<div dir="ltr">Hello Noel<br><br>Yes, I agree, ideally and in production/live deployments of the IPSec-Gateways, we will need to use different/unique certificates for each tunnel that is established. But when you want to validate your IPSec-Gateway for multiple concurrent tunnels..say 1000 IKEv1/IKEv2-IPsec-tunnels.... and if you have to use certs for the IKE-auth, then it becomes very cumbersome to create 1000 certs (with different IDs, preferably certs with different subjectAltNames, etc)....so I generally test with 1 device-cert on each GW and set unique-ids=no and bring up all those tunnels as required<br> <br>>>>Why do you want that many IKE_SAs? For throughput testing, you only need many CHILD_SAs<div><div class="gmail_extra">You are right. We will use only IPsec-SAs/Child_SAs for throughput tests...But I am configuring with multiple IKE-SAs too for testing the Tunnels Capacity that the DUT (running strongSwan) can sustain (just as with using loadtester-plugin method...but here I get to transfer continuous traffic too via each of the tunnels established)</div><div class="gmail_extra"><br></div><div class="gmail_extra">And also to run some tests to ascertain "tunnels/second", etc.</div><div class="gmail_extra"><br></div><div class="gmail_extra"> Also if you have to get your platforms/DUT IPsec-Certified (by the IPsec labs, etc)...as per their formula/standard..1 IPsec tunnel = 1 IKE-SA-Pair+1 Child_SA-Pair</div><div class="gmail_extra"><br></div><div class="gmail_extra">thank you so much</div><div class="gmail_extra"><br></div><div class="gmail_extra">regards</div><div class="gmail_extra">Rajiv</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_quote">On Tue, Jan 16, 2018 at 11:28 PM, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
> I agree with Certificates you will need to set "uniqueids=no"...and use the same set of certs for each tunnel..<br>
<br>
No, just use different certificates and different IDs. It's not any different with PSKs, for example.<br>
I already did that by scripting with python.<br>
<br>
Why do you want that many IKE_SAs? For throughput testing, you only need many CHILD_SAs.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 15.01.2018 18:35, Rajiv Kulkarni wrote:<br>
> Hi<br>
><br>
> Actually it works when using PSK, without setting "uniqueids=no"..it could continue to be the default "uniqueids=yes" which is implicit..because you need each tunnel to have unique-ids for separation<br>
><br>
> I agree with Certificates you will need to set "uniqueids=no"...and use the same set of certs for each tunnel..<br>
><br>
> So say you have a setup as below:<br>
><br>
> (multiple-subnets)-----(Lan)[GW1](Wan)====(Wan)[GW2](Lan)-----(multiple-subnets)<br>
><br>
> Note: It's imperative and a must that you define the default-gw-ipaddress (as the remote-gw wanipaddr) on each of the GW1 and GW2...even though they may be connected back-to-back and they may be having ipaddresses in the same subnet...<br>
><br>
><br>
> In my case I configured 1000 tunnels (1 tunnel = 1 IKE-SA pair, 2 IPsec-SA pairs), between GW1 and GW2 using the same single wanipaddress<br>
><br>
> I did it successfully by ensuring that each connection-entry in the ipsec.conf file has a unique-set of left/right-IDs and therefore a corresponding set of PSK in the ipsec.secrets file <br>
><br>
> I also successfully sent continuous traffic through each of the 1000 tunnels (in fact I triggered the tunnels to get established by sending traffic hitting each of the ipsec policies...) using tools like spirentTC/ixia....start by sending about 100KB of traffic for each of the subnet-pairs...and once all the tunnels are established..you may increase the traffic load as per your setup requirements<br>
><br>
> Please find attached the sample config files for both GW1 and GW2 for the 1000-tunnels (please rename the files to ipsec.conf/ipsec.secrets on the respective GWs)<br>
><br>
> Hope this helps<br>
><br>
> thanks & regards<br>
> Rajiv<br>
><br>
><br>
> On Thu, Jan 11, 2018 at 5:26 PM, Noel Kuntze <<a href="mailto:noel.kuntze%2Bstrongswan-users-ml@thermi.consulting">noel.kuntze+strongswan-users-ml@thermi.consulting</a>> wrote:<br>
><br>
> Hi,<br>
><br>
> Set uniqueids = no in config setup.<br>
> Better, use swanctl.conf with swanctl. There, you can set it per conn and not globally.<br>
><br>
> Kind regards<br>
><br>
> Noel<br>
><br>
> On 06.01.2018 01:15, Jun Hu wrote:<br>
> > Hi,<br>
> > Does strongswan support multiple IKE SA (each with its own CHILD_SA) between single pair of address?<br>
> > it seems strongswan only allows one IKE SA per pair of address<br>
> ><br>
> > I am using strongswan 5.5.0, inter-op with an IKEv2 client that I wrote (for learning purpose), my client is the tunnel initiator, when I only create one IKE SA (along with one CHILD_SA), everything is good;<br>
> > but when my client tries to create 2nd CHILD_SA (using IKE_SA_INIT and IKE_AUTH exchange, not rekey) using same addresses, the 2nd IKE and CHILD SA were created successfully at the beginning, but after a few seconds, strongswan sends a delete msg to delete the 1st IKE_SA<br>
> ><br>
> > I also tried to set charon.reuse_ikesa to no, but same result<br>
> ><br>
> > I checked strongswan logs, it doesn't say why it deletes 1st IKE SA:<br>
> > root@vm-svr:/usr/local/etc# ipsec status<br>
> > Security Associations (2 up, 0 connecting):<br>
> > l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]<br>
> > l2l{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o<br>
> > l2l{2}: 10.10.10.1/32 === 1.1.1.2/32<br>
> > l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]<br>
> > l2l{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i 617a4971_o<br>
> > l2l{1}: 10.10.10.1/32 === 1.1.1.1/32<br>
> > root@vm-svr:/usr/local/etc# ipsec status<br>
> > Security Associations (1 up, 0 connecting):<br>
> > l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]<br>
> > l2l{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o<br>
> > l2l{2}: 10.10.10.1/32 === 1.1.1.2/32<br>
> ><br>
> ><br>
> ><br>
> > part of the log:<br>
> > .....<br>
> > Jan 5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r<br>
> > Jan 5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out<br>
> > Jan 5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]<br>
> > Jan 5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful<br>
> > Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]<br>
> > Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING => ESTABLISHED<br>
> > Jan 5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s<br>
> > Jan 5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and reqid {2}<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 32 packets<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and reqid {2}<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 0 packets<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 383616, refcount 1]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 383616, refcount 1]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 383616, refcount 1]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 383616, refcount 1]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 out already exists, increasing refcount<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 183616, refcount 2]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic selector 10.10.10.1/32<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as dev to reach 10.10.10.20/32<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 via 10.10.10.20 src 10.10.10.1 dev eth2<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 in already exists, increasing refcount<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 183616, refcount 2]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 fwd already exists, increasing refcount<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 183616, refcount 2]<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 fwd already exists, increasing refcount<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 283616, refcount 2]<br>
> > Jan 5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706<br>
> > Jan 5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2<br>
> > Jan 5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]<br>
> > Jan 5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (204 bytes)<br>
> > Jan 5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]<br>
> > Jan 5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful<br>
> > Jan 5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r<br>
> > Jan 5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> activating new tasks<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> activating IKE_DELETE task<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED => DELETING<br>
> > Jan 5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]<br>
> > Jan 5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]<br>
> > Jan 5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (76 bytes)<br>
> > Jan 5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]<br>
> > Jan 5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful<br>
> > Jan 5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r<br>
> > Jan 5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out<br>
> ><br>
> > ===ipsec.conf===<br>
> > conn %default<br>
> > keyexchange=ikev2<br>
> > mobike = no<br>
> > reauth=no<br>
> ><br>
> > conn l2l<br>
> > ikelifetime=500s<br>
> > margintime=10s<br>
> > rekeyfuzz=0%<br>
> > ike=aes128-sha1-modp2048!<br>
> > esp=aes128-sha1<br>
> > authby=psk<br>
> > leftfirewall=yes<br>
> > rightsubnet=1.0.0.0/8<br>
> > auto=add<br>
> ><br>
> ><br>
><br>
><br>
<br>
</blockquote></div><br></div></div></div>
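<p>The thread above describes bringing up 1000 tunnels between one address pair by giving every connection entry its own left/right ID pair and a matching PSK in ipsec.secrets, generated by script. The following is an added example of such a generator, not code from the thread or from the attached config files; the conn names, the <code>lab.example</code> IDs, the 192.0.2.x WAN addresses and the 10.16.0.0/12 and 10.32.0.0/12 subnet pools are assumptions chosen for a test lab.</p>

```python
import ipaddress
import os
import secrets
from itertools import islice


def plan_tunnels(count, gw1_base="10.16.0.0/12", gw2_base="10.32.0.0/12"):
    """Plan `count` tunnels: unique ID pair, unique PSK and one /24 per side."""
    nets1 = list(islice(ipaddress.ip_network(gw1_base).subnets(new_prefix=24), count))
    nets2 = list(islice(ipaddress.ip_network(gw2_base).subnets(new_prefix=24), count))
    if len(nets1) < count or len(nets2) < count:
        raise ValueError("base networks cannot supply %d /24 subnets" % count)
    return [
        {
            "name": "tun%04d" % n,
            "gw1_id": "@gw1-%04d.lab.example" % n,  # constructed FQDN-style IDs
            "gw2_id": "@gw2-%04d.lab.example" % n,
            "gw1_net": str(nets1[n - 1]),
            "gw2_net": str(nets2[n - 1]),
            "psk": secrets.token_urlsafe(32),       # 32 random bytes from the OS CSPRNG
        }
        for n in range(1, count + 1)
    ]


def render(tunnels, local, gw1_wan="192.0.2.1", gw2_wan="192.0.2.2"):
    """Return (ipsec.conf text, ipsec.secrets text) for gateway "gw1" or "gw2"."""
    if local not in ("gw1", "gw2"):
        raise ValueError("local must be 'gw1' or 'gw2'")
    remote = "gw2" if local == "gw1" else "gw1"
    wan = {"gw1": gw1_wan, "gw2": gw2_wan}
    conf = [
        "# uniqueids=yes is the default; it can stay because every conn has its own ID pair",
        "config setup",
        "    uniqueids=yes",
        "",
        "conn %default",
        "    keyexchange=ikev2",
        "    authby=psk",
        "    left=%s" % wan[local],
        "    right=%s" % wan[remote],
        "    auto=route",  # trap policies: traffic hitting a subnet pair brings the tunnel up
    ]
    secret_lines = []
    for t in tunnels:
        conf += [
            "",
            "conn %s" % t["name"],
            "    leftid=%s" % t[local + "_id"],
            "    rightid=%s" % t[remote + "_id"],
            "    leftsubnet=%s" % t[local + "_net"],
            "    rightsubnet=%s" % t[remote + "_net"],
        ]
        secret_lines.append('%s %s : PSK "%s"' % (t[local + "_id"], t[remote + "_id"], t["psk"]))
    return "\n".join(conf) + "\n", "\n".join(secret_lines) + "\n"


if __name__ == "__main__":
    plan = plan_tunnels(1000)
    for gw in ("gw1", "gw2"):
        conf_text, secrets_text = render(plan, gw)
        for suffix, text in (("ipsec.conf", conf_text), ("ipsec.secrets", secrets_text)):
            # 0600 so the generated PSKs are not world-readable
            fd = os.open("%s.%s" % (gw, suffix), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(text)
```

<p>Run as a script it writes gw1.ipsec.conf, gw1.ipsec.secrets and the gw2 equivalents, to be renamed on the respective gateways.</p>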