[strongSwan] need help with strongswan HA setup

gaurav sharma gaurav19007 at gmail.com
Thu Oct 20 10:10:06 CEST 2011


Hi All,
I am trying to set up an IPsec HA connection using strongSwan HA.
I have looked at the following links and tried to make my setup work:

http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
http://www.strongswan.org/uml/testresults/ha/both-active/

In the setup, the IPsec connection is made between carol and the virtual
tunnel mars, which is implemented by two PCs, moon and alice, as specified
in the above link. I have not yet installed the kernel patch specified in
the above link.
carol is connected to moon and alice by an L2 switch; carol's IP is 9.9.9.7,
and the virtual IP 9.9.9.15 is added on moon and alice as specified in the
above link.


In my setup, initially moon is active and alice is passive.

Case 1:
When I ping from 9.9.9.7 to 9.9.9.15, I see the reply coming from the active
one, which is moon.
If I restart ipsec on the active one, I see the reply coming from the standby,
which is alice.

Case 2:
When moon is active and I ping from 9.9.9.7 to 9.9.9.15, I see the reply
coming from the active one.
When I disconnect the link from the active one, traffic does not switch to
the standby, and ipsec statusall shows no connection.

I have the following questions regarding the setup:
1. Apart from the strongswan.conf file changes, is it necessary to apply the
kernel patch as specified in the above link?
2. Since, if traffic is disturbed by issuing ipsec restart, I see the ping
being resumed after some time, does it mean my HA setup is working?
3. Why does the traffic not resume when traffic from the active node is
disturbed by removing the link from the active node?

Thank you all in advance,
have a good day.
Attached are the logs captured from each console.

Thanks and Regards,
Gaurav






observation at carol
when ipsec up home is issued on carol

Oct 20 11:59:23 localhost charon: 03[CFG] received stroke: initiate 'home'
Oct 20 11:59:23 localhost charon: 11[IKE] initiating IKE_SA home[1] to 9.9.9.15
Oct 20 11:59:23 localhost charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 20 11:59:23 localhost charon: 11[NET] sending packet: from 9.9.9.7[500] to 9.9.9.15[500]
Oct 20 11:59:23 localhost charon: 12[NET] received packet: from 9.9.9.15[500] to 9.9.9.7[500]
Oct 20 11:59:23 localhost charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Oct 20 11:59:23 localhost charon: 12[IKE] sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
Oct 20 11:59:23 localhost charon: 12[IKE] authentication of 'carol.strongswan.org' (myself) with pre-shared key
Oct 20 11:59:23 localhost charon: 12[IKE] establishing CHILD_SA home
Oct 20 11:59:23 localhost charon: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 20 11:59:23 localhost charon: 12[NET] sending packet: from 9.9.9.7[4500] to 9.9.9.15[4500]
Oct 20 11:59:23 localhost charon: 13[NET] received packet: from 9.9.9.15[4500] to 9.9.9.7[4500]
Oct 20 11:59:23 localhost charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 20 11:59:23 localhost charon: 13[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
Oct 20 11:59:23 localhost charon: 13[IKE] IKE_SA home[1] established between 9.9.9.7[carol.strongswan.org]...9.9.9.15[moon.strongswan.org]
Oct 20 11:59:23 localhost charon: 13[IKE] scheduling reauthentication in 2566s
Oct 20 11:59:23 localhost charon: 13[IKE] maximum IKE_SA lifetime 3106s
Oct 20 11:59:23 localhost charon: 13[IKE] CHILD_SA home{1} established with SPIs ccc45098_i c6f61af8_o and TS 9.9.9.7/32 === 9.9.9.15/32
Oct 20 11:59:23 localhost vpn: + moon.strongswan.org 9.9.9.15 -- 9.9.9.7
Oct 20 11:59:23 localhost charon: 13[IKE] received AUTH_LIFETIME of 3299s, reauthentication already scheduled in 2566s
observation at carol
when ipsec restart is issued at initially active node
Oct 20 11:59:23 localhost charon: 12[NET] sending packet: from 9.9.9.7[4500] to 9.9.9.15[4500]
Oct 20 11:59:23 localhost charon: 13[NET] received packet: from 9.9.9.15[4500] to 9.9.9.7[4500]
Oct 20 11:59:23 localhost charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 20 11:59:23 localhost charon: 13[IKE] authentication of 'moon.strongswan.org' with pre-shared key successful
Oct 20 11:59:23 localhost charon: 13[IKE] IKE_SA home[1] established between 9.9.9.7[carol.strongswan.org]...9.9.9.15[moon.strongswan.org]
Oct 20 11:59:23 localhost charon: 13[IKE] scheduling reauthentication in 2566s
Oct 20 11:59:23 localhost charon: 13[IKE] maximum IKE_SA lifetime 3106s
Oct 20 11:59:23 localhost charon: 13[IKE] CHILD_SA home{1} established with SPIs ccc45098_i c6f61af8_o and TS 9.9.9.7/32 === 9.9.9.15/32
Oct 20 11:59:23 localhost vpn: + moon.strongswan.org 9.9.9.15 -- 9.9.9.7
Oct 20 11:59:23 localhost charon: 13[IKE] received AUTH_LIFETIME of 3299s, reauthentication already scheduled in 2566s





observation on active node moon

[root@localhost etc]# ip address add 9.9.9.15/16 dev eth1

[root@localhost etc]# iptables -A INPUT -i eth1 -d 9.9.9.15 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1

[root@localhost etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  9.9.9.7              9.9.9.15            policy match dir in pol ipsec reqid 4 proto esp
CLUSTERIP  all  --  anywhere             9.9.9.15            CLUSTERIP hashmode=sourceip clustermac=01:00:5E:00:00:20 total_nodes=2 local_node=1 hash_init=0
CLUSTERIP  all  --  anywhere             9.9.9.15            CLUSTERIP hashmode=sourceip clustermac=01:00:5E:00:00:20 total_nodes=2 local_node=1 hash_init=0

ipsec start
Oct 20 17:31:27 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-radius eap-tls eap-ttls ha
Oct 20 17:31:27 localhost charon: 00[JOB] spawning 16 worker threads
Oct 20 17:31:27 localhost charon: 04[CFG] received stroke: add connection 'rw-eap'
Oct 20 17:31:27 localhost charon: 04[CFG] added configuration 'rw-eap'
Oct 20 17:31:28 localhost charon: 13[CFG] requesting HA resynchronization
Oct 20 17:31:29 localhost charon: 05[CFG] no heartbeat received, taking all segments
Oct 20 17:31:29 localhost charon: 05[CFG] HA segment 1 activated, now active: 1
Oct 20 17:31:29 localhost charon: 05[CFG] HA segment 2 activated, now active: 1,2
when ipsec up is issued
Oct 20 17:32:47 localhost charon: 07[CFG] received heartbeat, reenabling watchdog
Oct 20 17:32:48 localhost charon: 07[CFG] resyncing HA segment 1
Oct 20 17:32:48 localhost charon: 07[CFG] resyncing HA segment 2
Oct 20 17:33:42 localhost charon: 13[NET] received packet: from 9.9.9.7[500] to 9.9.9.15[500]
                               

Oct 20 17:33:42 localhost charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Oct 20 17:33:42 localhost charon: 13[IKE] 9.9.9.7 is initiating an IKE_SA
Oct 20 17:33:42 localhost charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Oct 20 17:33:42 localhost charon: 13[NET] sending packet: from 9.9.9.15[500] to 9.9.9.7[500]
Oct 20 17:33:42 localhost charon: 15[NET] received packet: from 9.9.9.7[4500] to 9.9.9.15[4500]
Oct 20 17:33:42 localhost charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Oct 20 17:33:42 localhost charon: 15[IKE] received 1 cert requests for an unknown ca
Oct 20 17:33:42 localhost charon: 15[CFG] looking for peer configs matching 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]
Oct 20 17:33:42 localhost charon: 15[CFG] selected peer config 'rw-eap'
Oct 20 17:33:42 localhost charon: 15[IKE] authentication of 'carol.strongswan.org' with pre-shared key successful
Oct 20 17:33:42 localhost charon: 15[IKE] peer supports MOBIKE
Oct 20 17:33:42 localhost charon: 15[IKE] authentication of 'moon.strongswan.org' (myself) with pre-shared key


ipsec statusall
Connections:
      rw-eap:  9.9.9.15...%any
      rw-eap:   local:  [moon.strongswan.org] uses pre-shared key authentication
      rw-eap:   remote: [%any] uses any authentication
      rw-eap:   child:  dynamic === dynamic
Security Associations:
      rw-eap[1]: ESTABLISHED 2 minutes ago, 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]
      rw-eap[1]: IKE SPIs: 882f2090086159c1_i eb88c0b59a689810_r*, pre-shared key reauthentication in 51 minutes
      rw-eap[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      rw-eap{1}:  INSTALLED, TUNNEL, ESP SPIs: c5c57d46_i c3462e1f_o
      rw-eap{1}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (0s ago), 420 bytes_o (0s ago), rekeying in 14 minutes
      rw-eap{1}:   9.9.9.15/32 === 9.9.9.7/32
[root@localhost etc]#

when ping is done from 9.9.9.7 to 9.9.9.15

Oct 20 17:34:58 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:34:58 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:34:58 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:34:59 localhost kernel: CLUSTERIP: unknown protocol `50'

when ipsec restarted on this
Oct 20 17:37:15 localhost charon: 00[CFG]   loaded IKE secret for @moon.strongswan.org %any
Oct 20 17:37:15 localhost charon: 00[CFG] starting HA heartbeat, delay 1000ms, timeout 2100ms
Oct 20 17:37:15 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-radius eap-tls eap-ttls ha
Oct 20 17:37:15 localhost charon: 00[JOB] spawning 16 worker threads
Oct 20 17:37:15 localhost charon: 04[CFG] received stroke: add connection 'rw-eap'
Oct 20 17:37:15 localhost charon: 04[CFG] added configuration 'rw-eap'
Oct 20 17:37:15 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:37:16 localhost charon: 13[CFG] requesting HA resynchronization
Oct 20 17:37:16 localhost charon: 07[CFG] installed HA passive IKE_SA 'rw-eap' 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]


observation on standby node alice

[root@localhost etc]# ip address add 9.9.9.15/16 dev eth1

[root@localhost etc]# iptables -A INPUT -i eth1 -d 9.9.9.15 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1

[root@localhost etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  9.9.9.7              9.9.9.15            policy match dir in pol ipsec reqid 4 proto esp
CLUSTERIP  all  --  anywhere             9.9.9.15            CLUSTERIP hashmode=sourceip clustermac=01:00:5E:00:00:20 total_nodes=2 local_node=1 hash_init=0
CLUSTERIP  all  --  anywhere             9.9.9.15            CLUSTERIP hashmode=sourceip clustermac=01:00:5E:00:00:20 total_nodes=2 local_node=1 hash_init=0

Chain FORWARD (policy ACCEPT)

ipsec start
Oct 20 17:25:01 localhost charon: 00[CFG]   loaded IKE secret for @moon.strongswan.org %any
Oct 20 17:25:01 localhost charon: 00[CFG] detected Linux 2.6.31, using old jhash
Oct 20 17:25:01 localhost charon: 00[CFG] starting HA heartbeat, delay 1000ms, timeout 2100ms
Oct 20 17:25:01 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-radius eap-tls eap-ttls ha
Oct 20 17:25:01 localhost charon: 00[JOB] spawning 16 worker threads
Oct 20 17:25:01 localhost charon: 05[CFG] received stroke: add connection 'rw-eap'
Oct 20 17:25:01 localhost charon: 05[CFG] added configuration 'rw-eap'
Oct 20 17:25:02 localhost charon: 14[CFG] requesting HA resynchronization

when ipsec up home is issued on carol
Oct 20 17:25:56 localhost charon: 08[CFG] installed HA passive IKE_SA 'rw-eap' 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]
Oct 20 17:25:56 localhost charon: 08[CFG] installed HA CHILD_SA rw-eap{1} 9.9.9.15/32 === 9.9.9.7/32  (segment in: 1, out: 1)

ipsec statusall
Connections:
      rw-eap:  9.9.9.15...%any
      rw-eap:   local:  [moon.strongswan.org] uses pre-shared key authentication
      rw-eap:   remote: [%any] uses any authentication
      rw-eap:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      rw-eap[1]: PASSIVE, 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]
      rw-eap[1]: IKE SPIs: 882f2090086159c1_i eb88c0b59a689810_r*
      rw-eap{2}:  INSTALLED, TUNNEL, ESP SPIs: c5c57d46_i c3462e1f_o
      rw-eap{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
      rw-eap{2}:   9.9.9.15/32 === 9.9.9.7/32
[root@localhost etc]#
when ping is done from 9.9.9.7 to 9.9.9.15
Oct 20 17:27:32 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:27:33 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:27:34 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:27:35 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:27:36 localhost kernel: CLUSTERIP: unknown protocol `50'

when ipsec restart is issued on current active node moon

Oct 20 17:29:25 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:25 localhost charon: 08[CFG] remote node drops segment 1
Oct 20 17:29:25 localhost charon: 08[IKE] scheduling reauthentication in 3260s
Oct 20 17:29:25 localhost charon: 08[IKE] maximum IKE_SA lifetime 3440s
Oct 20 17:29:25 localhost charon: 08[CFG] HA segment 1 activated, now active: 1
Oct 20 17:29:25 localhost charon: 08[CFG] remote node drops segment 2
Oct 20 17:29:25 localhost charon: 08[CFG] HA segment 2 activated, now active: 1,2
Oct 20 17:29:26 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:26 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:27 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:27 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:27 localhost charon: 06[CFG] no heartbeat received, taking all segments
Oct 20 17:29:28 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:28 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:28 localhost charon: 08[CFG] received heartbeat, reenabling watchdog
Oct 20 17:29:29 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:29 localhost charon: 08[CFG] resyncing HA segment 1

Oct 20 17:29:29 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:29 localhost charon: 08[CFG] resyncing HA segment 1
Oct 20 17:29:29 localhost charon: 08[CFG] resyncing CHILD_SA
Oct 20 17:29:29 localhost charon: 08[IKE] establishing CHILD_SA rw-eap{2}
Oct 20 17:29:29 localhost charon: 08[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
Oct 20 17:29:29 localhost charon: 08[NET] sending packet: from 9.9.9.15[4500] to 9.9.9.7[4500]
Oct 20 17:29:29 localhost charon: 08[CFG] resyncing HA segment 2
Oct 20 17:29:29 localhost charon: 05[NET] received packet: from 9.9.9.7[4500] to 9.9.9.15[4500]
Oct 20 17:29:29 localhost charon: 05[ENC] parsed CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Oct 20 17:29:29 localhost charon: 05[CFG] handling HA CHILD_SA rw-eap{2} 9.9.9.15/32 === 9.9.9.7/32  (segment in: 1*, out: 1*)
Oct 20 17:29:29 localhost charon: 05[IKE] CHILD_SA rw-eap{2} established with SPIs c5f68e8e_i c7ab79d4_o and TS 9.9.9.15/32 === 9.9.9.7/32
Oct 20 17:29:29 localhost charon: 05[IKE] closing CHILD_SA rw-eap{2} with SPIs c5c57d46_i (336 bytes) c3462e1f_o (336 bytes) and TS 9.9.9.15/32 === 9.9.9.7/32
Oct 20 17:29:29 localhost charon: 05[IKE] sending DELETE for ESP CHILD_SA with SPI c5c57d46

Oct 20 17:29:29 localhost charon: 05[ENC] generating INFORMATIONAL request 1 [ D ]
Oct 20 17:29:29 localhost charon: 05[NET] sending packet: from 9.9.9.15[4500] to 9.9.9.7[4500]
Oct 20 17:29:29 localhost charon: 14[NET] received packet: from 9.9.9.7[4500] to 9.9.9.15[4500]
Oct 20 17:29:29 localhost charon: 14[ENC] parsed INFORMATIONAL response 1 [ D ]
Oct 20 17:29:29 localhost charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI c3462e1f
Oct 20 17:29:29 localhost charon: 14[IKE] CHILD_SA closed
Oct 20 17:29:30 localhost kernel: __ratelimit: 1 callbacks suppressed
Oct 20 17:29:30 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:30 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:31 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:31 localhost kernel: CLUSTERIP: unknown protocol `50'

ipsec statusall
Connections:
      rw-eap:  9.9.9.15...%any
      rw-eap:   local:  [moon.strongswan.org] uses pre-shared key authentication
      rw-eap:   remote: [%any] uses any authentication
      rw-eap:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      rw-eap[1]: ESTABLISHED 47 seconds ago, 9.9.9.15[moon.strongswan.org]...9.9.9.7[carol.strongswan.org]
      rw-eap[1]: IKE SPIs: 882f2090086159c1_i eb88c0b59a689810_r*, pre-shared key reauthentication in 53 minutes
      rw-eap{2}:  INSTALLED, TUNNEL, ESP SPIs: c5f68e8e_i c7ab79d4_o
      rw-eap{2}:  AES_CBC_128/HMAC_SHA1_96, 3612 bytes_i (1s ago), 3612 bytes_o (1s ago), rekeying in 16 minutes
      rw-eap{2}:   9.9.9.15/32 === 9.9.9.7/32
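
Added example (not part of the original post and not strongSwan code): a small Python parser that turns charon HA-plugin lines and kernel CLUSTERIP lines, like those in the attachment above, into a failover timeline. The sample input is copied from the alice log above; the function name, event names and result keys are made up for this example.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the standby-node (alice) log above.
SAMPLE_LOG = """\
Oct 20 17:29:25 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:25 localhost charon: 08[CFG] remote node drops segment 1
Oct 20 17:29:25 localhost charon: 08[CFG] HA segment 1 activated, now active: 1
Oct 20 17:29:25 localhost charon: 08[CFG] remote node drops segment 2
Oct 20 17:29:25 localhost charon: 08[CFG] HA segment 2 activated, now active: 1,2
Oct 20 17:29:26 localhost kernel: CLUSTERIP: unknown protocol `50'
Oct 20 17:29:27 localhost charon: 06[CFG] no heartbeat received, taking all segments
Oct 20 17:29:28 localhost charon: 08[CFG] received heartbeat, reenabling watchdog
Oct 20 17:29:29 localhost charon: 08[CFG] resyncing HA segment 1
"""

# syslog prefix: timestamp, host, then "kernel:" or "charon:" and the message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (kernel|charon): (.*)$")

# Only message texts that appear in the logs on this page are matched.
EVENTS = [
    ("activated", re.compile(r"HA segment (\d+) activated, now active: ([\d,]+)")),
    ("peer_drop", re.compile(r"remote node drops segment (\d+)")),
    ("resync", re.compile(r"resyncing HA segment (\d+)")),
    ("heartbeat_lost", re.compile(r"no heartbeat received, taking all segments")),
    ("heartbeat_back", re.compile(r"received heartbeat, reenabling watchdog")),
    ("passive_sa", re.compile(r"installed HA passive IKE_SA '([^']+)'")),
]
# The kernel quotes the IP protocol number as `50' (50 is ESP).
CLUSTERIP = re.compile(r"CLUSTERIP: unknown protocol .(\d+).")


def ha_timeline(text):
    """Return HA events in order, the last reported active segments,
    and a per-protocol count of CLUSTERIP 'unknown protocol' warnings."""
    events, active, unknown = [], set(), Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, prompts, statusall output
        stamp, source, msg = m.groups()
        if source == "kernel":
            hit = CLUSTERIP.search(msg)
            if hit:
                unknown[int(hit.group(1))] += 1
            continue
        for kind, pattern in EVENTS:
            hit = pattern.search(msg)
            if hit:
                if kind == "activated":
                    active = {int(s) for s in hit.group(2).split(",")}
                events.append((stamp, kind, hit.groups()))
                break
    return {"events": events, "active_segments": sorted(active),
            "clusterip_unknown": dict(unknown)}


if __name__ == "__main__":
    result = ha_timeline(SAMPLE_LOG)
    for stamp, kind, detail in result["events"]:
        print(stamp, kind, detail)
    print("active segments:", result["active_segments"])
    print("CLUSTERIP unknown-protocol warnings:", result["clusterip_unknown"])
```

Running the same function over the moon and alice logs side by side shows which node held which segment at each timestamp.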







