<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi all,<div><br></div><div>I have strongswan 4.3.5 working between two Linux 2.6 gateways, routing etc. is working perfectly. When looking at the established connections I'm getting:</div><div><br></div><div><div><font class="Apple-style-span" face="'Courier New'">000 Status of IKEv1 pluto daemon (strongSwan 4.3.5):</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface lo/lo ::1:500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface lo/lo 127.0.0.1:4500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface lo/lo 127.0.0.1:500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface lo/lo 127.0.0.2:4500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface lo/lo 127.0.0.2:500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface eth0/eth0 10.0.0.252:4500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface eth0/eth0 10.0.0.252:500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface eth1/eth1 10.0.0.5:4500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 interface eth1/eth1 10.0.0.5:500</font></div><div><font class="Apple-style-span" face="'Courier New'">000 %myid = '%any'</font></div><div><font class="Apple-style-span" face="'Courier New'">000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem hmac gmp </font></div><div><font class="Apple-style-span" face="'Courier New'">000 debug options: none</font></div><div><font class="Apple-style-span" face="'Courier New'">000 </font></div><div><font class="Apple-style-span" face="'Courier New'">Status of IKEv2 charon daemon (strongSwan 4.3.5):</font></div><div><font class="Apple-style-span" face="'Courier New'"> uptime: 117 seconds, since Oct 19 17:04:44 2010</font></div><div><font class="Apple-style-span" face="'Courier New'"> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4</font></div><div><font class="Apple-style-span" face="'Courier New'"> loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve </font></div><div><font class="Apple-style-span" face="'Courier New'">Listening IP addresses:</font></div><div><font class="Apple-style-span" face="'Courier New'"> 10.0.0.252</font></div><div><font class="Apple-style-span" face="'Courier New'"> 10.0.0.5</font></div><div><font class="Apple-style-span" face="'Courier New'">Connections:</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: 10.0.0.252...88.198.14.125</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: local: [C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info@apob.net] uses public key authentication</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: remote: [C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net] uses any authentication</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2: child: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </font></div><div><font class="Apple-style-span" face="'Courier New'">Security Associations:</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2[1]: ESTABLISHED 114 seconds ago, 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net]</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2[1]: IKE SPIs: 80f47cac247b838c_i* a6eef15b1c4cafc5_r, public key reauthentication in 2 hours</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cb001dde_i cb487bdb_o</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{1}: AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (15s ago), 0 bytes_o, rekeying in 41 minutes</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{1}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca0c17ef_i c24d0e02_o</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{2}: AES_CBC_128/HMAC_SHA1_96, 17994 bytes_i (15s ago), 16661 bytes_o (14s ago), rekeying in 46 minutes</font></div><div><font class="Apple-style-span" face="'Courier New'">tanzplatz-h3x2{2}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24</font></div></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div>The longer the SA is up, the more tunnels I get. All of them are being rekeyed. After 24 hours there are hundreds of them up. Is there a way to prevent this as I don't think this is the expected behaviour?</div><div><br></div><div>Here's my ipsec.conf:</div><div><br></div><div><div><font class="Apple-style-span" face="'Courier New'"># /etc/ipsec.conf - Openswan IPsec configuration file</font></div><div><font class="Apple-style-span" face="'Courier New'"># RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'"># This file: /usr/share/doc/packages/openswan/ipsec.conf-sample</font></div><div><font class="Apple-style-span" face="'Courier New'">#</font></div><div><font class="Apple-style-span" face="'Courier New'"># Manual: ipsec.conf.5</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'">version</font><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">2.0</font><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># conforms to second version of ipsec.conf specification</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'"># basic configuration</font></div><div><font class="Apple-style-span" face="'Courier New'">config setup</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># plutodebug / klipsdebug = "all", "none" or a combation from below:</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># "raw crypt parsing emitting control klips pfkey natt x509 private"</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># eg:</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#plutodebug="all"</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Only enable klipsdebug=all if you are a developer</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># NAT-TRAVERSAL support, see README.NAT-Traversal</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># nat_traversal=yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Certificate Revocation List handling:</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">crlcheckinterval=600</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">strictcrlpolicy=no</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Change rp_filter setting? (default is 0, disabled)</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># See also setting in the /etc/sysctl.conf file!</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#rp_filter=%unchanged</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Workaround to setup all tunnels immediately, since the new default</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># of "plutowait=no" causes "Resource temporarily unavailable" errors</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># for the first connect attempt over each tunnel, that is delayed to</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># be established later / on demand.</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">nat_traversal=yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'">conn %default</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># keyingtries default to %forever</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#keyingtries=3</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Sig keys (default: %dnsondemand)</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">leftrsasigkey=%cert</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">rightrsasigkey=%cert</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'"># Lifetimes, defaults are 1h/8hrs</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#ikelifetime=20m</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#keylife=1h</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">#rekeymargin=8m</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'">#Disable Opportunistic Encryption</font></div><div><font class="Apple-style-span" face="'Courier New'">include /usr/local/etc/ipsec.d/examples/no_oe.conf</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'">ca <a href="http://apob.net">apob.net</a></font></div><div><font class="Apple-style-span" face="'Courier New'"> cacert=apob.pem</font></div><div><font class="Apple-style-span" face="'Courier New'"> crluri=http://ca.apob.net/ca-crl.crl</font></div><div><font class="Apple-style-span" face="'Courier New'"> auto=add</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'"># Add connections here</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'">conn tanzplatz-h3x2</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">authby=rsasig</font></div><div><font class="Apple-style-span" face="'Courier New'"> left=10.0.0.252</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">leftcert=elias.pem</font></div><div><font class="Apple-style-span" face="'Courier New'"> leftsubnet=10.0.0.0/24</font></div><div><font class="Apple-style-span" face="'Courier New'"> right=88.198.14.125</font></div><div><font class="Apple-style-span" face="'Courier New'"> rightsubnet=10.1.0.0/24,172.16.8.0/24</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">rightcert=h3x2.pem</font></div><div><font class="Apple-style-span" face="'Courier New'"> compress=no</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">keyexchange=ikev2</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">keyingtries=%forever</font></div><div><font class="Apple-style-span" face="'Courier New'"> rekeyfuzz = 100%</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">pfs = yes</font></div><div><span class="Apple-tab-span" style="white-space:pre"><font class="Apple-style-span" face="'Courier New'"> </font></span><font class="Apple-style-span" face="'Courier New'">mobike=no</font></div><div><font class="Apple-style-span" face="'Courier New'"> auto=start</font></div></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="Helvetica">And all the charon messages from syslog:</font></div><div><font class="Apple-style-span" face="'Courier New'"><br></font></div><div><font class="Apple-style-span" face="'Courier New'"><div>Oct 19 17:04:43 tanzplatz charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.5)</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] listening on interfaces:</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth0</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.252</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::6ef0:49ff:fe13:64a7</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth1</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.5</div><div>Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::21b:21ff:fe1b:f53d</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded ca certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>" from '/usr/local/etc/ipsec.d/cacerts/apob.pem'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/elias.key'</div><div>Oct 19 17:04:43 tanzplatz charon: 01[DMN] loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve </div><div>Oct 19 17:04:43 tanzplatz charon: 01[JOB] spawning 16 worker threads</div><div>Oct 19 17:04:43 tanzplatz ipsec_starter[7194]: charon (7222) started after 20 ms</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add ca 'apob.net'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] added ca 'apob.net'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add connection 'tanzplatz-h3x2'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>" from 'elias.pem'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 10.0.0.252 not confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a></div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>" from 'h3x2.pem'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 88.198.14.125 not confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a></div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] added configuration 'tanzplatz-h3x2'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate 'tanzplatz-h3x2'</div><div>Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA tanzplatz-h3x2[1] to 88.198.14.125</div><div>Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA tanzplatz-h3x2[1] to 88.198.14.125</div><div>Oct 19 17:04:43 tanzplatz charon: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div>Oct 19 17:04:43 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[500] to 88.198.14.125[500]</div><div>Oct 19 17:04:44 tanzplatz charon: 14[NET] received packet: from 88.198.14.125[500] to 10.0.0.252[500]</div><div>Oct 19 17:04:44 tanzplatz charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] local host is behind NAT, sending keep alives</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] received cert request for "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>"</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending cert request for "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>"</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] authentication of 'C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>' (myself) with RSA signature successful</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending end entity cert "C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:04:44 tanzplatz charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) ]</div><div>Oct 19 17:04:44 tanzplatz charon: 14[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:04:46 tanzplatz charon: 17[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]</div><div>Oct 19 17:04:46 tanzplatz charon: 17[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] received end entity cert "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted ca certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] checking certificate status of "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] fetching crl from 'http://ca.apob.net/ca-crl.crl' ...</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl correctly signed by "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl is valid: until Oct 26 00:05:02 2010</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] certificate status is good</div><div>Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>"</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] authentication of 'C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a>' with RSA signature successful</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1] established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net]</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1] established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net, E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net]</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] scheduling reauthentication in 9844s</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] maximum IKE_SA lifetime 10384s</div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1} established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1} established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:04:46 tanzplatz charon: 17[IKE] received AUTH_LIFETIME of 9827s, scheduling reauthentication in 9287s</div><div>Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate 'tanzplatz-h3x2'</div><div>Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:05:01 tanzplatz charon: 13[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]</div><div>Oct 19 17:05:01 tanzplatz charon: 13[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:05:03 tanzplatz charon: 12[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]</div><div>Oct 19 17:05:03 tanzplatz charon: 12[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]</div><div>Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2} established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2} established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:06:16 tanzplatz charon: 15[IKE] sending keep alive</div><div>Oct 19 17:06:16 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:06:46 tanzplatz charon: 09[IKE] sending keep alive</div><div>Oct 19 17:06:46 tanzplatz charon: 09[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:07:19 tanzplatz charon: 15[IKE] sending keep alive</div><div>Oct 19 17:07:19 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:07:39 tanzplatz charon: 13[IKE] sending keep alive</div><div>Oct 19 17:07:39 tanzplatz charon: 13[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:08:15 tanzplatz charon: 10[IKE] sending keep alive</div><div>Oct 19 17:08:15 tanzplatz charon: 10[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:09:19 tanzplatz charon: 05[IKE] sending keep alive</div><div>Oct 19 17:09:19 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:09:45 tanzplatz charon: 16[IKE] sending keep alive</div><div>Oct 19 17:09:45 tanzplatz charon: 16[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate 'tanzplatz-h3x2'</div><div>Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA tanzplatz-h3x2</div><div>Oct 19 17:10:01 tanzplatz charon: 12[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]</div><div>Oct 19 17:10:01 tanzplatz charon: 12[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:10:01 tanzplatz charon: 10[NET] received packet: from 88.198.14.125[4500] to 10.0.0.252[4500]</div><div>Oct 19 17:10:01 tanzplatz charon: 10[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]</div><div>Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24 </div><div>Oct 19 17:10:32 tanzplatz charon: 05[IKE] sending keep alive</div><div>Oct 19 17:10:32 tanzplatz charon: 05[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:10:52 tanzplatz charon: 09[IKE] sending keep alive</div><div>Oct 19 17:10:52 tanzplatz charon: 09[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:11:12 tanzplatz charon: 16[IKE] sending keep alive</div><div>Oct 19 17:11:12 tanzplatz charon: 16[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:12:13 tanzplatz charon: 15[IKE] sending keep alive</div><div>Oct 19 17:12:13 tanzplatz charon: 15[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div>Oct 19 17:12:47 tanzplatz charon: 08[IKE] sending keep alive</div><div>Oct 19 17:12:47 tanzplatz charon: 08[NET] sending packet: from 10.0.0.252[4500] to 88.198.14.125[4500]</div><div><span class="Apple-style-span" style="font-family: 'Helvetica Neue'; "><br></span></div><div><span class="Apple-style-span" style="font-family: 'Helvetica Neue'; ">I hope someone has a fix for this.</span></div><div> </div><div><span class="Apple-style-span" style="font-family: Helvetica; ">KInd Regards,</span></div><div><font class="Apple-style-span" face="Helvetica">Matthias</font></div><div><font class="Apple-style-span" face="Helvetica"><br></font></div></font></div><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: 'Helvetica Neue'; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="color: rgb(79, 129, 189); "><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; "><b>Matthias Läßig</b></span></font></span><span lang="EN-GB" style="font-size: 10pt; color: rgb(79, 129, 189); "><span class="Apple-converted-space"> </span>| certified</span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 10pt; color: rgb(79, 129, 189); "> it security specialist</span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 8pt; color: gray; "><br></span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 8pt; color: rgb(31, 73, 125); ">fon:</span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 8pt; color: rgb(31, 73, 125); "> +49.89.4209548370 </span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 10pt; color: rgb(31, 73, 125); ">|</span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 8pt; color: rgb(31, 73, 125); "> fax: +49.89.4209548379 </span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 10pt; color: rgb(31, 73, 125); ">|</span></span><span class="Apple-style-span" style="font-size: 15px; "><span lang="EN-GB" style="font-size: 8pt; color: rgb(31, 73, 125); "> mobile: +49.162.2470635</span></span><br><br></span>
</div>
<br></body></html>