<div dir="ltr"><div dir="ltr"><div class="gmail_default"><font color="#000000" face="tahoma,sans-serif">Hi All,</font></div><div class="gmail_default"><br><font color="#000000" face="tahoma,sans-serif"></font></div><div class="gmail_default"><font color="#000000" face="tahoma,sans-serif">I'm trying to setup a cert based IPsec tunnel between Cisco CSR 03.13.01.S and Strongswan U5.2.1/K3.5.0-17-generic using IKEv2.</font></div><div class="gmail_default"><font color="#000000" face="tahoma,sans-serif">The issue that I'm facing is that SA on Strongswan side is up but stuck in "IN-NEG” status
on Cisco side (Response is outside of window received 0x1, expect 0x2 <=
mess_id < 0x2).</font></div><div class="gmail_default"><font color="#000000" face="tahoma,sans-serif"> </font></div><div class="gmail_default"><p class="MsoNormal"><font face="tahoma,sans-serif"><font color="#000000">On Cisco side,
I’m using SCEP for cert enrollment from LabCA server in the lab. On
Strongswan side, I used private key from LabCA in order to sign a csr and
generate a certificate for Strongswan.</font><br></font></p><p class="MsoNormal"><font face="tahoma,sans-serif"><font color="#000000"><br></font></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Cisco configuration:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">======================</font></p><p class="MsoNormal"><span><font face="monospace, monospace"><font color="#000000">!<br>crypto pki trustpoint LabCA<br> enrollment retry count 12<br> enrollment retry period 5<br> enrollment url </font><a href="http://172.24.176.42:80" target="_blank"><font color="#000000">http://172.24.176.42:80</font></a><br><font color="#000000"> usage ike<br> fqdn router.lab.local<br> subject-name CN=router.lab.local<br> vrf MGMT<br> revocation-check none<br> rsakeypair LabCA<br> auto-enroll 90 regenerate<br>!<br>!<br>crypto pki certificate map CSR_SWAN 10<br> subject-name co ne.lab.local <br>!<br>crypto pki certificate chain LabCA<br> certificate 09<br> 3082032A <omitted output><br> quit<br> certificate ca 01<br> 3082031A <omitted output><br> quit<br>!<br>crypto ikev2 proposal CSR_SWAN <br> encryption aes-cbc-128<br> integrity sha1<br> group 5<br>!<br>crypto ikev2 policy CSR_SWAN <br> proposal CSR_SWAN<br>!<br>!<br>crypto ikev2 profile CSR_SWAN<br> match certificate CSR_SWAN<br> identity local dn <br> authentication remote rsa-sig<br> authentication local rsa-sig<br> pki trustpoint LabCA<br>!<br>!<br>crypto ipsec transform-set CSR_SWAN esp-aes esp-sha-hmac <br> mode tunnel<br>!<br>!<br>crypto ipsec profile CSR_SWAN<br> set transform-set CSR_SWAN <br> set ikev2-profile CSR_SWAN<br>!<br>!<br>interface Tunnel101<br> description ### OUTER TUNNEL ###<br> ip address 169.254.100.1 255.255.255.0<br> tunnel source GigabitEthernet2<br> tunnel destination 10.10.100.2<br> tunnel key 100<br> tunnel protection ipsec profile CSR_SWAN<br>!<br></font></font></span></p><p class="MsoNormal"><font face="monospace, monospace"><br></font></p><p class="MsoNormal"><span><font color="#000000" face="monospace, monospace">Strongswan configuration:</font></span></p><p class="MsoNormal"><span><font color="#000000" face="monospace, monospace">==========================</font></span></p><p class="MsoNormal"><span><font color="#000000" face="monospace, monospace">ca myCert<br> cacert=LabCA.crt<br> auto=add</font></span></p><span><font face="monospace, monospace"><p class="MsoNormal"><br><font color="#000000">conn %default<br> ikelifetime=1440m<br> keylife=60m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2</font></p><p class="MsoNormal"><font color="#000000"><br></font></p><p class="MsoNormal"><font color="#000000">conn csr-swan<br> auto=add<br> authby=pubkey<br> left=10.10.100.2<br> leftsourceip=10.10.100.2<br> leftid="C=US, CN=ne.lab.local"<br> leftrsasigkey=%cert<br> leftcert=ne.crt<br> leftsendcert=always<br> right=172.20.100.1<br> rightid="CN=router.lab.local, unstructuredName=router.lab.local"<br> ike=aes128-sha1-modp1536<br> esp=aes128-sha1<br> keyexchange=ikev2</font></p><p class="MsoNormal"><font color="#000000"> </font></p><p class="MsoNormal"><font color="#000000">Cisco status:</font></p><p class="MsoNormal"><font color="#000000">==============</font></p><p class="MsoNormal"><font color="#000000">CSR-LAB-SITE-01#show crypto ikev2 sa detailed <br> IPv4 Crypto IKEv2 SA </font></p><p class="MsoNormal"><font color="#000000">Tunnel-id Local Remote fvrf/ivrf Status <br>1 <a href="http://172.20.100.1/500" target="_blank">172.20.100.1/500</a> <a href="http://10.10.100.2/500" target="_blank">10.10.100.2/500</a> none/none IN-NEG <br> Encr: AES-CBC, keysize: 128, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: RSA<br> Life/Active Time: 86400/0 sec<br> CE id: 1108, Session-id: 0<br> Status Description: Initiator waiting for AUTH response<br> Local spi: 4E88D7FCDF82752D Remote spi: 8DBED65029709452<br> Local id: hostname=router.lab.local,cn=router.lab.local<br> Remote id: cn=ne.lab.local,c=US<br> Local req msg id: 2 Remote req msg id: 0 <br> Local next msg id: 2 Remote next msg id: 0 <br> Local req queued: 2 Remote req queued: 0 <br> Local window: 5 Remote window: 1 <br> DPD configured for 0 seconds, retry 0<br> Fragmentation not configured.<br> Extended Authentication not configured.<br> NAT-T is not detected <br> Cisco Trust Security SGT is disabled<br> Initiator of SA : Yes</font></p><p class="MsoNormal"><font color="#000000"> IPv6 Crypto IKEv2 SA </font></p><p class="MsoNormal"><font color="#000000">CSR-LAB-SITE-01#</font></p><p class="MsoNormal"><font color="#000000"> </font></p><p class="MsoNormal"><font color="#000000">Strongswan status:</font></p><p class="MsoNormal"><font color="#000000">===================</font></p></font></span></div><p class="MsoNormal"><font face="monospace, monospace"><span style="color:rgb(31,73,125)"></span><span style="color:black"><a href="mailto:root@SWAN-01" target="_blank"><font color="#000000">root@SWAN-01</font></a><font color="#000000">:~# ipsec statusall <br>Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.5.0-17-generic, x86_64):<br> uptime: 5 minutes, since Apr 14 16:03:30 2015<br> malloc: sbrk 544768, mmap 0, used 408096, free 136672<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4<br> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic<br>Listening IP addresses:<br> 198.18.92.225<br> 10.10.100.2<br> 192.168.13.1<br> 192.168.14.1<br> 169.254.100.2<br>Connections:<br> csr-swan: 10.10.100.2...172.20.100.1 IKEv2<br> csr-swan: local: [C=US, CN=ne.lab.local] uses public key authentication<br> csr-swan: cert: "C=US, CN=ne.lab.local"<br> csr-swan: remote: [CN=router.lab.local, unstructuredName=router.lab.local] uses public key authentication<br> csr-swan: child: dynamic === dynamic TUNNEL<br>Security Associations (1 up, 0 connecting):<br> csr-swan[2]: ESTABLISHED 119 seconds ago, 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]<br> csr-swan[2]: IKEv2 SPIs: 2d7582dffcd7884e_i 5294702950d6be8d_r*, public key reauthentication in 23 hours<br> csr-swan[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<br> csr-swan{2}: INSTALLED, TUNNEL, ESP SPIs: c439a8dc_i cd654165_o<br> csr-swan{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 52 minutes<br> csr-swan{2}: <a href="http://10.10.100.2/32%5Bgre%5D" target="_blank">10.10.100.2/32[gre]</a> === <a href="http://172.20.100.1/32%5Bgre%5D" target="_blank">172.20.100.1/32[gre]</a> <br></font><a href="mailto:root@SWAN-01" target="_blank"><font color="#000000">root@SWAN-01</font></a><font color="#000000">:~# </font></span></font></p><p class="MsoNormal"><span style="color:black"><font color="#000000" face="monospace, monospace"><br></font></span></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">root@SWAN-01:~# ipsec listall </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">List of CA Information Sections:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> authname: "CN=US_LAB.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> authkey: fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> keyid: ed:31:0f:9f:5b:90:cc:da:61:21:43:db:5d:19:77:72:ff:64:9d:b6</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">List of X.509 End Entity Certificates:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subject: "CN=router.lab.local, unstructuredName=router.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> issuer: "CN=US_LAB.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> serial: 09</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> validity: not before Apr 13 17:20:49 2015, ok</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> not after Jul 22 17:20:49 2015, ok </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> pubkey: RSA 2048 bits</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> keyid: 3d:76:88:6a:21:04:7a:ee:08:58:06:da:91:8a:59:ad:36:d5:c6:98</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subjkey: 34:28:a2:6e:e1:93:2e:7c:9e:d1:bb:80:c5:6b:ca:65:8c:50:22:f2</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> authkey: fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subject: "C=US, CN=ne.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> issuer: "CN=US_LAB.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> serial: 10:00</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> validity: not before Apr 13 15:40:55 2015, ok</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> not after Apr 12 15:40:55 2016, ok </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> pubkey: RSA 2048 bits, has private key</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> keyid: e8:ca:6d:c5:de:b0:68:a3:20:1a:28:8a:07:21:1a:63:f0:db:0c:27</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subjkey: c9:a3:33:74:7d:3a:33:00:e8:c2:ce:00:04:21:7b:a8:10:79:1f:4b</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> authkey: fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">List of X.509 CA Certificates:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subject: "CN=US_LAB.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> issuer: "CN=US_LAB.lab.local"</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> serial: 01</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> validity: not before Apr 12 13:45:35 2015, ok</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> not after Apr 12 13:45:35 2035, ok </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> pubkey: RSA 2048 bits</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> keyid: ed:31:0f:9f:5b:90:cc:da:61:21:43:db:5d:19:77:72:ff:64:9d:b6</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> subjkey: fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"> authkey: fe:81:80:3d:5c:15:96:ed:5a:4e:83:32:b8:b4:35:98:15:48:68:dc</font></p><p class="MsoNormal"><font face="monospace, monospace"><span style="color:black"></span><font color="#000000"> </font></font></p><p class="MsoNormal"><font face="monospace, monospace"><span style="color:black"></span><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Cisco debug:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">===========</font></p><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline"><font color="#000000" face="monospace, monospace">==</font></div><p></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.282: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 4,<br> (identity) local= <a href="http://172.20.100.1:0" target="_blank">172.20.100.1:0</a>, remote= <a href="http://10.10.100.2:0" target="_blank">10.10.100.2:0</a>,<br> local_proxy= <a href="http://172.20.100.1/255.255.255.255/47/0" target="_blank">172.20.100.1/255.255.255.255/47/0</a>,<br> remote_proxy= <a href="http://10.10.100.2/255.255.255.255/47/0" target="_blank">10.10.100.2/255.255.255.255/47/0</a><br>Apr 14 13:46:20.282: IPSEC(sa_request): ,<br> (key eng. msg.) OUTBOUND local= <a href="http://172.20.100.1:500" target="_blank">172.20.100.1:500</a>, remote= <a href="http://10.10.100.2:500" target="_blank">10.10.100.2:500</a>,<br> local_proxy= <a href="http://172.20.100.1/255.255.255.255/47/0" target="_blank">172.20.100.1/255.255.255.255/47/0</a>,<br> remote_proxy= <a href="http://10.10.100.2/255.255.255.255/47/0" target="_blank">10.10.100.2/255.255.255.255/47/0</a>,<br> protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel), <br> lifedur= 3600s and 4608000kb, <br> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0<br>Apr 14 13:46:20.282: IKEv2:Searching Policy with fvrf 0, local address 172.20.100.1<br>Apr 14 13:46:20.282: IKEv2:Found Policy 'CSR_SWAN'<br>Apr 14 13:46:20.282: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.20.100.1-172.20.100.1 Protocol: 47 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.10.100.2-10.10.100.2 Protocol: 47 Port Range: 0-65535 </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session<br>Apr 14 13:46:20.282: CRYPTO_PKI: (A003A) Session started - identity not specified<br>Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED<br>Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5<br>Apr 14 13:46:20.282: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED<br>Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key<br>Apr 14 13:46:20.282: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch<br>Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message<br>Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), <br>Num. transforms: 4<br> AES-CBC SHA1 SHA96 DH_GROUP_1536_MODP/Group 5 </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 0000000000000000 Message id: 0<br>IKEv2 IKE_SA_INIT Exchange REQUEST <br>Payload contents: <br> SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.282: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 0<br>IKEv2 IKE_SA_INIT Exchange RESPONSE <br>Payload contents: <br> SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(Unknown - 16404) </font></p><p class="MsoNormal"><font face="monospace, monospace"><font color="#000000">Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message<br>Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message<br>Apr 14 13:46:20.291: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message<br>Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)<br>Apr 14 13:46:20.291: CRYPTO_PKI: Trust-Point LabCA picked up<br>Apr 14 13:46:20.291: CRYPTO_PKI: 1 matching trustpoints found<br>Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'LabCA' <br>Apr 14 13:46:20.291: CRYPTO_PKI: locked trustpoint LabCA, refcount is 1<br>Apr 14 13:46:20.291: CRYPTO_PKI: Identity bound (LabCA) for session A003A<br>Apr 14 13:46:20.291: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint LabCA<br>Apr 14 13:46:20.292: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED<br>Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery<br>Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found<br>Apr 14 13:46:20.292: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange<br>Apr 14 13:46:20.300: IKEv2:Config data to send:<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Config-type: Config-request <br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Attrib type: app-version, length: 251, data: Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S1, RELEASE SOFTWARE (fc3)<br>Technical Support: </font><a href="http://www.cisco.com/techsupport" target="_blank"><font color="#000000">http://www.cisco.com/techsupport</font></a><br><font color="#000000">Copyright (c) 1986-2014 by Cisco Systems, Inc.<br>Compiled Fri 31-Oct-14 17:32 by mcpre<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Have config mode data to send<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data<br>Apr 14 13:46:20.300: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data<br>Apr 14 13:46:20.300: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'RSA'<br>Apr 14 13:46:20.300: IKEv2:(SESSION ID = 1,SA ID = 1):Sign authentication data<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED<br>Apr 14 13:46:20.300: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data<br>Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Authentication material has been sucessfully signed<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'hostname=router.lab.local,cn=router.lab.local' of type 'DER ASN1 DN'<br>Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)<br>Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'LabCA' <br>Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints<br>Apr 14 13:46:20.314: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), <br>Num. transforms: 3<br> AES-CBC SHA96 Don't use ESN<br>Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption. <br>Payload contents: <br> VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) </font></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.314: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange REQUEST <br>Payload contents: <br> ENCR </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange RESPONSE <br>Payload contents: <br> IDr CERT AUTH SA TSi TSr NOTIFY(Unknown - 16403) </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.413: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify<br>Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.415: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange REQUEST <br>Payload contents: <br> ENCR </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.667: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2<br>: Received an IKE msg id outside supported window<br>Apr 14 13:46:20.669: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:20.669: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange RESPONSE<br>Apr 14 13:46:20.669: IKEv2:: A supplied parameter is incorrect<br>Apr 14 13:46:22.381: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:22.381: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange REQUEST <br>Payload contents: <br> ENCR </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:22.384: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2<br>: Received an IKE msg id outside supported window<br>Apr 14 13:46:22.386: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:22.386: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange RESPONSE<br>Apr 14 13:46:22.386: IKEv2:: A supplied parameter is incorrect<br>Apr 14 13:46:26.213: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:26.213: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To <a href="http://10.10.100.2:500/From" target="_blank">10.10.100.2:500/From</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange REQUEST <br>Payload contents: <br> ENCR </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:26.215: IKEv2:(SESSION ID = 1,SA ID = 1):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2<br>: Received an IKE msg id outside supported window<br>Apr 14 13:46:26.216: IKEv2:Couldn't find matching SA: Received an IKE msg id outside supported window </font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 13:46:26.216: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From <a href="http://10.10.100.2:500/To" target="_blank">10.10.100.2:500/To</a> <a href="http://172.20.100.1:500/VRF" target="_blank">172.20.100.1:500/VRF</a> i0:f0] <br>Initiator SPI : 70F862F7FD8191ED - Responder SPI : 3EC73AFAD382B3C3 Message id: 1<br>IKEv2 IKE_AUTH Exchange RESPONSE<br>Apr 14 13:46:26.216: IKEv2:: A supplied parameter is incorrect<br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace"><br></font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Strongswan log:</font></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">===============</font></p><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline"><font color="#000000" face="monospace, monospace">=</font></div><p></p><p class="MsoNormal"><font color="#000000" face="monospace, monospace">Apr 14 16:03:30 SWAN-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.5.0-17-generic, x86_64)<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded ca certificate "CN=US_LAB.lab.local" from '/usr/local/etc/ipsec.d/cacerts/LabCA.crt'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for 10.10.100.2<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for 172.20.100.1<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded IKE secret for %any<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/ne.key'<br>Apr 14 16:03:30 SWAN-01 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed<br>Apr 14 16:03:30 SWAN-01 charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic<br>Apr 14 16:03:30 SWAN-01 charon: 00[LIB] unable to load 7 plugin features (7 due to unmet dependencies)<br>Apr 14 16:03:30 SWAN-01 charon: 00[JOB] spawning 16 worker threads<br>Apr 14 16:03:30 SWAN-01 charon: 11[CFG] received stroke: add ca 'myCert'<br>Apr 14 16:03:30 SWAN-01 charon: 11[CFG] loaded ca certificate "CN=US_LAB.lab.local" from 'LabCA.crt'<br>Apr 14 16:03:30 SWAN-01 charon: 11[CFG] added ca 'myCert'<br>Apr 14 16:03:30 SWAN-01 charon: 13[CFG] received stroke: add connection 'csr-swan'<br>Apr 14 16:03:30 SWAN-01 charon: 13[CFG] loaded certificate "C=US, CN=ne.lab.local" from 'ne.crt'<br>Apr 14 16:03:30 SWAN-01 charon: 13[CFG] added configuration 'csr-swan'</font></p><p class="MsoNormal"><font face="monospace, monospace"><br><font color="#000000">Apr 14 16:04:03 SWAN-01 charon: 15[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (400 bytes)<br>Apr 14 16:04:03 SWAN-01 charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]<br>Apr 14 16:04:03 SWAN-01 charon: 15[IKE] received Cisco Delete Reason vendor ID<br>Apr 14 16:04:03 SWAN-01 charon: 15[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44<br>Apr 14 16:04:03 SWAN-01 charon: 15[IKE] 172.20.100.1 is initiating an IKE_SA<br>Apr 14 16:04:03 SWAN-01 charon: 15[IKE] sending cert request for "CN=US_LAB.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>Apr 14 16:04:03 SWAN-01 charon: 15[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (401 bytes)<br>Apr 14 16:04:03 SWAN-01 charon: 16[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:03 SWAN-01 charon: 16[ENC] unknown attribute type (28692)<br>Apr 14 16:04:03 SWAN-01 charon: 16[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] cert payload ANY not supported - ignored<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] received end entity cert "CN=router.lab.local, unstructuredName=router.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] looking for peer configs matching 10.10.100.2[%any]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] selected peer config 'csr-swan'<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] using certificate "CN=router.lab.local, unstructuredName=router.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] using trusted ca certificate "CN=US_LAB.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] checking certificate status of "CN=router.lab.local, unstructuredName=router.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] certificate status is not available<br>Apr 14 16:04:03 SWAN-01 charon: 16[CFG] reached self-signed root ca with a path length of 0<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] authentication of 'CN=router.lab.local, unstructuredName=router.lab.local' with RSA signature successful<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] authentication of 'C=US, CN=ne.lab.local' (myself) with RSA signature successful<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] IKE_SA csr-swan[1] established between 10.10.100.2[C=US, CN=ne.lab.local]...172.20.100.1[CN=router.lab.local, unstructuredName=router.lab.local]<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] scheduling reauthentication in 86151s<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] maximum IKE_SA lifetime 86331s<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] sending end entity cert "C=US, CN=ne.lab.local"<br>Apr 14 16:04:03 SWAN-01 charon: 16[IKE] CHILD_SA csr-swan{1} established with SPIs cb262567_i 4d68c4bb_o and TS <a href="http://10.10.100.2/32%5Bgre%5D" target="_blank">10.10.100.2/32[gre]</a> === <a href="http://172.20.100.1/32%5Bgre%5D" target="_blank">172.20.100.1/32[gre]</a> <br>Apr 14 16:04:03 SWAN-01 charon: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]<br>Apr 14 16:04:03 SWAN-01 charon: 16[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>Apr 14 16:04:03 SWAN-01 charon: 05[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:03 SWAN-01 charon: 05[ENC] unknown attribute type (28692)<br>Apr 14 16:04:03 SWAN-01 charon: 05[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:03 SWAN-01 charon: 05[IKE] received retransmit of request with ID 1, retransmitting response<br>Apr 14 16:04:03 SWAN-01 charon: 05[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>Apr 14 16:04:05 SWAN-01 charon: 04[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:05 SWAN-01 charon: 04[ENC] unknown attribute type (28692)<br>Apr 14 16:04:05 SWAN-01 charon: 04[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:05 SWAN-01 charon: 04[IKE] received retransmit of request with ID 1, retransmitting response<br>Apr 14 16:04:05 SWAN-01 charon: 04[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>Apr 14 16:04:09 SWAN-01 charon: 03[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:09 SWAN-01 charon: 03[ENC] unknown attribute type (28692)<br>Apr 14 16:04:09 SWAN-01 charon: 03[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:09 SWAN-01 charon: 03[IKE] received retransmit of request with ID 1, retransmitting response<br>Apr 14 16:04:09 SWAN-01 charon: 03[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>Apr 14 16:04:16 SWAN-01 charon: 02[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:16 SWAN-01 charon: 02[ENC] unknown attribute type (28692)<br>Apr 14 16:04:16 SWAN-01 charon: 02[ENC] parsed IKE_AU</font></font></p><div class="gmail_default" style="font-family:verdana,sans-serif;display:inline"><font face="monospace, monospace"><font color="#000000"></font></font></div><font face="monospace, monospace"><font color="#000000">TH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:16 SWAN-01 charon: 02[IKE] received retransmit of request with ID 1, retransmitting response<br>Apr 14 16:04:16 SWAN-01 charon: 02[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)<br>Apr 14 16:04:31 SWAN-01 charon: 01[NET] received packet: from 172.20.100.1[500] to 10.10.100.2[500] (1724 bytes)<br>Apr 14 16:04:31 SWAN-01 charon: 01[ENC] unknown attribute type (28692)<br>Apr 14 16:04:31 SWAN-01 charon: 01[ENC] parsed IKE_AUTH request 1 [ V IDi CERT CERTREQ N(HTTP_CERT_LOOK) AUTH CPRQ(DNS DNS NBNS NBNS SUBNET DNS6 SUBNET6 VER U_SPLITDNS U_BANNER (28692) U_BKPSRV U_DEFDOM) SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]<br>Apr 14 16:04:31 SWAN-01 charon: 01[IKE] received retransmit of request with ID 1, retransmitting response<br>Apr 14 16:04:31 SWAN-01 charon: 01[NET] sending packet: from 10.10.100.2[500] to 172.20.100.1[500] (1324 bytes)</font></font><p></p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif"></font> </p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif"></font> </p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif">Any help is greatly appreciated.</font></p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif"></font> </p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif">Thanks!</font></p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif"></font> </p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif">Alexey</font></p><p class="MsoNormal"><font color="#000000" face="tahoma,sans-serif"></font> </p></div><font color="#000000" face="tahoma,sans-serif">
</font>
</div>