[strongSwan] configuring charon with installpolicy=no

Ayyash, Mohammad (NSN - FI/Espoo) mohammad.ayyash at nsn.com
Wed May 19 10:40:23 CEST 2010


by the way, when I set the reqid to 2 on the receiving end, it works...
but is this really the way to go?!  This is a very simple setup, but
there will be cases with hundreds of VPNs to be established...

I still can't understand what the use of reqid is.  Why does charon
generate a new one? Why do I have to manually configure one (it looks
like reqid is very similar to SPI)?



Here is what you requested (putting reqid back to 1 as previously sent):
# ip xfrm state
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x5b43d15de8b3997f346f8ff2b9b297c83b60104a
        enc cbc(aes) 0x9c850aad09dddc25be6153ac8393029e
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xc6c531f3 reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xdc2c4677b0c85f5842b059a86dcc5f44dc00bd78
        enc cbc(aes) 0x97b79d26f2fe533d92395e0c22a7a17b


# ip xfrm policy
src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
        dir fwd priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel


note how the reqid is different





Here the same example, only this time, I set reqid to 2 on the inbound
side, and ping goes just fine:
# ip xfrm state
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xcc7636fb reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x51a764daac8beac9e61b3524c906894547b1fb37
        enc cbc(aes) 0x229fdbf97ec3e2d88e41270367f02c7b
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xcb7751d6 reqid 2 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x0e629068e2575e017ea0592bb09cc728d60946ce
        enc cbc(aes) 0xf1d152284d2ba5aa2f0ae0fada9162c3

# ip xfrm policy
src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 2 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 2 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
        dir fwd priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 2 mode tunnel


here are the inbound side logs:
starter --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     20.0.0.1
00[KNL]     fe80::209:6bff:fe58:6492
00[KNL]   eth1
00[KNL]     192.168.0.250
00[KNL]     10.0.0.1
00[KNL]     10.0.0.2
00[KNL]     fe80::209:6bff:fe58:6493
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 20.0.0.1 40.0.0.1
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
attr resolve
00[JOB] spawning 16 worker threads
charon (25963) started after 160 ms
01[JOB] started worker thread, ID: 1
01[JOB] no events, waiting
03[JOB] started worker thread, ID: 3
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
06[JOB] started worker thread, ID: 6
06[NET] waiting for data on raw sockets
08[JOB] started worker thread, ID: 8
08[CFG] received stroke: add connection 'CONFIG'
08[CFG] conn CONFIG
08[CFG]   left=20.0.0.1
08[CFG]   leftsubnet=10.0.0.0/24
08[CFG]   leftsourceip=(null)
08[CFG]   leftauth=(null)
08[CFG]   leftauth2=(null)
08[CFG]   leftid=20.0.0.1
02[JOB] started worker thread, ID: 2
07[JOB] started worker thread, ID: 7
09[JOB] started worker thread, ID: 9
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
13[JOB] started worker thread, ID: 13
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
16[JOB] started worker thread, ID: 16
08[CFG]   leftid2=(null)
08[CFG]   leftcert=(null)
08[CFG]   leftcert2=(null)
08[CFG]   leftca=(null)
08[CFG]   leftca2=(null)
08[CFG]   leftgroups=(null)
08[CFG]   leftupdown=(null)
08[CFG]   right=40.0.0.1
08[CFG]   rightsubnet=30.0.0.0/24
08[CFG]   rightsourceip=(null)
08[CFG]   rightauth=(null)
08[CFG]   rightauth2=(null)
08[CFG]   rightid=40.0.0.1
08[CFG]   rightid2=(null)
08[CFG]   rightcert=(null)
08[CFG]   rightcert2=(null)
08[CFG]   rightca=(null)
08[CFG]   rightca2=(null)
08[CFG]   rightgroups=(null)
08[CFG]   rightupdown=(null)
08[CFG]   eap_identity=(null)
08[CFG]   ike=aes128-md5-modp1536
08[CFG]   esp=aes128-sha1
08[CFG]   mediation=no
08[CFG]   mediated_by=(null)
08[CFG]   me_peerid=(null)
08[KNL] getting interface name for 40.0.0.1
08[KNL] 40.0.0.1 is not a local address
08[KNL] getting interface name for 20.0.0.1
08[KNL] 20.0.0.1 is on interface eth0
08[CFG] added configuration 'CONFIG'
02[CFG] received stroke: route 'CONFIG'
02[CFG] proposing traffic selectors for us:
02[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
configuration 'CONFIG' routed

06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
06[NET] waiting for data on raw sockets
10[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
10[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
10[CFG]   candidate: 20.0.0.1...40.0.0.1, prio 12
10[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
01[JOB] next event in 29s 999ms, waiting
10[IKE] 40.0.0.1 is initiating an IKE_SA
10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
10[CFG] selecting proposal:
10[CFG]   proposal matches
10[CFG] received proposals:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
10[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
10[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
06[NET] waiting for data on raw sockets
11[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
11[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
11[CFG] looking for peer configs matching
20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
11[CFG]   candidate "CONFIG", match: 20/20/12 (me/other/ike)
11[CFG] selected peer config 'CONFIG'
11[IKE] authentication of '40.0.0.1' with pre-shared key successful
11[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
11[IKE] successfully created shared key MAC
11[IKE] IKE_SA CONFIG[1] established between
20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
11[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
11[IKE] scheduling reauthentication in 23738s
01[JOB] next event in 29s 440ms, waiting
11[IKE] maximum IKE_SA lifetime 26618s
01[JOB] next event in 29s 405ms, waiting
11[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 ===
30.0.0.1/32[icmp/8] 30.0.0.0/24
11[CFG] proposing traffic selectors for us:
11[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
11[CFG] proposing traffic selectors for other:
11[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
11[CFG]   candidate "CONFIG" with prio 7+7
11[CFG] found matching child config "CONFIG" with prio 14
11[CFG] selecting proposal:
11[CFG]   proposal matches
11[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
11[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
11[KNL] getting SPI for reqid {2}
11[KNL] got SPI cc7636fb for reqid {2}
11[CFG] selecting traffic selectors for us:
11[CFG]  config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match:
10.0.0.1/32[icmp]
11[CFG]  config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
10.0.0.0/24
11[CFG] selecting traffic selectors for other:
11[CFG]  config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match:
30.0.0.1/32[icmp/8]
11[CFG]  config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
30.0.0.0/24
11[KNL] adding SAD entry with SPI cc7636fb and reqid {2}
11[KNL]   using encryption algorithm AES_CBC with key size 128
11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
11[KNL] adding SAD entry with SPI cb7751d6 and reqid {2}
11[KNL]   using encryption algorithm AES_CBC with key size 128
11[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
11[IKE] CHILD_SA CONFIG{2} established with SPIs cc7636fb_i cb7751d6_o
and TS 10.0.0.0/24 === 30.0.0.0/24
11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT)
]
11[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
01[JOB] next event in 1ms, waiting
01[JOB] got event, queuing job for execution
01[JOB] next event in 23708s 557ms, waiting



and tcpdump:
11:33:11.814685 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[I]
11:33:12.001573 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa
ikev2_init[]
11:33:12.350975 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: child_sa
ikev2_auth[I]
11:33:13.159219 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: child_sa
ikev2_auth[]
11:33:13.441764 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x1),
length 132
11:33:13.442012 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x1),
length 132
11:33:13.443979 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x2),
length 132
11:33:13.444043 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x2),
length 132
11:33:14.443399 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x3),
length 132
11:33:14.443468 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x3),
length 132



thanks a lot
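A diagnostic for the reqid mismatch visible in the dumps above, added here as an example (it is not strongSwan's code and not from the thread): it parses `ip xfrm policy` and `ip xfrm state` output and reports every policy template whose src/dst/proto/mode has an installed SA only under a different reqid, which is exactly why the reqid 1 policies never matched charon's reqid 2 SAs. The embedded dumps are constructed from the outputs quoted above, with the key lines left out.

```python
"""Cross-check `ip xfrm policy` templates against `ip xfrm state` entries.

Added diagnostic, not part of strongSwan or the thread. The kernel pairs a
policy template with an SA only when src/dst/proto/mode AND reqid match,
so hand-inserted reqid 1 policies never pair with charon's reqid 2 SAs.
"""
import re
from collections import namedtuple

Sa = namedtuple("Sa", "src dst proto spi reqid mode")
Policy = namedtuple("Policy", "src dst direction priority tmpl_src tmpl_dst "
                              "tmpl_proto tmpl_reqid tmpl_mode")

# Constructed from the first dump in the thread (auth/enc key lines omitted).
STATE_DUMP = """\
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xc6c531f3 reqid 2 mode tunnel
"""

POLICY_DUMP_REQID1 = """\
src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
        dir fwd priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
"""
# The second (working) dump in the thread differs only in the template reqid.
POLICY_DUMP_REQID2 = POLICY_DUMP_REQID1.replace("reqid 1", "reqid 2")


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output; replay/flag/key lines are ignored."""
    sas, endpoints = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            endpoints = m.groups()
            continue
        m = re.match(r"^proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)", line)
        if m and endpoints:
            proto, spi, reqid, mode = m.groups()
            sas.append(Sa(*endpoints, proto, spi, int(reqid), mode))
    return sas


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into one Policy per template line."""
    policies, sel, direction, prio, tmpl = [], None, None, None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^src (\S+) dst (\S+)", line)      # selector (not tmpl)
        if m:
            sel = m.groups()
            continue
        m = re.match(r"^dir (\S+) priority (\d+)", line)
        if m:
            direction, prio = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:
            tmpl = m.groups()
            continue
        m = re.match(r"^proto (\S+) reqid (\d+) mode (\S+)", line)
        if m and sel and tmpl:
            policies.append(Policy(*sel, direction, prio, *tmpl,
                                   m.group(1), int(m.group(2)), m.group(3)))
            tmpl = None
    return policies


def find_reqid_mismatches(policies, sas):
    """Return one message per template that no installed SA can satisfy."""
    problems = []
    for p in policies:
        same_path = [s for s in sas if (s.src, s.dst, s.proto, s.mode)
                     == (p.tmpl_src, p.tmpl_dst, p.tmpl_proto, p.tmpl_mode)]
        if any(s.reqid == p.tmpl_reqid for s in same_path):
            continue  # template resolves to an SA: traffic will flow
        where = f"{p.src} -> {p.dst} dir {p.direction}"
        if same_path:
            seen = ", ".join(f"spi {s.spi} reqid {s.reqid}" for s in same_path)
            problems.append(f"{where}: template reqid {p.tmpl_reqid} but SA has {seen}")
        else:
            problems.append(f"{where}: no SA for {p.tmpl_src} -> {p.tmpl_dst}")
    return problems


if __name__ == "__main__":
    sas = parse_xfrm_state(STATE_DUMP)
    for name, dump in (("reqid 1", POLICY_DUMP_REQID1), ("reqid 2", POLICY_DUMP_REQID2)):
        print(f"policies with {name}:",
              find_reqid_mismatches(parse_xfrm_policy(dump), sas) or ["OK"])
```

On a live host, feed it the output of `ip xfrm policy` and `ip xfrm state` instead of the embedded dumps; an empty result means every template has a matching SA.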

-----Original Message-----
From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, May 19, 2010 11:27 AM
To: Ayyash, Mohammad (NSN - FI/Espoo)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] configuring charon with installpolicy=no

Hi,
there is currently no way for charon to control the priorities.
I don't know why the inbound ESP packet does not trigger the
IPsec policy. The commands

   ip -s xfrm policy|state

give more information

Regards

Andreas

On 05/17/2010 09:43 AM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> hi,
>
> it "almost" worked.  The problem is now that ping gets no reply whatsoever... I
> wonder why.
>
> But can you please let me know if there is even a better way to
> control policy priorities if I let charon insert them? apparently, it is
> better to let charon do that
>
> Here is a complete example about how the ping doesn't get any reply,
> two hosts logs:
> ================= Host1 ============================
> ipsec.conf
> config setup
>          charonstart=yes
>          plutostart=no
>          charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
> conn %default
>          keyexchange=ikev2
>          auto=route
>          installpolicy=no
>          reauth=no
> ca strongswan
>          cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
> conn CONFIG
>          rekeymargin=2880
>          rekeyfuzz=100%
>          left=20.0.0.1
>          right=40.0.0.1
>          leftsubnet=10.0.0.0/24
>          rightsubnet=30.0.0.0/24
>          leftprotoport=%any
>          rightprotoport=%any
>          authby=secret
>          leftid=20.0.0.1
>          rightid=40.0.0.1
>          ike=aes128-md5-modp1536
>          esp=aes128-sha1
>          type=tunnel
>          ikelifetime=28800s
>          keylife=28800s
>
>
> $ ip xfrm policy flush
> $ ip xfrm policy add dir in  src 30.0.0.0/24 dst 10.0.0.0/24 proto any
> priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel
> reqid 1 level required
> $ ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any
> priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel
> reqid 1 level required
> $ ip xfrm policy
> src 30.0.0.0/24 dst 10.0.0.0/24
>          dir in priority 1000
>          tmpl src 40.0.0.1 dst 20.0.0.1
>                  proto esp reqid 1 mode tunnel
> src 10.0.0.0/24 dst 30.0.0.0/24
>          dir out priority 1000
>          tmpl src 20.0.0.1 dst 40.0.0.1
>                  proto esp reqid 1 mode tunnel
>
>
>
> $ starter --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth0
> 00[KNL]     20.0.0.1
> 00[KNL]     fe80::209:6bff:fe58:6492
> 00[KNL]   eth1
> 00[KNL]     192.168.0.250
> 00[KNL]     10.0.0.1
> 00[KNL]     fe80::209:6bff:fe58:6493
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for 20.0.0.1 40.0.0.1
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
> 00[JOB] spawning 16 worker threads
> charon (19425) started after 140 ms
> 01[JOB] started worker thread, ID: 1
> 01[JOB] no events, waiting
> 07[JOB] started worker thread, ID: 7
> 08[JOB] started worker thread, ID: 8
> 06[JOB] started worker thread, ID: 6
> 09[JOB] started worker thread, ID: 9
> 09[NET] waiting for data on raw sockets
> 05[JOB] started worker thread, ID: 5
> 05[CFG] received stroke: add connection 'CONFIG'
> 05[CFG] conn CONFIG
> 05[CFG]   left=20.0.0.1
> 05[CFG]   leftsubnet=10.0.0.0/24
> 05[CFG]   leftsourceip=(null)
> 05[CFG]   leftauth=(null)
> 05[CFG]   leftauth2=(null)
> 05[CFG]   leftid=20.0.0.1
> 05[CFG]   leftid2=(null)
> 05[CFG]   leftcert=(null)
> 05[CFG]   leftcert2=(null)
> 05[CFG]   leftca=(null)
> 05[CFG]   leftca2=(null)
> 05[CFG]   leftgroups=(null)
> 05[CFG]   leftupdown=(null)
> 05[CFG]   right=40.0.0.1
> 05[CFG]   rightsubnet=30.0.0.0/24
> 05[CFG]   rightsourceip=(null)
> 05[CFG]   rightauth=(null)
> 05[CFG]   rightauth2=(null)
> 05[CFG]   rightid=40.0.0.1
> 05[CFG]   rightid2=(null)
> 05[CFG]   rightcert=(null)
> 05[CFG]   rightcert2=(null)
> 05[CFG]   rightca=(null)
> 05[CFG]   rightca2=(null)
> 05[CFG]   rightgroups=(null)
> 05[CFG]   rightupdown=(null)
> 05[CFG]   eap_identity=(null)
> 05[CFG]   ike=aes128-md5-modp1536
> 05[CFG]   esp=aes128-sha1
> 05[CFG]   mediation=no
> 05[CFG]   mediated_by=(null)
> 05[CFG]   me_peerid=(null)
> 14[JOB] started worker thread, ID: 14
> 15[JOB] started worker thread, ID: 15
> 16[JOB] started worker thread, ID: 16
> 02[JOB] started worker thread, ID: 2
> 10[JOB] started worker thread, ID: 10
> 11[JOB] started worker thread, ID: 11
> 12[JOB] started worker thread, ID: 12
> 04[JOB] started worker thread, ID: 4
> 03[JOB] started worker thread, ID: 3
> 13[JOB] started worker thread, ID: 13
> 05[KNL] getting interface name for 40.0.0.1
> 05[KNL] 40.0.0.1 is not a local address
> 05[KNL] getting interface name for 20.0.0.1
> 05[KNL] 20.0.0.1 is on interface eth0
> 05[CFG] added configuration 'CONFIG'
> 14[CFG] received stroke: route 'CONFIG'
> 14[CFG] proposing traffic selectors for us:
> 14[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
> 14[CFG] proposing traffic selectors for other:
> 14[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
> configuration 'CONFIG' routed
> 09[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 09[NET] waiting for data on raw sockets
> 02[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 02[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
> 02[CFG]   candidate: 20.0.0.1...40.0.0.1, prio 12
> 02[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
> 02[IKE] 40.0.0.1 is initiating an IKE_SA
> 02[IKE] IKE_SA (unnamed)[1] state change: CREATED =>  CONNECTING
> 02[CFG] selecting proposal:
> 02[CFG]   proposal matches
> 02[CFG] received proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
> 6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
> AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
> 84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 02[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
> 6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
> AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
> 84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 02[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 01[JOB] next event in 29s 999ms, waiting
> 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 02[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 06[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 09[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 09[NET] waiting for data on raw sockets
> 10[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 10[CFG] looking for peer configs matching
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 10[CFG]   candidate "CONFIG", match: 20/20/12 (me/other/ike)
> 10[CFG] selected peer config 'CONFIG'
> 10[IKE] authentication of '40.0.0.1' with pre-shared key successful
> 10[IKE] peer supports MOBIKE
> 10[IKE] got additional MOBIKE peer address: 30.0.0.1
> 10[IKE] got additional MOBIKE peer address:
> 2001:490:ff0:c2c7:202:55ff:fe54:aad9
> 10[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
> 10[IKE] successfully created shared key MAC
> 10[IKE] IKE_SA CONFIG[1] established between
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 10[IKE] IKE_SA CONFIG[1] state change: CONNECTING =>  ESTABLISHED
> 10[IKE] scheduling rekeying in 25116s
> 01[JOB] next event in 29s 280ms, waiting
> 10[IKE] maximum IKE_SA lifetime 27996s
> 01[JOB] next event in 29s 231ms, waiting
> 10[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 ===
> 30.0.0.1/32[icmp/8] 30.0.0.0/24
> 10[CFG] proposing traffic selectors for us:
> 10[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
> 10[CFG] proposing traffic selectors for other:
> 10[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
> 10[CFG]   candidate "CONFIG" with prio 7+7
> 10[CFG] found matching child config "CONFIG" with prio 14
> 10[CFG] selecting proposal:
> 10[CFG]   proposal matches
> 10[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
> HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
> HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 10[KNL] getting SPI for reqid {2}
> 10[KNL] got SPI cc92e3ae for reqid {2}
> 10[CFG] selecting traffic selectors for us:
> 10[CFG]  config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] =>  match:
> 10.0.0.1/32[icmp]
> 10[CFG]  config: 10.0.0.0/24, received: 10.0.0.0/24 =>  match:
> 10.0.0.0/24
> 10[CFG] selecting traffic selectors for other:
> 10[CFG]  config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] =>  match:
> 30.0.0.1/32[icmp/8]
> 10[CFG]  config: 30.0.0.0/24, received: 30.0.0.0/24 =>  match:
> 30.0.0.0/24
> 10[KNL] adding SAD entry with SPI cc92e3ae and reqid {2}
> 10[KNL]   using encryption algorithm AES_CBC with key size 128
> 10[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] adding SAD entry with SPI cbd8e62e and reqid {2}
> 10[KNL]   using encryption algorithm AES_CBC with key size 128
> 10[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[IKE] CHILD_SA CONFIG{2} established with SPIs cc92e3ae_i cbd8e62e_o
> and TS 10.0.0.0/24 === 30.0.0.0/24
> 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 10[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 06[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 01[JOB] next event in 1ms, waiting
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 25086s 718ms, waiting
>
>
>
> $ ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
>          proto esp spi 0xcc92e3ae reqid 2 mode tunnel
>          replay-window 32 flag 20
>          auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
>          enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
> src 20.0.0.1 dst 40.0.0.1
>          proto esp spi 0xcbd8e62e reqid 2 mode tunnel
>          replay-window 32 flag 20
>          auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
>          enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>
>
> $ tcpdump -i eth0 port 500 or port 4500 or ip proto 51 or ip proto 50
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:24:47.623723 IP 40.0.0.1.isakmp>  20.0.0.1.isakmp: isakmp: parent_sa
> ikev2_init[I]
> 10:24:47.809724 IP 20.0.0.1.isakmp>  40.0.0.1.isakmp: isakmp: parent_sa
> ikev2_init[]
> 10:24:48.261709 IP 40.0.0.1.ipsec-nat-t>  20.0.0.1.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 10:24:49.160183 IP 20.0.0.1.ipsec-nat-t>  40.0.0.1.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[]
> 10:24:49.468469 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1),
> length 132
> 10:24:50.468321 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2),
> length 132
> 10:24:51.467906 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3),
> length 132
> 10:24:52.467547 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4),
> length 132
> 10:24:53.468205 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5),
> length 132
>
>
> ================== HOST 2 ===========================
> ipsec.conf:
> config setup
>          charonstart=yes
>          plutostart=no
>          charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
> conn %default
>          keyexchange=ikev2
>          auto=route
>          installpolicy=no
>          reauth=no
> ca strongswan
>          cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
> conn CONFIG
>          rekeymargin=2880
>          rekeyfuzz=100%
>          left=40.0.0.1
>          right=20.0.0.1
>          leftsubnet=30.0.0.0/24
>          rightsubnet=10.0.0.0/24
>          leftprotoport=%any
>          rightprotoport=%any
>          authby=secret
>          leftid=40.0.0.1
>          rightid=20.0.0.1
>          ike=aes128-md5-modp1536
>          esp=aes128-sha1
>          type=tunnel
>          ikelifetime=28800s
>          keylife=28800s
>
>
> $ ip xfrm policy flush
> $ ip xfrm policy add dir out src 30.0.0.0/24 dst 10.0.0.0/24 proto any
> priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel
> reqid 1 level required
> $ ip xfrm policy add dir in  src 10.0.0.0/24 dst 30.0.0.0/24 proto any
> priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel
> reqid 1 level required
> $ ip xfrm policy
> src 10.0.0.0/24 dst 30.0.0.0/24
>          dir in priority 1000
>          tmpl src 20.0.0.1 dst 40.0.0.1
>                  proto esp reqid 1 mode tunnel
> src 30.0.0.0/24 dst 10.0.0.0/24
>          dir out priority 1000
>          tmpl src 40.0.0.1 dst 20.0.0.1
>                  proto esp reqid 1 mode tunnel
>
>
> $ starter --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth1
> 00[KNL]   eth2
> 00[KNL]     40.0.0.1
> 00[KNL]     2001:490:ff0:c2c7:202:55ff:fe54:aad9
> 00[KNL]     fe80::202:55ff:fe54:aad9
> 00[KNL]   eth3
> 00[KNL]     30.0.0.1
> 00[KNL]     fe80::202:55ff:fe54:aada
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for 40.0.0.1 20.0.0.1
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
> 00[JOB] spawning 16 worker threads
> charon (16019) started after 140 ms
> 01[JOB] started worker thread, ID: 1
> 01[JOB] no events, waiting
> 03[JOB] started worker thread, ID: 3
> 04[JOB] started worker thread, ID: 4
> 05[JOB] started worker thread, ID: 5
> 06[JOB] started worker thread, ID: 6
> 06[NET] waiting for data on raw sockets
> 08[JOB] started worker thread, ID: 8
> 08[CFG] received stroke: add connection 'CONFIG'
> 08[CFG] conn CONFIG
> 08[CFG]   left=40.0.0.1
> 08[CFG]   leftsubnet=30.0.0.0/24
> 08[CFG]   leftsourceip=(null)
> 08[CFG]   leftauth=(null)
> 08[CFG]   leftauth2=(null)
> 08[CFG]   leftid=40.0.0.1
> 02[JOB] started worker thread, ID: 2
> 07[JOB] started worker thread, ID: 7
> 09[JOB] started worker thread, ID: 9
> 10[JOB] started worker thread, ID: 10
> 11[JOB] started worker thread, ID: 11
> 12[JOB] started worker thread, ID: 12
> 13[JOB] started worker thread, ID: 13
> 14[JOB] started worker thread, ID: 14
> 15[JOB] started worker thread, ID: 15
> 16[JOB] started worker thread, ID: 16
> 08[CFG]   leftid2=(null)
> 08[CFG]   leftcert=(null)
> 08[CFG]   leftcert2=(null)
> 08[CFG]   leftca=(null)
> 08[CFG]   leftca2=(null)
> 08[CFG]   leftgroups=(null)
> 08[CFG]   leftupdown=(null)
> 08[CFG]   right=20.0.0.1
> 08[CFG]   rightsubnet=10.0.0.0/24
> 08[CFG]   rightsourceip=(null)
> 08[CFG]   rightauth=(null)
> 08[CFG]   rightauth2=(null)
> 08[CFG]   rightid=20.0.0.1
> 08[CFG]   rightid2=(null)
> 08[CFG]   rightcert=(null)
> 08[CFG]   rightcert2=(null)
> 08[CFG]   rightca=(null)
> 08[CFG]   rightca2=(null)
> 08[CFG]   rightgroups=(null)
> 08[CFG]   rightupdown=(null)
> 08[CFG]   eap_identity=(null)
> 08[CFG]   ike=aes128-md5-modp1536
> 08[CFG]   esp=aes128-sha1
> 08[CFG]   mediation=no
> 08[CFG]   mediated_by=(null)
> 08[CFG]   me_peerid=(null)
> 08[KNL] getting interface name for 20.0.0.1
> 08[KNL] 20.0.0.1 is not a local address
> 08[KNL] getting interface name for 40.0.0.1
> 08[KNL] 40.0.0.1 is on interface eth2
> 08[CFG] added configuration 'CONFIG'
> 02[CFG] received stroke: route 'CONFIG'
> 02[CFG] proposing traffic selectors for us:
> 02[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
> 02[CFG] proposing traffic selectors for other:
> 02[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
> configuration 'CONFIG' routed
> 03[KNL] received a XFRM_MSG_ACQUIRE
> 03[KNL]   XFRMA_TMPL
> 03[KNL] creating acquire job for policy 30.0.0.1/32[icmp/8] ===
> 10.0.0.1/32[icmp] with reqid {1}
> 10[IKE] queueing IKE_INIT task
> 10[IKE] queueing IKE_VENDOR task
> 10[IKE] queueing IKE_NATD task
> 10[IKE] queueing IKE_CERT_PRE task
> 10[IKE] queueing IKE_AUTHENTICATE task
> 10[IKE] queueing IKE_CERT_POST task
> 10[IKE] queueing IKE_CONFIG task
> 10[IKE] queueing IKE_AUTH_LIFETIME task
> 10[IKE] queueing IKE_MOBIKE task
> 10[IKE] queueing CHILD_CREATE task
> 10[IKE] activating new tasks
> 10[IKE]   activating IKE_INIT task
> 10[IKE]   activating IKE_VENDOR task
> 10[IKE]   activating IKE_NATD task
> 10[IKE]   activating IKE_CERT_PRE task
> 10[IKE]   activating IKE_AUTHENTICATE task
> 10[IKE]   activating IKE_CERT_POST task
> 10[IKE]   activating IKE_CONFIG task
> 10[IKE]   activating CHILD_CREATE task
> 10[IKE]   activating IKE_AUTH_LIFETIME task
> 10[IKE]   activating IKE_MOBIKE task
> 10[IKE] initiating IKE_SA CONFIG[1] to 20.0.0.1
> 10[IKE] IKE_SA CONFIG[1] state change: CREATED =>  CONNECTING
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 10[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 05[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 01[JOB] next event in 3s 999ms, waiting
> 06[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 06[NET] waiting for data on raw sockets
> 11[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 11[CFG] selecting proposal:
> 11[CFG]   proposal matches
> 11[CFG] received proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 11[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
> 6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
> AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
> 84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 11[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 11[IKE] reinitiating already active tasks
> 11[IKE]   IKE_CERT_PRE task
> 11[IKE]   IKE_AUTHENTICATE task
> 11[IKE] authentication of '40.0.0.1' (myself) with pre-shared key
> 11[IKE] successfully created shared key MAC
> 11[IKE] establishing CHILD_SA CONFIG{1}
> 11[CFG] proposing traffic selectors for us:
> 11[CFG]  30.0.0.0/24 (derived from 30.0.0.0/24)
> 11[CFG] proposing traffic selectors for other:
> 11[CFG]  10.0.0.0/24 (derived from 10.0.0.0/24)
> 11[KNL] getting SPI for reqid {1}
> 11[KNL] got SPI cbd8e62e for reqid {1}
> 11[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 11[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 05[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 01[JOB] next event in 3s 378ms, waiting
> 06[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 06[NET] waiting for data on raw sockets
> 12[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 12[IKE] authentication of '20.0.0.1' with pre-shared key successful
> 12[IKE] IKE_SA CONFIG[1] established between
> 40.0.0.1[40.0.0.1]...20.0.0.1[20.0.0.1]
> 12[IKE] IKE_SA CONFIG[1] state change: CONNECTING =>  ESTABLISHED
> 01[JOB] next event in 2s 465ms, waiting
> 12[IKE] scheduling rekeying in 24709s
> 01[JOB] next event in 2s 465ms, waiting
> 12[IKE] maximum IKE_SA lifetime 27589s
> 12[CFG] selecting proposal:
> 12[CFG]   proposal matches
> 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 12[CFG] selecting traffic selectors for us:
> 12[CFG]  config: 30.0.0.0/24, received: 30.0.0.0/24 =>  match:
> 30.0.0.0/24
> 12[CFG] selecting traffic selectors for other:
> 12[CFG]  config: 10.0.0.0/24, received: 10.0.0.0/24 =>  match:
> 10.0.0.0/24
> 12[KNL] adding SAD entry with SPI cbd8e62e and reqid {1}
> 12[KNL]   using encryption algorithm AES_CBC with key size 128
> 12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
> 12[KNL] adding SAD entry with SPI cc92e3ae and reqid {1}
> 12[KNL]   using encryption algorithm AES_CBC with key size 128
> 12[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
> 12[IKE] CHILD_SA CONFIG{1} established with SPIs cbd8e62e_i cc92e3ae_o
> and TS 30.0.0.0/24 === 10.0.0.0/24
> 12[IKE] peer supports MOBIKE
> 12[IKE] got additional MOBIKE peer address: 192.168.0.250
> 12[IKE] got additional MOBIKE peer address: 10.0.0.1
> 12[IKE] activating new tasks
> 12[IKE] nothing to initiate
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 619ms, waiting
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 24705s 911ms, waiting
>
>
>
> $ ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
>          proto esp spi 0xcc92e3ae reqid 1 mode tunnel
>          replay-window 32 flag 20
>          auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
>          enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
> src 20.0.0.1 dst 40.0.0.1
>          proto esp spi 0xcbd8e62e reqid 1 mode tunnel
>          replay-window 32 flag 20
>          auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
>          enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>
>
> $ tcpdump -i eth2 port 500 or port 4500 or ip proto 51 or ip proto 50
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:18:42.954850 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa ikev2_init[I]
> 10:18:43.143401 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa ikev2_init[]
> 10:18:43.593044 IP 40.0.0.1.ipsec-nat-t>  20.0.0.1.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 10:18:44.492888 IP 20.0.0.1.ipsec-nat-t>  40.0.0.1.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[]
> 10:18:44.801023 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1),
> length 132
> 10:18:45.800963 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2),
> length 132
> 10:18:46.800639 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3),
> length 132
> 10:18:47.800361 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4),
> length 132
> 10:18:48.800041 IP 40.0.0.1>  20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5),
> length 132

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
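The failure discussed in this thread is a policy template whose reqid does not match the reqid of the installed SAs (policy says reqid 1, `ip xfrm state` shows reqid 2), so the kernel finds no usable SA for the policy and the ping dies. As an added diagnostic (my code, not from the thread or from strongSwan), the script below parses `ip xfrm state` and `ip xfrm policy` output and reports every template whose reqid has no matching SA; the two sample dumps are constructed from the values quoted in the thread.

```python
import re

# Constructed sample dumps modelled on the thread: SAs carry reqid 2,
# the manually installed policies still reference reqid 1.
XFRM_STATE = """\
src 40.0.0.1 dst 20.0.0.1
        proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
src 20.0.0.1 dst 40.0.0.1
        proto esp spi 0xc6c531f3 reqid 2 mode tunnel
"""
XFRM_POLICY = """\
src 30.0.0.0/24 dst 10.0.0.0/24
        dir in priority 1000
        tmpl src 40.0.0.1 dst 20.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
        dir out priority 1000
        tmpl src 20.0.0.1 dst 40.0.0.1
                proto esp reqid 1 mode tunnel
"""

def parse_states(text):
    """Return a set of (src, dst, reqid) tuples, one per ESP SA."""
    sas, cur = set(), None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)$", line)   # unindented SA header
        if m:
            cur = m.groups()
            continue
        m = re.search(r"proto esp .*reqid (\d+)", line)
        if m and cur:
            sas.add((cur[0], cur[1], int(m.group(1))))
    return sas

def parse_policy_templates(text):
    """Return (selector, dir, tmpl_src, tmpl_dst, reqid) per policy template."""
    out, sel, direction, tmpl = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if (m := re.match(r"src (\S+) dst (\S+)$", s)) and not line[:1].isspace():
            sel = f"{m.group(1)} -> {m.group(2)}"       # policy selector line
        elif m := re.match(r"dir (\w+)", s):
            direction = m.group(1)
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", s):
            tmpl = m.groups()
        elif (m := re.match(r"proto esp reqid (\d+)", s)) and tmpl:
            out.append((sel, direction, tmpl[0], tmpl[1], int(m.group(1))))
    return out

def find_reqid_mismatches(state_text, policy_text):
    """List templates with no SA of the same endpoints AND reqid; the last
    field shows which reqids the SAs for those endpoints actually carry."""
    sas = parse_states(state_text)
    problems = []
    for sel, direction, tsrc, tdst, reqid in parse_policy_templates(policy_text):
        if (tsrc, tdst, reqid) not in sas:
            have = sorted(r for s, d, r in sas if (s, d) == (tsrc, tdst))
            problems.append((sel, direction, reqid, have))
    return problems

if __name__ == "__main__":
    for sel, direction, reqid, have in find_reqid_mismatches(XFRM_STATE, XFRM_POLICY):
        print(f"{sel} dir {direction}: policy reqid {reqid}, SAs have reqid {have}")
```

On a live box, feed it the real output of `ip xfrm state` and `ip xfrm policy` instead of the constructed strings; an empty result means every template can be satisfied by an installed SA.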