[strongSwan] configuring charon with installpolicy=no
Ayyash, Mohammad (NSN - FI/Espoo)
mohammad.ayyash at nsn.com
Wed May 19 10:40:23 CEST 2010
By the way, when I set the reqid to 2 on the receiving end, it works...
but is this really the way to go?! This is a very simple setup, but
there will be cases with hundreds of VPNs to be established...
I still can't understand what the use of reqid is. Why does charon
generate a new one? Why do I have to manually configure one (it looks
like reqid is very similar to SPI)?
Here is what you requested (putting reqid back to 1 as previously sent):
# ip xfrm state
src 40.0.0.1 dst 20.0.0.1
proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x5b43d15de8b3997f346f8ff2b9b297c83b60104a
enc cbc(aes) 0x9c850aad09dddc25be6153ac8393029e
src 20.0.0.1 dst 40.0.0.1
proto esp spi 0xc6c531f3 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0xdc2c4677b0c85f5842b059a86dcc5f44dc00bd78
enc cbc(aes) 0x97b79d26f2fe533d92395e0c22a7a17b
# ip xfrm policy
src 30.0.0.0/24 dst 10.0.0.0/24
dir in priority 1000
tmpl src 40.0.0.1 dst 20.0.0.1
proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
dir out priority 1000
tmpl src 20.0.0.1 dst 40.0.0.1
proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
dir fwd priority 1000
tmpl src 40.0.0.1 dst 20.0.0.1
proto esp reqid 1 mode tunnel
Note how the reqid is different.
Here is the same example, only this time I set reqid to 2 on the inbound
side, and ping goes just fine:
# ip xfrm state
src 40.0.0.1 dst 20.0.0.1
proto esp spi 0xcc7636fb reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x51a764daac8beac9e61b3524c906894547b1fb37
enc cbc(aes) 0x229fdbf97ec3e2d88e41270367f02c7b
src 20.0.0.1 dst 40.0.0.1
proto esp spi 0xcb7751d6 reqid 2 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x0e629068e2575e017ea0592bb09cc728d60946ce
enc cbc(aes) 0xf1d152284d2ba5aa2f0ae0fada9162c3
# ip xfrm policy
src 30.0.0.0/24 dst 10.0.0.0/24
dir in priority 1000
tmpl src 40.0.0.1 dst 20.0.0.1
proto esp reqid 2 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
dir out priority 1000
tmpl src 20.0.0.1 dst 40.0.0.1
proto esp reqid 2 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
dir fwd priority 1000
tmpl src 40.0.0.1 dst 20.0.0.1
proto esp reqid 2 mode tunnel
Here are the inbound side logs:
starter --nofork
Starting strongSwan 4.3.6 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[KNL] listening on interfaces:
00[KNL] eth0
00[KNL] 20.0.0.1
00[KNL] fe80::209:6bff:fe58:6492
00[KNL] eth1
00[KNL] 192.168.0.250
00[KNL] 10.0.0.1
00[KNL] 10.0.0.2
00[KNL] fe80::209:6bff:fe58:6493
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
00[JOB] spawning 16 worker threads
charon (25963) started after 160 ms
01[JOB] started worker thread, ID: 1
01[JOB] no events, waiting
03[JOB] started worker thread, ID: 3
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
06[JOB] started worker thread, ID: 6
06[NET] waiting for data on raw sockets
08[JOB] started worker thread, ID: 8
08[CFG] received stroke: add connection 'CONFIG'
08[CFG] conn CONFIG
08[CFG] left=20.0.0.1
08[CFG] leftsubnet=10.0.0.0/24
08[CFG] leftsourceip=(null)
08[CFG] leftauth=(null)
08[CFG] leftauth2=(null)
08[CFG] leftid=20.0.0.1
02[JOB] started worker thread, ID: 2
07[JOB] started worker thread, ID: 7
09[JOB] started worker thread, ID: 9
10[JOB] started worker thread, ID: 10
11[JOB] started worker thread, ID: 11
12[JOB] started worker thread, ID: 12
13[JOB] started worker thread, ID: 13
14[JOB] started worker thread, ID: 14
15[JOB] started worker thread, ID: 15
16[JOB] started worker thread, ID: 16
08[CFG] leftid2=(null)
08[CFG] leftcert=(null)
08[CFG] leftcert2=(null)
08[CFG] leftca=(null)
08[CFG] leftca2=(null)
08[CFG] leftgroups=(null)
08[CFG] leftupdown=(null)
08[CFG] right=40.0.0.1
08[CFG] rightsubnet=30.0.0.0/24
08[CFG] rightsourceip=(null)
08[CFG] rightauth=(null)
08[CFG] rightauth2=(null)
08[CFG] rightid=40.0.0.1
08[CFG] rightid2=(null)
08[CFG] rightcert=(null)
08[CFG] rightcert2=(null)
08[CFG] rightca=(null)
08[CFG] rightca2=(null)
08[CFG] rightgroups=(null)
08[CFG] rightupdown=(null)
08[CFG] eap_identity=(null)
08[CFG] ike=aes128-md5-modp1536
08[CFG] esp=aes128-sha1
08[CFG] mediation=no
08[CFG] mediated_by=(null)
08[CFG] me_peerid=(null)
08[KNL] getting interface name for 40.0.0.1
08[KNL] 40.0.0.1 is not a local address
08[KNL] getting interface name for 20.0.0.1
08[KNL] 20.0.0.1 is on interface eth0
08[CFG] added configuration 'CONFIG'
02[CFG] received stroke: route 'CONFIG'
02[CFG] proposing traffic selectors for us:
02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
02[CFG] proposing traffic selectors for other:
02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
configuration 'CONFIG' routed
06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
06[NET] waiting for data on raw sockets
10[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
10[CFG] candidate: 20.0.0.1...40.0.0.1, prio 12
10[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
01[JOB] next event in 29s 999ms, waiting
10[IKE] 40.0.0.1 is initiating an IKE_SA
10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
10[CFG] selecting proposal:
10[CFG] proposal matches
10[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
10[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
06[NET] waiting for data on raw sockets
11[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
11[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
11[CFG] looking for peer configs matching 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
11[CFG] candidate "CONFIG", match: 20/20/12 (me/other/ike)
11[CFG] selected peer config 'CONFIG'
11[IKE] authentication of '40.0.0.1' with pre-shared key successful
11[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
11[IKE] successfully created shared key MAC
11[IKE] IKE_SA CONFIG[1] established between 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
11[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
11[IKE] scheduling reauthentication in 23738s
01[JOB] next event in 29s 440ms, waiting
11[IKE] maximum IKE_SA lifetime 26618s
01[JOB] next event in 29s 405ms, waiting
11[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 === 30.0.0.1/32[icmp/8] 30.0.0.0/24
11[CFG] proposing traffic selectors for us:
11[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
11[CFG] proposing traffic selectors for other:
11[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
11[CFG] candidate "CONFIG" with prio 7+7
11[CFG] found matching child config "CONFIG" with prio 14
11[CFG] selecting proposal:
11[CFG] proposal matches
11[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
11[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
11[KNL] getting SPI for reqid {2}
11[KNL] got SPI cc7636fb for reqid {2}
11[CFG] selecting traffic selectors for us:
11[CFG] config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match: 10.0.0.1/32[icmp]
11[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match: 10.0.0.0/24
11[CFG] selecting traffic selectors for other:
11[CFG] config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match: 30.0.0.1/32[icmp/8]
11[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match: 30.0.0.0/24
11[KNL] adding SAD entry with SPI cc7636fb and reqid {2}
11[KNL] using encryption algorithm AES_CBC with key size 128
11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
11[KNL] adding SAD entry with SPI cb7751d6 and reqid {2}
11[KNL] using encryption algorithm AES_CBC with key size 128
11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
11[IKE] CHILD_SA CONFIG{2} established with SPIs cc7636fb_i cb7751d6_o and TS 10.0.0.0/24 === 30.0.0.0/24
11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
11[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
01[JOB] next event in 1ms, waiting
01[JOB] got event, queuing job for execution
01[JOB] next event in 23708s 557ms, waiting
And tcpdump:
11:33:11.814685 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa ikev2_init[I]
11:33:12.001573 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa ikev2_init[]
11:33:12.350975 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: child_sa ikev2_auth[I]
11:33:13.159219 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: child_sa ikev2_auth[]
11:33:13.441764 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x1), length 132
11:33:13.442012 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x1), length 132
11:33:13.443979 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x2), length 132
11:33:13.444043 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x2), length 132
11:33:14.443399 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x3), length 132
11:33:14.443468 IP 20.0.0.1 > 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x3), length 132
Thanks a lot
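The failing and working listings above differ only in the reqid of the hand-installed policy templates, so the check worth automating is a comparison of `ip xfrm policy` templates against `ip xfrm state` SAs by reqid. The script below is an added example, written for this page and not code from the thread or from strongSwan. It parses the two listings exactly as `ip xfrm` prints them, using the first (failing) `ip xfrm state` and `ip xfrm policy` output from this message as sample input, and a second run with the same policies re-added with reqid 2 as in the working attempt. The kernel lets an inbound or forwarded ESP packet satisfy a policy template only when the template's reqid is 0 or equal to the SA's reqid, and looks up the outbound SA by exact reqid, which is why ping only works once policy and SA reqids agree.

```python
# Added example (not from the thread or strongSwan): cross-check xfrm policy templates against SAs by reqid.
import re
from collections import defaultdict

# Sample input copied from the thread's first `ip xfrm state` listing (SAs charon installed with reqid 2).
STATE_OUTPUT = """\
src 40.0.0.1 dst 20.0.0.1
    proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0x5b43d15de8b3997f346f8ff2b9b297c83b60104a
    enc cbc(aes) 0x9c850aad09dddc25be6153ac8393029e
src 20.0.0.1 dst 40.0.0.1
    proto esp spi 0xc6c531f3 reqid 2 mode tunnel
    replay-window 32 flag 20
    auth hmac(sha1) 0xdc2c4677b0c85f5842b059a86dcc5f44dc00bd78
    enc cbc(aes) 0x97b79d26f2fe533d92395e0c22a7a17b
"""

# Hand-installed policies with reqid 1, copied from the thread's failing `ip xfrm policy` listing.
POLICY_REQID1 = """\
src 30.0.0.0/24 dst 10.0.0.0/24
    dir in priority 1000
    tmpl src 40.0.0.1 dst 20.0.0.1
        proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
    dir out priority 1000
    tmpl src 20.0.0.1 dst 40.0.0.1
        proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
    dir fwd priority 1000
    tmpl src 40.0.0.1 dst 20.0.0.1
        proto esp reqid 1 mode tunnel
"""
# The same policies re-added with reqid 2, the working case from the thread.
POLICY_REQID2 = POLICY_REQID1.replace("reqid 1", "reqid 2")

_SRC_DST = re.compile(r"^src (\S+) dst (\S+)")
_SA_ID = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+)(?: reqid (\d+))? mode (\S+)")
_POL_DIR = re.compile(r"^dir (\S+) priority (\d+)")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
_TMPL_ID = re.compile(r"^proto (\S+)(?: reqid (\d+))? mode (\S+)")


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into SA dicts (src, dst, proto, spi, reqid, mode)."""
    sas, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _SRC_DST.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        m = _SA_ID.match(line)
        if m and cur is not None:  # iproute2 omits "reqid" when it is 0
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3) or 0), mode=m.group(4))
    return sas


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into policy dicts, each with its template list."""
    policies, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = _SRC_DST.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "tmpls": []}
            policies.append(cur)
        elif cur is None:
            continue
        elif (m := _POL_DIR.match(line)):
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif (m := _TMPL.match(line)):
            cur["tmpls"].append({"src": m.group(1), "dst": m.group(2)})
        elif (m := _TMPL_ID.match(line)) and cur["tmpls"]:
            cur["tmpls"][-1].update(proto=m.group(1), reqid=int(m.group(2) or 0),
                                    mode=m.group(3))
    return policies


def find_unmatched_templates(policies, sas):
    """Return (dir, src, dst, template reqid, SA reqids present) for each template no SA satisfies.
    For in/fwd policies the kernel treats a template reqid of 0 as a wildcard; otherwise the
    SA's reqid must equal the template's, so a mismatch means matching packets are dropped."""
    reqids = defaultdict(set)
    for sa in sas:
        reqids[(sa["src"], sa["dst"], sa["proto"], sa["mode"])].add(sa["reqid"])
    problems = []
    for pol in policies:
        for t in pol["tmpls"]:
            have = reqids.get((t["src"], t["dst"], t["proto"], t["mode"]), set())
            wildcard = t["reqid"] == 0 and pol["dir"] in ("in", "fwd")
            if not have or (t["reqid"] not in have and not wildcard):
                problems.append((pol["dir"], pol["src"], pol["dst"], t["reqid"], sorted(have)))
    return problems


if __name__ == "__main__":
    sas = parse_xfrm_state(STATE_OUTPUT)
    for label, text in (("reqid 1", POLICY_REQID1), ("reqid 2", POLICY_REQID2)):
        bad = find_unmatched_templates(parse_xfrm_policy(text), sas)
        print(f"policies with {label}: {len(bad)} template(s) without a matching SA")
        for d, s, dst, r, have in bad:
            print(f"  dir {d} {s} -> {dst}: template reqid {r}, SA reqids present {have}")
```

Fed with live `ip xfrm state` and `ip xfrm policy` output, a non-empty result is the first thing to check when ESP packets arrive and are decrypted but the plaintext never reaches the host: the SA exists, the policy exists, and the reqid is the only thing tying them together.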
-----Original Message-----
From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Wednesday, May 19, 2010 11:27 AM
To: Ayyash, Mohammad (NSN - FI/Espoo)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] configuring charon with installpolicy=no
Hi,
there is currently no way for charon to control the priorities.
I don't know why the inbound ESP packet does not trigger the
IPsec policy. The commands
ip -s xfrm policy|state
give more information
Regards
Andreas
On 05/17/2010 09:43 AM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> hi,
>
> It "almost" worked. The problem is now that ping gets no reply whatsoever... I
> wonder why.
>
> But can you please let me know if there is even a better way to control
> policy priorities if I let charon insert them? Apparently, it is better
> to let charon do that.
>
> Here is a complete example of how the ping doesn't get any reply, the
> logs of both hosts:
> ================= Host1 ============================
> ipsec.conf
> config setup
> charonstart=yes
> plutostart=no
> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
> conn %default
> keyexchange=ikev2
> auto=route
> installpolicy=no
> reauth=no
> ca strongswan
> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
> conn CONFIG
> rekeymargin=2880
> rekeyfuzz=100%
> left=20.0.0.1
> right=40.0.0.1
> leftsubnet=10.0.0.0/24
> rightsubnet=30.0.0.0/24
> leftprotoport=%any
> rightprotoport=%any
> authby=secret
> leftid=20.0.0.1
> rightid=40.0.0.1
> ike=aes128-md5-modp1536
> esp=aes128-sha1
> type=tunnel
> ikelifetime=28800s
> keylife=28800s
>
>
> $ ip xfrm policy flush
> $ ip xfrm policy add dir in src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
> $ ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
> $ ip xfrm policy
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir in priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 1 mode tunnel
> src 10.0.0.0/24 dst 30.0.0.0/24
> dir out priority 1000
> tmpl src 20.0.0.1 dst 40.0.0.1
> proto esp reqid 1 mode tunnel
>
>
>
> $ starter --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 20.0.0.1
> 00[KNL] fe80::209:6bff:fe58:6492
> 00[KNL] eth1
> 00[KNL] 192.168.0.250
> 00[KNL] 10.0.0.1
> 00[KNL] fe80::209:6bff:fe58:6493
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
> 00[JOB] spawning 16 worker threads
> charon (19425) started after 140 ms
> 01[JOB] started worker thread, ID: 1
> 01[JOB] no events, waiting
> 07[JOB] started worker thread, ID: 7
> 08[JOB] started worker thread, ID: 8
> 06[JOB] started worker thread, ID: 6
> 09[JOB] started worker thread, ID: 9
> 09[NET] waiting for data on raw sockets
> 05[JOB] started worker thread, ID: 5
> 05[CFG] received stroke: add connection 'CONFIG'
> 05[CFG] conn CONFIG
> 05[CFG] left=20.0.0.1
> 05[CFG] leftsubnet=10.0.0.0/24
> 05[CFG] leftsourceip=(null)
> 05[CFG] leftauth=(null)
> 05[CFG] leftauth2=(null)
> 05[CFG] leftid=20.0.0.1
> 05[CFG] leftid2=(null)
> 05[CFG] leftcert=(null)
> 05[CFG] leftcert2=(null)
> 05[CFG] leftca=(null)
> 05[CFG] leftca2=(null)
> 05[CFG] leftgroups=(null)
> 05[CFG] leftupdown=(null)
> 05[CFG] right=40.0.0.1
> 05[CFG] rightsubnet=30.0.0.0/24
> 05[CFG] rightsourceip=(null)
> 05[CFG] rightauth=(null)
> 05[CFG] rightauth2=(null)
> 05[CFG] rightid=40.0.0.1
> 05[CFG] rightid2=(null)
> 05[CFG] rightcert=(null)
> 05[CFG] rightcert2=(null)
> 05[CFG] rightca=(null)
> 05[CFG] rightca2=(null)
> 05[CFG] rightgroups=(null)
> 05[CFG] rightupdown=(null)
> 05[CFG] eap_identity=(null)
> 05[CFG] ike=aes128-md5-modp1536
> 05[CFG] esp=aes128-sha1
> 05[CFG] mediation=no
> 05[CFG] mediated_by=(null)
> 05[CFG] me_peerid=(null)
> 14[JOB] started worker thread, ID: 14
> 15[JOB] started worker thread, ID: 15
> 16[JOB] started worker thread, ID: 16
> 02[JOB] started worker thread, ID: 2
> 10[JOB] started worker thread, ID: 10
> 11[JOB] started worker thread, ID: 11
> 12[JOB] started worker thread, ID: 12
> 04[JOB] started worker thread, ID: 4
> 03[JOB] started worker thread, ID: 3
> 13[JOB] started worker thread, ID: 13
> 05[KNL] getting interface name for 40.0.0.1
> 05[KNL] 40.0.0.1 is not a local address
> 05[KNL] getting interface name for 20.0.0.1
> 05[KNL] 20.0.0.1 is on interface eth0
> 05[CFG] added configuration 'CONFIG'
> 14[CFG] received stroke: route 'CONFIG'
> 14[CFG] proposing traffic selectors for us:
> 14[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> 14[CFG] proposing traffic selectors for other:
> 14[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> configuration 'CONFIG' routed
> 09[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 09[NET] waiting for data on raw sockets
> 02[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 02[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
> 02[CFG] candidate: 20.0.0.1...40.0.0.1, prio 12
> 02[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
> 02[IKE] 40.0.0.1 is initiating an IKE_SA
> 02[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 02[CFG] selecting proposal:
> 02[CFG] proposal matches
> 02[CFG] received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 02[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 02[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 01[JOB] next event in 29s 999ms, waiting
> 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 02[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 06[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 09[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 09[NET] waiting for data on raw sockets
> 10[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 10[CFG] looking for peer configs matching
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 10[CFG] candidate "CONFIG", match: 20/20/12 (me/other/ike)
> 10[CFG] selected peer config 'CONFIG'
> 10[IKE] authentication of '40.0.0.1' with pre-shared key successful
> 10[IKE] peer supports MOBIKE
> 10[IKE] got additional MOBIKE peer address: 30.0.0.1
> 10[IKE] got additional MOBIKE peer address:
> 2001:490:ff0:c2c7:202:55ff:fe54:aad9
> 10[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
> 10[IKE] successfully created shared key MAC
> 10[IKE] IKE_SA CONFIG[1] established between
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 10[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
> 10[IKE] scheduling rekeying in 25116s
> 01[JOB] next event in 29s 280ms, waiting
> 10[IKE] maximum IKE_SA lifetime 27996s
> 01[JOB] next event in 29s 231ms, waiting
> 10[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 === 30.0.0.1/32[icmp/8] 30.0.0.0/24
> 10[CFG] proposing traffic selectors for us:
> 10[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> 10[CFG] proposing traffic selectors for other:
> 10[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> 10[CFG] candidate "CONFIG" with prio 7+7
> 10[CFG] found matching child config "CONFIG" with prio 14
> 10[CFG] selecting proposal:
> 10[CFG] proposal matches
> 10[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 10[KNL] getting SPI for reqid {2}
> 10[KNL] got SPI cc92e3ae for reqid {2}
> 10[CFG] selecting traffic selectors for us:
> 10[CFG] config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match:
> 10.0.0.1/32[icmp]
> 10[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
> 10.0.0.0/24
> 10[CFG] selecting traffic selectors for other:
> 10[CFG] config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match:
> 30.0.0.1/32[icmp/8]
> 10[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
> 30.0.0.0/24
> 10[KNL] adding SAD entry with SPI cc92e3ae and reqid {2}
> 10[KNL] using encryption algorithm AES_CBC with key size 128
> 10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] adding SAD entry with SPI cbd8e62e and reqid {2}
> 10[KNL] using encryption algorithm AES_CBC with key size 128
> 10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[IKE] CHILD_SA CONFIG{2} established with SPIs cc92e3ae_i cbd8e62e_o
> and TS 10.0.0.0/24 === 30.0.0.0/24
> 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 10[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 06[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 01[JOB] next event in 1ms, waiting
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 25086s 718ms, waiting
>
>
>
> $ ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
> proto esp spi 0xcc92e3ae reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
> enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
> src 20.0.0.1 dst 40.0.0.1
> proto esp spi 0xcbd8e62e reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
> enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>
>
> $ tcpdump -i eth0 port 500 or port 4500 or ip proto 51 or ip proto 50
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:24:47.623723 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa ikev2_init[I]
> 10:24:47.809724 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa ikev2_init[]
> 10:24:48.261709 IP 40.0.0.1.ipsec-nat-t > 20.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 10:24:49.160183 IP 20.0.0.1.ipsec-nat-t > 40.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[]
> 10:24:49.468469 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1), length 132
> 10:24:50.468321 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2), length 132
> 10:24:51.467906 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3), length 132
> 10:24:52.467547 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4), length 132
> 10:24:53.468205 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5), length 132
>
>
> ================== HOST 2 ===========================
> ipsec.conf:
> config setup
> charonstart=yes
> plutostart=no
> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
> conn %default
> keyexchange=ikev2
> auto=route
> installpolicy=no
> reauth=no
> ca strongswan
> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
> conn CONFIG
> rekeymargin=2880
> rekeyfuzz=100%
> left=40.0.0.1
> right=20.0.0.1
> leftsubnet=30.0.0.0/24
> rightsubnet=10.0.0.0/24
> leftprotoport=%any
> rightprotoport=%any
> authby=secret
> leftid=40.0.0.1
> rightid=20.0.0.1
> ike=aes128-md5-modp1536
> esp=aes128-sha1
> type=tunnel
> ikelifetime=28800s
> keylife=28800s
>
>
> $ ip xfrm policy flush
> $ ip xfrm policy add dir out src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
> $ ip xfrm policy add dir in src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
> $ ip xfrm policy
> src 10.0.0.0/24 dst 30.0.0.0/24
> dir in priority 1000
> tmpl src 20.0.0.1 dst 40.0.0.1
> proto esp reqid 1 mode tunnel
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir out priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 1 mode tunnel
>
>
> $ starter --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL] eth1
> 00[KNL] eth2
> 00[KNL] 40.0.0.1
> 00[KNL] 2001:490:ff0:c2c7:202:55ff:fe54:aad9
> 00[KNL] fe80::202:55ff:fe54:aad9
> 00[KNL] eth3
> 00[KNL] 30.0.0.1
> 00[KNL] fe80::202:55ff:fe54:aada
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 40.0.0.1 20.0.0.1
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
> 00[JOB] spawning 16 worker threads
> charon (16019) started after 140 ms
> 01[JOB] started worker thread, ID: 1
> 01[JOB] no events, waiting
> 03[JOB] started worker thread, ID: 3
> 04[JOB] started worker thread, ID: 4
> 05[JOB] started worker thread, ID: 5
> 06[JOB] started worker thread, ID: 6
> 06[NET] waiting for data on raw sockets
> 08[JOB] started worker thread, ID: 8
> 08[CFG] received stroke: add connection 'CONFIG'
> 08[CFG] conn CONFIG
> 08[CFG] left=40.0.0.1
> 08[CFG] leftsubnet=30.0.0.0/24
> 08[CFG] leftsourceip=(null)
> 08[CFG] leftauth=(null)
> 08[CFG] leftauth2=(null)
> 08[CFG] leftid=40.0.0.1
> 02[JOB] started worker thread, ID: 2
> 07[JOB] started worker thread, ID: 7
> 09[JOB] started worker thread, ID: 9
> 10[JOB] started worker thread, ID: 10
> 11[JOB] started worker thread, ID: 11
> 12[JOB] started worker thread, ID: 12
> 13[JOB] started worker thread, ID: 13
> 14[JOB] started worker thread, ID: 14
> 15[JOB] started worker thread, ID: 15
> 16[JOB] started worker thread, ID: 16
> 08[CFG] leftid2=(null)
> 08[CFG] leftcert=(null)
> 08[CFG] leftcert2=(null)
> 08[CFG] leftca=(null)
> 08[CFG] leftca2=(null)
> 08[CFG] leftgroups=(null)
> 08[CFG] leftupdown=(null)
> 08[CFG] right=20.0.0.1
> 08[CFG] rightsubnet=10.0.0.0/24
> 08[CFG] rightsourceip=(null)
> 08[CFG] rightauth=(null)
> 08[CFG] rightauth2=(null)
> 08[CFG] rightid=20.0.0.1
> 08[CFG] rightid2=(null)
> 08[CFG] rightcert=(null)
> 08[CFG] rightcert2=(null)
> 08[CFG] rightca=(null)
> 08[CFG] rightca2=(null)
> 08[CFG] rightgroups=(null)
> 08[CFG] rightupdown=(null)
> 08[CFG] eap_identity=(null)
> 08[CFG] ike=aes128-md5-modp1536
> 08[CFG] esp=aes128-sha1
> 08[CFG] mediation=no
> 08[CFG] mediated_by=(null)
> 08[CFG] me_peerid=(null)
> 08[KNL] getting interface name for 20.0.0.1
> 08[KNL] 20.0.0.1 is not a local address
> 08[KNL] getting interface name for 40.0.0.1
> 08[KNL] 40.0.0.1 is on interface eth2
> 08[CFG] added configuration 'CONFIG'
> 02[CFG] received stroke: route 'CONFIG'
> 02[CFG] proposing traffic selectors for us:
> 02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> 02[CFG] proposing traffic selectors for other:
> 02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> configuration 'CONFIG' routed
> 03[KNL] received a XFRM_MSG_ACQUIRE
> 03[KNL] XFRMA_TMPL
> 03[KNL] creating acquire job for policy 30.0.0.1/32[icmp/8] ===
> 10.0.0.1/32[icmp] with reqid {1}
> 10[IKE] queueing IKE_INIT task
> 10[IKE] queueing IKE_VENDOR task
> 10[IKE] queueing IKE_NATD task
> 10[IKE] queueing IKE_CERT_PRE task
> 10[IKE] queueing IKE_AUTHENTICATE task
> 10[IKE] queueing IKE_CERT_POST task
> 10[IKE] queueing IKE_CONFIG task
> 10[IKE] queueing IKE_AUTH_LIFETIME task
> 10[IKE] queueing IKE_MOBIKE task
> 10[IKE] queueing CHILD_CREATE task
> 10[IKE] activating new tasks
> 10[IKE] activating IKE_INIT task
> 10[IKE] activating IKE_VENDOR task
> 10[IKE] activating IKE_NATD task
> 10[IKE] activating IKE_CERT_PRE task
> 10[IKE] activating IKE_AUTHENTICATE task
> 10[IKE] activating IKE_CERT_POST task
> 10[IKE] activating IKE_CONFIG task
> 10[IKE] activating CHILD_CREATE task
> 10[IKE] activating IKE_AUTH_LIFETIME task
> 10[IKE] activating IKE_MOBIKE task
> 10[IKE] initiating IKE_SA CONFIG[1] to 20.0.0.1
> 10[IKE] IKE_SA CONFIG[1] state change: CREATED => CONNECTING
> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 10[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 05[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 01[JOB] next event in 3s 999ms, waiting
> 06[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 06[NET] waiting for data on raw sockets
> 11[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 11[CFG] selecting proposal:
> 11[CFG] proposal matches
> 11[CFG] received proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 11[CFG] configured proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 11[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 11[IKE] reinitiating already active tasks
> 11[IKE] IKE_CERT_PRE task
> 11[IKE] IKE_AUTHENTICATE task
> 11[IKE] authentication of '40.0.0.1' (myself) with pre-shared key
> 11[IKE] successfully created shared key MAC
> 11[IKE] establishing CHILD_SA CONFIG{1}
> 11[CFG] proposing traffic selectors for us:
> 11[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> 11[CFG] proposing traffic selectors for other:
> 11[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> 11[KNL] getting SPI for reqid {1}
> 11[KNL] got SPI cbd8e62e for reqid {1}
> 11[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> 11[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 05[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
> 01[JOB] next event in 3s 378ms, waiting
> 06[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 06[NET] waiting for data on raw sockets
> 12[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
> 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> 12[IKE] authentication of '20.0.0.1' with pre-shared key successful
> 12[IKE] IKE_SA CONFIG[1] established between
> 40.0.0.1[40.0.0.1]...20.0.0.1[20.0.0.1]
> 12[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
> 01[JOB] next event in 2s 465ms, waiting
> 12[IKE] scheduling rekeying in 24709s
> 01[JOB] next event in 2s 465ms, waiting
> 12[IKE] maximum IKE_SA lifetime 27589s
> 12[CFG] selecting proposal:
> 12[CFG] proposal matches
> 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 12[CFG] selecting traffic selectors for us:
> 12[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
> 30.0.0.0/24
> 12[CFG] selecting traffic selectors for other:
> 12[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
> 10.0.0.0/24
> 12[KNL] adding SAD entry with SPI cbd8e62e and reqid {1}
> 12[KNL] using encryption algorithm AES_CBC with key size 128
> 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 12[KNL] adding SAD entry with SPI cc92e3ae and reqid {1}
> 12[KNL] using encryption algorithm AES_CBC with key size 128
> 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 12[IKE] CHILD_SA CONFIG{1} established with SPIs cbd8e62e_i cc92e3ae_o
> and TS 30.0.0.0/24 === 10.0.0.0/24
> 12[IKE] peer supports MOBIKE
> 12[IKE] got additional MOBIKE peer address: 192.168.0.250
> 12[IKE] got additional MOBIKE peer address: 10.0.0.1
> 12[IKE] activating new tasks
> 12[IKE] nothing to initiate
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 619ms, waiting
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 24705s 911ms, waiting
>
>
>
> $ ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
> proto esp spi 0xcc92e3ae reqid 1 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
> enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
> src 20.0.0.1 dst 40.0.0.1
> proto esp spi 0xcbd8e62e reqid 1 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
> enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>
>
> $ tcpdump -i eth2 port 500 or port 4500 or ip proto 51 or ip proto 50
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
> 10:18:42.954850 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa ikev2_init[I]
> 10:18:43.143401 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa ikev2_init[]
> 10:18:43.593044 IP 40.0.0.1.ipsec-nat-t > 20.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 10:18:44.492888 IP 20.0.0.1.ipsec-nat-t > 40.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[]
> 10:18:44.801023 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1), length 132
> 10:18:45.800963 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2), length 132
> 10:18:46.800639 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3), length 132
> 10:18:47.800361 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4), length 132
> 10:18:48.800041 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5), length 132
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==