Windows Suite B Support with IKEv1 » History » Version 26
Andreas Steffen, 22.07.2009 22:13
added newline
1 | 10 | Andreas Steffen | h1. Windows Suite B Support with IKEv1 |
---|---|---|---|
2 | 1 | Andreas Steffen | |
3 | 20 | Andreas Steffen | {{>toc}} |
4 | 1 | Andreas Steffen | |
5 | 21 | Andreas Steffen | Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/. |
6 | 20 | Andreas Steffen | |
7 | 21 | Andreas Steffen | Starting with strongSwan release 4.3.3 the IKEv1 pluto daemon also fully supports the Suite B cryptographic algorithms. This is the reason that we created this HOWTO on Windows Suite B interoperability. |
8 | 21 | Andreas Steffen | |
9 | 22 | Andreas Steffen | h2. 1 Preparations |
10 | 1 | Andreas Steffen | |
11 | 22 | Andreas Steffen | h3. 1.1 Import of Windows Machine Certificates |
12 | 16 | Andreas Steffen | |
13 | 23 | Andreas Steffen | First we import both an ECDSA-256 and an ECDSA-384 machine certificate plus the corresponding private keys and root CA certificate in PKCS#12 format (.p12) into the local computer part of the Windows registry using the Microsoft Management Console *mmc*. The following "step-by-step tutorial":http://wiki.strongswan.org/wiki/strongswan/Win7Certs shows how this is done. If you have been successful then the mmc console display should look like this: |
14 | 16 | Andreas Steffen | |
15 | 14 | Andreas Steffen | !advfirewall_mmc.png! |
16 | 14 | Andreas Steffen | |
17 | 23 | Andreas Steffen | Here are some details on the imported ECDSA-256 certificate: |
18 | 14 | Andreas Steffen | |
19 | 1 | Andreas Steffen | !advfirewall_ecdsa256_cert.png! |
20 | 16 | Andreas Steffen | |
21 | 23 | Andreas Steffen | and here on the imported ECDSA-384 certificate: |
22 | 16 | Andreas Steffen | |
23 | 1 | Andreas Steffen | !advfirewall_ecdsa384_cert.png! |
24 | 1 | Andreas Steffen | |
25 | 22 | Andreas Steffen | h3. 1.2 Import of strongSwan Private Keys |
26 | 1 | Andreas Steffen | |
27 | 20 | Andreas Steffen | The path to RSA and ECDSA private keys are defined in /etc/ipsec.secrets: |
28 | 20 | Andreas Steffen | |
29 | 20 | Andreas Steffen | <pre> |
30 | 20 | Andreas Steffen | # /etc/ipsec.secrets - strongSwan IPsec secrets file |
31 | 20 | Andreas Steffen | |
32 | 20 | Andreas Steffen | : RSA vpnKey.pem |
33 | 20 | Andreas Steffen | |
34 | 20 | Andreas Steffen | : ECDSA koala_ec256Key.pem |
35 | 20 | Andreas Steffen | |
36 | 20 | Andreas Steffen | : ECDSA koala_ec384Key.pem |
37 | 20 | Andreas Steffen | |
38 | 20 | Andreas Steffen | </pre> |
39 | 20 | Andreas Steffen | |
40 | 22 | Andreas Steffen | h3. 1.3 Windows Main Mode Security Methods |
41 | 20 | Andreas Steffen | |
42 | 24 | Andreas Steffen | The following command sets the IKEv1 Main Mode security methods globally since the Suite B parameters cannot be set via the graphical advanced firewall interface: |
43 | 1 | Andreas Steffen | |
44 | 19 | Andreas Steffen | <pre> |
45 | 19 | Andreas Steffen | netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1 |
46 | 19 | Andreas Steffen | </pre> |
47 | 19 | Andreas Steffen | |
48 | 19 | Andreas Steffen | The currently configured algorithms can be checked using the command: |
49 | 19 | Andreas Steffen | |
50 | 19 | Andreas Steffen | <pre> |
51 | 19 | Andreas Steffen | netsh advfirewall show global |
52 | 19 | Andreas Steffen | |
53 | 19 | Andreas Steffen | Main Mode: |
54 | 19 | Andreas Steffen | KeyLifetime 480min,0sess |
55 | 19 | Andreas Steffen | SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
56 | 19 | Andreas Steffen | ForceDH No |
57 | 19 | Andreas Steffen | </pre> |
58 | 19 | Andreas Steffen | |
59 | 22 | Andreas Steffen | h2. 2 Suite B with 128 Bit Security |
60 | 1 | Andreas Steffen | |
61 | 22 | Andreas Steffen | h3. 2.1 Windows Connection Security Rule |
62 | 16 | Andreas Steffen | |
63 | 24 | Andreas Steffen | First we create a new "VPN Suite B 256" security rule. As first authentication method we choose ECDSA-P256 and and select our Root CA: |
64 | 1 | Andreas Steffen | |
65 | 24 | Andreas Steffen | !advfirewall_auth_method_ecdsa_256.png! |
66 | 24 | Andreas Steffen | |
67 | 24 | Andreas Steffen | Also the connection endpoints (traffic selectors) as well as the local and remote IP address of the VPN connection must be defined: |
68 | 24 | Andreas Steffen | |
69 | 16 | Andreas Steffen | !advfirewall_security_rule_256.png! |
70 | 16 | Andreas Steffen | |
71 | 16 | Andreas Steffen | The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256": |
72 | 1 | Andreas Steffen | |
73 | 16 | Andreas Steffen | <pre> |
74 | 1 | Andreas Steffen | netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256 |
75 | 3 | Andreas Steffen | </pre> |
76 | 4 | Andreas Steffen | |
77 | 24 | Andreas Steffen | These Suite B Quick Mode parameters cannot be set via the graphical advanced firewall interface. The resulting current rule settings are shown with the following command: |
78 | 5 | Andreas Steffen | |
79 | 5 | Andreas Steffen | <pre> |
80 | 16 | Andreas Steffen | netsh advfirewall consec show rule name="VPN Suite B 256" |
81 | 5 | Andreas Steffen | |
82 | 16 | Andreas Steffen | Rule Name: VPN Suite B 256 |
83 | 5 | Andreas Steffen | ---------------------------------------------------------------------- |
84 | 5 | Andreas Steffen | Enabled: Yes |
85 | 5 | Andreas Steffen | Profiles: Domain,Private,Public |
86 | 5 | Andreas Steffen | Type: Static |
87 | 5 | Andreas Steffen | Mode: Tunnel |
88 | 11 | Andreas Steffen | LocalTunnelEndpoint: 10.10.0.6 |
89 | 5 | Andreas Steffen | RemoteTunnelEndpoint: 10.10.0.1 |
90 | 5 | Andreas Steffen | Endpoint1: 10.10.0.6/32 |
91 | 5 | Andreas Steffen | Endpoint2: 10.10.1.0/24 |
92 | 5 | Andreas Steffen | Protocol: Any |
93 | 5 | Andreas Steffen | Action: RequireInRequireOut |
94 | 11 | Andreas Steffen | Auth1: ComputerCertECDSAP256 |
95 | 11 | Andreas Steffen | Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA |
96 | 11 | Andreas Steffen | Auth1ECDSAP256CertMapping: No |
97 | 11 | Andreas Steffen | Auth1ECDSAP256ExcludeCAName: No |
98 | 11 | Andreas Steffen | Auth1ECDSAP256CertType: Root |
99 | 1 | Andreas Steffen | Auth1ECDSAP256HealthCert: No |
100 | 1 | Andreas Steffen | MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
101 | 11 | Andreas Steffen | QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb |
102 | 5 | Andreas Steffen | ExemptIPsecProtectedConnections: No |
103 | 11 | Andreas Steffen | ApplyAuthorization: No |
104 | 1 | Andreas Steffen | Ok. |
105 | 1 | Andreas Steffen | </pre> |
106 | 5 | Andreas Steffen | |
107 | 22 | Andreas Steffen | h3. 2.2 strongSwan Connection Definition |
108 | 16 | Andreas Steffen | |
109 | 8 | Andreas Steffen | On the strongSwan side the following entries are required in ipsec.conf for 128 bit security: |
110 | 8 | Andreas Steffen | |
111 | 1 | Andreas Steffen | <pre> |
112 | 17 | Andreas Steffen | conn suiteB-256 |
113 | 17 | Andreas Steffen | leftcert=koala_ec256Cert.pem |
114 | 17 | Andreas Steffen | rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com" |
115 | 17 | Andreas Steffen | ike=aes128-sha256-ecp256! |
116 | 17 | Andreas Steffen | esp=aes128gcm16! |
117 | 17 | Andreas Steffen | also=suiteB |
118 | 17 | Andreas Steffen | auto=add |
119 | 17 | Andreas Steffen | |
120 | 1 | Andreas Steffen | conn suiteB |
121 | 12 | Andreas Steffen | left=10.10.0.1 |
122 | 12 | Andreas Steffen | leftsubnet=10.10.1.0/24 |
123 | 17 | Andreas Steffen | leftid=@koala.strongsec.com |
124 | 1 | Andreas Steffen | leftfirewall=yes |
125 | 1 | Andreas Steffen | lefthostaccess=yes |
126 | 1 | Andreas Steffen | right=10.10.0.6 |
127 | 1 | Andreas Steffen | rightca=%same |
128 | 1 | Andreas Steffen | keyexchange=ikev1 |
129 | 10 | Andreas Steffen | pfs=no |
130 | 12 | Andreas Steffen | dpdaction=clear |
131 | 12 | Andreas Steffen | dpddelay=300s |
132 | 12 | Andreas Steffen | rekey=no |
133 | 10 | Andreas Steffen | </pre> |
134 | 1 | Andreas Steffen | |
135 | 22 | Andreas Steffen | h3. 2.3 Windows Security Association Monitoring |
136 | 16 | Andreas Steffen | |
137 | 1 | Andreas Steffen | Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup. |
138 | 13 | Andreas Steffen | The following Windows status information is available for the Main Mode: |
139 | 1 | Andreas Steffen | |
140 | 1 | Andreas Steffen | !advfirewall_main_mode_128.png! |
141 | 13 | Andreas Steffen | |
142 | 13 | Andreas Steffen | and the established Quick Mode: |
143 | 1 | Andreas Steffen | |
144 | 13 | Andreas Steffen | !advfirewall_quick_mode_128.png! |
145 | 13 | Andreas Steffen | |
146 | 22 | Andreas Steffen | h3. 2.4 strongSwan IPsec Status Information |
147 | 1 | Andreas Steffen | |
148 | 1 | Andreas Steffen | Here the resulting status output on the Linux side: |
149 | 1 | Andreas Steffen | |
150 | 1 | Andreas Steffen | <pre> |
151 | 17 | Andreas Steffen | root@koala:~# ipsec statusall suiteB-256 |
152 | 1 | Andreas Steffen | |
153 | 1 | Andreas Steffen | Status of IKEv1 pluto daemon (strongSwan 4.3.3): |
154 | 17 | Andreas Steffen | interface eth1/eth1 10.10.0.1:4500 |
155 | 17 | Andreas Steffen | interface eth1/eth1 10.10.0.1:500 |
156 | 1 | Andreas Steffen | loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac |
157 | 1 | Andreas Steffen | debug options: control |
158 | 17 | Andreas Steffen | |
159 | 17 | Andreas Steffen | "suiteB-256": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#2 |
160 | 17 | Andreas Steffen | "suiteB-256": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' |
161 | 17 | Andreas Steffen | "suiteB-256": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
162 | 17 | Andreas Steffen | "suiteB-256": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
163 | 17 | Andreas Steffen | "suiteB-256": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
164 | 17 | Andreas Steffen | "suiteB-256": newest ISAKMP SA: !#1; newest IPsec SA: !#2; |
165 | 17 | Andreas Steffen | "suiteB-256": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 |
166 | 17 | Andreas Steffen | "suiteB-256": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> |
167 | 1 | Andreas Steffen | |
168 | 17 | Andreas Steffen | !#2: "suiteB-256" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3579s; newest IPSEC; eroute owner |
169 | 17 | Andreas Steffen | !#2: "suiteB-256" esp.aa4cf272@10.10.0.6 (180 bytes, 16s ago) esp.cdf37664@10.10.0.1 (240 bytes, 16s ago); tunnel |
170 | 17 | Andreas Steffen | !#1: "suiteB-256" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28778s; newest ISAKMP |
171 | 16 | Andreas Steffen | |
172 | 16 | Andreas Steffen | </pre> |
173 | 22 | Andreas Steffen | |
174 | 1 | Andreas Steffen | h2. 3 Suite B with 192 Bit Security |
175 | 16 | Andreas Steffen | |
176 | 1 | Andreas Steffen | h3. 3.1 Windows Connection Security Rule |
177 | 1 | Andreas Steffen | |
178 | 24 | Andreas Steffen | We create a "VPN Suite B 384" security rule: As first authentication method we choose ECDSA-P384 and and select our Root CA: |
179 | 1 | Andreas Steffen | |
180 | 24 | Andreas Steffen | !advfirewall_auth_method_ecdsa_384.png! |
181 | 24 | Andreas Steffen | |
182 | 24 | Andreas Steffen | Also the connection endpoints (traffic selectors) as well as the local and remote IP address of the VPN connection must be defined: |
183 | 24 | Andreas Steffen | |
184 | 18 | Andreas Steffen | !advfirewall_security_rule_384.png! |
185 | 18 | Andreas Steffen | |
186 | 18 | Andreas Steffen | The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 384": |
187 | 1 | Andreas Steffen | |
188 | 1 | Andreas Steffen | <pre> |
189 | 18 | Andreas Steffen | netsh advfirewall consec set rule name="VPN Suite B 384" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256 |
190 | 18 | Andreas Steffen | </pre> |
191 | 1 | Andreas Steffen | |
192 | 24 | Andreas Steffen | These Suite B Quick Mode parameters cannot be set via the graphical advanced firewall interface. The resulting current rule settings are shown with the following command: |
193 | 18 | Andreas Steffen | |
194 | 18 | Andreas Steffen | <pre> |
195 | 18 | Andreas Steffen | netsh advfirewall consec show rule name="VPN Suite B 384" |
196 | 18 | Andreas Steffen | |
197 | 16 | Andreas Steffen | Rule Name: VPN Suite B 384 |
198 | 16 | Andreas Steffen | ---------------------------------------------------------------------- |
199 | 16 | Andreas Steffen | Enabled: Yes |
200 | 16 | Andreas Steffen | Profiles: Domain,Private,Public |
201 | 16 | Andreas Steffen | Type: Static |
202 | 16 | Andreas Steffen | Mode: Tunnel |
203 | 16 | Andreas Steffen | LocalTunnelEndpoint: 10.10.0.6 |
204 | 16 | Andreas Steffen | RemoteTunnelEndpoint: 10.10.0.1 |
205 | 16 | Andreas Steffen | Endpoint1: 10.10.0.6/32 |
206 | 16 | Andreas Steffen | Endpoint2: 10.10.1.0/24 |
207 | 16 | Andreas Steffen | Protocol: Any |
208 | 16 | Andreas Steffen | Action: RequireInRequireOut |
209 | 16 | Andreas Steffen | Auth1: ComputerCertECDSAP384 |
210 | 16 | Andreas Steffen | Auth1ECDSAP384CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA |
211 | 16 | Andreas Steffen | Auth1ECDSAP384CertMapping: No |
212 | 16 | Andreas Steffen | Auth1ECDSAP384ExcludeCAName: No |
213 | 16 | Andreas Steffen | Auth1ECDSAP384CertType: Root |
214 | 16 | Andreas Steffen | Auth1ECDSAP384HealthCert: No |
215 | 16 | Andreas Steffen | MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
216 | 16 | Andreas Steffen | QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb |
217 | 16 | Andreas Steffen | ExemptIPsecProtectedConnections: No |
218 | 16 | Andreas Steffen | ApplyAuthorization: No |
219 | 1 | Andreas Steffen | Ok. |
220 | 19 | Andreas Steffen | </pre> |
221 | 19 | Andreas Steffen | |
222 | 22 | Andreas Steffen | h3. 3.2 strongSwan Connection Definition |
223 | 19 | Andreas Steffen | |
224 | 19 | Andreas Steffen | On the strongSwan side the following entries are required in ipsec.conf for 192 bit security: |
225 | 19 | Andreas Steffen | |
226 | 19 | Andreas Steffen | <pre> |
227 | 19 | Andreas Steffen | conn suiteB-384 |
228 | 19 | Andreas Steffen | leftcert=koala_ec384Cert.pem |
229 | 19 | Andreas Steffen | rightid="C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com" |
230 | 19 | Andreas Steffen | ike=aes192-sha384-ecp384! |
231 | 19 | Andreas Steffen | esp=aes192gcm16! |
232 | 19 | Andreas Steffen | also=suiteB |
233 | 19 | Andreas Steffen | auto=add |
234 | 25 | Andreas Steffen | |
235 | 25 | Andreas Steffen | conn suiteB |
236 | 25 | Andreas Steffen | left=10.10.0.1 |
237 | 25 | Andreas Steffen | leftsubnet=10.10.1.0/24 |
238 | 25 | Andreas Steffen | leftid=@koala.strongsec.com |
239 | 25 | Andreas Steffen | leftfirewall=yes |
240 | 25 | Andreas Steffen | lefthostaccess=yes |
241 | 25 | Andreas Steffen | right=10.10.0.6 |
242 | 25 | Andreas Steffen | rightca=%same |
243 | 25 | Andreas Steffen | keyexchange=ikev1 |
244 | 25 | Andreas Steffen | pfs=no |
245 | 25 | Andreas Steffen | dpdaction=clear |
246 | 25 | Andreas Steffen | dpddelay=300s |
247 | 25 | Andreas Steffen | rekey=no |
248 | 16 | Andreas Steffen | </pre> |
249 | 16 | Andreas Steffen | |
250 | 22 | Andreas Steffen | h3. 3.3 Windows Security Association Monitoring |
251 | 1 | Andreas Steffen | |
252 | 18 | Andreas Steffen | Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup. |
253 | 18 | Andreas Steffen | The following Windows status information is available for the Main Mode: |
254 | 1 | Andreas Steffen | |
255 | 18 | Andreas Steffen | !advfirewall_main_mode_192.png! |
256 | 18 | Andreas Steffen | |
257 | 18 | Andreas Steffen | and the established Quick Mode: |
258 | 18 | Andreas Steffen | |
259 | 18 | Andreas Steffen | !advfirewall_quick_mode_192.png! |
260 | 18 | Andreas Steffen | |
261 | 22 | Andreas Steffen | h3. 3.4 strongSwan IPsec Status Information |
262 | 18 | Andreas Steffen | |
263 | 1 | Andreas Steffen | Here the resulting status output on the Linux side: |
264 | 18 | Andreas Steffen | |
265 | 18 | Andreas Steffen | <pre> |
266 | 18 | Andreas Steffen | root@koala:~# ipsec statusall suiteB-384 |
267 | 18 | Andreas Steffen | |
268 | 18 | Andreas Steffen | Status of IKEv1 pluto daemon (strongSwan 4.3.3): |
269 | 18 | Andreas Steffen | interface eth1/eth1 10.10.0.1:4500 |
270 | 18 | Andreas Steffen | interface eth1/eth1 10.10.0.1:500 |
271 | 18 | Andreas Steffen | loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac |
272 | 18 | Andreas Steffen | debug options: control |
273 | 18 | Andreas Steffen | |
274 | 18 | Andreas Steffen | "suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6 |
275 | 18 | Andreas Steffen | "suiteB-384": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' |
276 | 18 | Andreas Steffen | "suiteB-384": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
277 | 18 | Andreas Steffen | "suiteB-384": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
278 | 18 | Andreas Steffen | "suiteB-384": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
279 | 18 | Andreas Steffen | "suiteB-384": newest ISAKMP SA: !#5; newest IPsec SA: !#6; |
280 | 18 | Andreas Steffen | "suiteB-384": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384 |
281 | 18 | Andreas Steffen | "suiteB-384": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A> |
282 | 18 | Andreas Steffen | |
283 | 18 | Andreas Steffen | !#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner |
284 | 18 | Andreas Steffen | !#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel |
285 | 18 | Andreas Steffen | !#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP |
286 | 26 | Andreas Steffen | |
287 | 18 | Andreas Steffen | </pre> |