<div dir="ltr">OOPs!!...Jumped the Gun...Sorry!<div><br></div><div>Noel has answered it more correctly and succinctly....Sorry again</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 22, 2017 at 5:26 AM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com" target="_blank">rajivkulkarni69@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi<div><br></div><div>Try giving the "right=<ipaddr-of-tunnel-<wbr>endpoint>"</div><div><br></div><div>for e.g.:</div><div><br></div><div>left=1.1.1.11</div><div>right=2.2.2.51</div><div><br></div><div>and also use the below policy instead of using leftprotoport/rightprotoport</div><div><br></div><div><div>leftsubnet=1.1.1.11[gre]</div><div>rightsubnet=2.2.2.51[gre]</div></div><div><br></div><div>maybe then the gre tunnel traffic will trigger the ipsec tunnel to come up </div><div><br></div><div>Also first try if possible with the firewall disabled...and then try with firewall enabled...to eliminate and narrow down where the issue is...</div><div><br></div><div>In your case, does the traffic go through once you bring up the ipsec tunnel manually?</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 14, 2017 at 12:37 PM, Chengcheng Fu <span dir="ltr"><<a href="mailto:terryfcc@icloud.com" target="_blank">terryfcc@icloud.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>Hi,</div><div><br></div><div>After I manually bring up the tunnel from the spoke side, it has started working.</div><div><br></div><div>"ipsec up host-host".</div><div><br></div><div>But is this normal??</div><div><br></div><div>Regards,</div><div><br></div><div>Terry</div><div><br>On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <<a
href="mailto:terryfcc@icloud.com" target="_blank">terryfcc@icloud.com</a>> wrote:<br><br></div><div><blockquote type="cite"><div class="m_-7137867514355898596m_-5650816122747257959msg-quote"><div>Hi,</div><div><br></div><div>The GRE tunnel is working on its own, it's like Strongswan is not even aware of it's happening, and not trying to encapsulate it.</div><div>I must be missing something simple.</div><div><br></div><div>Below are my configs.</div><div><br></div><div><br></div><div>=========================<br> hub-192.168.23.193<br>=========================<br>##### ipsec.conf #####<br>config setup<br><br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> authby=secret<br> mobike=no<br> keyexchange=ikev2<br><br>conn host-host<br> left=192.168.23.193<br> leftprotoport=gre<br> rightprotoport=gre<br> type=transport<br> auto=add<br> reauth=no<br> closeaction=clear<br> keyexchange=ikev2<br> right=%any<br> mark=%unique<br><br><br>##### strongswan.conf #####<br>charon {<br> load_modular = yes<br> plugins {<br> include strongswan.d/charon/*.conf<br> }<br> filelog {<br> /var/log/charon_debug.log {<br> time_format = %a, %Y-%m-%d %R<br> default = 2<br> mgr = 0<br> net = 1<br> enc = 1<br> asn = 1<br> job = 1<br> knl = 1<br> ike_name = yes<br> append = no<br> flush_line = yes<br> }<br> }<br>}<br><br>include strongswan.d/*.conf<br><br><br><br>##### swanctl.conf #####<br>include conf.d/*.conf<br><br><br><br><br>##### ipsec statusall #####<br>Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):<br> uptime: 12 minutes, since Sep 14 09:52:04 2017<br> malloc: sbrk 1081344, mmap 0, used 267712, free 813632<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0<br> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici 
updown xauth-generic<br>Listening IP addresses:<br> 192.168.23.193<br> 192.168.34.1<br>Connections:<br> host-host: 192.168.23.193...%any IKEv2<br> host-host: local: [192.168.23.193] uses pre-shared key authentication<br> host-host: remote: uses pre-shared key authentication<br> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT<br>Security Associations (0 up, 0 connecting):<br> none<br><br><br><br><br>##### iptables -L -v #####<br>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination <br> 25 1876 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED<br> 0 0 ACCEPT icmp -- any any anywhere anywhere <br> 0 0 ACCEPT all -- lo any anywhere anywhere <br> 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh<br><br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination <br><br>Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)<br> pkts bytes target prot opt in out source destination <br><br><br><br><br><br>##### ip route show table all #####<br>default via 192.168.23.232 dev eth0 proto static metric 20 <br>default via 192.168.23.232 dev eth0 proto static metric 100 <br><a href="http://192.168.23.0/24" target="_blank">192.168.23.0/24</a> dev eth0 proto kernel scope link src 192.168.23.193 metric 100 <br>192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1 <br>broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 <br>local <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> dev lo table local proto kernel scope host src 127.0.0.1 <br>local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 <br>broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 <br>broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.193 <br>local 192.168.23.193 dev eth0 table local proto kernel scope host src 192.168.23.193 <br>broadcast 192.168.23.255 dev 
eth0 table local proto kernel scope link src 192.168.23.193 <br>local 192.168.34.1 dev gre1 table local proto kernel scope host src 192.168.34.1 <br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br>unreachable ::/96 dev lo metric 1024 error -113 pref medium<br>unreachable ::ffff:<a href="http://0.0.0.0/96" target="_blank">0.0.0.0/96</a> dev lo metric 1024 error -113 pref medium<br>unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium<br>unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium<br>fe80::/64 dev eth0 proto kernel metric 256 pref medium<br>fe80::/64 dev gre1 proto kernel metric 256 pref medium<br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br>local ::1 dev lo table local proto none metric 0 pref medium<br>local fe80:: dev lo table local proto none metric 0 pref medium<br>local fe80:: dev lo table local proto none metric 0 pref medium<br>local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref medium<br>local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref medium<br>ff00::/8 dev eth1 table local metric 256 pref medium<br>ff00::/8 dev eth2 table local metric 256 pref medium<br>ff00::/8 dev eth0 table local metric 256 pref medium<br>ff00::/8 dev gre1 table local metric 256 pref medium<br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br><br><br><br><br>##### ip address #####<br>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1<br> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br> inet <a 
href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo<br> valid_lft forever preferred_lft forever<br> inet6 ::1/128 scope host <br> valid_lft forever preferred_lft forever<br>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br> link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://192.168.23.193/24" target="_blank">192.168.23.193/24</a> brd 192.168.23.255 scope global eth0<br> valid_lft forever preferred_lft forever<br> inet6 fe80::5054:ff:fecb:abeb/64 scope link <br> valid_lft forever preferred_lft forever<br>3: eth1: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br> link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff<br>4: eth2: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br> link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff<br>5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1<br> link/gre 0.0.0.0 brd 0.0.0.0<br>6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000<br> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff<br>7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP<wbr>> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1<br> link/gre 192.168.23.193 peer 192.168.23.203<br> inet 192.168.34.1 peer <a href="http://192.168.34.3/32" target="_blank">192.168.34.3/32</a> scope global gre1<br> valid_lft forever preferred_lft forever<br> inet6 fe80::5efe:c0a8:17c1/64 scope link <br> valid_lft forever preferred_lft forever<br><br><br><br><br><br>=========================<br> spoke-192.168.23.203<br>=========================<br>##### ipsec.conf #####<br>config setup<br><br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> authby=secret<br> mobike=no<br> keyexchange=ikev2<br><br>conn host-host<br> left=192.168.23.203<br> leftprotoport=gre<br> 
right=192.168.23.193<br> rightprotoport=gre<br> type=transport<br> auto=add<br> reauth=no<br> closeaction=hold<br> keyexchange=ikev2<br> keyingtries=%forever<br><br><br><br><br>##### strongswan.conf #####<br>charon {<br> load_modular = yes<br> plugins {<br> include strongswan.d/charon/*.conf<br> }<br> syslog {<br> daemon {<br> default = 2<br> ike = 2<br> cfg = 2<br> esp = 2<br> chd = 2<br> net = 2<br> }<br> }<br> filelog {<br> /var/log/charon_debug.log {<br> time_format = %a, %Y-%m-%d %R<br> default = 2<br> mgr = 0 <br> net = 1<br> enc = 1<br> asn = 1<br> job = 1<br> knl = 1<br> ike_name = yes<br> append = no<br> flush_line = yes<br> }<br> }<br>}<br><br>include strongswan.d/*.conf<br><br><br><br><br>##### swanctl.conf #####<br>include conf.d/*.conf<br><br><br><br><br><br>##### ipsec statusall #####<br>Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):<br> uptime: 16 minutes, since Sep 14 09:53:16 2017<br> malloc: sbrk 2289664, mmap 0, used 295488, free 1994176<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0<br> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic<br>Listening IP addresses:<br> 192.168.23.203<br> 192.168.34.3<br>Connections:<br> host-host: 192.168.23.203...192.168.23.19<wbr>3 IKEv2<br> host-host: local: [192.168.23.203] uses pre-shared key authentication<br> host-host: remote: [192.168.23.193] uses pre-shared key authentication<br> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT<br>Security Associations (0 up, 0 connecting):<br> none<br><br><br><br>##### iptables -L -v #####<br>Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)<br> pkts bytes target prot opt in out source destination <br>13280 5633K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED<br> 1 84 ACCEPT 
icmp -- any any anywhere anywhere <br> 1 80 ACCEPT all -- lo any anywhere anywhere <br> 2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh<br><br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination <br><br>Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)<br> pkts bytes target prot opt in out source destination <br><br><br><br><br>##### ip route show table all #####<br>default via 192.168.23.232 dev eth0 proto static metric 100 <br><a href="http://192.168.23.0/24" target="_blank">192.168.23.0/24</a> dev eth0 proto kernel scope link src 192.168.23.203 <br>192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3 <br>broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 <br>local <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> dev lo table local proto kernel scope host src 127.0.0.1 <br>local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 <br>broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 <br>broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.203 <br>local 192.168.23.203 dev eth0 table local proto kernel scope host src 192.168.23.203 <br>broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.203 <br>local 192.168.34.3 dev gre1 table local proto kernel scope host src 192.168.34.3 <br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br>unreachable ::/96 dev lo metric 1024 error -113 pref medium<br>unreachable ::ffff:<a href="http://0.0.0.0/96" target="_blank">0.0.0.0/96</a> dev lo metric 1024 error -113 pref medium<br>unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref 
medium<br>unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium<br>unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium<br>unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium<br>fe80::/64 dev eth0 proto kernel metric 256 pref medium<br>fe80::/64 dev gre1 proto kernel metric 256 pref medium<br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br>local ::1 dev lo table local proto none metric 0 pref medium<br>local fe80:: dev lo table local proto none metric 0 pref medium<br>local fe80:: dev lo table local proto none metric 0 pref medium<br>local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref medium<br>local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref medium<br>ff00::/8 dev eth0 table local metric 256 pref medium<br>ff00::/8 dev eth1 table local metric 256 pref medium<br>ff00::/8 dev eth2 table local metric 256 pref medium<br>ff00::/8 dev gre1 table local metric 256 pref medium<br>unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium<br><br><br><br><br><br>##### ip address #####<br>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1<br> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo<br> valid_lft forever preferred_lft forever<br> inet6 ::1/128 scope host <br> valid_lft forever preferred_lft forever<br>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br> link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://192.168.23.203/24" target="_blank">192.168.23.203/24</a> brd 192.168.23.255 scope global eth0<br> valid_lft forever preferred_lft forever<br> inet6 fe80::5054:ff:fe3e:b778/64 scope link <br> valid_lft forever preferred_lft forever<br>3: eth1: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000<br> link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff<br>4: eth2: <BROADCAST,MULTICAST,UP,LOWER_<wbr>UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000<br> link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff<br>5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1<br> link/gre 0.0.0.0 brd 0.0.0.0<br>6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000<br> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff<br>7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP<wbr>> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1<br> link/gre 192.168.23.203 peer 192.168.23.193<br> inet 192.168.34.3 peer <a href="http://192.168.34.1/32" target="_blank">192.168.34.1/32</a> scope global gre1<br> valid_lft forever preferred_lft forever<br> inet6 fe80::5efe:c0a8:17cb/64 scope link <br> valid_lft forever preferred_lft forever<br><br><br><br><br><br>Regards,</div><div><br></div><div>Terry</div><div><br></div><div><br></div><div><br>On Sep 13, 2017, at 12:12 PM, Noel Kuntze <noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting> wrote:<br><br></div><div><blockquote type="cite"><div class="m_-7137867514355898596m_-5650816122747257959msg-quote"><div class="m_-7137867514355898596m_-5650816122747257959_stretch"><span class="m_-7137867514355898596m_-5650816122747257959body-text-content">Hello,<br><br>Please provide all the information that is listed on the HelpRequests[1] page on the wiki. 
Use the listed commands to get that information.<br><br>Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.<br><br>Kind regards<br><br>Noel<br><br>[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests" rel="noreferrer" target="_blank">https://wiki.strongswan.org/pr<wbr>ojects/strongswan/wiki/HelpReq<wbr>uests</a><br><br>On 13.09.2017 19:18, Anvar Kuchkartaev wrote:<br><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">What happened when you initiate host-host connection from any side? Can you share your ipsec.conf file contents so I could see if any mistakes over there? One more question how are your firewall rules configured? Do they allow udp 500,4500, ah, esp protocols from both sides?</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Anvar Kuchkartaev </blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><a href="mailto:anvar@anvartay.com" target="_blank">anvar@anvartay.com</a> </blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">*From: *Chengcheng Fu</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">*Sent: *Wednesday, 13 September 2017 06:27 p.m.</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">*To: *<a href="mailto:users@lists.strongswan.org" target="_blank">users@lists.strongswan.org</a></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">*Subject: *[strongSwan] strongswan not picking up traffic</blockquote><blockquote type="cite"
class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Hi,</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">I'm trying to setup a GRE over IPSec.</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">I have the GRE working, but Strongswan wouldn't pickup the gre traffic and encrypt it.</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Following is my topology</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">hub 192.168.23.193 - 192.168.23.203 spoke</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">And here are my output.</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Hub side:</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, 
x86_64):</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">uptime: 108 seconds, since Sep 14 00:23:00 2017</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">malloc: sbrk 2027520, mmap 0, used 273392, free 1754128</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Listening IP addresses:</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">192.168.23.193</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">192.168.34.1</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Connections:</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: 192.168.23.193...%any IKEv2</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: local: [192.168.23.193] uses pre-shared key authentication</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: remote: uses pre-shared key authentication</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: child: dynamic[gre] === 
dynamic[gre] TRANSPORT</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Security Associations (0 up, 0 connecting):</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">none</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Spoke side:</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">uptime: 4 seconds, since Sep 14 00:17:44 2017</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">malloc: sbrk 2289664, mmap 0, used 287184, free 2002480</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Listening IP addresses:</blockquote><blockquote type="cite" 
class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">192.168.23.203</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">192.168.34.3</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Connections:</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: 192.168.23.203...192.168.23.19<wbr>3 IKEv2</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: local: [192.168.23.203] uses pre-shared key authentication</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: remote: [192.168.23.193] uses pre-shared key authentication</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Security Associations (0 up, 0 connecting):</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">none</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Any thoughts?</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Regards,</blockquote><blockquote type="cite" 
class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text">Terry</blockquote><blockquote type="cite" class="m_-7137867514355898596m_-5650816122747257959quoted-plain-text"><br></blockquote><br></span></div></div></blockquote></div></div></blockquote></div></div></blockquote></div><br></div>
</blockquote></div><br></div>
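<div>Added example, not part of the original thread or of strongSwan itself: both posted configs use auto=add, which only loads the connection, so GRE packets never trigger IKE and the SA appears only after "ipsec up host-host". The sketch below resolves the "conn %default" inheritance in an ipsec.conf and reports which conns negotiate on matching traffic; the function names are hypothetical, "also=" includes are not handled, SPOKE_CONF is the spoke config from the thread, and ROUTED_CONF is a constructed variant.</div>

```python
"""Report which ipsec.conf conns will negotiate when matching traffic appears."""

# Meaning of the ipsec.conf "auto" keyword; the default when unset is "ignore".
AUTO_MODES = {
    "ignore": (False, "conn is not loaded"),
    "add": (False, "loaded only; waits for `ipsec up <conn>` or for the peer"),
    "route": (True, "trap policy installed; matching traffic triggers IKE"),
    "start": (False, "initiated once at daemon start, not by traffic"),
}

# Spoke-side config as posted in the thread.
SPOKE_CONF = """\
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    mobike=no
    keyexchange=ikev2

conn host-host
    left=192.168.23.203
    leftprotoport=gre
    right=192.168.23.193
    rightprotoport=gre
    type=transport
    auto=add
    reauth=no
    closeaction=hold
    keyexchange=ikev2
    keyingtries=%forever
"""

# Constructed variant (not from the thread): same conn with a trap policy.
ROUTED_CONF = SPOKE_CONF.replace("auto=add", "auto=route")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header at column 0
            parts = line.split(None, 1)
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1].strip(), {}) if is_conn else None
        elif current is not None and "=" in line:  # indented key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def effective(conns):
    """Apply 'conn %default' to every other conn; per-conn values win."""
    default = conns.get("%default", {})
    return {name: {**default, **opts}
            for name, opts in conns.items() if name != "%default"}


def audit(text):
    """Classify each conn by whether traffic alone can bring it up."""
    report = {}
    for name, opts in effective(parse_conns(text)).items():
        auto = opts.get("auto", "ignore")
        triggered, meaning = AUTO_MODES.get(auto, (False, "unknown auto value"))
        report[name] = {
            "auto": auto,
            "traffic_triggered": triggered,
            "meaning": meaning,
            "type": opts.get("type", "tunnel"),
            "selectors": (opts.get("leftprotoport"), opts.get("rightprotoport")),
        }
    return report


if __name__ == "__main__":
    for label, conf in (("as posted", SPOKE_CONF), ("auto=route", ROUTED_CONF)):
        for name, info in audit(conf).items():
            print(f"{label}: {name}: auto={info['auto']} -> {info['meaning']}")
```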