[strongSwan-dev] support for {left,right}allowany in charon?

Mirko Parthey mirko.parthey at informatik.tu-chemnitz.de
Mon May 7 17:38:55 CEST 2012


On Fri, May 04, 2012 at 11:18:15AM +0200, Tobias Brunner wrote:
> Well, did you try any of the workarounds I recommended in [1]?
> 
> Regards,
> Tobias
> 
> [1] https://lists.strongswan.org/pipermail/dev/2011-November/000493.html

Hi Tobias,

I now tried the first option you suggested in a lab setup.
All relevant files should be attached to this email.
Please let me know if there is any other information I should provide.

Here is my typescript:
------------------------------------------------------------------------
root at moon:~# ip addr del 192.168.0.1/24 dev eth0
root at moon:~# ip addr add 192.168.0.11/24 dev eth0

root at sun:~# vi /etc/hosts   # update moon's address to 192.168.0.11

root at sun:~# ip addr del 192.168.0.2/24 dev eth0
root at sun:~# ip addr add 192.168.0.22/24 dev eth0

root at moon:~# vi /etc/hosts  # update sun's address to 192.168.0.22
------------------------------------------------------------------------

The tunnel was unavailable for 30 seconds after I had changed sun's external IP
address. This seems to be the relevant part of the logfile:

May  7 15:34:26 sun charon: 13[IKE] remote address changed from 192.168.0.1 to 192.168.0.11
[...]
May  7 15:34:58 sun charon: 14[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:34:58 sun charon: 14[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:01 sun charon: 16[IKE] path probing attempt 1
May  7 15:35:01 sun charon: 16[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:01 sun charon: 16[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:03 sun charon: 01[IKE] path probing attempt 2
[...]

It looks like charon does not use the updated IP address for path checking,
nor does it resolve the peer's name again, which would also have provided the
updated address.

What's happening here, and what could be done about it?

Regards,
Mirko
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	plutostart=no
	charondebug="knl 2"

conn %default
	#

conn net-net-template 
	leftcert=moonCert.pem
	leftid=@moon.strongswan.org
	leftsubnet=10.1.0.0/16
	leftfirewall=yes
	rightid=@sun.strongswan.org
	rightsubnet=10.2.0.0/16
	keyingtries=%forever
	dpdaction=restart

conn net-net-any
	also=net-net-template
	right=%any
	auto=add

conn net-net
	also=net-net-template
	right=sun.ipsec
	auto=start
-------------- next part --------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	plutostart=no

conn %default
	#

conn net-net-template
	leftcert=sunCert.pem
	leftid=@sun.strongswan.org
	leftsubnet=10.2.0.0/16
	leftfirewall=yes
	rightid=@moon.strongswan.org
	rightsubnet=10.1.0.0/16
	keyingtries=%forever
	dpdaction=restart

conn net-net-any
	also=net-net-template
	right=%any
	auto=add

conn net-net
	also=net-net-template
	right=moon.ipsec
	auto=start
-------------- next part --------------
May  7 15:34:00 moon charon: 16[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500]
May  7 15:34:00 moon charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  7 15:34:00 moon charon: 16[IKE] 192.168.0.2 is initiating an IKE_SA
May  7 15:34:01 moon charon: 16[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:01 moon charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  7 15:34:01 moon charon: 16[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500]
May  7 15:34:01 moon charon: 01[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
May  7 15:34:01 moon charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May  7 15:34:01 moon charon: 01[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:01 moon charon: 01[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:34:01 moon charon: 01[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
May  7 15:34:01 moon charon: 01[CFG] selected peer config 'net-net'
May  7 15:34:01 moon charon: 01[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:34:01 moon charon: 01[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:01 moon charon: 01[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:34:01 moon charon: 01[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
May  7 15:34:01 moon charon: 01[LIB] libcurl http request failed: couldn't connect to host
May  7 15:34:01 moon charon: 01[CFG] crl fetching failed
May  7 15:34:01 moon charon: 01[CFG] certificate status is not available
May  7 15:34:01 moon charon: 01[CFG]   reached self-signed root ca with a path length of 0
May  7 15:34:01 moon charon: 01[IKE] authentication of 'sun.strongswan.org' with RSA signature successful
May  7 15:34:01 moon charon: 01[IKE] peer supports MOBIKE
May  7 15:34:01 moon charon: 01[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
May  7 15:34:01 moon charon: 01[IKE] IKE_SA net-net[2] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
May  7 15:34:01 moon charon: 01[IKE] scheduling reauthentication in 10219s
May  7 15:34:01 moon charon: 01[IKE] maximum IKE_SA lifetime 10759s
May  7 15:34:01 moon charon: 01[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:34:01 moon charon: 01[KNL] getting SPI for reqid {2}
May  7 15:34:01 moon charon: 01[KNL] got SPI c0a70c9d for reqid {2}
May  7 15:34:01 moon charon: 01[KNL] adding SAD entry with SPI c0a70c9d and reqid {2}
May  7 15:34:01 moon charon: 01[KNL]   using encryption algorithm AES_CBC with key size 128
May  7 15:34:01 moon charon: 01[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
May  7 15:34:01 moon charon: 01[KNL] adding SAD entry with SPI c10ee1dd and reqid {2}
May  7 15:34:01 moon charon: 01[KNL]   using encryption algorithm AES_CBC with key size 128
May  7 15:34:01 moon charon: 01[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
May  7 15:34:01 moon charon: 01[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:34:01 moon charon: 01[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:01 moon charon: 01[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:34:01 moon charon: 01[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:34:01 moon charon: 01[KNL] using host 10.1.0.1
May  7 15:34:01 moon charon: 01[KNL] getting address to reach 192.168.0.2
May  7 15:34:01 moon charon: 01[KNL] getting interface name for 192.168.0.1
May  7 15:34:01 moon charon: 01[KNL] 192.168.0.1 is on interface eth0
May  7 15:34:01 moon charon: 01[KNL] installing route: 10.2.0.0/16 via 192.168.0.2 src 10.1.0.1 dev eth0
May  7 15:34:01 moon charon: 01[KNL] getting iface index for eth0
May  7 15:34:01 moon charon: 01[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
May  7 15:34:01 moon charon: 01[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:34:01 moon charon: 01[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
May  7 15:34:01 moon charon: 01[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:01 moon charon: 01[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
May  7 15:34:01 moon charon: 01[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:34:01 moon charon: 01[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:34:01 moon charon: 01[KNL] using host 10.1.0.1
May  7 15:34:01 moon charon: 01[KNL] getting address to reach 192.168.0.2
May  7 15:34:01 moon charon: 01[KNL] getting interface name for 192.168.0.1
May  7 15:34:01 moon charon: 01[KNL] 192.168.0.1 is on interface eth0
May  7 15:34:01 moon charon: 01[IKE] CHILD_SA net-net{2} established with SPIs c0a70c9d_i c10ee1dd_o and TS 10.1.0.0/16 === 10.2.0.0/16 
May  7 15:34:01 moon charon: 01[KNL] getting interface name for 192.168.0.1
May  7 15:34:01 moon charon: 01[KNL] 192.168.0.1 is on interface eth0
May  7 15:34:01 moon charon: 01[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
May  7 15:34:01 moon charon: 01[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
May  7 15:34:19 moon charon: 03[KNL] 192.168.0.1 disappeared from eth0
May  7 15:34:19 moon charon: 14[KNL] creating roam job due to address/link change
May  7 15:34:19 moon charon: 14[KNL] getting address to reach 192.168.0.2
May  7 15:34:19 moon charon: 14[IKE] old path is not available anymore, try to find another
May  7 15:34:19 moon charon: 14[IKE] looking for a route to 192.168.0.2 ...
May  7 15:34:19 moon charon: 14[KNL] getting address to reach 192.168.0.2
May  7 15:34:19 moon charon: 14[IKE] looking for a route to 10.2.0.1 ...
May  7 15:34:19 moon charon: 14[KNL] getting address to reach 10.2.0.1
May  7 15:34:19 moon charon: 14[IKE] no route found to reach 192.168.0.2, MOBIKE update deferred
May  7 15:34:26 moon charon: 03[KNL] 192.168.0.11 appeared on eth0
May  7 15:34:26 moon charon: 13[KNL] getting iface index for eth0
May  7 15:34:26 moon charon: 16[KNL] creating roam job due to address/link change
May  7 15:34:26 moon charon: 16[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 16[IKE] old path is not available anymore, try to find another
May  7 15:34:26 moon charon: 16[IKE] looking for a route to 192.168.0.2 ...
May  7 15:34:26 moon charon: 16[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 16[IKE] sending address list update using MOBIKE, implicitly requesting an address change
May  7 15:34:26 moon charon: 16[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 16[ENC] generating INFORMATIONAL request 0 [ ]
May  7 15:34:26 moon charon: 16[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 16[IKE] checking path 192.168.0.11[4500] - 192.168.0.2[4500]
May  7 15:34:26 moon charon: 16[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:34:26 moon charon: 16[KNL] getting address to reach 10.2.0.1
May  7 15:34:26 moon charon: 12[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
May  7 15:34:26 moon charon: 12[ENC] parsed INFORMATIONAL response 0 [ ]
May  7 15:34:26 moon charon: 12[KNL] querying SAD entry with SPI c0a70c9d for update
May  7 15:34:26 moon charon: 12[KNL] querying replay state from SAD entry with SPI c0a70c9d
May  7 15:34:26 moon charon: 12[KNL] deleting SAD entry with SPI c0a70c9d
May  7 15:34:26 moon charon: 12[KNL] deleted SAD entry with SPI c0a70c9d
May  7 15:34:26 moon charon: 12[KNL] updating SAD entry with SPI c0a70c9d from 192.168.0.2[4500]..192.168.0.1[4500] to 192.168.0.2[4500]..192.168.0.11[4500]
May  7 15:34:26 moon charon: 12[KNL] querying SAD entry with SPI c10ee1dd for update
May  7 15:34:26 moon charon: 12[KNL] querying replay state from SAD entry with SPI c10ee1dd
May  7 15:34:26 moon charon: 12[KNL] deleting SAD entry with SPI c10ee1dd
May  7 15:34:26 moon charon: 12[KNL] deleted SAD entry with SPI c10ee1dd
May  7 15:34:26 moon charon: 12[KNL] updating SAD entry with SPI c10ee1dd from 192.168.0.1[4500]..192.168.0.2[4500] to 192.168.0.11[4500]..192.168.0.2[4500]
May  7 15:34:26 moon charon: 12[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:34:26 moon charon: 12[KNL] policy still used by another CHILD_SA, not removed
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:34:26 moon charon: 12[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:26 moon charon: 12[KNL] policy still used by another CHILD_SA, not removed
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:26 moon charon: 12[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:34:26 moon charon: 12[KNL] policy still used by another CHILD_SA, not removed
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:34:26 moon charon: 12[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:34:26 moon charon: 12[KNL] using host 10.1.0.1
May  7 15:34:26 moon charon: 12[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 12[KNL] getting interface name for 192.168.0.1
May  7 15:34:26 moon charon: 12[KNL] 192.168.0.1 is not a local address
May  7 15:34:26 moon charon: 12[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:34:26 moon charon: 12[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:26 moon charon: 12[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
May  7 15:34:26 moon charon: 12[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:34:26 moon charon: 12[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:34:26 moon charon: 12[KNL] using host 10.1.0.1
May  7 15:34:26 moon charon: 12[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 12[KNL] getting interface name for 192.168.0.11
May  7 15:34:26 moon charon: 12[KNL] 192.168.0.11 is on interface eth0
May  7 15:34:26 moon charon: 12[KNL] getting address to reach 192.168.0.2
May  7 15:34:26 moon charon: 12[ENC] generating INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
May  7 15:34:26 moon charon: 12[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:34:26 moon charon: 11[NET] received packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
May  7 15:34:26 moon charon: 11[ENC] parsed INFORMATIONAL response 1 [ ]
May  7 15:34:31 moon charon: 01[KNL] querying SAD entry with SPI c0a70c9d
May  7 15:34:31 moon charon: 01[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:34:31 moon charon: 01[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:00 moon charon: 12[KNL] querying SAD entry with SPI c0a70c9d
May  7 15:35:00 moon charon: 12[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:00 moon charon: 12[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:21 moon charon: 11[KNL] querying SAD entry with SPI c0a70c9d
May  7 15:35:21 moon charon: 11[IKE] sending DPD request
May  7 15:35:21 moon charon: 11[ENC] generating INFORMATIONAL request 2 [ ]
May  7 15:35:21 moon charon: 11[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:35:25 moon charon: 14[IKE] retransmit 1 of request with message ID 2
May  7 15:35:25 moon charon: 14[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:35:26 moon charon: 15[NET] received packet: from 192.168.0.22[500] to 192.168.0.11[500]
May  7 15:35:26 moon charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  7 15:35:26 moon charon: 15[IKE] 192.168.0.22 is initiating an IKE_SA
May  7 15:35:26 moon charon: 15[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 moon charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  7 15:35:26 moon charon: 15[NET] sending packet: from 192.168.0.11[500] to 192.168.0.22[500]
May  7 15:35:26 moon charon: 13[NET] received packet: from 192.168.0.22[4500] to 192.168.0.11[4500]
May  7 15:35:26 moon charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May  7 15:35:26 moon charon: 13[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 moon charon: 13[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:35:26 moon charon: 13[CFG] looking for peer configs matching 192.168.0.11[moon.strongswan.org]...192.168.0.22[sun.strongswan.org]
May  7 15:35:26 moon charon: 13[CFG] selected peer config 'net-net'
May  7 15:35:26 moon charon: 13[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:35:26 moon charon: 13[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 moon charon: 13[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:35:26 moon charon: 13[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
May  7 15:35:26 moon charon: 13[LIB] libcurl http request failed: couldn't connect to host
May  7 15:35:26 moon charon: 13[CFG] crl fetching failed
May  7 15:35:26 moon charon: 13[CFG] certificate status is not available
May  7 15:35:26 moon charon: 13[CFG]   reached self-signed root ca with a path length of 0
May  7 15:35:26 moon charon: 13[IKE] authentication of 'sun.strongswan.org' with RSA signature successful
May  7 15:35:26 moon charon: 13[IKE] peer supports MOBIKE
May  7 15:35:26 moon charon: 13[IKE] destroying duplicate IKE_SA for peer 'sun.strongswan.org', received INITIAL_CONTACT
May  7 15:35:26 moon charon: 13[KNL] deleting SAD entry with SPI c0a70c9d
May  7 15:35:26 moon charon: 13[KNL] deleted SAD entry with SPI c0a70c9d
May  7 15:35:26 moon charon: 13[KNL] deleting SAD entry with SPI c10ee1dd
May  7 15:35:26 moon charon: 13[KNL] deleted SAD entry with SPI c10ee1dd
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:35:26 moon charon: 13[KNL] policy still used by another CHILD_SA, not removed
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:26 moon charon: 13[KNL] policy still used by another CHILD_SA, not removed
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:26 moon charon: 13[KNL] policy still used by another CHILD_SA, not removed
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:26 moon charon: 13[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:35:26 moon charon: 13[KNL] using host 10.1.0.1
May  7 15:35:26 moon charon: 13[KNL] getting address to reach 192.168.0.2
May  7 15:35:26 moon charon: 13[KNL] getting interface name for 192.168.0.1
May  7 15:35:26 moon charon: 13[KNL] 192.168.0.1 is not a local address
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:26 moon charon: 13[KNL] deleting policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:26 moon charon: 13[KNL] getting iface index for eth0
May  7 15:35:26 moon charon: 13[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful
May  7 15:35:26 moon charon: 13[IKE] IKE_SA net-net[3] established between 192.168.0.11[moon.strongswan.org]...192.168.0.22[sun.strongswan.org]
May  7 15:35:26 moon charon: 13[IKE] scheduling reauthentication in 10195s
May  7 15:35:26 moon charon: 13[IKE] maximum IKE_SA lifetime 10735s
May  7 15:35:26 moon charon: 13[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:35:26 moon charon: 13[KNL] getting SPI for reqid {3}
May  7 15:35:26 moon charon: 13[KNL] got SPI cfa61919 for reqid {3}
May  7 15:35:26 moon charon: 13[KNL] adding SAD entry with SPI cfa61919 and reqid {3}
May  7 15:35:26 moon charon: 13[KNL]   using encryption algorithm AES_CBC with key size 128
May  7 15:35:26 moon charon: 13[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
May  7 15:35:26 moon charon: 13[KNL] adding SAD entry with SPI c1fe7792 and reqid {3}
May  7 15:35:26 moon charon: 13[KNL]   using encryption algorithm AES_CBC with key size 128
May  7 15:35:26 moon charon: 13[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
May  7 15:35:26 moon charon: 13[KNL] adding policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:35:26 moon charon: 13[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:26 moon charon: 13[KNL] adding policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:26 moon charon: 13[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:35:26 moon charon: 13[KNL] using host 10.1.0.1
May  7 15:35:26 moon charon: 13[KNL] getting address to reach 192.168.0.22
May  7 15:35:26 moon charon: 13[KNL] getting interface name for 192.168.0.11
May  7 15:35:26 moon charon: 13[KNL] 192.168.0.11 is on interface eth0
May  7 15:35:26 moon charon: 13[KNL] installing route: 10.2.0.0/16 via 192.168.0.22 src 10.1.0.1 dev eth0
May  7 15:35:26 moon charon: 13[KNL] getting iface index for eth0
May  7 15:35:26 moon charon: 13[KNL] policy 10.1.0.0/16 === 10.2.0.0/16 out already exists, increasing refcount
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.1.0.0/16 === 10.2.0.0/16 out
May  7 15:35:26 moon charon: 13[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 in already exists, increasing refcount
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:26 moon charon: 13[KNL] policy 10.2.0.0/16 === 10.1.0.0/16 fwd already exists, increasing refcount
May  7 15:35:26 moon charon: 13[KNL] updating policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:35:26 moon charon: 13[KNL] getting a local address in traffic selector 10.1.0.0/16
May  7 15:35:26 moon charon: 13[KNL] using host 10.1.0.1
May  7 15:35:26 moon charon: 13[KNL] getting address to reach 192.168.0.22
May  7 15:35:26 moon charon: 13[KNL] getting interface name for 192.168.0.11
May  7 15:35:26 moon charon: 13[KNL] 192.168.0.11 is on interface eth0
May  7 15:35:26 moon charon: 13[IKE] CHILD_SA net-net{3} established with SPIs cfa61919_i c1fe7792_o and TS 10.1.0.0/16 === 10.2.0.0/16 
May  7 15:35:26 moon charon: 13[KNL] getting interface name for 192.168.0.11
May  7 15:35:26 moon charon: 13[KNL] 192.168.0.11 is on interface eth0
May  7 15:35:26 moon charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
May  7 15:35:26 moon charon: 13[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.22[4500]
May  7 15:35:56 moon charon: 11[KNL] querying SAD entry with SPI cfa61919
May  7 15:35:56 moon charon: 11[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 in
May  7 15:35:56 moon charon: 11[KNL] querying policy 10.2.0.0/16 === 10.1.0.0/16 fwd
May  7 15:36:06 moon charon: 14[KNL] querying SAD entry with SPI cfa61919
May  7 15:36:06 moon charon: 14[IKE] sending DPD request
May  7 15:36:06 moon charon: 14[ENC] generating INFORMATIONAL request 0 [ ]
May  7 15:36:06 moon charon: 14[NET] sending packet: from 192.168.0.11[4500] to 192.168.0.22[4500]
May  7 15:36:06 moon charon: 15[NET] received packet: from 192.168.0.22[4500] to 192.168.0.11[4500]
May  7 15:36:06 moon charon: 15[ENC] parsed INFORMATIONAL response 0 [ ]
-------------- next part --------------
May  7 15:34:00 sun charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.3)
May  7 15:34:00 sun charon: 00[KNL] listening on interfaces:
May  7 15:34:00 sun charon: 00[KNL]   eth1
May  7 15:34:00 sun charon: 00[KNL]     10.2.0.1
May  7 15:34:00 sun charon: 00[KNL]     fe80::5054:ff:fe61:5147
May  7 15:34:00 sun charon: 00[KNL]   eth0
May  7 15:34:00 sun charon: 00[KNL]     192.168.0.2
May  7 15:34:00 sun charon: 00[KNL]     fe80::5054:ff:fed4:f6e6
May  7 15:34:00 sun charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May  7 15:34:00 sun charon: 00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
May  7 15:34:00 sun charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May  7 15:34:00 sun charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May  7 15:34:00 sun charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May  7 15:34:00 sun charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  7 15:34:00 sun charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May  7 15:34:00 sun charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/sunKey.pem'
May  7 15:34:00 sun charon: 00[CFG] sql plugin: database URI not set
May  7 15:34:00 sun charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
May  7 15:34:00 sun charon: 00[CFG] loaded 0 RADIUS server configurations
May  7 15:34:00 sun charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
May  7 15:34:00 sun charon: 00[CFG] mediation client database URI not defined, skipped
May  7 15:34:00 sun charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
May  7 15:34:00 sun charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
May  7 15:34:00 sun charon: 00[CFG] HA config misses local/remote address
May  7 15:34:00 sun charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
May  7 15:34:00 sun charon: 00[DMN] loaded plugins: test-vectors curl ldap pkcs11 aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls dhcp led addrblock
May  7 15:34:00 sun charon: 00[JOB] spawning 16 worker threads
May  7 15:34:00 sun charon: 11[CFG] received stroke: add connection 'net-net-any'
May  7 15:34:00 sun charon: 11[CFG] left nor right host is our side, assuming left=local
May  7 15:34:00 sun charon: 11[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" from 'sunCert.pem'
May  7 15:34:00 sun charon: 11[CFG] added configuration 'net-net-any'
May  7 15:34:00 sun charon: 13[CFG] received stroke: add connection 'net-net'
May  7 15:34:00 sun charon: 13[CFG] left nor right host is our side, assuming left=local
May  7 15:34:00 sun charon: 13[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org" from 'sunCert.pem'
May  7 15:34:00 sun charon: 13[CFG] added configuration 'net-net'
May  7 15:34:00 sun charon: 16[CFG] received stroke: initiate 'net-net'
May  7 15:34:00 sun charon: 16[IKE] initiating IKE_SA net-net[1] to 192.168.0.1
May  7 15:34:00 sun charon: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  7 15:34:00 sun charon: 16[NET] sending packet: from 192.168.0.2[500] to 192.168.0.1[500]
May  7 15:34:00 sun charon: 01[NET] received packet: from 192.168.0.1[500] to 192.168.0.2[500]
May  7 15:34:00 sun charon: 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  7 15:34:00 sun charon: 01[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:00 sun charon: 01[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:00 sun charon: 01[IKE] authentication of 'sun.strongswan.org' (myself) with RSA signature successful
May  7 15:34:00 sun charon: 01[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:34:00 sun charon: 01[IKE] establishing CHILD_SA net-net
May  7 15:34:00 sun charon: 01[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May  7 15:34:00 sun charon: 01[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
May  7 15:34:00 sun charon: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
May  7 15:34:00 sun charon: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
May  7 15:34:00 sun charon: 12[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:34:00 sun charon: 12[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:34:00 sun charon: 12[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:34:00 sun charon: 12[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:34:00 sun charon: 12[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
May  7 15:34:00 sun charon: 12[LIB] libcurl http request failed: couldn't connect to host
May  7 15:34:00 sun charon: 12[CFG] crl fetching failed
May  7 15:34:00 sun charon: 12[CFG] certificate status is not available
May  7 15:34:00 sun charon: 12[CFG]   reached self-signed root ca with a path length of 0
May  7 15:34:00 sun charon: 12[IKE] authentication of 'moon.strongswan.org' with RSA signature successful
May  7 15:34:00 sun charon: 12[IKE] IKE_SA net-net[1] established between 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
May  7 15:34:00 sun charon: 12[IKE] scheduling reauthentication in 10182s
May  7 15:34:00 sun charon: 12[IKE] maximum IKE_SA lifetime 10722s
May  7 15:34:00 sun charon: 12[IKE] CHILD_SA net-net{1} established with SPIs c10ee1dd_i c0a70c9d_o and TS 10.2.0.0/16 === 10.1.0.0/16 
May  7 15:34:00 sun charon: 12[IKE] received AUTH_LIFETIME of 10219s, scheduling reauthentication in 9679s
May  7 15:34:00 sun charon: 12[IKE] peer supports MOBIKE
May  7 15:34:26 sun charon: 15[NET] received packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:34:26 sun charon: 15[ENC] parsed INFORMATIONAL request 0 [ ]
May  7 15:34:26 sun charon: 15[ENC] generating INFORMATIONAL response 0 [ ]
May  7 15:34:26 sun charon: 15[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
May  7 15:34:26 sun charon: 13[NET] received packet: from 192.168.0.11[4500] to 192.168.0.2[4500]
May  7 15:34:26 sun charon: 13[ENC] parsed INFORMATIONAL request 1 [ N(ADD_4_ADDR) ]
May  7 15:34:26 sun charon: 13[IKE] remote address changed from 192.168.0.1 to 192.168.0.11
May  7 15:34:26 sun charon: 13[ENC] generating INFORMATIONAL response 1 [ ]
May  7 15:34:26 sun charon: 13[NET] sending packet: from 192.168.0.2[4500] to 192.168.0.11[4500]
May  7 15:34:51 sun charon: 05[KNL] 192.168.0.2 disappeared from eth0
May  7 15:34:51 sun charon: 01[IKE] old path is not available anymore, try to find another
May  7 15:34:51 sun charon: 01[IKE] looking for a route to 192.168.0.1 ...
May  7 15:34:51 sun charon: 01[IKE] looking for a route to 10.1.0.1 ...
May  7 15:34:51 sun charon: 01[IKE] no route found to reach 192.168.0.11, MOBIKE update deferred
May  7 15:34:58 sun charon: 05[KNL] 192.168.0.22 appeared on eth0
May  7 15:34:58 sun charon: 14[IKE] old path is not available anymore, try to find another
May  7 15:34:58 sun charon: 14[IKE] looking for a route to 192.168.0.1 ...
May  7 15:34:58 sun charon: 14[IKE] requesting address change using MOBIKE
May  7 15:34:58 sun charon: 14[ENC] generating INFORMATIONAL request 2 [ ]
May  7 15:34:58 sun charon: 14[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:34:58 sun charon: 14[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:01 sun charon: 16[IKE] path probing attempt 1
May  7 15:35:01 sun charon: 16[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:01 sun charon: 16[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:03 sun charon: 01[IKE] path probing attempt 2
May  7 15:35:03 sun charon: 01[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:03 sun charon: 01[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:06 sun charon: 12[IKE] path probing attempt 3
May  7 15:35:06 sun charon: 12[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:06 sun charon: 12[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:08 sun charon: 14[IKE] path probing attempt 4
May  7 15:35:08 sun charon: 14[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:08 sun charon: 14[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:11 sun charon: 11[IKE] path probing attempt 5
May  7 15:35:11 sun charon: 11[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:11 sun charon: 11[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:13 sun charon: 15[IKE] path probing attempt 6
May  7 15:35:13 sun charon: 15[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:13 sun charon: 15[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:16 sun charon: 13[IKE] path probing attempt 7
May  7 15:35:16 sun charon: 13[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:16 sun charon: 13[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:18 sun charon: 16[IKE] path probing attempt 8
May  7 15:35:18 sun charon: 16[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:18 sun charon: 16[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:21 sun charon: 01[IKE] path probing attempt 9
May  7 15:35:21 sun charon: 01[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:21 sun charon: 01[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:23 sun charon: 12[IKE] path probing attempt 10
May  7 15:35:23 sun charon: 12[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:23 sun charon: 12[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.1[4500]
May  7 15:35:26 sun charon: 14[IKE] giving up after 10 path probings
May  7 15:35:26 sun charon: 14[IKE] restarting CHILD_SA net-net
May  7 15:35:26 sun charon: 14[IKE] initiating IKE_SA net-net[2] to 192.168.0.11
May  7 15:35:26 sun charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  7 15:35:26 sun charon: 14[NET] sending packet: from 192.168.0.22[500] to 192.168.0.11[500]
May  7 15:35:26 sun charon: 11[NET] received packet: from 192.168.0.11[500] to 192.168.0.22[500]
May  7 15:35:26 sun charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May  7 15:35:26 sun charon: 11[IKE] received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 sun charon: 11[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 sun charon: 11[IKE] authentication of 'sun.strongswan.org' (myself) with RSA signature successful
May  7 15:35:26 sun charon: 11[IKE] sending end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
May  7 15:35:26 sun charon: 11[IKE] establishing CHILD_SA net-net
May  7 15:35:26 sun charon: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May  7 15:35:26 sun charon: 11[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.11[4500]
May  7 15:35:26 sun charon: 15[NET] received packet: from 192.168.0.11[4500] to 192.168.0.22[4500]
May  7 15:35:26 sun charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
May  7 15:35:26 sun charon: 15[IKE] received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:35:26 sun charon: 15[CFG]   using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:35:26 sun charon: 15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
May  7 15:35:26 sun charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
May  7 15:35:26 sun charon: 15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
May  7 15:35:26 sun charon: 15[LIB] libcurl http request failed: couldn't connect to host
May  7 15:35:26 sun charon: 15[CFG] crl fetching failed
May  7 15:35:26 sun charon: 15[CFG] certificate status is not available
May  7 15:35:26 sun charon: 15[CFG]   reached self-signed root ca with a path length of 0
May  7 15:35:26 sun charon: 15[IKE] authentication of 'moon.strongswan.org' with RSA signature successful
May  7 15:35:26 sun charon: 15[IKE] IKE_SA net-net[2] established between 192.168.0.22[sun.strongswan.org]...192.168.0.11[moon.strongswan.org]
May  7 15:35:26 sun charon: 15[IKE] scheduling reauthentication in 9772s
May  7 15:35:26 sun charon: 15[IKE] maximum IKE_SA lifetime 10312s
May  7 15:35:26 sun charon: 15[IKE] CHILD_SA net-net{2} established with SPIs c1fe7792_i cfa61919_o and TS 10.2.0.0/16 === 10.1.0.0/16 
May  7 15:35:26 sun charon: 15[IKE] received AUTH_LIFETIME of 10195s, scheduling reauthentication in 9655s
May  7 15:35:26 sun charon: 15[IKE] peer supports MOBIKE
May  7 15:36:06 sun charon: 14[NET] received packet: from 192.168.0.11[4500] to 192.168.0.22[4500]
May  7 15:36:06 sun charon: 14[ENC] parsed INFORMATIONAL request 0 [ ]
May  7 15:36:06 sun charon: 14[ENC] generating INFORMATIONAL response 0 [ ]
May  7 15:36:06 sun charon: 14[NET] sending packet: from 192.168.0.22[4500] to 192.168.0.11[4500]
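As an added example (not part of this mail and not strongSwan code), a small Python checker that scans charon log lines like the ones above and flags MOBIKE path probes sent to a remote address that an earlier "remote address changed" line has already superseded, which is the symptom this thread describes. The sample lines are constructed after the quoted log; the function names are my own.

```python
import re

# Constructed sample, modelled on the charon log lines quoted in this mail.
SAMPLE_LOG = """\
May  7 15:34:26 sun charon: 13[IKE] remote address changed from 192.168.0.1 to 192.168.0.11
May  7 15:34:58 sun charon: 14[IKE] requesting address change using MOBIKE
May  7 15:34:58 sun charon: 14[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:01 sun charon: 16[IKE] path probing attempt 1
May  7 15:35:01 sun charon: 16[IKE] checking path 192.168.0.22[4500] - 192.168.0.1[4500]
May  7 15:35:26 sun charon: 14[IKE] giving up after 10 path probings
"""

CHANGED_RE = re.compile(r"remote address changed from (\S+) to (\S+)")
PROBE_RE = re.compile(r"checking path (\S+)\[\d+\] - (\S+)\[\d+\]")
GIVEUP_RE = re.compile(r"giving up after (\d+) path probings")


def find_stale_probes(log_text):
    """Return (stale, gave_up).

    stale is a list of (line_no, probed_addr, current_addr) for every
    "checking path" line whose remote side is an address the peer has
    already replaced via a MOBIKE address update; gave_up tells whether
    charon abandoned path probing (and so tore down the IKE_SA).
    """
    current = None        # remote address most recently announced by the peer
    superseded = set()    # remote addresses the peer has moved away from
    stale = []
    gave_up = False
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = CHANGED_RE.search(line)
        if m:
            superseded.add(m.group(1))
            current = m.group(2)
            continue
        m = PROBE_RE.search(line)
        if m and m.group(2) in superseded:
            # Probe is aimed at the old address, not at the updated one.
            stale.append((line_no, m.group(2), current))
            continue
        if GIVEUP_RE.search(line):
            gave_up = True
    return stale, gave_up


if __name__ == "__main__":
    probes, dropped = find_stale_probes(SAMPLE_LOG)
    for line_no, old, new in probes:
        print(f"line {line_no}: probed {old}, peer already moved to {new}")
    print("IKE_SA restarted after failed probing" if dropped else "probing recovered")
```

Run it over a real daemon.log from sun to see at which lines the probes still target the stale address; an empty list means charon picked up the updated address.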