doesn't happen with PSK+Xauth oddly. >:(


Locked