<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hi Andreas,</div><div><br></div><div>I took a look at the starter script and it seems it collided with the ipsec implementation the distro provided. I manually copied the strongswan version over and the problem seems to have vanished.</div><div>And I blamed it on strongswan... *stupidofme*</div><div><br></div><div>Thanks,</div><div>/matthi.</div><br><div><div>On Oct 19, 2010, at 8:46 PM, Andreas Steffen wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Matthias,<br><br>I just see from your log that ipsec starter initiates the connection<br>several times in a row:<br><br><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><br><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><br><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><br>I actually don't understand what you are doing because starter should<br>initiate the connection only once.<br><br>Regards<br><br>Andreas<br><br>On 19.10.2010 19:19, Matthias Läßig wrote:<br><blockquote type="cite">Hi all,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I have strongswan 4.3.5 working between two Linux 2.6 gateways, routing<br></blockquote><blockquote type="cite">etc. is working perfectly. 
When looking at the established connections<br></blockquote><blockquote type="cite">I'm getting:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">000 Status of IKEv1 pluto daemon (strongSwan 4.3.5):<br></blockquote><blockquote type="cite">000 interface lo/lo ::1:500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.1:4500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.1:500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.2:4500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.2:500<br></blockquote><blockquote type="cite">000 interface eth0/eth0 10.0.0.252:4500<br></blockquote><blockquote type="cite">000 interface eth0/eth0 10.0.0.252:500<br></blockquote><blockquote type="cite">000 interface eth1/eth1 10.0.0.5:4500<br></blockquote><blockquote type="cite">000 interface eth1/eth1 10.0.0.5:500<br></blockquote><blockquote type="cite">000 %myid = '%any'<br></blockquote><blockquote type="cite">000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1<br></blockquote><blockquote type="cite">pgp dnskey pem hmac gmp<br></blockquote><blockquote type="cite">000 debug options: none<br></blockquote><blockquote type="cite">000<br></blockquote><blockquote type="cite">Status of IKEv2 charon daemon (strongSwan 4.3.5):<br></blockquote><blockquote type="cite"> uptime: 117 seconds, since Oct 19 17:04:44 2010<br></blockquote><blockquote type="cite"> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4<br></blockquote><blockquote type="cite"> loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey<br></blockquote><blockquote type="cite">pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr<br></blockquote><blockquote type="cite">resolve<br></blockquote><blockquote type="cite">Listening IP addresses:<br></blockquote><blockquote type="cite"> 10.0.0.252<br></blockquote><blockquote type="cite"> 
10.0.0.5<br></blockquote><blockquote type="cite">Connections:<br></blockquote><blockquote type="cite">tanzplatz-h3x2: 10.0.0.252...88.198.14.125<br></blockquote><blockquote type="cite">tanzplatz-h3x2: local: [C=DE, ST=Bavaria, L=Unterschleissheim,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=elias.apob.net, E=info@apob.net]<br></blockquote><blockquote type="cite">uses public key authentication<br></blockquote><blockquote type="cite">tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Unterschleissheim,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">tanzplatz-h3x2: remote: [C=DE, ST=Bavaria, L=Nuremberg, O=apob.net,<br></blockquote><blockquote type="cite">OU=Network Services, CN=h3x2.apob.net, E=info@apob.net] uses any<br></blockquote><blockquote type="cite">authentication<br></blockquote><blockquote type="cite">tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net,<br></blockquote><blockquote type="cite">OU=Network Services, CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">tanzplatz-h3x2: child: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Security Associations:<br></blockquote><blockquote type="cite">tanzplatz-h3x2[1]: ESTABLISHED 114 seconds ago, 10.0.0.252[C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=elias.apob.net, E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria,<br></blockquote><blockquote type="cite">L=Nuremberg, O=apob.net, OU=Network Services, 
CN=h3x2.apob.net,<br></blockquote><blockquote type="cite">E=info@apob.net]<br></blockquote><blockquote type="cite">tanzplatz-h3x2[1]: IKE SPIs: 80f47cac247b838c_i* a6eef15b1c4cafc5_r,<br></blockquote><blockquote type="cite">public key reauthentication in 2 hours<br></blockquote><blockquote type="cite">tanzplatz-h3x2[1]: IKE proposal:<br></blockquote><blockquote type="cite">AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br></blockquote><blockquote type="cite">tanzplatz-h3x2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cb001dde_i<br></blockquote><blockquote type="cite">cb487bdb_o<br></blockquote><blockquote type="cite">tanzplatz-h3x2{1}: AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (15s ago), 0<br></blockquote><blockquote type="cite">bytes_o, rekeying in 41 minutes<br></blockquote><blockquote type="cite">tanzplatz-h3x2{1}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">tanzplatz-h3x2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca0c17ef_i<br></blockquote><blockquote type="cite">c24d0e02_o<br></blockquote><blockquote type="cite">tanzplatz-h3x2{2}: AES_CBC_128/HMAC_SHA1_96, 17994 bytes_i (15s ago),<br></blockquote><blockquote type="cite">16661 bytes_o (14s ago), rekeying in 46 minutes<br></blockquote><blockquote type="cite">tanzplatz-h3x2{2}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The longer the SA is up, the more tunnels I get. All of them are being<br></blockquote><blockquote type="cite">rekeyed. After 24 hours there are hundreds of them up. 
Is there a way to<br></blockquote><blockquote type="cite">prevent this as I don't think this is the expected behaviour?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Here's my ipsec.conf:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"># /etc/ipsec.conf - Openswan IPsec configuration file<br></blockquote><blockquote type="cite"># RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"># This file: /usr/share/doc/packages/openswan/ipsec.conf-sample<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># Manual: ipsec.conf.5<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">version 2.0 # conforms to second version of ipsec.conf specification<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"># basic configuration<br></blockquote><blockquote type="cite">config setup<br></blockquote><blockquote type="cite"># plutodebug / klipsdebug = "all", "none" or a combination from below:<br></blockquote><blockquote type="cite"># "raw crypt parsing emitting control klips pfkey natt x509 private"<br></blockquote><blockquote type="cite"># eg:<br></blockquote><blockquote type="cite">#plutodebug="all"<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># Only enable klipsdebug=all if you are a developer<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># NAT-TRAVERSAL support, see README.NAT-Traversal<br></blockquote><blockquote type="cite"># nat_traversal=yes<br></blockquote><blockquote type="cite"># virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># Certificate Revocation List handling:<br></blockquote><blockquote 
type="cite">crlcheckinterval=600<br></blockquote><blockquote type="cite">strictcrlpolicy=no<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># Change rp_filter setting? (default is 0, disabled)<br></blockquote><blockquote type="cite"># See also setting in the /etc/sysctl.conf file!<br></blockquote><blockquote type="cite">#rp_filter=%unchanged<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite"># Workaround to setup all tunnels immediately, since the new default<br></blockquote><blockquote type="cite"># of "plutowait=no" causes "Resource temporarily unavailable" errors<br></blockquote><blockquote type="cite"># for the first connect attempt over each tunnel, that is delayed to<br></blockquote><blockquote type="cite"># be established later / on demand.<br></blockquote><blockquote type="cite">#<br></blockquote><blockquote type="cite">nat_traversal=yes<br></blockquote><blockquote type="cite">virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn %default<br></blockquote><blockquote type="cite"># keyingtries default to %forever<br></blockquote><blockquote type="cite">#keyingtries=3<br></blockquote><blockquote type="cite"># Sig keys (default: %dnsondemand)<br></blockquote><blockquote type="cite">leftrsasigkey=%cert<br></blockquote><blockquote type="cite">rightrsasigkey=%cert<br></blockquote><blockquote type="cite"># Lifetimes, defaults are 1h/8hrs<br></blockquote><blockquote type="cite">#ikelifetime=20m<br></blockquote><blockquote type="cite">#keylife=1h<br></blockquote><blockquote type="cite">#rekeymargin=8m<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">#Disable Opportunistic Encryption<br></blockquote><blockquote type="cite">include /usr/local/etc/ipsec.d/examples/no_oe.conf<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">ca <a 
href="http://apob.net">apob.net</a> <<a href="http://apob.net">http://apob.net</a>><br></blockquote><blockquote type="cite"> cacert=apob.pem<br></blockquote><blockquote type="cite"> crluri=http://ca.apob.net/ca-crl.crl<br></blockquote><blockquote type="cite"> auto=add<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"># Add connections here<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">conn tanzplatz-h3x2<br></blockquote><blockquote type="cite">authby=rsasig<br></blockquote><blockquote type="cite"> left=10.0.0.252<br></blockquote><blockquote type="cite">leftcert=elias.pem<br></blockquote><blockquote type="cite"> leftsubnet=10.0.0.0/24<br></blockquote><blockquote type="cite"> right=88.198.14.125<br></blockquote><blockquote type="cite"> rightsubnet=10.1.0.0/24,172.16.8.0/24<br></blockquote><blockquote type="cite">rightcert=h3x2.pem<br></blockquote><blockquote type="cite"> compress=no<br></blockquote><blockquote type="cite">keyexchange=ikev2<br></blockquote><blockquote type="cite">keyingtries=%forever<br></blockquote><blockquote type="cite"> rekeyfuzz = 100%<br></blockquote><blockquote type="cite">pfs = yes<br></blockquote><blockquote type="cite">mobike=no<br></blockquote><blockquote type="cite"> auto=start<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">And all the charon messages from syslog:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[DMN] Starting IKEv2 charon daemon<br></blockquote><blockquote type="cite">(strongSwan 4.3.5)<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] listening on interfaces:<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth0<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.252<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] 
fe80::6ef0:49ff:fe13:64a7<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth1<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.5<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::21b:21ff:fe1b:f53d<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ca certificates from<br></blockquote><blockquote type="cite">'/usr/local/etc/ipsec.d/cacerts'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded ca certificate "C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net<br></blockquote><blockquote type="cite">Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a> <<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">from '/usr/local/etc/ipsec.d/cacerts/apob.pem'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading aa certificates from<br></blockquote><blockquote type="cite">'/usr/local/etc/ipsec.d/aacerts'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ocsp signer<br></blockquote><blockquote type="cite">certificates from '/usr/local/etc/ipsec.d/ocspcerts'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading attribute certificates<br></blockquote><blockquote type="cite">from '/usr/local/etc/ipsec.d/acerts'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading crls from<br></blockquote><blockquote type="cite">'/usr/local/etc/ipsec.d/crls'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading secrets from<br></blockquote><blockquote type="cite">'/usr/local/etc/ipsec.secrets'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[CFG] 
loaded RSA private key from<br></blockquote><blockquote type="cite">'/usr/local/etc/ipsec.d/private/elias.key'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[DMN] loaded plugins: curl aes des<br></blockquote><blockquote type="cite">sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac<br></blockquote><blockquote type="cite">gmp kernel-netlink stroke updown attr resolve<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 01[JOB] spawning 16 worker threads<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz ipsec_starter[7194]: charon (7222) started<br></blockquote><blockquote type="cite">after 20 ms<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add ca 'apob.net'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] added ca 'apob.net'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add<br></blockquote><blockquote type="cite">connection 'tanzplatz-h3x2'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>" from<br></blockquote><blockquote type="cite">'elias.pem'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 10.0.0.252 not<br></blockquote><blockquote type="cite">confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria,<br></blockquote><blockquote type="cite">L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net,<br></blockquote><blockquote type="cite"><a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a 
href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>><br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>" from 'h3x2.pem'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 88.198.14.125 not<br></blockquote><blockquote type="cite">confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria,<br></blockquote><blockquote type="cite">L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net,<br></blockquote><blockquote type="cite"><a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>><br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] added configuration<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2[1] to 88.198.14.125<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2[1] to 88.198.14.125<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[ENC] generating IKE_SA_INIT request<br></blockquote><blockquote type="cite">0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br></blockquote><blockquote type="cite">Oct 19 17:04:43 tanzplatz charon: 05[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[500] to 
88.198.14.125[500]<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[NET] received packet: from<br></blockquote><blockquote type="cite">88.198.14.125[500] to 10.0.0.252[500]<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[ENC] parsed IKE_SA_INIT response 0<br></blockquote><blockquote type="cite">[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] local host is behind NAT,<br></blockquote><blockquote type="cite">sending keep alives<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] received cert request for<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,<br></blockquote><blockquote type="cite">CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending cert request for<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,<br></blockquote><blockquote type="cite">CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] authentication of 'C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>' (myself)<br></blockquote><blockquote type="cite">with RSA signature successful<br></blockquote><blockquote 
type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending end entity cert "C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=elias.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[ENC] generating IKE_AUTH request 1<br></blockquote><blockquote type="cite">[ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) ]<br></blockquote><blockquote type="cite">Oct 19 17:04:44 tanzplatz charon: 14[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[NET] received packet: from<br></blockquote><blockquote type="cite">88.198.14.125[4500] to 10.0.0.252[4500]<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[ENC] parsed IKE_AUTH response 1 [<br></blockquote><blockquote type="cite">IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] received end entity cert<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted ca certificate<br></blockquote><blockquote type="cite">"C=DE, 
ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,<br></blockquote><blockquote type="cite">CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] checking certificate status of<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] fetching crl from<br></blockquote><blockquote type="cite">'http://ca.apob.net/ca-crl.crl' ...<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,<br></blockquote><blockquote type="cite">CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl correctly signed by<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,<br></blockquote><blockquote type="cite">CN=apob.net Certification Authority, <a href="mailto:E=info@ca.apob.net">E=info@ca.apob.net</a><br></blockquote><blockquote type="cite"><<a href="mailto:E=info@ca.apob.net">mailto:E=info@ca.apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl is valid: until Oct 26<br></blockquote><blockquote type="cite">00:05:02 2010<br></blockquote><blockquote 
type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] certificate status is good<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate<br></blockquote><blockquote type="cite">"C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>"<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] authentication of 'C=DE,<br></blockquote><blockquote type="cite">ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,<br></blockquote><blockquote type="cite">CN=h3x2.apob.net, <a href="mailto:E=info@apob.net">E=info@apob.net</a> <<a href="mailto:E=info@apob.net">mailto:E=info@apob.net</a>>' with RSA<br></blockquote><blockquote type="cite">signature successful<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1]<br></blockquote><blockquote type="cite">established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=elias.apob.net,<br></blockquote><blockquote type="cite">E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net]<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1]<br></blockquote><blockquote type="cite">established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=elias.apob.net,<br></blockquote><blockquote type="cite">E=info@apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg,<br></blockquote><blockquote type="cite">O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info@apob.net]<br></blockquote><blockquote 
type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] scheduling reauthentication in<br></blockquote><blockquote type="cite">9844s<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] maximum IKE_SA lifetime 10384s<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1}<br></blockquote><blockquote type="cite">established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1}<br></blockquote><blockquote type="cite">established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:04:46 tanzplatz charon: 17[IKE] received AUTH_LIFETIME of<br></blockquote><blockquote type="cite">9827s, scheduling reauthentication in 9287s<br></blockquote><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 13[ENC] generating CREATE_CHILD_SA<br></blockquote><blockquote type="cite">request 2 [ SA No TSi TSr ]<br></blockquote><blockquote type="cite">Oct 19 17:05:01 tanzplatz charon: 13[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:05:03 tanzplatz charon: 12[NET] received packet: from<br></blockquote><blockquote 
type="cite">88.198.14.125[4500] to 10.0.0.252[4500]<br></blockquote><blockquote type="cite">Oct 19 17:05:03 tanzplatz charon: 12[ENC] parsed CREATE_CHILD_SA<br></blockquote><blockquote type="cite">response 2 [ SA No TSi TSr ]<br></blockquote><blockquote type="cite">Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2}<br></blockquote><blockquote type="cite">established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2}<br></blockquote><blockquote type="cite">established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:06:16 tanzplatz charon: 15[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:06:16 tanzplatz charon: 15[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:06:46 tanzplatz charon: 09[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:06:46 tanzplatz charon: 09[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:07:19 tanzplatz charon: 15[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:07:19 tanzplatz charon: 15[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:07:39 tanzplatz charon: 13[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:07:39 tanzplatz charon: 13[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:08:15 tanzplatz charon: 
10[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:08:15 tanzplatz charon: 10[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:09:19 tanzplatz charon: 05[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:09:19 tanzplatz charon: 05[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:09:45 tanzplatz charon: 16[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:09:45 tanzplatz charon: 16[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate<br></blockquote><blockquote type="cite">'tanzplatz-h3x2'<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA<br></blockquote><blockquote type="cite">tanzplatz-h3x2<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 12[ENC] generating CREATE_CHILD_SA<br></blockquote><blockquote type="cite">request 3 [ SA No TSi TSr ]<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 12[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 10[NET] received packet: from<br></blockquote><blockquote type="cite">88.198.14.125[4500] to 10.0.0.252[4500]<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 10[ENC] parsed CREATE_CHILD_SA<br></blockquote><blockquote type="cite">response 3 [ SA No TSi TSr 
]<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3}<br></blockquote><blockquote type="cite">established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3}<br></blockquote><blockquote type="cite">established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 ===<br></blockquote><blockquote type="cite">10.1.0.0/24 172.16.8.0/24<br></blockquote><blockquote type="cite">Oct 19 17:10:32 tanzplatz charon: 05[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:10:32 tanzplatz charon: 05[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:10:52 tanzplatz charon: 09[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:10:52 tanzplatz charon: 09[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:11:12 tanzplatz charon: 16[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:11:12 tanzplatz charon: 16[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:12:13 tanzplatz charon: 15[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:12:13 tanzplatz charon: 15[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 88.198.14.125[4500]<br></blockquote><blockquote type="cite">Oct 19 17:12:47 tanzplatz charon: 08[IKE] sending keep alive<br></blockquote><blockquote type="cite">Oct 19 17:12:47 tanzplatz charon: 08[NET] sending packet: from<br></blockquote><blockquote type="cite">10.0.0.252[4500] to 
88.198.14.125[4500]<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I hope someone has a fix for this.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Kind Regards,<br></blockquote><blockquote type="cite">Matthias<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">*Matthias Läßig* | certified it security specialist<br></blockquote><blockquote type="cite">fon: +49.89.4209548370 | fax: +49.89.4209548379 | mobile: +49.162.2470635<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">Users mailing list<br></blockquote><blockquote type="cite"><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br></blockquote><blockquote type="cite"><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote><br><br>--<br>======================================================================<br>Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></blockquote></div><br><div>
<b>Matthias Läßig</b> | certified it security specialist<br>fon: +49.89.4209548370 | fax: +49.89.4209548379 | mobile: +49.162.2470635<br><br>
</div>
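<div>Added example, not code from the thread or from the strongSwan project: a small Python checker that reads charon syslog lines of the kind quoted above and flags any connection that receives more than one <code>received stroke: initiate</code>, listing the gap between the initiates and the CHILD_SA instance that each one produced. The connection name, the timestamps and the SPIs of instances {2} and {3} in the sample are taken from the log in the thread; instance {1}, the <code>other-peer</code> connection, their SPIs and all function names are constructed for the example.</div>

```python
"""Flag repeated 'initiate' stroke commands in strongSwan charon logs.

Added example, not code from the thread or from the strongSwan project.
Reads syslog-style charon lines (legacy stroke interface, as in 4.x) and
reports any connection whose 'received stroke: initiate' shows up more than
once, together with the CHILD_SA instances that each initiate produced.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample. Connection name, timestamps and the SPIs of instances
# {2} and {3} follow the log quoted in the thread; instance {1}, 'other-peer'
# and their SPIs are made up. Lines are unwrapped (the mail wrapped them).
# The duplicated {3} line mimics the double logging visible in the thread.
SAMPLE_LOG = """\
Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:04:44 tanzplatz charon: 05[IKE] CHILD_SA tanzplatz-h3x2{1} established with SPIs c1ec3a40_i c9a1d2e7_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2} established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:06:16 tanzplatz charon: 15[IKE] sending keep alive
Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate 'tanzplatz-h3x2'
Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA tanzplatz-h3x2
Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3} established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
Oct 19 17:11:00 tanzplatz charon: 09[CFG] received stroke: initiate 'other-peer'
Oct 19 17:11:02 tanzplatz charon: 09[IKE] CHILD_SA other-peer{4} established with SPIs 0a0b0c0d_i 1a1b1c1d_o and TS 10.0.0.0/24 === 192.168.5.0/24
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[[A-Z]+\] (?P<msg>.*)$"
)
INITIATE_RE = re.compile(r"received stroke: initiate '(?P<conn>[^']+)'")
CHILD_RE = re.compile(
    r"CHILD_SA (?P<conn>[^{\s]+)\{(?P<inst>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o"
)


def parse_log(text):
    """Return ({conn: [initiate datetimes]}, {conn: [(instance, spi_in, spi_out)]})."""
    initiates = defaultdict(list)
    seen = defaultdict(dict)          # conn -> {instance: (inst, spi_in, spi_out)}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a charon line, or a wrapped fragment
        # syslog carries no year; strptime defaults to 1900, fine for differences
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        mi = INITIATE_RE.search(msg)
        if mi:
            initiates[mi.group("conn")].append(ts)
            continue
        mc = CHILD_RE.search(msg)
        if mc:
            inst = int(mc.group("inst"))
            # keyed by instance number, so a twice-logged line counts once
            seen[mc.group("conn")][inst] = (inst, mc.group("spi_in"), mc.group("spi_out"))
    child_sas = {c: [v for _, v in sorted(d.items())] for c, d in seen.items()}
    return initiates, child_sas


def find_repeated_initiates(text):
    """Connections initiated more than once, with the gaps between initiates.

    ipsec starter sends one initiate per auto=start connection when it starts
    (and for connections added or changed on 'ipsec reload'); rekeying is
    logged differently and never produces this line. So two or more initiates,
    each followed by a fresh CHILD_SA instance, means some caller outside
    charon (a second init script, a cron job) keeps re-issuing the command.
    """
    initiates, child_sas = parse_log(text)
    findings = {}
    for conn, stamps in initiates.items():
        if len(stamps) < 2:
            continue
        stamps = sorted(stamps)
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        findings[conn] = {
            "initiates": len(stamps),
            "gaps": gaps,
            "child_sas": child_sas.get(conn, []),
        }
    return findings


def report(text):
    """One human-readable line per flagged connection."""
    out = []
    for conn, f in sorted(find_repeated_initiates(text).items()):
        insts = [i for i, _, _ in f["child_sas"]]
        out.append(f"{conn}: initiated {f['initiates']}x, gaps {f['gaps']} s, "
                   f"CHILD_SA instances {insts}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG) or ["no repeated initiates found"]:
        print(line)
```

<div>On a real gateway, call <code>report(open("/var/log/auth.log").read())</code> (or whatever file your syslog sends charon's output to). The gaps are the useful part of the output: initiates that land on the same second of every fifth minute, as the 17:05:01 and 17:10:01 lines above do, point at a periodic job or a second init script calling ipsec starter, not at the daemon itself. Wrapped continuation lines such as a lone <code>'tanzplatz-h3x2'</code> are ignored by <code>LINE_RE</code>, and the CHILD_SA list is keyed by instance number so the twice-logged "established" lines in the thread are counted once.</div>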
<br></body></html>