[strongSwan] configuring charon with installpolicy=no
Andreas Steffen
andreas.steffen at strongswan.org
Wed May 19 11:33:09 CEST 2010
The assignment of a reqid to link IPsec SAs to IPsec policies is
a feature of the Linux kernel so charon needs to provide one.
As mentioned in an earlier posting, strongswan-4.4.1 will allow
you to assign a fixed reqid to each connection definition.
Regards
Andreas
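Since the whole thread turns on the policy templates and the SAs carrying the same reqid, here is an added check (example code written for this page, not strongSwan code and not something posted in the thread) that parses `ip xfrm state` and `ip xfrm policy` output and reports every policy template whose reqid no SA carries. The sample output is copied from the failing case posted below (policies with reqid 1, SAs with reqid 2) with the key material left out; the `ip xfrm policy update` line it suggests for the fix mirrors the posted `add` commands and is my choice of command, not one the thread used.

```python
"""Cross-check 'ip xfrm policy' templates against 'ip xfrm state' entries.

With installpolicy=no the policies are installed by hand, so the reqid in
each policy template must equal the reqid charon negotiated for the SA.
If it does not, the kernel never links policy and SA and traffic is dropped
silently, which is what the thread below observed.
"""
import re
from dataclasses import dataclass

# Line shapes as printed by 'ip xfrm state' / 'ip xfrm policy' in the posted output.
SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
SA_RE = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)$")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")
TMPL_PROTO_RE = re.compile(r"^proto (\w+) reqid (\d+) mode (\w+)$")


@dataclass(frozen=True)
class Sa:
    src: str
    dst: str
    spi: str
    reqid: int


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str
    priority: int
    tmpl_src: str
    tmpl_dst: str
    reqid: int


def parse_state(text):
    """Parse 'ip xfrm state' output into Sa records (key lines are ignored)."""
    sas, endpoints = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SEL_RE.match(line)):
            endpoints = m.groups()
        elif (m := SA_RE.match(line)) and endpoints:
            sas.append(Sa(endpoints[0], endpoints[1], m.group(2), int(m.group(3))))
            endpoints = None
    return sas


def parse_policy(text):
    """Parse 'ip xfrm policy' output into Policy records, one per template."""
    policies, sel, direction, tmpl = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SEL_RE.match(line)):
            sel = m.groups()
        elif (m := DIR_RE.match(line)):
            direction = (m.group(1), int(m.group(2)))
        elif (m := TMPL_RE.match(line)):
            tmpl = m.groups()
        elif (m := TMPL_PROTO_RE.match(line)) and sel and direction and tmpl:
            policies.append(Policy(sel[0], sel[1], direction[0], direction[1],
                                   tmpl[0], tmpl[1], int(m.group(2))))
            sel = direction = tmpl = None
    return policies


def check_links(sas, policies):
    """Return (policy, problem, sa_reqids) for every template no SA satisfies.

    A template is satisfied by an SA whose outer src/dst equal the template's
    and whose reqid equals the template's reqid; the endpoints matching alone
    is not enough, which is the trap this thread fell into.
    """
    problems = []
    for p in policies:
        matching = [s for s in sas if s.src == p.tmpl_src and s.dst == p.tmpl_dst]
        sa_reqids = sorted({s.reqid for s in matching})
        if not matching:
            problems.append((p, "no SA between the template endpoints", sa_reqids))
        elif p.reqid not in sa_reqids:
            problems.append((p, f"policy reqid {p.reqid} but SA reqid(s) {sa_reqids}", sa_reqids))
    return problems


def fixed_policy_cmd(p, reqid):
    """Rewrite the policy in place with the reqid an SA actually carries.

    Same syntax as the posted 'ip xfrm policy add' commands; 'update' is used
    so the existing entry is replaced rather than rejected as a duplicate.
    """
    return (f"ip xfrm policy update dir {p.direction} src {p.src} dst {p.dst} proto any "
            f"priority {p.priority} tmpl src {p.tmpl_src} dst {p.tmpl_dst} "
            f"proto esp mode tunnel reqid {reqid} level required")


# Constructed from the failing case posted in the thread; auth/enc keys omitted.
STATE_OUT = """\
src 40.0.0.1 dst 20.0.0.1
    proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
    replay-window 32 flag 20
src 20.0.0.1 dst 40.0.0.1
    proto esp spi 0xc6c531f3 reqid 2 mode tunnel
    replay-window 32 flag 20
"""

POLICY_OUT = """\
src 30.0.0.0/24 dst 10.0.0.0/24
    dir in priority 1000
    tmpl src 40.0.0.1 dst 20.0.0.1
        proto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
    dir out priority 1000
    tmpl src 20.0.0.1 dst 40.0.0.1
        proto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
    dir fwd priority 1000
    tmpl src 40.0.0.1 dst 20.0.0.1
        proto esp reqid 1 mode tunnel
"""


def run_example():
    """Cross-check the posted failing case: policies carry reqid 1, SAs reqid 2."""
    return check_links(parse_state(STATE_OUT), parse_policy(POLICY_OUT))


if __name__ == "__main__":
    for p, why, sa_reqids in run_example():
        print(f"{p.direction:>3} {p.src} -> {p.dst}: {why}")
        if sa_reqids:
            print("    fix:", fixed_policy_cmd(p, sa_reqids[0]))
```

On a live host feed it the real output (`ip xfrm state` and `ip xfrm policy`) instead of the embedded strings; an empty result means every template has an SA with its reqid.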
On 05/19/2010 10:40 AM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> By the way, when I set the reqid to 2 on the receiving end, it works...
> but is this really the way to go?!! This is a very simple setup, but
> there will be cases with hundreds of VPNs to be established...
>
> I still can't understand what the use of reqid is. Why does charon
> generate a new one? Why do I have to manually configure one (it looks
> like reqid is very similar to SPI)?
>
>
>
> Here is what you requested (putting reqid back to 1 as previously sent):
> # ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
> proto esp spi 0xc0ccfae1 reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x5b43d15de8b3997f346f8ff2b9b297c83b60104a
> enc cbc(aes) 0x9c850aad09dddc25be6153ac8393029e
> src 20.0.0.1 dst 40.0.0.1
> proto esp spi 0xc6c531f3 reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0xdc2c4677b0c85f5842b059a86dcc5f44dc00bd78
> enc cbc(aes) 0x97b79d26f2fe533d92395e0c22a7a17b
>
>
> # ip xfrm policy
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir in priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 1 mode tunnel
> src 10.0.0.0/24 dst 30.0.0.0/24
> dir out priority 1000
> tmpl src 20.0.0.1 dst 40.0.0.1
> proto esp reqid 1 mode tunnel
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir fwd priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 1 mode tunnel
>
>
> Note how the reqid is different.
>
>
>
>
>
> Here is the same example, only this time I set reqid to 2 on the inbound
> side, and ping goes just fine:
> # ip xfrm state
> src 40.0.0.1 dst 20.0.0.1
> proto esp spi 0xcc7636fb reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x51a764daac8beac9e61b3524c906894547b1fb37
> enc cbc(aes) 0x229fdbf97ec3e2d88e41270367f02c7b
> src 20.0.0.1 dst 40.0.0.1
> proto esp spi 0xcb7751d6 reqid 2 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0x0e629068e2575e017ea0592bb09cc728d60946ce
> enc cbc(aes) 0xf1d152284d2ba5aa2f0ae0fada9162c3
>
> # ip xfrm policy
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir in priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 2 mode tunnel
> src 10.0.0.0/24 dst 30.0.0.0/24
> dir out priority 1000
> tmpl src 20.0.0.1 dst 40.0.0.1
> proto esp reqid 2 mode tunnel
> src 30.0.0.0/24 dst 10.0.0.0/24
> dir fwd priority 1000
> tmpl src 40.0.0.1 dst 20.0.0.1
> proto esp reqid 2 mode tunnel
>
>
> Here are the inbound side logs:
> starter --nofork
> Starting strongSwan 4.3.6 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] 20.0.0.1
> 00[KNL] fe80::209:6bff:fe58:6492
> 00[KNL] eth1
> 00[KNL] 192.168.0.250
> 00[KNL] 10.0.0.1
> 00[KNL] 10.0.0.2
> 00[KNL] fe80::209:6bff:fe58:6493
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
> 00[JOB] spawning 16 worker threads
> charon (25963) started after 160 ms
> 01[JOB] started worker thread, ID: 1
> 01[JOB] no events, waiting
> 03[JOB] started worker thread, ID: 3
> 04[JOB] started worker thread, ID: 4
> 05[JOB] started worker thread, ID: 5
> 06[JOB] started worker thread, ID: 6
> 06[NET] waiting for data on raw sockets
> 08[JOB] started worker thread, ID: 8
> 08[CFG] received stroke: add connection 'CONFIG'
> 08[CFG] conn CONFIG
> 08[CFG] left=20.0.0.1
> 08[CFG] leftsubnet=10.0.0.0/24
> 08[CFG] leftsourceip=(null)
> 08[CFG] leftauth=(null)
> 08[CFG] leftauth2=(null)
> 08[CFG] leftid=20.0.0.1
> 02[JOB] started worker thread, ID: 2
> 07[JOB] started worker thread, ID: 7
> 09[JOB] started worker thread, ID: 9
> 10[JOB] started worker thread, ID: 10
> 11[JOB] started worker thread, ID: 11
> 12[JOB] started worker thread, ID: 12
> 13[JOB] started worker thread, ID: 13
> 14[JOB] started worker thread, ID: 14
> 15[JOB] started worker thread, ID: 15
> 16[JOB] started worker thread, ID: 16
> 08[CFG] leftid2=(null)
> 08[CFG] leftcert=(null)
> 08[CFG] leftcert2=(null)
> 08[CFG] leftca=(null)
> 08[CFG] leftca2=(null)
> 08[CFG] leftgroups=(null)
> 08[CFG] leftupdown=(null)
> 08[CFG] right=40.0.0.1
> 08[CFG] rightsubnet=30.0.0.0/24
> 08[CFG] rightsourceip=(null)
> 08[CFG] rightauth=(null)
> 08[CFG] rightauth2=(null)
> 08[CFG] rightid=40.0.0.1
> 08[CFG] rightid2=(null)
> 08[CFG] rightcert=(null)
> 08[CFG] rightcert2=(null)
> 08[CFG] rightca=(null)
> 08[CFG] rightca2=(null)
> 08[CFG] rightgroups=(null)
> 08[CFG] rightupdown=(null)
> 08[CFG] eap_identity=(null)
> 08[CFG] ike=aes128-md5-modp1536
> 08[CFG] esp=aes128-sha1
> 08[CFG] mediation=no
> 08[CFG] mediated_by=(null)
> 08[CFG] me_peerid=(null)
> 08[KNL] getting interface name for 40.0.0.1
> 08[KNL] 40.0.0.1 is not a local address
> 08[KNL] getting interface name for 20.0.0.1
> 08[KNL] 20.0.0.1 is on interface eth0
> 08[CFG] added configuration 'CONFIG'
> 02[CFG] received stroke: route 'CONFIG'
> 02[CFG] proposing traffic selectors for us:
> 02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> 02[CFG] proposing traffic selectors for other:
> 02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> configuration 'CONFIG' routed
>
> 06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 06[NET] waiting for data on raw sockets
> 10[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) ]
> 10[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
> 10[CFG] candidate: 20.0.0.1...40.0.0.1, prio 12
> 10[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
> 01[JOB] next event in 29s 999ms, waiting
> 10[IKE] 40.0.0.1 is initiating an IKE_SA
> 10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 10[CFG] selecting proposal:
> 10[CFG] proposal matches
> 10[CFG] received proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
> 6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
> AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
> 84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 10[CFG] configured proposals:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_9
> 6/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_
> AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_3
> 84/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
> 10[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(MULT_AUTH) ]
> 10[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 06[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 06[NET] waiting for data on raw sockets
> 11[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
> 11[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH)
> N(EAP_ONLY) ]
> 11[CFG] looking for peer configs matching
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 11[CFG] candidate "CONFIG", match: 20/20/12 (me/other/ike)
> 11[CFG] selected peer config 'CONFIG'
> 11[IKE] authentication of '40.0.0.1' with pre-shared key successful
> 11[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
> 11[IKE] successfully created shared key MAC
> 11[IKE] IKE_SA CONFIG[1] established between
> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
> 11[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
> 11[IKE] scheduling reauthentication in 23738s
> 01[JOB] next event in 29s 440ms, waiting
> 11[IKE] maximum IKE_SA lifetime 26618s
> 01[JOB] next event in 29s 405ms, waiting
> 11[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 ===
> 30.0.0.1/32[icmp/8] 30.0.0.0/24
> 11[CFG] proposing traffic selectors for us:
> 11[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
> 11[CFG] proposing traffic selectors for other:
> 11[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
> 11[CFG] candidate "CONFIG" with prio 7+7
> 11[CFG] found matching child config "CONFIG" with prio 14
> 11[CFG] selecting proposal:
> 11[CFG] proposal matches
> 11[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
> HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 11[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_S
> HA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 11[KNL] getting SPI for reqid {2}
> 11[KNL] got SPI cc7636fb for reqid {2}
> 11[CFG] selecting traffic selectors for us:
> 11[CFG] config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match:
> 10.0.0.1/32[icmp]
> 11[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
> 10.0.0.0/24
> 11[CFG] selecting traffic selectors for other:
> 11[CFG] config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match:
> 30.0.0.1/32[icmp/8]
> 11[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
> 30.0.0.0/24
> 11[KNL] adding SAD entry with SPI cc7636fb and reqid {2}
> 11[KNL] using encryption algorithm AES_CBC with key size 128
> 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 11[KNL] adding SAD entry with SPI cb7751d6 and reqid {2}
> 11[KNL] using encryption algorithm AES_CBC with key size 128
> 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
> 11[IKE] CHILD_SA CONFIG{2} established with SPIs cc7636fb_i cb7751d6_o
> and TS 10.0.0.0/24 === 30.0.0.0/24
> 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT)
> ]
> 11[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 05[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
> 01[JOB] next event in 1ms, waiting
> 01[JOB] got event, queuing job for execution
> 01[JOB] next event in 23708s 557ms, waiting
>
>
>
> and tcpdump:
> 11:33:11.814685 IP 40.0.0.1.isakmp> 20.0.0.1.isakmp: isakmp: parent_sa
> ikev2_init[I]
> 11:33:12.001573 IP 20.0.0.1.isakmp> 40.0.0.1.isakmp: isakmp: parent_sa
> ikev2_init[]
> 11:33:12.350975 IP 40.0.0.1.isakmp> 20.0.0.1.isakmp: isakmp: child_sa
> ikev2_auth[I]
> 11:33:13.159219 IP 20.0.0.1.isakmp> 40.0.0.1.isakmp: isakmp: child_sa
> ikev2_auth[]
> 11:33:13.441764 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x1),
> length 132
> 11:33:13.442012 IP 20.0.0.1> 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x1),
> length 132
> 11:33:13.443979 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x2),
> length 132
> 11:33:13.444043 IP 20.0.0.1> 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x2),
> length 132
> 11:33:14.443399 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc7636fb,seq=0x3),
> length 132
> 11:33:14.443468 IP 20.0.0.1> 40.0.0.1: ESP(spi=0xcb7751d6,seq=0x3),
> length 132
>
>
>
> Thanks a lot
>
> -----Original Message-----
> From: ext Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wednesday, May 19, 2010 11:27 AM
> To: Ayyash, Mohammad (NSN - FI/Espoo)
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] configuring charon with installpolicy=no
>
> Hi,
> there is currently no way for charon to control the priorities.
> I don't know why the inbound ESP packet does not trigger the
> IPsec policy. The commands
>
> ip -s xfrm policy|state
>
> give more information
>
> Regards
>
> Andreas
>
> On 05/17/2010 09:43 AM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
>> Hi,
>>
>> It "almost" worked. The problem now is that ping gets no reply whatsoever. I
>> wonder why.
>>
>> But can you please let me know if there is an even better way to control
>> policy priorities if I let charon insert them? Apparently, it is better
>> to let charon do that.
>>
>> Here is a complete example of how the ping doesn't get any reply, the
>> two hosts' logs:
>> ================= Host1 ============================
>> ipsec.conf
>> config setup
>> charonstart=yes
>> plutostart=no
>> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>> conn %default
>> keyexchange=ikev2
>> auto=route
>> installpolicy=no
>> reauth=no
>> ca strongswan
>> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
>> conn CONFIG
>> rekeymargin=2880
>> rekeyfuzz=100%
>> left=20.0.0.1
>> right=40.0.0.1
>> leftsubnet=10.0.0.0/24
>> rightsubnet=30.0.0.0/24
>> leftprotoport=%any
>> rightprotoport=%any
>> authby=secret
>> leftid=20.0.0.1
>> rightid=40.0.0.1
>> ike=aes128-md5-modp1536
>> esp=aes128-sha1
>> type=tunnel
>> ikelifetime=28800s
>> keylife=28800s
>>
>>
>> $ ip xfrm policy flush
>> $ ip xfrm policy add dir in src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
>> $ ip xfrm policy add dir out src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
>> $ ip xfrm policy
>> src 30.0.0.0/24 dst 10.0.0.0/24
>> dir in priority 1000
>> tmpl src 40.0.0.1 dst 20.0.0.1
>> proto esp reqid 1 mode tunnel
>> src 10.0.0.0/24 dst 30.0.0.0/24
>> dir out priority 1000
>> tmpl src 20.0.0.1 dst 40.0.0.1
>> proto esp reqid 1 mode tunnel
>>
>>
>>
>> $ starter --nofork
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> 00[KNL] listening on interfaces:
>> 00[KNL] eth0
>> 00[KNL] 20.0.0.1
>> 00[KNL] fe80::209:6bff:fe58:6492
>> 00[KNL] eth1
>> 00[KNL] 192.168.0.250
>> 00[KNL] 10.0.0.1
>> 00[KNL] fe80::209:6bff:fe58:6493
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from
>> '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from
>> '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
>> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
>> attr resolve
>> 00[JOB] spawning 16 worker threads
>> charon (19425) started after 140 ms
>> 01[JOB] started worker thread, ID: 1
>> 01[JOB] no events, waiting
>> 07[JOB] started worker thread, ID: 7
>> 08[JOB] started worker thread, ID: 8
>> 06[JOB] started worker thread, ID: 6
>> 09[JOB] started worker thread, ID: 9
>> 09[NET] waiting for data on raw sockets
>> 05[JOB] started worker thread, ID: 5
>> 05[CFG] received stroke: add connection 'CONFIG'
>> 05[CFG] conn CONFIG
>> 05[CFG] left=20.0.0.1
>> 05[CFG] leftsubnet=10.0.0.0/24
>> 05[CFG] leftsourceip=(null)
>> 05[CFG] leftauth=(null)
>> 05[CFG] leftauth2=(null)
>> 05[CFG] leftid=20.0.0.1
>> 05[CFG] leftid2=(null)
>> 05[CFG] leftcert=(null)
>> 05[CFG] leftcert2=(null)
>> 05[CFG] leftca=(null)
>> 05[CFG] leftca2=(null)
>> 05[CFG] leftgroups=(null)
>> 05[CFG] leftupdown=(null)
>> 05[CFG] right=40.0.0.1
>> 05[CFG] rightsubnet=30.0.0.0/24
>> 05[CFG] rightsourceip=(null)
>> 05[CFG] rightauth=(null)
>> 05[CFG] rightauth2=(null)
>> 05[CFG] rightid=40.0.0.1
>> 05[CFG] rightid2=(null)
>> 05[CFG] rightcert=(null)
>> 05[CFG] rightcert2=(null)
>> 05[CFG] rightca=(null)
>> 05[CFG] rightca2=(null)
>> 05[CFG] rightgroups=(null)
>> 05[CFG] rightupdown=(null)
>> 05[CFG] eap_identity=(null)
>> 05[CFG] ike=aes128-md5-modp1536
>> 05[CFG] esp=aes128-sha1
>> 05[CFG] mediation=no
>> 05[CFG] mediated_by=(null)
>> 05[CFG] me_peerid=(null)
>> 14[JOB] started worker thread, ID: 14
>> 15[JOB] started worker thread, ID: 15
>> 16[JOB] started worker thread, ID: 16
>> 02[JOB] started worker thread, ID: 2
>> 10[JOB] started worker thread, ID: 10
>> 11[JOB] started worker thread, ID: 11
>> 12[JOB] started worker thread, ID: 12
>> 04[JOB] started worker thread, ID: 4
>> 03[JOB] started worker thread, ID: 3
>> 13[JOB] started worker thread, ID: 13
>> 05[KNL] getting interface name for 40.0.0.1
>> 05[KNL] 40.0.0.1 is not a local address
>> 05[KNL] getting interface name for 20.0.0.1
>> 05[KNL] 20.0.0.1 is on interface eth0
>> 05[CFG] added configuration 'CONFIG'
>> 14[CFG] received stroke: route 'CONFIG'
>> 14[CFG] proposing traffic selectors for us:
>> 14[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>> 14[CFG] proposing traffic selectors for other:
>> 14[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>> configuration 'CONFIG' routed
>> 09[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
>> 09[NET] waiting for data on raw sockets
>> 02[NET] received packet: from 40.0.0.1[500] to 20.0.0.1[500]
>> 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) ]
>> 02[CFG] looking for an ike config for 20.0.0.1...40.0.0.1
>> 02[CFG] candidate: 20.0.0.1...40.0.0.1, prio 12
>> 02[CFG] found matching ike config: 20.0.0.1...40.0.0.1 with prio 12
>> 02[IKE] 40.0.0.1 is initiating an IKE_SA
>> 02[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
>> 02[CFG] selecting proposal:
>> 02[CFG] proposal matches
>> 02[CFG] received proposals:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
>> 02[CFG] configured proposals:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
>> 02[CFG] selected proposal:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
>> 01[JOB] next event in 29s 999ms, waiting
>> 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(MULT_AUTH) ]
>> 02[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
>> 06[NET] sending packet: from 20.0.0.1[500] to 40.0.0.1[500]
>> 09[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
>> 09[NET] waiting for data on raw sockets
>> 10[NET] received packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
>> 10[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> 10[CFG] looking for peer configs matching
>> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
>> 10[CFG] candidate "CONFIG", match: 20/20/12 (me/other/ike)
>> 10[CFG] selected peer config 'CONFIG'
>> 10[IKE] authentication of '40.0.0.1' with pre-shared key successful
>> 10[IKE] peer supports MOBIKE
>> 10[IKE] got additional MOBIKE peer address: 30.0.0.1
>> 10[IKE] got additional MOBIKE peer address:
>> 2001:490:ff0:c2c7:202:55ff:fe54:aad9
>> 10[IKE] authentication of '20.0.0.1' (myself) with pre-shared key
>> 10[IKE] successfully created shared key MAC
>> 10[IKE] IKE_SA CONFIG[1] established between
>> 20.0.0.1[20.0.0.1]...40.0.0.1[40.0.0.1]
>> 10[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
>> 10[IKE] scheduling rekeying in 25116s
>> 01[JOB] next event in 29s 280ms, waiting
>> 10[IKE] maximum IKE_SA lifetime 27996s
>> 01[JOB] next event in 29s 231ms, waiting
>> 10[CFG] looking for a child config for 10.0.0.1/32[icmp] 10.0.0.0/24 ===
>> 30.0.0.1/32[icmp/8] 30.0.0.0/24
>> 10[CFG] proposing traffic selectors for us:
>> 10[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>> 10[CFG] proposing traffic selectors for other:
>> 10[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>> 10[CFG] candidate "CONFIG" with prio 7+7
>> 10[CFG] found matching child config "CONFIG" with prio 14
>> 10[CFG] selecting proposal:
>> 10[CFG] proposal matches
>> 10[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
>> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> 10[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
>> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> 10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>> 10[KNL] getting SPI for reqid {2}
>> 10[KNL] got SPI cc92e3ae for reqid {2}
>> 10[CFG] selecting traffic selectors for us:
>> 10[CFG] config: 10.0.0.0/24, received: 10.0.0.1/32[icmp] => match:
>> 10.0.0.1/32[icmp]
>> 10[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
>> 10.0.0.0/24
>> 10[CFG] selecting traffic selectors for other:
>> 10[CFG] config: 30.0.0.0/24, received: 30.0.0.1/32[icmp/8] => match:
>> 30.0.0.1/32[icmp/8]
>> 10[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
>> 30.0.0.0/24
>> 10[KNL] adding SAD entry with SPI cc92e3ae and reqid {2}
>> 10[KNL] using encryption algorithm AES_CBC with key size 128
>> 10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>> 10[KNL] adding SAD entry with SPI cbd8e62e and reqid {2}
>> 10[KNL] using encryption algorithm AES_CBC with key size 128
>> 10[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>> 10[IKE] CHILD_SA CONFIG{2} established with SPIs cc92e3ae_i cbd8e62e_o
>> and TS 10.0.0.0/24 === 30.0.0.0/24
>> 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr
>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>> 10[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
>> 06[NET] sending packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
>> 01[JOB] next event in 1ms, waiting
>> 01[JOB] got event, queuing job for execution
>> 01[JOB] next event in 25086s 718ms, waiting
>>
>>
>>
>> $ ip xfrm state
>> src 40.0.0.1 dst 20.0.0.1
>> proto esp spi 0xcc92e3ae reqid 2 mode tunnel
>> replay-window 32 flag 20
>> auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
>> enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
>> src 20.0.0.1 dst 40.0.0.1
>> proto esp spi 0xcbd8e62e reqid 2 mode tunnel
>> replay-window 32 flag 20
>> auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
>> enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>>
>>
>> $ tcpdump -i eth0 port 500 or port 4500 or ip proto 51 or ip proto 50
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 10:24:47.623723 IP 40.0.0.1.isakmp> 20.0.0.1.isakmp: isakmp: parent_sa
>> ikev2_init[I]
>> 10:24:47.809724 IP 20.0.0.1.isakmp> 40.0.0.1.isakmp: isakmp: parent_sa
>> ikev2_init[]
>> 10:24:48.261709 IP 40.0.0.1.ipsec-nat-t> 20.0.0.1.ipsec-nat-t:
>> NONESP-encap: isakmp: child_sa ikev2_auth[I]
>> 10:24:49.160183 IP 20.0.0.1.ipsec-nat-t> 40.0.0.1.ipsec-nat-t:
>> NONESP-encap: isakmp: child_sa ikev2_auth[]
>> 10:24:49.468469 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1),
>> length 132
>> 10:24:50.468321 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2),
>> length 132
>> 10:24:51.467906 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3),
>> length 132
>> 10:24:52.467547 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4),
>> length 132
>> 10:24:53.468205 IP 40.0.0.1> 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5),
>> length 132
>>
>>
>> ================== HOST 2 ===========================
>> ipsec.conf:
>> config setup
>> charonstart=yes
>> plutostart=no
>> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>> conn %default
>> keyexchange=ikev2
>> auto=route
>> installpolicy=no
>> reauth=no
>> ca strongswan
>> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
>> conn CONFIG
>> rekeymargin=2880
>> rekeyfuzz=100%
>> left=40.0.0.1
>> right=20.0.0.1
>> leftsubnet=30.0.0.0/24
>> rightsubnet=10.0.0.0/24
>> leftprotoport=%any
>> rightprotoport=%any
>> authby=secret
>> leftid=40.0.0.1
>> rightid=20.0.0.1
>> ike=aes128-md5-modp1536
>> esp=aes128-sha1
>> type=tunnel
>> ikelifetime=28800s
>> keylife=28800s
>>
>>
>> $ ip xfrm policy flush
>> $ ip xfrm policy add dir out src 30.0.0.0/24 dst 10.0.0.0/24 proto any priority 1000 tmpl src 40.0.0.1 dst 20.0.0.1 proto esp mode tunnel reqid 1 level required
>> $ ip xfrm policy add dir in src 10.0.0.0/24 dst 30.0.0.0/24 proto any priority 1000 tmpl src 20.0.0.1 dst 40.0.0.1 proto esp mode tunnel reqid 1 level required
>> $ ip xfrm policy
>> src 10.0.0.0/24 dst 30.0.0.0/24
>> dir in priority 1000
>> tmpl src 20.0.0.1 dst 40.0.0.1
>> proto esp reqid 1 mode tunnel
>> src 30.0.0.0/24 dst 10.0.0.0/24
>> dir out priority 1000
>> tmpl src 40.0.0.1 dst 20.0.0.1
>> proto esp reqid 1 mode tunnel
>>
>>
>> $ starter --nofork
>> Starting strongSwan 4.3.6 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>> 00[KNL] listening on interfaces:
>> 00[KNL] eth1
>> 00[KNL] eth2
>> 00[KNL] 40.0.0.1
>> 00[KNL] 2001:490:ff0:c2c7:202:55ff:fe54:aad9
>> 00[KNL] fe80::202:55ff:fe54:aad9
>> 00[KNL] eth3
>> 00[KNL] 30.0.0.1
>> 00[KNL] fe80::202:55ff:fe54:aada
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from
>> '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from
>> '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG] loaded IKE secret for 40.0.0.1 20.0.0.1
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
>> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
>> attr resolve
>> 00[JOB] spawning 16 worker threads
>> charon (16019) started after 140 ms
>> 01[JOB] started worker thread, ID: 1
>> 01[JOB] no events, waiting
>> 03[JOB] started worker thread, ID: 3
>> 04[JOB] started worker thread, ID: 4
>> 05[JOB] started worker thread, ID: 5
>> 06[JOB] started worker thread, ID: 6
>> 06[NET] waiting for data on raw sockets
>> 08[JOB] started worker thread, ID: 8
>> 08[CFG] received stroke: add connection 'CONFIG'
>> 08[CFG] conn CONFIG
>> 08[CFG] left=40.0.0.1
>> 08[CFG] leftsubnet=30.0.0.0/24
>> 08[CFG] leftsourceip=(null)
>> 08[CFG] leftauth=(null)
>> 08[CFG] leftauth2=(null)
>> 08[CFG] leftid=40.0.0.1
>> 02[JOB] started worker thread, ID: 2
>> 07[JOB] started worker thread, ID: 7
>> 09[JOB] started worker thread, ID: 9
>> 10[JOB] started worker thread, ID: 10
>> 11[JOB] started worker thread, ID: 11
>> 12[JOB] started worker thread, ID: 12
>> 13[JOB] started worker thread, ID: 13
>> 14[JOB] started worker thread, ID: 14
>> 15[JOB] started worker thread, ID: 15
>> 16[JOB] started worker thread, ID: 16
>> 08[CFG] leftid2=(null)
>> 08[CFG] leftcert=(null)
>> 08[CFG] leftcert2=(null)
>> 08[CFG] leftca=(null)
>> 08[CFG] leftca2=(null)
>> 08[CFG] leftgroups=(null)
>> 08[CFG] leftupdown=(null)
>> 08[CFG] right=20.0.0.1
>> 08[CFG] rightsubnet=10.0.0.0/24
>> 08[CFG] rightsourceip=(null)
>> 08[CFG] rightauth=(null)
>> 08[CFG] rightauth2=(null)
>> 08[CFG] rightid=20.0.0.1
>> 08[CFG] rightid2=(null)
>> 08[CFG] rightcert=(null)
>> 08[CFG] rightcert2=(null)
>> 08[CFG] rightca=(null)
>> 08[CFG] rightca2=(null)
>> 08[CFG] rightgroups=(null)
>> 08[CFG] rightupdown=(null)
>> 08[CFG] eap_identity=(null)
>> 08[CFG] ike=aes128-md5-modp1536
>> 08[CFG] esp=aes128-sha1
>> 08[CFG] mediation=no
>> 08[CFG] mediated_by=(null)
>> 08[CFG] me_peerid=(null)
>> 08[KNL] getting interface name for 20.0.0.1
>> 08[KNL] 20.0.0.1 is not a local address
>> 08[KNL] getting interface name for 40.0.0.1
>> 08[KNL] 40.0.0.1 is on interface eth2
>> 08[CFG] added configuration 'CONFIG'
>> 02[CFG] received stroke: route 'CONFIG'
>> 02[CFG] proposing traffic selectors for us:
>> 02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>> 02[CFG] proposing traffic selectors for other:
>> 02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>> configuration 'CONFIG' routed
>> 03[KNL] received a XFRM_MSG_ACQUIRE
>> 03[KNL] XFRMA_TMPL
>> 03[KNL] creating acquire job for policy 30.0.0.1/32[icmp/8] ===
>> 10.0.0.1/32[icmp] with reqid {1}
>> 10[IKE] queueing IKE_INIT task
>> 10[IKE] queueing IKE_VENDOR task
>> 10[IKE] queueing IKE_NATD task
>> 10[IKE] queueing IKE_CERT_PRE task
>> 10[IKE] queueing IKE_AUTHENTICATE task
>> 10[IKE] queueing IKE_CERT_POST task
>> 10[IKE] queueing IKE_CONFIG task
>> 10[IKE] queueing IKE_AUTH_LIFETIME task
>> 10[IKE] queueing IKE_MOBIKE task
>> 10[IKE] queueing CHILD_CREATE task
>> 10[IKE] activating new tasks
>> 10[IKE] activating IKE_INIT task
>> 10[IKE] activating IKE_VENDOR task
>> 10[IKE] activating IKE_NATD task
>> 10[IKE] activating IKE_CERT_PRE task
>> 10[IKE] activating IKE_AUTHENTICATE task
>> 10[IKE] activating IKE_CERT_POST task
>> 10[IKE] activating IKE_CONFIG task
>> 10[IKE] activating CHILD_CREATE task
>> 10[IKE] activating IKE_AUTH_LIFETIME task
>> 10[IKE] activating IKE_MOBIKE task
>> 10[IKE] initiating IKE_SA CONFIG[1] to 20.0.0.1
>> 10[IKE] IKE_SA CONFIG[1] state change: CREATED => CONNECTING
>> 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) ]
>> 10[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
>> 05[NET] sending packet: from 40.0.0.1[500] to 20.0.0.1[500]
>> 01[JOB] next event in 3s 999ms, waiting
>> 06[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
>> 06[NET] waiting for data on raw sockets
>> 11[NET] received packet: from 20.0.0.1[500] to 40.0.0.1[500]
>> 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(MULT_AUTH) ]
>> 11[CFG] selecting proposal:
>> 11[CFG] proposal matches
>> 11[CFG] received proposals:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
>> 11[CFG] configured proposals:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_1536/MODP_4096/MODP_8192/MODP_1024
>> 11[CFG] selected proposal:
>> IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536
>> 11[IKE] reinitiating already active tasks
>> 11[IKE] IKE_CERT_PRE task
>> 11[IKE] IKE_AUTHENTICATE task
>> 11[IKE] authentication of '40.0.0.1' (myself) with pre-shared key
>> 11[IKE] successfully created shared key MAC
>> 11[IKE] establishing CHILD_SA CONFIG{1}
>> 11[CFG] proposing traffic selectors for us:
>> 11[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>> 11[CFG] proposing traffic selectors for other:
>> 11[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>> 11[KNL] getting SPI for reqid {1}
>> 11[KNL] got SPI cbd8e62e for reqid {1}
>> 11[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr
>> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> 11[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
>> 05[NET] sending packet: from 40.0.0.1[4500] to 20.0.0.1[4500]
>> 01[JOB] next event in 3s 378ms, waiting
>> 06[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
>> 06[NET] waiting for data on raw sockets
>> 12[NET] received packet: from 20.0.0.1[4500] to 40.0.0.1[4500]
>> 12[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
>> N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>> 12[IKE] authentication of '20.0.0.1' with pre-shared key successful
>> 12[IKE] IKE_SA CONFIG[1] established between
>> 40.0.0.1[40.0.0.1]...20.0.0.1[20.0.0.1]
>> 12[IKE] IKE_SA CONFIG[1] state change: CONNECTING => ESTABLISHED
>> 01[JOB] next event in 2s 465ms, waiting
>> 12[IKE] scheduling rekeying in 24709s
>> 01[JOB] next event in 2s 465ms, waiting
>> 12[IKE] maximum IKE_SA lifetime 27589s
>> 12[CFG] selecting proposal:
>> 12[CFG] proposal matches
>> 12[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>> 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
>> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> 12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>> 12[CFG] selecting traffic selectors for us:
>> 12[CFG] config: 30.0.0.0/24, received: 30.0.0.0/24 => match:
>> 30.0.0.0/24
>> 12[CFG] selecting traffic selectors for other:
>> 12[CFG] config: 10.0.0.0/24, received: 10.0.0.0/24 => match:
>> 10.0.0.0/24
>> 12[KNL] adding SAD entry with SPI cbd8e62e and reqid {1}
>> 12[KNL] using encryption algorithm AES_CBC with key size 128
>> 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>> 12[KNL] adding SAD entry with SPI cc92e3ae and reqid {1}
>> 12[KNL] using encryption algorithm AES_CBC with key size 128
>> 12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>> 12[IKE] CHILD_SA CONFIG{1} established with SPIs cbd8e62e_i cc92e3ae_o
>> and TS 30.0.0.0/24 === 10.0.0.0/24
>> 12[IKE] peer supports MOBIKE
>> 12[IKE] got additional MOBIKE peer address: 192.168.0.250
>> 12[IKE] got additional MOBIKE peer address: 10.0.0.1
>> 12[IKE] activating new tasks
>> 12[IKE] nothing to initiate
>> 01[JOB] got event, queuing job for execution
>> 01[JOB] next event in 619ms, waiting
>> 01[JOB] got event, queuing job for execution
>> 01[JOB] next event in 24705s 911ms, waiting
>>
>>
>>
>> $ ip xfrm state
>> src 40.0.0.1 dst 20.0.0.1
>> proto esp spi 0xcc92e3ae reqid 1 mode tunnel
>> replay-window 32 flag 20
>> auth hmac(sha1) 0x0009e244d350a3055610d752274cb7310a7b1f7d
>> enc cbc(aes) 0xa14f2995b930ceadf13aa327da93aea8
>> src 20.0.0.1 dst 40.0.0.1
>> proto esp spi 0xcbd8e62e reqid 1 mode tunnel
>> replay-window 32 flag 20
>> auth hmac(sha1) 0x030f878e09fa0c4bc3b00a1e0fbab8409d9c7090
>> enc cbc(aes) 0x93b0e4bbce244819f11be6ac0e7f2676
>>
>>
>> $ tcpdump -i eth2 port 500 or port 4500 or ip proto 51 or ip proto 50
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
>> 10:18:42.954850 IP 40.0.0.1.isakmp > 20.0.0.1.isakmp: isakmp: parent_sa ikev2_init[I]
>> 10:18:43.143401 IP 20.0.0.1.isakmp > 40.0.0.1.isakmp: isakmp: parent_sa ikev2_init[]
>> 10:18:43.593044 IP 40.0.0.1.ipsec-nat-t > 20.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
>> 10:18:44.492888 IP 20.0.0.1.ipsec-nat-t > 40.0.0.1.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[]
>> 10:18:44.801023 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x1), length 132
>> 10:18:45.800963 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x2), length 132
>> 10:18:46.800639 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x3), length 132
>> 10:18:47.800361 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x4), length 132
>> 10:18:48.800041 IP 40.0.0.1 > 20.0.0.1: ESP(spi=0xcc92e3ae,seq=0x5), length 132
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
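As an added example (not from this thread and not strongSwan code), here is a small Python checker for the failure mode discussed above: with installpolicy=no the policies are installed by hand with one reqid while charon's SAD entries carry another, and the kernel then finds no SA for the policy template. The script parses the text output of `ip xfrm state` and `ip xfrm policy` and reports every policy template whose src/dst/reqid triple is satisfied by no SAD entry. The sample outputs are constructed from the values quoted in the thread (the key material is replaced by placeholders), and the function and record names are my own.

```python
"""Cross-check `ip xfrm state` against `ip xfrm policy` by reqid.

Added example, not part of the strongSwan mailing-list thread or of the
strongSwan code base.  A policy template is only usable if a SAD entry with
the same src, dst and reqid exists; mismatched reqids are the symptom seen in
the thread (SAs with reqid 2, hand-installed policies with reqid 1).
"""
import re
from collections import namedtuple

SA = namedtuple("SA", "src dst spi reqid")
Tmpl = namedtuple("Tmpl", "selector direction src dst reqid")


def parse_state(text):
    """Parse `ip xfrm state` output into one SA record per SAD entry."""
    sas, ep = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            ep = (m.group(1), m.group(2))
            continue
        m = re.match(r"proto esp spi (0x[0-9a-fA-F]+) reqid (\d+)", line)
        if m and ep:
            sas.append(SA(ep[0], ep[1], int(m.group(1), 16), int(m.group(2))))
            ep = None
    return sas


def parse_policy(text):
    """Parse `ip xfrm policy` output into one Tmpl record per template."""
    tmpls, sel, direction, ep = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)   # tunnel endpoints
        if m:
            ep = (m.group(1), m.group(2))
            continue
        m = re.match(r"src (\S+) dst (\S+)", line)        # traffic selector
        if m:
            sel = "%s === %s" % (m.group(1), m.group(2))
            direction = ep = None
            continue
        m = re.match(r"dir (\w+)", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"proto esp reqid (\d+) mode tunnel", line)
        if m and sel and direction and ep:
            tmpls.append(Tmpl(sel, direction, ep[0], ep[1], int(m.group(1))))
            ep = None
    return tmpls


def unmatched_templates(sas, tmpls):
    """Templates for which no SAD entry has the same (src, dst, reqid)."""
    have = {(sa.src, sa.dst, sa.reqid) for sa in sas}
    return [t for t in tmpls if (t.src, t.dst, t.reqid) not in have]


# Constructed sample outputs, values taken from the thread; keys are placeholders.
FAILING_STATE = """\
src 40.0.0.1 dst 20.0.0.1
\tproto esp spi 0xc0ccfae1 reqid 2 mode tunnel
\treplay-window 32 flag 20
\tauth hmac(sha1) 0x0000000000000000000000000000000000000000
\tenc cbc(aes) 0x00000000000000000000000000000000
src 20.0.0.1 dst 40.0.0.1
\tproto esp spi 0xc6c531f3 reqid 2 mode tunnel
\treplay-window 32 flag 20
\tauth hmac(sha1) 0x0000000000000000000000000000000000000000
\tenc cbc(aes) 0x00000000000000000000000000000000
"""

WORKING_STATE = FAILING_STATE.replace("reqid 2", "reqid 1")

POLICY = """\
src 30.0.0.0/24 dst 10.0.0.0/24
\tdir in priority 1000
\ttmpl src 40.0.0.1 dst 20.0.0.1
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 30.0.0.0/24
\tdir out priority 1000
\ttmpl src 20.0.0.1 dst 40.0.0.1
\t\tproto esp reqid 1 mode tunnel
src 30.0.0.0/24 dst 10.0.0.0/24
\tdir fwd priority 1000
\ttmpl src 40.0.0.1 dst 20.0.0.1
\t\tproto esp reqid 1 mode tunnel
"""

if __name__ == "__main__":
    for label, state in (("failing", FAILING_STATE), ("working", WORKING_STATE)):
        bad = unmatched_templates(parse_state(state), parse_policy(POLICY))
        print(label, "->", "OK" if not bad else "%d template(s) without SA" % len(bad))
        for t in bad:
            print("  %s dir %s tmpl %s -> %s reqid %d" % t)
```

On a live system feed it the real outputs (`ip xfrm state` and `ip xfrm policy`); the matching is strict on src, dst and reqid, which is exactly the triple the policy template names, so a fixed reqid in the connection definition (as the upcoming 4.4.1 feature allows) or policies written to match charon's reqid both make the report come back empty.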