<div dir="ltr"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Hi,</span><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">I have a server (1.100.0.5, auto=add) and two clients (1.100.0.9 and 1.100.0.13, auto=start).</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">All the entities (2 clients and 1 server) have their own self-signed certs, but all of them share the same subject DN.</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">Due to the way things work in our setup, unfortunately there could be a queue of events that will lead to multiple (potentially &gt;20) modifications to ipsec.conf (and certs). Each of these events is handled by changing ipsec.conf and issuing an "ipsec reload". Connections could be added or deleted by each of these events.</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">I have the detailed config below. 
But I am seeing that, while things work fine with a single client, when I bring the setup up with two clients, one of them fails with the following error in the client logs:</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">2605 16[CFG] unable to install policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</div><div style="margin:0px;padding:0px;border:0px">2606 16[CFG] unable to install policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</div><div style="margin:0px;padding:0px;border:0px">2607 16[CFG] unable to install policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</div><div style="margin:0px;padding:0px;border:0px">2608 16[CFG] unable to install policy <a 
href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</div><div style="margin:0px;padding:0px;border:0px">2609 16[IKE] unable to install IPsec policies (SPD) in kernel</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">As a result, the server (responder) reports TS_UNACCEPTABLE.</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">Why is the client's IPsec SA getting re-established? Is it because the server had initiated an IKE_SA_INIT? Is the server expected to initiate IKE_SA_INIT (despite it having auto=add)? The first ESTABLISHED below is with client1 initiating IKE_SA_INIT, but the second one seems to be because the server initiated it. Please advise. 
Logs and ipsec.conf follow:<br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-75-generic, x86_64)</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px"><font color="#00ff00" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">04[IKE] IKE_SA 1.100.0.5[1] state change: CONNECTING => <b>ESTABLISHED</b></font></div><div style="margin:0px;padding:0px;border:0px">04[IKE] scheduling rekeying in 3380s</div><div style="margin:0px;padding:0px;border:0px">04[IKE] maximum IKE_SA lifetime 3560s</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 3s 993ms, waiting</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 3s 993ms, waiting</div><div style="margin:0px;padding:0px;border:0px">04[CFG] selecting proposal:</div><div style="margin:0px;padding:0px;border:0px">04[CFG]   proposal matches</div><div style="margin:0px;padding:0px;border:0px">04[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">04[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">04[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">04[CFG] selecting traffic selectors for us: </div><div style="margin:0px;padding:0px;border:0px">04[CFG]  config: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" 
style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a>, received: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> => match: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a></div><div style="margin:0px;padding:0px;border:0px">04[CFG] selecting traffic selectors for other:</div><div style="margin:0px;padding:0px;border:0px">04[CFG]  config: <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a>, received: <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> => match: <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a></div><div style="margin:0px;padding:0px;border:0px">04[CHD]   using AES_GCM_16 for encryption</div><div style="margin:0px;padding:0px;border:0px">04[CHD] adding inbound ESP SA</div><div style="margin:0px;padding:0px;border:0px">04[CHD]   SPI 0xccd1087c, src 1.100.0.5 dst 1.100.0.9</div><div style="margin:0px;padding:0px;border:0px">04[KNL] adding SAD entry with SPI ccd1087c and reqid {1}  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[KNL]   using encryption algorithm AES_GCM_16 with key size 288 </div><div style="margin:0px;padding:0px;border:0px">04[KNL]   using replay window of 32 packets</div><div style="margin:0px;padding:0px;border:0px">04[CHD] adding outbound ESP SA</div><div style="margin:0px;padding:0px;border:0px">04[CHD]   SPI 0xc2544878, src 1.100.0.9 dst 1.100.0.5</div><div 
style="margin:0px;padding:0px;border:0px">04[KNL] adding SAD entry with SPI c2544878 and reqid {1}  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[KNL]   using encryption algorithm AES_GCM_16 with key size 288 </div><div style="margin:0px;padding:0px;border:0px">04[KNL]   using replay window of 32 packets</div><div style="margin:0px;padding:0px;border:0px">04[KNL] adding policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[KNL] adding policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[KNL] policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out  (mark 0/0x00000000) already exists, increasing refcount</div><div style="margin:0px;padding:0px;border:0px">04[KNL] updating policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" 
style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[KNL] policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in  (mark 0/0x00000000) already exists, increasing refcount</div><div style="margin:0px;padding:0px;border:0px">04[KNL] updating policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">04[IKE] CHILD_SA 1.100.0.5{1} established with SPIs ccd1087c_i c2544878_o and TS <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> </div><div style="margin:0px;padding:0px;border:0px">04[IKE] peer supports MOBIKE</div><div style="margin:0px;padding:0px;border:0px">04[IKE] got additional MOBIKE peer address: 169.254.0.90</div><div style="margin:0px;padding:0px;border:0px">04[IKE] activating new tasks</div><div style="margin:0px;padding:0px;border:0px">04[IKE] nothing to initiate</div><div style="margin:0px;padding:0px;border:0px">04[MGR] checkin IKE_SA 1.100.0.5[1]</div><div 
style="margin:0px;padding:0px;border:0px">04[MGR] check-in of IKE_SA successful.</div><div style="margin:0px;padding:0px;border:0px">01[JOB] got event, queuing job for execution</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 8s 939ms, waiting</div><div style="margin:0px;padding:0px;border:0px">12[MGR] checkout IKE_SA</div><div style="margin:0px;padding:0px;border:0px">12[MGR] IKE_SA 1.100.0.5[1] successfully checked out </div><div style="margin:0px;padding:0px;border:0px">12[MGR] checkin IKE_SA 1.100.0.5[1]</div><div style="margin:0px;padding:0px;border:0px">12[MGR] check-in of IKE_SA successful.</div><div style="margin:0px;padding:0px;border:0px">01[JOB] got event, queuing job for execution</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 47s 66ms, waiting</div><div style="margin:0px;padding:0px;border:0px">11[MGR] checkout IKE_SA</div><div style="margin:0px;padding:0px;border:0px">11[MGR] IKE_SA 1.100.0.5[1] successfully checked out </div><div style="margin:0px;padding:0px;border:0px">11[MGR] checkin IKE_SA 1.100.0.5[1]</div><div style="margin:0px;padding:0px;border:0px">11[MGR] check-in of IKE_SA successful.</div><div style="margin:0px;padding:0px;border:0px">02[NET] received packet: from 1.100.0.5[500] to 1.100.0.9[500]</div><div style="margin:0px;padding:0px;border:0px">02[ENC] parsing header of message</div><div style="margin:0px;padding:0px;border:0px">02[ENC] parsing HEADER payload, 432 bytes left</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px"><b><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</font></b></div><div style="margin:0px;padding:0px;border:0px">10[CFG] 
looking for an ike config for 1.100.0.9...1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">10[CFG]   candidate: 1.100.0.9...1.100.0.5, prio 3100</div><div style="margin:0px;padding:0px;border:0px">10[CFG] found matching ike config: 1.100.0.9...1.100.0.5 with prio 3100</div><div style="margin:0px;padding:0px;border:0px">10[IKE] 1.100.0.5 is initiating an IKE_SA</div><div style="margin:0px;padding:0px;border:0px">10[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING</div><div style="margin:0px;padding:0px;border:0px">10[CFG] selecting proposal:</div><div style="margin:0px;padding:0px;border:0px">10[CFG]   proposal matches</div><div style="margin:0px;padding:0px;border:0px">10[CFG] received proposals: IKE:AES_GCM_16_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048</div><div style="margin:0px;padding:0px;border:0px">10[CFG] configured proposals: IKE:AES_GCM_16_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048</div><div style="margin:0px;padding:0px;border:0px">10[CFG] selected proposal: IKE:AES_GCM_16_256/PRF_AES128_XCBC/MODP_2048</div><div style="margin:0px;padding:0px;border:0px">10[LIB] size of DH secret exponent: 2047 bits</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type SECURITY_ASSOCIATION to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type KEY_EXCHANGE to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NONCE to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[IKE] sending cert request for "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div 
style="margin:0px;padding:0px;border:0px">10[IKE] sending cert request for "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type CERTIFICATE_REQUEST to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type SECURITY_ASSOCIATION to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type KEY_EXCHANGE to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NONCE to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type CERTIFICATE_REQUEST to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] added payload of type NOTIFY to message</div><div style="margin:0px;padding:0px;border:0px">10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div style="margin:0px;padding:0px;border:0px">10[ENC] not encrypting payloads</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">10[ENC] generating NOTIFY payload finished</div><div style="margin:0px;padding:0px;border:0px">10[NET] sending packet: from 1.100.0.9[500] to 1.100.0.5[500] (477 bytes)</div><div style="margin:0px;padding:0px;border:0px">10[MGR] checkin IKE_SA 
(unnamed)[2]</div><div style="margin:0px;padding:0px;border:0px">10[MGR] check-in of IKE_SA successful.</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 29s 999ms, waiting</div><div style="margin:0px;padding:0px;border:0px">06[NET] sending packet: from 1.100.0.9[500] to 1.100.0.5[500]</div><div style="margin:0px;padding:0px;border:0px">02[NET] received packet: from 1.100.0.5[4500] to 1.100.0.9[4500]</div><div style="margin:0px;padding:0px;border:0px">02[ENC] parsing header of message</div><div style="margin:0px;padding:0px;border:0px">02[ENC] parsing HEADER payload, 1670 bytes left</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div style="margin:0px;padding:0px;border:0px">16[IKE] received cert request for "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">16[IKE] received cert request for unknown ca with keyid be:a4:64:e4:0a:8e:87:30:a7:cf:d8:46:c4:ba:44:d1:af:fd:8b:5b</div><div style="margin:0px;padding:0px;border:0px">16[IKE] received cert request for "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">16[IKE] received 1 cert requests for an unknown ca</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L0 - x509:</div><div 
style="margin:0px;padding:0px;border:0px">16[ASN] L1 - tbsCertificate:</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L2 - DEFAULT v1:</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L3 - version:</div><div style="margin:0px;padding:0px;border:0px">16[ASN]   X.509v3</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L2 - serialNumber:</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L2 - signature:</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L3 - algorithmIdentifier:</div><div style="margin:0px;padding:0px;border:0px">16[ASN] L4 - algorithm:</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">16[IKE] received end entity cert "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">16[CFG] looking for peer configs matching 1.100.0.9[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>]...1.100.0.5[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>]</div><div style="margin:0px;padding:0px;border:0px">16[CFG]   candidate "1.100.0.5", match: 20/20/3100 (me/other/ike)</div><div style="margin:0px;padding:0px;border:0px">16[CFG] selected peer config '1.100.0.5'</div><div style="margin:0px;padding:0px;border:0px">16[CFG]   using trusted certificate "C=US, ST=CA, L=Mountain 
View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">16[IKE] authentication of 'C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>' with RSA signature successful</div><div style="margin:0px;padding:0px;border:0px">16[IKE] peer supports MOBIKE</div><div style="margin:0px;padding:0px;border:0px">16[IKE] got additional MOBIKE peer address: 169.254.0.90</div><div style="margin:0px;padding:0px;border:0px">16[ENC] added payload of type ID_RESPONDER to message</div><div style="margin:0px;padding:0px;border:0px">16[ENC] added payload of type AUTHENTICATION to message</div><div style="margin:0px;padding:0px;border:0px">16[IKE] authentication of 'C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>' (myself) with RSA signature successful</div><div style="margin:0px;padding:0px;border:0px">16[IKE] IKE_SA 1.100.0.5[2] established between 1.100.0.9[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>]...1.100.0.5[C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>]</div><div style="margin:0px;padding:0px;border:0px"><font color="#00ff00" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[IKE] IKE_SA 1.100.0.5[2] state change: CONNECTING 
=> <b>ESTABLISHED</b></font></div><div style="margin:0px;padding:0px;border:0px">16[IKE] scheduling rekeying in 3246s</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 29s 973ms, waiting</div><div style="margin:0px;padding:0px;border:0px">16[IKE] maximum IKE_SA lifetime 3426s</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 29s 973ms, waiting</div><div style="margin:0px;padding:0px;border:0px">01[JOB] next event in 29s 973ms, waiting</div><div style="margin:0px;padding:0px;border:0px">16[IKE] sending end entity cert "C=US, ST=CA, L=Mountain View, O=OWCA, OU=AgentC, CN=<a href="http://owca.com/" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">owca.com</a>"</div><div style="margin:0px;padding:0px;border:0px">16[ENC] added payload of type CERTIFICATE to message</div><div style="margin:0px;padding:0px;border:0px">16[CFG] looking for a child config for <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> </div><div style="margin:0px;padding:0px;border:0px">16[CFG] proposing traffic selectors for us:</div><div style="margin:0px;padding:0px;border:0px">16[CFG]  <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a></div><div style="margin:0px;padding:0px;border:0px">16[CFG] proposing traffic selectors for other:</div><div style="margin:0px;padding:0px;border:0px">16[CFG]  <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a></div><div 
style="margin:0px;padding:0px;border:0px">16[CFG]   candidate "1.100.0.5" with prio 5+5</div><div style="margin:0px;padding:0px;border:0px">16[CFG] found matching child config "1.100.0.5" with prio 10</div><div style="margin:0px;padding:0px;border:0px">16[CFG] selecting proposal:</div><div style="margin:0px;padding:0px;border:0px">16[CFG]   proposal matches</div><div style="margin:0px;padding:0px;border:0px">16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">16[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">16[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ</div><div style="margin:0px;padding:0px;border:0px">16[KNL] getting SPI for reqid {2}</div><div style="margin:0px;padding:0px;border:0px">16[KNL] got SPI cda54f7c for reqid {2}</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">....</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">16[CFG] selecting traffic selectors for us:</div><div style="margin:0px;padding:0px;border:0px">16[CFG]  config: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a>, received: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> => match: <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a></div><div style="margin:0px;padding:0px;border:0px">16[CFG] selecting traffic selectors for other:</div><div style="margin:0px;padding:0px;border:0px">16[CFG]  config: <a href="http://1.100.0.5/32" 
target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a>, received: <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> => match: <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a></div><div style="margin:0px;padding:0px;border:0px">16[CHD]   using AES_GCM_16 for encryption</div><div style="margin:0px;padding:0px;border:0px">16[CHD] adding inbound ESP SA</div><div style="margin:0px;padding:0px;border:0px">16[CHD]   SPI 0xcda54f7c, src 1.100.0.5 dst 1.100.0.9</div><div style="margin:0px;padding:0px;border:0px">16[KNL] adding SAD entry with SPI cda54f7c and reqid {2}  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">16[KNL]   using encryption algorithm AES_GCM_16 with key size 288</div><div style="margin:0px;padding:0px;border:0px">16[KNL]   using replay window of 32 packets</div><div style="margin:0px;padding:0px;border:0px">16[CHD] adding outbound ESP SA</div><div style="margin:0px;padding:0px;border:0px">16[CHD]   SPI 0xcec6ba54, src 1.100.0.9 dst 1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">16[KNL] adding SAD entry with SPI cec6ba54 and reqid {2}  (mark 0/0x00000000)</div><div style="margin:0px;padding:0px;border:0px">16[KNL]   using encryption algorithm AES_GCM_16 with key size 288</div><div style="margin:0px;padding:0px;border:0px">16[KNL]   using replay window of 32 packets</div><div style="margin:0px;padding:0px;border:0px"><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[CFG] unable to install policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" 
style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</font></div><div style="margin:0px;padding:0px;border:0px"><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[CFG] unable to install policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</font></div><div style="margin:0px;padding:0px;border:0px"><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[CFG] unable to install policy <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> === <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</font></div><div style="margin:0px;padding:0px;border:0px"><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[CFG] unable to install policy <a href="http://1.100.0.5/32" target="_blank" rel="nofollow" style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.5/32</a> === <a href="http://1.100.0.9/32" target="_blank" rel="nofollow" 
style="margin:0px;padding:0px;border:0px;text-decoration-line:none;color:rgb(102,17,204)">1.100.0.9/32</a> in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists</font></div><div style="margin:0px;padding:0px;border:0px"><font color="#ff0000" style="margin:0px;padding:0px;border:0px;background-color:rgb(255,255,0)">16[IKE] unable to install IPsec policies (SPD) in kernel</font></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">                                                                                                                </div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px">IPSEC.confs follow:</div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><b>Client1 ipsec.conf:</b></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">config setup</div><div style="margin:0px;padding:0px;border:0px">    uniqueids=no</div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn %default</div><div style="margin:0px;padding:0px;border:0px">    ikelifetime=60m</div><div style="margin:0px;padding:0px;border:0px">    keylife=20m</div><div style="margin:0px;padding:0px;border:0px">    rekeymargin=3m</div><div style="margin:0px;padding:0px;border:0px">    keyingtries=1</div><div style="margin:0px;padding:0px;border:0px">    keyexchange=ikev2</div><div style="margin:0px;padding:0px;border:0px">    ike=aes256gcm16-aesxcbc-<wbr>modp2048!</div><div style="margin:0px;padding:0px;border:0px">    esp=aes256gcm16-modp2048!</div><div style="margin:0px;padding:0px;border:0px"><br></div><div 
style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn 1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    type=transport</div><div style="margin:0px;padding:0px;border:0px">    left=1.100.0.9</div><div style="margin:0px;padding:0px;border:0px">    leftcert=client1_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    leftsendcert=always</div><div style="margin:0px;padding:0px;border:0px">    rightcert=server_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    right=1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    reauth=no</div><div style="margin:0px;padding:0px;border:0px">    dpdaction=restart</div><div style="margin:0px;padding:0px;border:0px">    auto=start</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><b>Client2 ipsec.conf:</b></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">config setup</div><div style="margin:0px;padding:0px;border:0px">    uniqueids=no</div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn %default</div><div style="margin:0px;padding:0px;border:0px">    ikelifetime=60m</div><div style="margin:0px;padding:0px;border:0px">    keylife=20m</div><div style="margin:0px;padding:0px;border:0px">    rekeymargin=3m</div><div style="margin:0px;padding:0px;border:0px">    keyingtries=1</div><div style="margin:0px;padding:0px;border:0px">    keyexchange=ikev2</div><div style="margin:0px;padding:0px;border:0px">    ike=aes256gcm16-aesxcbc-<wbr>modp2048!</div><div style="margin:0px;padding:0px;border:0px">    
esp=aes256gcm16-modp2048!</div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn 1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    type=transport</div><div style="margin:0px;padding:0px;border:0px">    left=1.100.0.13</div><div style="margin:0px;padding:0px;border:0px">    leftcert=client2_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    leftsendcert=always</div><div style="margin:0px;padding:0px;border:0px">    rightcert=server_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    right=1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    reauth=no</div><div style="margin:0px;padding:0px;border:0px">    dpdaction=restart</div><div style="margin:0px;padding:0px;border:0px">    auto=start</div></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><b>Server ipsec.conf</b></div><div style="margin:0px;padding:0px;border:0px;font-family:Arial,Helvetica,sans-serif;font-size:13px"><div style="margin:0px;padding:0px;border:0px">config setup</div><div style="margin:0px;padding:0px;border:0px">    uniqueids=no</div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn %default</div><div style="margin:0px;padding:0px;border:0px">    ikelifetime=60m</div><div style="margin:0px;padding:0px;border:0px">    keylife=20m</div><div style="margin:0px;padding:0px;border:0px">    rekeymargin=3m</div><div style="margin:0px;padding:0px;border:0px">    keyingtries=1</div><div style="margin:0px;padding:0px;border:0px">    
keyexchange=ikev2</div><div style="margin:0px;padding:0px;border:0px">    ike=aes256gcm16-aesxcbc-<wbr>modp2048!</div><div style="margin:0px;padding:0px;border:0px">    esp=aes256gcm16-modp2048!</div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn 1.100.0.13<br></div><div style="margin:0px;padding:0px;border:0px">    type=transport</div><div style="margin:0px;padding:0px;border:0px">    left=1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    leftcert=server_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    leftsendcert=always</div><div style="margin:0px;padding:0px;border:0px">    rightcert=client1_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    right=1.100.0.13</div><div style="margin:0px;padding:0px;border:0px">    reauth=no</div><div style="margin:0px;padding:0px;border:0px">    dpdaction=restart</div><div style="margin:0px;padding:0px;border:0px">    auto=add<br></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px"><br></div><div style="margin:0px;padding:0px;border:0px">conn 1.100.0.9</div><div style="margin:0px;padding:0px;border:0px">    type=transport</div><div style="margin:0px;padding:0px;border:0px">    left=1.100.0.5</div><div style="margin:0px;padding:0px;border:0px">    leftcert=server_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    leftsendcert=always</div><div style="margin:0px;padding:0px;border:0px">    rightcert=client0_cert.pem</div><div style="margin:0px;padding:0px;border:0px">    right=1.100.0.9</div><div style="margin:0px;padding:0px;border:0px">    reauth=no</div><div style="margin:0px;padding:0px;border:0px">    dpdaction=restart</div><div style="margin:0px;padding:0px;border:0px">    auto=add</div></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div 
dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8px">Piyush Agarwal</span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2">Life can only be understood backwards; but it must be lived forwards.</font></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
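The highlighted `[CFG] unable to install policy ... for reqid 2, the same policy for reqid 1 exists` lines in the post are the kernel interface refusing a policy that an earlier CHILD_SA (reqid 1) still owns, after which charon gives up with `[IKE] unable to install IPsec policies (SPD) in kernel`. The following script is an added example, not part of the original post or of strongSwan itself: it parses charon log lines of exactly the shape shown above, groups the conflicts by (new reqid, existing reqid) and lists the traffic selectors involved, so an operator can see which reqid to look up in `ipsec statusall` after a sequence of `ipsec reload` runs. The regular expression, function names and the sample log (copied from the post's own lines, reduced to the relevant ones) are mine.

```python
"""Summarize strongSwan duplicate-policy installation failures from charon logs.

Added example; assumes the charon log line format shown in the mailing-list
post (not an official strongSwan tool).
"""
import re
from collections import defaultdict

# Matches the [CFG] line charon logs when the kernel interface refuses to
# install a policy because an identical one is already owned by another reqid.
POLICY_CONFLICT = re.compile(
    r"\[CFG\] unable to install policy (?P<src>\S+) === (?P<dst>\S+) "
    r"(?P<dir>in|out|fwd) \(mark (?P<mark>[^)]+)\) for reqid (?P<new>\d+), "
    r"the same policy for reqid (?P<old>\d+) exists"
)
# The follow-up line that means the CHILD_SA was not brought up at all.
SPD_FAILURE = re.compile(r"\[IKE\] unable to install IPsec policies \(SPD\) in kernel")

# Constructed sample, taken from the log excerpt in the post (leading
# "2605 ..." line numbers dropped, unrelated lines omitted).
SAMPLE_LOG = """\
16[CHD] adding outbound ESP SA
16[KNL] adding SAD entry with SPI cec6ba54 and reqid {2}  (mark 0/0x00000000)
16[CFG] unable to install policy 1.100.0.9/32 === 1.100.0.5/32 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
16[CFG] unable to install policy 1.100.0.5/32 === 1.100.0.9/32 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
16[CFG] unable to install policy 1.100.0.9/32 === 1.100.0.5/32 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
16[CFG] unable to install policy 1.100.0.5/32 === 1.100.0.9/32 in (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists
16[IKE] unable to install IPsec policies (SPD) in kernel
"""


def parse_conflicts(lines):
    """Return one dict per matching [CFG] line: src, dst, dir, mark, new, old."""
    conflicts = []
    for line in lines:
        m = POLICY_CONFLICT.search(line)
        if m:
            d = m.groupdict()
            d["new"] = int(d["new"])
            d["old"] = int(d["old"])
            conflicts.append(d)
    return conflicts


def summarize(lines):
    """Group conflicts by (new reqid, existing reqid) -> set of (src, dst, dir).

    Also reports whether charon logged the final SPD installation failure.
    """
    grouped = defaultdict(set)
    for c in parse_conflicts(lines):
        grouped[(c["new"], c["old"])].add((c["src"], c["dst"], c["dir"]))
    spd_failed = any(SPD_FAILURE.search(line) for line in lines)
    return {"conflicts": dict(grouped), "spd_install_failed": spd_failed}


def format_report(summary):
    """Render the summary as one line per conflicting reqid pair."""
    report = []
    for (new, old), selectors in sorted(summary["conflicts"].items()):
        sels = ", ".join(f"{s} === {d} {direction}"
                         for s, d, direction in sorted(selectors))
        report.append(f"reqid {new} blocked by existing reqid {old}: {sels}")
    if summary["spd_install_failed"]:
        report.append("CHILD_SA setup aborted: SPD installation failed")
    return report


if __name__ == "__main__":
    for line in format_report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

On the post's excerpt this yields a single conflicting pair, reqid 2 against reqid 1, covering both the inbound and outbound selectors between 1.100.0.9 and 1.100.0.5. The script only surfaces the pair; whether reqid 1 belongs to a CHILD_SA left over from a previous reload has to be confirmed on the host with `ipsec statusall`.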