<div dir="ltr">Hi<div><br></div><div>From my own understanding (I may be wrong) of your configs applied... I believe there is a "missing" permit rule for ESP in the INPUT chain of your iptables/firewall rules</div><div><br></div><div>Try adding to the running config as below, above the drop rule</div><div><br></div><div>iptables -I INPUT 1 -p esp -i &lt;ens01&gt; -j ACCEPT</div><div><br></div><div>and no harm in adding a similar rule in the OUTPUT chain too</div><div><br></div><div>iptables -I OUTPUT 1 -p esp -o &lt;ens01&gt; -j ACCEPT<br></div><div><br></div><div>--------------------------------------------------------------------------- </div><div>or a more complete rule-set would be as below (to be applied on both ipsec-gateways)</div><div><br></div><div><br>iptables -I INPUT 1 -i &lt;Internet&gt; -p esp -j ACCEPT<br>iptables -I INPUT 2 -i &lt;Internet&gt; -p udp -m udp --dport 500 -j ACCEPT<br>iptables -I INPUT 3 -i &lt;Internet&gt; -p udp -m udp --dport 4500 -j ACCEPT<br>iptables -I INPUT 4 -p tcp -m multiport --dports 22 -j f2b-sshd<br>iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br>iptables -I INPUT 6 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<br>iptables -A INPUT -i lo -j ACCEPT<br>iptables -A INPUT -i LAN -j ACCEPT<br>iptables -A INPUT -j DROP<br><br>iptables -I OUTPUT 1 -p esp -j ACCEPT<br>iptables -I OUTPUT 2 -p udp -m udp --dport 500 -j ACCEPT<br>iptables -I OUTPUT 3 -p udp -m udp --dport 4500 -j ACCEPT<br>iptables -I OUTPUT 4 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<br><br>Note: "Internet" interface mentioned is to be replaced with your actual wan/internet/public interface of the gateway<br><br></div><div>-----------------------------------------------------------------------------</div><div><br></div><div>regards</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 1, 2022 at 6:54 PM VTwin Farriers &lt;<a href="mailto:vtwin@cox.net">vtwin@cox.net</a>&gt; 
wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p><br><span style="font-family:"courier new",courier">Good morning Noel,</span></p>
<p><span style="font-family:"courier new",courier">Attached below are the various configurations you requested. At this point my config is pretty basic as I attempt to get this working.</span></p>
<p><span style="font-family:"courier new",courier">The IP addresses of my Work and Home Routers are 192.168.126.254 and 192.168.127.254 respectively. Upon establishing a connection I cannot ping or ssh to either router from the other subnet.</span></p>
<p><span style="font-family:"courier new",courier">If there's anything else I can provide to aid in diagnosing how I've set this up wrong let me know and I'll try to get it quickly.</span></p>
<p><span style="font-family:"courier new",courier">Thank you for the assistance, </span></p>
<p><span style="font-family:"courier new",courier">Mike</span></p>
<p><br><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">WorkRouter & HomeRouter /etc/sysctl.conf:</span></p>
<p><span style="font-family:"courier new",courier">net.ipv4.ip_forward = 1</span><br><span style="font-family:"courier new",courier">net.ipv6.conf.all.forwarding = 0</span><br><span style="font-family:"courier new",courier">net.ipv6.conf.all.disable_ipv6 = 1</span><br><span style="font-family:"courier new",courier">net.ipv6.conf.default.disable_ipv6 = 1</span><br><span style="font-family:"courier new",courier">net.conf.lo.disable_ipv6 = 1</span><br><span style="font-family:"courier new",courier">net.netfilter.nf_conntrack_helper = 1</span></p>
<p><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">WorkRouter iptables pre-connection:</span></p>
<p><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022</span><br><span style="font-family:"courier new",courier">*filter</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:FORWARD DROP [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:f2b-sshd - [0:0]</span><br><span style="font-family:"courier new",courier">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 4500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -j DROP</span><br><span style="font-family:"courier new",courier">-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -j DROP</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o Internet -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A f2b-sshd -j 
RETURN</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:34:10 2022</span><br><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022</span><br><span style="font-family:"courier new",courier">*nat</span><br><span style="font-family:"courier new",courier">:PREROUTING ACCEPT [30:3004]</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:POSTROUTING ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [1:88]</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -s <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -o Internet -m policy --dir out --pol ipsec -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -o Internet -j MASQUERADE</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:34:10 2022</span></p>
<p><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">WorkRouter post-connection:</span></p>
<p><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022</span><br><span style="font-family:"courier new",courier">*filter</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:FORWARD DROP [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:LOGGING - [0:0]</span><br><span style="font-family:"courier new",courier">:f2b-sshd - [0:0]</span><br><span style="font-family:"courier new",courier">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 4500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -j DROP</span><br><span style="font-family:"courier new",courier">-A FORWARD -s <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -d <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -s <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -d <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT</span><br><span style="font-family:"courier 
new",courier">-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -j DROP</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o wlp3s0 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A OUTPUT -o Internet -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A f2b-sshd -j RETURN</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:49:29 2022</span><br><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022</span><br><span style="font-family:"courier new",courier">*nat</span><br><span style="font-family:"courier new",courier">:PREROUTING ACCEPT [1431:142370]</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [1:364]</span><br><span style="font-family:"courier new",courier">:POSTROUTING ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [16:1124]</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -s <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -o Internet -m policy --dir out --pol ipsec -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -o Internet -j MASQUERADE</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:49:29 2022</span></p>
<p><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">HomeRouter iptables pre-connection:</span></p>
<p><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022</span><br><span style="font-family:"courier new",courier">*filter</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:FORWARD DROP [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [7573850:808120940]</span><br><span style="font-family:"courier new",courier">:f2b-sshd - [0:0]</span><br><span style="font-family:"courier new",courier">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 4500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -j DROP</span><br><span style="font-family:"courier new",courier">-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -j DROP</span><br><span style="font-family:"courier new",courier">-A f2b-sshd -j RETURN</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:36:55 2022</span><br><span style="font-family:"courier new",courier"># Generated by 
iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022</span><br><span style="font-family:"courier new",courier">*nat</span><br><span style="font-family:"courier new",courier">:PREROUTING ACCEPT [201662:20100360]</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [130094:8522561]</span><br><span style="font-family:"courier new",courier">:POSTROUTING ACCEPT [347066:26292253]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [395652:30979041]</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -s <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -o Internet -m policy --dir out --pol ipsec -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -o Internet -j MASQUERADE</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:36:55 2022</span></p>
<p><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">HomeRouter iptables post-connection:</span></p>
<p><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022</span><br><span style="font-family:"courier new",courier">*filter</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [0:0]</span><br><span style="font-family:"courier new",courier">:FORWARD DROP [0:0]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [7775544:830642656]</span><br><span style="font-family:"courier new",courier">:f2b-sshd - [0:0]</span><br><span style="font-family:"courier new",courier">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd</span><br><span style="font-family:"courier new",courier">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -p udp -m udp --dport 4500 -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A INPUT -j DROP</span><br><span style="font-family:"courier new",courier">-A FORWARD -s <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -d <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -s <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -d <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a> -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED 
-j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i lo -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -i LAN -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A FORWARD -j DROP</span><br><span style="font-family:"courier new",courier">-A f2b-sshd -j RETURN</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:47:36 2022</span><br><span style="font-family:"courier new",courier"># Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022</span><br><span style="font-family:"courier new",courier">*nat</span><br><span style="font-family:"courier new",courier">:PREROUTING ACCEPT [205511:20493848]</span><br><span style="font-family:"courier new",courier">:INPUT ACCEPT [132803:8703437]</span><br><span style="font-family:"courier new",courier">:POSTROUTING ACCEPT [353122:26767112]</span><br><span style="font-family:"courier new",courier">:OUTPUT ACCEPT [402834:31555865]</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -s <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> -o Internet -m policy --dir out --pol ipsec -j ACCEPT</span><br><span style="font-family:"courier new",courier">-A POSTROUTING -o Internet -j MASQUERADE</span><br><span style="font-family:"courier new",courier">COMMIT</span><br><span style="font-family:"courier new",courier"># Completed on Tue Feb 1 07:47:36 2022</span></p>
<p><span style="font-family:"courier new",courier">----------------------------------------------------------------------</span></p>
<p><span style="font-family:"courier new",courier">WorkRouter swanctl.conf:</span></p>
<p><span style="font-family:"courier new",courier">connections {</span><br><span style="font-family:"courier new",courier"> homenet {</span><br><span style="font-family:"courier new",courier"> version=2</span><br><span style="font-family:"courier new",courier"> mobike=no</span><br><span style="font-family:"courier new",courier"> fragmentation=yes</span><br><span style="font-family:"courier new",courier"> local_addrs=Work.Public.IP.Address</span><br><span style="font-family:"courier new",courier"> remote_addrs=Home.Public.IP.Address</span><br><span style="font-family:"courier new",courier"> proposals=aes256-sha1-modp1024</span><br><span style="font-family:"courier new",courier"> local {</span><br><span style="font-family:"courier new",courier"> auth = psk</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> remote {</span><br><span style="font-family:"courier new",courier"> auth = psk</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> children {</span><br><span style="font-family:"courier new",courier"> homenet {</span><br><span style="font-family:"courier new",courier"> esp_proposals=aes256-sha1</span><br><span style="font-family:"courier new",courier"> remote_ts=<a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a></span><br><span style="font-family:"courier new",courier"> local_ts=<a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a></span><br><span style="font-family:"courier new",courier"> updown=/usr/libexec/strongswan/_updown iptables</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier">}</span></p>
<p><span style="font-family:"courier new",courier">HomeRouter swanctl.conf:</span></p>
<p><span style="font-family:"courier new",courier">worknet {</span><br><span style="font-family:"courier new",courier"> version=2</span><br><span style="font-family:"courier new",courier"> mobike=no</span><br><span style="font-family:"courier new",courier"> fragmentation=yes</span><br><span style="font-family:"courier new",courier"> local_addrs=Home.Public.IP.Address</span><br><span style="font-family:"courier new",courier"> remote_addrs=Work.Public.IP.Address</span><br><span style="font-family:"courier new",courier"> proposals=aes256-sha1-modp1024</span><br><span style="font-family:"courier new",courier"> local {</span><br><span style="font-family:"courier new",courier"> auth = psk</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> remote {</span><br><span style="font-family:"courier new",courier"> auth = psk</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> children {</span><br><span style="font-family:"courier new",courier"> worknet {</span><br><span style="font-family:"courier new",courier"> esp_proposals=aes256-sha1</span><br><span style="font-family:"courier new",courier"> local_ts=<a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a></span><br><span style="font-family:"courier new",courier"> remote_ts=<a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a></span><br><span style="font-family:"courier new",courier"> updown=/usr/libexec/strongswan/_updown iptables</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier"> }</span><br><span style="font-family:"courier new",courier">}</span></p>
<p><br><span style="font-family:"courier new",courier">Connection from HomeRouter to WorkRouter:</span></p>
<p><span style="font-family:"courier new",courier">swanctl --initiate --ike worknet --child worknet</span><br><span style="font-family:"courier new",courier">[IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address</span><br><span style="font-family:"courier new",courier">[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</span><br><span style="font-family:"courier new",courier">[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)</span><br><span style="font-family:"courier new",courier">[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)</span><br><span style="font-family:"courier new",courier">[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]</span><br><span style="font-family:"courier new",courier">[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</span><br><span style="font-family:"courier new",courier">[CFG] no IDi configured, fall back on IP address</span><br><span style="font-family:"courier new",courier">[IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key</span><br><span style="font-family:"courier new",courier">[IKE] establishing CHILD_SA worknet{1}</span><br><span style="font-family:"courier new",courier">[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]</span><br><span style="font-family:"courier new",courier">[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)</span><br><span style="font-family:"courier new",courier">[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)</span><br><span style="font-family:"courier new",courier">[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]</span><br><span style="font-family:"courier 
new",courier">[IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful</span><br><span style="font-family:"courier new",courier">[IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]</span><br><span style="font-family:"courier new",courier">[IKE] scheduling rekeying in 14047s</span><br><span style="font-family:"courier new",courier">[IKE] maximum IKE_SA lifetime 15487s</span><br><span style="font-family:"courier new",courier">[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ</span><br><span style="font-family:"courier new",courier">[IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS <a href="http://192.168.127.0/24" target="_blank">192.168.127.0/24</a> === <a href="http://192.168.126.0/24" target="_blank">192.168.126.0/24</a></span><br><span style="font-family:"courier new",courier">initiate completed successfully</span><br></p>
</div>
</blockquote></div>
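The reply's point about placing the ESP permit above the drop rule, as an added example that is not part of the original thread: a shell/awk check that reads `iptables-save` output and reports whether ESP, UDP 500 and UDP 4500 are accepted in INPUT before the catch-all DROP. The function names and the `insert`/`append` variants are constructed for illustration (the base ruleset is WorkRouter's INPUT chain as posted); the check looks only for explicit rules and does not model conntrack state matching.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the IPsec permits discussed
# in the thread. Reads the dump on stdin, e.g.  iptables-save | check_ipsec_input
# Prints: esp=<ok|missing> ike=<ok|missing> natt=<ok|missing>
check_ipsec_input() {
    awk '
    BEGIN { esp = ike = natt = "missing"; in_filter = 0; dropped = 0 }
    # Track which table we are in; only *filter is relevant here.
    /^\*/ { in_filter = ($0 == "*filter") }
    # Skip everything except INPUT rules that are still reachable.
    !in_filter || dropped || $1 != "-A" || $2 != "INPUT" { next }
    {
        # A rule with no match at all ("-A INPUT -j DROP") ends the chain:
        # any ACCEPT placed after it is never evaluated.
        if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) {
            dropped = 1; next
        }
        proto = ""; dport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (proto == "esp" || proto == "50") esp = "ok"
        if (proto == "udp" && dport == "500") ike = "ok"
        if (proto == "udp" && dport == "4500") natt = "ok"
    }
    END { printf "esp=%s ike=%s natt=%s\n", esp, ike, natt }
    '
}

# Sample input. With no argument: WorkRouter INPUT chain as posted in the thread.
# "insert": constructed variant with the ESP permit at position 1 (iptables -I INPUT 1).
# "append": constructed variant with the ESP permit added after the DROP (iptables -A).
sample_ruleset() {
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    if [ "${1:-}" = insert ]; then echo '-A INPUT -i Internet -p esp -j ACCEPT'; fi
    cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
EOF
    if [ "${1:-}" = append ]; then echo '-A INPUT -i Internet -p esp -j ACCEPT'; fi
    echo 'COMMIT'
    echo '*nat'
    echo '-A POSTROUTING -o Internet -j MASQUERADE'
    echo 'COMMIT'
}

echo "as posted: $(sample_ruleset | check_ipsec_input)"
echo "inserted:  $(sample_ruleset insert | check_ipsec_input)"
echo "appended:  $(sample_ruleset append | check_ipsec_input)"
```

The `append` case shows why the reply uses `-I INPUT 1` rather than `-A`: a permit placed after `-A INPUT -j DROP` is never reached.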