<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Greetings,</div><div><br></div><div>I would appreciate it if someone could give me a hand tracking down a hard-to-reproduce freeze-up problem. <br></div><div><br></div><div>When the problem occurs, support staff can log in remotely and the system appears normal in CPU load, disk usage and memory usage. Only charon appears dead. ps aux shows charon is in 'S' mode. ipsec statusall just hangs. ipsec stop leaves a mess behind (because stroke can't talk to charon?), so support just reboots the PC to recover. <br></div><div><br></div><div>strongSwan version: 4.3.2<br>Linux version: Debian 5.0.4<br>Kernel: 2.6.32<br><br></div><div>It just happened again at one site. The last log entries before charon stopped working look like this:</div><div><br></div><div>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 0.0.0.0/0 ===
10.2.19.0/24 out <br>Nov 28 11:18:06 moon charon: 17[IKE] CHILD_SA SN00000A2446-1{10046} established with SPIs c0a4afb0_i c7e5a8d0_o and TS 0.0.0.0/0 === 10.1.46.0/24 10.2.46.0/24 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[IKE] CHILD_SA SN00000A2446-1{10046} established with SPIs c0a4afb0_i c7e5a8d0_o and TS 0.0.0.0/0 === 10.1.46.0/24 10.2.46.0/24 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.2.19.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.2.19.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 0.0.0.0/0 === 10.3.19.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 0.0.0.0/0 ===
10.3.19.0/24 out <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.3.19.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.3.19.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] getting interface name for a.b.c.d <br>Nov 28 12:06:02 moon ntpd[8484]: kernel time sync status change 0001<br>Nov 28 12:17:01 moon CRON[13865]: pam_unix(cron:session): session opened for user root by (uid=0)<br>Nov 28 12:17:01 moon CRON[13865]: pam_unix(cron:session): session closed for user root<br><br></div> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"> <font face="Arial" size="2">
<hr size="1"></font><br>I did a grep in the source code and noticed that kernel_netlink_net.c calls mutex->lock after the "getting interface name" debug print.<br><br>Q1. Does it mean that there is a mismatch in the thread calling mutex->lock/mutex->unlock? What else can cause mutex->lock to wait forever?<br><br>However, in /var/log/messages the "getting interface name" log always appears in triplicate, with the three entries right next to each other. That may be because all the tunnels have 3 subnets (10.1.x.0, 10.2.x.0, 10.3.x.0), so there are 3 fwd policies. Just before the freeze-up, the 3 fwd policies were logged:<br><br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.1.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 === 0.0.0.0/0 fwd <br><br>Q2. Do these 3 log entries exonerate "mutex->lock" in get_interface_name? Because if mutex->lock cannot return, then I should have only 1 "adding policy ... fwd" in the log, not three. Maybe 2 more "getting interface name" log entries got buffered up?<br><br>Q3. Probably I fail to understand the code. I think add_policy in kernel_netlink_ipsec.c prints the "adding policy..." log and then, if the policy is fwd, adds a route, thus triggering the "getting interface name" log. In that case the "getting interface name" log should interleave with the "adding policy ... fwd" logs. Where else can get_interface_name be called while adding policies?<br><br>Q4. One thing I noticed from the full log was that just before it froze, charon had 2 threads doing REKEY_SA simultaneously. (See the interleaving of threads 15 and 17 below.) Could threads running concurrently increase the chance of a lockup? The PC has 2 cores. Is there a setup parameter to disable multi-threading?<br><br>I really appreciate any help
anyone can provide. Thanks.<br>Simon<br><br>===========================================================<br><br>Here goes the full log:<br><br>Nov 28 11:18:06 moon charon: 07[NET] received packet: from 46.46.46.46[4500] to a.b.c.d[4500] <br>Nov 28 11:18:06 moon charon: 07[NET] waiting for data on raw sockets <br>Nov 28 11:18:06 moon charon: 17[MGR] checkout IKE_SA by message <br>Nov 28 11:18:06 moon charon: 17[MGR] IKE_SA successfully checked out <br>Nov 28 11:18:06 moon charon: 17[NET] received packet: from 46.46.46.46[4500] to a.b.c.d[4500] <br>Nov 28 11:18:06 moon charon: 17[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) ] <br>Nov 28 11:18:06 moon charon: 17[CFG] looking for peer configs matching a.b.c.d[a.b.c.d]...46.46.46.46[SN00000A2446] <br>Nov 28 11:18:06 moon charon: 07[NET] received packet: from 19.19.19.19[4500] to a.b.c.d[4500] <br>Nov
28 11:18:06 moon charon: 07[NET] waiting for data on raw sockets <br>Nov 28 11:18:06 moon charon: 17[CFG] candidate "SN00000A2446-1", match: 20/20/5 (me/other/ike) <br>Nov 28 11:18:06 moon charon: 17[CFG] selected peer config 'SN00000A2446-1' <br>Nov 28 11:18:06 moon charon: 17[IKE] authentication of 'SN00000A2446' with pre-shared key successful <br>Nov 28 11:18:06 moon charon: 17[IKE] peer supports MOBIKE <br>Nov 28 11:18:06 moon charon: 17[IKE] got additional MOBIKE peer address: 10.2.46.1 <br>Nov 28 11:18:06 moon charon: 17[IKE] got additional MOBIKE peer address: 10.3.46.1 <br>Nov 28 11:18:06 moon charon: 17[IKE] got additional MOBIKE peer address: 10.1.46.1 <br>Nov 28 11:18:06 moon charon: 17[IKE] got additional MOBIKE peer address: 10.100.2.7 <br>Nov 28 11:18:06 moon charon: 17[IKE] got additional MOBIKE peer address: 10.99.0.99 <br>Nov 28 11:18:06 moon charon: 17[IKE] authentication of 'a.b.c.d' (myself) with pre-shared key <br>Nov 28
11:18:06 moon charon: 17[IKE] successfully created shared key MAC <br>Nov 28 11:18:06 moon charon: 17[MGR] checkout IKE_SA <br>Nov 28 11:18:06 moon charon: 17[MGR] IKE_SA successfully checked out <br>Nov 28 11:18:06 moon charon: 17[IKE] deleting duplicate IKE_SA for peer 'SN00000A2446' due to uniqueness policy <br>Nov 28 11:18:06 moon charon: 17[IKE] queueing IKE_DELETE task <br>Nov 28 11:18:06 moon charon: 02[JOB] got event, queuing job for execution <br>Nov 28 11:18:06 moon charon: 02[JOB] next event in 530ms, waiting <br>Nov 28 11:18:06 moon charon: 17[IKE] delaying task initiation, exchange in progress <br>Nov 28 11:18:06 moon charon: 17[MGR] checkin IKE_SA <br>Nov 28 11:18:06 moon charon: 17[MGR] check-in of IKE_SA successful. <br>Nov 28 11:18:06 moon charon: 17[IKE] IKE_SA SN00000A2446-1[41959] state change: CONNECTING => ESTABLISHED <br>Nov 28 11:18:06 moon charon: 17[IKE] IKE_SA SN00000A2446-1[41959] established between
a.b.c.d[a.b.c.d]...46.46.46.46[SN00000A2446] <br>Nov 28 11:18:06 moon charon: 17[IKE] IKE_SA SN00000A2446-1[41959] established between a.b.c.d[a.b.c.d]...46.46.46.46[SN00000A2446] <br>Nov 28 11:18:06 moon charon: 17[CFG] looking for a child config for 0.0.0.0/0 === 10.1.46.0/24 10.2.46.0/24 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] selecting traffic selectors for other: <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.1.46.0/24 => match: 10.1.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.2.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.2.46.0/24 => match: 10.2.46.0/24 <br>Nov 28 11:18:06
moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.2.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.3.46.0/24 => match: 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] candidate "SN00000A2446-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 17[CFG] selecting traffic selectors for other: <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.1.46.0/24 => match: 10.1.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.2.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon:
17[CFG] config: 10.2.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.2.46.0/24 => match: 10.2.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.2.46.0/24 => no match <br>- - - another thread started to run (I think) - - -<br>Nov 28 11:18:06 moon charon: 02[JOB] next event in 530ms, waiting <br>Nov 28 11:18:06 oCM3 charon: 12[MGR] checkout IKE_SA <br>Nov 28 11:18:06 oCM3 charon: 12[MGR] IKE_SA successfully checked out <br>Nov 28 11:18:06 oCM3 charon: 12[IKE] giving up after 5 retransmits <br>Nov 28 11:18:06 oCM3 charon: 12[MGR] checkin and destroy IKE_SA <br>Nov 28 11:18:06 oCM3 charon: 12[IKE] IKE_SA
SN00000A2407-1[41832] state change: ESTABLISHED => DESTROYING <br>. . .<br>deleting policies and SAD entries<br>. . .<br>Nov 28 11:18:06 oCM3 charon: 12[MGR] check-in and destroy of IKE_SA successful <br>Nov 28 11:18:06 moon charon: 15[MGR] checkout IKE_SA by message <br>Nov 28 11:18:06 moon charon: 15[MGR] IKE_SA successfully checked out <br>Nov 28 11:18:06 moon charon: 15[NET] received packet: from 19.19.19.19[4500] to a.b.c.d[4500] <br>Nov 28 11:18:06 moon charon: 15[ENC] parsed CREATE_CHILD_SA request 8 [ N(REKEY_SA) SA No TSi TSr ] <br>Nov 28 11:18:06 moon charon: 15[CFG] looking for a child config for 0.0.0.0/0 === 10.1.19.0/24 10.2.19.0/24 10.3.19.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.3.46.0/24 => match: 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] candidate "SN00000A2446-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 15[CFG] selecting traffic selectors for other:
<br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.1.19.0/24 => match: 10.1.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.1.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.2.19.0/24 => match: 10.2.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.1.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received:
10.3.19.0/24 => match: 10.3.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] candidate "SN00000A2419-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 15[CFG] selecting traffic selectors for other: <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.1.19.0/24 => match: 10.1.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.1.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.2.19.0/24 => match: 10.2.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.1.19.0/24
=> no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.3.19.0/24 => match: 10.3.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] candidate "SN00000A2419-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 15[CFG] found matching child config "SN00000A2419-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 15[CFG] selecting proposal: <br>Nov 28 11:18:06 moon charon: 17[CFG] found matching child config "SN00000A2446-1" with prio 3 <br>Nov 28 11:18:06 moon charon: 15[CFG] proposal matches <br>Nov 28 11:18:06 moon charon: 15[CFG] received proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov 28 11:18:06 moon charon: 15[CFG] configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov 28 11:18:06 moon charon: 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov
28 11:18:06 moon charon: 15[KNL] getting SPI for reqid {26161} <br>Nov 28 11:18:06 moon charon: 17[CFG] selecting proposal: <br>Nov 28 11:18:06 moon charon: 17[CFG] proposal matches <br>Nov 28 11:18:06 moon charon: 17[CFG] received proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov 28 11:18:06 moon charon: 17[CFG] configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov 28 11:18:06 moon charon: 17[CFG] selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ <br>Nov 28 11:18:06 moon charon: 17[KNL] getting SPI for reqid {10046} <br>Nov 28 11:18:06 moon charon: 17[KNL] got SPI c0a4afb0 for reqid {10046} <br>Nov 28 11:18:06 moon charon: 17[CFG] selecting traffic selectors for us: <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0 <br>Nov 28 11:18:06 moon charon: 17[CFG] selecting traffic selectors for other: <br>Nov 28 11:18:06 moon charon: 17[CFG] config:
10.1.46.0/24, received: 10.1.46.0/24 => match: 10.1.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.2.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.1.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.2.46.0/24 => match: 10.2.46.0/24 <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.2.46.0/24, received: 10.3.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.1.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.2.46.0/24 => no match <br>Nov 28 11:18:06 moon charon: 17[CFG] config: 10.3.46.0/24, received: 10.3.46.0/24 => match: 10.3.46.0/24 <br>Nov 28 11:18:06 moon
charon: 17[CHD] using AES_CBC for encryption <br>Nov 28 11:18:06 moon charon: 17[CHD] using HMAC_MD5_96 for integrity <br>Nov 28 11:18:06 moon charon: 17[CHD] adding inbound ESP SA <br>Nov 28 11:18:06 moon charon: 17[CHD] SPI 0xc0a4afb0, src 46.46.46.46 dst a.b.c.d <br>Nov 28 11:18:06 moon charon: 17[KNL] adding SAD entry with SPI c0a4afb0 and reqid {10046} <br>Nov 28 11:18:06 moon charon: 17[KNL] using encryption algorithm AES_CBC with key size 128 <br>Nov 28 11:18:06 moon charon: 17[KNL] using integrity algorithm HMAC_MD5_96 with key size 128 <br>Nov 28 11:18:06 moon charon: 17[CHD] adding outbound ESP SA <br>Nov 28 11:18:06 moon charon: 17[CHD] SPI 0xc7e5a8d0, src a.b.c.d dst 46.46.46.46 <br>Nov 28 11:18:06 moon charon: 17[KNL] adding SAD entry with SPI c7e5a8d0 and reqid {10046} <br>Nov 28 11:18:06 moon charon: 17[KNL] using encryption algorithm AES_CBC with key size
128 <br>Nov 28 11:18:06 moon charon: 17[KNL] using integrity algorithm HMAC_MD5_96 with key size 128 <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 0.0.0.0/0 === 10.1.46.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 0.0.0.0/0 === 10.1.46.0/24 out <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 10.1.46.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.1.46.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 10.1.46.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.1.46.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 0.0.0.0/0 === 10.2.46.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 0.0.0.0/0 === 10.2.46.0/24 out <br>Nov 28 11:18:06 moon charon: 17[KNL] policy
10.2.46.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.2.46.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 10.2.46.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.2.46.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 0.0.0.0/0 === 10.3.46.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 0.0.0.0/0 === 10.3.46.0/24 out <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 10.3.46.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.3.46.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 17[KNL] policy 10.3.46.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.3.46.0/24 === 0.0.0.0/0 fwd <br>Nov 28
11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d <br>Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0 <br>Nov 28 11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d <br>Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0 <br>Nov 28 11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d <br>Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0 <br>Nov 28 11:18:06 moon charon: 15[KNL] got SPI cdd777e4 for reqid {26161} <br>Nov 28 11:18:06 moon charon: 15[CFG] selecting traffic selectors for us: <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0 <br>Nov 28 11:18:06 moon charon: 15[CFG] selecting traffic selectors for other: <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.1.19.0/24 => match: 10.1.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received:
10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.1.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.1.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.2.19.0/24 => match: 10.2.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.2.19.0/24, received: 10.3.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.1.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.2.19.0/24 => no match <br>Nov 28 11:18:06 moon charon: 15[CFG] config: 10.3.19.0/24, received: 10.3.19.0/24 => match: 10.3.19.0/24 <br>Nov 28 11:18:06 moon charon: 15[CHD] using AES_CBC for encryption <br>Nov 28 11:18:06 moon charon: 15[CHD] using HMAC_MD5_96 for integrity
<br>Nov 28 11:18:06 moon charon: 15[CHD] adding inbound ESP SA <br>Nov 28 11:18:06 moon charon: 15[CHD] SPI 0xcdd777e4, src 19.19.19.19 dst a.b.c.d <br>Nov 28 11:18:06 moon charon: 15[KNL] adding SAD entry with SPI cdd777e4 and reqid {26161} <br>Nov 28 11:18:06 moon charon: 15[KNL] using encryption algorithm AES_CBC with key size 128 <br>Nov 28 11:18:06 moon charon: 15[KNL] using integrity algorithm HMAC_MD5_96 with key size 128 <br>Nov 28 11:18:06 moon charon: 15[CHD] adding outbound ESP SA <br>Nov 28 11:18:06 moon charon: 15[CHD] SPI 0xc27035ad, src a.b.c.d dst 19.19.19.19 <br>Nov 28 11:18:06 moon charon: 15[KNL] adding SAD entry with SPI c27035ad and reqid {26161} <br>Nov 28 11:18:06 moon charon: 15[KNL] using encryption algorithm AES_CBC with key size 128 <br>Nov 28 11:18:06 moon charon: 15[KNL] using integrity algorithm HMAC_MD5_96 with key size 128 <br>Nov 28 11:18:06 moon
charon: 15[KNL] policy 0.0.0.0/0 === 10.1.19.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 0.0.0.0/0 === 10.1.19.0/24 out <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.1.19.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.1.19.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.1.19.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.1.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 0.0.0.0/0 === 10.2.19.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 0.0.0.0/0 === 10.2.19.0/24 out <br>Nov 28 11:18:06 moon charon: 17[IKE] CHILD_SA SN00000A2446-1{10046} established with SPIs c0a4afb0_i c7e5a8d0_o and TS 0.0.0.0/0 === 10.1.46.0/24 10.2.46.0/24 10.3.46.0/24 <br>Nov
28 11:18:06 moon charon: 17[IKE] CHILD_SA SN00000A2446-1{10046} established with SPIs c0a4afb0_i c7e5a8d0_o and TS 0.0.0.0/0 === 10.1.46.0/24 10.2.46.0/24 10.3.46.0/24 <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.2.19.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.2.19.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 0.0.0.0/0 === 10.3.19.0/24 out already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 0.0.0.0/0 === 10.3.19.0/24 out <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.3.19.0/24 === 0.0.0.0/0 in already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 ===
0.0.0.0/0 in <br>Nov 28 11:18:06 moon charon: 15[KNL] policy 10.3.19.0/24 === 0.0.0.0/0 fwd already exists, increasing refcount <br>Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 === 0.0.0.0/0 fwd <br>Nov 28 11:18:06 moon charon: 15[KNL] getting interface name for a.b.c.d <br>Nov 28 12:06:02 moon ntpd[8484]: kernel time sync status change 0001<br>Nov 28 12:17:01 moon CRON[13865]: pam_unix(cron:session): session opened for user root by (uid=0)<br>Nov 28 12:17:01 moon CRON[13865]: pam_unix(cron:session): session closed for user root<br><br>-----------------------------------------------------<br>ipsec.conf for the two tunnels shown:<br><br>conn SN00000A2446-1<br> left=a.b.c.d<br> right=%any<br> rightid=@SN00000A2446<br> rekey=no<br> leftsubnet=0.0.0.0/0<br> leftsourceip=a.b.c.d<br>
rightsubnet=10.1.46.0/24,10.2.46.0/24,10.3.46.0/24<br> leftfirewall=yes<br> ike=aes128-md5-modp1536!<br> ikelifetime=28800s<br> keyexchange=ikev2<br> mobike=yes<br> dpddelay=30s<br> dpdtimeout=120s<br> dpdaction=clear<br> keyingtries=%forever<br> esp=aes128-md5!<br> keylife=3600s<br> rekeymargin=540s<br> type=tunnel<br> pfs=yes<br> compress=no<br> authby=secret<br> auto=add<br><br>conn SN00000A2419-1<br> left=a.b.c.d<br> right=%any<br> rightid=@SN00000A2419<br> rekey=no<br> leftsubnet=0.0.0.0/0<br> leftsourceip=a.b.c.d<br>
rightsubnet=10.1.19.0/24,10.2.19.0/24,10.3.19.0/24<br> leftfirewall=yes<br> ike=aes128-md5-modp1536!<br> ikelifetime=28800s<br> keyexchange=ikev2<br> mobike=yes<br> dpddelay=30s<br> dpdtimeout=120s<br> dpdaction=clear<br> keyingtries=%forever<br> esp=aes128-md5!<br> keylife=3600s<br> rekeymargin=540s<br> type=tunnel<br> pfs=yes<br> compress=no<br> authby=secret<br> auto=add<br> </div> </div> </div></body></html>
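The check Simon's questions describe, as an added example that is not part of the original post: a Python scan that pairs every charon "getting interface name" line with the "is on interface" answer from the same thread, flags lookups that were never answered (which is what thread 15 shows at the tail of the log above), and counts fwd policies against completed lookups per thread. The log-line layout and the sample lines come from the post; the pairing logic and the function names are assumptions of mine, not strongSwan code.

```python
"""Added example (not from the original post): pair each charon "getting
interface name" line with the "is on interface" answer from the same thread
and flag lookups never answered; the pairing logic is mine, not strongSwan's."""
import re
from collections import defaultdict

# Shape of a charon syslog line: "<ts> <host> charon: <thread>[<group>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\] (?P<msg>.*?)\s*$"
)
GETTING_RE = re.compile(r"^getting interface name for (?P<addr>\S+)$")
ON_IFACE_RE = re.compile(r"^(?P<addr>\S+) is on interface (?P<iface>\S+)$")
FWD_POLICY_RE = re.compile(r"^adding policy \S+ === \S+ fwd$")

# Sample input copied from the post's log (trailing spaces trimmed): thread 17
# completes its three lookups, thread 15 starts one and is never heard again.
SAMPLE_LOG = """\
Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.1.46.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.2.46.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 17[KNL] adding policy 10.3.46.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d
Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0
Nov 28 11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d
Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0
Nov 28 11:18:06 moon charon: 17[KNL] getting interface name for a.b.c.d
Nov 28 11:18:06 moon charon: 17[KNL] a.b.c.d is on interface eth0
Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.1.19.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.2.19.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 15[KNL] adding policy 10.3.19.0/24 === 0.0.0.0/0 fwd
Nov 28 11:18:06 moon charon: 15[KNL] getting interface name for a.b.c.d
Nov 28 12:06:02 moon ntpd[8484]: kernel time sync status change 0001
""".splitlines()


def parse(line):
    """Split one syslog line into its fields; None for non-charon lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_unanswered_lookups(lines):
    """Return (unanswered, stats): unanswered lists (thread, addr, ts) for each
    lookup no later same-thread "<addr> is on interface" line answers; stats
    maps thread -> fwd policies added and interface lookups completed."""
    pending = defaultdict(list)  # thread -> [(addr, ts), ...] still open
    stats = defaultdict(lambda: {"fwd_policies": 0, "lookups_done": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["grp"] != "KNL":
            continue  # ntpd, CRON and non-kernel charon lines are irrelevant
        t, msg = rec["thread"], rec["msg"]
        if FWD_POLICY_RE.match(msg):
            stats[t]["fwd_policies"] += 1
            continue
        m = GETTING_RE.match(msg)
        if m:
            pending[t].append((m["addr"], rec["ts"]))
            continue
        m = ON_IFACE_RE.match(msg)
        if m:  # answer the oldest open lookup for this address on this thread
            for i, (addr, _) in enumerate(pending[t]):
                if addr == m["addr"]:
                    del pending[t][i]
                    stats[t]["lookups_done"] += 1
                    break
    unanswered = [(t, a, ts) for t, lst in pending.items() for a, ts in lst]
    return unanswered, dict(stats)


def threads_active_at(lines, ts):
    """Thread ids logging in the same second (Q4: 15 and 17 interleave)."""
    recs = (parse(line) for line in lines)
    return sorted({r["thread"] for r in recs if r is not None and r["ts"] == ts})
```

On the sample, `find_unanswered_lookups(SAMPLE_LOG)` reports thread 15's lookup of a.b.c.d as never answered while thread 17 completed all three, and `threads_active_at(SAMPLE_LOG, "Nov 28 11:18:06")` returns both threads. Run over a full /var/log/messages, an unanswered entry from a thread that never logs again is the signature worth grepping for before the next reboot.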