<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). <span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">I've searched the web and found very little references to table 220 issues but, after
"ipsec start", "ipsec statusall" shows the connection (as does ip xfrm policy and ip xfrm state) and table 220 is empty. This is the first time this has happened to me (admittedly, only two other IPSec setups using Strongswan). Below are the configuration
files (except ipsec.secrets which has one uncommented line in the form: 67.nnn.nnn.nnn : PSK <pre-shared key obfuscated>) with IP addresses and conn names (but nothing else) obfuscated. What am I doing wrong? Any further debugging steps I can take? Anything
else you need to know? Thanks for your help.</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"># ipsec.conf - strongSwan IPsec configuration file
<div><br>
</div>
<div># basic configuration</div>
<div><br>
</div>
<div>config setup</div>
<div> # strictcrlpolicy=yes</div>
<div> # uniqueids = no</div>
<div><br>
</div>
<div># Add connections here.</div>
<div><br>
</div>
<div># Sample VPN connections</div>
<div><br>
</div>
<div>conn %default</div>
<div> authby=psk</div>
<div> auto=start</div>
<div> dpdaction=restart</div>
<div> dpddelay=30s</div>
<div> esp=aes256-sha256-ecp384</div>
<div> ike=aes256-sha256-ecp384</div>
<div> keyexchange=ikev2</div>
<div> left=67.nnn.nnn.nnn</div>
<div> leftauth=psk</div>
<div> leftfirewall=yes</div>
<div> lifetime=3h</div>
<div># mark=77 tested with vti - didn't help</div>
<div> right=64.mmm.mmm.mmm</div>
<div> rightauth=psk</div>
<div># See strongswan.conf for retransmission settings</div>
<div><br>
</div>
<div>conn Rock-Roll-aaa-qqq</div>
<div> leftsubnet=10.xxx.aaa.0/24</div>
<div> rightsubnet=10.64.qqq.0/24</div>
<div><br>
</div>
<div>conn Rock-Roll-bbb-qqq</div>
<div> leftsubnet=10.xxx.bbb.0/24</div>
<div> rightsubnet=10.64.qqq.0/24</div>
<div><br>
</div>
<div>conn Rock-Roll-ccc-qqq</div>
<div> leftsubnet=10.xxx.ccc.0/24</div>
<div> rightsubnet=10.64.qqq.0/24</div>
<div><br>
</div>
<div>conn Rock-Roll-aaa-rrr</div>
<div> leftsubnet=10.xxx.aaa.0/24</div>
<div> rightsubnet=10.64.rrr.0/24</div>
<div><br>
</div>
<div>conn Rock-Roll-bbb-rrr</div>
<div> leftsubnet=10.xxx.bbb.0/24</div>
<div> rightsubnet=10.64.rrr.0/24</div>
<div><br>
</div>
<div>conn Rock-Roll-ccc-rrr</div>
<div> leftsubnet=10.xxx.ccc.0/24</div>
<div> rightsubnet=10.64.rrr.0/24</div>
<div><br>
</div>
<div># strongswan.conf - strongSwan configuration file</div>
<div>#</div>
<div># Refer to the strongswan.conf(5) manpage for details</div>
<div>#</div>
<div># Configuration changes should be made in the included files</div>
<div><br>
</div>
<div>charon {</div>
<div> load_modular = yes</div>
<div> plugins {</div>
<div> include strongswan.d/charon/*.conf</div>
<div> }</div>
<div># charon.install_routes=0</div>
<div> charon.retransmit_base = 2</div>
<div> charon.retransmit_timeout = 5</div>
<div> charon.retransmit_tries = 7</div>
<div>}</div>
<div><br>
</div>
<div>include strongswan.d/*.conf</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">ipsec statusall<br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
<div> uptime: 13 seconds, since Oct 08 12:07:47 2020</div>
<div> malloc: sbrk 1310720, mmap 0, used 305896, free 1004824</div>
<div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3</div>
<div> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark
farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity</div>
<div>Listening IP addresses:</div>
<div> 192.168.eee.fff</div>
<div> 67.nnn.nnn.nnn</div>
<div> 10.xxx.ddd.www</div>
<div> 10.xxx.ddd.ttt</div>
<div> 10.xxx.bbb.www</div>
<div> 10.xxx.bbb.ttt</div>
<div> 10.xxx.eee.www</div>
<div> 10.xxx.eee.ttt</div>
<div> 192.168.ppp.ttt</div>
<div> 10.xxx.aaa.uuu</div>
<div> 66.lll.mmm.vvv</div>
<div>Connections:</div>
<div>Rock-Roll-aaa-qqq: 67.nnn.nnn.nnn...64.mmm.mmm.mmm IKEv2, dpddelay=30s</div>
<div>Rock-Roll-aaa-qqq: local: [67.nnn.nnn.nnn] uses pre-shared key authentication</div>
<div>Rock-Roll-aaa-qqq: remote: [64.mmm.mmm.mmm] uses pre-shared key authentication</div>
<div>Rock-Roll-aaa-qqq: child: 10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart</div>
<div>Rock-Roll-bbb-qqq: child: 10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart</div>
<div>Rock-Roll-ccc-qqq: child: 10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart</div>
<div>Rock-Roll-aaa-rrr: child: 10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart</div>
<div>Rock-Roll-bbb-rrr: child: 10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart</div>
<div>Rock-Roll-ccc-rrr: child: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart</div>
<div>Security Associations (1 up, 0 connecting):</div>
<div>Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]</div>
<div>Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, pre-shared key reauthentication in 2 hours</div>
<div>Rock-Roll-aaa-qqq[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384</div>
<div>Rock-Roll-bbb-rrr{6}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o</div>
<div>Rock-Roll-bbb-rrr{6}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours</div>
<div>Rock-Roll-bbb-rrr{6}: 10.xxx.ccc.0/24 === 10.64.rrr.0/24</div>
<br>
</span><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">ip xfrm state</span><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
<div>src <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
67.nnn.nnn.nnn</span> dst <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
64.mmm.mmm.mmm</span></div>
<div> proto esp spi 0x8d9b26cd reqid 6 mode tunnel</div>
<div> replay-window 32 flag af-unspec</div>
<div> mark 0x4d/0xffffffff</div>
<div> auth-trunc hmac(sha256) 0x9985013cc2678d13ff4d070f02c72fd1ea49f2c7158bc056d0150de4a5b4a7dc 128</div>
<div> enc cbc(aes) 0xfcbc30f7ffadddb494d651668b012db11c437164fb430ed809a190b537e016c1</div>
<div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>
<div> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000</div>
<div>src <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
64.mmm.mmm.mmm</span> dst <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
67.nnn.nnn.nnn</span></div>
<div> proto esp spi 0xc5a95ea2 reqid 6 mode tunnel</div>
<div> replay-window 32 flag af-unspec</div>
<div> mark 0x4d/0xffffffff</div>
<div> auth-trunc hmac(sha256) 0xa71506e5ad73a6ad0b1b25bd7d94af7d19906fe9d82bf86e1c21e5a8d9feb22c 128</div>
<div> enc cbc(aes) 0x6c819631ced958d174d1490ee83f95c1d47ae5ead6df21b08095575e199c9805</div>
<div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div>
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;"><br>
</span></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt;">ip xfrm policy
<div>src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24 </div>
<div> dir fwd priority 2883 </div>
<div> mark 0x4d/0xffffffff</div>
<div> tmpl src <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
64.mmm.mmm.mmm</span> dst <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
67.nnn.nnn.nnn</span></div>
<div> proto esp reqid 6 mode tunnel</div>
<div>src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24 </div>
<div> dir in priority 2883 </div>
<div> mark 0x4d/0xffffffff</div>
<div> tmpl src <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
64.mmm.mmm.mmm</span> dst <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
67.nnn.nnn.nnn</span></div>
<div> proto esp reqid 6 mode tunnel</div>
<div>src 10.xxx.ccc.0/24 dst 10.64.rrr.0/24 </div>
<div> dir out priority 2883 </div>
<div> mark 0x4d/0xffffffff</div>
<div> tmpl src <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
67.nnn.nnn.nnn</span> dst <span style="font-family: Calibri, Arial, Helvetica, sans-serif; background-color: rgb(255, 255, 255); display: inline !important">
64.mmm.mmm.mmm</span></div>
<div> proto esp reqid 6 mode tunnel</div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div> socket in priority 0 </div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div> socket out priority 0 </div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div> socket in priority 0 </div>
<div>src 0.0.0.0/0 dst 0.0.0.0/0 </div>
<div> socket out priority 0 </div>
<div>src ::/0 dst ::/0 </div>
<div> socket in priority 0 </div>
<div>src ::/0 dst ::/0 </div>
<div> socket out priority 0 </div>
<div>src ::/0 dst ::/0 </div>
<div> socket in priority 0 </div>
<div>src ::/0 dst ::/0 </div>
<div> socket out priority 0 </div>
<br>
<br>
</span></div>
<P id=c1-id-7
style="FONT-SIZE: 0px; FONT-FAMILY: Arial; COLOR: #fff">Harriscomputer</P>
<TABLE id=c1-id-8
style="BORDER-LEFT-WIDTH: 0px; BORDER-RIGHT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; PADDING-LEFT: 0px; MARGIN: 0px; PADDING-RIGHT: 0px; BORDER-TOP-WIDTH: 0px">
<COLGROUP id=c1-id-9>
<COL id=c1-id-10></COL></COLGROUP>
<TBODY id=c1-id-11>
<TR id=c1-id-12>
<TD id=c1-id-13>
<TABLE id=c1-id-14 style="HEIGHT: 0px; WIDTH: 100%" cellSpacing=0
cellPadding=0 border=0>
<COLGROUP id=c1-id-15>
<COL id=c1-id-16>
<COL id=c1-id-17>
<COL id=c1-id-18></COL></COL></COL></COLGROUP>
<TBODY id=c1-id-19>
<TR id=c1-id-27>
<TD id=c1-id-28 style="WIDTH: 33%">
<P style="FONT-SIZE: 10pt; FONT-FAMILY: Arial" align=left><B
id=c1-id-30><FONT id=c1-id-31 face=Arial>Leroy Tennison<BR
id=c1-id-32></FONT></B><FONT id=c1-id-33 size=2
face=Arial>Network Information/Cyber Security Specialist<BR id=c1-id-38><SPAN id=c1-id-39
style="FONT-SIZE: 8pt">E: leroy@datavoiceint.com<BR>P:</SPAN></FONT></P></TD>
<TD id=c1-id-40 style="WIDTH: 33%">
<P style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; TEXT-ALIGN: center"
align=center><BR id=c1-id-43><IMG border=0
src="cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG"></P></TD>
<TD id=c1-id-45 style="WIDTH: 33%">
<P id=c1-id-46
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial; TEXT-ALIGN: right"
align=right><FONT id=c1-id-47 style="FONT-SIZE: 8pt"
face=Arial>2220 Bush Dr<BR id=c1-id-48>McKinney, Texas<BR
id=c1-id-49>75070<BR><FONT id=c1-id-51
style="FONT-SIZE: 8pt" face=Arial><A
href="http://www..com">www.datavoiceint.com</A></FONT></FONT><FONT
id=c1-id-56 size=3> </FONT></P></TD></TR></TBODY></TABLE>
<TABLE id=c1-id-57 style="WIDTH: 100%" cellSpacing=2 border=0>
<COLGROUP id=c1-id-58>
<COL id=c1-id-59>
<COL id=c1-id-60>
<COL id=c1-id-61></COL></COL></COL></COLGROUP>
<TBODY id=c1-id-62>
<TR id=c1-id-63>
<TD id=c1-id-64 colSpan=3>
<P id=c1-id-65
style="MARGIN-BOTTOM: 0px; FONT-SIZE: 10pt; FONT-FAMILY: Arial; MARGIN-TOP: 0px"><FONT
id=c1-id-66 size=1 face=Arial>This message has been sent on behalf
of a company that is part of the Harris Operating Group of
Constellation Software Inc.</FONT></P>
<P
style="MARGIN-BOTTOM: 0px; FONT-SIZE: 10pt; FONT-FAMILY: Arial; MARGIN-TOP: 0px"><FONT
size=1 face=Arial>If you prefer not to be contacted by Harris
Operating Group <A
href="http://subscribe.harriscomputer.com/">please notify us</A>.
</FONT></P>
<P
style="MARGIN-BOTTOM: 0px; FONT-SIZE: 10pt; FONT-FAMILY: Arial; MARGIN-TOP: 0px"> </P>
<P
style="MARGIN-BOTTOM: 0px; FONT-SIZE: 10pt; FONT-FAMILY: Arial; MARGIN-TOP: 0px"><FONT
size=1 face=Arial></FONT></P>
<P
style="MARGIN-BOTTOM: 0px; FONT-SIZE: 10pt; FONT-FAMILY: Arial; MARGIN-TOP: 0px"><FONT
size=1 face=Arial>This message is intended exclusively for the
individual or entity to which it is addressed. This communication
may contain information that is proprietary, privileged or
confidential or otherwise legally exempt from disclosure. If you are
not the named addressee, you are not authorized to read, print,
retain, copy or disseminate this message or any part of it. If you
have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the
message.</FONT></P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<P id=c1-id-74
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"> </P></body>
</html>