[strongSwan] multiple tunnels established for one connection (IKEv2)
Matthias Läßig
mla at apob.net
Tue Oct 19 20:54:02 CEST 2010
Hi Andreas,
I took a look at the starter script and it seems it collided with the ipsec implementation the distri provided. I manually copied the strongswan version over and the problem seems to have vanished.
And I blamed it on strongswan... *stupidofme*
Thanks,
/matthi.
On Oct 19, 2010, at 8:46 PM, Andreas Steffen wrote:
> Hi Matthias,
>
> I just see from your log, that ipsec starter initiates the connection
> several times in a row:
>
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate
> 'tanzplatz-h3x2'
>
>> Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate
>> 'tanzplatz-h3x2'
>
>> Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate
>> 'tanzplatz-h3x2'
>
> I actually don't understand what you are doing because starter should
> initiate the connection only once.
>
> Regards
>
> Andreas
>
> On 19.10.2010 19:19, Matthias Läßig wrote:
>> Hi all,
>>
>> I have strongswan 4.3.5 working between two Linux 2.6 gateways, routing
>> etc. is working perfectly. When looking at the established connections
>> I'm getting:
>>
>> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.5):
>> 000 interface lo/lo ::1:500
>> 000 interface lo/lo 127.0.0.1:4500
>> 000 interface lo/lo 127.0.0.1:500
>> 000 interface lo/lo 127.0.0.2:4500
>> 000 interface lo/lo 127.0.0.2:500
>> 000 interface eth0/eth0 10.0.0.252:4500
>> 000 interface eth0/eth0 10.0.0.252:500
>> 000 interface eth1/eth1 10.0.0.5:4500
>> 000 interface eth1/eth1 10.0.0.5:500
>> 000 %myid = '%any'
>> 000 loaded plugins: curl aes des sha1 sha2 md5 random x509 pubkey pkcs1
>> pgp dnskey pem hmac gmp
>> 000 debug options: none
>> 000
>> Status of IKEv2 charon daemon (strongSwan 4.3.5):
>> uptime: 117 seconds, since Oct 19 17:04:44 2010
>> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
>> loaded plugins: curl aes des sha1 sha2 md5 fips-prf random x509 pubkey
>> pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr
>> resolve
>> Listening IP addresses:
>> 10.0.0.252
>> 10.0.0.5
>> Connections:
>> tanzplatz-h3x2: 10.0.0.252...88.198.14.125
>> tanzplatz-h3x2: local: [C=DE, ST=Bavaria, L=Unterschleissheim,
>> O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net]
>> uses public key authentication
>> tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Unterschleissheim,
>> O=apob.net, OU=Network Services, CN=elias.apob.net, E=info at apob.net
>> <mailto:E=info at apob.net>"
>> tanzplatz-h3x2: remote: [C=DE, ST=Bavaria, L=Nuremberg, O=apob.net,
>> OU=Network Services, CN=h3x2.apob.net, E=info at apob.net] uses any
>> authentication
>> tanzplatz-h3x2: cert: "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net,
>> OU=Network Services, CN=h3x2.apob.net, E=info at apob.net
>> <mailto:E=info at apob.net>"
>> tanzplatz-h3x2: child: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
>> Security Associations:
>> tanzplatz-h3x2[1]: ESTABLISHED 114 seconds ago, 10.0.0.252[C=DE,
>> ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,
>> CN=elias.apob.net, E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria,
>> L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net,
>> E=info at apob.net]
>> tanzplatz-h3x2[1]: IKE SPIs: 80f47cac247b838c_i* a6eef15b1c4cafc5_r,
>> public key reauthentication in 2 hours
>> tanzplatz-h3x2[1]: IKE proposal:
>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>> tanzplatz-h3x2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cb001dde_i
>> cb487bdb_o
>> tanzplatz-h3x2{1}: AES_CBC_128/HMAC_SHA1_96, 152 bytes_i (15s ago), 0
>> bytes_o, rekeying in 41 minutes
>> tanzplatz-h3x2{1}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
>> tanzplatz-h3x2{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca0c17ef_i
>> c24d0e02_o
>> tanzplatz-h3x2{2}: AES_CBC_128/HMAC_SHA1_96, 17994 bytes_i (15s ago),
>> 16661 bytes_o (14s ago), rekeying in 46 minutes
>> tanzplatz-h3x2{2}: 10.0.0.0/24 === 10.1.0.0/24 172.16.8.0/24
>>
>> The longer the SA is up, the more tunnels I get. All of them are being
>> rekeyed. After 24 hours there are hundreds of them up. Is there a way to
>> prevent this as I don't think this is the expected behaviour?
>>
>> Here's my ipsec.conf:
>>
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>>
>> # This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
>> #
>> # Manual: ipsec.conf.5
>>
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>> # plutodebug / klipsdebug = "all", "none" or a combation from below:
>> # "raw crypt parsing emitting control klips pfkey natt x509 private"
>> # eg:
>> #plutodebug="all"
>> #
>> # Only enable klipsdebug=all if you are a developer
>> #
>> # NAT-TRAVERSAL support, see README.NAT-Traversal
>> # nat_traversal=yes
>> # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>> #
>> # Certificate Revocation List handling:
>> crlcheckinterval=600
>> strictcrlpolicy=no
>> #
>> # Change rp_filter setting? (default is 0, disabled)
>> # See also setting in the /etc/sysctl.conf file!
>> #rp_filter=%unchanged
>> #
>> # Workaround to setup all tunnels immediately, since the new default
>> # of "plutowait=no" causes "Resource temporarily unavailable" errors
>> # for the first connect attempt over each tunnel, that is delayed to
>> # be established later / on demand.
>> #
>> nat_traversal=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>>
>> conn %default
>> # keyingtries default to %forever
>> #keyingtries=3
>> # Sig keys (default: %dnsondemand)
>> leftrsasigkey=%cert
>> rightrsasigkey=%cert
>> # Lifetimes, defaults are 1h/8hrs
>> #ikelifetime=20m
>> #keylife=1h
>> #rekeymargin=8m
>>
>> #Disable Opportunistic Encryption
>> include /usr/local/etc/ipsec.d/examples/no_oe.conf
>>
>> ca apob.net <http://apob.net>
>> cacert=apob.pem
>> crluri=http://ca.apob.net/ca-crl.crl
>> auto=add
>>
>> # Add connections here
>>
>> conn tanzplatz-h3x2
>> authby=rsasig
>> left=10.0.0.252
>> leftcert=elias.pem
>> leftsubnet=10.0.0.0/24
>> right=88.198.14.125
>> rightsubnet=10.1.0.0/24,172.16.8.0/24
>> rightcert=h3x2.pem
>> compress=no
>> keyexchange=ikev2
>> keyingtries=%forever
>> rekeyfuzz = 100%
>> pfs = yes
>> mobike=no
>> auto=start
>>
>> And all the charon messages from syslog:
>>
>> Oct 19 17:04:43 tanzplatz charon: 01[DMN] Starting IKEv2 charon daemon
>> (strongSwan 4.3.5)
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] listening on interfaces:
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth0
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.252
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::6ef0:49ff:fe13:64a7
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] eth1
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] 10.0.0.5
>> Oct 19 17:04:43 tanzplatz charon: 01[KNL] fe80::21b:21ff:fe1b:f53d
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ca certificates from
>> '/usr/local/etc/ipsec.d/cacerts'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded ca certificate "C=DE,
>> ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services, CN=apob.net
>> Certification Authority, E=info at ca.apob.net <mailto:E=info at ca.apob.net>"
>> from '/usr/local/etc/ipsec.d/cacerts/apob.pem'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading aa certificates from
>> '/usr/local/etc/ipsec.d/aacerts'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading ocsp signer
>> certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading attribute certificates
>> from '/usr/local/etc/ipsec.d/acerts'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading crls from
>> '/usr/local/etc/ipsec.d/crls'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loading secrets from
>> '/usr/local/etc/ipsec.secrets'
>> Oct 19 17:04:43 tanzplatz charon: 01[CFG] loaded RSA private key from
>> '/usr/local/etc/ipsec.d/private/elias.key'
>> Oct 19 17:04:43 tanzplatz charon: 01[DMN] loaded plugins: curl aes des
>> sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac
>> gmp kernel-netlink stroke updown attr resolve
>> Oct 19 17:04:43 tanzplatz charon: 01[JOB] spawning 16 worker threads
>> Oct 19 17:04:43 tanzplatz ipsec_starter[7194]: charon (7222) started
>> after 20 ms
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add ca 'apob.net'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] added ca 'apob.net'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: add
>> connection 'tanzplatz-h3x2'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE,
>> ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,
>> CN=elias.apob.net, E=info at apob.net <mailto:E=info at apob.net>" from
>> 'elias.pem'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 10.0.0.252 not
>> confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria,
>> L=Unterschleissheim, O=apob.net, OU=Network Services, CN=elias.apob.net,
>> E=info at apob.net <mailto:E=info at apob.net>
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] loaded certificate "C=DE,
>> ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,
>> CN=h3x2.apob.net, E=info at apob.net <mailto:E=info at apob.net>" from 'h3x2.pem'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] peerid 88.198.14.125 not
>> confirmed by certificate, defaulting to subject DN: C=DE, ST=Bavaria,
>> L=Nuremberg, O=apob.net, OU=Network Services, CN=h3x2.apob.net,
>> E=info at apob.net <mailto:E=info at apob.net>
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] added configuration
>> 'tanzplatz-h3x2'
>> Oct 19 17:04:43 tanzplatz charon: 05[CFG] received stroke: initiate
>> 'tanzplatz-h3x2'
>> Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA
>> tanzplatz-h3x2[1] to 88.198.14.125
>> Oct 19 17:04:43 tanzplatz charon: 05[IKE] initiating IKE_SA
>> tanzplatz-h3x2[1] to 88.198.14.125
>> Oct 19 17:04:43 tanzplatz charon: 05[ENC] generating IKE_SA_INIT request
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Oct 19 17:04:43 tanzplatz charon: 05[NET] sending packet: from
>> 10.0.0.252[500] to 88.198.14.125[500]
>> Oct 19 17:04:44 tanzplatz charon: 14[NET] received packet: from
>> 88.198.14.125[500] to 10.0.0.252[500]
>> Oct 19 17:04:44 tanzplatz charon: 14[ENC] parsed IKE_SA_INIT response 0
>> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] local host is behind NAT,
>> sending keep alives
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] received cert request for
>> "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,
>> CN=apob.net Certification Authority, E=info at ca.apob.net
>> <mailto:E=info at ca.apob.net>"
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending cert request for
>> "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,
>> CN=apob.net Certification Authority, E=info at ca.apob.net
>> <mailto:E=info at ca.apob.net>"
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] authentication of 'C=DE,
>> ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,
>> CN=elias.apob.net, E=info at apob.net <mailto:E=info at apob.net>' (myself)
>> with RSA signature successful
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] sending end entity cert "C=DE,
>> ST=Bavaria, L=Unterschleissheim, O=apob.net, OU=Network Services,
>> CN=elias.apob.net, E=info at apob.net <mailto:E=info at apob.net>"
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:04:44 tanzplatz charon: 14[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:04:44 tanzplatz charon: 14[ENC] generating IKE_AUTH request 1
>> [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) ]
>> Oct 19 17:04:44 tanzplatz charon: 14[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:04:46 tanzplatz charon: 17[NET] received packet: from
>> 88.198.14.125[4500] to 10.0.0.252[4500]
>> Oct 19 17:04:46 tanzplatz charon: 17[ENC] parsed IKE_AUTH response 1 [
>> IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] received end entity cert
>> "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,
>> CN=h3x2.apob.net, E=info at apob.net <mailto:E=info at apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted ca certificate
>> "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,
>> CN=apob.net Certification Authority, E=info at ca.apob.net
>> <mailto:E=info at ca.apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] checking certificate status of
>> "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,
>> CN=h3x2.apob.net, E=info at apob.net <mailto:E=info at apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] fetching crl from
>> 'http://ca.apob.net/ca-crl.crl' ...
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate
>> "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,
>> CN=apob.net Certification Authority, E=info at ca.apob.net
>> <mailto:E=info at ca.apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl correctly signed by
>> "C=DE, ST=Bavaria, L=Eching, O=apob.net, OU=Certification Services,
>> CN=apob.net Certification Authority, E=info at ca.apob.net
>> <mailto:E=info at ca.apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] crl is valid: until Oct 26
>> 00:05:02 2010
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] certificate status is good
>> Oct 19 17:04:46 tanzplatz charon: 17[CFG] using trusted certificate
>> "C=DE, ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,
>> CN=h3x2.apob.net, E=info at apob.net <mailto:E=info at apob.net>"
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] authentication of 'C=DE,
>> ST=Bavaria, L=Nuremberg, O=apob.net, OU=Network Services,
>> CN=h3x2.apob.net, E=info at apob.net <mailto:E=info at apob.net>' with RSA
>> signature successful
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1]
>> established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim,
>> O=apob.net, OU=Network Services, CN=elias.apob.net,
>> E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg,
>> O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net]
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] IKE_SA tanzplatz-h3x2[1]
>> established between 10.0.0.252[C=DE, ST=Bavaria, L=Unterschleissheim,
>> O=apob.net, OU=Network Services, CN=elias.apob.net,
>> E=info at apob.net]...88.198.14.125[C=DE, ST=Bavaria, L=Nuremberg,
>> O=apob.net, OU=Network Services, CN=h3x2.apob.net, E=info at apob.net]
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] scheduling reauthentication in
>> 9844s
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] maximum IKE_SA lifetime 10384s
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1}
>> established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] CHILD_SA tanzplatz-h3x2{1}
>> established with SPIs cb001dde_i cb487bdb_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:04:46 tanzplatz charon: 17[IKE] received AUTH_LIFETIME of
>> 9827s, scheduling reauthentication in 9287s
>> Oct 19 17:05:01 tanzplatz charon: 08[CFG] received stroke: initiate
>> 'tanzplatz-h3x2'
>> Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:05:01 tanzplatz charon: 13[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:05:01 tanzplatz charon: 13[ENC] generating CREATE_CHILD_SA
>> request 2 [ SA No TSi TSr ]
>> Oct 19 17:05:01 tanzplatz charon: 13[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:05:03 tanzplatz charon: 12[NET] received packet: from
>> 88.198.14.125[4500] to 10.0.0.252[4500]
>> Oct 19 17:05:03 tanzplatz charon: 12[ENC] parsed CREATE_CHILD_SA
>> response 2 [ SA No TSi TSr ]
>> Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2}
>> established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:05:03 tanzplatz charon: 12[IKE] CHILD_SA tanzplatz-h3x2{2}
>> established with SPIs ca0c17ef_i c24d0e02_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:06:16 tanzplatz charon: 15[IKE] sending keep alive
>> Oct 19 17:06:16 tanzplatz charon: 15[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:06:46 tanzplatz charon: 09[IKE] sending keep alive
>> Oct 19 17:06:46 tanzplatz charon: 09[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:07:19 tanzplatz charon: 15[IKE] sending keep alive
>> Oct 19 17:07:19 tanzplatz charon: 15[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:07:39 tanzplatz charon: 13[IKE] sending keep alive
>> Oct 19 17:07:39 tanzplatz charon: 13[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:08:15 tanzplatz charon: 10[IKE] sending keep alive
>> Oct 19 17:08:15 tanzplatz charon: 10[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:09:19 tanzplatz charon: 05[IKE] sending keep alive
>> Oct 19 17:09:19 tanzplatz charon: 05[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:09:45 tanzplatz charon: 16[IKE] sending keep alive
>> Oct 19 17:09:45 tanzplatz charon: 16[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:10:01 tanzplatz charon: 15[CFG] received stroke: initiate
>> 'tanzplatz-h3x2'
>> Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:10:01 tanzplatz charon: 12[IKE] establishing CHILD_SA
>> tanzplatz-h3x2
>> Oct 19 17:10:01 tanzplatz charon: 12[ENC] generating CREATE_CHILD_SA
>> request 3 [ SA No TSi TSr ]
>> Oct 19 17:10:01 tanzplatz charon: 12[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:10:01 tanzplatz charon: 10[NET] received packet: from
>> 88.198.14.125[4500] to 10.0.0.252[4500]
>> Oct 19 17:10:01 tanzplatz charon: 10[ENC] parsed CREATE_CHILD_SA
>> response 3 [ SA No TSi TSr ]
>> Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3}
>> established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:10:01 tanzplatz charon: 10[IKE] CHILD_SA tanzplatz-h3x2{3}
>> established with SPIs c8fcffcc_i cde77e67_o and TS 10.0.0.0/24 ===
>> 10.1.0.0/24 172.16.8.0/24
>> Oct 19 17:10:32 tanzplatz charon: 05[IKE] sending keep alive
>> Oct 19 17:10:32 tanzplatz charon: 05[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:10:52 tanzplatz charon: 09[IKE] sending keep alive
>> Oct 19 17:10:52 tanzplatz charon: 09[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:11:12 tanzplatz charon: 16[IKE] sending keep alive
>> Oct 19 17:11:12 tanzplatz charon: 16[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:12:13 tanzplatz charon: 15[IKE] sending keep alive
>> Oct 19 17:12:13 tanzplatz charon: 15[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>> Oct 19 17:12:47 tanzplatz charon: 08[IKE] sending keep alive
>> Oct 19 17:12:47 tanzplatz charon: 08[NET] sending packet: from
>> 10.0.0.252[4500] to 88.198.14.125[4500]
>>
>> I hope someone has a fix for this.
>>
>> KInd Regards,
>> Matthias
>>
>> *Matthias Läßig* | certified it security specialist
>> fon: +49.89.4209548370 | fax: +49.89.4209548379 | mobile: +49.162.2470635
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
Matthias Läßig | certified it security specialist
fon: +49.89.4209548370 | fax: +49.89.4209548379 | mobile: +49.162.2470635
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101019/decaad7c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2723 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101019/decaad7c/attachment.bin>
More information about the Users
mailing list