<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>configuring charon with installpolicy=no</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Hi,</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">First off, I googled a lot before sending this email, but found no answer.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">My question is:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">--------------------</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">-</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">how to properly configure Charon with “installpolicy=no”, so that</FONT> <FONT SIZE=2 FACE="Courier New">I will be able to control SPD policies priority order.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">More details:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">--------------------</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">I have two hosts, first one (host1) has IP addresses 10.0.0.1/24, 20.0.0.1/24, second one (host2) has ip address 30.0.0.1/24 40.0.0.1/24. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">The scenario is a vpn is</FONT> <FONT SIZE=2 FACE="Courier New">to be established between 20.0.0.1 === 40.0.0.1, serving subnets 10.0.0.0/24 === 30.0.0.0/24. </FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">I want to be able to insert (just of the sake of example) and exception to this security policy, that if you a ping goes from 10.0.0.1 to 30.0.0.1 (and the oth</FONT><FONT SIZE=2 FACE="Courier New">erway around), it should be passed through un-encrypted.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Ideally, I should be able to introduce SPD policies with higher priorities, in a way that the ping policy has higher priority (I am using setkey)</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Host1:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd 10.0.0.0/24 30.0.0.0/24 icmp</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P out</FONT> <FONT SIZE=2 FACE="Courier New">prio 1001 none;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="it"></SPAN><SPAN LANG="it"><FONT SIZE=2 FACE="Courier New">spdadd 30.0.0.0/24 10.0.0.0/24 icmp</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P in prio 1001 none;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd 10.0.0.0/24 30.0.0.0/24 any</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P out prio 1000 ipsec esp/tunnel/20.0.0.1-40.0.0.1/unique;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd 30.0.0.0/24 10.0.0.0/24 any</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P in prio 1000 ipsec esp/tunnel/40.0.0.1-20.0.0</FONT><FONT SIZE=2 FACE="Courier New">.1/unique;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Host2:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="it"></SPAN><SPAN LANG="it"><FONT SIZE=2 FACE="Courier New">spdadd 10.0.0.0/24 30.0.0.0/24 icmp</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P in prio 1001 none;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-gb"></SPAN><SPAN LANG="en-gb"><FONT SIZE=2 FACE="Courier New">spdadd 30.0.0.0/24 10.0.0.0/24 icmp</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P out prio 1001 none;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd 10.0.0.0/24 30.0.0.0/24 any</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P in prio 1000 ipsec esp/tunnel/20.0.0.1-40.0.0.1/unique;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd 3</FONT><FONT SIZE=2 FACE="Courier New">0.0.0.0/24 10.0.0.0/24 any</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">P out prio 1000 ipsec esp/tunnel/40.0.0.1-20.0.0.1/unique;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">(the above example works with IKEv1 Racoon, which doesn</FONT><FONT SIZE=2 FACE="Courier New">’</FONT><FONT SIZE=2 FACE="Courier New">t try to play with policies)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">In order to achieve the same with Charon, I have either 2 ways: (A) prevent Charo</FONT><FONT SIZE=2 FACE="Courier New">n from install the SPD policies, or (B) tell charon how to treat priorties.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Solution (A):</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">============</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Prevent Charon from installing policies, and do that manually instead. I didn</FONT><FONT SIZE=2 FACE="Courier New">’</FONT><FONT SIZE=2 FACE="Courier New">t go so far here: I tried to use installpolicy=no. Here is what I did (on</FONT><FONT SIZE=2 FACE="Courier New">ly “ipsec” policy is tried)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Host1:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24 any -P out ipsec esp/tunnel/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">20.0.0.1-40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">unqiue</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">spdadd</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24 any -P in ipsec esp/tunnel/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1-20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">unqiue</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">;</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">setkey -DP</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any]</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any] any</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> in prio def ipsec</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> esp/tunnel/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1-20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">/require</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> created: May 14 14:11:13 2010 lastused:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> lifetime: 0(s) validtime: 0(s)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> spid=8744 seq=2 pid=14660</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> refcnt=1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any]</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any] any</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> </FONT> <FONT SIZE=2 FACE="Courier New">out prio def ipsec</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> esp/tunnel/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">20.0.0.1-40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">/require</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> created: May 14 14:11:13 2010 lastused:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> lifetime: 0(s) validtime: 0(s)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> spid=8737 seq=1 pid=14660</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> refcnt=1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any]</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24[any] any</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> fwd prio def ipsec</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> esp/tunnel/</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1-20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">/require</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> created: May 14 14:11:13 2010 lastused:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> lifetime: 0(s) validtime: 0(s)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> spid=8754 seq=0 pid=14660</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> refcnt=1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">ipsec.conf:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">config setup</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> charonstart</FONT><FONT SIZE=2 FACE="Courier New">=yes</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> plutostart=no</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">conn %default</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> keyexchange=ikev2</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> auto=route</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> installpolicy=no</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">ca strongswan</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">conn</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">CONF</FONT><FONT SIZE=2 FACE="Courier New">IG</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> rekeymargin=2880</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> rekeyfuzz=100%</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> left=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">2</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> right=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> leftsubnet=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> rightsubnet=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">3</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.0.0.0/24</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> leftprotoport=%any</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> rightprotoport=%any</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> authby=secret</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> leftid=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">2</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">.</FONT><FONT SIZE=2 FACE="Courier New">0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> rightid=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> ike=aes128-md5-modp1536</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> esp=aes128-sha1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> type=tunnel</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> ikelifetime=28800s</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> keylife=28800s</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">now start starter:</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">$</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">starter --nofork</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Starting strongSwan 4.3.6 IPsec [starter]...</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[DMN] Starti</FONT><FONT SIZE=2 FACE="Courier New">ng IKEv2 charon daemon (strongSwan 4.3.6)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] listening on interfaces:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] eth0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] </FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] fe80::209:6bff:fe58:6492</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] eth1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] 192.168.0.250</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] 10.0.0.1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[KNL] fe80::209:6bff:fe58:6493</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] l</FONT><FONT SIZE=2 FACE="Courier New">oading ca certificates from '/usr/local/etc/ipsec.d/cacerts'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loading attribute certificates from</FONT> <FONT SIZE=2 FACE="Courier New">'/usr/local/etc/ipsec.d/acerts'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[CFG] loaded IKE secret for</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf ran</FONT><FONT SIZE=2 FACE="Courier New">dom x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">00[JOB] spawning 16 worker threads</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">charon (18334) started after 100 ms</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">01[JOB] started worker thread, ID: 1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">01[JOB] no events, waiting</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">03[JOB] started worker threa</FONT><FONT SIZE=2 FACE="Courier New">d, ID: 3</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">04[JOB] started worker thread, ID: 4</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">05[JOB] started worker thread, ID: 5</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">06[JOB] started worker thread, ID: 6</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">06[NET] waiting for data on raw sockets</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[JOB] started worker thread, ID: 8</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] received stroke: add connection 'CONFIG'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] co</FONT><FONT SIZE=2 FACE="Courier New">nn CONFIG</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] left=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftsubnet=10.0.0.0/24</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftsourceip=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftauth=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftauth2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftid=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[JOB] started worker thread, ID: 2</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">07[JOB] started worker thread, ID: 7</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">09[JOB</FONT><FONT SIZE=2 FACE="Courier New">] started worker thread, ID: 9</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">10[JOB] started worker thread, ID: 10</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">11[JOB] started worker thread, ID: 11</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">12[JOB] started worker thread, ID: 12</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">13[JOB] started worker thread, ID: 13</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">14[JOB] started worker thread, ID: 14</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">15[JOB] started worker thread, ID:</FONT> <FONT SIZE=2 FACE="Courier New">15</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">16[JOB] started worker thread, ID: 16</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftid2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftcert=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftcert2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftca=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftca2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftgroups=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] leftupdown=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] right=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG]</FONT><FONT SIZE=2 FACE="Courier New"> rightsubnet=30.0.0.0/24</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightsourceip=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightauth=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightauth2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightid=</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightid2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightcert=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightcert2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightca=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] </FONT> <FONT SIZE=2 FACE="Courier New">rightca2=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightgroups=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] rightupdown=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] eap_identity=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] ike=aes128-md5-modp1536</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] esp=aes128-sha1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] mediation=no</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] mediated_by=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] me_peerid=(null)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[KNL]</FONT> <FONT SIZE=2 FACE="Courier New">getting interface name for</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[KNL]</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> is not a local address</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[KNL] getting interface name for</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[KNL]</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">20.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> is on interface eth0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">08[CFG] added configuration 'CONFIG'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[CFG] received stroke: route 'CONFIG'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[CFG] proposing tra</FONT><FONT SIZE=2 FACE="Courier New">ffic selectors for us:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[CFG] proposing traffic selectors for other:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">configuration 'CONFIG' routed</FONT></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">at this point, it is really irrelevant if you configure ho</FONT><FONT SIZE=2 FACE="Courier New">st2 or not, simple because nothing will be sent. Try a ping from host2 to host1 (which should be encrypted)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">ping</FONT> <FONT SIZE=2 FACE="Courier New">–</FONT><FONT SIZE=2 FACE="Courier New">I 30.0.0.1 10.0.0.1</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">3[KNL] received a XFRM_MSG_ACQUIRE</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">03[KNL] XFRMA_TMPL</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] ===</FONT> <FONT SIZE=2 FACE="Courier New">30.0.0.1/32[icmp] with reqid {0}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">10[CFG] trap not found, unable to acquire reqid 0</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">note that after this ping,a one direction SAD is created:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">setkey -D</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">root@pennywise ipsec-tools-0.8-alpha20090422]# setkey -D</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">20.0.</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"></FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">40.0.0.1</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> esp mode=tunnel spi</FONT><FONT SIZE=2 FACE="Courier New">=0(0x00000000) reqid=0(0x00000000)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> seq=0x00000000 replay=0 flags=0x00000000 state=larval</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> created: May 14 15:22:52 2010 current: May 14 15:22:58 2010</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> diff: 6(s) hard: 165(s) soft: 0(s)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> last</FONT><FONT SIZE=2 FACE="Courier New">: hard: 0(s) soft: 0(s)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> allocated: 0 hard: 0 soft: 0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> sadb_seq=0 pid=18395 refcnt=0</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">given the spi=0, I guess this is just an initialized one, no</FONT><FONT SIZE=2 FACE="Courier New">t even yet completed.</FONT></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">As far as I could tell from “trap not found” error message, charon is trying to find a matching SPD policy before it started IKE negotiation, but it is not able to find it? why is that?</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<BR>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Solution (</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">B</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">):</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">============</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Is there a way to</FONT><FONT SIZE=2 FACE="Courier New"> control the order at which Charon installs SPD policies?</FONT></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>
</BODY>
</HTML>