MediaWiki API result

{
    "batchcomplete": "",
    "continue": {
        "gapcontinue": "Symantec_Raptor_Firewall",
        "continue": "gapcontinue||"
    },
    "query": {
        "pages": {
            "1616": {
                "pageid": 1616,
                "ns": 0,
                "title": "StrongSwan",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "== Platform Notes ==\n[http://www.strongswan.org/ strongSwan] is an open source IPsec VPN solution that runs on Linux systems with either 2.4 or 2.6 kernels.  The data encryption is handled by the Linux kernel (using KLIPS for 2.4, or Linux native IPsec for 2.6), and IKE is handled with a user mode process.\n\nAll versions support standard IKE (IKEv1) using the ''pluto'' IKE deamon.  Recent versions (from version 4.0.0) also support IKEv2 using the ''charon'' daemon.\n\nstrongSwan was originally based on the [http://www.freeswan.org/ FreeS/WAN] product, which is no longer being maintained.  Here are the IKE details for [[FreeS/WAN]].\n\n[http://www.openswan.org/ OpenSwan] is a similar open source Linux IPsec VPN product, which was also based on FreeS/WAN.  Here are the IKE details for [[OpenSwan]].\n\n== Version History ==\n\nThere are currently two strongSwan branches: the stable 2.x branch, and the development 4.x branch.\n\nThe first strongSwan version was 2.0.0, dated March 2004, which was based on FreeS/WAN 2.04 plus X.509, NAT Traversal and AES encryption patches.\n\nstrongSwan 4.0.0, dated May 2006, was based on strongSwan 2.7.0.\n\nIn addition to the releases on each branch, the latest code is also available via CVS.\n\n== Backoff Pattern ==\n=== IKEv1 with pluto ===\nWith IKEv1 using the pluto daemon, strongSwan has the backoff pattern\n<pre>\n0, 10, 20\n</pre>\nThis pattern is also shared by FreeS/WAN and OpenSwan because all of these are based on the FreeS/WAN ''pluto'' daemon.\n\nBelow is an example from strongSwan 4.0.5 running on Debian Linux:\n<pre>\n$ ike-scan -M --showbackoff 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=a997321d37e9afa2)\n        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n    
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n\nIKE Backoff Patterns:\n\nIP Address      No.     Recv time               Delta Time\n172.16.3.18     1       1171468498.860140       0.000000\n172.16.3.18     2       1171468508.869134       10.008994\n172.16.3.18     3       1171468528.888169       20.019035\n172.16.3.18     Implementation guess: Linux FreeS/WAN, OpenSwan, strongSwan\n</pre>\n=== IKEv2 with Charon ===\nWith IKEv2, using the ''charon'' daemon, strongSwan does not do any re-transmission.  Below is an example from strongSwan 4.0.5 on Debian Linux.  Note that there is only a single packet in the pattern, indicating no retransmission is being performed by the strongSwan server.\n<pre>\n$ ike-scan --ikev2 -M --showbackoff 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     IKEv2 SA_INIT Handshake returned\n        HDR=(CKY-R=543caf8e5aa2f2fd, IKEv2)\n        SA=(Encr=AES_CBC,KeyLength=128 Integ=HMAC_SHA1_96 Prf=HMAC_SHA1 DH_Group=14:modp2048)\n        KeyExchange(132 bytes)\n        Nonce(16 bytes)\n\nIKE Backoff Patterns:\n\nIP Address      No.     
Recv time               Delta Time\n172.16.3.18     1       1171468775.120626       0.000000\n172.16.3.18     Implementation guess: Linksys Etherfast\n</pre>\n\nThe ''Linksys Etherfast'' implementation guess should be disregarded.  ike-scan matched it on a single packet, so any responder that never retransmits would produce the same guess, and the backoff fingerprint carries no information for an IKEv2 responder.  The absence of retransmissions is IKEv2 design rather than a strongSwan quirk: an IKEv2 responder only resends its response when it receives a retransmitted request (RFC 4306 section 2.1), so an initiator that stays silent sees exactly one packet.\n\n== Vendor IDs ==\nstrongSwan 4.x returns two Vendor IDs in the first responder packet under IKE Main Mode:\n\n* strongSwan VID (MD5 Hash of \"strongSwan 4.x.y\", where x.y is the minor version number)\n* Dead Peer Detection VID (afcad71368a1f1c96b8696fc77570100)\n\nBecause the strongSwan VID is a hash of the version number, it can be used to identify the exact version of strongSwan.  The hash offers no protection: anyone can recover the version by hashing candidate version strings and comparing, so the VID hands a remote attacker the exact release to check against known bugs.\n\nThe example below shows the Vendor IDs returned by strongSwan 4.0.5 on Debian Linux:\n\n<pre>\n$ ike-scan -M 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=376ab8a5bb2f443d)\n        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n== Authentication Methods ==\n\nstrongSwan supports ''Pre-Shared Key'' and ''RSA Signature'' authentication methods.\n\nThe method to use is defined by the ''authby'' configuration option, which can take values of ''secret'' for Pre-Shared Key or ''rsasig'' for RSA Signature.\n\n=== RSA Signature Example ===\n\nIn this example, we don't specify an authentication method in ipsec.conf so the default of RSA Signature is used.  
We need to use the ''--auth=3'' option to ike-scan to specify RSA Signature authentication.\n\n<pre>\nconn iketest\n        left=172.16.3.18\n        leftsubnet=172.16.3.0/24\n        right=%any\n        auto=add\n</pre>\n\n<pre>\n$ ike-scan -M --auth=3 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=d0cc0abad9d372fe)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n=== Pre-Shared Key Example ===\n\nIn this example, we specify Pre-Shared Key authentication in ipsec.conf with ''authby=secret''.\n\n<pre>\nconn iketest\n        left=172.16.3.18\n        leftsubnet=172.16.3.0/24\n        right=%any\n        authby=secret\n        auto=add\n</pre>\n\n<pre>\n$ ike-scan -M 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=2fe7d819d2601f44)\n        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n== ISAKMP SA Lifetime ==\n\n=== Lifetime in seconds ===\n\nstrongSwan accepts either no SA lifetime in seconds (i.e. the attribute is not present), or a value in the range 0 to 86,400 seconds (24 hours) inclusive.  Values outside this range result in a NO-PROPOSAL-CHOSEN message.  
The examples below illustrate this behaviour:\n\n<pre>\n$ ike-scan -M --lifetime=none --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=5a3610d1cdff1dea)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n<pre>\n$ ike-scan -M --lifetime=1 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=6e7acddc8cdf90ef)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00000001)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n<pre>\n$ ike-scan -M --lifetime=86400 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=4f65b272c6f96be8)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00015180)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n<pre>\n$ ike-scan -M --lifetime=86401 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=43bbf79744a6b00b)\n</pre>\n\nstrongSwan accepts a variable-length lifetime attribute with a seemingly arbitrary value length, provided the value is within the acceptable range.  This has been tested up to value lengths of 256 bytes. 
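The attribute encoding that these lifetime tests exercise, as an added example (this is not code from this page, from ike-scan or from strongSwan). ISAKMP carries transform attributes in two forms (RFC 2408 section 3.3): a basic TV form with the high bit of the type set and a fixed two-byte value, and a TLV form with an explicit length, which is how ike-scan sends the 4-byte and 32-byte LifeDuration values above. The block builds an attribute list in a chosen order, decodes a responder's list back in wire order (the point of the Transform ordering section further down), pairs each LifeType with its LifeDuration, and models the two responder rules recorded in this result: strongSwan 4.0.5 accepts any encoding length as long as the seconds value is in range, while Solaris 10 (later on this page) accepts any value but rejects a LifeDuration longer than four bytes. Attribute numbers are the IKE values from RFC 2409 appendix A; the two policy helpers are an assumption for illustration, not either product's code.

```python
"""ISAKMP transform attribute encoding, decoding and lifetime checks.

Added example, not taken from the wiki page, ike-scan or strongSwan.
"""
import struct

# IKE attribute classes, RFC 2409 appendix A
ENC, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION, KEY_LENGTH = 1, 2, 3, 4, 11, 12, 14
LIFE_TYPE_NAMES = {1: "Seconds", 2: "Kilobytes"}


def encode_attr(atype, value, length=None):
    """Encode one data attribute (RFC 2408 section 3.3).

    Basic (TV) form: AF bit set, two-byte value; used when the value fits in
    16 bits and no explicit length is requested.  Variable (TLV) form: AF bit
    clear, two-byte length, then `length` big-endian value bytes.  Passing a
    length larger than the value needs (32 bytes for the value 1) reproduces
    the oversized LifeDuration that ike-scan's --lifetime=0x00..01 sends.
    """
    if length is None and value <= 0xFFFF:
        return struct.pack("!HH", 0x8000 | atype, value)
    if length is None:
        length = max(1, (value.bit_length() + 7) // 8)
    return struct.pack("!HH", atype, length) + value.to_bytes(length, "big")


def encode_attrs(pairs):
    """pairs: (type, value) or (type, value, length) tuples, emitted in order."""
    return b"".join(encode_attr(*p) for p in pairs)


def decode_attrs(data):
    """Decode an attribute list into [(type, value_bytes)] in wire order.

    A TLV whose length runs past the end of the payload raises ValueError;
    that is the malformed case a responder must reject instead of reading.
    """
    attrs, i = [], 0
    while i + 4 <= len(data):
        hdr, v = struct.unpack_from("!HH", data, i)
        i += 4
        if hdr & 0x8000:
            attrs.append((hdr & 0x7FFF, v.to_bytes(2, "big")))
        else:
            if i + v > len(data):
                raise ValueError("TLV length %d overruns the payload" % v)
            attrs.append((hdr, data[i:i + v]))
            i += v
    if i != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def is_malformed(data):
    """True when decode_attrs would reject the list."""
    try:
        decode_attrs(data)
        return False
    except ValueError:
        return True


def lifetimes(attrs):
    """Pair each Life Type with the Life Duration that follows it (RFC 2409 A.4)."""
    out, pending = {}, None
    for atype, raw in attrs:
        if atype == LIFE_TYPE:
            pending = LIFE_TYPE_NAMES.get(int.from_bytes(raw, "big"), "Unknown")
        elif atype == LIFE_DURATION and pending is not None:
            out[pending] = int.from_bytes(raw, "big")
            pending = None
    return out


def responder_accepts(attrs, max_seconds=86400, max_duration_len=None):
    """Model of the two lifetime rules observed in this result (assumption).

    max_seconds=86400, max_duration_len=None -> strongSwan 4.0.5 rule: any
        encoding length is fine while the seconds value is within range.
    max_seconds=None, max_duration_len=4     -> Solaris 10 rule: any value,
        but a Life Duration longer than four bytes is NO-PROPOSAL-CHOSEN.
    Returns (accepted, reason).
    """
    for atype, raw in attrs:
        if atype == LIFE_DURATION and max_duration_len is not None and len(raw) > max_duration_len:
            return False, "LifeDuration(%d) longer than %d bytes" % (len(raw), max_duration_len)
    secs = lifetimes(attrs).get("Seconds")
    if secs is not None and max_seconds is not None and secs > max_seconds:
        return False, "lifetime %d s exceeds %d s" % (secs, max_seconds)
    return True, "ok"
```

When reading a real responder's SA payload, decode it and take the lifetime from `lifetimes()` rather than assuming the value you proposed was kept: both responders on this page echo the initiator's value, so the returned attribute is the only evidence of what the peer actually agreed to.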
The example below shows the response to a lifetime in seconds value of 1 encoded as a variable length attribute with 32 bytes.  The lines have been wrapped to aid readability:\n\n<pre>\n$ ike-scan -M --lifetime=0x0000000000000000000000000000000000000000000000000000000000000001\n  --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=1c6eb126df6bff64)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds\n            LifeDuration(32)=0x0000000000000000000000000000000000000000000000000000000000000001)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n=== Lifetime in Kilobytes ===\n\nstrongSwan supports any SA lifetime in Kilobytes, including none at all.  There appears to be no upper limit to the SA lifetime.  It also supports both lifetime in seconds and lifetime in kilobytes together.  
The examples below illustrate the behaviour:\n\nNo lifetime in seconds, zero lifetime in kilobytes.\n<pre>\n$ ike-scan -M --lifetime=none --lifesize=0 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=fe75d62f5cbc9c7a)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0x00000000)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nA lifetime of 1 kilobyte.\n<pre>\n$ ike-scan -M --lifetime=none --lifesize=1 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=2aea9f0807ce816d)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Kilobytes LifeDuration(4)=0x00000001)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nA huge lifetime in kilobytes.  
0xffffffffffffffff is about 1.8x10^19.\n<pre>\n$ ike-scan -M --lifetime=none --lifesize=0xffffffffffffffff --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=d76d428d5e5e56e8)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Kilobytes LifeDuration(8)=0xffffffffffffffff)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nA huge lifetime in kilobytes with the maximum permitted lifetime in seconds.\n<pre>\n$ ike-scan -M --lifetime=86400 --lifesize=0xffffffff --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=c4a08a38583a9f3b)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00015180 LifeType=Kilobytes LifeDuration(4)=0xffffffff)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\n== Transform ordering and rewriting ==\nstrongSwan generally returns the transform attributes in the order that they are supplied by the initiator.\n\nIn the example below, we specify the four mandatory transform attributes in order ''Enc, Hash, Auth, Group'' and then in reverse order ''Group, Auth, Hash, Enc'', and observe that the target returns the attributes in the same order as the initiator specified them.\n<pre>\n$ ike-scan -M --trans=\"(1=5,2=2,3=3,4=2)\" 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=9d2b3e904a3ab3e1)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n<pre>\n$ ike-scan -M --trans=\"(4=2,3=3,2=2,1=5)\" 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=d9f5aec66242df7e)\n        SA=(Group=2:modp1024 Auth=RSA_Sig Hash=SHA1 Enc=3DES)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nHere is another example, this time including a lifetime in seconds, and a lifetime in kilobytes.  Again, the attributes are returned in the same order that the initiator sent them.\n<pre>\n$ ike-scan -M --trans=\"(11=2,12=123,11=1,12=456,4=2,3=3,2=2,1=5)\" 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=c53786f9985fea68)\n        SA=(LifeType=Kilobytes LifeDuration=123 LifeType=Seconds LifeDuration=456 Group=2:modp1024 Auth=RSA_Sig Hash=SHA1 Enc=3DES)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nstrongSwan 4.0.5 (and maybe other versions as well) requires that the keylength attribute follows the encryption algorithm attribute when variable length ciphers are used.  Below is an example using AES-128.  
In the first example the attribute ordering is ''DH Group, Auth, Hash, Enc, Keylen'', which works, while in the second it is ''DH Group, Auth, Hash, Keylen, Enc'' which doesn't work and returns NO-PROPOSAL-CHOSEN.\n<pre>\n$ ike-scan -M --trans=\"(4=2,3=3,2=2,1=7,14=128)\" 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=dcf1c29da6a493c5)\n        SA=(Group=2:modp1024 Auth=RSA_Sig Hash=SHA1 Enc=AES KeyLength=128)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n<pre>\n$ ike-scan -M --trans=\"(4=2,3=3,2=2,14=128,1=7)\" 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=7e2ea4c1f76657c8)\n</pre>\n\n== Aggressive Mode ==\n\nstrongSwan does not support IKE Aggressive Mode.  If you try to use aggressive mode, it replies with an informational exchange containing notify message 29 (UNSUPPORTED-EXCHANGE-TYPE) as illustrated below:\n\n<pre>\n$ ike-scan -A -M 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 29 (UNSUPPORTED-EXCHANGE-TYPE)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\nThis means that remote access connections where the initiator's IP address is not static cannot use per-peer pre-shared key authentication, and must use certificates instead.  In Main Mode the responder has to select the pre-shared key by the initiator's IP address: the identity payload only arrives in the fifth message, encrypted under keys derived from that pre-shared key, so with an unknown address the only workable option is a single key shared by every roaming peer, which gives no per-peer authentication.  Refusing Aggressive Mode also keeps strongSwan clear of the offline pre-shared key cracking that Aggressive Mode invites, because Aggressive Mode sends the hash derived from the pre-shared key in the clear.\n\n== Response to non-compliant and malformed packets ==\n\nIn all the examples below, we specify a single transform.  
Except in the case where we are deliberately specifying an unacceptable transform, the attributes are ''Enc=3DES, Hash=SHA1, Auth=RSA_Sig, Group=2'', which is acceptable to the target system.\n\nExcept in the unacceptable transform case, the responder cookie is always zero when reporting an error.  This is similar to CheckPoint Firewall-1, except that CheckPoint responds with a zero cookie in all cases.\n\nIn general, strongSwan responds to invalid packets by sending a notify message, and it uses the notification message that would be expected.\n\n=== No Acceptable Transforms ===\n\nstrongSwan will return notify message 14 (NO-PROPOSAL-CHOSEN) if the Encryption Algorithm, Hash Algorithm, or Diffie-Hellman group is unsupported.  However it will not respond at all for an unsupported Authentication Method.\n\nThe example below shows the response to a single transform where the encryption algorithm is set to DES, which is not supported.  All other attributes are supported.\n\n<pre>\n$ ike-scan -M --trans=1,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=cf677d98bff73747)\n</pre>\n\n=== Bad IKE version ===\n\n<pre>\n$ ike-scan -M --headerver=0x30 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 5 (INVALID-MAJOR-VERSION)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n<pre>\n$ ike-scan -M --headerver=0x11 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 6 (INVALID-MINOR-VERSION)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid DOI ===\n\nGiven the other responses, I would have expected strongSwan to respond with notify message 2 (DOI-NOT-SUPPORTED) rather than message 16 (PAYLOAD-MALFORMED).\n\n<pre>\n$ ike-scan -M --doi=2 --trans=5,2,3,2 
172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 16 (PAYLOAD-MALFORMED)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid Situation ===\n\n<pre>\n$ ike-scan -M --situation=2 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 3 (SITUATION-NOT-SUPPORTED)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid Initiator Cookie ===\n\n<pre>\n$ ike-scan -M --cookie=0000000000000000 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 4 (INVALID-COOKIE)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid Flags ===\n\nGiven the other responses, I would have expected strongSwan to respond with notify message 8 (INVALID-FLAGS) rather than message 16 (PAYLOAD-MALFORMED).\n\n<pre>\n$ ike-scan -M --hdrflags=255 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 16 (PAYLOAD-MALFORMED)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid Protocol ===\n\n<pre>\n$ ike-scan -M --protocol=2 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 10 (INVALID-PROTOCOL-ID)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Invalid SPI ===\n\n<pre>\n$ ike-scan -M --spisize=32 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 11 (INVALID-SPI)\n        HDR=(CKY-R=0000000000000000)\n</pre>\n\n=== Non-Zero Reserved Fields ===\n\n<pre>\n$ ike-scan -M --mbz=255 --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Notify message 16 (PAYLOAD-MALFORMED)\n        
HDR=(CKY-R=0000000000000000)\n</pre>\n\n== NAT Traversal ==\nstrongSwan supports RFC 3947 NAT Traversal, but only if it is enabled with ''nat_traversal=yes'' in the config setup section of ipsec.conf.  If it is not enabled, then strongSwan will not respond to NAT Traversal encapsulated packets (IKE carried on UDP port 4500 behind a four-byte non-ESP marker, which is what ike-scan's ''--nat-t'' option sends).\n\nHere is an example of a NAT Traversal response.\n<pre>\n$ ike-scan -M --nat-t --trans=5,2,3,2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=f784c6ecc962e297)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n</pre>\n\nHere is another example, this time specifying the NAT Traversal Vendor ID, which is then included in the response.\n<pre>\n$ ike-scan -M --nat-t --trans=5,2,3,2 --vendor=4a131c81070358455c5728f20e95452f 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     Main Mode Handshake returned\n        HDR=(CKY-R=94f22001c70308c6)\n        SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=dd180d21e5ce655a768ba32211dd8ad9 (strongSwan 4.0.5)\n        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n</pre>\n\n== IKEv2 ==\n\nstrongSwan version 4.x supports both IKEv1 (with the ''pluto'' daemon) and IKEv2 (with the ''charon'' daemon).  
Here is an example IKEv2 response from a strongSwan 4.0.5 system running on Debian Linux:\n\n<pre>\n$ ike-scan -M --ikev2 172.16.3.18\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.18     IKEv2 SA_INIT Handshake returned\n        HDR=(CKY-R=35eafcd831ba1227, IKEv2)\n        SA=(Encr=AES_CBC,KeyLength=128 Integ=HMAC_SHA1_96 Prf=HMAC_SHA1 DH_Group=14:modp2048)\n        KeyExchange(132 bytes)\n        Nonce(16 bytes)\n</pre>\n\nThe configuration entry from ''ipsec.conf'' on this system is:\n\n<pre>\nconn iketest\n        left=172.16.3.18\n        leftsubnet=172.16.3.0/24\n        right=%any\n        keyexchange=ikev2\n        authby=secret\n        auto=add\n</pre>\n\n== Remote Access VPN Client ==\n\nstrongSwan does not include a remote access VPN client.  However, it should work with generic VPN clients such as SafeNet because it does not use any proprietary mechanisms.\n\n== Other Interesting Behaviour ==\n\n=== Zero responder cookies in most notify messages ===\n\nWhen a strongSwan system responds with an informational exchange containing a notify message, indicating an error condition, it sets the responder cookie to zero unless the notify message is NO-PROPOSAL-CHOSEN.\n\nThis is similar to CheckPoint Firewall-1, but with CheckPoint the responder cookie is zero for all notify messages.\n\n== Default Configuration ==\n\nBy default, strongSwan 4.0.5 supports the following transform attribute values:\n\n{| class=\"wikitable\"\n|- style=\"background:#dadada; color:#06c\"\n! Encryption\n| Blowfish, Triple-DES, AES-128, AES-192, AES-256, Serpent and Twofish\n|- style=\"background:#dadada; color:#06c\"\n! Hash\n| MD5, SHA1, SHA2-256 and SHA2-512\n|- style=\"background:#dadada; color:#06c\"\n! Authentication\n| RSA Signature (optionally Pre-Shared Key)\n|- style=\"background:#dadada; color:#06c\"\n! 
DH Group\n| 2, 5, 14, 15, 16, 17 and 18\n|}\n\nThis is a very impressive set of supported attribute values.\n\nAs described in the Authentication Methods section above, the default method is RSA Signature, but Pre-Shared key can also be specified.\n\nNo weak ciphers are supported by default, by the standards of the time.  In particular there is no support for single DES or Diffie-Hellman group 1.  MD5 and the 1024-bit group 2 are still on the default list, however, so a restrictive ''ike='' line (see below) is worth setting rather than relying on the defaults.\n\nIt is interesting to see support for the newer MODP Diffie-Hellman groups 14 to 18 from RFC 3526, and also the new SHA2-256 and SHA2-512 hash algorithms.\n\nIt's unusual to see support for AES-192.  Most implementations restrict themselves to AES keylengths of 128 or 256.\n\nBlowfish, Serpent and Twofish are very unusual.\n\nSerpent and Twofish use the values 65004 and 65005 respectively, which fall in the private-use range (65001 to 65535) rather than among the IANA-assigned encryption algorithm values, so they only interoperate with a peer that has agreed on the same private numbers.  It is not known if this will interoperate with other vendors because I've not observed any other product that offers Serpent or Twofish.\n\nIt is possible to restrict the attributes that strongSwan will accept with the ''ike'' configuration entry.  E.g. ''ike=3des-md5!'' would only allow 3DES encryption with MD5 hash.  The exclamation mark at the end of the cipher list specifies that only this list is acceptable; without it the listed proposal is merely preferred and the defaults remain acceptable.  Whatever list is chosen should come from the stronger end of the table above rather than from the 3DES/MD5 example.\n\n== Discovered Vulnerabilities =="
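The Vendor ID fingerprinting described in the Vendor IDs section above, as an added example (not code from this page, from ike-scan or from strongSwan). The page states that the strongSwan VID is the MD5 hash of the string "strongSwan x.y.z"; this block derives that hash for a list of candidate version strings and uses the result to name the VID= lines of an ike-scan -M capture. The candidate version list is an assumption for illustration, not a release history, and the sample capture is constructed from the 4.0.5 output shown above. The Dead Peer Detection VID is the fixed RFC 3706 value whose last two bytes carry the DPD major and minor version. Later strongSwan releases dropped the version number from the hashed string, which is the right fix for what this shows: a hash of a guessable string hides nothing.

```python
"""Derive and match strongSwan Vendor IDs from an ike-scan capture.

Added example, not taken from the wiki page, ike-scan or strongSwan.
"""
import hashlib
import re

# RFC 3706 DPD vendor ID without its trailing major/minor version bytes
DPD_PREFIX = "afcad71368a1f1c96b8696fc7757"

# Assumed candidate versions to hash; extend with whatever releases matter to you.
CANDIDATE_VERSIONS = ["4.0.%d" % i for i in range(8)] + ["4.1.%d" % i for i in range(12)]

# Constructed from the strongSwan 4.0.5 capture on this page.
SAMPLE_CAPTURE = """\
172.16.3.18     Main Mode Handshake returned
        HDR=(CKY-R=376ab8a5bb2f443d)
        SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=dd180d21e5ce655a768ba32211dd8ad9
        VID=afcad71368a1f1c96b8696fc77570100
"""

VID_LINE = re.compile(r"VID=([0-9a-fA-F]{2,})")


def strongswan_vid(version):
    """Hex MD5 of "strongSwan <version>", which is what a 4.x responder sends."""
    return hashlib.md5(("strongSwan " + version).encode("ascii")).hexdigest()


def build_vid_table(versions=CANDIDATE_VERSIONS):
    """Reverse map from VID hex to the version string that produces it."""
    return {strongswan_vid(v): "strongSwan " + v for v in versions}


def describe_vid(vid, table):
    """Name one VID: a derived strongSwan hash, the DPD constant, or unknown."""
    vid = vid.lower()
    if vid in table:
        return table[vid]
    if len(vid) == 32 and vid.startswith(DPD_PREFIX):
        major, minor = int(vid[28:30], 16), int(vid[30:32], 16)
        return "Dead Peer Detection v%d.%d" % (major, minor)
    return "unknown"


def identify_vids(capture, table=None):
    """[(vid_hex, description)] for every VID= line in an ike-scan -M capture."""
    table = build_vid_table() if table is None else table
    return [(m.group(1).lower(), describe_vid(m.group(1), table))
            for m in VID_LINE.finditer(capture)]


if __name__ == "__main__":
    for vid, desc in identify_vids(SAMPLE_CAPTURE):
        print(vid, desc)
```

The reverse lookup costs one MD5 per candidate string, which is why a version-bearing VID is equivalent to sending the version in the clear.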
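The backoff fingerprinting from the Backoff Pattern section above, as an added example (not code from this page, from ike-scan or from strongSwan). It reimplements the idea behind ike-scan's --showbackoff implementation guess: send one Main Mode proposal, never reply, record when each retransmission of the responder's answer arrives, and match the gaps between arrivals against known patterns. The pattern table holds only what this result documents (the pluto family above and Sun Solaris from the next page), and the three sample tables are constructed from the captures on those pages. It also handles the single-packet case from the IKEv2 capture above by reporting it as inconclusive instead of matching it to a name.

```python
"""Backoff-pattern fingerprinting of an IKE responder from ike-scan output.

Added example, not taken from the wiki page, ike-scan or strongSwan.
"""
import re

# name -> gap in seconds between successive packets; the first packet is always 0
PATTERNS = {
    "Linux FreeS/WAN, OpenSwan, strongSwan (pluto, IKEv1)": [0, 10, 20],
    "Sun Solaris in.iked": [0, 0.5, 1, 2, 4, 8],
}

# One row of an ike-scan backoff table: ip, packet number, receive time, delta
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")

# Constructed from the captures on this page and the Sun Solaris page.
STRONGSWAN_PLUTO_TABLE = """\
IP Address      No.     Recv time               Delta Time
172.16.3.18     1       1171468498.860140       0.000000
172.16.3.18     2       1171468508.869134       10.008994
172.16.3.18     3       1171468528.888169       20.019035
172.16.3.18     Implementation guess: Linux FreeS/WAN, OpenSwan, strongSwan
""".splitlines()

STRONGSWAN_CHARON_TABLE = """\
IP Address      No.     Recv time               Delta Time
172.16.3.18     1       1171468775.120626       0.000000
172.16.3.18     Implementation guess: Linksys Etherfast
""".splitlines()

SOLARIS_TABLE = """\
IP Address      No.     Recv time               Delta Time
192.168.124.158 1       1171722837.002113       0.000000
192.168.124.158 2       1171722837.504497       0.502384
192.168.124.158 3       1171722838.514553       1.010056
192.168.124.158 4       1171722840.524552       2.009999
192.168.124.158 5       1171722844.534720       4.010168
192.168.124.158 6       1171722852.544802       8.010082
""".splitlines()


def parse_backoff_table(lines):
    """{ip: [receive timestamps in arrival order]}; non-row lines are ignored."""
    seen = {}
    for line in lines:
        m = ROW.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(float(m.group(3)))
    return seen


def gaps(recv_times):
    """Seconds between each packet and the one before it, 0 for the first.

    Computed from the timestamps rather than trusting the printed Delta column.
    """
    return [0.0] + [b - a for a, b in zip(recv_times, recv_times[1:])]


def guess_implementation(recv_times, tolerance=0.2):
    """Name the pattern the observed gaps match, within `tolerance` seconds.

    A single packet is reported as inconclusive rather than matched: every
    responder that does not retransmit (strongSwan's IKEv2 charon, for one)
    produces the same one-line table, so any name would be a false match.
    """
    if len(recv_times) < 2:
        return "inconclusive: no retransmissions observed"
    observed = gaps(recv_times)
    for name, pattern in PATTERNS.items():
        if len(pattern) == len(observed) and all(
            abs(o - p) <= tolerance for o, p in zip(observed, pattern)
        ):
            return name
    return "unknown pattern %s" % [round(g, 2) for g in observed]


def fingerprint(lines):
    """{ip: guess} for every host in an ike-scan --showbackoff table."""
    return {ip: guess_implementation(t) for ip, t in parse_backoff_table(lines).items()}


if __name__ == "__main__":
    for table in (STRONGSWAN_PLUTO_TABLE, STRONGSWAN_CHARON_TABLE, SOLARIS_TABLE):
        print(fingerprint(table))
```

The tolerance is deliberately tight: the captures on these pages are within about 20 ms of the nominal gaps, and a loose tolerance would make the 0.5 s and 1 s steps of the Solaris pattern indistinguishable from each other.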
                    }
                ]
            },
            "1626": {
                "pageid": 1626,
                "ns": 0,
                "title": "Sun Solaris",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "== Platform Notes ==\nSun Solaris runs on SPARC and Intel hardware platforms.\n\n== Version History ==\n{| class=\"wikitable\"\n|- style=\"background:#dadada; color:#06c\"\n! Version !! Release Date !! Notes\n|-\n| Solaris 8 || Feb 2000 || First Solaris version to include IPsec.  Manual keying only (no IKE)\n|- style=\"background:#dadada\"\n| Solaris 9 || May 2002 || IKE support added\n|-\n| Solaris 10 || Jan 2005 || NAT Traversal support added\n|}\n\nIPsec support was first added in Solaris 8.  IKE keying support was added in Solaris 9, using the ''in.iked'' daemon.\n\n== Backoff Patterns ==\nAll tested versions of Solaris (currently 9 and 10) have the six-packet IKE backoff pattern:\n<pre>\n0, 0.5, 1, 2, 4, 8\n</pre>\nBelow is an example from Solaris 9 on SPARC.  We need to specify a custom transform, as this system won't respond to our default transform set:\n<pre>\n$ ike-scan -M --showbackoff --trans=5,1,1,5 192.168.124.158\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n192.168.124.158 Main Mode Handshake returned\n        HDR=(CKY-R=7e621cfe41000000)\n        SA=(SPI=7e621cfe41000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n\nIKE Backoff Patterns:\n\nIP Address      No.     
Recv time               Delta Time\n192.168.124.158 1       1171722837.002113       0.000000\n192.168.124.158 2       1171722837.504497       0.502384\n192.168.124.158 3       1171722838.514553       1.010056\n192.168.124.158 4       1171722840.524552       2.009999\n192.168.124.158 5       1171722844.534720       4.010168\n192.168.124.158 6       1171722852.544802       8.010082\n</pre>\n\nHere's an example from Solaris 10 on Intel IA-32, which shows the same backoff pattern:\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --showbackoff 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=871c8aba1cf5a0d7)\n        SA=(SPI=699f1a94e2ac65f8 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n\nIKE Backoff Patterns:\n\nIP Address      No.     Recv time               Delta Time\n172.16.3.28     1       1171749705.664218       0.000000\n172.16.3.28     2       1171749706.175947       0.511729\n172.16.3.28     3       1171749707.190895       1.014948\n172.16.3.28     4       1171749709.192046       2.001151\n172.16.3.28     5       1171749713.210723       4.018677\n172.16.3.28     6       1171749721.211048       8.000325\n172.16.3.28     Implementation guess: Sun Solaris\n</pre>\n\n== Vendor IDs ==\nSolaris 9 does not return any Vendor IDs.\n\nSolaris 10 returns the following Vendor IDs indicating that it supports NAT Traversal:\n\n* RFC 3947 NAT-T (4a131c81070358455c5728f20e95452f)\n* RFC XXXX (810fa565f8ab14369105d706fbd57279)\n\n== Authentication Methods ==\nSolaris supports four authentication types:\n\n* Pre-Shared Key\n* RSA Signature\n* RSA Encryption\n* DSS Signature\n\nPre-Shared Key and RSA Signature are common authentication methods.  
RSA Encryption and DSS Signature are standard methods, but are less commonly seen.\n\nThe syntax used in the ''/etc/inet/ike/config'' file is:\n<pre>\nauth_method {preshared, rsa_sig, rsa_encrypt, dss_sig}\n</pre>\n\nFor authentication types other than Pre-Shared Key, a certificate is needed.  In the examples in this document, the following command was used to generate a self-signed certificate on the Solaris 10 system named ''solaris10'' (a 1024-bit RSA key, which is adequate for a test lab but too short for production use):\n<pre>\n# ikecert certlocal -ks -m 1024 -t rsa-sha1 -D \"C=GB, O=NTA_Monitor OU=Technical_Dept CN=solaris10\"\n</pre>\nBelow are examples of each authentication method.  In each case, the Phase-1 transform attributes other than authentication method are always Enc=DES, Hash=MD5, Group=1.  These are deliberately weak test settings, chosen only to exercise each authentication method; DES, MD5 and group 1 should not appear in a production configuration.  For each example, we show the ''config'' file followed by the ike-scan output.\n=== Pre-Shared Key ===\n<pre>\n{\n   label \"default rule\"\n\n   local_addr 0.0.0.0/0\n   remote_addr 0.0.0.0/0\n\n   p1_xform {auth_method preshared oakley_group 1 auth_alg md5 encr_alg des}\n}\n</pre>\n<pre>\n$ ike-scan --trans=1,1,1,1 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=a6d56703fcb2b456)\n        SA=(SPI=e19f058e051e98c6 Enc=DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== RSA Signature ===\n<pre>\n{\n   label \"default rule\"\n   local_id_type dn\n   local_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10\"\n   remote_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9\"\n\n   local_addr 0.0.0.0/0\n   remote_addr 0.0.0.0/0\n\n   p1_xform {auth_method rsa_sig oakley_group 1 auth_alg md5 encr_alg des}\n}\n</pre>\n<pre>\n$ ike-scan --trans=1,1,3,1 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake 
returned\n        HDR=(CKY-R=4895a5c076262fc5)\n        SA=(SPI=754cb173565a55f6 Enc=DES Hash=MD5 Auth=RSA_Sig Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== RSA Encryption ===\n<pre>\n{\n   label \"default rule\"\n   local_id_type dn\n   local_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10\"\n   remote_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9\"\n\n   local_addr 0.0.0.0/0\n   remote_addr 0.0.0.0/0\n\n   p1_xform {auth_method rsa_encrypt oakley_group 1 auth_alg md5 encr_alg des}\n}\n</pre>\n<pre>\n$ ike-scan --trans=1,1,4,1 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=9264a0b930e405fc)\n        SA=(SPI=c706d01cca2ddc1b Enc=DES Hash=MD5 Auth=RSA_Enc Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== DSS Signature ===\n<pre>\n{\n   label \"default rule\"\n   local_id_type dn\n   local_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris10\"\n   remote_id \"C=GB O=NTA_Monitor OU=Technical_Dept CN=solaris9\"\n\n   local_addr 0.0.0.0/0\n   remote_addr 0.0.0.0/0\n\n   p1_xform {auth_method dss_sig oakley_group 1 auth_alg md5 encr_alg des}\n}\n</pre>\n<pre>\n$ ike-scan --trans=1,1,2,1 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=c38d0ac0f21f2bfd)\n        SA=(SPI=72b2de847e268ee2 Enc=DES Hash=MD5 Auth=DSS Group=1:modp768 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n\n== ISAKMP SA Lifetime ==\n=== Lifetime in Seconds ===\nSolaris 10 allows any 
lifetime in seconds including none at all.  However, it does not support variable length attributes with a value length greater than four bytes even if the value is small enough to fit in four bytes.\n\nFor no lifetime at all, Solaris will not include any lifetime in its response.  For any lifetime between zero and the maximum value that will fit in four bytes, Solaris will return that same lifetime.\n<pre>\n$ ike-scan --lifetime=none --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=da12237500a28e30)\n        SA=(SPI=1ad4b0c490fce1cb Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=0 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=55380e917896c597)\n        SA=(SPI=46a0b434621a4c85 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00000000)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=1 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=23b517f2fac77ebe)\n        SA=(SPI=b5d4db423539e776 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00000001)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=0xffffffff --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        
HDR=(CKY-R=773fe06a23a2490d)\n        SA=(SPI=3b0f6f54f0d48d90 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0xffffffff)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=0x0000000000000001 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=b2523d4015397c1b, msgid=fef45996)\n</pre>\n=== Lifetime in Kilobytes ===\nSolaris also supports a lifetime in kilobytes, and handles it in exactly the same way as a lifetime in seconds.\n<pre>\n$ ike-scan --lifetime=none --lifesize=0 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=877d54e81d8446e9)\n        SA=(SPI=e16ef93d5921e2fd Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Kilobytes LifeDuration(4)=0x00000000)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=none --lifesize=1 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=32fca270ef4cd858)\n        SA=(SPI=e99a5915faf3c7d3 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Kilobytes LifeDuration(4)=0x00000001)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=none --lifesize=0xffffffff --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=b520d53b2e15130d)\n        SA=(SPI=72d33124491bd808 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 
LifeType=Kilobytes LifeDuration(4)=0xffffffff)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan --lifetime=none --lifesize=0x0000000000000001 --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=25674e9cbc30a328, msgid=dfe20db5)\n</pre>\nSolaris also supports both a lifetime in seconds and a lifetime in kilobytes.\n<pre>\n$ ike-scan --lifetime=0xffffffff --lifesize=0xffffffff --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=0c95195c4375cac1)\n        SA=(SPI=fc539a291bfa7abe Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0xffffffff LifeType=Kilobytes LifeDuration(4)=0xffffffff)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n\n== Transform Attribute ordering and re-writing ==\nSolaris generally returns the transform attributes in the order that they are supplied by the initiator.\n\nIn the example below, we specify the four mandatory transform attributes in order Enc, Hash, Auth, Group and then in reverse order Group, Auth, Hash, Enc, and observe that in both cases the target returns the attributes in the same order as the initiator specified them.\n<pre>\n$ ike-scan -M --trans=\"(1=5,2=1,3=1,4=5)\" 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=8cd1ca4882160673)\n        SA=(SPI=8c144da430ece0a8 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n<pre>\n$ ike-scan -M --trans=\"(4=5,3=1,2=1,1=5)\" 
172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=d3eb20b057f117c1)\n        SA=(SPI=80ef8605abb52093 Group=5:modp1536 Auth=PSK Hash=MD5 Enc=3DES)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\nHere is another example, this time including a lifetime in seconds and a lifetime in kilobytes. Again, the attributes are returned in the same order that the initiator sent them.\n<pre>\n$ ike-scan -M --trans=\"(11=2,12=123,11=1,12=456,4=5,3=1,2=1,1=5)\" 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=501ec56ba6834f6e)\n        SA=(SPI=8fa327272a8d983e LifeType=Kilobytes LifeDuration=123 LifeType=Seconds LifeDuration=456 Group=5:modp1536 Auth=PSK Hash=MD5 Enc=3DES)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n\n== Aggressive Mode ==\nSun Solaris supports IKE Aggressive Mode in addition to Main Mode.\n\nBelow is an example Aggressive Mode response from Solaris 9 on SPARC:\n<pre>\n$ ike-scan -M -A --trans=5,1,1,5 192.168.124.158\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n192.168.124.158 Aggressive Mode Handshake returned\n        HDR=(CKY-R=3ea5319cdb000000)\n        SA=(SPI=3ea5319cdb000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        KeyExchange(192 bytes)\n        Nonce(32 bytes)\n        ID(Type=ID_IPV4_ADDR, Value=192.168.124.158)\n        Hash(16 bytes)\n</pre>\nBelow is an example Aggressive Mode response from Solaris 10 on Intel:\n<pre>\n$ ike-scan -A --trans=5,1,1,5 -M 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Aggressive Mode Handshake returned\n        
HDR=(CKY-R=9506ca7541f4bddc)\n        SA=(SPI=a12e4bf7890d82b3 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        KeyExchange(192 bytes)\n        Nonce(20 bytes)\n        ID(Type=ID_IPV4_ADDR, Value=172.16.3.28)\n        Hash(16 bytes)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n\n== Response to Noncompliant and Malformed Packets ==\nThe responses below are from Solaris 10 unless indicated otherwise.\n=== No acceptable transforms ===\n<pre>\n$ ike-scan -M --trans=1,1,1,1 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 14 (NO-PROPOSAL-CHOSEN)\n        HDR=(CKY-R=c817c7fd688ba3a3, msgid=657d7cd6)\n</pre>\n=== Bad IKE version ===\nSolaris uses the bad version number in the header of the response message.\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --headerver=0x30 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 5 (INVALID-MAJOR-VERSION)\n        HDR=(CKY-R=3ad5d91e76ad5314, version=0x30, msgid=c4f53ca1)\n</pre>\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --headerver=0x11 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 6 (INVALID-MINOR-VERSION)\n        HDR=(CKY-R=a78ed8e586b8cb27, version=0x11, msgid=2769fe27)\n</pre>\n=== Invalid DOI ===\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --doi=2 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 2 (DOI-NOT-SUPPORTED)\n        HDR=(CKY-R=b41de8c5c3313e35, msgid=2bd87c0f)\n</pre>\n=== Invalid Situation ===\nSolaris reports ''PAYLOAD-MALFORMED'' rather than ''SITUATION-NOT-SUPPORTED''.\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --situation=2 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts 
(http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 16 (PAYLOAD-MALFORMED)\n        HDR=(CKY-R=48ce342e2d841189, msgid=21a6056c)\n</pre>\n=== Invalid Initiator Cookie ===\nSolaris ignores an invalid cookie, or perhaps it considers a zero initiator cookie as valid.  Note that the SPI in the SA uses the value from the initiator cookie.\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --cookie=0000000000000000 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=f2e306962322f86c)\n        SA=(SPI=0000000000000000 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== Invalid Flags ===\n<pre>\n$ ike-scan -M --trans=5,1,1,5 --hdrflags=255 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 8 (INVALID-FLAGS)\n        HDR=(CKY-R=c230666316059330, msgid=7f4b873f)\n</pre>\n=== Invalid Protocol ===\nSolaris ignores an invalid protocol number in the SA proposal.\n<pre>\n$ ike-scan -M --protocol=2 --trans=5,1,1,5 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=44e6f3fa77df750e)\n        SA=(SPI=c4e677e48afd99cf Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== Invalid SPI ===\nSolaris ignores an invalid SPI length.\n<pre>\n$ ike-scan -M --spisize=32 --trans=5,1,1,5 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=b83b7b5012b3cbcd)\n        
SA=(SPI=0e948281684af0cf Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n=== Non-Zero Reserved Fields ===\n<pre>\n$ ike-scan -M --mbz=255 --trans=5,1,1,5 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Notify message 16 (PAYLOAD-MALFORMED)\n        HDR=(CKY-R=6d579021798fb502, msgid=3d317617)\n</pre>\n\n== NAT Traversal ==\nSolaris 10 supports NAT Traversal.  However, it does not respond to ike-scan with the ''--nat-t'' option because it sends the response from source port 500 rather than from port 4500, the port the request was sent to.  Here is a tcpdump trace which shows this behaviour:\n<pre>\n18:51:55.955646 IP 192.168.124.7.4500 > 172.16.3.28.4500: UDP, length: 88\n18:51:55.980394 IP 172.16.3.28.500 > 192.168.124.7.4500: isakmp: phase 1 ? ident\n</pre>\nIt is not known if this constitutes a bug that prevents NAT Traversal from working in real applications.\n\n== IKEv2 ==\nSun Solaris does not support IKEv2 as of Solaris 10.\n\n== Remote Access VPN Client ==\nThere is no separate Remote Access VPN client for Solaris.\n\n== Other Interesting Behaviour ==\n=== Last 24 bits of responder cookie are a counter on Solaris 9 ===\nOn Solaris 9, the last three bytes (24 bits) of the responder cookie are a counter. 
Below are twenty Solaris 9 responder cookies, sampled immediately after ''in.iked'' was restarted.\n\n<pre>\n23788f3c53000000\n6d2effb3ea000001\na2679fff31000002\nba64e960e2000003\n873545b0c3000004\na88d37b3ed000005\n7c4e8d8fff000006\n0863ccb21c000007\n0b01e70871000008\n1d0f8f9bfb000009\n6defb378ab00000a\n93a621380100000b\n562a4f16f700000c\n298895f01f00000d\n1f09280d7e00000e\nee5f35b0ba00000f\n1072a4a88e000010\nd805b9c006000011\n33aeccd084000012\n58a2c09d3a000013\n</pre>\n\nThe following command was used to obtain these responder cookie values:\n\n<pre>\nperl -e 'print \"192.168.124.158\\n\" x 20' | ike-scan -M --trans=5,1,1,5 -f -\n</pre>\n\nThis behaviour does not occur with Solaris 10, which has apparently random cookies.  Below are ten cookie samples from Solaris 10 running on IA-32, obtained with a similar command:\n<pre>\n3d49ae1f5533a10d\n728e6ae4e568dc29\nde708263348f01f3\n70ce3ce1db2dab42\n688ceabc6bf6ce4a\nf4e461b1e3766505\n85450b28dc1920b7\neaf882c3787684dd\n8c232d8c3e15f926\nd3f993df7439d6a7\n</pre>\n\n=== Solaris 9 uses responder cookie as SPI and Solaris 10 uses initiator cookie ===\nSolaris 9 adds an 8-byte SPI with the same value as the responder cookie to the responder SA.\n<pre>\n$ ike-scan -M --trans=5,1,1,5 192.168.124.158\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n192.168.124.158 Main Mode Handshake returned\n        HDR=(CKY-R=b982f8bd6b000014)\n        SA=(SPI=b982f8bd6b000014 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)\n</pre>\nSolaris 10 also adds an 8-byte SPI, but it uses the initiator cookie instead.\n<pre>\n$ ike-scan -M --cookie=0102030405060708 --trans=5,1,1,5 172.16.3.28\nStarting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n172.16.3.28     Main Mode Handshake returned\n        HDR=(CKY-R=72dcdd5203dd75de)\n        SA=(SPI=0102030405060708 Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds 
LifeDuration(4)=0x00007080)\n        VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)\n        VID=810fa565f8ab14369105d706fbd57279\n</pre>\n\n== Default Configuration ==\nThe IKE configuration is defined in the file ''/etc/inet/ike/config''.  If this file exists, then ''in.iked'' will start at boot time and use the configuration contained in it.\n\nSolaris contains a sample file ''/etc/inet/ike/config.sample'', which can be used as a template.  This sample file is shown below.\n\nIn practice, most if not all users will need to customise this file, so there will be no such thing as a default configuration.\n\n<pre>\n#\n#ident  \"@(#)config.sample      1.5     02/08/30 SMI\"\n#\n# Copyright 2001-2002 Sun Microsystems, Inc.  All rights reserved.\n# Use is subject to license terms.\n\n##\n## This file should be copied into /etc/inet/ike/config to enable the\n## launch of the IKE daemon, in.iked(1m), at boot time.  You can also\n## launch the IKE daemon after creating this file without rebooting by\n## invoking /usr/lib/inet/in.iked with a root shell.\n##\n\n# Consult the ike.config(4) man page for further details.  Here is a small\n# example from the man page.\n\n### BEGINNING OF FILE\n\n### First some global parameters...\n\n## Optional hardware acceleration parameters...\n## Use the pathname of a library that supports PKCS#11 in quotes.\n## The example path is for the Sun Crypto Accelerator 1000.\n# pkcs11_path \"/opt/SUNWconn/lib/libpkcs11.so\"\n\n## certificate parameters...\n\n# Root certificates.  I SHOULD use a full Distinguished Name.\n# I MUST have this certificate in my local filesystem, see ikecert(1m).\ncert_root    \"C=US, O=Sun Microsystems\\\\, Inc., CN=Sun CA\"\n\n# Explicitly trusted certs that need no signatures, or perhaps self-signed\n# ones.  
Like root certificates, use full DNs for them for now.\ncert_trust    \"EMAIL=root@domain.org\"\n\n# Where do I send LDAP requests?\nldap_server   \"ldap1.domain.org,ldap2.domain.org:389\"\n\n# Some PKI-specific tweaks...\n# If you wish to ignore CRLs, uncomment this:\n#ignore_crls\n# If you wish to use HTTP (with name resolution) for URLs inside certs,\n# uncomment this:\n#use_http\n# HTTP proxy and socks URLs should also be indicated if needed...\nsocks \"socks://socks-relay.domain.org\"\n#proxy \"http://http-proxy.domain.org:8080\"\n\n## Phase 1 transform defaults...\n\np1_lifetime_secs 14400\np1_nonce_len 20\n\n## Parameters that may also show up in rules.\n\np1_xform { auth_method preshared oakley_group 5 auth_alg sha encr_alg 3des }\np2_pfs 2\n\n### Now some rules...\n\n{\n   label \"simple inheritor\"\n   local_id_type ip\n   local_addr 10.1.1.1\n   remote_addr 10.1.1.2\n}\n\n{\n   # an index-only rule.  If I'm a receiver, and all I\n   # have are index-only rules, what do I do about inbound IKE requests?\n   # Answer:  Take them all!\n\n   label \"default rule\"\n   # Use whatever \"host\" (e.g. 
IP address) identity is appropriate\n   local_id_type ipv4\n\n   local_addr 0.0.0.0/0\n   remote_addr 0.0.0.0/0\n\n   p2_pfs 5\n\n   # Now I'm going to have the p1_xforms\n   p1_xform\n   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg blowfish }\n   p1_xform\n   {auth_method preshared  oakley_group 5  auth_alg md5  encr_alg 3des }\n\n   # After said list, another keyword (or a '}') will stop xform parsing.\n}\n\n{\n   # Let's try something a little more conventional.\n\n   label \"host to .80 subnet\"\n   local_id_type ip\n   local_id \"10.1.86.51\"\n\n   remote_id \"\"    # Take any, use remote_addr for access control.\n\n   local_addr 10.1.86.51\n   remote_addr 10.1.80.0/24\n\n   p1_xform\n   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg 3des }\n   p1_xform\n   { auth_method rsa_sig  oakley_group 5  auth_alg md5  encr_alg blowfish }\n   p1_xform\n   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg 3des }\n   p1_xform\n   { auth_method rsa_sig  oakley_group 5  auth_alg sha1  encr_alg blowfish }\n}\n</pre>\n\n== Discovered Vulnerabilities =="
                    }
                ]
            }
        }
    }
}