-------------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="cfg 2"

conn %default
        ikelifetime=60m
        keylife=2m
        rekeymargin=10s
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha256-modp2048!
        esp=aes128-sha256-modp1536!
        mobike=no

conn net-net 
        left=192.168.0.1
        leftcert=moonCert.pem
        leftid=@moon.strongswan.org
        leftsubnet=10.1.0.0/16
        leftfirewall=yes
        right=192.168.0.2
        rightid=@sun.strongswan.org
        rightsubnet=10.2.0.0/16
        auto=add

-------------------------------------------------------------------------------
# Start charon daemon

Mar 18 10:17:09 moon charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2dr3) 
Mar 18 10:17:09 moon charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 
Mar 18 10:17:09 moon charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 
Mar 18 10:17:09 moon charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 
Mar 18 10:17:09 moon charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 
Mar 18 10:17:09 moon charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 
Mar 18 10:17:09 moon charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' 
Mar 18 10:17:09 moon charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' 
Mar 18 10:17:09 moon charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/moonKey.pem' 
Mar 18 10:17:09 moon charon: 00[KNL] listening on interfaces: 
Mar 18 10:17:09 moon charon: 00[KNL]   eth0 
Mar 18 10:17:09 moon charon: 00[KNL]     192.168.0.1 
Mar 18 10:17:09 moon charon: 00[KNL]     fec0::1 
Mar 18 10:17:09 moon charon: 00[KNL]     fe80::fcfd:c0ff:fea8:1 
Mar 18 10:17:09 moon charon: 00[KNL]   eth1 
Mar 18 10:17:09 moon charon: 00[KNL]     10.1.0.1 
Mar 18 10:17:09 moon charon: 00[KNL]     fec1::1 
Mar 18 10:17:09 moon charon: 00[KNL]     fe80::fcfd:aff:fe01:1 
Mar 18 10:17:09 moon charon: 00[DMN] loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown  
Mar 18 10:17:09 moon charon: 00[JOB] spawning 16 worker threads 
Mar 18 10:17:09 moon charon: 08[CFG] received stroke: add connection 'net-net' 
Mar 18 10:17:09 moon charon: 08[CFG] conn net-net 
Mar 18 10:17:09 moon charon: 08[CFG]   left=192.168.0.1 
Mar 18 10:17:09 moon charon: 08[CFG]   leftsubnet=10.1.0.0/16 
Mar 18 10:17:09 moon charon: 08[CFG]   leftsourceip=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftauth=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftauth2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftid=@moon.strongswan.org 
Mar 18 10:17:09 moon charon: 08[CFG]   leftid2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftcert=moonCert.pem 
Mar 18 10:17:09 moon charon: 08[CFG]   leftcert2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftca=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftca2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftgroups=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   leftupdown=ipsec _updown iptables 
Mar 18 10:17:09 moon charon: 08[CFG]   right=192.168.0.2 
Mar 18 10:17:09 moon charon: 08[CFG]   rightsubnet=10.2.0.0/16 
Mar 18 10:17:09 moon charon: 08[CFG]   rightsourceip=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightauth=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightauth2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightid=@sun.strongswan.org 
Mar 18 10:17:09 moon charon: 08[CFG]   rightid2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightcert=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightcert2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightca=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightca2=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightgroups=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   rightupdown=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   eap_identity=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   aaa_identity=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   ike=aes128-sha256-modp2048! 
Mar 18 10:17:09 moon charon: 08[CFG]   esp=aes128-sha256-modp1536! 
Mar 18 10:17:09 moon charon: 08[CFG]   mediation=no 
Mar 18 10:17:09 moon charon: 08[CFG]   mediated_by=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   me_peerid=(null) 
Mar 18 10:17:09 moon charon: 08[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" from 'moonCert.pem' 
Mar 18 10:17:09 moon charon: 08[CFG] added configuration 'net-net' 

-------------------------------------------------------------------------------
# Start up net-net connection: establish IKE_SA and CHILD_SA

Mar 18 10:17:16 moon charon: 13[CFG] received stroke: initiate 'net-net' 
Mar 18 10:17:16 moon charon: 06[IKE] initiating IKE_SA net-net[1] to 192.168.0.2 
Mar 18 10:17:16 moon charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Mar 18 10:17:16 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar 18 10:17:16 moon charon: 05[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar 18 10:17:16 moon charon: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] 
Mar 18 10:17:16 moon charon: 05[CFG] selecting proposal: 
Mar 18 10:17:16 moon charon: 05[CFG]   proposal matches 
Mar 18 10:17:16 moon charon: 05[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
Mar 18 10:17:16 moon charon: 05[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
Mar 18 10:17:16 moon charon: 05[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
Mar 18 10:17:16 moon charon: 05[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar 18 10:17:16 moon charon: 05[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar 18 10:17:16 moon charon: 05[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful 
Mar 18 10:17:16 moon charon: 05[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org" 
Mar 18 10:17:16 moon charon: 05[IKE] establishing CHILD_SA net-net 
Mar 18 10:17:16 moon charon: 05[CFG] proposing traffic selectors for us: 
Mar 18 10:17:16 moon charon: 05[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:17:16 moon charon: 05[CFG] proposing traffic selectors for other: 
Mar 18 10:17:16 moon charon: 05[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:17:16 moon charon: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ] 
Mar 18 10:17:16 moon charon: 05[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar 18 10:17:17 moon charon: 04[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar 18 10:17:17 moon charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ] 
Mar 18 10:17:17 moon charon: 04[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar 18 10:17:17 moon charon: 04[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar 18 10:17:17 moon charon: 04[CFG]   certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" key: 2048 bit RSA 
Mar 18 10:17:17 moon charon: 04[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar 18 10:17:17 moon charon: 04[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" 
Mar 18 10:17:17 moon charon: 04[CFG] ocsp check skipped, no ocsp found 
Mar 18 10:17:17 moon charon: 04[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ... 
Mar 18 10:17:17 moon charon: 04[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar 18 10:17:17 moon charon: 04[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" 
Mar 18 10:17:17 moon charon: 04[CFG]   crl is valid: until Apr 16 23:30:03 2011 
Mar 18 10:17:17 moon charon: 04[CFG] certificate status is good 
Mar 18 10:17:17 moon charon: 04[CFG]   certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" key: 2048 bit RSA 
Mar 18 10:17:17 moon charon: 04[CFG]   reached self-signed root ca with a path length of 0 
Mar 18 10:17:17 moon charon: 04[IKE] authentication of 'sun.strongswan.org' with RSA signature successful 
Mar 18 10:17:17 moon charon: 04[IKE] IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org] 
Mar 18 10:17:17 moon charon: 04[IKE] scheduling reauthentication in 3588s 
Mar 18 10:17:17 moon charon: 04[IKE] maximum IKE_SA lifetime 3598s 

Mar 18 10:17:17 moon charon: 04[CFG] selecting proposal: 
Mar 18 10:17:17 moon charon: 04[CFG]   proposal matches 
Mar 18 10:17:17 moon charon: 04[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ 
Mar 18 10:17:17 moon charon: 04[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:17:17 moon charon: 04[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ 
Mar 18 10:17:17 moon charon: 04[CFG] selecting traffic selectors for us: 
Mar 18 10:17:17 moon charon: 04[CFG]  config: 10.1.0.0/16, received: 10.1.0.0/16 => match: 10.1.0.0/16 
Mar 18 10:17:17 moon charon: 04[CFG] selecting traffic selectors for other: 
Mar 18 10:17:17 moon charon: 04[CFG]  config: 10.2.0.0/16, received: 10.2.0.0/16 => match: 10.2.0.0/16 
Mar 18 10:17:17 moon charon: 04[IKE] CHILD_SA net-net{1} established with SPIs c65a8cd9_i cecef2ef_o and TS 10.1.0.0/16 === 10.2.0.0/16  
Mar 18 10:17:17 moon charon: 04[IKE] received AUTH_LIFETIME of 3366s, scheduling reauthentication in 3356s 

Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for us: 
Mar 18 10:18:30 moon charon: 15[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for other: 
Mar 18 10:18:30 moon charon: 15[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for us: 
Mar 18 10:18:43 moon charon: 01[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for other: 
Mar 18 10:18:43 moon charon: 01[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:58 moon charon: 09[KNL] creating rekey job for ESP CHILD_SA with SPI cecef2ef and reqid {1} 
Mar 18 10:18:58 moon charon: 06[IKE] establishing CHILD_SA net-net{1} 
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for us: 
Mar 18 10:18:58 moon charon: 06[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for other: 
Mar 18 10:18:58 moon charon: 06[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:58 moon charon: 06[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ] 
Mar 18 10:18:58 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar 18 10:18:58 moon charon: 05[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar 18 10:18:58 moon charon: 05[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ] 
Mar 18 10:18:58 moon charon: 05[CFG] selecting proposal: 
Mar 18 10:18:58 moon charon: 05[CFG]   proposal matches 
Mar 18 10:18:58 moon charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for us: 
Mar 18 10:18:58 moon charon: 05[CFG]  config: 10.1.0.0/16, received: 10.1.0.0/16 => match: 10.1.0.0/16 
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for other: 
Mar 18 10:18:58 moon charon: 05[CFG]  config: 10.2.0.0/16, received: 10.2.0.0/16 => match: 10.2.0.0/16 
Mar 18 10:18:58 moon charon: 05[IKE] CHILD_SA net-net{1} established with SPIs c65719c1_i c5b686e4_o and TS 10.1.0.0/16 === 10.2.0.0/16  

-------------------------------------------------------------------------------
moon ~ # ipsec statusall

Status of IKEv2 charon daemon (strongSwan 4.5.2dr3):
  uptime: 94 seconds, since Mar 18 10:17:09 2011
  malloc: sbrk 135168, mmap 0, used 87464, free 47704
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown 
Listening IP addresses:
  192.168.0.1
  fec0::1
  10.1.0.1
  fec1::1
Connections:
     net-net:  192.168.0.1...192.168.0.2
     net-net:   local:  [moon.strongswan.org] uses public key authentication
     net-net:    cert:  "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
     net-net:   remote: [sun.strongswan.org] uses any authentication
     net-net:   child:  10.1.0.0/16 === 10.2.0.0/16 
Security Associations:
     net-net[1]: ESTABLISHED 86 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
     net-net[1]: IKE SPIs: 0c01492ce46c4f98_i* b5ad160a0c77e9b5_r, public key reauthentication in 54 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c65a8cd9_i cecef2ef_o
     net-net{1}:  AES_CBC_128/HMAC_SHA2_256_128, 168 bytes_i (3s ago), 168 bytes_o (3s ago), rekeying in 15 seconds
     net-net{1}:   10.1.0.0/16 === 10.2.0.0/16 

-------------------------------------------------------------------------------
# CHILD_SA rekeying

Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for us: 
Mar 18 10:18:30 moon charon: 15[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:30 moon charon: 15[CFG] proposing traffic selectors for other: 
Mar 18 10:18:30 moon charon: 15[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for us: 
Mar 18 10:18:43 moon charon: 01[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:43 moon charon: 01[CFG] proposing traffic selectors for other: 
Mar 18 10:18:43 moon charon: 01[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:58 moon charon: 09[KNL] creating rekey job for ESP CHILD_SA with SPI cecef2ef and reqid {1} 
Mar 18 10:18:58 moon charon: 06[IKE] establishing CHILD_SA net-net{1} 
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for us: 
Mar 18 10:18:58 moon charon: 06[CFG]  10.1.0.0/16 (derived from 10.1.0.0/16) 
Mar 18 10:18:58 moon charon: 06[CFG] proposing traffic selectors for other: 
Mar 18 10:18:58 moon charon: 06[CFG]  10.2.0.0/16 (derived from 10.2.0.0/16) 
Mar 18 10:18:58 moon charon: 06[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No KE TSi TSr ] 
Mar 18 10:18:58 moon charon: 06[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] 
Mar 18 10:18:58 moon charon: 05[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] 
Mar 18 10:18:58 moon charon: 05[ENC] parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ] 
Mar 18 10:18:58 moon charon: 05[CFG] selecting proposal: 
Mar 18 10:18:58 moon charon: 05[CFG]   proposal matches 
Mar 18 10:18:58 moon charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ 
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for us: 
Mar 18 10:18:58 moon charon: 05[CFG]  config: 10.1.0.0/16, received: 10.1.0.0/16 => match: 10.1.0.0/16 
Mar 18 10:18:58 moon charon: 05[CFG] selecting traffic selectors for other: 
Mar 18 10:18:58 moon charon: 05[CFG]  config: 10.2.0.0/16, received: 10.2.0.0/16 => match: 10.2.0.0/16 
Mar 18 10:18:58 moon charon: 05[IKE] CHILD_SA net-net{1} established with SPIs c65719c1_i c5b686e4_o and TS 10.1.0.0/16 === 10.2.0.0/16  

-------------------------------------------------------------------------------
moon ~ # ipsec statusall

Status of IKEv2 charon daemon (strongSwan 4.5.2dr3):
  uptime: 117 seconds, since Mar 18 10:17:10 2011
  malloc: sbrk 135168, mmap 0, used 87504, free 47664
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown 
Listening IP addresses:
  192.168.0.1
  fec0::1
  10.1.0.1
  fec1::1
Connections:
     net-net:  192.168.0.1...192.168.0.2
     net-net:   local:  [moon.strongswan.org] uses public key authentication
     net-net:    cert:  "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
     net-net:   remote: [sun.strongswan.org] uses any authentication
     net-net:   child:  10.1.0.0/16 === 10.2.0.0/16 
Security Associations:
     net-net[1]: ESTABLISHED 109 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
     net-net[1]: IKE SPIs: 0c01492ce46c4f98_i* b5ad160a0c77e9b5_r, public key reauthentication in 54 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c65719c1_i c5b686e4_o
     net-net{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 93 seconds
     net-net{1}:   10.1.0.0/16 === 10.2.0.0/16